diff --git a/.gitignore b/.gitignore index b64821a..6c4a714 100644 --- a/.gitignore +++ b/.gitignore @@ -14,3 +14,4 @@ pam_ssh_agent_auth-0.9.2.tar.bz2 /openssh-6.4p1.tar.gz /openssh-6.6p1.tar.gz /openssh-6.7p1.tar.gz +/openssh-6.8p1.tar.gz diff --git a/openssh-5.8p1-packet.patch b/openssh-5.8p1-packet.patch index 4951af6..baccb53 100644 --- a/openssh-5.8p1-packet.patch +++ b/openssh-5.8p1-packet.patch @@ -1,12 +1,12 @@ -diff -up openssh-5.8p1/packet.c.packet openssh-5.8p1/packet.c ---- openssh-5.8p1/packet.c.packet 2011-04-05 13:29:06.998648899 +0200 -+++ openssh-5.8p1/packet.c 2011-04-05 13:30:32.967648596 +0200 -@@ -294,6 +294,8 @@ packet_connection_is_on_socket(void) +diff -up openssh-6.8p1/packet.c.packet openssh-6.8p1/packet.c +--- openssh-6.8p1/packet.c.packet 2015-03-18 10:56:32.286930601 +0100 ++++ openssh-6.8p1/packet.c 2015-03-18 10:58:38.535629739 +0100 +@@ -371,6 +371,8 @@ ssh_packet_connection_is_on_socket(struc struct sockaddr_storage from, to; socklen_t fromlen, tolen; -+ if (!active_state) ++ if (!state) + return 0; /* filedescriptors in and out are the same, so it's a socket */ - if (active_state->connection_in == active_state->connection_out) + if (state->connection_in == state->connection_out) return 1; diff --git a/openssh-6.1p1-askpass-ld.patch b/openssh-6.1p1-askpass-ld.patch deleted file mode 100644 index f7a7fac..0000000 --- a/openssh-6.1p1-askpass-ld.patch +++ /dev/null @@ -1,18 +0,0 @@ -diff -up openssh-6.1p1/contrib/Makefile.askpass-ld openssh-6.1p1/contrib/Makefile ---- openssh-6.1p1/contrib/Makefile.askpass-ld 2012-05-19 07:24:37.000000000 +0200 -+++ openssh-6.1p1/contrib/Makefile 2012-09-14 20:35:47.565704718 +0200 -@@ -4,12 +4,12 @@ all: - @echo "Valid targets: gnome-ssh-askpass1 gnome-ssh-askpass2" - - gnome-ssh-askpass1: gnome-ssh-askpass1.c -- $(CC) `gnome-config --cflags gnome gnomeui` \ -+ $(CC) ${CFLAGS} `gnome-config --cflags gnome gnomeui` \ - gnome-ssh-askpass1.c -o gnome-ssh-askpass1 \ - `gnome-config --libs gnome gnomeui` - - gnome-ssh-askpass2: gnome-ssh-askpass2.c -- $(CC) `$(PKG_CONFIG) --cflags gtk+-2.0` \ -+ $(CC) ${CFLAGS} `$(PKG_CONFIG) --cflags gtk+-2.0` \ - gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \ - `$(PKG_CONFIG) --libs gtk+-2.0 x11` - diff --git a/openssh-6.2p1-vendor.patch b/openssh-6.2p1-vendor.patch index 583a486..67769f0 100644 --- a/openssh-6.2p1-vendor.patch +++ b/openssh-6.2p1-vendor.patch @@ -1,8 +1,7 @@ -diff --git a/configure.ac b/configure.ac -index 6553074..8dedb95 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -4676,6 +4676,12 @@ AC_ARG_WITH([lastlog], +diff -up openssh-6.8p1/configure.ac.vendor openssh-6.8p1/configure.ac +--- openssh-6.8p1/configure.ac.vendor 2015-03-18 11:17:56.670880303 +0100 ++++ openssh-6.8p1/configure.ac 2015-03-18 11:17:56.695880243 +0100 +@@ -4743,6 +4743,12 @@ AC_ARG_WITH([lastlog], fi ] ) @@ -15,7 +14,7 @@ index 6553074..8dedb95 100644 dnl lastlog, [uw]tmpx? detection dnl NOTE: set the paths in the platform section to avoid the -@@ -4938,6 +4944,7 @@ echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" +@@ -5005,6 +5011,7 @@ echo " Translate v4 in v6 hack echo " BSD Auth support: $BSD_AUTH_MSG" echo " Random number source: $RAND_MSG" echo " Privsep sandbox style: $SANDBOX_STYLE" @@ -23,11 +22,10 @@ index 6553074..8dedb95 100644 echo "" -diff --git a/servconf.c b/servconf.c -index e3ebaac..c8a3f28 100644 ---- a/servconf.c -+++ b/servconf.c -@@ -141,6 +141,7 @@ initialize_server_options(ServerOptions *options) +diff -up openssh-6.8p1/servconf.c.vendor openssh-6.8p1/servconf.c +--- openssh-6.8p1/servconf.c.vendor 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/servconf.c 2015-03-18 11:19:16.279691126 +0100 +@@ -145,6 +145,7 @@ initialize_server_options(ServerOptions options->max_authtries = -1; options->max_sessions = -1; options->banner = NULL; @@ -35,7 +33,7 @@ index e3ebaac..c8a3f28 100644 options->use_dns = -1; options->client_alive_interval = -1; options->client_alive_count_max = -1; -@@ -310,6 +311,8 @@ fill_default_server_options(ServerOptions *options) +@@ -327,6 +328,8 @@ fill_default_server_options(ServerOption options->ip_qos_bulk = IPTOS_THROUGHPUT; if (options->version_addendum == NULL) options->version_addendum = xstrdup(""); @@ -44,16 +42,16 @@ index e3ebaac..c8a3f28 100644 if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) options->fwd_opts.streamlocal_bind_mask = 0177; if (options->fwd_opts.streamlocal_bind_unlink == -1) -@@ -353,7 +356,7 @@ typedef enum { +@@ -388,7 +391,7 @@ typedef enum { sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, - sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, - sMaxStartups, sMaxAuthTries, sMaxSessions, + sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes, + sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions, - sBanner, sUseDNS, sHostbasedAuthentication, + sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication, - sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, - sClientAliveCountMax, sAuthorizedKeysFile, + sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, + sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, -@@ -467,6 +470,7 @@ static struct { +@@ -504,6 +507,7 @@ static struct { { "maxauthtries", sMaxAuthTries, SSHCFG_ALL }, { "maxsessions", sMaxSessions, SSHCFG_ALL }, { "banner", sBanner, SSHCFG_ALL }, @@ -61,7 +59,7 @@ index e3ebaac..c8a3f28 100644 { "usedns", sUseDNS, SSHCFG_GLOBAL }, { "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL }, { "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL }, -@@ -1263,6 +1267,10 @@ process_server_config_line(ServerOptions *options, char *line, +@@ -1320,6 +1324,10 @@ process_server_config_line(ServerOptions multistate_ptr = multistate_privsep; goto parse_multistate; @@ -72,7 +70,7 @@ index e3ebaac..c8a3f28 100644 case sAllowUsers: while ((arg = strdelim(&cp)) && *arg != '\0') { if (options->num_allow_users >= MAX_ALLOW_USERS) -@@ -2081,6 +2089,7 @@ dump_config(ServerOptions *o) +@@ -2145,6 +2153,7 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sUseLogin, o->use_login); dump_cfg_fmtint(sCompression, o->compression); dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports); @@ -80,11 +78,10 @@ index e3ebaac..c8a3f28 100644 dump_cfg_fmtint(sUseDNS, o->use_dns); dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding); -diff --git a/servconf.h b/servconf.h -index 49b228b..21719e2 100644 ---- a/servconf.h -+++ b/servconf.h -@@ -149,6 +149,7 @@ typedef struct { +diff -up openssh-6.8p1/servconf.h.vendor openssh-6.8p1/servconf.h +--- openssh-6.8p1/servconf.h.vendor 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/servconf.h 2015-03-18 11:17:56.696880241 +0100 +@@ -151,6 +151,7 @@ typedef struct { int max_authtries; int max_sessions; char *banner; /* SSH-2 banner message */ @@ -92,11 +89,10 @@ index 49b228b..21719e2 100644 int use_dns; int client_alive_interval; /* * poke the client this often to -diff --git a/sshd.c b/sshd.c -index afe9afa..193b206 100644 ---- a/sshd.c -+++ b/sshd.c -@@ -432,7 +432,7 @@ sshd_exchange_identification(int sock_in, int sock_out) +diff -up openssh-6.8p1/sshd.c.vendor openssh-6.8p1/sshd.c +--- openssh-6.8p1/sshd.c.vendor 2015-03-18 11:17:56.669880305 +0100 ++++ openssh-6.8p1/sshd.c 2015-03-18 11:17:56.697880239 +0100 +@@ -431,7 +431,7 @@ sshd_exchange_identification(int sock_in } xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", @@ -105,7 +101,7 @@ index afe9afa..193b206 100644 *options.version_addendum == '\0' ? "" : " ", options.version_addendum, newline); -@@ -1677,7 +1677,8 @@ main(int ac, char **av) +@@ -1737,7 +1737,8 @@ main(int ac, char **av) exit(1); } @@ -115,23 +111,21 @@ index afe9afa..193b206 100644 #ifdef WITH_OPENSSL SSLeay_version(SSLEAY_VERSION) #else -diff --git a/sshd_config b/sshd_config -index 3092ac6..da3db5d 100644 ---- a/sshd_config -+++ b/sshd_config -@@ -119,6 +119,7 @@ UsePrivilegeSeparation sandbox # Default for new installations. +diff -up openssh-6.8p1/sshd_config.vendor openssh-6.8p1/sshd_config +--- openssh-6.8p1/sshd_config.vendor 2015-03-18 11:17:56.697880239 +0100 ++++ openssh-6.8p1/sshd_config 2015-03-18 11:20:15.552550274 +0100 +@@ -119,6 +119,7 @@ UsePrivilegeSeparation sandbox # Defaul #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 +#ShowPatchLevel no - #UseDNS yes + #UseDNS no #PidFile /var/run/sshd.pid #MaxStartups 10:30:100 -diff --git a/sshd_config.0 b/sshd_config.0 -index 43867d3..a3898c3 100644 ---- a/sshd_config.0 -+++ b/sshd_config.0 -@@ -700,6 +700,11 @@ DESCRIPTION +diff -up openssh-6.8p1/sshd_config.0.vendor openssh-6.8p1/sshd_config.0 +--- openssh-6.8p1/sshd_config.0.vendor 2015-03-18 11:17:56.691880253 +0100 ++++ openssh-6.8p1/sshd_config.0 2015-03-18 11:17:56.697880239 +0100 +@@ -740,6 +740,11 @@ DESCRIPTION Defines the number of bits in the ephemeral protocol version 1 server key. The minimum value is 512, and the default is 1024. @@ -143,11 +137,10 @@ index 43867d3..a3898c3 100644 StreamLocalBindMask Sets the octal file creation mode mask (umask) used when creating a Unix-domain socket file for local or remote port forwarding. -diff --git a/sshd_config.5 b/sshd_config.5 -index 89a0cf2..cccb310 100644 ---- a/sshd_config.5 -+++ b/sshd_config.5 -@@ -1200,6 +1200,13 @@ This option applies to protocol version 1 only. +diff -up openssh-6.8p1/sshd_config.5.vendor openssh-6.8p1/sshd_config.5 +--- openssh-6.8p1/sshd_config.5.vendor 2015-03-18 11:17:56.691880253 +0100 ++++ openssh-6.8p1/sshd_config.5 2015-03-18 11:17:56.697880239 +0100 +@@ -1276,6 +1276,13 @@ This option applies to protocol version .It Cm ServerKeyBits Defines the number of bits in the ephemeral protocol version 1 server key. The minimum value is 512, and the default is 1024. diff --git a/openssh-6.6.1p1-cisco-dh-keys.patch b/openssh-6.6.1p1-cisco-dh-keys.patch index 0763b10..6890c05 100644 --- a/openssh-6.6.1p1-cisco-dh-keys.patch +++ b/openssh-6.6.1p1-cisco-dh-keys.patch @@ -1,7 +1,6 @@ -diff --git a/compat.c b/compat.c -index 2709dc5..7412a54 100644 ---- a/compat.c -+++ b/compat.c +diff -up openssh-6.8p1/compat.c.cisco-dh openssh-6.8p1/compat.c +--- openssh-6.8p1/compat.c.cisco-dh 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/compat.c 2015-03-19 12:57:58.862606969 +0100 @@ -167,6 +167,7 @@ compat_datafellows(const char *version) SSH_BUG_SCANNER }, { "Probe-*", @@ -10,10 +9,9 @@ index 2709dc5..7412a54 100644 { NULL, 0 } }; -diff --git a/compat.h b/compat.h -index a6c3f3d..d8def7d 100644 ---- a/compat.h -+++ b/compat.h +diff -up openssh-6.8p1/compat.h.cisco-dh openssh-6.8p1/compat.h +--- openssh-6.8p1/compat.h.cisco-dh 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/compat.h 2015-03-19 12:57:58.862606969 +0100 @@ -60,6 +60,7 @@ #define SSH_NEW_OPENSSH 0x04000000 #define SSH_BUG_DYNAMIC_RPORT 0x08000000 @@ -22,49 +20,35 @@ index a6c3f3d..d8def7d 100644 void enable_compat13(void); void enable_compat20(void); -diff --git a/kexgexc.c b/kexgexc.c -index 355b7ba..0a91bdd 100644 ---- a/kexgexc.c -+++ b/kexgexc.c -@@ -58,20 +58,37 @@ kexgex_client(Kex *kex) - int min, max, nbits; - DH *dh; +diff -up openssh-6.8p1/kexgexc.c.cisco-dh openssh-6.8p1/kexgexc.c +--- openssh-6.8p1/kexgexc.c.cisco-dh 2015-03-19 12:57:58.862606969 +0100 ++++ openssh-6.8p1/kexgexc.c 2015-03-19 13:11:52.320519969 +0100 +@@ -64,8 +64,27 @@ kexgex_client(struct ssh *ssh) -+ min = DH_GRP_MIN; -+ max = DH_GRP_MAX; + kex->min = DH_GRP_MIN; + kex->max = DH_GRP_MAX; + + /* Servers with MAX4096DH need a preferred size (nbits) <= 4096. + * We need to also ensure that min < nbits < max */ + + if (datafellows & SSH_BUG_MAX4096DH) { + /* The largest min for these servers is 4096 */ -+ min = MIN(min, 4096); ++ kex->min = MIN(kex->min, 4096); + } + - nbits = dh_estimate(kex->dh_need * 8); -+ nbits = MIN(nbits, max); -+ nbits = MAX(nbits, min); + kex->nbits = nbits; +- if (ssh->compat & SSH_OLD_DHGEX) { ++ kex->nbits = MIN(nbits, kex->max); ++ kex->nbits = MAX(nbits, kex->min); + -+ if (datafellows & SSH_BUG_MAX4096DH) { ++ if (ssh->compat & SSH_BUG_MAX4096DH) { + /* Cannot have a nbits > 4096 for these servers */ -+ nbits = MIN(nbits, 4096); ++ kex->nbits = MIN(kex->nbits, 4096); + /* nbits has to be powers of two */ -+ if (nbits == 3072) -+ nbits = 4096; ++ if (kex->nbits == 3072) ++ kex->nbits = 4096; + } - - if (datafellows & SSH_OLD_DHGEX) { ++ if (ssh->compat & SSH_OLD_DHGEX) { /* Old GEX request */ /* Old GEX request */ - packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST_OLD); - packet_put_int(nbits); -- min = DH_GRP_MIN; -- max = DH_GRP_MAX; - - debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD(%u) sent", nbits); - } else { - /* New GEX request */ -- min = DH_GRP_MIN; -- max = DH_GRP_MAX; - packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST); - packet_put_int(min); - packet_put_int(nbits); + if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST_OLD)) + != 0 || diff --git a/openssh-6.6.1p1-log-in-chroot.patch b/openssh-6.6.1p1-log-in-chroot.patch index bca27be..7590812 100644 --- a/openssh-6.6.1p1-log-in-chroot.patch +++ b/openssh-6.6.1p1-log-in-chroot.patch @@ -1,7 +1,6 @@ -diff --git a/log.c b/log.c -index 32e1d2e..d4caeb5 100644 ---- a/log.c -+++ b/log.c +diff -up openssh-6.8p1/log.c.log-in-chroot openssh-6.8p1/log.c +--- openssh-6.8p1/log.c.log-in-chroot 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/log.c 2015-03-18 12:59:29.694022313 +0100 @@ -241,6 +241,11 @@ debug3(const char *fmt,...) void log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr) @@ -14,7 +13,7 @@ index 32e1d2e..d4caeb5 100644 #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) struct syslog_data sdata = SYSLOG_DATA_INIT; #endif -@@ -264,8 +269,10 @@ log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr) +@@ -264,8 +269,10 @@ log_init(char *av0, LogLevel level, Sysl exit(1); } @@ -27,10 +26,9 @@ index 32e1d2e..d4caeb5 100644 log_on_stderr = on_stderr; if (on_stderr) -diff --git a/log.h b/log.h -index ae7df25..30c3310 100644 ---- a/log.h -+++ b/log.h +diff -up openssh-6.8p1/log.h.log-in-chroot openssh-6.8p1/log.h +--- openssh-6.8p1/log.h.log-in-chroot 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/log.h 2015-03-18 12:59:29.694022313 +0100 @@ -49,6 +49,7 @@ typedef enum { typedef void (log_handler_fn)(LogLevel, const char *, void *); @@ -39,11 +37,10 @@ index ae7df25..30c3310 100644 void log_change_level(LogLevel); int log_is_on_stderr(void); void log_redirect_stderr_to(const char *); -diff --git a/monitor.c b/monitor.c -index 7ebc76e..d97e640 100644 ---- a/monitor.c -+++ b/monitor.c -@@ -378,6 +378,8 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) +diff -up openssh-6.8p1/monitor.c.log-in-chroot openssh-6.8p1/monitor.c +--- openssh-6.8p1/monitor.c.log-in-chroot 2015-03-18 12:59:29.669022374 +0100 ++++ openssh-6.8p1/monitor.c 2015-03-18 13:01:52.894671198 +0100 +@@ -357,6 +357,8 @@ monitor_child_preauth(Authctxt *_authctx close(pmonitor->m_log_sendfd); pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1; @@ -52,7 +49,7 @@ index 7ebc76e..d97e640 100644 authctxt = _authctxt; memset(authctxt, 0, sizeof(*authctxt)); -@@ -486,6 +488,8 @@ monitor_child_postauth(struct monitor *pmonitor) +@@ -465,6 +467,8 @@ monitor_child_postauth(struct monitor *p close(pmonitor->m_recvfd); pmonitor->m_recvfd = -1; @@ -61,7 +58,7 @@ index 7ebc76e..d97e640 100644 monitor_set_child_handler(pmonitor->m_pid); signal(SIGHUP, &monitor_child_handler); signal(SIGTERM, &monitor_child_handler); -@@ -566,7 +570,7 @@ monitor_read_log(struct monitor *pmonitor) +@@ -566,7 +570,7 @@ monitor_read_log(struct monitor *pmonito if (log_level_name(level) == NULL) fatal("%s: invalid log level %u (corrupted message?)", __func__, level); @@ -70,8 +67,8 @@ index 7ebc76e..d97e640 100644 buffer_free(&logmsg); free(msg); -@@ -2107,13 +2111,28 @@ monitor_init(void) - mm_init_compression(mon->m_zlib); +@@ -1998,13 +2002,28 @@ monitor_init(void) + (ssh_packet_comp_free_func *)mm_zfree); } + mon->m_state = ""; @@ -101,13 +98,12 @@ index 7ebc76e..d97e640 100644 } #ifdef GSSAPI -diff --git a/monitor.h b/monitor.h -index ff79fbb..00c2028 100644 ---- a/monitor.h -+++ b/monitor.h +diff -up openssh-6.8p1/monitor.h.log-in-chroot openssh-6.8p1/monitor.h +--- openssh-6.8p1/monitor.h.log-in-chroot 2015-03-18 12:59:29.695022310 +0100 ++++ openssh-6.8p1/monitor.h 2015-03-18 13:02:56.926514197 +0100 @@ -83,10 +83,11 @@ struct monitor { struct mm_master *m_zlib; - struct Kex **m_pkex; + struct kex **m_pkex; pid_t m_pid; + char *m_state; }; @@ -118,11 +114,10 @@ index ff79fbb..00c2028 100644 void monitor_sync(struct monitor *); struct Authctxt; -diff --git a/session.c b/session.c -index 9c94d8e..40a681e 100644 ---- a/session.c -+++ b/session.c -@@ -160,6 +160,8 @@ login_cap_t *lc; +diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c +--- openssh-6.8p1/session.c.log-in-chroot 2015-03-18 12:59:29.675022359 +0100 ++++ openssh-6.8p1/session.c 2015-03-18 12:59:29.696022308 +0100 +@@ -161,6 +161,8 @@ login_cap_t *lc; static int is_child = 0; @@ -131,7 +126,7 @@ index 9c94d8e..40a681e 100644 /* Name and directory of socket for authentication agent forwarding. */ static char *auth_sock_name = NULL; static char *auth_sock_dir = NULL; -@@ -505,8 +507,8 @@ do_exec_no_pty(Session *s, const char *command) +@@ -506,8 +508,8 @@ do_exec_no_pty(Session *s, const char *c is_child = 1; /* Child. Reinitialize the log since the pid has changed. */ @@ -142,7 +137,7 @@ index 9c94d8e..40a681e 100644 /* * Create a new session and process group since the 4.4BSD -@@ -674,8 +676,8 @@ do_exec_pty(Session *s, const char *command) +@@ -675,8 +677,8 @@ do_exec_pty(Session *s, const char *comm close(ptymaster); /* Child. Reinitialize the log because the pid has changed. */ @@ -153,7 +148,7 @@ index 9c94d8e..40a681e 100644 /* Close the master side of the pseudo tty. */ close(ptyfd); -@@ -779,6 +781,7 @@ do_exec(Session *s, const char *command) +@@ -780,6 +782,7 @@ do_exec(Session *s, const char *command) int ret; const char *forced = NULL; char session_type[1024], *tty = NULL; @@ -161,7 +156,7 @@ index 9c94d8e..40a681e 100644 if (options.adm_forced_command) { original_command = command; -@@ -836,6 +839,10 @@ do_exec(Session *s, const char *command) +@@ -837,6 +840,10 @@ do_exec(Session *s, const char *command) tty += 5; } @@ -172,7 +167,7 @@ index 9c94d8e..40a681e 100644 verbose("Starting session: %s%s%s for %s from %.200s port %d", session_type, tty == NULL ? "" : " on ", -@@ -1677,14 +1684,6 @@ child_close_fds(void) +@@ -1678,14 +1685,6 @@ child_close_fds(void) * descriptors left by system functions. They will be closed later. */ endpwent(); @@ -187,7 +182,7 @@ index 9c94d8e..40a681e 100644 } /* -@@ -1830,8 +1829,6 @@ do_child(Session *s, const char *command) +@@ -1831,8 +1830,6 @@ do_child(Session *s, const char *command exit(1); } @@ -196,7 +191,7 @@ index 9c94d8e..40a681e 100644 if (!options.use_login) do_rc_files(s, shell); -@@ -1855,9 +1852,17 @@ do_child(Session *s, const char *command) +@@ -1856,9 +1853,17 @@ do_child(Session *s, const char *command argv[i] = NULL; optind = optreset = 1; __progname = argv[0]; @@ -215,10 +210,9 @@ index 9c94d8e..40a681e 100644 fflush(NULL); if (options.use_login) { -diff --git a/sftp-server-main.c b/sftp-server-main.c -index 7e644ab..e162b7a 100644 ---- a/sftp-server-main.c -+++ b/sftp-server-main.c +diff -up openssh-6.8p1/sftp-server-main.c.log-in-chroot openssh-6.8p1/sftp-server-main.c +--- openssh-6.8p1/sftp-server-main.c.log-in-chroot 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/sftp-server-main.c 2015-03-18 12:59:29.696022308 +0100 @@ -47,5 +47,5 @@ main(int argc, char **argv) return 1; } @@ -226,11 +220,10 @@ index 7e644ab..e162b7a 100644 - return (sftp_server_main(argc, argv, user_pw)); + return (sftp_server_main(argc, argv, user_pw, 0)); } -diff --git a/sftp-server.c b/sftp-server.c -index 0177130..8fa7fc7 100644 ---- a/sftp-server.c -+++ b/sftp-server.c -@@ -1440,7 +1440,7 @@ sftp_server_usage(void) +diff -up openssh-6.8p1/sftp-server.c.log-in-chroot openssh-6.8p1/sftp-server.c +--- openssh-6.8p1/sftp-server.c.log-in-chroot 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/sftp-server.c 2015-03-18 13:03:52.510377911 +0100 +@@ -1502,7 +1502,7 @@ sftp_server_usage(void) } int @@ -238,8 +231,8 @@ index 0177130..8fa7fc7 100644 +sftp_server_main(int argc, char **argv, struct passwd *user_pw, int reset_handler) { fd_set *rset, *wset; - int i, in, out, max, ch, skipargs = 0, log_stderr = 0; -@@ -1453,7 +1453,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) + int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0; +@@ -1515,7 +1515,7 @@ sftp_server_main(int argc, char **argv, extern char *__progname; __progname = ssh_get_progname(argv[0]); @@ -248,7 +241,7 @@ index 0177130..8fa7fc7 100644 pw = pwcopy(user_pw); -@@ -1524,7 +1524,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) +@@ -1586,7 +1586,7 @@ sftp_server_main(int argc, char **argv, } } @@ -257,10 +250,9 @@ index 0177130..8fa7fc7 100644 #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) /* -diff --git a/sftp.h b/sftp.h -index 2bde8bb..ddf1a39 100644 ---- a/sftp.h -+++ b/sftp.h +diff -up openssh-6.8p1/sftp.h.log-in-chroot openssh-6.8p1/sftp.h +--- openssh-6.8p1/sftp.h.log-in-chroot 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/sftp.h 2015-03-18 12:59:29.696022308 +0100 @@ -97,5 +97,5 @@ struct passwd; @@ -268,11 +260,10 @@ index 2bde8bb..ddf1a39 100644 -int sftp_server_main(int, char **, struct passwd *); +int sftp_server_main(int, char **, struct passwd *, int); void sftp_server_cleanup_exit(int) __attribute__((noreturn)); -diff --git a/sshd.c b/sshd.c -index 39b9c08..ca55d7f 100644 ---- a/sshd.c -+++ b/sshd.c -@@ -737,7 +737,7 @@ privsep_postauth(Authctxt *authctxt) +diff -up openssh-6.8p1/sshd.c.log-in-chroot openssh-6.8p1/sshd.c +--- openssh-6.8p1/sshd.c.log-in-chroot 2015-03-18 12:59:29.691022320 +0100 ++++ openssh-6.8p1/sshd.c 2015-03-18 12:59:29.697022305 +0100 +@@ -744,7 +744,7 @@ privsep_postauth(Authctxt *authctxt) } /* New socket pair */ @@ -281,7 +272,7 @@ index 39b9c08..ca55d7f 100644 pmonitor->m_pid = fork(); if (pmonitor->m_pid == -1) -@@ -755,6 +755,11 @@ privsep_postauth(Authctxt *authctxt) +@@ -762,6 +762,11 @@ privsep_postauth(Authctxt *authctxt) close(pmonitor->m_sendfd); pmonitor->m_sendfd = -1; diff --git a/openssh-6.6.1p1-partial-success.patch b/openssh-6.6.1p1-partial-success.patch deleted file mode 100644 index b5c61cf..0000000 --- a/openssh-6.6.1p1-partial-success.patch +++ /dev/null @@ -1,16 +0,0 @@ -diff --git a/auth2.c b/auth2.c -index d9b440a..ec0bf12 100644 ---- a/auth2.c -+++ b/auth2.c -@@ -355,8 +355,9 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method, - authctxt->success = 1; - } else { - -- /* Allow initial try of "none" auth without failure penalty */ -- if (!authctxt->server_caused_failure && -+ /* Allow initial try of "none" auth without failure penalty -+ * Partial succes is not failure */ -+ if (!authctxt->server_caused_failure && !partial && - (authctxt->attempt > 1 || strcmp(method, "none") != 0)) - authctxt->failures++; - if (authctxt->failures >= options.max_authtries) { diff --git a/openssh-6.6.1p1-utf8-banner.patch b/openssh-6.6.1p1-utf8-banner.patch index 1ab8ade..1513b6f 100644 --- a/openssh-6.6.1p1-utf8-banner.patch +++ b/openssh-6.6.1p1-utf8-banner.patch @@ -1,21 +1,19 @@ -diff --git a/Makefile.in b/Makefile.in -index 2ad26ff..0f0d39f 100644 ---- a/Makefile.in -+++ b/Makefile.in -@@ -81,7 +81,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ +diff -up openssh-6.8p1/Makefile.in.utf8-banner openssh-6.8p1/Makefile.in +--- openssh-6.8p1/Makefile.in.utf8-banner 2015-03-18 12:41:28.174713188 +0100 ++++ openssh-6.8p1/Makefile.in 2015-03-18 12:45:52.723048114 +0100 +@@ -94,7 +94,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ - ssh-pkcs11.o krl.o smult_curve25519_ref.o \ - kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \ -- ssh-ed25519.o digest-openssl.o hmac.o \ -+ ssh-ed25519.o digest-openssl.o hmac.o utf8_stringprep.o \ - sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o - - SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ -diff --git a/misc.h b/misc.h -index d4df619..d98b83d 100644 ---- a/misc.h -+++ b/misc.h -@@ -106,4 +106,7 @@ char *read_passphrase(const char *, int); + ssh-pkcs11.o smult_curve25519_ref.o \ + poly1305.o chacha.o cipher-chachapoly.o \ +- ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \ ++ ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o utf8_stringprep.o \ + sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \ + kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \ + kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \ +diff -up openssh-6.8p1/misc.h.utf8-banner openssh-6.8p1/misc.h +--- openssh-6.8p1/misc.h.utf8-banner 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/misc.h 2015-03-18 12:41:28.175713185 +0100 +@@ -135,4 +135,7 @@ char *read_passphrase(const char *, int) int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2))); int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *); @@ -23,10 +21,9 @@ index d4df619..d98b83d 100644 +int utf8_stringprep(const char *, char *, size_t); + #endif /* _MISC_H */ -diff --git a/sshconnect2.c b/sshconnect2.c -index b00658b..08064f4 100644 ---- a/sshconnect2.c -+++ b/sshconnect2.c +diff -up openssh-6.8p1/sshconnect2.c.utf8-banner openssh-6.8p1/sshconnect2.c +--- openssh-6.8p1/sshconnect2.c.utf8-banner 2015-03-18 12:41:28.161713220 +0100 ++++ openssh-6.8p1/sshconnect2.c 2015-03-18 12:44:05.483317714 +0100 @@ -33,6 +33,8 @@ #include @@ -36,8 +33,8 @@ index b00658b..08064f4 100644 #include #include #include -@@ -519,21 +521,51 @@ input_userauth_error(int type, u_int32_t seq, void *ctxt) - "type %d", type); +@@ -532,21 +534,51 @@ input_userauth_error(int type, u_int32_t + return 0; } +/* Check whether we can display UTF-8 safely */ @@ -56,7 +53,7 @@ index b00658b..08064f4 100644 +} + /* ARGSUSED */ - void + int input_userauth_banner(int type, u_int32_t seq, void *ctxt) { char *msg, *raw, *lang; @@ -90,11 +87,9 @@ index b00658b..08064f4 100644 fprintf(stderr, "%s", msg); free(msg); } -diff --git a/stringprep-tables.c b/stringprep-tables.c -new file mode 100644 -index 0000000..49f4d9d ---- /dev/null -+++ b/stringprep-tables.c +diff -up openssh-6.8p1/stringprep-tables.c.utf8-banner openssh-6.8p1/stringprep-tables.c +--- openssh-6.8p1/stringprep-tables.c.utf8-banner 2015-03-18 12:41:28.175713185 +0100 ++++ openssh-6.8p1/stringprep-tables.c 2015-03-18 12:41:28.175713185 +0100 @@ -0,0 +1,661 @@ +/* Public domain. */ + @@ -757,11 +752,9 @@ index 0000000..49f4d9d + { 0xE0020, 0xE007F }, +}; + -diff --git a/utf8_stringprep.c b/utf8_stringprep.c -new file mode 100644 -index 0000000..bcafae7 ---- /dev/null -+++ b/utf8_stringprep.c +diff -up openssh-6.8p1/utf8_stringprep.c.utf8-banner openssh-6.8p1/utf8_stringprep.c +--- openssh-6.8p1/utf8_stringprep.c.utf8-banner 2015-03-18 12:41:28.175713185 +0100 ++++ openssh-6.8p1/utf8_stringprep.c 2015-03-18 12:41:28.175713185 +0100 @@ -0,0 +1,229 @@ +/* + * Copyright (c) 2013 Damien Miller diff --git a/openssh-6.6p1-GSSAPIEnablek5users.patch b/openssh-6.6p1-GSSAPIEnablek5users.patch index efd7917..cf01dd5 100644 --- a/openssh-6.6p1-GSSAPIEnablek5users.patch +++ b/openssh-6.6p1-GSSAPIEnablek5users.patch @@ -1,8 +1,7 @@ -diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c -index 961c564..0fcfd7b 100644 ---- a/gss-serv-krb5.c -+++ b/gss-serv-krb5.c -@@ -260,7 +260,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name, +diff -up openssh-6.8p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-6.8p1/gss-serv-krb5.c +--- openssh-6.8p1/gss-serv-krb5.c.GSSAPIEnablek5users 2015-03-18 13:04:21.505306818 +0100 ++++ openssh-6.8p1/gss-serv-krb5.c 2015-03-18 13:04:21.527306764 +0100 +@@ -260,7 +260,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri FILE *fp; char file[MAXPATHLEN]; char line[BUFSIZ] = ""; @@ -10,7 +9,7 @@ index 961c564..0fcfd7b 100644 struct stat st; struct passwd *pw = the_authctxt->pw; int found_principal = 0; -@@ -269,7 +268,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name, +@@ -269,7 +268,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir); /* If both .k5login and .k5users DNE, self-login is ok. */ @@ -19,19 +18,18 @@ index 961c564..0fcfd7b 100644 return ssh_krb5_kuserok(krb_context, principal, luser, k5login_exists); } -diff --git a/servconf.c b/servconf.c -index e4164b1..87a311b 100644 ---- a/servconf.c -+++ b/servconf.c -@@ -164,6 +164,7 @@ initialize_server_options(ServerOptions *options) +diff -up openssh-6.8p1/servconf.c.GSSAPIEnablek5users openssh-6.8p1/servconf.c +--- openssh-6.8p1/servconf.c.GSSAPIEnablek5users 2015-03-18 13:04:21.516306791 +0100 ++++ openssh-6.8p1/servconf.c 2015-03-18 13:05:26.846146608 +0100 +@@ -168,6 +168,7 @@ initialize_server_options(ServerOptions options->version_addendum = NULL; options->fingerprint_hash = -1; options->use_kuserok = -1; + options->enable_k5users = -1; } - void -@@ -331,6 +332,8 @@ fill_default_server_options(ServerOptions *options) + /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ +@@ -348,6 +349,8 @@ fill_default_server_options(ServerOption options->fingerprint_hash = SSH_FP_HASH_DEFAULT; if (options->use_kuserok == -1) options->use_kuserok = 1; @@ -40,16 +38,16 @@ index e4164b1..87a311b 100644 /* Turn privilege separation on by default */ if (use_privsep == -1) use_privsep = PRIVSEP_NOSANDBOX; -@@ -371,7 +374,7 @@ typedef enum { +@@ -406,7 +409,7 @@ typedef enum { sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication, - sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, - sClientAliveCountMax, sAuthorizedKeysFile, + sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, + sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, - sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, + sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor, sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel, sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sUsePrivilegeSeparation, sAllowAgentForwarding, -@@ -447,6 +450,7 @@ static struct { +@@ -484,6 +487,7 @@ static struct { { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL }, { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL }, { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL }, @@ -57,7 +55,7 @@ index e4164b1..87a311b 100644 #else { "gssapiauthentication", sUnsupported, SSHCFG_ALL }, { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL }, -@@ -454,6 +458,7 @@ static struct { +@@ -491,6 +495,7 @@ static struct { { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL }, { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL }, { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL }, @@ -65,7 +63,7 @@ index e4164b1..87a311b 100644 #endif { "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL }, { "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL }, -@@ -1566,6 +1571,10 @@ process_server_config_line(ServerOptions *options, char *line, +@@ -1623,6 +1628,10 @@ process_server_config_line(ServerOptions intptr = &options->use_kuserok; goto parse_flag; @@ -76,7 +74,7 @@ index e4164b1..87a311b 100644 case sPermitOpen: arg = strdelim(&cp); if (!arg || *arg == '\0') -@@ -1884,6 +1893,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) +@@ -1947,6 +1956,7 @@ copy_set_server_options(ServerOptions *d M_CP_INTOPT(ip_qos_interactive); M_CP_INTOPT(ip_qos_bulk); M_CP_INTOPT(use_kuserok); @@ -84,7 +82,7 @@ index e4164b1..87a311b 100644 M_CP_INTOPT(rekey_limit); M_CP_INTOPT(rekey_interval); -@@ -2143,6 +2153,7 @@ dump_config(ServerOptions *o) +@@ -2207,6 +2217,7 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok); @@ -92,11 +90,10 @@ index e4164b1..87a311b 100644 /* string arguments */ dump_cfg_string(sPidFile, o->pid_file); -diff --git a/servconf.h b/servconf.h -index cf2a505..070a8ed 100644 ---- a/servconf.h -+++ b/servconf.h -@@ -175,7 +175,8 @@ typedef struct { +diff -up openssh-6.8p1/servconf.h.GSSAPIEnablek5users openssh-6.8p1/servconf.h +--- openssh-6.8p1/servconf.h.GSSAPIEnablek5users 2015-03-18 13:04:21.506306815 +0100 ++++ openssh-6.8p1/servconf.h 2015-03-18 13:04:21.528306762 +0100 +@@ -177,7 +177,8 @@ typedef struct { int num_permitted_opens; @@ -106,10 +103,9 @@ index cf2a505..070a8ed 100644 char *chroot_directory; char *revoked_keys_file; char *trusted_user_ca_keys; -diff --git a/sshd_config b/sshd_config -index 0d9454d..e731de1 100644 ---- a/sshd_config -+++ b/sshd_config +diff -up openssh-6.8p1/sshd_config.GSSAPIEnablek5users openssh-6.8p1/sshd_config +--- openssh-6.8p1/sshd_config.GSSAPIEnablek5users 2015-03-18 13:04:21.506306815 +0100 ++++ openssh-6.8p1/sshd_config 2015-03-18 13:04:21.528306762 +0100 @@ -94,6 +94,7 @@ GSSAPIAuthentication yes GSSAPICleanupCredentials no #GSSAPIStrictAcceptorCheck yes @@ -118,11 +114,10 @@ index 0d9454d..e731de1 100644 # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will -diff --git a/sshd_config.5 b/sshd_config.5 -index eb4dd9e..ce1229b 100644 ---- a/sshd_config.5 -+++ b/sshd_config.5 -@@ -548,6 +548,12 @@ on logout. +diff -up openssh-6.8p1/sshd_config.5.GSSAPIEnablek5users openssh-6.8p1/sshd_config.5 +--- openssh-6.8p1/sshd_config.5.GSSAPIEnablek5users 2015-03-18 13:04:21.506306815 +0100 ++++ openssh-6.8p1/sshd_config.5 2015-03-18 13:04:21.528306762 +0100 +@@ -576,6 +576,12 @@ on logout. The default is .Dq yes . Note that this option applies to protocol version 2 only. diff --git a/openssh-6.6p1-ctr-cavstest.patch b/openssh-6.6p1-ctr-cavstest.patch index c752d62..6f4f1e8 100644 --- a/openssh-6.6p1-ctr-cavstest.patch +++ b/openssh-6.6p1-ctr-cavstest.patch @@ -1,7 +1,6 @@ -diff --git a/Makefile.in b/Makefile.in -index b225217..bbc3034 100644 ---- a/Makefile.in -+++ b/Makefile.in +diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in +--- openssh-6.8p1/Makefile.in.ctr-cavs 2015-03-18 11:22:05.493289018 +0100 ++++ openssh-6.8p1/Makefile.in 2015-03-18 11:22:44.504196316 +0100 @@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper @@ -14,12 +13,12 @@ index b225217..bbc3034 100644 MANFMT=@MANFMT@ INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@ --TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) +-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) LIBOPENSSH_OBJS=\ - ssherr.o \ -@@ -190,6 +191,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o + ssh_api.o \ +@@ -194,6 +195,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o $(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(SSHLIBS) @@ -29,7 +28,7 @@ index b225217..bbc3034 100644 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) -@@ -310,6 +314,7 @@ install-files: +@@ -326,6 +330,7 @@ install-files: $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ fi $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT) @@ -37,11 +36,9 @@ index b225217..bbc3034 100644 $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 -diff --git a/ctr-cavstest.c b/ctr-cavstest.c -new file mode 100644 -index 0000000..bbcbe8a ---- /dev/null -+++ b/ctr-cavstest.c +diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c +--- openssh-6.8p1/ctr-cavstest.c.ctr-cavs 2015-03-18 11:22:05.521288952 +0100 ++++ openssh-6.8p1/ctr-cavstest.c 2015-03-18 11:22:05.521288952 +0100 @@ -0,0 +1,208 @@ +/* + * diff --git a/openssh-6.6p1-gsskex.patch b/openssh-6.6p1-gsskex.patch index 82e59ac..42b6a10 100644 --- a/openssh-6.6p1-gsskex.patch +++ b/openssh-6.6p1-gsskex.patch @@ -1,28 +1,26 @@ -diff --git a/Makefile.in b/Makefile.in -index bbc3034..c9891e0 100644 ---- a/Makefile.in -+++ b/Makefile.in -@@ -87,6 +87,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ - atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ +diff -up openssh-6.8p1/Makefile.in.gsskex openssh-6.8p1/Makefile.in +--- openssh-6.8p1/Makefile.in.gsskex 2015-03-18 11:24:48.875900767 +0100 ++++ openssh-6.8p1/Makefile.in 2015-03-18 12:34:36.468748216 +0100 +@@ -90,6 +90,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ + readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \ + atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o \ monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ - kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ + kexgssc.o \ msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ - ssh-pkcs11.o krl.o smult_curve25519_ref.o \ - kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \ -@@ -106,7 +107,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ + ssh-pkcs11.o smult_curve25519_ref.o \ + poly1305.o chacha.o cipher-chachapoly.o \ +@@ -111,7 +112,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw + auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \ auth2-none.o auth2-passwd.o auth2-pubkey.o \ - monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \ - kexc25519s.o auth-krb5.o \ + monitor_mm.o monitor.o monitor_wrap.o auth-krb5.o \ - auth2-gss.o gss-serv.o gss-serv-krb5.o \ + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ sftp-server.o sftp-common.o \ roaming_common.o roaming_serv.o \ -diff --git a/auth2-gss.c b/auth2-gss.c -index 4803e7e..222e3e0 100644 ---- a/auth2-gss.c -+++ b/auth2-gss.c +diff -up openssh-6.8p1/auth2-gss.c.gsskex openssh-6.8p1/auth2-gss.c +--- openssh-6.8p1/auth2-gss.c.gsskex 2015-03-18 11:24:48.832900869 +0100 ++++ openssh-6.8p1/auth2-gss.c 2015-03-18 12:32:50.584011552 +0100 @@ -31,6 +31,7 @@ #include @@ -31,9 +29,9 @@ index 4803e7e..222e3e0 100644 #include "xmalloc.h" #include "key.h" -@@ -53,6 +53,40 @@ static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt); - static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); - static void input_gssapi_errtok(int, u_int32_t, void *); +@@ -53,6 +54,40 @@ static int input_gssapi_mic(int type, u_ + static int input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); + static int input_gssapi_errtok(int, u_int32_t, void *); +/* + * The 'gssapi_keyex' userauth mechanism. @@ -72,7 +70,7 @@ index 4803e7e..222e3e0 100644 /* * We only support those mechanisms that we know about (ie ones that we know * how to check local user kuserok and the like) -@@ -236,7 +270,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) +@@ -238,7 +273,8 @@ input_gssapi_exchange_complete(int type, packet_check_eom(); @@ -82,7 +80,7 @@ index 4803e7e..222e3e0 100644 authctxt->postponed = 0; dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); -@@ -278,7 +313,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) +@@ -281,7 +317,8 @@ input_gssapi_mic(int type, u_int32_t ple gssbuf.length = buffer_len(&b); if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) @@ -92,8 +90,8 @@ index 4803e7e..222e3e0 100644 else logit("GSSAPI MIC check failed"); -@@ -295,6 +331,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) - userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL); +@@ -299,6 +336,12 @@ input_gssapi_mic(int type, u_int32_t ple + return 0; } +Authmethod method_gsskeyex = { @@ -105,10 +103,9 @@ index 4803e7e..222e3e0 100644 Authmethod method_gssapi = { "gssapi-with-mic", userauth_gssapi, -diff --git a/auth2.c b/auth2.c -index d6fbc93..124d02b 100644 ---- a/auth2.c -+++ b/auth2.c +diff -up openssh-6.8p1/auth2.c.gsskex openssh-6.8p1/auth2.c +--- openssh-6.8p1/auth2.c.gsskex 2015-03-18 11:24:48.832900869 +0100 ++++ openssh-6.8p1/auth2.c 2015-03-18 11:24:48.875900767 +0100 @@ -70,6 +70,7 @@ extern Authmethod method_passwd; extern Authmethod method_kbdint; extern Authmethod method_hostbased; @@ -125,13 +122,12 @@ index d6fbc93..124d02b 100644 &method_gssapi, #endif &method_passwd, -diff --git a/clientloop.c b/clientloop.c -index 397c965..20ce0b5 100644 ---- a/clientloop.c -+++ b/clientloop.c -@@ -111,6 +111,10 @@ - #include "msg.h" - #include "roaming.h" +diff -up openssh-6.8p1/clientloop.c.gsskex openssh-6.8p1/clientloop.c +--- openssh-6.8p1/clientloop.c.gsskex 2015-03-18 11:24:48.875900767 +0100 ++++ openssh-6.8p1/clientloop.c 2015-03-18 12:30:42.647329654 +0100 +@@ -114,6 +114,10 @@ + #include "ssherr.h" + #include "hostfile.h" +#ifdef GSSAPI +#include "ssh-gss.h" @@ -140,7 +136,7 @@ index 397c965..20ce0b5 100644 /* import options */ extern Options options; -@@ -1596,6 +1600,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) +@@ -1596,6 +1600,15 @@ client_loop(int have_pty, int escape_cha /* Do channel operations unless rekeying in progress. */ if (!rekeying) { channel_after_select(readset, writeset); @@ -155,12 +151,11 @@ index 397c965..20ce0b5 100644 + if (need_rekeying || packet_need_rekeying()) { debug("need rekeying"); - xxx_kex->done = 0; -diff --git a/configure.ac b/configure.ac -index 8dedb95..2c4adac 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -584,6 +584,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) + active_state->kex->done = 0; +diff -up openssh-6.8p1/configure.ac.gsskex openssh-6.8p1/configure.ac +--- openssh-6.8p1/configure.ac.gsskex 2015-03-18 11:24:48.866900788 +0100 ++++ openssh-6.8p1/configure.ac 2015-03-18 11:24:48.876900765 +0100 +@@ -620,6 +620,30 @@ main() { if (NSVersionOfRunTimeLibrary(" [Use tunnel device compatibility to OpenBSD]) AC_DEFINE([SSH_TUN_PREPEND_AF], [1], [Prepend the address family to IP tunnel traffic]) @@ -191,11 +186,10 @@ index 8dedb95..2c4adac 100644 m4_pattern_allow([AU_IPv]) AC_CHECK_DECL([AU_IPv4], [], AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) -diff --git a/gss-genr.c b/gss-genr.c -index b39281b..a3a2289 100644 ---- a/gss-genr.c -+++ b/gss-genr.c -@@ -39,12 +39,167 @@ +diff -up openssh-6.8p1/gss-genr.c.gsskex openssh-6.8p1/gss-genr.c +--- openssh-6.8p1/gss-genr.c.gsskex 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/gss-genr.c 2015-03-18 11:24:48.876900765 +0100 +@@ -40,12 +40,167 @@ #include "buffer.h" #include "log.h" #include "ssh2.h" @@ -363,7 +357,7 @@ index b39281b..a3a2289 100644 /* Check that the OID in a data stream matches that in the context */ int ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len) -@@ -197,7 +352,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok, +@@ -198,7 +353,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int de } ctx->major = gss_init_sec_context(&ctx->minor, @@ -372,7 +366,7 @@ index b39281b..a3a2289 100644 GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, 0, NULL, recv_tok, NULL, send_tok, flags, NULL); -@@ -227,8 +382,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host) +@@ -228,8 +383,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, con } OM_uint32 @@ -415,7 +409,7 @@ index b39281b..a3a2289 100644 if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context, GSS_C_QOP_DEFAULT, buffer, hash))) ssh_gssapi_error(ctx); -@@ -236,6 +425,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash) +@@ -237,6 +426,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer return (ctx->major); } @@ -435,7 +429,7 @@ index b39281b..a3a2289 100644 void ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, const char *context) -@@ -249,11 +451,16 @@ ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, +@@ -250,11 +452,16 @@ ssh_gssapi_buildmic(Buffer *b, const cha } int @@ -453,7 +447,7 @@ index b39281b..a3a2289 100644 /* RFC 4462 says we MUST NOT do SPNEGO */ if (oid->length == spnego_oid.length && -@@ -263,6 +470,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) +@@ -264,6 +471,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx ssh_gssapi_build_ctx(ctx); ssh_gssapi_set_oid(*ctx, oid); major = ssh_gssapi_import_name(*ctx, host); @@ -464,7 +458,7 @@ index b39281b..a3a2289 100644 if (!GSS_ERROR(major)) { major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, NULL); -@@ -272,10 +483,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host) +@@ -273,10 +484,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx GSS_C_NO_BUFFER); } @@ -532,11 +526,10 @@ index b39281b..a3a2289 100644 +} + #endif /* GSSAPI */ -diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c -index 795992d..413b845 100644 ---- a/gss-serv-krb5.c -+++ b/gss-serv-krb5.c -@@ -121,7 +121,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) +diff -up openssh-6.8p1/gss-serv-krb5.c.gsskex openssh-6.8p1/gss-serv-krb5.c +--- openssh-6.8p1/gss-serv-krb5.c.gsskex 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/gss-serv-krb5.c 2015-03-18 11:24:48.876900765 +0100 +@@ -121,7 +121,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl krb5_error_code problem; krb5_principal princ; OM_uint32 maj_status, min_status; @@ -545,7 +538,7 @@ index 795992d..413b845 100644 const char *errmsg; if (client->creds == NULL) { -@@ -181,11 +181,26 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) +@@ -181,11 +181,26 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl return; } @@ -576,7 +569,7 @@ index 795992d..413b845 100644 #ifdef USE_PAM if (options.use_pam) -@@ -194,9 +209,76 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) +@@ -194,9 +209,76 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl krb5_cc_close(krb_context, ccache); @@ -663,11 +656,10 @@ index 795992d..413b845 100644 }; #endif /* KRB5 */ -diff --git a/gss-serv.c b/gss-serv.c -index 5c59924..2289e8e 100644 ---- a/gss-serv.c -+++ b/gss-serv.c -@@ -45,15 +45,20 @@ +diff -up openssh-6.8p1/gss-serv.c.gsskex openssh-6.8p1/gss-serv.c +--- openssh-6.8p1/gss-serv.c.gsskex 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/gss-serv.c 2015-03-18 11:24:48.877900762 +0100 +@@ -44,15 +44,20 @@ #include "channels.h" #include "session.h" #include "misc.h" @@ -690,20 +682,21 @@ index 5c59924..2289e8e 100644 #ifdef KRB5 extern ssh_gssapi_mech gssapi_kerberos_mech; -@@ -100,25 +105,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) +@@ -99,25 +104,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) char lname[NI_MAXHOST]; gss_OID_set oidset; - gss_create_empty_oid_set(&status, &oidset); - gss_add_oid_set_member(&status, ctx->oid, &oidset); -+ if (options.gss_strict_acceptor) { -+ gss_create_empty_oid_set(&status, &oidset); -+ gss_add_oid_set_member(&status, ctx->oid, &oidset); - +- - if (gethostname(lname, sizeof(lname))) { - gss_release_oid_set(&status, &oidset); - return (-1); - } ++ if (options.gss_strict_acceptor) { ++ gss_create_empty_oid_set(&status, &oidset); ++ gss_add_oid_set_member(&status, ctx->oid, &oidset); ++ + if (gethostname(lname, sizeof(lname))) { + gss_release_oid_set(&status, &oidset); + return (-1); @@ -722,22 +715,22 @@ index 5c59924..2289e8e 100644 gss_release_oid_set(&status, &oidset); return (ctx->major); - } -- -- if ((ctx->major = gss_acquire_cred(&ctx->minor, -- ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL))) -- ssh_gssapi_error(ctx); + } else { + ctx->name = GSS_C_NO_NAME; + ctx->creds = GSS_C_NO_CREDENTIAL; + return GSS_S_COMPLETE; + } +- if ((ctx->major = gss_acquire_cred(&ctx->minor, +- ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL))) +- ssh_gssapi_error(ctx); +- - gss_release_oid_set(&status, &oidset); - return (ctx->major); } /* Privileged */ -@@ -133,6 +145,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) +@@ -132,6 +144,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss } /* Unprivileged */ @@ -767,7 +760,7 @@ index 5c59924..2289e8e 100644 void ssh_gssapi_supported_oids(gss_OID_set *oidset) { -@@ -142,7 +177,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset) +@@ -141,7 +176,9 @@ ssh_gssapi_supported_oids(gss_OID_set *o gss_OID_set supported; gss_create_empty_oid_set(&min_status, oidset); @@ -778,7 +771,7 @@ index 5c59924..2289e8e 100644 while (supported_mechs[i]->name != NULL) { if (GSS_ERROR(gss_test_oid_set_member(&min_status, -@@ -268,8 +305,48 @@ OM_uint32 +@@ -267,8 +304,48 @@ OM_uint32 ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) { int i = 0; @@ -800,7 +793,8 @@ index 5c59924..2289e8e 100644 + ssh_gssapi_error(ctx); + return (ctx->major); + } -+ + +- gss_buffer_desc ename; + ctx->major = gss_compare_name(&ctx->minor, client->name, + new_name, &equal); + @@ -815,8 +809,7 @@ index 5c59924..2289e8e 100644 + } + + debug("Marking rekeyed credentials for export"); - -- gss_buffer_desc ename; ++ + gss_release_name(&ctx->minor, &client->name); + gss_release_cred(&ctx->minor, &client->creds); + client->name = new_name; @@ -828,7 +821,7 @@ index 5c59924..2289e8e 100644 client->mech = NULL; -@@ -284,6 +361,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) +@@ -283,6 +360,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g if (client->mech == NULL) return GSS_S_FAILURE; @@ -842,7 +835,7 @@ index 5c59924..2289e8e 100644 if ((ctx->major = gss_display_name(&ctx->minor, ctx->client, &client->displayname, NULL))) { ssh_gssapi_error(ctx); -@@ -301,6 +385,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) +@@ -300,6 +384,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g return (ctx->major); } @@ -851,7 +844,7 @@ index 5c59924..2289e8e 100644 /* We can't copy this structure, so we just move the pointer to it */ client->creds = ctx->client_creds; ctx->client_creds = GSS_C_NO_CREDENTIAL; -@@ -311,11 +397,20 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) +@@ -310,11 +396,20 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g void ssh_gssapi_cleanup_creds(void) { @@ -877,7 +870,7 @@ index 5c59924..2289e8e 100644 } } -@@ -348,7 +443,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep) +@@ -347,7 +442,7 @@ ssh_gssapi_do_child(char ***envp, u_int /* Privileged */ int @@ -886,7 +879,7 @@ index 5c59924..2289e8e 100644 { OM_uint32 lmin; -@@ -358,9 +453,11 @@ ssh_gssapi_userok(char *user) +@@ -357,9 +452,11 @@ ssh_gssapi_userok(char *user) return 0; } if (gssapi_client.mech && gssapi_client.mech->userok) @@ -900,7 +893,7 @@ index 5c59924..2289e8e 100644 /* Destroy delegated credentials if userok fails */ gss_release_buffer(&lmin, &gssapi_client.displayname); gss_release_buffer(&lmin, &gssapi_client.exportedname); -@@ -374,14 +471,90 @@ ssh_gssapi_userok(char *user) +@@ -373,14 +470,90 @@ ssh_gssapi_userok(char *user) return (0); } @@ -997,12 +990,11 @@ index 5c59924..2289e8e 100644 } #endif -diff --git a/kex.c b/kex.c -index a173e70..4563920 100644 ---- a/kex.c -+++ b/kex.c -@@ -53,6 +53,10 @@ - #include "roaming.h" +diff -up openssh-6.8p1/kex.c.gsskex openssh-6.8p1/kex.c +--- openssh-6.8p1/kex.c.gsskex 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/kex.c 2015-03-18 12:29:33.452501699 +0100 +@@ -55,6 +55,10 @@ + #include "sshbuf.h" #include "digest.h" +#ifdef GSSAPI @@ -1012,10 +1004,10 @@ index a173e70..4563920 100644 #if OPENSSL_VERSION_NUMBER >= 0x00907000L # if defined(HAVE_EVP_SHA256) # define evp_ssh_sha256 EVP_sha256 -@@ -94,6 +98,11 @@ static const struct kexalg kexalgs[] = { - #ifdef HAVE_EVP_SHA256 +@@ -95,6 +99,11 @@ static const struct kexalg kexalgs[] = { + #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL) { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, - #endif /* HAVE_EVP_SHA256 */ + #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ +#ifdef GSSAPI + { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 }, + { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 }, @@ -1024,7 +1016,7 @@ index a173e70..4563920 100644 { NULL, -1, -1, -1}, }; -@@ -123,6 +132,12 @@ kex_alg_by_name(const char *name) +@@ -128,6 +137,12 @@ kex_alg_by_name(const char *name) for (k = kexalgs; k->name != NULL; k++) { if (strcmp(k->name, name) == 0) return k; @@ -1037,11 +1029,10 @@ index a173e70..4563920 100644 } return NULL; } -diff --git a/kex.h b/kex.h -index 4c40ec8..1c76c08 100644 ---- a/kex.h -+++ b/kex.h -@@ -76,6 +76,11 @@ enum kex_exchange { +diff -up openssh-6.8p1/kex.h.gsskex openssh-6.8p1/kex.h +--- openssh-6.8p1/kex.h.gsskex 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/kex.h 2015-03-18 12:28:17.600690296 +0100 +@@ -93,6 +93,11 @@ enum kex_exchange { KEX_DH_GEX_SHA256, KEX_ECDH_SHA2, KEX_C25519_SHA256, @@ -1053,8 +1044,8 @@ index 4c40ec8..1c76c08 100644 KEX_MAX }; -@@ -135,6 +140,12 @@ struct Kex { - int flags; +@@ -139,6 +144,12 @@ struct kex { + u_int flags; int hash_alg; int ec_nid; +#ifdef GSSAPI @@ -1065,24 +1056,22 @@ index 4c40ec8..1c76c08 100644 +#endif char *client_version_string; char *server_version_string; - int (*verify_host_key)(Key *); -@@ -166,6 +177,10 @@ void kexecdh_client(Kex *); - void kexecdh_server(Kex *); - void kexc25519_client(Kex *); - void kexc25519_server(Kex *); + int (*verify_host_key)(struct sshkey *, struct ssh *); +@@ -183,6 +194,10 @@ int kexecdh_client(struct ssh *); + int kexecdh_server(struct ssh *); + int kexc25519_client(struct ssh *); + int kexc25519_server(struct ssh *); +#ifdef GSSAPI -+void kexgss_client(Kex *); -+void kexgss_server(Kex *); ++int kexgss_client(struct ssh *); ++int kexgss_server(struct ssh *); +#endif - void - kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int, -diff --git a/kexgssc.c b/kexgssc.c -new file mode 100644 -index 0000000..e90b567 ---- /dev/null -+++ b/kexgssc.c -@@ -0,0 +1,334 @@ + int kex_dh_hash(const char *, const char *, + const u_char *, size_t, const u_char *, size_t, const u_char *, size_t, +diff -up openssh-6.8p1/kexgssc.c.gsskex openssh-6.8p1/kexgssc.c +--- openssh-6.8p1/kexgssc.c.gsskex 2015-03-18 11:24:48.877900762 +0100 ++++ openssh-6.8p1/kexgssc.c 2015-03-18 11:24:48.877900762 +0100 +@@ -0,0 +1,338 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * @@ -1127,22 +1116,23 @@ index 0000000..e90b567 +#include "log.h" +#include "packet.h" +#include "dh.h" ++#include "digest.h" + +#include "ssh-gss.h" + -+void -+kexgss_client(Kex *kex) { ++int ++kexgss_client(struct ssh *ssh) { + gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; + gss_buffer_desc recv_tok, gssbuf, msg_tok, *token_ptr; + Gssctxt *ctxt; + OM_uint32 maj_status, min_status, ret_flags; -+ u_int klen, kout, slen = 0, hashlen, strlen; ++ u_int klen, kout, slen = 0, strlen; + DH *dh; + BIGNUM *dh_server_pub = NULL; + BIGNUM *shared_secret = NULL; + BIGNUM *p = NULL; + BIGNUM *g = NULL; -+ u_char *kbuf, *hash; ++ u_char *kbuf; + u_char *serverhostkey = NULL; + u_char *empty = ""; + char *msg; @@ -1150,21 +1140,23 @@ index 0000000..e90b567 + int type = 0; + int first = 1; + int nbits = 0, min = DH_GRP_MIN, max = DH_GRP_MAX; ++ u_char hash[SSH_DIGEST_MAX_LENGTH]; ++ size_t hashlen; + + /* Initialise our GSSAPI world */ + ssh_gssapi_build_ctx(&ctxt); -+ if (ssh_gssapi_id_kex(ctxt, kex->name, kex->kex_type) ++ if (ssh_gssapi_id_kex(ctxt, ssh->kex->name, ssh->kex->kex_type) + == GSS_C_NO_OID) + fatal("Couldn't identify host exchange"); + -+ if (ssh_gssapi_import_name(ctxt, kex->gss_host)) ++ if (ssh_gssapi_import_name(ctxt, ssh->kex->gss_host)) + fatal("Couldn't import hostname"); + -+ if (kex->gss_client && -+ ssh_gssapi_client_identity(ctxt, kex->gss_client)) ++ if (ssh->kex->gss_client && ++ ssh_gssapi_client_identity(ctxt, ssh->kex->gss_client)) + fatal("Couldn't acquire client credentials"); + -+ switch (kex->kex_type) { ++ switch (ssh->kex->kex_type) { + case KEX_GSS_GRP1_SHA1: + dh = dh_new_group1(); + break; @@ -1173,7 +1165,7 @@ index 0000000..e90b567 + break; + case KEX_GSS_GEX_SHA1: + debug("Doing group exchange\n"); -+ nbits = dh_estimate(kex->we_need * 8); ++ nbits = dh_estimate(ssh->kex->we_need * 8); + packet_start(SSH2_MSG_KEXGSS_GROUPREQ); + packet_put_int(min); + packet_put_int(nbits); @@ -1198,11 +1190,11 @@ index 0000000..e90b567 + dh = dh_new_group(g, p); + break; + default: -+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); ++ fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type); + } + + /* Step 1 - e is dh->pub_key */ -+ dh_gen_key(dh, kex->we_need * 8); ++ dh_gen_key(dh, ssh->kex->we_need * 8); + + /* This is f, we initialise it now to make life easier */ + dh_server_pub = BN_new(); @@ -1215,7 +1207,7 @@ index 0000000..e90b567 + debug("Calling gss_init_sec_context"); + + maj_status = ssh_gssapi_init_ctx(ctxt, -+ kex->gss_deleg_creds, token_ptr, &send_tok, ++ ssh->kex->gss_deleg_creds, token_ptr, &send_tok, + &ret_flags); + + if (GSS_ERROR(maj_status)) { @@ -1348,38 +1340,39 @@ index 0000000..e90b567 + memset(kbuf, 0, klen); + free(kbuf); + -+ switch (kex->kex_type) { ++ hashlen = sizeof(hash); ++ switch (ssh->kex->kex_type) { + case KEX_GSS_GRP1_SHA1: + case KEX_GSS_GRP14_SHA1: -+ kex_dh_hash( kex->client_version_string, -+ kex->server_version_string, -+ buffer_ptr(&kex->my), buffer_len(&kex->my), -+ buffer_ptr(&kex->peer), buffer_len(&kex->peer), ++ kex_dh_hash( ssh->kex->client_version_string, ++ ssh->kex->server_version_string, ++ buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my), ++ buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer), + (serverhostkey ? serverhostkey : empty), slen, + dh->pub_key, /* e */ + dh_server_pub, /* f */ + shared_secret, /* K */ -+ &hash, &hashlen ++ hash, &hashlen + ); + break; + case KEX_GSS_GEX_SHA1: + kexgex_hash( -+ kex->hash_alg, -+ kex->client_version_string, -+ kex->server_version_string, -+ buffer_ptr(&kex->my), buffer_len(&kex->my), -+ buffer_ptr(&kex->peer), buffer_len(&kex->peer), ++ ssh->kex->hash_alg, ++ ssh->kex->client_version_string, ++ ssh->kex->server_version_string, ++ buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my), ++ buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer), + (serverhostkey ? serverhostkey : empty), slen, + min, nbits, max, + dh->p, dh->g, + dh->pub_key, + dh_server_pub, + shared_secret, -+ &hash, &hashlen ++ hash, &hashlen + ); + break; + default: -+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); ++ fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type); + } + + gssbuf.value = hash; @@ -1397,13 +1390,13 @@ index 0000000..e90b567 + BN_clear_free(dh_server_pub); + + /* save session id */ -+ if (kex->session_id == NULL) { -+ kex->session_id_len = hashlen; -+ kex->session_id = xmalloc(kex->session_id_len); -+ memcpy(kex->session_id, hash, kex->session_id_len); ++ if (ssh->kex->session_id == NULL) { ++ ssh->kex->session_id_len = hashlen; ++ ssh->kex->session_id = xmalloc(ssh->kex->session_id_len); ++ memcpy(ssh->kex->session_id, hash, ssh->kex->session_id_len); + } + -+ if (kex->gss_deleg_creds) ++ if (ssh->kex->gss_deleg_creds) + ssh_gssapi_credentials_updated(ctxt); + + if (gss_kex_context == NULL) @@ -1411,18 +1404,16 @@ index 0000000..e90b567 + else + ssh_gssapi_delete_ctx(&ctxt); + -+ kex_derive_keys_bn(kex, hash, hashlen, shared_secret); ++ kex_derive_keys_bn(ssh, hash, hashlen, shared_secret); + BN_clear_free(shared_secret); -+ kex_finish(kex); ++ return kex_send_newkeys(ssh); +} + +#endif /* GSSAPI */ -diff --git a/kexgsss.c b/kexgsss.c -new file mode 100644 -index 0000000..b880998 ---- /dev/null -+++ b/kexgsss.c -@@ -0,0 +1,290 @@ +diff -up openssh-6.8p1/kexgsss.c.gsskex openssh-6.8p1/kexgsss.c +--- openssh-6.8p1/kexgsss.c.gsskex 2015-03-18 11:24:48.878900760 +0100 ++++ openssh-6.8p1/kexgsss.c 2015-03-18 11:24:48.878900760 +0100 +@@ -0,0 +1,295 @@ +/* + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * @@ -1470,11 +1461,12 @@ index 0000000..b880998 +#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */ +#include "servconf.h" +#include "ssh-gss.h" ++#include "digest.h" + +extern ServerOptions options; + -+void -+kexgss_server(Kex *kex) ++int ++kexgss_server(struct ssh *ssh) +{ + OM_uint32 maj_status, min_status; + @@ -1489,8 +1481,8 @@ index 0000000..b880998 + gss_buffer_desc gssbuf, recv_tok, msg_tok; + gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; + Gssctxt *ctxt = NULL; -+ u_int slen, klen, kout, hashlen; -+ u_char *kbuf, *hash; ++ u_int slen, klen, kout; ++ u_char *kbuf; + DH *dh; + int min = -1, max = -1, nbits = -1; + BIGNUM *shared_secret = NULL; @@ -1498,6 +1490,8 @@ index 0000000..b880998 + int type = 0; + gss_OID oid; + char *mechs; ++ u_char hash[SSH_DIGEST_MAX_LENGTH]; ++ size_t hashlen; + + /* Initialise GSSAPI */ + @@ -1509,8 +1503,8 @@ index 0000000..b880998 + if ((mechs = ssh_gssapi_server_mechanisms())) + free(mechs); + -+ debug2("%s: Identifying %s", __func__, kex->name); -+ oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type); ++ debug2("%s: Identifying %s", __func__, ssh->kex->name); ++ oid = ssh_gssapi_id_kex(NULL, ssh->kex->name, ssh->kex->kex_type); + if (oid == GSS_C_NO_OID) + fatal("Unknown gssapi mechanism"); + @@ -1519,7 +1513,7 @@ index 0000000..b880998 + if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid)))) + fatal("Unable to acquire credentials for the server"); + -+ switch (kex->kex_type) { ++ switch (ssh->kex->kex_type) { + case KEX_GSS_GRP1_SHA1: + dh = dh_new_group1(); + break; @@ -1550,10 +1544,10 @@ index 0000000..b880998 + packet_write_wait(); + break; + default: -+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); ++ fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type); + } + -+ dh_gen_key(dh, kex->we_need * 8); ++ dh_gen_key(dh, ssh->kex->we_need * 8); + + do { + debug("Wait SSH2_MSG_GSSAPI_INIT"); @@ -1636,43 +1630,44 @@ index 0000000..b880998 + memset(kbuf, 0, klen); + free(kbuf); + -+ switch (kex->kex_type) { ++ hashlen = sizeof(hash); ++ switch (ssh->kex->kex_type) { + case KEX_GSS_GRP1_SHA1: + case KEX_GSS_GRP14_SHA1: + kex_dh_hash( -+ kex->client_version_string, kex->server_version_string, -+ buffer_ptr(&kex->peer), buffer_len(&kex->peer), -+ buffer_ptr(&kex->my), buffer_len(&kex->my), ++ ssh->kex->client_version_string, ssh->kex->server_version_string, ++ buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer), ++ buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my), + NULL, 0, /* Change this if we start sending host keys */ + dh_client_pub, dh->pub_key, shared_secret, -+ &hash, &hashlen ++ hash, &hashlen + ); + break; + case KEX_GSS_GEX_SHA1: + kexgex_hash( -+ kex->hash_alg, -+ kex->client_version_string, kex->server_version_string, -+ buffer_ptr(&kex->peer), buffer_len(&kex->peer), -+ buffer_ptr(&kex->my), buffer_len(&kex->my), ++ ssh->kex->hash_alg, ++ ssh->kex->client_version_string, ssh->kex->server_version_string, ++ buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer), ++ buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my), + NULL, 0, + min, nbits, max, + dh->p, dh->g, + dh_client_pub, + dh->pub_key, + shared_secret, -+ &hash, &hashlen ++ hash, &hashlen + ); + break; + default: -+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); ++ fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type); + } + + BN_clear_free(dh_client_pub); + -+ if (kex->session_id == NULL) { -+ kex->session_id_len = hashlen; -+ kex->session_id = xmalloc(kex->session_id_len); -+ memcpy(kex->session_id, hash, kex->session_id_len); ++ if (ssh->kex->session_id == NULL) { ++ ssh->kex->session_id_len = hashlen; ++ ssh->kex->session_id = xmalloc(ssh->kex->session_id_len); ++ memcpy(ssh->kex->session_id, hash, ssh->kex->session_id_len); + } + + gssbuf.value = hash; @@ -1703,21 +1698,21 @@ index 0000000..b880998 + + DH_free(dh); + -+ kex_derive_keys_bn(kex, hash, hashlen, shared_secret); ++ kex_derive_keys_bn(ssh, hash, hashlen, shared_secret); + BN_clear_free(shared_secret); -+ kex_finish(kex); ++ kex_send_newkeys(ssh); + + /* If this was a rekey, then save out any delegated credentials we + * just exchanged. */ + if (options.gss_store_rekey) + ssh_gssapi_rekey_creds(); ++ return 0; +} +#endif /* GSSAPI */ -diff --git a/monitor.c b/monitor.c -index d3f87e1..7ebc76e 100644 ---- a/monitor.c -+++ b/monitor.c -@@ -181,6 +181,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *); +diff -up openssh-6.8p1/monitor.c.gsskex openssh-6.8p1/monitor.c +--- openssh-6.8p1/monitor.c.gsskex 2015-03-18 11:24:48.834900865 +0100 ++++ openssh-6.8p1/monitor.c 2015-03-18 12:24:38.971233895 +0100 +@@ -160,6 +160,8 @@ int mm_answer_gss_setup_ctx(int, Buffer int mm_answer_gss_accept_ctx(int, Buffer *); int mm_answer_gss_userok(int, Buffer *); int mm_answer_gss_checkmic(int, Buffer *); @@ -1726,7 +1721,7 @@ index d3f87e1..7ebc76e 100644 #endif #ifdef SSH_AUDIT_EVENTS -@@ -261,11 +263,18 @@ struct mon_table mon_dispatch_proto20[] = { +@@ -240,11 +242,18 @@ struct mon_table mon_dispatch_proto20[] {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, @@ -1745,7 +1740,7 @@ index d3f87e1..7ebc76e 100644 #ifdef WITH_OPENSSL {MONITOR_REQ_MODULI, 0, mm_answer_moduli}, #endif -@@ -380,6 +389,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) +@@ -359,6 +368,10 @@ monitor_child_preauth(Authctxt *_authctx /* Permit requests for moduli and signatures */ monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); @@ -1756,7 +1751,7 @@ index d3f87e1..7ebc76e 100644 } else { mon_dispatch = mon_dispatch_proto15; -@@ -488,6 +501,10 @@ monitor_child_postauth(struct monitor *pmonitor) +@@ -467,6 +480,10 @@ monitor_child_postauth(struct monitor *p monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1); monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1); monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); @@ -1767,10 +1762,10 @@ index d3f87e1..7ebc76e 100644 } else { mon_dispatch = mon_dispatch_postauth15; monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1); -@@ -1893,6 +1910,13 @@ mm_get_kex(Buffer *m) - kex->kex[KEX_ECDH_SHA2] = kexecdh_server; - #endif - kex->kex[KEX_C25519_SHA256] = kexc25519_server; +@@ -1892,6 +1909,13 @@ monitor_apply_keystate(struct monitor *p + # endif + #endif /* WITH_OPENSSL */ + kex->kex[KEX_C25519_SHA256] = kexc25519_server; +#ifdef GSSAPI + if (options.gss_keyex) { + kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server; @@ -1778,10 +1773,10 @@ index d3f87e1..7ebc76e 100644 + kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server; + } +#endif - kex->server = 1; - kex->hostkey_type = buffer_get_int(m); - kex->kex_type = buffer_get_int(m); -@@ -2100,6 +2124,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) + kex->load_host_public_key=&get_hostkey_public_by_type; + kex->load_host_private_key=&get_hostkey_private_by_type; + kex->host_key_index=&get_hostkey_index; +@@ -1991,6 +2015,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer OM_uint32 major; u_int len; @@ -1791,7 +1786,7 @@ index d3f87e1..7ebc76e 100644 goid.elements = buffer_get_string(m, &len); goid.length = len; -@@ -2127,6 +2154,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) +@@ -2018,6 +2045,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe OM_uint32 flags = 0; /* GSI needs this */ u_int len; @@ -1801,7 +1796,7 @@ index d3f87e1..7ebc76e 100644 in.value = buffer_get_string(m, &len); in.length = len; major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); -@@ -2144,6 +2174,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) +@@ -2035,6 +2065,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); @@ -1809,7 +1804,7 @@ index d3f87e1..7ebc76e 100644 } return (0); } -@@ -2155,6 +2186,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m) +@@ -2046,6 +2077,9 @@ mm_answer_gss_checkmic(int sock, Buffer OM_uint32 ret; u_int len; @@ -1819,7 +1814,7 @@ index d3f87e1..7ebc76e 100644 gssbuf.value = buffer_get_string(m, &len); gssbuf.length = len; mic.value = buffer_get_string(m, &len); -@@ -2181,7 +2215,11 @@ mm_answer_gss_userok(int sock, Buffer *m) +@@ -2072,7 +2106,11 @@ mm_answer_gss_userok(int sock, Buffer *m { int authenticated; @@ -1832,7 +1827,7 @@ index d3f87e1..7ebc76e 100644 buffer_clear(m); buffer_put_int(m, authenticated); -@@ -2194,5 +2232,73 @@ mm_answer_gss_userok(int sock, Buffer *m) +@@ -2085,5 +2123,73 @@ mm_answer_gss_userok(int sock, Buffer *m /* Monitor loop will terminate if authenticated */ return (authenticated); } @@ -1906,10 +1901,9 @@ index d3f87e1..7ebc76e 100644 + #endif /* GSSAPI */ -diff --git a/monitor.h b/monitor.h -index 20e2b4a..ff79fbb 100644 ---- a/monitor.h -+++ b/monitor.h +diff -up openssh-6.8p1/monitor.h.gsskex openssh-6.8p1/monitor.h +--- openssh-6.8p1/monitor.h.gsskex 2015-03-18 11:24:48.834900865 +0100 ++++ openssh-6.8p1/monitor.h 2015-03-18 11:24:48.878900760 +0100 @@ -60,6 +60,8 @@ enum monitor_reqtype { #ifdef WITH_SELINUX MONITOR_REQ_AUTHROLE = 80, @@ -1919,11 +1913,10 @@ index 20e2b4a..ff79fbb 100644 MONITOR_REQ_PAM_START = 100, MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103, -diff --git a/monitor_wrap.c b/monitor_wrap.c -index 82f114c..7e991e6 100644 ---- a/monitor_wrap.c -+++ b/monitor_wrap.c -@@ -1300,7 +1300,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) +diff -up openssh-6.8p1/monitor_wrap.c.gsskex openssh-6.8p1/monitor_wrap.c +--- openssh-6.8p1/monitor_wrap.c.gsskex 2015-03-18 11:24:48.834900865 +0100 ++++ openssh-6.8p1/monitor_wrap.c 2015-03-18 11:24:48.878900760 +0100 +@@ -1087,7 +1087,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss } int @@ -1932,7 +1925,7 @@ index 82f114c..7e991e6 100644 { Buffer m; int authenticated = 0; -@@ -1317,5 +1317,50 @@ mm_ssh_gssapi_userok(char *user) +@@ -1104,5 +1104,50 @@ mm_ssh_gssapi_userok(char *user) debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); return (authenticated); } @@ -1983,11 +1976,10 @@ index 82f114c..7e991e6 100644 + #endif /* GSSAPI */ -diff --git a/monitor_wrap.h b/monitor_wrap.h -index 9d5e5ba..93929e0 100644 ---- a/monitor_wrap.h -+++ b/monitor_wrap.h -@@ -61,8 +61,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(Key *); +diff -up openssh-6.8p1/monitor_wrap.h.gsskex openssh-6.8p1/monitor_wrap.h +--- openssh-6.8p1/monitor_wrap.h.gsskex 2015-03-18 11:24:48.834900865 +0100 ++++ openssh-6.8p1/monitor_wrap.h 2015-03-18 11:24:48.878900760 +0100 +@@ -61,8 +61,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID); OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *, gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *); @@ -1999,11 +1991,10 @@ index 9d5e5ba..93929e0 100644 #endif #ifdef USE_PAM -diff --git a/readconf.c b/readconf.c -index 3f5c58b..1c07766 100644 ---- a/readconf.c -+++ b/readconf.c -@@ -143,6 +143,8 @@ typedef enum { +diff -up openssh-6.8p1/readconf.c.gsskex openssh-6.8p1/readconf.c +--- openssh-6.8p1/readconf.c.gsskex 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/readconf.c 2015-03-18 11:24:48.879900758 +0100 +@@ -147,6 +147,8 @@ typedef enum { oClearAllForwardings, oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, oAddressFamily, oGssAuthentication, oGssDelegateCreds, @@ -2012,7 +2003,7 @@ index 3f5c58b..1c07766 100644 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oSendEnv, oControlPath, oControlMaster, oControlPersist, oHashKnownHosts, -@@ -187,10 +189,19 @@ static struct { +@@ -191,10 +193,19 @@ static struct { { "afstokenpassing", oUnsupported }, #if defined(GSSAPI) { "gssapiauthentication", oGssAuthentication }, @@ -2032,7 +2023,7 @@ index 3f5c58b..1c07766 100644 #endif { "fallbacktorsh", oDeprecated }, { "usersh", oDeprecated }, -@@ -868,10 +879,30 @@ parse_time: +@@ -892,10 +903,30 @@ parse_time: intptr = &options->gss_authentication; goto parse_flag; @@ -2063,7 +2054,7 @@ index 3f5c58b..1c07766 100644 case oBatchMode: intptr = &options->batch_mode; goto parse_flag; -@@ -1553,7 +1584,12 @@ initialize_options(Options * options) +@@ -1601,7 +1632,12 @@ initialize_options(Options * options) options->pubkey_authentication = -1; options->challenge_response_authentication = -1; options->gss_authentication = -1; @@ -2076,7 +2067,7 @@ index 3f5c58b..1c07766 100644 options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; -@@ -1677,8 +1713,14 @@ fill_default_options(Options * options) +@@ -1728,8 +1764,14 @@ fill_default_options(Options * options) options->challenge_response_authentication = 1; if (options->gss_authentication == -1) options->gss_authentication = 0; @@ -2091,10 +2082,9 @@ index 3f5c58b..1c07766 100644 if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -diff --git a/readconf.h b/readconf.h -index a028306..1dbe509 100644 ---- a/readconf.h -+++ b/readconf.h +diff -up openssh-6.8p1/readconf.h.gsskex openssh-6.8p1/readconf.h +--- openssh-6.8p1/readconf.h.gsskex 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/readconf.h 2015-03-18 11:24:48.879900758 +0100 @@ -45,7 +45,12 @@ typedef struct { int challenge_response_authentication; /* Try S/Key or TIS, authentication. */ @@ -2108,23 +2098,21 @@ index a028306..1dbe509 100644 int password_authentication; /* Try password * authentication. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ -diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh -index 1d9e0ed..1277409 100644 ---- a/regress/cert-hostkey.sh -+++ b/regress/cert-hostkey.sh -@@ -17,7 +17,7 @@ ${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||\ - cat $OBJ/host_ca_key.pub - ) > $OBJ/known_hosts-cert +diff -up openssh-6.8p1/regress/cert-hostkey.sh.gsskex openssh-6.8p1/regress/cert-hostkey.sh +--- openssh-6.8p1/regress/cert-hostkey.sh.gsskex 2015-03-18 11:24:48.879900758 +0100 ++++ openssh-6.8p1/regress/cert-hostkey.sh 2015-03-18 12:15:49.556546478 +0100 +@@ -25,7 +25,7 @@ touch $OBJ/host_revoked_plain + touch $OBJ/host_revoked_cert + cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca -PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` +PLAIN_TYPES=`$SSH -Q key-plain | grep -v null | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` type_has_legacy() { case $1 in -diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh -index b093a91..4c8da00 100644 ---- a/regress/cert-userkey.sh -+++ b/regress/cert-userkey.sh +diff -up openssh-6.8p1/regress/cert-userkey.sh.gsskex openssh-6.8p1/regress/cert-userkey.sh +--- openssh-6.8p1/regress/cert-userkey.sh.gsskex 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/regress/cert-userkey.sh 2015-03-18 11:24:48.879900758 +0100 @@ -6,7 +6,7 @@ tid="certified user keys" rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key* cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak @@ -2134,11 +2122,10 @@ index b093a91..4c8da00 100644 type_has_legacy() { case $1 in -diff --git a/regress/kextype.sh b/regress/kextype.sh -index 6f952f4..bcb609b 100644 ---- a/regress/kextype.sh -+++ b/regress/kextype.sh -@@ -14,6 +14,9 @@ echo "KexAlgorithms=$KEXOPT" >> $OBJ/sshd_proxy +diff -up openssh-6.8p1/regress/kextype.sh.gsskex openssh-6.8p1/regress/kextype.sh +--- openssh-6.8p1/regress/kextype.sh.gsskex 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/regress/kextype.sh 2015-03-18 11:24:48.879900758 +0100 +@@ -14,6 +14,9 @@ echo "KexAlgorithms=$KEXOPT" >> $OBJ/ssh tries="1 2 3 4" for k in `${SSH} -Q kex`; do @@ -2148,10 +2135,9 @@ index 6f952f4..bcb609b 100644 verbose "kex $k" for i in $tries; do ${SSH} -F $OBJ/ssh_proxy -o KexAlgorithms=$k x true -diff --git a/regress/rekey.sh b/regress/rekey.sh -index fd452b0..1148197 100644 ---- a/regress/rekey.sh -+++ b/regress/rekey.sh +diff -up openssh-6.8p1/regress/rekey.sh.gsskex openssh-6.8p1/regress/rekey.sh +--- openssh-6.8p1/regress/rekey.sh.gsskex 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/regress/rekey.sh 2015-03-18 11:24:48.879900758 +0100 @@ -38,6 +38,9 @@ increase_datafile_size 300 opts="" @@ -2172,11 +2158,10 @@ index fd452b0..1148197 100644 verbose "client rekey $c $kex" ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c done -diff --git a/servconf.c b/servconf.c -index c8a3f28..179c20d 100644 ---- a/servconf.c -+++ b/servconf.c -@@ -110,7 +110,10 @@ initialize_server_options(ServerOptions *options) +diff -up openssh-6.8p1/servconf.c.gsskex openssh-6.8p1/servconf.c +--- openssh-6.8p1/servconf.c.gsskex 2015-03-18 11:24:48.866900788 +0100 ++++ openssh-6.8p1/servconf.c 2015-03-18 12:14:37.967721387 +0100 +@@ -114,7 +114,10 @@ initialize_server_options(ServerOptions options->kerberos_ticket_cleanup = -1; options->kerberos_get_afs_token = -1; options->gss_authentication=-1; @@ -2187,7 +2172,7 @@ index c8a3f28..179c20d 100644 options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; -@@ -253,8 +256,14 @@ fill_default_server_options(ServerOptions *options) +@@ -270,8 +273,14 @@ fill_default_server_options(ServerOption options->kerberos_get_afs_token = 0; if (options->gss_authentication == -1) options->gss_authentication = 0; @@ -2202,17 +2187,17 @@ index c8a3f28..179c20d 100644 if (options->password_authentication == -1) options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) -@@ -359,7 +368,8 @@ typedef enum { +@@ -394,7 +403,8 @@ typedef enum { sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication, - sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, - sClientAliveCountMax, sAuthorizedKeysFile, + sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, + sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, - sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel, + sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, + sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel, sMatch, sPermitOpen, sForceCommand, sChrootDirectory, sUsePrivilegeSeparation, sAllowAgentForwarding, sHostCertificate, -@@ -428,10 +438,20 @@ static struct { +@@ -465,10 +475,20 @@ static struct { #ifdef GSSAPI { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL }, @@ -2233,7 +2218,7 @@ index c8a3f28..179c20d 100644 { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL }, { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, -@@ -1113,10 +1133,22 @@ process_server_config_line(ServerOptions *options, char *line, +@@ -1170,10 +1190,22 @@ process_server_config_line(ServerOptions intptr = &options->gss_authentication; goto parse_flag; @@ -2256,7 +2241,7 @@ index c8a3f28..179c20d 100644 case sPasswordAuthentication: intptr = &options->password_authentication; goto parse_flag; -@@ -2070,6 +2102,9 @@ dump_config(ServerOptions *o) +@@ -2134,6 +2166,9 @@ dump_config(ServerOptions *o) #ifdef GSSAPI dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds); @@ -2266,11 +2251,10 @@ index c8a3f28..179c20d 100644 #endif dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication); dump_cfg_fmtint(sKbdInteractiveAuthentication, -diff --git a/servconf.h b/servconf.h -index 21719e2..397698b 100644 ---- a/servconf.h -+++ b/servconf.h -@@ -113,7 +113,10 @@ typedef struct { +diff -up openssh-6.8p1/servconf.h.gsskex openssh-6.8p1/servconf.h +--- openssh-6.8p1/servconf.h.gsskex 2015-03-18 11:24:48.866900788 +0100 ++++ openssh-6.8p1/servconf.h 2015-03-18 11:24:48.880900755 +0100 +@@ -115,7 +115,10 @@ typedef struct { int kerberos_get_afs_token; /* If true, try to get AFS token if * authenticated with Kerberos. */ int gss_authentication; /* If true, permit GSSAPI authentication */ @@ -2281,10 +2265,9 @@ index 21719e2..397698b 100644 int password_authentication; /* If true, permit password * authentication. */ int kbd_interactive_authentication; /* If true, permit */ -diff --git a/ssh-gss.h b/ssh-gss.h -index a99d7f0..0374c88 100644 ---- a/ssh-gss.h -+++ b/ssh-gss.h +diff -up openssh-6.8p1/ssh-gss.h.gsskex openssh-6.8p1/ssh-gss.h +--- openssh-6.8p1/ssh-gss.h.gsskex 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/ssh-gss.h 2015-03-18 11:24:48.880900755 +0100 @@ -1,6 +1,6 @@ /* $OpenBSD: ssh-gss.h,v 1.11 2014/02/26 20:28:44 djm Exp $ */ /* @@ -2384,10 +2367,9 @@ index a99d7f0..0374c88 100644 #endif /* GSSAPI */ #endif /* _SSH_GSS_H */ -diff --git a/ssh_config b/ssh_config -index 3f83c40..4a0fb82 100644 ---- a/ssh_config -+++ b/ssh_config +diff -up openssh-6.8p1/ssh_config.gsskex openssh-6.8p1/ssh_config +--- openssh-6.8p1/ssh_config.gsskex 2015-03-18 11:24:48.861900800 +0100 ++++ openssh-6.8p1/ssh_config 2015-03-18 11:24:48.880900755 +0100 @@ -26,6 +26,8 @@ # HostbasedAuthentication no # GSSAPIAuthentication no @@ -2397,11 +2379,10 @@ index 3f83c40..4a0fb82 100644 # BatchMode no # CheckHostIP yes # AddressFamily any -diff --git a/ssh_config.5 b/ssh_config.5 -index f9ede7a..e6649ac 100644 ---- a/ssh_config.5 -+++ b/ssh_config.5 -@@ -701,11 +701,43 @@ Specifies whether user authentication based on GSSAPI is allowed. +diff -up openssh-6.8p1/ssh_config.5.gsskex openssh-6.8p1/ssh_config.5 +--- openssh-6.8p1/ssh_config.5.gsskex 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/ssh_config.5 2015-03-18 11:24:48.881900753 +0100 +@@ -743,11 +743,43 @@ Specifies whether user authentication ba The default is .Dq no . Note that this option applies to protocol version 2 only. @@ -2446,13 +2427,12 @@ index f9ede7a..e6649ac 100644 .It Cm HashKnownHosts Indicates that .Xr ssh 1 -diff --git a/sshconnect2.c b/sshconnect2.c -index 4724b66..703f8e4 100644 ---- a/sshconnect2.c -+++ b/sshconnect2.c -@@ -159,9 +159,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) - char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT }; - Kex *kex; +diff -up openssh-6.8p1/sshconnect2.c.gsskex openssh-6.8p1/sshconnect2.c +--- openssh-6.8p1/sshconnect2.c.gsskex 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/sshconnect2.c 2015-03-18 11:32:36.879784546 +0100 +@@ -160,9 +160,34 @@ ssh_kex2(char *host, struct sockaddr *ho + struct kex *kex; + int r; +#ifdef GSSAPI + char *orig = NULL, *gss = NULL; @@ -2485,7 +2465,7 @@ index 4724b66..703f8e4 100644 if (options.ciphers == (char *)-1) { logit("No valid ciphers for protocol version 2 given, using defaults."); options.ciphers = NULL; -@@ -199,6 +224,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) +@@ -200,6 +225,17 @@ ssh_kex2(char *host, struct sockaddr *ho myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( myproposal[PROPOSAL_KEX_ALGS]); @@ -2503,10 +2483,10 @@ index 4724b66..703f8e4 100644 if (options.rekey_limit || options.rekey_interval) packet_set_rekey_limits((u_int32_t)options.rekey_limit, (time_t)options.rekey_interval); -@@ -213,10 +249,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) +@@ -217,11 +253,31 @@ ssh_kex2(char *host, struct sockaddr *ho kex->kex[KEX_ECDH_SHA2] = kexecdh_client; + # endif #endif - kex->kex[KEX_C25519_SHA256] = kexc25519_client; +#ifdef GSSAPI + if (options.gss_keyex) { + kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client; @@ -2514,6 +2494,7 @@ index 4724b66..703f8e4 100644 + kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client; + } +#endif + kex->kex[KEX_C25519_SHA256] = kexc25519_client; kex->client_version_string=client_version_string; kex->server_version_string=server_version_string; kex->verify_host_key=&verify_host_key_callback; @@ -2531,18 +2512,18 @@ index 4724b66..703f8e4 100644 + } +#endif + - xxx_kex = kex; + dispatch_run(DISPATCH_BLOCK, &kex->done, active_state); - dispatch_run(DISPATCH_BLOCK, &kex->done, kex); -@@ -306,6 +362,7 @@ void input_gssapi_token(int type, u_int32_t, void *); - void input_gssapi_hash(int type, u_int32_t, void *); - void input_gssapi_error(int, u_int32_t, void *); - void input_gssapi_errtok(int, u_int32_t, void *); + if (options.use_roaming && !kex->roaming) { +@@ -313,6 +369,7 @@ int input_gssapi_token(int type, u_int32 + int input_gssapi_hash(int type, u_int32_t, void *); + int input_gssapi_error(int, u_int32_t, void *); + int input_gssapi_errtok(int, u_int32_t, void *); +int userauth_gsskeyex(Authctxt *authctxt); #endif void userauth(Authctxt *, char *); -@@ -321,6 +378,11 @@ static char *authmethods_get(void); +@@ -328,6 +385,11 @@ static char *authmethods_get(void); Authmethod authmethods[] = { #ifdef GSSAPI @@ -2554,7 +2535,7 @@ index 4724b66..703f8e4 100644 {"gssapi-with-mic", userauth_gssapi, NULL, -@@ -617,19 +679,31 @@ userauth_gssapi(Authctxt *authctxt) +@@ -634,19 +696,31 @@ userauth_gssapi(Authctxt *authctxt) static u_int mech = 0; OM_uint32 min; int ok = 0; @@ -2588,7 +2569,7 @@ index 4724b66..703f8e4 100644 ok = 1; /* Mechanism works */ } else { mech++; -@@ -726,8 +800,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) +@@ -743,8 +817,8 @@ input_gssapi_response(int type, u_int32_ { Authctxt *authctxt = ctxt; Gssctxt *gssctxt; @@ -2599,9 +2580,9 @@ index 4724b66..703f8e4 100644 if (authctxt == NULL) fatal("input_gssapi_response: no authentication context"); -@@ -836,6 +910,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt) - free(msg); +@@ -857,6 +931,48 @@ input_gssapi_error(int type, u_int32_t p free(lang); + return 0; } + +int @@ -2648,11 +2629,10 @@ index 4724b66..703f8e4 100644 #endif /* GSSAPI */ int -diff --git a/sshd.c b/sshd.c -index f7b8aba..2871fe9 100644 ---- a/sshd.c -+++ b/sshd.c -@@ -1761,10 +1761,13 @@ main(int ac, char **av) +diff -up openssh-6.8p1/sshd.c.gsskex openssh-6.8p1/sshd.c +--- openssh-6.8p1/sshd.c.gsskex 2015-03-18 11:24:48.869900781 +0100 ++++ openssh-6.8p1/sshd.c 2015-03-18 11:35:53.260315986 +0100 +@@ -1831,10 +1831,13 @@ main(int ac, char **av) logit("Disabling protocol version 1. Could not load host key"); options.protocol &= ~SSH_PROTO_1; } @@ -2666,7 +2646,7 @@ index f7b8aba..2871fe9 100644 if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) { logit("sshd: no hostkeys available -- exiting."); exit(1); -@@ -2501,6 +2504,49 @@ do_ssh2_kex(void) +@@ -2580,6 +2583,48 @@ do_ssh2_kex(void) myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( list_hostkey_types()); @@ -2711,13 +2691,12 @@ index f7b8aba..2871fe9 100644 + fatal("No supported key exchange algorithms"); + } +#endif -+ + /* start key exchange */ - kex = kex_setup(myproposal); - #ifdef WITH_OPENSSL -@@ -2511,6 +2557,13 @@ do_ssh2_kex(void) - kex->kex[KEX_ECDH_SHA2] = kexecdh_server; + if ((r = kex_setup(active_state, myproposal)) != 0) + fatal("kex_setup: %s", ssh_err(r)); +@@ -2594,6 +2639,13 @@ do_ssh2_kex(void) + # endif #endif kex->kex[KEX_C25519_SHA256] = kexc25519_server; +#ifdef GSSAPI @@ -2730,10 +2709,9 @@ index f7b8aba..2871fe9 100644 kex->server = 1; kex->client_version_string=client_version_string; kex->server_version_string=server_version_string; -diff --git a/sshd_config b/sshd_config -index 7061f75..f4796fc 100644 ---- a/sshd_config -+++ b/sshd_config +diff -up openssh-6.8p1/sshd_config.gsskex openssh-6.8p1/sshd_config +--- openssh-6.8p1/sshd_config.gsskex 2015-03-18 11:24:48.869900781 +0100 ++++ openssh-6.8p1/sshd_config 2015-03-18 11:24:48.882900750 +0100 @@ -91,6 +91,8 @@ ChallengeResponseAuthentication no # GSSAPI options GSSAPIAuthentication yes @@ -2743,11 +2721,10 @@ index 7061f75..f4796fc 100644 # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will -diff --git a/sshd_config.5 b/sshd_config.5 -index cccb310..8ad79d9 100644 ---- a/sshd_config.5 -+++ b/sshd_config.5 -@@ -536,12 +536,40 @@ Specifies whether user authentication based on GSSAPI is allowed. +diff -up openssh-6.8p1/sshd_config.5.gsskex openssh-6.8p1/sshd_config.5 +--- openssh-6.8p1/sshd_config.5.gsskex 2015-03-18 11:24:48.882900750 +0100 ++++ openssh-6.8p1/sshd_config.5 2015-03-18 12:12:57.914965842 +0100 +@@ -564,12 +564,40 @@ Specifies whether user authentication ba The default is .Dq no . Note that this option applies to protocol version 2 only. @@ -2785,6 +2762,6 @@ index cccb310..8ad79d9 100644 +successful connection rekeying. This option can be used to accepted renewed +or updated credentials from a compatible client. The default is +.Dq no . - .It Cm HostbasedAuthentication - Specifies whether rhosts or /etc/hosts.equiv authentication together - with successful public key client host authentication is allowed + .It Cm HostbasedAcceptedKeyTypes + Specifies the key types that will be accepted for hostbased authentication + as a comma-separated pattern list. diff --git a/openssh-6.6p1-keycat.patch b/openssh-6.6p1-keycat.patch index 4cbe95d..be79371 100644 --- a/openssh-6.6p1-keycat.patch +++ b/openssh-6.6p1-keycat.patch @@ -1,8 +1,6 @@ -diff --git a/HOWTO.ssh-keycat b/HOWTO.ssh-keycat -new file mode 100644 -index 0000000..630ec62 ---- /dev/null -+++ b/HOWTO.ssh-keycat +diff -up openssh-6.8p1/HOWTO.ssh-keycat.keycat openssh-6.8p1/HOWTO.ssh-keycat +--- openssh-6.8p1/HOWTO.ssh-keycat.keycat 2015-03-18 11:13:43.063482958 +0100 ++++ openssh-6.8p1/HOWTO.ssh-keycat 2015-03-18 11:13:43.063482958 +0100 @@ -0,0 +1,12 @@ +The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys +of an user in any environment. This includes environments with @@ -16,10 +14,9 @@ index 0000000..630ec62 + PubkeyAuthentication yes + + -diff --git a/Makefile.in b/Makefile.in -index f02aa1e..b225217 100644 ---- a/Makefile.in -+++ b/Makefile.in +diff -up openssh-6.8p1/Makefile.in.keycat openssh-6.8p1/Makefile.in +--- openssh-6.8p1/Makefile.in.keycat 2015-03-18 11:13:43.061482963 +0100 ++++ openssh-6.8p1/Makefile.in 2015-03-18 11:14:22.480389291 +0100 @@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper @@ -33,13 +30,13 @@ index f02aa1e..b225217 100644 INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@ -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) -+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) LIBOPENSSH_OBJS=\ - ssherr.o \ -@@ -186,6 +187,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11 - ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o - $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + ssh_api.o \ +@@ -190,6 +191,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) + ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o sshbuf-getput-basic.o ssherr.o + $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o sshbuf-getput-basic.o ssherr.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) +ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o + $(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(SSHLIBS) @@ -47,7 +44,7 @@ index f02aa1e..b225217 100644 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) -@@ -305,6 +309,7 @@ install-files: +@@ -321,6 +325,7 @@ install-files: $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ fi @@ -55,11 +52,10 @@ index f02aa1e..b225217 100644 $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 -diff --git a/auth2-pubkey.c b/auth2-pubkey.c -index 12f5afd..269e642 100644 ---- a/auth2-pubkey.c -+++ b/auth2-pubkey.c -@@ -602,6 +602,14 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key) +diff -up openssh-6.8p1/auth2-pubkey.c.keycat openssh-6.8p1/auth2-pubkey.c +--- openssh-6.8p1/auth2-pubkey.c.keycat 2015-03-18 11:13:43.053482982 +0100 ++++ openssh-6.8p1/auth2-pubkey.c 2015-03-18 11:13:43.063482958 +0100 +@@ -623,6 +623,14 @@ user_key_command_allowed2(struct passwd _exit(1); } @@ -74,10 +70,9 @@ index 12f5afd..269e642 100644 execl(options.authorized_keys_command, options.authorized_keys_command, user_pw->pw_name, NULL); -diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c -index 265bd3a..8f32464 100644 ---- a/openbsd-compat/port-linux-sshd.c -+++ b/openbsd-compat/port-linux-sshd.c +diff -up openssh-6.8p1/openbsd-compat/port-linux-sshd.c.keycat openssh-6.8p1/openbsd-compat/port-linux-sshd.c +--- openssh-6.8p1/openbsd-compat/port-linux-sshd.c.keycat 2015-03-18 11:13:43.057482972 +0100 ++++ openssh-6.8p1/openbsd-compat/port-linux-sshd.c 2015-03-18 11:13:43.063482958 +0100 @@ -54,6 +54,20 @@ extern Authctxt *the_authctxt; extern int inetd_flag; extern int rexeced_flag; @@ -153,7 +148,7 @@ index 265bd3a..8f32464 100644 /* Set the execution context to the default for the specified user */ void sshd_selinux_setup_exec_context(char *pwname) -@@ -344,7 +376,7 @@ sshd_selinux_setup_exec_context(char *pwname) +@@ -344,7 +376,7 @@ sshd_selinux_setup_exec_context(char *pw int r = 0; security_context_t default_ctx = NULL; @@ -171,11 +166,10 @@ index 265bd3a..8f32464 100644 return; if (getexeccon((security_context_t *)&ctx) != 0) { -diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h -index b18893c..cb51f99 100644 ---- a/openbsd-compat/port-linux.h -+++ b/openbsd-compat/port-linux.h -@@ -25,8 +25,10 @@ void ssh_selinux_setup_pty(char *, const char *); +diff -up openssh-6.8p1/openbsd-compat/port-linux.h.keycat openssh-6.8p1/openbsd-compat/port-linux.h +--- openssh-6.8p1/openbsd-compat/port-linux.h.keycat 2015-03-18 11:13:43.057482972 +0100 ++++ openssh-6.8p1/openbsd-compat/port-linux.h 2015-03-18 11:13:43.063482958 +0100 +@@ -25,8 +25,10 @@ void ssh_selinux_setup_pty(char *, const void ssh_selinux_change_context(const char *); void ssh_selinux_setfscreatecon(const char *); @@ -186,11 +180,10 @@ index b18893c..cb51f99 100644 #endif #ifdef LINUX_OOM_ADJUST -diff --git a/platform.c b/platform.c -index 84c47fa..6d876cb 100644 ---- a/platform.c -+++ b/platform.c -@@ -103,7 +103,7 @@ platform_setusercontext(struct passwd *pw) +diff -up openssh-6.8p1/platform.c.keycat openssh-6.8p1/platform.c +--- openssh-6.8p1/platform.c.keycat 2015-03-18 11:13:43.055482977 +0100 ++++ openssh-6.8p1/platform.c 2015-03-18 11:13:43.063482958 +0100 +@@ -103,7 +103,7 @@ platform_setusercontext(struct passwd *p { #ifdef WITH_SELINUX /* Cache selinux status for later use */ @@ -199,11 +192,9 @@ index 84c47fa..6d876cb 100644 #endif #ifdef USE_SOLARIS_PROJECTS -diff --git a/ssh-keycat.c b/ssh-keycat.c -new file mode 100644 -index 0000000..f8ed7af ---- /dev/null -+++ b/ssh-keycat.c +diff -up openssh-6.8p1/ssh-keycat.c.keycat openssh-6.8p1/ssh-keycat.c +--- openssh-6.8p1/ssh-keycat.c.keycat 2015-03-18 11:13:43.064482956 +0100 ++++ openssh-6.8p1/ssh-keycat.c 2015-03-18 11:13:43.064482956 +0100 @@ -0,0 +1,238 @@ +/* + * Redistribution and use in source and binary forms, with or without diff --git a/openssh-6.6p1-kuserok.patch b/openssh-6.6p1-kuserok.patch index b0b12a6..9e93051 100644 --- a/openssh-6.6p1-kuserok.patch +++ b/openssh-6.6p1-kuserok.patch @@ -1,7 +1,6 @@ -diff --git a/auth-krb5.c b/auth-krb5.c -index 0089b18..8480261 100644 ---- a/auth-krb5.c -+++ b/auth-krb5.c +diff -up openssh-6.8p1/auth-krb5.c.kuserok openssh-6.8p1/auth-krb5.c +--- openssh-6.8p1/auth-krb5.c.kuserok 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/auth-krb5.c 2015-03-18 12:37:14.349351304 +0100 @@ -55,6 +55,21 @@ extern ServerOptions options; @@ -24,7 +23,7 @@ index 0089b18..8480261 100644 static int krb5_init(void *context) { -@@ -158,8 +173,9 @@ auth_krb5_password(Authctxt *authctxt, const char *password) +@@ -158,8 +173,9 @@ auth_krb5_password(Authctxt *authctxt, c if (problem) goto out; @@ -36,11 +35,10 @@ index 0089b18..8480261 100644 problem = -1; goto out; } -diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c -index 54dd383..961c564 100644 ---- a/gss-serv-krb5.c -+++ b/gss-serv-krb5.c -@@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_principal, const char *, const char *, +diff -up openssh-6.8p1/gss-serv-krb5.c.kuserok openssh-6.8p1/gss-serv-krb5.c +--- openssh-6.8p1/gss-serv-krb5.c.kuserok 2015-03-18 12:37:14.346351312 +0100 ++++ openssh-6.8p1/gss-serv-krb5.c 2015-03-18 12:37:14.349351304 +0100 +@@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr int); static krb5_context krb_context = NULL; @@ -152,7 +150,7 @@ index 54dd383..961c564 100644 static int ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) { -@@ -116,7 +214,8 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name) +@@ -116,7 +214,8 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client /* NOTE: .k5login and .k5users must opened as root, not the user, * because if they are on a krb5-protected filesystem, user credentials * to access these files aren't available yet. */ @@ -162,7 +160,7 @@ index 54dd383..961c564 100644 retval = 1; logit("Authorized to %s, krb5 principal %s (krb5_kuserok)", name, (char *)client->displayname.value); -@@ -171,9 +270,8 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name, +@@ -171,9 +270,8 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir); /* If both .k5login and .k5users DNE, self-login is ok. */ if (!k5login_exists && (access(file, F_OK) == -1)) { @@ -174,19 +172,18 @@ index 54dd383..961c564 100644 } if ((fp = fopen(file, "r")) == NULL) { int saved_errno = errno; -diff --git a/servconf.c b/servconf.c -index 179c20d..d17ed04 100644 ---- a/servconf.c -+++ b/servconf.c -@@ -163,6 +163,7 @@ initialize_server_options(ServerOptions *options) +diff -up openssh-6.8p1/servconf.c.kuserok openssh-6.8p1/servconf.c +--- openssh-6.8p1/servconf.c.kuserok 2015-03-18 12:37:14.342351322 +0100 ++++ openssh-6.8p1/servconf.c 2015-03-18 12:38:36.133145700 +0100 +@@ -167,6 +167,7 @@ initialize_server_options(ServerOptions options->ip_qos_bulk = -1; options->version_addendum = NULL; options->fingerprint_hash = -1; + options->use_kuserok = -1; } - void -@@ -328,6 +329,8 @@ fill_default_server_options(ServerOptions *options) + /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ +@@ -345,6 +346,8 @@ fill_default_server_options(ServerOption options->fwd_opts.streamlocal_bind_unlink = 0; if (options->fingerprint_hash == -1) options->fingerprint_hash = SSH_FP_HASH_DEFAULT; @@ -195,8 +192,8 @@ index 179c20d..d17ed04 100644 /* Turn privilege separation on by default */ if (use_privsep == -1) use_privsep = PRIVSEP_NOSANDBOX; -@@ -353,7 +356,7 @@ typedef enum { - sPermitRootLogin, sLogFacility, sLogLevel, +@@ -388,7 +391,7 @@ typedef enum { + sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel, sRhostsRSAAuthentication, sRSAAuthentication, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, - sKerberosGetAFSToken, @@ -204,7 +201,7 @@ index 179c20d..d17ed04 100644 sKerberosTgtPassing, sChallengeResponseAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sAddressFamily, -@@ -427,11 +430,13 @@ static struct { +@@ -464,11 +467,13 @@ static struct { #else { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, #endif @@ -218,7 +215,7 @@ index 179c20d..d17ed04 100644 #endif { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, -@@ -1557,6 +1562,10 @@ process_server_config_line(ServerOptions *options, char *line, +@@ -1614,6 +1619,10 @@ process_server_config_line(ServerOptions *activep = value; break; @@ -229,7 +226,7 @@ index 179c20d..d17ed04 100644 case sPermitOpen: arg = strdelim(&cp); if (!arg || *arg == '\0') -@@ -1872,6 +1881,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth) +@@ -1935,6 +1944,7 @@ copy_set_server_options(ServerOptions *d M_CP_INTOPT(max_authtries); M_CP_INTOPT(ip_qos_interactive); M_CP_INTOPT(ip_qos_bulk); @@ -237,7 +234,7 @@ index 179c20d..d17ed04 100644 M_CP_INTOPT(rekey_limit); M_CP_INTOPT(rekey_interval); -@@ -2130,6 +2140,7 @@ dump_config(ServerOptions *o) +@@ -2194,6 +2204,7 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding); dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); @@ -245,11 +242,10 @@ index 179c20d..d17ed04 100644 /* string arguments */ dump_cfg_string(sPidFile, o->pid_file); -diff --git a/servconf.h b/servconf.h -index 397698b..cf2a505 100644 ---- a/servconf.h -+++ b/servconf.h -@@ -175,6 +175,7 @@ typedef struct { +diff -up openssh-6.8p1/servconf.h.kuserok openssh-6.8p1/servconf.h +--- openssh-6.8p1/servconf.h.kuserok 2015-03-18 12:37:14.342351322 +0100 ++++ openssh-6.8p1/servconf.h 2015-03-18 12:37:14.350351302 +0100 +@@ -177,6 +177,7 @@ typedef struct { int num_permitted_opens; @@ -257,10 +253,9 @@ index 397698b..cf2a505 100644 char *chroot_directory; char *revoked_keys_file; char *trusted_user_ca_keys; -diff --git a/sshd_config b/sshd_config -index f4796fc..0d9454d 100644 ---- a/sshd_config -+++ b/sshd_config +diff -up openssh-6.8p1/sshd_config.kuserok openssh-6.8p1/sshd_config +--- openssh-6.8p1/sshd_config.kuserok 2015-03-18 12:37:14.344351317 +0100 ++++ openssh-6.8p1/sshd_config 2015-03-18 12:37:14.350351302 +0100 @@ -87,6 +87,7 @@ ChallengeResponseAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes @@ -269,11 +264,10 @@ index f4796fc..0d9454d 100644 # GSSAPI options GSSAPIAuthentication yes -diff --git a/sshd_config.5 b/sshd_config.5 -index 8ad79d9..eb4dd9e 100644 ---- a/sshd_config.5 -+++ b/sshd_config.5 -@@ -740,6 +740,10 @@ Specifies whether to automatically destroy the user's ticket cache +diff -up openssh-6.8p1/sshd_config.5.kuserok openssh-6.8p1/sshd_config.5 +--- openssh-6.8p1/sshd_config.5.kuserok 2015-03-18 12:37:14.343351319 +0100 ++++ openssh-6.8p1/sshd_config.5 2015-03-18 12:39:23.373026939 +0100 +@@ -779,6 +779,10 @@ Specifies whether to automatically destr file on logout. The default is .Dq yes . @@ -284,8 +278,8 @@ index 8ad79d9..eb4dd9e 100644 .It Cm KexAlgorithms Specifies the available KEX (Key Exchange) algorithms. Multiple algorithms must be comma-separated. -@@ -961,6 +965,7 @@ Available keywords are - .Cm HostbasedUsesNameFromPacketOnly , +@@ -1017,6 +1021,7 @@ Available keywords are + .Cm IPQoS , .Cm KbdInteractiveAuthentication , .Cm KerberosAuthentication , +.Cm KerberosUseKuserok , diff --git a/openssh-6.6p1-role-mls.patch b/openssh-6.6p1-role-mls.patch index 02e81e6..e058f1e 100644 --- a/openssh-6.6p1-role-mls.patch +++ b/openssh-6.6p1-role-mls.patch @@ -1,7 +1,6 @@ -diff --git a/auth-pam.c b/auth-pam.c -index d789bad..cd1a775 100644 ---- a/auth-pam.c -+++ b/auth-pam.c +diff -up openssh-6.8p1/auth-pam.c.role-mls openssh-6.8p1/auth-pam.c +--- openssh-6.8p1/auth-pam.c.role-mls 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/auth-pam.c 2015-03-18 11:04:21.045817122 +0100 @@ -1068,7 +1068,7 @@ is_pam_session_open(void) * during the ssh authentication process. */ @@ -11,10 +10,9 @@ index d789bad..cd1a775 100644 { int ret = 1; #ifdef HAVE_PAM_PUTENV -diff --git a/auth-pam.h b/auth-pam.h -index a1a2b52..b109a5a 100644 ---- a/auth-pam.h -+++ b/auth-pam.h +diff -up openssh-6.8p1/auth-pam.h.role-mls openssh-6.8p1/auth-pam.h +--- openssh-6.8p1/auth-pam.h.role-mls 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/auth-pam.h 2015-03-18 11:04:21.045817122 +0100 @@ -38,7 +38,7 @@ void do_pam_session(void); void do_pam_set_tty(const char *); void do_pam_setcred(int ); @@ -24,11 +22,10 @@ index a1a2b52..b109a5a 100644 char ** fetch_pam_environment(void); char ** fetch_pam_child_environment(void); void free_pam_environment(char **); -diff --git a/auth.h b/auth.h -index d081c94..847cffd 100644 ---- a/auth.h -+++ b/auth.h -@@ -59,6 +59,9 @@ struct Authctxt { +diff -up openssh-6.8p1/auth.h.role-mls openssh-6.8p1/auth.h +--- openssh-6.8p1/auth.h.role-mls 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/auth.h 2015-03-18 11:04:21.045817122 +0100 +@@ -62,6 +62,9 @@ struct Authctxt { char *service; struct passwd *pw; /* set if 'valid' */ char *style; @@ -38,11 +35,10 @@ index d081c94..847cffd 100644 void *kbdintctxt; char *info; /* Extra info for next auth_log */ #ifdef BSD_AUTH -diff --git a/auth1.c b/auth1.c -index 5038828..f0a98d2 100644 ---- a/auth1.c -+++ b/auth1.c -@@ -382,6 +382,9 @@ do_authentication(Authctxt *authctxt) +diff -up openssh-6.8p1/auth1.c.role-mls openssh-6.8p1/auth1.c +--- openssh-6.8p1/auth1.c.role-mls 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/auth1.c 2015-03-18 11:04:21.046817119 +0100 +@@ -384,6 +384,9 @@ do_authentication(Authctxt *authctxt) { u_int ulen; char *user, *style = NULL; @@ -52,7 +48,7 @@ index 5038828..f0a98d2 100644 /* Get the name of the user that we wish to log in as. */ packet_read_expect(SSH_CMSG_USER); -@@ -390,11 +393,24 @@ do_authentication(Authctxt *authctxt) +@@ -392,11 +395,24 @@ do_authentication(Authctxt *authctxt) user = packet_get_cstring(&ulen); packet_check_eom(); @@ -77,11 +73,10 @@ index 5038828..f0a98d2 100644 /* Verify that the user is a valid user. */ if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) -diff --git a/auth2-gss.c b/auth2-gss.c -index 447f896..4803e7e 100644 ---- a/auth2-gss.c -+++ b/auth2-gss.c -@@ -252,6 +252,7 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) +diff -up openssh-6.8p1/auth2-gss.c.role-mls openssh-6.8p1/auth2-gss.c +--- openssh-6.8p1/auth2-gss.c.role-mls 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/auth2-gss.c 2015-03-18 11:04:21.046817119 +0100 +@@ -255,6 +255,7 @@ input_gssapi_mic(int type, u_int32_t ple Authctxt *authctxt = ctxt; Gssctxt *gssctxt; int authenticated = 0; @@ -89,7 +84,7 @@ index 447f896..4803e7e 100644 Buffer b; gss_buffer_desc mic, gssbuf; u_int len; -@@ -264,7 +265,13 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) +@@ -267,7 +268,13 @@ input_gssapi_mic(int type, u_int32_t ple mic.value = packet_get_string(&len); mic.length = len; @@ -104,7 +99,7 @@ index 447f896..4803e7e 100644 "gssapi-with-mic"); gssbuf.value = buffer_ptr(&b); -@@ -276,6 +283,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) +@@ -279,6 +286,8 @@ input_gssapi_mic(int type, u_int32_t ple logit("GSSAPI MIC check failed"); buffer_free(&b); @@ -113,11 +108,10 @@ index 447f896..4803e7e 100644 free(mic.value); authctxt->postponed = 0; -diff --git a/auth2-hostbased.c b/auth2-hostbased.c -index b7ae353..41f1a3f 100644 ---- a/auth2-hostbased.c -+++ b/auth2-hostbased.c -@@ -113,7 +113,15 @@ userauth_hostbased(Authctxt *authctxt) +diff -up openssh-6.8p1/auth2-hostbased.c.role-mls openssh-6.8p1/auth2-hostbased.c +--- openssh-6.8p1/auth2-hostbased.c.role-mls 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/auth2-hostbased.c 2015-03-18 11:04:21.046817119 +0100 +@@ -122,7 +122,15 @@ userauth_hostbased(Authctxt *authctxt) buffer_put_string(&b, session_id2, session_id2_len); /* reconstruct packet */ buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); @@ -134,11 +128,10 @@ index b7ae353..41f1a3f 100644 buffer_put_cstring(&b, service); buffer_put_cstring(&b, "hostbased"); buffer_put_string(&b, pkalg, alen); -diff --git a/auth2-pubkey.c b/auth2-pubkey.c -index 3f4f789..12f5afd 100644 ---- a/auth2-pubkey.c -+++ b/auth2-pubkey.c -@@ -133,9 +133,11 @@ userauth_pubkey(Authctxt *authctxt) +diff -up openssh-6.8p1/auth2-pubkey.c.role-mls openssh-6.8p1/auth2-pubkey.c +--- openssh-6.8p1/auth2-pubkey.c.role-mls 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/auth2-pubkey.c 2015-03-18 11:04:21.046817119 +0100 +@@ -145,9 +145,11 @@ userauth_pubkey(Authctxt *authctxt) } /* reconstruct packet */ buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); @@ -152,11 +145,10 @@ index 3f4f789..12f5afd 100644 buffer_put_cstring(&b, userstyle); free(userstyle); buffer_put_cstring(&b, -diff --git a/auth2.c b/auth2.c -index d9b440a..d6fbc93 100644 ---- a/auth2.c -+++ b/auth2.c -@@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) +diff -up openssh-6.8p1/auth2.c.role-mls openssh-6.8p1/auth2.c +--- openssh-6.8p1/auth2.c.role-mls 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/auth2.c 2015-03-18 11:04:21.046817119 +0100 +@@ -215,6 +215,9 @@ input_userauth_request(int type, u_int32 Authctxt *authctxt = ctxt; Authmethod *m = NULL; char *user, *service, *method, *style = NULL; @@ -166,7 +158,7 @@ index d9b440a..d6fbc93 100644 int authenticated = 0; if (authctxt == NULL) -@@ -227,6 +230,11 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) +@@ -226,6 +229,11 @@ input_userauth_request(int type, u_int32 debug("userauth-request for user %s service %s method %s", user, service, method); debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); @@ -178,7 +170,7 @@ index d9b440a..d6fbc93 100644 if ((style = strchr(user, ':')) != NULL) *style++ = 0; -@@ -252,8 +260,15 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) +@@ -251,8 +259,15 @@ input_userauth_request(int type, u_int32 use_privsep ? " [net]" : ""); authctxt->service = xstrdup(service); authctxt->style = style ? xstrdup(style) : NULL; @@ -195,10 +187,9 @@ index d9b440a..d6fbc93 100644 userauth_banner(); if (auth2_setup_methods_lists(authctxt) != 0) packet_disconnect("no authentication methods enabled"); -diff --git a/misc.c b/misc.c -index 94b05b0..651c21b 100644 ---- a/misc.c -+++ b/misc.c +diff -up openssh-6.8p1/misc.c.role-mls openssh-6.8p1/misc.c +--- openssh-6.8p1/misc.c.role-mls 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/misc.c 2015-03-18 11:04:21.046817119 +0100 @@ -431,6 +431,7 @@ char * colon(char *cp) { @@ -221,11 +212,10 @@ index 94b05b0..651c21b 100644 } return NULL; } -diff --git a/monitor.c b/monitor.c -index dbe29f1..d3f87e1 100644 ---- a/monitor.c -+++ b/monitor.c -@@ -148,6 +148,9 @@ int mm_answer_sign(int, Buffer *); +diff -up openssh-6.8p1/monitor.c.role-mls openssh-6.8p1/monitor.c +--- openssh-6.8p1/monitor.c.role-mls 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/monitor.c 2015-03-18 11:04:21.047817117 +0100 +@@ -127,6 +127,9 @@ int mm_answer_sign(int, Buffer *); int mm_answer_pwnamallow(int, Buffer *); int mm_answer_auth2_read_banner(int, Buffer *); int mm_answer_authserv(int, Buffer *); @@ -235,7 +225,7 @@ index dbe29f1..d3f87e1 100644 int mm_answer_authpassword(int, Buffer *); int mm_answer_bsdauthquery(int, Buffer *); int mm_answer_bsdauthrespond(int, Buffer *); -@@ -227,6 +230,9 @@ struct mon_table mon_dispatch_proto20[] = { +@@ -206,6 +209,9 @@ struct mon_table mon_dispatch_proto20[] {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, @@ -245,7 +235,7 @@ index dbe29f1..d3f87e1 100644 {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, #ifdef USE_PAM -@@ -824,6 +830,9 @@ mm_answer_pwnamallow(int sock, Buffer *m) +@@ -862,6 +868,9 @@ mm_answer_pwnamallow(int sock, Buffer *m else { /* Allow service/style information on the auth context */ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); @@ -255,7 +245,7 @@ index dbe29f1..d3f87e1 100644 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); } #ifdef USE_PAM -@@ -865,6 +874,25 @@ mm_answer_authserv(int sock, Buffer *m) +@@ -903,6 +912,25 @@ mm_answer_authserv(int sock, Buffer *m) return (0); } @@ -281,7 +271,7 @@ index dbe29f1..d3f87e1 100644 int mm_answer_authpassword(int sock, Buffer *m) { -@@ -1241,7 +1269,7 @@ static int +@@ -1291,7 +1319,7 @@ static int monitor_valid_userblob(u_char *data, u_int datalen) { Buffer b; @@ -290,7 +280,7 @@ index dbe29f1..d3f87e1 100644 u_int len; int fail = 0; -@@ -1267,6 +1295,8 @@ monitor_valid_userblob(u_char *data, u_int datalen) +@@ -1317,6 +1345,8 @@ monitor_valid_userblob(u_char *data, u_i if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) fail++; p = buffer_get_cstring(&b, NULL); @@ -299,7 +289,7 @@ index dbe29f1..d3f87e1 100644 xasprintf(&userstyle, "%s%s%s", authctxt->user, authctxt->style ? ":" : "", authctxt->style ? authctxt->style : ""); -@@ -1302,7 +1332,7 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser, +@@ -1352,7 +1382,7 @@ monitor_valid_hostbasedblob(u_char *data char *chost) { Buffer b; @@ -308,7 +298,7 @@ index dbe29f1..d3f87e1 100644 u_int len; int fail = 0; -@@ -1319,6 +1349,8 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser, +@@ -1369,6 +1399,8 @@ monitor_valid_hostbasedblob(u_char *data if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) fail++; p = buffer_get_cstring(&b, NULL); @@ -317,10 +307,9 @@ index dbe29f1..d3f87e1 100644 xasprintf(&userstyle, "%s%s%s", authctxt->user, authctxt->style ? ":" : "", authctxt->style ? authctxt->style : ""); -diff --git a/monitor.h b/monitor.h -index 5bc41b5..20e2b4a 100644 ---- a/monitor.h -+++ b/monitor.h +diff -up openssh-6.8p1/monitor.h.role-mls openssh-6.8p1/monitor.h +--- openssh-6.8p1/monitor.h.role-mls 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/monitor.h 2015-03-18 11:04:21.047817117 +0100 @@ -57,6 +57,10 @@ enum monitor_reqtype { MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49, MONITOR_REQ_TERM = 50, @@ -332,11 +321,10 @@ index 5bc41b5..20e2b4a 100644 MONITOR_REQ_PAM_START = 100, MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103, MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105, -diff --git a/monitor_wrap.c b/monitor_wrap.c -index 45dc169..82f114c 100644 ---- a/monitor_wrap.c -+++ b/monitor_wrap.c -@@ -342,6 +342,25 @@ mm_inform_authserv(char *service, char *style) +diff -up openssh-6.8p1/monitor_wrap.c.role-mls openssh-6.8p1/monitor_wrap.c +--- openssh-6.8p1/monitor_wrap.c.role-mls 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/monitor_wrap.c 2015-03-18 11:04:21.047817117 +0100 +@@ -347,6 +347,25 @@ mm_inform_authserv(char *service, char * buffer_free(&m); } @@ -362,13 +350,12 @@ index 45dc169..82f114c 100644 /* Do the password authentication */ int mm_auth_password(Authctxt *authctxt, char *password) -diff --git a/monitor_wrap.h b/monitor_wrap.h -index 18c2501..9d5e5ba 100644 ---- a/monitor_wrap.h -+++ b/monitor_wrap.h +diff -up openssh-6.8p1/monitor_wrap.h.role-mls openssh-6.8p1/monitor_wrap.h +--- openssh-6.8p1/monitor_wrap.h.role-mls 2015-03-18 11:04:21.047817117 +0100 ++++ openssh-6.8p1/monitor_wrap.h 2015-03-18 11:10:32.343936171 +0100 @@ -42,6 +42,9 @@ int mm_is_monitor(void); DH *mm_choose_dh(int, int, int); - int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); + int mm_key_sign(Key *, u_char **, u_int *, const u_char *, u_int); void mm_inform_authserv(char *, char *); +#ifdef WITH_SELINUX +void mm_inform_authrole(char *); @@ -376,11 +363,10 @@ index 18c2501..9d5e5ba 100644 struct passwd *mm_getpwnamallow(const char *); char *mm_auth2_read_banner(void); int mm_auth_password(struct Authctxt *, char *); -diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in -index ab1a3e3..843225d 100644 ---- a/openbsd-compat/Makefile.in -+++ b/openbsd-compat/Makefile.in -@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o di +diff -up openssh-6.8p1/openbsd-compat/Makefile.in.role-mls openssh-6.8p1/openbsd-compat/Makefile.in +--- openssh-6.8p1/openbsd-compat/Makefile.in.role-mls 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/openbsd-compat/Makefile.in 2015-03-18 11:04:21.047817117 +0100 +@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o @@ -389,11 +375,9 @@ index ab1a3e3..843225d 100644 .c.o: $(CC) $(CFLAGS) $(CPPFLAGS) -c $< -diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c -new file mode 100644 -index 0000000..6310717 ---- /dev/null -+++ b/openbsd-compat/port-linux-sshd.c +diff -up openssh-6.8p1/openbsd-compat/port-linux-sshd.c.role-mls openssh-6.8p1/openbsd-compat/port-linux-sshd.c +--- openssh-6.8p1/openbsd-compat/port-linux-sshd.c.role-mls 2015-03-18 11:04:21.048817114 +0100 ++++ openssh-6.8p1/openbsd-compat/port-linux-sshd.c 2015-03-18 11:04:21.048817114 +0100 @@ -0,0 +1,415 @@ +/* + * Copyright (c) 2005 Daniel Walsh @@ -810,10 +794,9 @@ index 0000000..6310717 +#endif +#endif + -diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c -index 4637a7a..22ea8ef 100644 ---- a/openbsd-compat/port-linux.c -+++ b/openbsd-compat/port-linux.c +diff -up openssh-6.8p1/openbsd-compat/port-linux.c.role-mls openssh-6.8p1/openbsd-compat/port-linux.c +--- openssh-6.8p1/openbsd-compat/port-linux.c.role-mls 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/openbsd-compat/port-linux.c 2015-03-18 11:04:21.048817114 +0100 @@ -103,37 +103,6 @@ ssh_selinux_getctxbyname(char *pwname) return sc; } @@ -852,10 +835,9 @@ index 4637a7a..22ea8ef 100644 /* Set the TTY context for the specified user */ void ssh_selinux_setup_pty(char *pwname, const char *tty) -diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h -index e3d1004..8ef6cc4 100644 ---- a/openbsd-compat/port-linux.h -+++ b/openbsd-compat/port-linux.h +diff -up openssh-6.8p1/openbsd-compat/port-linux.h.role-mls openssh-6.8p1/openbsd-compat/port-linux.h +--- openssh-6.8p1/openbsd-compat/port-linux.h.role-mls 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/openbsd-compat/port-linux.h 2015-03-18 11:04:21.048817114 +0100 @@ -22,9 +22,10 @@ #ifdef WITH_SELINUX int ssh_selinux_enabled(void); @@ -868,11 +850,10 @@ index e3d1004..8ef6cc4 100644 #endif #ifdef LINUX_OOM_ADJUST -diff --git a/platform.c b/platform.c -index ee313da..84c47fa 100644 ---- a/platform.c -+++ b/platform.c -@@ -184,7 +184,7 @@ platform_setusercontext_post_groups(struct passwd *pw) +diff -up openssh-6.8p1/platform.c.role-mls openssh-6.8p1/platform.c +--- openssh-6.8p1/platform.c.role-mls 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/platform.c 2015-03-18 11:04:21.048817114 +0100 +@@ -184,7 +184,7 @@ platform_setusercontext_post_groups(stru } #endif /* HAVE_SETPCRED */ #ifdef WITH_SELINUX @@ -881,11 +862,10 @@ index ee313da..84c47fa 100644 #endif } -diff --git a/sshd.c b/sshd.c -index 481d001..41b317b 100644 ---- a/sshd.c -+++ b/sshd.c -@@ -2144,6 +2144,9 @@ main(int ac, char **av) +diff -up openssh-6.8p1/sshd.c.role-mls openssh-6.8p1/sshd.c +--- openssh-6.8p1/sshd.c.role-mls 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/sshd.c 2015-03-18 11:04:21.048817114 +0100 +@@ -2220,6 +2220,9 @@ main(int ac, char **av) restore_uid(); } #endif diff --git a/openssh-6.6p1-set_remote_ipaddr.patch b/openssh-6.6p1-set_remote_ipaddr.patch index 166e569..ec4e416 100644 --- a/openssh-6.6p1-set_remote_ipaddr.patch +++ b/openssh-6.6p1-set_remote_ipaddr.patch @@ -1,8 +1,7 @@ -diff --git a/canohost.c b/canohost.c -index 97ce58c..1f9320a 100644 ---- a/canohost.c -+++ b/canohost.c -@@ -338,6 +338,21 @@ clear_cached_addr(void) +diff -up openssh-6.8p1/canohost.c.set_remote_ipaddr openssh-6.8p1/canohost.c +--- openssh-6.8p1/canohost.c.set_remote_ipaddr 2015-03-18 12:40:03.702925550 +0100 ++++ openssh-6.8p1/canohost.c 2015-03-18 12:40:03.749925432 +0100 +@@ -349,6 +349,21 @@ clear_cached_addr(void) cached_port = -1; } @@ -24,7 +23,7 @@ index 97ce58c..1f9320a 100644 /* * Returns the IP-address of the remote host as a string. The returned * string must not be freed. -@@ -347,17 +362,9 @@ const char * +@@ -358,17 +373,9 @@ const char * get_remote_ipaddr(void) { /* Check whether we have cached the ipaddr. */ @@ -45,10 +44,9 @@ index 97ce58c..1f9320a 100644 return canonical_host_ip; } -diff --git a/canohost.h b/canohost.h -index 4c8636f..4079953 100644 ---- a/canohost.h -+++ b/canohost.h +diff -up openssh-6.8p1/canohost.h.set_remote_ipaddr openssh-6.8p1/canohost.h +--- openssh-6.8p1/canohost.h.set_remote_ipaddr 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/canohost.h 2015-03-18 12:40:03.749925432 +0100 @@ -13,6 +13,7 @@ */ @@ -57,19 +55,18 @@ index 4c8636f..4079953 100644 const char *get_remote_ipaddr(void); const char *get_remote_name_or_ip(u_int, int); -diff --git a/sshconnect.c b/sshconnect.c -index e636f33..451a58b 100644 ---- a/sshconnect.c -+++ b/sshconnect.c -@@ -62,6 +62,7 @@ - #include "monitor_fdpass.h" - #include "ssh2.h" +diff -up openssh-6.8p1/sshconnect.c.set_remote_ipaddr openssh-6.8p1/sshconnect.c +--- openssh-6.8p1/sshconnect.c.set_remote_ipaddr 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/sshconnect.c 2015-03-18 12:40:58.096788804 +0100 +@@ -65,6 +65,7 @@ #include "version.h" + #include "authfile.h" + #include "ssherr.h" +#include "canohost.h" char *client_version_string = NULL; char *server_version_string = NULL; -@@ -170,6 +171,7 @@ ssh_proxy_fdpass_connect(const char *host, u_short port, +@@ -174,6 +175,7 @@ ssh_proxy_fdpass_connect(const char *hos /* Set the connection file descriptors. */ packet_set_connection(sock, sock); @@ -77,7 +74,7 @@ index e636f33..451a58b 100644 return 0; } -@@ -492,6 +494,7 @@ ssh_connect_direct(const char *host, struct addrinfo *aitop, +@@ -496,6 +498,7 @@ ssh_connect_direct(const char *host, str /* Set the connection. */ packet_set_connection(sock, sock); diff --git a/openssh-6.7p1-audit.patch b/openssh-6.7p1-audit.patch index 2c1e80d..cb8e778 100644 --- a/openssh-6.7p1-audit.patch +++ b/openssh-6.7p1-audit.patch @@ -1,22 +1,19 @@ -diff --git a/Makefile.in b/Makefile.in -index 8e11217..9311e16 100644 ---- a/Makefile.in -+++ b/Makefile.in -@@ -92,7 +92,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ - ssh-pkcs11.o krl.o smult_curve25519_ref.o \ - kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \ - ssh-ed25519.o digest-openssl.o hmac.o utf8_stringprep.o \ -- sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o -+ sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \ -+ auditstub.o +diff -up openssh-6.8p1/Makefile.in.audit openssh-6.8p1/Makefile.in +--- openssh-6.8p1/Makefile.in.audit 2015-03-20 13:41:15.065883826 +0100 ++++ openssh-6.8p1/Makefile.in 2015-03-20 13:41:15.100883769 +0100 +@@ -98,7 +98,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ + sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \ + kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \ + kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \ +- kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o ++ kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o auditstub.o SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect1.o sshconnect2.o mux.o \ -diff --git a/audit-bsm.c b/audit-bsm.c -index 6135591..c7a1b47 100644 ---- a/audit-bsm.c -+++ b/audit-bsm.c -@@ -375,10 +375,23 @@ audit_connection_from(const char *host, int port) +diff -up openssh-6.8p1/audit-bsm.c.audit openssh-6.8p1/audit-bsm.c +--- openssh-6.8p1/audit-bsm.c.audit 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/audit-bsm.c 2015-03-20 13:41:15.092883782 +0100 +@@ -375,10 +375,23 @@ audit_connection_from(const char *host, #endif } @@ -95,10 +92,9 @@ index 6135591..c7a1b47 100644 + /* not implemented */ +} #endif /* BSM */ -diff --git a/audit-linux.c b/audit-linux.c -index b3ee2f4..bff8180 100644 ---- a/audit-linux.c -+++ b/audit-linux.c +diff -up openssh-6.8p1/audit-linux.c.audit openssh-6.8p1/audit-linux.c +--- openssh-6.8p1/audit-linux.c.audit 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/audit-linux.c 2015-03-20 13:41:15.093883780 +0100 @@ -35,13 +35,25 @@ #include "log.h" @@ -227,7 +223,7 @@ index b3ee2f4..bff8180 100644 + goto out; + /* is the fingerprint_prefix() still needed? + snprintf(buf, sizeof(buf), "key algo=%s size=%d fp=%s%s rport=%d", -+ type, bits, key_fingerprint_prefix(), fp, get_remote_port()); ++ type, bits, sshkey_fingerprint_prefix(), fp, get_remote_port()); + */ + snprintf(buf, sizeof(buf), "key algo=%s size=%d fp=%s rport=%d", + type, bits, fp, get_remote_port()); @@ -490,10 +486,9 @@ index b3ee2f4..bff8180 100644 + error("cannot write into audit"); +} #endif /* USE_LINUX_AUDIT */ -diff --git a/audit.c b/audit.c -index ced57fa..18908b4 100644 ---- a/audit.c -+++ b/audit.c +diff -up openssh-6.8p1/audit.c.audit openssh-6.8p1/audit.c +--- openssh-6.8p1/audit.c.audit 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/audit.c 2015-03-20 13:41:15.093883780 +0100 @@ -28,6 +28,7 @@ #include @@ -548,7 +543,7 @@ index ced57fa..18908b4 100644 + char *fp; + const char *crypto_name; + -+ fp = key_fingerprint(key, options.fingerprint_hash, SSH_FP_HEX); ++ fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_HEX); + if (key->type == KEY_RSA1) + crypto_name = "ssh-rsa1"; + else @@ -637,7 +632,7 @@ index ced57fa..18908b4 100644 +{ + debug("audit %s key usage euid %d user %s key type %s key length %d fingerprint %s%s, result %d", + host_user ? "pubkey" : "hostbased", geteuid(), audit_username(), type, bits, -+ key_fingerprint_prefix(), fp, rv); ++ sshkey_fingerprint_prefix(), fp, rv); +} + +/* @@ -691,10 +686,9 @@ index ced57fa..18908b4 100644 } # endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */ #endif /* SSH_AUDIT_EVENTS */ -diff --git a/audit.h b/audit.h -index 92ede5b..903df66 100644 ---- a/audit.h -+++ b/audit.h +diff -up openssh-6.8p1/audit.h.audit openssh-6.8p1/audit.h +--- openssh-6.8p1/audit.h.audit 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/audit.h 2015-03-20 13:41:15.093883780 +0100 @@ -28,6 +28,7 @@ # define _SSH_AUDIT_H @@ -730,11 +724,9 @@ index 92ede5b..903df66 100644 +void audit_generate_ephemeral_server_key(const char *); #endif /* _SSH_AUDIT_H */ -diff --git a/auditstub.c b/auditstub.c -new file mode 100644 -index 0000000..116f460 ---- /dev/null -+++ b/auditstub.c +diff -up openssh-6.8p1/auditstub.c.audit openssh-6.8p1/auditstub.c +--- openssh-6.8p1/auditstub.c.audit 2015-03-20 13:41:15.093883780 +0100 ++++ openssh-6.8p1/auditstub.c 2015-03-20 13:41:15.093883780 +0100 @@ -0,0 +1,50 @@ +/* $Id: auditstub.c,v 1.1 jfch Exp $ */ + @@ -786,11 +778,10 @@ index 0000000..116f460 +audit_session_key_free_body(int ctos, pid_t pid, uid_t uid) +{ +} -diff --git a/auth-rsa.c b/auth-rsa.c -index ff7a132..1e12515 100644 ---- a/auth-rsa.c -+++ b/auth-rsa.c -@@ -93,7 +93,10 @@ auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16]) +diff -up openssh-6.8p1/auth-rsa.c.audit openssh-6.8p1/auth-rsa.c +--- openssh-6.8p1/auth-rsa.c.audit 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/auth-rsa.c 2015-03-20 13:41:15.094883779 +0100 +@@ -95,7 +95,10 @@ auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16]) { u_char buf[32], mdbuf[16]; struct ssh_digest_ctx *md; @@ -802,7 +793,7 @@ index ff7a132..1e12515 100644 /* don't allow short keys */ if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) { -@@ -117,12 +120,18 @@ auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16]) +@@ -119,12 +122,18 @@ auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16]) ssh_digest_free(md); /* Verify that the response is the original challenge. */ @@ -812,7 +803,7 @@ index ff7a132..1e12515 100644 + rv = timingsafe_bcmp(response, mdbuf, 16) == 0; + +#ifdef SSH_AUDIT_EVENTS -+ fp = key_fingerprint(key, options.fingerprint_hash, SSH_FP_HEX); ++ fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_HEX); + if (audit_keyusage(1, "ssh-rsa1", RSA_size(key->rsa) * 8, fp, rv) == 0) { + debug("unsuccessful audit"); + rv = 0; @@ -826,11 +817,10 @@ index ff7a132..1e12515 100644 } /* -diff --git a/auth.c b/auth.c -index 5a9acd3..7eba5d4 100644 ---- a/auth.c -+++ b/auth.c -@@ -642,9 +642,6 @@ getpwnamallow(const char *user) +diff -up openssh-6.8p1/auth.c.audit openssh-6.8p1/auth.c +--- openssh-6.8p1/auth.c.audit 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/auth.c 2015-03-20 13:41:15.094883779 +0100 +@@ -644,9 +644,6 @@ getpwnamallow(const char *user) record_failed_login(user, get_canonical_hostname(options.use_dns), "ssh"); #endif @@ -840,11 +830,10 @@ index 5a9acd3..7eba5d4 100644 return (NULL); } if (!allowed_user(pw)) -diff --git a/auth.h b/auth.h -index 847cffd..19fbcf5 100644 ---- a/auth.h -+++ b/auth.h -@@ -187,6 +187,7 @@ void abandon_challenge_response(Authctxt *); +diff -up openssh-6.8p1/auth.h.audit openssh-6.8p1/auth.h +--- openssh-6.8p1/auth.h.audit 2015-03-20 13:41:15.002883927 +0100 ++++ openssh-6.8p1/auth.h 2015-03-20 13:41:15.094883779 +0100 +@@ -195,6 +195,7 @@ void abandon_challenge_response(Authctxt char *expand_authorized_keys(const char *, struct passwd *pw); char *authorized_principals_file(struct passwd *); @@ -852,19 +841,18 @@ index 847cffd..19fbcf5 100644 FILE *auth_openkeyfile(const char *, struct passwd *, int); FILE *auth_openprincipals(const char *, struct passwd *, int); -@@ -204,6 +205,7 @@ Key *get_hostkey_private_by_type(int); - int get_hostkey_index(Key *); +@@ -213,6 +214,7 @@ int get_hostkey_index(Key *, int, struc int ssh1_session_key(BIGNUM *); - void sshd_hostkey_sign(Key *, Key *, u_char **, u_int *, u_char *, u_int); + int sshd_hostkey_sign(Key *, Key *, u_char **, size_t *, + const u_char *, size_t, u_int); +int hostbased_key_verify(const Key *, const u_char *, u_int, const u_char *, u_int); /* debug messages during authentication */ void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2))); -diff --git a/auth2-hostbased.c b/auth2-hostbased.c -index 41f1a3f..80d9802 100644 ---- a/auth2-hostbased.c -+++ b/auth2-hostbased.c -@@ -138,7 +138,7 @@ userauth_hostbased(Authctxt *authctxt) +diff -up openssh-6.8p1/auth2-hostbased.c.audit openssh-6.8p1/auth2-hostbased.c +--- openssh-6.8p1/auth2-hostbased.c.audit 2015-03-20 13:41:15.002883927 +0100 ++++ openssh-6.8p1/auth2-hostbased.c 2015-03-20 13:41:15.093883780 +0100 +@@ -147,7 +147,7 @@ userauth_hostbased(Authctxt *authctxt) /* test for allowed key and correct signature */ authenticated = 0; if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) && @@ -873,7 +861,7 @@ index 41f1a3f..80d9802 100644 buffer_len(&b))) == 1) authenticated = 1; -@@ -155,6 +155,18 @@ done: +@@ -164,6 +164,18 @@ done: return authenticated; } @@ -892,20 +880,19 @@ index 41f1a3f..80d9802 100644 /* return 1 if given hostkey is allowed */ int hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, -diff --git a/auth2-pubkey.c b/auth2-pubkey.c -index 269e642..110ec48 100644 ---- a/auth2-pubkey.c -+++ b/auth2-pubkey.c -@@ -160,7 +160,7 @@ userauth_pubkey(Authctxt *authctxt) +diff -up openssh-6.8p1/auth2-pubkey.c.audit openssh-6.8p1/auth2-pubkey.c +--- openssh-6.8p1/auth2-pubkey.c.audit 2015-03-20 13:41:15.013883910 +0100 ++++ openssh-6.8p1/auth2-pubkey.c 2015-03-20 13:41:15.094883779 +0100 +@@ -172,7 +172,7 @@ userauth_pubkey(Authctxt *authctxt) /* test for correct signature */ authenticated = 0; if (PRIVSEP(user_key_allowed(authctxt->pw, key)) && - PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b), + PRIVSEP(user_key_verify(key, sig, slen, buffer_ptr(&b), - buffer_len(&b))) == 1) + buffer_len(&b))) == 1) { authenticated = 1; - buffer_free(&b); -@@ -232,6 +232,18 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...) + /* Record the successful key to prevent reuse */ +@@ -250,6 +250,18 @@ pubkey_auth_info(Authctxt *authctxt, con free(extra); } @@ -924,11 +911,10 @@ index 269e642..110ec48 100644 static int match_principals_option(const char *principal_list, struct sshkey_cert *cert) { -diff --git a/auth2.c b/auth2.c -index ec4ff8a..9e6e815 100644 ---- a/auth2.c -+++ b/auth2.c -@@ -250,9 +250,6 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) +diff -up openssh-6.8p1/auth2.c.audit openssh-6.8p1/auth2.c +--- openssh-6.8p1/auth2.c.audit 2015-03-20 13:41:15.044883860 +0100 ++++ openssh-6.8p1/auth2.c 2015-03-20 13:41:15.093883780 +0100 +@@ -249,9 +249,6 @@ input_userauth_request(int type, u_int32 } else { logit("input_userauth_request: invalid user %s", user); authctxt->pw = fakepw(); @@ -938,11 +924,10 @@ index ec4ff8a..9e6e815 100644 } #ifdef USE_PAM if (options.use_pam) -diff --git a/cipher.c b/cipher.c -index 638ca2d..9cc7cf8 100644 ---- a/cipher.c -+++ b/cipher.c -@@ -57,26 +57,6 @@ extern const EVP_CIPHER *evp_ssh1_3des(void); +diff -up openssh-6.8p1/cipher.c.audit openssh-6.8p1/cipher.c +--- openssh-6.8p1/cipher.c.audit 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/cipher.c 2015-03-20 13:41:15.101883767 +0100 +@@ -57,26 +59,6 @@ extern const EVP_CIPHER *evp_ssh1_3des(v extern int ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int); #endif @@ -969,10 +954,9 @@ index 638ca2d..9cc7cf8 100644 static const struct sshcipher ciphers[] = { #ifdef WITH_SSH1 { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc }, -diff --git a/cipher.h b/cipher.h -index de74c1e..26ed4cb 100644 ---- a/cipher.h -+++ b/cipher.h +diff -up openssh-6.8p1/cipher.h.audit openssh-6.8p1/cipher.h +--- openssh-6.8p1/cipher.h.audit 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/cipher.h 2015-03-20 13:41:15.094883779 +0100 @@ -62,7 +62,26 @@ #define CIPHER_ENCRYPT 1 #define CIPHER_DECRYPT 0 @@ -1001,75 +985,60 @@ index de74c1e..26ed4cb 100644 struct sshcipher_ctx { int plaintext; int encrypt; -diff --git a/kex.c b/kex.c -index 4563920..e0cf3de 100644 ---- a/kex.c -+++ b/kex.c -@@ -52,6 +52,7 @@ - #include "monitor.h" - #include "roaming.h" +diff -up openssh-6.8p1/kex.c.audit openssh-6.8p1/kex.c +--- openssh-6.8p1/kex.c.audit 2015-03-20 13:41:15.046883856 +0100 ++++ openssh-6.8p1/kex.c 2015-03-20 13:41:15.101883767 +0100 +@@ -54,6 +55,7 @@ + #include "ssherr.h" + #include "sshbuf.h" #include "digest.h" +#include "audit.h" #ifdef GSSAPI #include "ssh-gss.h" -@@ -370,9 +371,13 @@ static void - choose_enc(Enc *enc, char *client, char *server) +@@ -484,8 +508,12 @@ choose_enc(struct sshenc *enc, char *cli { char *name = match_list(client, server, NULL); + - if (name == NULL) + if (name == NULL) { +#ifdef SSH_AUDIT_EVENTS + audit_unsupported(0); +#endif - fatal("no matching cipher found: client %s server %s", - client, server); + return SSH_ERR_NO_CIPHER_ALG_MATCH; + } if ((enc->cipher = cipher_by_name(name)) == NULL) - fatal("matching cipher is not supported: %s", name); + return SSH_ERR_INTERNAL_ERROR; enc->name = name; -@@ -388,9 +393,13 @@ static void - choose_mac(Mac *mac, char *client, char *server) +@@ -503,8 +531,12 @@ choose_mac(struct ssh *ssh, struct sshma { char *name = match_list(client, server, NULL); + - if (name == NULL) + if (name == NULL) { +#ifdef SSH_AUDIT_EVENTS + audit_unsupported(1); +#endif - fatal("no matching mac found: client %s server %s", - client, server); + return SSH_ERR_NO_MAC_ALG_MATCH; + } if (mac_setup(mac, name) < 0) - fatal("unsupported mac %s", name); + return SSH_ERR_INTERNAL_ERROR; /* truncate the key */ -@@ -405,8 +414,12 @@ static void - choose_comp(Comp *comp, char *client, char *server) +@@ -521,8 +553,12 @@ choose_comp(struct sshcomp *comp, char * { char *name = match_list(client, server, NULL); + - if (name == NULL) + if (name == NULL) { +#ifdef SSH_AUDIT_EVENTS + audit_unsupported(2); +#endif - fatal("no matching comp found: client %s server %s", client, server); + return SSH_ERR_NO_COMPRESS_ALG_MATCH; + } if (strcmp(name, "zlib@openssh.com") == 0) { comp->type = COMP_DELAYED; } else if (strcmp(name, "zlib") == 0) { -@@ -522,9 +535,11 @@ kex_choose_conf(Kex *kex) - authlen == 0 ? newkeys->mac.name : "", - newkeys->comp.name); - } -+ - choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]); - choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS], - sprop[PROPOSAL_SERVER_HOST_KEY_ALGS]); -+ - need = dh_need = 0; - for (mode = 0; mode < MODE_MAX; mode++) { - newkeys = kex->newkeys[mode]; -@@ -536,11 +551,16 @@ kex_choose_conf(Kex *kex) +@@ -672,6 +708,10 @@ kex_choose_conf(struct ssh *ssh) dh_need = MAX(dh_need, newkeys->enc.block_size); dh_need = MAX(dh_need, newkeys->enc.iv_len); dh_need = MAX(dh_need, newkeys->mac.key_len); @@ -1080,19 +1049,13 @@ index 4563920..e0cf3de 100644 } /* XXX need runden? */ kex->we_need = need; - kex->dh_need = dh_need; - -+ - /* ignore the next message if the proposals do not match */ - if (first_kex_follows && !proposals_match(my, peer) && - !(datafellows & SSH_BUG_FIRSTKEX)) { -@@ -710,3 +730,34 @@ dump_digest(char *msg, u_char *digest, int len) - fprintf(stderr, "\n"); +@@ -847,3 +887,34 @@ dump_digest(char *msg, u_char *digest, i + sshbuf_dump_data(digest, len, stderr); } #endif + +static void -+enc_destroy(Enc *enc) ++enc_destroy(struct sshenc *enc) +{ + if (enc == NULL) + return; @@ -1111,7 +1074,7 @@ index 4563920..e0cf3de 100644 +} + +void -+newkeys_destroy(Newkeys *newkeys) ++newkeys_destroy(struct newkeys *newkeys) +{ + if (newkeys == NULL) + return; @@ -1121,41 +1084,38 @@ index 4563920..e0cf3de 100644 + memset(&newkeys->comp, 0, sizeof(newkeys->comp)); +} + -diff --git a/kex.h b/kex.h -index 1c76c08..e015d27 100644 ---- a/kex.h -+++ b/kex.h -@@ -182,6 +182,8 @@ void kexgss_client(Kex *); - void kexgss_server(Kex *); +diff -up openssh-6.8p1/kex.h.audit openssh-6.8p1/kex.h +--- openssh-6.8p1/kex.h.audit 2015-03-20 13:41:15.046883856 +0100 ++++ openssh-6.8p1/kex.h 2015-03-20 13:41:15.095883777 +0100 +@@ -199,6 +199,8 @@ int kexgss_client(struct ssh *); + int kexgss_server(struct ssh *); #endif -+void newkeys_destroy(Newkeys *newkeys); ++void newkeys_destroy(struct newkeys *newkeys); + - void - kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int, - BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *); -diff --git a/key.h b/key.h -index e1a3625..4a90e1e 100644 ---- a/key.h -+++ b/key.h -@@ -52,6 +52,7 @@ typedef struct sshkey Key; + int kex_dh_hash(const char *, const char *, + const u_char *, size_t, const u_char *, size_t, const u_char *, size_t, + const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *); +diff -up openssh-6.8p1/key.h.audit openssh-6.8p1/key.h +--- openssh-6.8p1/key.h.audit 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/key.h 2015-03-20 13:41:15.095883777 +0100 +@@ -50,6 +50,7 @@ typedef struct sshkey Key; + #define key_ecdsa_bits_to_nid sshkey_ecdsa_bits_to_nid #define key_ecdsa_key_to_nid sshkey_ecdsa_key_to_nid - #define key_names_valid2 sshkey_names_valid2 #define key_is_cert sshkey_is_cert +#define key_is_private sshkey_is_private #define key_type_plain sshkey_type_plain #define key_cert_is_legacy sshkey_cert_is_legacy #define key_curve_name_to_nid sshkey_curve_name_to_nid -diff --git a/mac.c b/mac.c -index 402dc98..fd07bf2 100644 ---- a/mac.c -+++ b/mac.c -@@ -223,6 +223,20 @@ mac_clear(Mac *mac) +diff -up openssh-6.8p1/mac.c.audit openssh-6.8p1/mac.c +--- openssh-6.8p1/mac.c.audit 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/mac.c 2015-03-20 13:41:15.102883766 +0100 +@@ -226,6 +246,20 @@ mac_clear(struct sshmac *mac) mac->umac_ctx = NULL; } +void -+mac_destroy(Mac *mac) ++mac_destroy(struct sshmac *mac) +{ + if (mac == NULL) + return; @@ -1171,37 +1131,37 @@ index 402dc98..fd07bf2 100644 /* XXX copied from ciphers_valid */ #define MAC_SEP "," int -diff --git a/mac.h b/mac.h -index fbe18c4..7dc7f43 100644 ---- a/mac.h -+++ b/mac.h -@@ -29,3 +29,4 @@ int mac_setup(Mac *, char *); - int mac_init(Mac *); - u_char *mac_compute(Mac *, u_int32_t, u_char *, int); - void mac_clear(Mac *); -+void mac_destroy(Mac *); -diff --git a/monitor.c b/monitor.c -index d97e640..07fa655 100644 ---- a/monitor.c -+++ b/monitor.c -@@ -100,6 +100,7 @@ +diff -up openssh-6.8p1/mac.h.audit openssh-6.8p1/mac.h +--- openssh-6.8p1/mac.h.audit 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/mac.h 2015-03-20 13:41:15.095883777 +0100 +@@ -47,5 +47,6 @@ int mac_init(struct sshmac *); + int mac_compute(struct sshmac *, u_int32_t, const u_char *, int, + u_char *, size_t); + void mac_clear(struct sshmac *); ++void mac_destroy(struct sshmac *); + + #endif /* SSHMAC_H */ +diff -up openssh-6.8p1/monitor.c.audit openssh-6.8p1/monitor.c +--- openssh-6.8p1/monitor.c.audit 2015-03-20 13:41:15.072883814 +0100 ++++ openssh-6.8p1/monitor.c 2015-03-20 13:41:15.107883758 +0100 +@@ -102,6 +102,7 @@ #include "ssh2.h" #include "roaming.h" #include "authfd.h" +#include "audit.h" + #include "match.h" + #include "ssherr.h" - #ifdef GSSAPI - static Gssctxt *gsscontext = NULL; -@@ -116,6 +117,8 @@ extern Buffer auth_debug; +@@ -117,6 +118,8 @@ extern Buffer auth_debug; extern int auth_debug_init; extern Buffer loginmsg; +extern void destroy_sensitive_data(int); + /* State exported from the child */ + static struct sshbuf *child_state; - struct { -@@ -188,6 +191,11 @@ int mm_answer_gss_updatecreds(int, Buffer *); +@@ -167,6 +170,11 @@ int mm_answer_gss_updatecreds(int, Buffe #ifdef SSH_AUDIT_EVENTS int mm_answer_audit_event(int, Buffer *); int mm_answer_audit_command(int, Buffer *); @@ -1213,7 +1173,7 @@ index d97e640..07fa655 100644 #endif static int monitor_read_log(struct monitor *); -@@ -247,6 +255,10 @@ struct mon_table mon_dispatch_proto20[] = { +@@ -226,6 +234,10 @@ struct mon_table mon_dispatch_proto20[] #endif #ifdef SSH_AUDIT_EVENTS {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, @@ -1224,7 +1184,7 @@ index d97e640..07fa655 100644 #endif #ifdef BSD_AUTH {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery}, -@@ -285,6 +297,11 @@ struct mon_table mon_dispatch_postauth20[] = { +@@ -264,6 +276,11 @@ struct mon_table mon_dispatch_postauth20 #ifdef SSH_AUDIT_EVENTS {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command}, @@ -1236,7 +1196,7 @@ index d97e640..07fa655 100644 #endif {0, 0, NULL} }; -@@ -317,6 +334,10 @@ struct mon_table mon_dispatch_proto15[] = { +@@ -296,6 +313,10 @@ struct mon_table mon_dispatch_proto15[] #endif #ifdef SSH_AUDIT_EVENTS {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, @@ -1247,7 +1207,7 @@ index d97e640..07fa655 100644 #endif #endif /* WITH_SSH1 */ {0, 0, NULL} -@@ -330,6 +351,11 @@ struct mon_table mon_dispatch_postauth15[] = { +@@ -309,6 +330,11 @@ struct mon_table mon_dispatch_postauth15 #ifdef SSH_AUDIT_EVENTS {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event}, {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command}, @@ -1259,7 +1219,7 @@ index d97e640..07fa655 100644 #endif #endif /* WITH_SSH1 */ {0, 0, NULL} -@@ -1416,9 +1442,11 @@ mm_answer_keyverify(int sock, Buffer *m) +@@ -1466,9 +1493,11 @@ mm_answer_keyverify(int sock, Buffer *m) Key *key; u_char *signature, *data, *blob; u_int signaturelen, datalen, bloblen; @@ -1271,7 +1231,7 @@ index d97e640..07fa655 100644 blob = buffer_get_string(m, &bloblen); signature = buffer_get_string(m, &signaturelen); data = buffer_get_string(m, &datalen); -@@ -1426,6 +1454,8 @@ mm_answer_keyverify(int sock, Buffer *m) +@@ -1476,6 +1505,8 @@ mm_answer_keyverify(int sock, Buffer *m) if (hostbased_cuser == NULL || hostbased_chost == NULL || !monitor_allowed_key(blob, bloblen)) fatal("%s: bad key, not previously allowed", __func__); @@ -1280,7 +1240,7 @@ index d97e640..07fa655 100644 key = key_from_blob(blob, bloblen); if (key == NULL) -@@ -1446,7 +1476,17 @@ mm_answer_keyverify(int sock, Buffer *m) +@@ -1496,7 +1527,17 @@ mm_answer_keyverify(int sock, Buffer *m) if (!valid_data) fatal("%s: bad signature data blob", __func__); @@ -1299,7 +1259,7 @@ index d97e640..07fa655 100644 debug3("%s: key %p signature %s", __func__, key, (verified == 1) ? "verified" : "unverified"); -@@ -1499,6 +1539,12 @@ mm_session_close(Session *s) +@@ -1554,6 +1595,12 @@ mm_session_close(Session *s) debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd); session_pty_cleanup2(s); } @@ -1312,7 +1272,7 @@ index d97e640..07fa655 100644 session_unused(s->self); } -@@ -1781,6 +1827,8 @@ mm_answer_term(int sock, Buffer *req) +@@ -1836,6 +1883,8 @@ mm_answer_term(int sock, Buffer *req) sshpam_cleanup(); #endif @@ -1321,7 +1281,7 @@ index d97e640..07fa655 100644 while (waitpid(pmonitor->m_pid, &status, 0) == -1) if (errno != EINTR) exit(1); -@@ -1823,11 +1871,43 @@ mm_answer_audit_command(int socket, Buffer *m) +@@ -1878,11 +1927,43 @@ mm_answer_audit_command(int socket, Buff { u_int len; char *cmd; @@ -1366,24 +1326,18 @@ index d97e640..07fa655 100644 free(cmd); return (0); } -@@ -1975,11 +2055,13 @@ mm_get_keystate(struct monitor *pmonitor) +@@ -1936,6 +2017,7 @@ + void + mm_get_keystate(struct monitor *pmonitor) + { ++ Buffer m; + debug3("%s: Waiting for new keys", __func__); - blob = buffer_get_string(&m, &bloblen); - current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen); -+ memset(blob, 0, bloblen); - free(blob); - - debug3("%s: Waiting for second key", __func__); - blob = buffer_get_string(&m, &bloblen); - current_keys[MODE_IN] = mm_newkeys_from_blob(blob, bloblen); -+ memset(blob, 0, bloblen); - free(blob); - - /* Now get sequence numbers for the packets */ -@@ -2025,6 +2107,21 @@ mm_get_keystate(struct monitor *pmonitor) - } - - buffer_free(&m); + if ((child_state = sshbuf_new()) == NULL) +@@ -1946,6 +2027,21 @@ mm_get_keystate(struct monitor *pmonitor + mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT, + child_state); + debug3("%s: GOT new keys", __func__); + +#ifdef SSH_AUDIT_EVENTS + if (compat20) { @@ -1402,7 +1356,7 @@ index d97e640..07fa655 100644 } -@@ -2321,3 +2418,87 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) { +@@ -2212,3 +2308,87 @@ mm_answer_gss_updatecreds(int socket, Bu #endif /* GSSAPI */ @@ -1490,10 +1444,9 @@ index d97e640..07fa655 100644 + return 0; +} +#endif /* SSH_AUDIT_EVENTS */ -diff --git a/monitor.h b/monitor.h -index 00c2028..cc8da6a 100644 ---- a/monitor.h -+++ b/monitor.h +diff -up openssh-6.8p1/monitor.h.audit openssh-6.8p1/monitor.h +--- openssh-6.8p1/monitor.h.audit 2015-03-20 13:41:15.072883814 +0100 ++++ openssh-6.8p1/monitor.h 2015-03-20 13:41:15.096883775 +0100 @@ -69,7 +69,13 @@ enum monitor_reqtype { MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107, MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109, @@ -1509,11 +1462,10 @@ index 00c2028..cc8da6a 100644 }; -diff --git a/monitor_wrap.c b/monitor_wrap.c -index 7e991e6..ba4ecd7 100644 ---- a/monitor_wrap.c -+++ b/monitor_wrap.c -@@ -456,7 +456,7 @@ mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key) +diff -up openssh-6.8p1/monitor_wrap.c.audit openssh-6.8p1/monitor_wrap.c +--- openssh-6.8p1/monitor_wrap.c.audit 2015-03-20 13:41:15.047883855 +0100 ++++ openssh-6.8p1/monitor_wrap.c 2015-03-20 13:41:15.108883756 +0100 +@@ -461,7 +461,7 @@ mm_key_allowed(enum mm_keytype type, cha */ int @@ -1522,7 +1474,7 @@ index 7e991e6..ba4ecd7 100644 { Buffer m; u_char *blob; -@@ -470,6 +470,7 @@ mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen) +@@ -475,6 +475,7 @@ mm_key_verify(Key *key, u_char *sig, u_i return (0); buffer_init(&m); @@ -1530,7 +1482,7 @@ index 7e991e6..ba4ecd7 100644 buffer_put_string(&m, blob, len); buffer_put_string(&m, sig, siglen); buffer_put_string(&m, data, datalen); -@@ -487,6 +488,19 @@ mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen) +@@ -492,6 +493,18 @@ mm_key_verify(Key *key, u_char *sig, u_i return (verified); } @@ -1546,26 +1498,10 @@ index 7e991e6..ba4ecd7 100644 + return mm_key_verify(MM_USERKEY, key, sig, siglen, data, datalen); +} + -+ - /* Export key state after authentication */ - Newkeys * - mm_newkeys_from_blob(u_char *blob, int blen) -@@ -665,12 +679,14 @@ mm_send_keystate(struct monitor *monitor) - fatal("%s: conversion of newkeys failed", __func__); - - buffer_put_string(&m, blob, bloblen); -+ memset(blob, 0, bloblen); - free(blob); - - if (!mm_newkeys_to_blob(MODE_IN, &blob, &bloblen)) - fatal("%s: conversion of newkeys failed", __func__); - - buffer_put_string(&m, blob, bloblen); -+ memset(blob, 0, bloblen); - free(blob); - - packet_get_state(MODE_OUT, &seqnr, &blocks, &packets, &bytes); -@@ -1218,10 +1234,11 @@ mm_audit_event(ssh_audit_event_t event) + void + mm_send_keystate(struct monitor *monitor) + { +@@ -1005,10 +1018,11 @@ mm_audit_event(ssh_audit_event_t event) buffer_free(&m); } @@ -1578,7 +1514,7 @@ index 7e991e6..ba4ecd7 100644 debug3("%s entering command %s", __func__, command); -@@ -1229,6 +1246,26 @@ mm_audit_run_command(const char *command) +@@ -1016,6 +1030,26 @@ mm_audit_run_command(const char *command buffer_put_cstring(&m, command); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, &m); @@ -1605,7 +1541,7 @@ index 7e991e6..ba4ecd7 100644 buffer_free(&m); } #endif /* SSH_AUDIT_EVENTS */ -@@ -1364,3 +1401,72 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store) +@@ -1151,3 +1185,72 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_cc #endif /* GSSAPI */ @@ -1678,11 +1614,10 @@ index 7e991e6..ba4ecd7 100644 + buffer_free(&m); +} +#endif /* SSH_AUDIT_EVENTS */ -diff --git a/monitor_wrap.h b/monitor_wrap.h -index 93929e0..e43109f 100644 ---- a/monitor_wrap.h -+++ b/monitor_wrap.h -@@ -52,7 +52,8 @@ int mm_key_allowed(enum mm_keytype, char *, char *, Key *); +diff -up openssh-6.8p1/monitor_wrap.h.audit openssh-6.8p1/monitor_wrap.h +--- openssh-6.8p1/monitor_wrap.h.audit 2015-03-20 13:41:15.048883853 +0100 ++++ openssh-6.8p1/monitor_wrap.h 2015-03-20 13:41:15.096883775 +0100 +@@ -52,7 +52,8 @@ int mm_key_allowed(enum mm_keytype, char int mm_user_key_allowed(struct passwd *, Key *); int mm_hostbased_key_allowed(struct passwd *, char *, char *, Key *); int mm_auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *); @@ -1706,20 +1641,19 @@ index 93929e0..e43109f 100644 #endif struct Session; -diff --git a/packet.c b/packet.c -index 9b7abd1..f1e00f7 100644 ---- a/packet.c -+++ b/packet.c -@@ -61,6 +61,7 @@ - #include +diff -up openssh-6.8p1/packet.c.audit openssh-6.8p1/packet.c +--- openssh-6.8p1/packet.c.audit 2015-03-20 13:41:14.990883947 +0100 ++++ openssh-6.8p1/packet.c 2015-03-20 13:41:15.097883774 +0100 +@@ -67,6 +67,7 @@ + #include "key.h" /* typedefs XXX */ #include "xmalloc.h" +#include "audit.h" - #include "buffer.h" - #include "packet.h" #include "crc32.h" -@@ -483,6 +484,13 @@ packet_get_connection_out(void) - return active_state->connection_out; + #include "deattack.h" + #include "compat.h" +@@ -448,6 +449,13 @@ ssh_packet_get_connection_out(struct ssh + return ssh->state->connection_out; } +static int @@ -1729,50 +1663,66 @@ index 9b7abd1..f1e00f7 100644 + (state->newkeys[MODE_IN] != NULL || state->newkeys[MODE_OUT] != NULL); +} + - /* Closes the connection and clears and frees internal data structures. */ - - void -@@ -491,13 +499,6 @@ packet_close(void) - if (!active_state->initialized) + /* + * Returns the IP-address of the remote host as a string. The returned + * string must not be freed. +@@ -478,13 +486,6 @@ ssh_packet_close(struct ssh *ssh) + if (!state->initialized) return; - active_state->initialized = 0; -- if (active_state->connection_in == active_state->connection_out) { -- shutdown(active_state->connection_out, SHUT_RDWR); -- close(active_state->connection_out); + state->initialized = 0; +- if (state->connection_in == state->connection_out) { +- shutdown(state->connection_out, SHUT_RDWR); +- close(state->connection_out); - } else { -- close(active_state->connection_in); -- close(active_state->connection_out); +- close(state->connection_in); +- close(state->connection_out); - } - buffer_free(&active_state->input); - buffer_free(&active_state->output); - buffer_free(&active_state->outgoing_packet); -@@ -506,8 +507,18 @@ packet_close(void) - buffer_free(&active_state->compression_buffer); - buffer_compress_uninit(); + sshbuf_free(state->input); + sshbuf_free(state->output); + sshbuf_free(state->outgoing_packet); +@@ -516,14 +517,24 @@ ssh_packet_close(struct ssh *ssh) + inflateEnd(stream); + } } -- cipher_cleanup(&active_state->send_context); -- cipher_cleanup(&active_state->receive_context); -+ if (packet_state_has_keys(active_state)) { -+ cipher_cleanup(&active_state->send_context); -+ cipher_cleanup(&active_state->receive_context); +- if ((r = cipher_cleanup(&state->send_context)) != 0) +- error("%s: cipher_cleanup failed: %s", __func__, ssh_err(r)); +- if ((r = cipher_cleanup(&state->receive_context)) != 0) +- error("%s: cipher_cleanup failed: %s", __func__, ssh_err(r)); ++ if (packet_state_has_keys(state)) { ++ if ((r = cipher_cleanup(&state->send_context)) != 0) ++ error("%s: cipher_cleanup failed: %s", __func__, ssh_err(r)); ++ if ((r = cipher_cleanup(&state->receive_context)) != 0) ++ error("%s: cipher_cleanup failed: %s", __func__, ssh_err(r)); + audit_session_key_free(2); + } -+ if (active_state->connection_in == active_state->connection_out) { -+ shutdown(active_state->connection_out, SHUT_RDWR); -+ close(active_state->connection_out); + if (ssh->remote_ipaddr) { + free(ssh->remote_ipaddr); + ssh->remote_ipaddr = NULL; + } ++ if (state->connection_in == state->connection_out) { ++ shutdown(state->connection_out, SHUT_RDWR); ++ close(state->connection_out); + } else { -+ close(active_state->connection_in); -+ close(active_state->connection_out); ++ close(state->connection_in); ++ close(state->connection_out); + } + free(ssh->state); + ssh->state = NULL; } - - /* Sets remote side protocol flags. */ -@@ -747,6 +758,25 @@ packet_send1(void) - */ +@@ -941,6 +952,7 @@ ssh_set_newkeys(struct ssh *ssh, int mod + } + if (state->newkeys[mode] != NULL) { + debug("set_newkeys: rekeying"); ++ audit_session_key_free(mode); + if ((r = cipher_cleanup(cc)) != 0) + return r; + enc = &state->newkeys[mode]->enc; +@@ -2263,6 +2275,73 @@ ssh_packet_get_output(struct ssh *ssh) + return (void *)ssh->state->output; } +static void -+newkeys_destroy_and_free(Newkeys *newkeys) ++newkeys_destroy_and_free(struct newkeys *newkeys) +{ + if (newkeys == NULL) + return; @@ -1790,21 +1740,6 @@ index 9b7abd1..f1e00f7 100644 + free(newkeys); +} + - void - set_newkeys(int mode) - { -@@ -772,6 +802,7 @@ set_newkeys(int mode) - } - if (active_state->newkeys[mode] != NULL) { - debug("set_newkeys: rekeying"); -+ audit_session_key_free(mode); - cipher_cleanup(cc); - enc = &active_state->newkeys[mode]->enc; - mac = &active_state->newkeys[mode]->mac; -@@ -2025,6 +2056,48 @@ packet_get_newkeys(int mode) - return (void *)active_state->newkeys[mode]; - } - +static void +packet_destroy_state(struct session_state *state) +{ @@ -1814,12 +1749,18 @@ index 9b7abd1..f1e00f7 100644 + cipher_cleanup(&state->receive_context); + cipher_cleanup(&state->send_context); + -+ buffer_free(&state->input); -+ buffer_free(&state->output); -+ buffer_free(&state->outgoing_packet); -+ buffer_free(&state->incoming_packet); -+ if( state->compression_buffer_ready ) -+ buffer_free(&state->compression_buffer); ++ buffer_free(state->input); ++ state->input = NULL; ++ buffer_free(state->output); ++ state->output = NULL; ++ buffer_free(state->outgoing_packet); ++ state->outgoing_packet = NULL; ++ buffer_free(state->incoming_packet); ++ state->incoming_packet = NULL; ++ if( state->compression_buffer ) { ++ buffer_free(state->compression_buffer); ++ state->compression_buffer = NULL; ++ } + newkeys_destroy_and_free(state->newkeys[MODE_IN]); + state->newkeys[MODE_IN] = NULL; + newkeys_destroy_and_free(state->newkeys[MODE_OUT]); @@ -1833,10 +1774,10 @@ index 9b7abd1..f1e00f7 100644 +packet_destroy_all(int audit_it, int privsep) +{ + if (audit_it) -+ audit_it = packet_state_has_keys (active_state) || -+ packet_state_has_keys (backup_state); -+ packet_destroy_state(active_state); -+ packet_destroy_state(backup_state); ++ audit_it = packet_state_has_keys (active_state->state) || ++ packet_state_has_keys (backup_state->state); ++ packet_destroy_state(active_state->state); ++ packet_destroy_state(backup_state->state); + if (audit_it) { +#ifdef SSH_AUDIT_EVENTS + if (privsep) @@ -1847,66 +1788,73 @@ index 9b7abd1..f1e00f7 100644 + } +} + + /* XXX TODO update roaming to new API (does not work anyway) */ /* * Save the state for the real connection, and use a separate state when - * resuming a suspended connection. -@@ -2032,18 +2104,12 @@ packet_get_newkeys(int mode) - void - packet_backup_state(void) +@@ -2272,18 +2373,12 @@ void + ssh_packet_backup_state(struct ssh *ssh, + struct ssh *backup_state) { -- struct session_state *tmp; +- struct ssh *tmp; - - close(active_state->connection_in); - active_state->connection_in = -1; - close(active_state->connection_out); - active_state->connection_out = -1; + close(ssh->state->connection_in); + ssh->state->connection_in = -1; + close(ssh->state->connection_out); + ssh->state->connection_out = -1; - if (backup_state) - tmp = backup_state; - else -- tmp = alloc_session_state(); - backup_state = active_state; -- active_state = tmp; -+ active_state = alloc_session_state(); +- tmp = ssh_alloc_session_state(); + backup_state = ssh; +- ssh = tmp; ++ ssh = ssh_alloc_session_state(); } - /* -@@ -2060,9 +2126,7 @@ packet_restore_state(void) - backup_state = active_state; - active_state = tmp; - active_state->connection_in = backup_state->connection_in; -- backup_state->connection_in = -1; - active_state->connection_out = backup_state->connection_out; -- backup_state->connection_out = -1; - len = buffer_len(&backup_state->input); + /* XXX FIXME FIXME FIXME */ +@@ -2302,9 +2397,7 @@ ssh_packet_restore_state(struct ssh *ssh + backup_state = ssh; + ssh = tmp; + ssh->state->connection_in = backup_state->state->connection_in; +- backup_state->state->connection_in = -1; + ssh->state->connection_out = backup_state->state->connection_out; +- backup_state->state->connection_out = -1; + len = sshbuf_len(backup_state->state->input); if (len > 0) { - buf = buffer_ptr(&backup_state->input); -@@ -2070,6 +2134,11 @@ packet_restore_state(void) - buffer_clear(&backup_state->input); + if ((r = sshbuf_putb(ssh->state->input, +@@ -2313,6 +2406,11 @@ ssh_packet_restore_state(struct ssh *ssh + sshbuf_reset(backup_state->state->input); add_recv_bytes(len); } -+ backup_state->connection_in = -1; -+ backup_state->connection_out = -1; -+ packet_destroy_state(backup_state); ++ backup_state->state->connection_in = -1; ++ backup_state->state->connection_out = -1; ++ packet_destroy_state(backup_state->state); + free(backup_state); + backup_state = NULL; } /* Reset after_authentication and reset compression in post-auth privsep */ -diff --git a/packet.h b/packet.h -index e7b5fcb..45a6ce6 100644 ---- a/packet.h -+++ b/packet.h -@@ -125,4 +125,5 @@ void packet_set_postauth(void); - void *packet_get_input(void); - void *packet_get_output(void); +diff -up openssh-6.8p1/packet.h.audit openssh-6.8p1/packet.h +--- openssh-6.8p1/packet.h.audit 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/packet.h 2015-03-20 13:41:15.097883774 +0100 +@@ -189,7 +189,7 @@ int sshpkt_get_end(struct ssh *ssh); + const u_char *sshpkt_ptr(struct ssh *, size_t *lenp); + + /* OLD API */ +-extern struct ssh *active_state; ++extern struct ssh *active_state, *backup_state; + #include "opacket.h" + + #if !defined(WITH_OPENSSL) +@@ -203,4 +203,5 @@ extern struct ssh *active_state; + # undef EC_POINT + #endif +void packet_destroy_all(int, int); #endif /* PACKET_H */ -diff --git a/session.c b/session.c -index 40a681e..acd87d5 100644 ---- a/session.c -+++ b/session.c -@@ -138,7 +138,7 @@ extern int log_stderr; +diff -up openssh-6.8p1/session.c.audit openssh-6.8p1/session.c +--- openssh-6.8p1/session.c.audit 2015-03-20 13:41:15.073883813 +0100 ++++ openssh-6.8p1/session.c 2015-03-20 13:41:15.097883774 +0100 +@@ -139,7 +139,7 @@ extern int log_stderr; extern int debug_flag; extern u_int utmp_len; extern int startup_pipe; @@ -1915,7 +1863,7 @@ index 40a681e..acd87d5 100644 extern Buffer loginmsg; /* original command from peer. */ -@@ -730,6 +730,14 @@ do_exec_pty(Session *s, const char *command) +@@ -731,6 +731,14 @@ do_exec_pty(Session *s, const char *comm /* Parent. Close the slave side of the pseudo tty. */ close(ttyfd); @@ -1930,7 +1878,7 @@ index 40a681e..acd87d5 100644 /* Enter interactive session. */ s->ptymaster = ptymaster; packet_set_interactive(1, -@@ -852,15 +860,19 @@ do_exec(Session *s, const char *command) +@@ -853,15 +861,19 @@ do_exec(Session *s, const char *command) get_remote_port()); #ifdef SSH_AUDIT_EVENTS @@ -1952,7 +1900,7 @@ index 40a681e..acd87d5 100644 #endif if (s->ttyfd != -1) ret = do_exec_pty(s, command); -@@ -1703,7 +1715,10 @@ do_child(Session *s, const char *command) +@@ -1704,7 +1716,10 @@ do_child(Session *s, const char *command int r = 0; /* remove hostkey from the child's memory */ @@ -1964,7 +1912,7 @@ index 40a681e..acd87d5 100644 /* Force a password change */ if (s->authctxt->force_pwchange) { -@@ -1933,6 +1948,7 @@ session_unused(int id) +@@ -1934,6 +1949,7 @@ session_unused(int id) sessions[id].ttyfd = -1; sessions[id].ptymaster = -1; sessions[id].x11_chanids = NULL; @@ -1972,7 +1920,7 @@ index 40a681e..acd87d5 100644 sessions[id].next_unused = sessions_first_unused; sessions_first_unused = id; } -@@ -2015,6 +2031,19 @@ session_open(Authctxt *authctxt, int chanid) +@@ -2016,6 +2032,19 @@ session_open(Authctxt *authctxt, int cha } Session * @@ -1992,7 +1940,7 @@ index 40a681e..acd87d5 100644 session_by_tty(char *tty) { int i; -@@ -2531,6 +2560,30 @@ session_exit_message(Session *s, int status) +@@ -2532,6 +2561,30 @@ session_exit_message(Session *s, int sta chan_write_failed(c); } @@ -2023,7 +1971,7 @@ index 40a681e..acd87d5 100644 void session_close(Session *s) { -@@ -2539,6 +2592,10 @@ session_close(Session *s) +@@ -2540,6 +2593,10 @@ session_close(Session *s) debug("session_close: session %d pid %ld", s->self, (long)s->pid); if (s->ttyfd != -1) session_pty_cleanup(s); @@ -2034,7 +1982,7 @@ index 40a681e..acd87d5 100644 free(s->term); free(s->display); free(s->x11_chanids); -@@ -2753,6 +2810,15 @@ do_authenticated2(Authctxt *authctxt) +@@ -2754,6 +2811,15 @@ do_authenticated2(Authctxt *authctxt) server_loop2(authctxt); } @@ -2050,17 +1998,16 @@ index 40a681e..acd87d5 100644 void do_cleanup(Authctxt *authctxt) { -@@ -2801,5 +2867,5 @@ do_cleanup(Authctxt *authctxt) +@@ -2802,5 +2868,5 @@ do_cleanup(Authctxt *authctxt) * or if running in monitor. */ if (!use_privsep || mm_is_monitor()) - session_destroy_all(session_pty_cleanup2); + session_destroy_all(do_cleanup_one_session); } -diff --git a/session.h b/session.h -index 6a2f35e..e9b312e 100644 ---- a/session.h -+++ b/session.h +diff -up openssh-6.8p1/session.h.audit openssh-6.8p1/session.h +--- openssh-6.8p1/session.h.audit 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/session.h 2015-03-20 13:41:15.097883774 +0100 @@ -61,6 +61,12 @@ struct Session { char *name; char *val; @@ -2085,19 +2032,18 @@ index 6a2f35e..e9b312e 100644 Session *session_by_tty(char *); void session_close(Session *); void do_setusercontext(struct passwd *); -diff --git a/sshd.c b/sshd.c -index ca55d7f..db23ce2 100644 ---- a/sshd.c -+++ b/sshd.c -@@ -120,6 +120,7 @@ +diff -up openssh-6.8p1/sshd.c.audit openssh-6.8p1/sshd.c +--- openssh-6.8p1/sshd.c.audit 2015-03-20 13:41:15.083883796 +0100 ++++ openssh-6.8p1/sshd.c 2015-03-20 13:41:15.110883753 +0100 +@@ -121,6 +124,7 @@ #endif #include "monitor_wrap.h" #include "roaming.h" +#include "audit.h" #include "ssh-sandbox.h" #include "version.h" - -@@ -254,7 +255,7 @@ Buffer loginmsg; + #include "ssherr.h" +@@ -260,7 +264,7 @@ Buffer loginmsg; struct passwd *privsep_pw = NULL; /* Prototypes for various functions defined later in this file. */ @@ -2106,7 +2052,7 @@ index ca55d7f..db23ce2 100644 void demote_sensitive_data(void); #ifdef WITH_SSH1 -@@ -275,6 +276,15 @@ close_listen_socks(void) +@@ -281,6 +285,15 @@ close_listen_socks(void) num_listen_socks = -1; } @@ -2122,7 +2068,7 @@ index ca55d7f..db23ce2 100644 static void close_startup_pipes(void) { -@@ -554,22 +564,45 @@ sshd_exchange_identification(int sock_in, int sock_out) +@@ -560,22 +573,45 @@ sshd_exchange_identification(int sock_in } } @@ -2150,7 +2096,7 @@ index ca55d7f..db23ce2 100644 + char *fp; + + if (key_is_private(sensitive_data.host_keys[i])) -+ fp = key_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX); ++ fp = sshkey_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX); + else + fp = NULL; key_free(sensitive_data.host_keys[i]); @@ -2171,7 +2117,7 @@ index ca55d7f..db23ce2 100644 key_free(sensitive_data.host_certificates[i]); sensitive_data.host_certificates[i] = NULL; } -@@ -583,6 +616,8 @@ void +@@ -589,6 +625,8 @@ void demote_sensitive_data(void) { Key *tmp; @@ -2180,7 +2126,7 @@ index ca55d7f..db23ce2 100644 int i; if (sensitive_data.server_key) { -@@ -591,13 +626,25 @@ demote_sensitive_data(void) +@@ -597,13 +635,25 @@ demote_sensitive_data(void) sensitive_data.server_key = tmp; } @@ -2191,7 +2137,7 @@ index ca55d7f..db23ce2 100644 + char *fp; + + if (key_is_private(sensitive_data.host_keys[i])) -+ fp = key_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX); ++ fp = sshkey_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX); + else + fp = NULL; tmp = key_demote(sensitive_data.host_keys[i]); @@ -2206,7 +2152,7 @@ index ca55d7f..db23ce2 100644 } /* Certs do not need demotion */ } -@@ -667,7 +714,7 @@ privsep_preauth(Authctxt *authctxt) +@@ -675,7 +725,7 @@ privsep_preauth(Authctxt *authctxt) if (use_privsep == PRIVSEP_ON) box = ssh_sandbox_init(pmonitor); @@ -2215,35 +2161,26 @@ index ca55d7f..db23ce2 100644 if (pid == -1) { fatal("fork of unprivileged child failed"); } else if (pid != 0) { -@@ -721,6 +768,8 @@ privsep_preauth(Authctxt *authctxt) - } - } - -+extern Newkeys *current_keys[]; -+ - static void - privsep_postauth(Authctxt *authctxt) - { -@@ -745,6 +794,10 @@ privsep_postauth(Authctxt *authctxt) +@@ -759,6 +811,10 @@ privsep_postauth(Authctxt *authctxt) else if (pmonitor->m_pid != 0) { verbose("User child is on pid %ld", (long)pmonitor->m_pid); buffer_clear(&loginmsg); -+ newkeys_destroy(current_keys[MODE_OUT]); -+ newkeys_destroy(current_keys[MODE_IN]); ++ newkeys_destroy((*pmonitor->m_pkex)->newkeys[MODE_OUT]); ++ newkeys_destroy((*pmonitor->m_pkex)->newkeys[MODE_IN]); + audit_session_key_free_body(2, getpid(), getuid()); + packet_destroy_all(0, 0); monitor_child_postauth(pmonitor); /* NEVERREACHED */ -@@ -1222,6 +1275,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) +@@ -1286,6 +1341,7 @@ server_accept_loop(int *sock_in, int *so if (received_sigterm) { logit("Received signal %d; terminating.", (int) received_sigterm); + destroy_sensitive_data(0); close_listen_socks(); - unlink(options.pid_file); - exit(received_sigterm == SIGTERM ? 0 : 255); -@@ -2141,6 +2195,7 @@ main(int ac, char **av) + if (options.pid_file != NULL) + unlink(options.pid_file); +@@ -2242,6 +2321,7 @@ main(int ac, char **av) */ if (use_privsep) { mm_send_keystate(pmonitor); @@ -2251,7 +2188,7 @@ index ca55d7f..db23ce2 100644 exit(0); } -@@ -2186,7 +2241,7 @@ main(int ac, char **av) +@@ -2287,7 +2367,7 @@ main(int ac, char **av) privsep_postauth(authctxt); /* the monitor process [priv] will not return */ if (!compat20) @@ -2260,17 +2197,17 @@ index ca55d7f..db23ce2 100644 } packet_set_timeout(options.client_alive_interval, -@@ -2196,6 +2251,9 @@ main(int ac, char **av) +@@ -2301,6 +2381,9 @@ main(int ac, char **av) do_authenticated(authctxt); /* The connection has been terminated. */ + packet_destroy_all(1, 1); + destroy_sensitive_data(1); + - packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes); - packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes); + packet_get_bytes(&ibytes, &obytes); verbose("Transferred: sent %llu, received %llu bytes", -@@ -2355,6 +2413,10 @@ do_ssh1_kex(void) + (unsigned long long)obytes, (unsigned long long)ibytes); +@@ -2461,6 +2544,10 @@ do_ssh1_kex(void) if (cookie[i] != packet_get_char()) packet_disconnect("IP Spoofing check bytes do not match."); @@ -2281,16 +2218,16 @@ index ca55d7f..db23ce2 100644 debug("Encryption type: %.200s", cipher_name(cipher_type)); /* Get the encrypted integer. */ -@@ -2427,7 +2489,7 @@ do_ssh1_kex(void) - session_id[i] = session_key[i] ^ session_key[i + 16]; +@@ -2520,7 +2607,7 @@ do_ssh1_kex(void) } + /* Destroy the private and public keys. No longer. */ - destroy_sensitive_data(); + destroy_sensitive_data(0); if (use_privsep) mm_ssh1_session_id(session_id); -@@ -2598,6 +2660,16 @@ do_ssh2_kex(void) +@@ -2703,6 +2802,16 @@ do_ssh2_kex(void) void cleanup_exit(int i) { @@ -2307,7 +2244,7 @@ index ca55d7f..db23ce2 100644 if (the_authctxt) { do_cleanup(the_authctxt); if (use_privsep && privsep_is_preauth && -@@ -2609,9 +2681,14 @@ cleanup_exit(int i) +@@ -2714,9 +2823,14 @@ cleanup_exit(int i) pmonitor->m_pid, strerror(errno)); } } @@ -2323,11 +2260,10 @@ index ca55d7f..db23ce2 100644 audit_event(SSH_CONNECTION_ABANDON); #endif _exit(i); -diff --git a/sshkey.c b/sshkey.c -index 70df758..f078e11 100644 ---- a/sshkey.c -+++ b/sshkey.c -@@ -291,6 +291,33 @@ sshkey_type_is_valid_ca(int type) +diff -up openssh-6.8p1/sshkey.c.audit openssh-6.8p1/sshkey.c +--- openssh-6.8p1/sshkey.c.audit 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/sshkey.c 2015-03-20 13:41:15.111883751 +0100 +@@ -317,6 +319,33 @@ sshkey_type_is_valid_ca(int type) } int @@ -2361,11 +2297,10 @@ index 70df758..f078e11 100644 sshkey_is_cert(const struct sshkey *k) { if (k == NULL) -diff --git a/sshkey.h b/sshkey.h -index 4554b09..226a494 100644 ---- a/sshkey.h -+++ b/sshkey.h -@@ -134,6 +134,7 @@ u_int sshkey_size(const struct sshkey *); +diff -up openssh-6.8p1/sshkey.h.audit openssh-6.8p1/sshkey.h +--- openssh-6.8p1/sshkey.h.audit 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/sshkey.h 2015-03-20 13:41:15.098883772 +0100 +@@ -134,6 +134,7 @@ u_int sshkey_size(const struct sshkey int sshkey_generate(int type, u_int bits, struct sshkey **keyp); int sshkey_from_private(const struct sshkey *, struct sshkey **); int sshkey_type_from_name(const char *); @@ -2373,11 +2308,10 @@ index 4554b09..226a494 100644 int sshkey_is_cert(const struct sshkey *); int sshkey_type_is_cert(int); int sshkey_type_plain(int); - -diff -U3 openssh-6.6p1/sandbox-seccomp-filter.c openssh-6.6p1.seccomp/sandbox-seccomp-filter.c ---- openssh-6.6p1/sandbox-seccomp-filter.c 2014-02-06 01:17:50.000000000 +0100 -+++ openssh-6.6p1.seccomp/sandbox-seccomp-filter.c 2015-02-11 09:07:10.885000000 +0100 -@@ -95,6 +95,12 @@ +diff -up openssh-6.8p1/sandbox-seccomp-filter.c.audit openssh-6.8p1/sandbox-seccomp-filter.c +--- openssh-6.8p1/sandbox-seccomp-filter.c.audit 2015-03-20 13:41:15.088883788 +0100 ++++ openssh-6.8p1/sandbox-seccomp-filter.c 2015-03-20 13:41:15.097883774 +0100 +@@ -110,6 +110,12 @@ static const struct sock_filter preauth_ #ifdef __NR_time /* not defined on EABI ARM */ SC_ALLOW(time), #endif diff --git a/openssh-6.7p1-coverity.patch b/openssh-6.7p1-coverity.patch index 875b79a..c7a7e04 100644 --- a/openssh-6.7p1-coverity.patch +++ b/openssh-6.7p1-coverity.patch @@ -1,8 +1,7 @@ -diff --git a/auth-pam.c b/auth-pam.c -index cd1a775..2fff267 100644 ---- a/auth-pam.c -+++ b/auth-pam.c -@@ -216,7 +216,12 @@ pthread_join(sp_pthread_t thread, void **value) +diff -up openssh-6.8p1/auth-pam.c.coverity openssh-6.8p1/auth-pam.c +--- openssh-6.8p1/auth-pam.c.coverity 2015-03-18 17:21:51.792265051 +0100 ++++ openssh-6.8p1/auth-pam.c 2015-03-18 17:21:51.895264835 +0100 +@@ -216,7 +216,12 @@ pthread_join(sp_pthread_t thread, void * if (sshpam_thread_status != -1) return (sshpam_thread_status); signal(SIGCHLD, sshpam_oldsig); @@ -16,11 +15,10 @@ index cd1a775..2fff267 100644 return (status); } #endif -diff --git a/channels.c b/channels.c -index 51a221d..0ef1d90 100644 ---- a/channels.c -+++ b/channels.c -@@ -239,11 +239,11 @@ channel_register_fds(Channel *c, int rfd, int wfd, int efd, +diff -up openssh-6.8p1/channels.c.coverity openssh-6.8p1/channels.c +--- openssh-6.8p1/channels.c.coverity 2015-03-18 17:21:51.815265002 +0100 ++++ openssh-6.8p1/channels.c 2015-03-18 17:21:51.896264833 +0100 +@@ -243,11 +243,11 @@ channel_register_fds(Channel *c, int rfd channel_max_fd = MAX(channel_max_fd, wfd); channel_max_fd = MAX(channel_max_fd, efd); @@ -35,7 +33,7 @@ index 51a221d..0ef1d90 100644 fcntl(efd, F_SETFD, FD_CLOEXEC); c->rfd = rfd; -@@ -261,11 +261,11 @@ channel_register_fds(Channel *c, int rfd, int wfd, int efd, +@@ -265,11 +265,11 @@ channel_register_fds(Channel *c, int rfd /* enable nonblocking mode */ if (nonblock) { @@ -50,7 +48,7 @@ index 51a221d..0ef1d90 100644 set_nonblock(efd); } } -@@ -3959,13 +3959,13 @@ connect_local_xsocket_path(const char *pathname, int len) +@@ -3972,13 +3972,13 @@ connect_local_xsocket_path(const char *p int sock; struct sockaddr_un addr; @@ -66,35 +64,10 @@ index 51a221d..0ef1d90 100644 if (len > sizeof addr.sun_path) len = sizeof addr.sun_path; memcpy(addr.sun_path, pathname, len); -diff --git a/clientloop.c b/clientloop.c -index 20ce0b5..65cb26a 100644 ---- a/clientloop.c -+++ b/clientloop.c -@@ -2090,15 +2090,16 @@ client_input_global_request(int type, u_int32_t seq, void *ctxt) - { - char *rtype; - int want_reply; -- int success = 0; -+/* int success = 0; -+ success is still 0 the packet is allways SSH2_MSG_REQUEST_FAILURE, isn't it? */ - - rtype = packet_get_string(NULL); - want_reply = packet_get_char(); - debug("client_input_global_request: rtype %s want_reply %d", - rtype, want_reply); - if (want_reply) { -- packet_start(success ? -- SSH2_MSG_REQUEST_SUCCESS : SSH2_MSG_REQUEST_FAILURE); -+ packet_start(/*success ? -+ SSH2_MSG_REQUEST_SUCCESS :*/ SSH2_MSG_REQUEST_FAILURE); - packet_send(); - packet_write_wait(); - } -diff --git a/entropy.c b/entropy.c -index 06b0095..a4097da 100644 ---- a/entropy.c -+++ b/entropy.c -@@ -44,6 +44,7 @@ +diff -up openssh-6.8p1/entropy.c.coverity openssh-6.8p1/entropy.c +--- openssh-6.8p1/entropy.c.coverity 2015-03-18 17:21:51.891264843 +0100 ++++ openssh-6.8p1/entropy.c 2015-03-18 17:21:51.897264831 +0100 +@@ -46,6 +46,7 @@ #include #include "openbsd-compat/openssl-compat.h" @@ -102,11 +75,10 @@ index 06b0095..a4097da 100644 #include "ssh.h" #include "misc.h" -diff --git a/monitor.c b/monitor.c -index 07fa655..b8e6e06 100644 ---- a/monitor.c -+++ b/monitor.c -@@ -488,7 +488,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) +diff -up openssh-6.8p1/monitor.c.coverity openssh-6.8p1/monitor.c +--- openssh-6.8p1/monitor.c.coverity 2015-03-18 17:21:51.887264852 +0100 ++++ openssh-6.8p1/monitor.c 2015-03-18 17:21:51.897264831 +0100 +@@ -444,7 +444,7 @@ monitor_child_preauth(Authctxt *_authctx mm_get_keystate(pmonitor); /* Drain any buffered messages from the child */ @@ -115,7 +87,7 @@ index 07fa655..b8e6e06 100644 ; close(pmonitor->m_sendfd); -@@ -1276,6 +1276,10 @@ mm_answer_keyallowed(int sock, Buffer *m) +@@ -1303,6 +1303,10 @@ mm_answer_keyallowed(int sock, Buffer *m break; } } @@ -126,7 +98,7 @@ index 07fa655..b8e6e06 100644 if (key != NULL) key_free(key); -@@ -1297,9 +1301,6 @@ mm_answer_keyallowed(int sock, Buffer *m) +@@ -1324,9 +1328,6 @@ mm_answer_keyallowed(int sock, Buffer *m free(chost); } @@ -136,11 +108,10 @@ index 07fa655..b8e6e06 100644 buffer_clear(m); buffer_put_int(m, allowed); buffer_put_int(m, forced_command != NULL); -diff --git a/monitor_wrap.c b/monitor_wrap.c -index ba4ecd7..b3e4ca1 100644 ---- a/monitor_wrap.c -+++ b/monitor_wrap.c -@@ -749,10 +749,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, size_t namebuflen) +diff -up openssh-6.8p1/monitor_wrap.c.coverity openssh-6.8p1/monitor_wrap.c +--- openssh-6.8p1/monitor_wrap.c.coverity 2015-03-18 17:21:51.888264849 +0100 ++++ openssh-6.8p1/monitor_wrap.c 2015-03-18 17:21:51.897264831 +0100 +@@ -533,10 +533,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd, if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 || (tmp2 = dup(pmonitor->m_recvfd)) == -1) { error("%s: cannot allocate fds for pty", __func__); @@ -154,11 +125,10 @@ index ba4ecd7..b3e4ca1 100644 return 0; } close(tmp1); -diff --git a/openbsd-compat/bindresvport.c b/openbsd-compat/bindresvport.c -index c89f214..80115c2 100644 ---- a/openbsd-compat/bindresvport.c -+++ b/openbsd-compat/bindresvport.c -@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr *sa) +diff -up openssh-6.8p1/openbsd-compat/bindresvport.c.coverity openssh-6.8p1/openbsd-compat/bindresvport.c +--- openssh-6.8p1/openbsd-compat/bindresvport.c.coverity 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/openbsd-compat/bindresvport.c 2015-03-18 17:21:51.897264831 +0100 +@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr struct sockaddr_in6 *in6; u_int16_t *portp; u_int16_t port; @@ -167,10 +137,9 @@ index c89f214..80115c2 100644 int i; if (sa == NULL) { -diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h -index 8b7cda2..e2ca8a1 100644 ---- a/openbsd-compat/port-linux.h -+++ b/openbsd-compat/port-linux.h +diff -up openssh-6.8p1/openbsd-compat/port-linux.h.coverity openssh-6.8p1/openbsd-compat/port-linux.h +--- openssh-6.8p1/openbsd-compat/port-linux.h.coverity 2015-03-18 17:21:51.861264906 +0100 ++++ openssh-6.8p1/openbsd-compat/port-linux.h 2015-03-18 17:21:51.897264831 +0100 @@ -37,4 +37,6 @@ void oom_adjust_restore(void); void oom_adjust_setup(void); #endif @@ -178,23 +147,10 @@ index 8b7cda2..e2ca8a1 100644 +void linux_seed(void); + #endif /* ! _PORT_LINUX_H */ -diff --git a/packet.c b/packet.c -index 8ec353e..dbc2c33 100644 ---- a/packet.c -+++ b/packet.c -@@ -1246,6 +1246,7 @@ packet_read_poll1(void) - case DEATTACK_DETECTED: - packet_disconnect("crc32 compensation attack: " - "network attack detected"); -+ break; - case DEATTACK_DOS_DETECTED: - packet_disconnect("deattack denial of " - "service detected"); -diff --git a/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c b/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c -index 8ba6d87..a7808c7 100644 ---- a/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c -+++ b/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c -@@ -87,7 +87,7 @@ pam_user_key_allowed2(struct passwd *pw, Key *key, char *file) +diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c.coverity openssh-6.8p1/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c +--- openssh-6.8p1/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c.coverity 2015-03-18 17:21:51.788265059 +0100 ++++ openssh-6.8p1/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c 2015-03-18 17:21:51.898264829 +0100 +@@ -87,7 +87,7 @@ pam_user_key_allowed2(struct passwd *pw, found = key_new(key->type); while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) { @@ -203,7 +159,7 @@ index 8ba6d87..a7808c7 100644 /* Skip leading whitespace, empty and comment lines. */ for (cp = line; *cp == ' ' || *cp == '\t'; cp++) -@@ -99,7 +99,6 @@ pam_user_key_allowed2(struct passwd *pw, Key *key, char *file) +@@ -99,7 +99,6 @@ pam_user_key_allowed2(struct passwd *pw, /* no key? check if there are options for this key */ int quoted = 0; verbose("user_key_allowed: check options: '%s'", cp); @@ -211,10 +167,9 @@ index 8ba6d87..a7808c7 100644 for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) { if (*cp == '\\' && cp[1] == '"') cp++; /* Skip both */ -diff --git a/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c b/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c -index e14eb27..323817a 100644 ---- a/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c -+++ b/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c +diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c.coverity openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c +--- openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c.coverity 2015-03-18 17:21:51.786265063 +0100 ++++ openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c 2015-03-18 17:21:51.898264829 +0100 @@ -89,8 +89,7 @@ userauth_pubkey_from_id(Identity * id) authenticated = 1; @@ -225,44 +180,10 @@ index e14eb27..323817a 100644 if(sig != NULL) free(sig); if(pkblob != NULL) -diff --git a/progressmeter.c b/progressmeter.c -index bbbc706..ae6d1aa 100644 ---- a/progressmeter.c -+++ b/progressmeter.c -@@ -65,7 +65,7 @@ static void update_progress_meter(int); - - static time_t start; /* start progress */ - static time_t last_update; /* last progress update */ --static char *file; /* name of the file being transferred */ -+static const char *file; /* name of the file being transferred */ - static off_t start_pos; /* initial position of transfer */ - static off_t end_pos; /* ending position of transfer */ - static off_t cur_pos; /* transfer position as of last refresh */ -@@ -248,7 +248,7 @@ update_progress_meter(int ignore) - } - - void --start_progress_meter(char *f, off_t filesize, off_t *ctr) -+start_progress_meter(const char *f, off_t filesize, off_t *ctr) - { - start = last_update = monotime(); - file = f; -diff --git a/progressmeter.h b/progressmeter.h -index 10bab99..e9ca8f0 100644 ---- a/progressmeter.h -+++ b/progressmeter.h -@@ -23,5 +23,5 @@ - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - --void start_progress_meter(char *, off_t, off_t *); -+void start_progress_meter(const char *, off_t, off_t *); - void stop_progress_meter(void); -diff --git a/scp.c b/scp.c -index cbd904d..e4e9fa1 100644 ---- a/scp.c -+++ b/scp.c -@@ -155,7 +155,7 @@ killchild(int signo) +diff -up openssh-6.8p1/scp.c.coverity openssh-6.8p1/scp.c +--- openssh-6.8p1/scp.c.coverity 2015-03-18 17:21:51.868264891 +0100 ++++ openssh-6.8p1/scp.c 2015-03-18 17:21:58.281251460 +0100 +@@ -156,7 +156,7 @@ killchild(int signo) { if (do_cmd_pid > 1) { kill(do_cmd_pid, signo ? signo : SIGTERM); @@ -271,11 +192,10 @@ index cbd904d..e4e9fa1 100644 } if (signo) -diff --git a/servconf.c b/servconf.c -index 87a311b..895cdca 100644 ---- a/servconf.c -+++ b/servconf.c -@@ -1418,7 +1418,7 @@ process_server_config_line(ServerOptions *options, char *line, +diff -up openssh-6.8p1/servconf.c.coverity openssh-6.8p1/servconf.c +--- openssh-6.8p1/servconf.c.coverity 2015-03-18 17:21:51.893264839 +0100 ++++ openssh-6.8p1/servconf.c 2015-03-18 17:21:58.281251460 +0100 +@@ -1475,7 +1475,7 @@ process_server_config_line(ServerOptions fatal("%s line %d: Missing subsystem name.", filename, linenum); if (!*activep) { @@ -284,7 +204,7 @@ index 87a311b..895cdca 100644 break; } for (i = 0; i < options->num_subsystems; i++) -@@ -1509,8 +1509,9 @@ process_server_config_line(ServerOptions *options, char *line, +@@ -1566,8 +1566,9 @@ process_server_config_line(ServerOptions if (*activep && *charptr == NULL) { *charptr = tilde_expand_filename(arg, getuid()); /* increase optional counter */ @@ -296,10 +216,9 @@ index 87a311b..895cdca 100644 } break; -diff --git a/serverloop.c b/serverloop.c -index e92f9e2..3cad041 100644 ---- a/serverloop.c -+++ b/serverloop.c +diff -up openssh-6.8p1/serverloop.c.coverity openssh-6.8p1/serverloop.c +--- openssh-6.8p1/serverloop.c.coverity 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/serverloop.c 2015-03-18 17:28:45.616436080 +0100 @@ -147,13 +147,13 @@ notify_setup(void) static void notify_parent(void) @@ -327,7 +246,7 @@ index e92f9e2..3cad041 100644 debug2("notify_done: reading"); } -@@ -337,7 +337,7 @@ wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp, +@@ -337,7 +337,7 @@ wait_until_can_do_something(fd_set **rea * If we have buffered data, try to write some of that data * to the program. */ @@ -345,7 +264,7 @@ index e92f9e2..3cad041 100644 data = buffer_ptr(&stdin_buffer); dlen = buffer_len(&stdin_buffer); len = write(fdin, data, dlen); -@@ -590,7 +590,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg) +@@ -590,7 +590,7 @@ server_loop(pid_t pid, int fdin_arg, int set_nonblock(fdin); set_nonblock(fdout); /* we don't have stderr for interactive terminal sessions, see below */ @@ -354,7 +273,7 @@ index e92f9e2..3cad041 100644 set_nonblock(fderr); if (!(datafellows & SSH_BUG_IGNOREMSG) && isatty(fdin)) -@@ -614,7 +614,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg) +@@ -614,7 +614,7 @@ server_loop(pid_t pid, int fdin_arg, int max_fd = MAX(connection_in, connection_out); max_fd = MAX(max_fd, fdin); max_fd = MAX(max_fd, fdout); @@ -363,7 +282,7 @@ index e92f9e2..3cad041 100644 max_fd = MAX(max_fd, fderr); #endif -@@ -644,7 +644,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg) +@@ -644,7 +644,7 @@ server_loop(pid_t pid, int fdin_arg, int * If we have received eof, and there is no more pending * input data, cause a real eof by closing fdin. */ @@ -372,7 +291,7 @@ index e92f9e2..3cad041 100644 if (fdin != fdout) close(fdin); else -@@ -740,15 +740,15 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg) +@@ -740,15 +740,15 @@ server_loop(pid_t pid, int fdin_arg, int buffer_free(&stderr_buffer); /* Close the file descriptors. */ @@ -391,16 +310,16 @@ index e92f9e2..3cad041 100644 close(fdin); fdin = -1; -@@ -947,7 +947,7 @@ server_input_window_size(int type, u_int32_t seq, void *ctxt) +@@ -950,7 +950,7 @@ server_input_window_size(int type, u_int debug("Window change received."); packet_check_eom(); - if (fdin != -1) + if (fdin >= 0) pty_change_window_size(fdin, row, col, xpixel, ypixel); + return 0; } - -@@ -1039,7 +1039,7 @@ server_request_tun(void) +@@ -1043,7 +1043,7 @@ server_request_tun(void) } tun = packet_get_int(); @@ -409,361 +328,10 @@ index e92f9e2..3cad041 100644 if (tun != SSH_TUNID_ANY && forced_tun_device != tun) goto done; tun = forced_tun_device; -diff --git a/sftp-client.c b/sftp-client.c -index 990b58d..3d0f22b 100644 ---- a/sftp-client.c -+++ b/sftp-client.c -@@ -151,7 +151,7 @@ get_msg(struct sftp_conn *conn, Buffer *m) - } - - static void --send_string_request(struct sftp_conn *conn, u_int id, u_int code, char *s, -+send_string_request(struct sftp_conn *conn, u_int id, u_int code, const char *s, - u_int len) - { - Buffer msg; -@@ -167,7 +167,7 @@ send_string_request(struct sftp_conn *conn, u_int id, u_int code, char *s, - - static void - send_string_attrs_request(struct sftp_conn *conn, u_int id, u_int code, -- char *s, u_int len, Attrib *a) -+ const char *s, u_int len, Attrib *a) - { - Buffer msg; - -@@ -429,7 +429,7 @@ sftp_proto_version(struct sftp_conn *conn) - } - - int --do_close(struct sftp_conn *conn, char *handle, u_int handle_len) -+do_close(struct sftp_conn *conn, const char *handle, u_int handle_len) - { - u_int id, status; - Buffer msg; -@@ -454,7 +454,7 @@ do_close(struct sftp_conn *conn, char *handle, u_int handle_len) - - - static int --do_lsreaddir(struct sftp_conn *conn, char *path, int print_flag, -+do_lsreaddir(struct sftp_conn *conn, const char *path, int print_flag, - SFTP_DIRENT ***dir) - { - Buffer msg; -@@ -577,7 +577,7 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int print_flag, - } - - int --do_readdir(struct sftp_conn *conn, char *path, SFTP_DIRENT ***dir) -+do_readdir(struct sftp_conn *conn, const char *path, SFTP_DIRENT ***dir) - { - return(do_lsreaddir(conn, path, 0, dir)); - } -@@ -597,7 +597,7 @@ void free_sftp_dirents(SFTP_DIRENT **s) - } - - int --do_rm(struct sftp_conn *conn, char *path) -+do_rm(struct sftp_conn *conn, const char *path) - { - u_int status, id; - -@@ -612,7 +612,7 @@ do_rm(struct sftp_conn *conn, char *path) - } - - int --do_mkdir(struct sftp_conn *conn, char *path, Attrib *a, int print_flag) -+do_mkdir(struct sftp_conn *conn, const char *path, Attrib *a, int print_flag) - { - u_int status, id; - -@@ -628,7 +628,7 @@ do_mkdir(struct sftp_conn *conn, char *path, Attrib *a, int print_flag) - } - - int --do_rmdir(struct sftp_conn *conn, char *path) -+do_rmdir(struct sftp_conn *conn, const char *path) - { - u_int status, id; - -@@ -644,7 +644,7 @@ do_rmdir(struct sftp_conn *conn, char *path) - } - - Attrib * --do_stat(struct sftp_conn *conn, char *path, int quiet) -+do_stat(struct sftp_conn *conn, const char *path, int quiet) - { - u_int id; - -@@ -658,7 +658,7 @@ do_stat(struct sftp_conn *conn, char *path, int quiet) - } - - Attrib * --do_lstat(struct sftp_conn *conn, char *path, int quiet) -+do_lstat(struct sftp_conn *conn, const char *path, int quiet) - { - u_int id; - -@@ -679,7 +679,7 @@ do_lstat(struct sftp_conn *conn, char *path, int quiet) - - #ifdef notyet - Attrib * --do_fstat(struct sftp_conn *conn, char *handle, u_int handle_len, int quiet) -+do_fstat(struct sftp_conn *conn, const char *handle, u_int handle_len, int quiet) - { - u_int id; - -@@ -692,7 +692,7 @@ do_fstat(struct sftp_conn *conn, char *handle, u_int handle_len, int quiet) - #endif - - int --do_setstat(struct sftp_conn *conn, char *path, Attrib *a) -+do_setstat(struct sftp_conn *conn, const char *path, Attrib *a) - { - u_int status, id; - -@@ -709,7 +709,7 @@ do_setstat(struct sftp_conn *conn, char *path, Attrib *a) - } - - int --do_fsetstat(struct sftp_conn *conn, char *handle, u_int handle_len, -+do_fsetstat(struct sftp_conn *conn, const char *handle, u_int handle_len, - Attrib *a) - { - u_int status, id; -@@ -726,7 +726,7 @@ do_fsetstat(struct sftp_conn *conn, char *handle, u_int handle_len, - } - - char * --do_realpath(struct sftp_conn *conn, char *path) -+do_realpath(struct sftp_conn *conn, const char *path) - { - Buffer msg; - u_int type, expected_id, count, id; -@@ -775,7 +775,7 @@ do_realpath(struct sftp_conn *conn, char *path) - } - - int --do_rename(struct sftp_conn *conn, char *oldpath, char *newpath, -+do_rename(struct sftp_conn *conn, const char *oldpath, const char *newpath, - int force_legacy) - { - Buffer msg; -@@ -811,7 +811,7 @@ do_rename(struct sftp_conn *conn, char *oldpath, char *newpath, - } - - int --do_hardlink(struct sftp_conn *conn, char *oldpath, char *newpath) -+do_hardlink(struct sftp_conn *conn, const char *oldpath, const char *newpath) - { - Buffer msg; - u_int status, id; -@@ -844,7 +844,7 @@ do_hardlink(struct sftp_conn *conn, char *oldpath, char *newpath) - } - - int --do_symlink(struct sftp_conn *conn, char *oldpath, char *newpath) -+do_symlink(struct sftp_conn *conn, const char *oldpath, const char *newpath) - { - Buffer msg; - u_int status, id; -@@ -876,7 +876,7 @@ do_symlink(struct sftp_conn *conn, char *oldpath, char *newpath) - } - - int --do_fsync(struct sftp_conn *conn, char *handle, u_int handle_len) -+do_fsync(struct sftp_conn *conn, const char *handle, u_int handle_len) - { - Buffer msg; - u_int status, id; -@@ -907,7 +907,7 @@ do_fsync(struct sftp_conn *conn, char *handle, u_int handle_len) - - #ifdef notyet - char * --do_readlink(struct sftp_conn *conn, char *path) -+do_readlink(struct sftp_conn *conn, const char *path) - { - Buffer msg; - u_int type, expected_id, count, id; -@@ -1010,7 +1010,7 @@ do_fstatvfs(struct sftp_conn *conn, const char *handle, u_int handle_len, - - static void - send_read_request(struct sftp_conn *conn, u_int id, u_int64_t offset, -- u_int len, char *handle, u_int handle_len) -+ u_int len, const char *handle, u_int handle_len) - { - Buffer msg; - -@@ -1026,7 +1026,7 @@ send_read_request(struct sftp_conn *conn, u_int id, u_int64_t offset, - } - - int --do_download(struct sftp_conn *conn, char *remote_path, char *local_path, -+do_download(struct sftp_conn *conn, const char *remote_path, const char *local_path, - Attrib *a, int preserve_flag, int resume_flag, int fsync_flag) - { - Attrib junk; -@@ -1308,7 +1308,7 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, - } - - static int --download_dir_internal(struct sftp_conn *conn, char *src, char *dst, int depth, -+download_dir_internal(struct sftp_conn *conn, const char *src, const char *dst, int depth, - Attrib *dirattrib, int preserve_flag, int print_flag, int resume_flag, - int fsync_flag) - { -@@ -1400,7 +1400,7 @@ download_dir_internal(struct sftp_conn *conn, char *src, char *dst, int depth, - } - - int --download_dir(struct sftp_conn *conn, char *src, char *dst, -+download_dir(struct sftp_conn *conn, const char *src, const char *dst, - Attrib *dirattrib, int preserve_flag, int print_flag, - int resume_flag, int fsync_flag) - { -@@ -1419,7 +1419,7 @@ download_dir(struct sftp_conn *conn, char *src, char *dst, - } - - int --do_upload(struct sftp_conn *conn, char *local_path, char *remote_path, -+do_upload(struct sftp_conn *conn, const char *local_path, const char *remote_path, - int preserve_flag, int resume, int fsync_flag) - { - int local_fd; -@@ -1628,7 +1628,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path, - } - - static int --upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, int depth, -+upload_dir_internal(struct sftp_conn *conn, const char *src, const char *dst, int depth, - int preserve_flag, int print_flag, int resume, int fsync_flag) - { - int ret = 0, status; -@@ -1721,7 +1721,7 @@ upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, int depth, - } - - int --upload_dir(struct sftp_conn *conn, char *src, char *dst, int preserve_flag, -+upload_dir(struct sftp_conn *conn, const char *src, const char *dst, int preserve_flag, - int print_flag, int resume, int fsync_flag) - { - char *dst_canon; -@@ -1740,7 +1740,7 @@ upload_dir(struct sftp_conn *conn, char *src, char *dst, int preserve_flag, - } - - char * --path_append(char *p1, char *p2) -+path_append(const char *p1, const char *p2) - { - char *ret; - size_t len = strlen(p1) + strlen(p2) + 2; -diff --git a/sftp-client.h b/sftp-client.h -index 967840b..ffbcade 100644 ---- a/sftp-client.h -+++ b/sftp-client.h -@@ -56,79 +56,79 @@ struct sftp_conn *do_init(int, int, u_int, u_int, u_int64_t); - u_int sftp_proto_version(struct sftp_conn *); - - /* Close file referred to by 'handle' */ --int do_close(struct sftp_conn *, char *, u_int); -+int do_close(struct sftp_conn *, const char *, u_int); - - /* Read contents of 'path' to NULL-terminated array 'dir' */ --int do_readdir(struct sftp_conn *, char *, SFTP_DIRENT ***); -+int do_readdir(struct sftp_conn *, const char *, SFTP_DIRENT ***); - - /* Frees a NULL-terminated array of SFTP_DIRENTs (eg. from do_readdir) */ - void free_sftp_dirents(SFTP_DIRENT **); - - /* Delete file 'path' */ --int do_rm(struct sftp_conn *, char *); -+int do_rm(struct sftp_conn *, const char *); - - /* Create directory 'path' */ --int do_mkdir(struct sftp_conn *, char *, Attrib *, int); -+int do_mkdir(struct sftp_conn *, const char *, Attrib *, int); - - /* Remove directory 'path' */ --int do_rmdir(struct sftp_conn *, char *); -+int do_rmdir(struct sftp_conn *, const char *); - - /* Get file attributes of 'path' (follows symlinks) */ --Attrib *do_stat(struct sftp_conn *, char *, int); -+Attrib *do_stat(struct sftp_conn *, const char *, int); - - /* Get file attributes of 'path' (does not follow symlinks) */ --Attrib *do_lstat(struct sftp_conn *, char *, int); -+Attrib *do_lstat(struct sftp_conn *, const char *, int); - - /* Set file attributes of 'path' */ --int do_setstat(struct sftp_conn *, char *, Attrib *); -+int do_setstat(struct sftp_conn *, const char *, Attrib *); - - /* Set file attributes of open file 'handle' */ --int do_fsetstat(struct sftp_conn *, char *, u_int, Attrib *); -+int do_fsetstat(struct sftp_conn *, const char *, u_int, Attrib *); - - /* Canonicalise 'path' - caller must free result */ --char *do_realpath(struct sftp_conn *, char *); -+char *do_realpath(struct sftp_conn *, const char *); - - /* Get statistics for filesystem hosting file at "path" */ - int do_statvfs(struct sftp_conn *, const char *, struct sftp_statvfs *, int); - - /* Rename 'oldpath' to 'newpath' */ --int do_rename(struct sftp_conn *, char *, char *m, int force_legacy); -+int do_rename(struct sftp_conn *, const char *, const char *m, int force_legacy); - - /* Link 'oldpath' to 'newpath' */ --int do_hardlink(struct sftp_conn *, char *, char *); -+int do_hardlink(struct sftp_conn *, const char *, const char *); - - /* Rename 'oldpath' to 'newpath' */ --int do_symlink(struct sftp_conn *, char *, char *); -+int do_symlink(struct sftp_conn *, const char *, const char *); - - /* Call fsync() on open file 'handle' */ --int do_fsync(struct sftp_conn *conn, char *, u_int); -+int do_fsync(struct sftp_conn *conn, const char *, u_int); - - /* - * Download 'remote_path' to 'local_path'. Preserve permissions and times - * if 'pflag' is set - */ --int do_download(struct sftp_conn *, char *, char *, Attrib *, int, int, int); -+int do_download(struct sftp_conn *, const char *, const char *, Attrib *, int, int, int); - - /* - * Recursively download 'remote_directory' to 'local_directory'. Preserve - * times if 'pflag' is set - */ --int download_dir(struct sftp_conn *, char *, char *, Attrib *, int, -+int download_dir(struct sftp_conn *, const char *, const char *, Attrib *, int, - int, int, int); - - /* - * Upload 'local_path' to 'remote_path'. Preserve permissions and times - * if 'pflag' is set - */ --int do_upload(struct sftp_conn *, char *, char *, int, int, int); -+int do_upload(struct sftp_conn *, const char *, const char *, int, int, int); - - /* - * Recursively upload 'local_directory' to 'remote_directory'. Preserve - * times if 'pflag' is set - */ --int upload_dir(struct sftp_conn *, char *, char *, int, int, int, int); -+int upload_dir(struct sftp_conn *, const char *, const char *, int, int, int, int); - - /* Concatenate paths, taking care of slashes. Caller must free result. */ --char *path_append(char *, char *); -+char *path_append(const char *, const char *); - - #endif -diff --git a/sftp.c b/sftp.c -index ff4d63d..4439100 100644 ---- a/sftp.c -+++ b/sftp.c -@@ -220,7 +220,7 @@ killchild(int signo) +diff -up openssh-6.8p1/sftp.c.coverity openssh-6.8p1/sftp.c +--- openssh-6.8p1/sftp.c.coverity 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/sftp.c 2015-03-18 17:21:58.283251456 +0100 +@@ -223,7 +223,7 @@ killchild(int signo) { if (sshpid > 1) { kill(sshpid, SIGTERM); @@ -772,7 +340,7 @@ index ff4d63d..4439100 100644 } _exit(1); -@@ -332,7 +332,7 @@ local_do_ls(const char *args) +@@ -335,7 +335,7 @@ local_do_ls(const char *args) /* Strip one path (usually the pwd) from the start of another */ static char * @@ -781,7 +349,7 @@ index ff4d63d..4439100 100644 { size_t len; -@@ -350,7 +350,7 @@ path_strip(char *path, char *strip) +@@ -353,7 +353,7 @@ path_strip(char *path, char *strip) } static char * @@ -790,7 +358,7 @@ index ff4d63d..4439100 100644 { char *abs_str; -@@ -548,7 +548,7 @@ parse_no_flags(const char *cmd, char **argv, int argc) +@@ -551,7 +551,7 @@ parse_no_flags(const char *cmd, char **a } static int @@ -799,7 +367,7 @@ index ff4d63d..4439100 100644 { struct stat sb; -@@ -560,7 +560,7 @@ is_dir(char *path) +@@ -563,7 +563,7 @@ is_dir(char *path) } static int @@ -808,7 +376,7 @@ index ff4d63d..4439100 100644 { Attrib *a; -@@ -574,7 +574,7 @@ remote_is_dir(struct sftp_conn *conn, char *path) +@@ -577,7 +577,7 @@ remote_is_dir(struct sftp_conn *conn, ch /* Check whether path returned from glob(..., GLOB_MARK, ...) is a directory */ static int @@ -817,7 +385,7 @@ index ff4d63d..4439100 100644 { size_t l = strlen(pathname); -@@ -582,7 +582,7 @@ pathname_is_dir(char *pathname) +@@ -585,7 +585,7 @@ pathname_is_dir(char *pathname) } static int @@ -826,7 +394,7 @@ index ff4d63d..4439100 100644 int pflag, int rflag, int resume, int fflag) { char *abs_src = NULL; -@@ -666,7 +666,7 @@ out: +@@ -669,7 +669,7 @@ out: } static int @@ -835,7 +403,7 @@ index ff4d63d..4439100 100644 int pflag, int rflag, int resume, int fflag) { char *tmp_dst = NULL; -@@ -776,7 +776,7 @@ sdirent_comp(const void *aa, const void *bb) +@@ -779,7 +779,7 @@ sdirent_comp(const void *aa, const void /* sftp ls.1 replacement for directories */ static int @@ -844,7 +412,7 @@ index ff4d63d..4439100 100644 { int n; u_int c = 1, colspace = 0, columns = 1; -@@ -861,7 +861,7 @@ do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag) +@@ -864,7 +864,7 @@ do_ls_dir(struct sftp_conn *conn, char * /* sftp ls.1 replacement which handles path globs */ static int @@ -853,7 +421,7 @@ index ff4d63d..4439100 100644 int lflag) { char *fname, *lname; -@@ -946,7 +946,7 @@ do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path, +@@ -949,7 +949,7 @@ do_globbed_ls(struct sftp_conn *conn, ch } static int @@ -862,11 +430,10 @@ index ff4d63d..4439100 100644 { struct sftp_statvfs st; char s_used[FMT_SCALED_STRSIZE]; -diff --git a/ssh-agent.c b/ssh-agent.c -index c8036c8..4da3bb6 100644 ---- a/ssh-agent.c -+++ b/ssh-agent.c -@@ -1056,8 +1056,8 @@ main(int ac, char **av) +diff -up openssh-6.8p1/ssh-agent.c.coverity openssh-6.8p1/ssh-agent.c +--- openssh-6.8p1/ssh-agent.c.coverity 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/ssh-agent.c 2015-03-18 17:21:58.284251454 +0100 +@@ -1166,8 +1166,8 @@ main(int ac, char **av) sanitise_stdfd(); /* drop */ @@ -877,29 +444,10 @@ index c8036c8..4da3bb6 100644 #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) /* Disable ptrace on Linux without sgid bit */ -diff --git a/ssh-keygen.c b/ssh-keygen.c -index 64fa217..635e8fd 100644 ---- a/ssh-keygen.c -+++ b/ssh-keygen.c -@@ -687,11 +687,11 @@ do_convert_from(struct passwd *pw) - fatal("%s: unknown key format %d", __func__, convert_format); - } - -- if (!private) -+ if (!private) { - ok = key_write(k, stdout); - if (ok) - fprintf(stdout, "\n"); -- else { -+ } else { - switch (k->type) { - case KEY_DSA: - ok = PEM_write_DSAPrivateKey(stdout, k->dsa, NULL, -diff --git a/sshd.c b/sshd.c -index 783abe3..eaade2a 100644 ---- a/sshd.c -+++ b/sshd.c -@@ -771,8 +771,10 @@ privsep_preauth(Authctxt *authctxt) +diff -up openssh-6.8p1/sshd.c.coverity openssh-6.8p1/sshd.c +--- openssh-6.8p1/sshd.c.coverity 2015-03-18 17:21:51.893264839 +0100 ++++ openssh-6.8p1/sshd.c 2015-03-18 17:21:58.284251454 +0100 +@@ -778,8 +778,10 @@ privsep_preauth(Authctxt *authctxt) if (getuid() == 0 || geteuid() == 0) privsep_preauth_child(); setproctitle("%s", "[net]"); @@ -911,7 +459,7 @@ index 783abe3..eaade2a 100644 return 0; } -@@ -1458,6 +1460,9 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) +@@ -1518,6 +1520,9 @@ server_accept_loop(int *sock_in, int *so if (num_listen_socks < 0) break; } @@ -921,15 +469,14 @@ index 783abe3..eaade2a 100644 } -diff --git a/sshkey.c b/sshkey.c -index 5e3d97f..dae8270 100644 ---- a/sshkey.c -+++ b/sshkey.c -@@ -54,6 +54,7 @@ +diff -up openssh-6.8p1/sshkey.c.coverity openssh-6.8p1/sshkey.c +--- openssh-6.8p1/sshkey.c.coverity 2015-03-18 17:21:58.285251452 +0100 ++++ openssh-6.8p1/sshkey.c 2015-03-18 17:45:32.232705363 +0100 +@@ -58,6 +58,7 @@ #include "digest.h" #define SSHKEY_INTERNAL #include "sshkey.h" +#include "log.h" + #include "match.h" /* openssh private key file format */ - #define MARK_BEGIN "-----BEGIN OPENSSH PRIVATE KEY-----\n" diff --git a/openssh-6.7p1-debian-restore-tcp-wrappers.patch b/openssh-6.7p1-debian-restore-tcp-wrappers.patch index a5ee347..63d62a0 100644 --- a/openssh-6.7p1-debian-restore-tcp-wrappers.patch +++ b/openssh-6.7p1-debian-restore-tcp-wrappers.patch @@ -1,7 +1,7 @@ -diff -up openssh-6.7p1/configure.ac.tcp_wrappers openssh-6.7p1/configure.ac ---- openssh-6.7p1/configure.ac.tcp_wrappers 2015-01-20 16:58:39.829111746 +0100 -+++ openssh-6.7p1/configure.ac 2015-01-20 16:58:39.870111159 +0100 -@@ -1404,6 +1404,62 @@ AC_ARG_WITH([skey], +diff -up openssh-6.8p1/configure.ac.tcp_wrappers openssh-6.8p1/configure.ac +--- openssh-6.8p1/configure.ac.tcp_wrappers 2015-03-18 13:05:57.365071779 +0100 ++++ openssh-6.8p1/configure.ac 2015-03-18 13:05:57.408071673 +0100 +@@ -1440,6 +1440,62 @@ AC_ARG_WITH([skey], ] ) @@ -64,7 +64,7 @@ diff -up openssh-6.7p1/configure.ac.tcp_wrappers openssh-6.7p1/configure.ac # Check whether user wants to use ldns LDNS_MSG="no" AC_ARG_WITH(ldns, -@@ -4959,6 +5015,7 @@ echo " KerberosV support +@@ -5026,6 +5082,7 @@ echo " KerberosV support echo " SELinux support: $SELINUX_MSG" echo " Smartcard support: $SCARD_MSG" echo " S/KEY support: $SKEY_MSG" @@ -72,9 +72,9 @@ diff -up openssh-6.7p1/configure.ac.tcp_wrappers openssh-6.7p1/configure.ac echo " MD5 password support: $MD5_MSG" echo " libedit support: $LIBEDIT_MSG" echo " Solaris process contract support: $SPC_MSG" -diff -up openssh-6.7p1/sshd.8.tcp_wrappers openssh-6.7p1/sshd.8 ---- openssh-6.7p1/sshd.8.tcp_wrappers 2015-01-20 16:58:39.838111617 +0100 -+++ openssh-6.7p1/sshd.8 2015-01-20 16:58:39.871111145 +0100 +diff -up openssh-6.8p1/sshd.8.tcp_wrappers openssh-6.8p1/sshd.8 +--- openssh-6.8p1/sshd.8.tcp_wrappers 2015-03-18 13:05:57.377071749 +0100 ++++ openssh-6.8p1/sshd.8 2015-03-18 13:05:57.408071673 +0100 @@ -858,6 +858,12 @@ the user's home directory becomes access This file should be writable only by the user, and need not be readable by anyone else. @@ -96,12 +96,12 @@ diff -up openssh-6.7p1/sshd.8.tcp_wrappers openssh-6.7p1/sshd.8 .Xr login.conf 5 , .Xr moduli 5 , .Xr sshd_config 5 , -diff -up openssh-6.7p1/sshd.c.tcp_wrappers openssh-6.7p1/sshd.c ---- openssh-6.7p1/sshd.c.tcp_wrappers 2015-01-20 16:58:39.863111259 +0100 -+++ openssh-6.7p1/sshd.c 2015-01-20 16:59:12.992636776 +0100 -@@ -123,6 +123,13 @@ - #include "ssh-sandbox.h" +diff -up openssh-6.8p1/sshd.c.tcp_wrappers openssh-6.8p1/sshd.c +--- openssh-6.8p1/sshd.c.tcp_wrappers 2015-03-18 13:05:57.402071688 +0100 ++++ openssh-6.8p1/sshd.c 2015-03-18 13:06:48.199947136 +0100 +@@ -125,6 +125,13 @@ #include "version.h" + #include "ssherr.h" +#ifdef LIBWRAP +#include @@ -113,7 +113,7 @@ diff -up openssh-6.7p1/sshd.c.tcp_wrappers openssh-6.7p1/sshd.c #ifndef O_NOCTTY #define O_NOCTTY 0 #endif -@@ -2078,6 +2085,24 @@ main(int ac, char **av) +@@ -2150,6 +2157,24 @@ main(int ac, char **av) #ifdef SSH_AUDIT_EVENTS audit_connection_from(remote_ip, remote_port); #endif diff --git a/openssh-6.7p1-fingerprint.patch b/openssh-6.7p1-fingerprint.patch deleted file mode 100644 index d29fc9b..0000000 --- a/openssh-6.7p1-fingerprint.patch +++ /dev/null @@ -1,1596 +0,0 @@ -diff --git a/auth-rsa.c b/auth-rsa.c -index e9f4ede..ff7a132 100644 ---- a/auth-rsa.c -+++ b/auth-rsa.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: auth-rsa.c,v 1.88 2014/07/15 15:54:14 millert Exp $ */ -+/* $OpenBSD: auth-rsa.c,v 1.89 2014/12/21 22:27:56 djm Exp $ */ - /* - * Author: Tatu Ylonen - * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland -@@ -236,7 +236,8 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file, - "actual %d vs. announced %d.", - file, linenum, BN_num_bits(key->rsa->n), bits); - -- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); -+ fp = key_fingerprint(key, options.fingerprint_hash, -+ SSH_FP_DEFAULT); - debug("matching key found: file %s, line %lu %s %s", - file, linenum, key_type(key), fp); - free(fp); -diff --git a/auth.c b/auth.c -index 5e60682..5a9acd3 100644 ---- a/auth.c -+++ b/auth.c -@@ -702,7 +702,7 @@ auth_key_is_revoked(Key *key) - case 1: - revoked: - /* Key revoked */ -- key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); -+ key_fp = key_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT); - error("WARNING: authentication attempt with a revoked " - "%s key %s ", key_type(key), key_fp); - free(key_fp); -diff --git a/auth2-hostbased.c b/auth2-hostbased.c -index 6787e4c..b7ae353 100644 ---- a/auth2-hostbased.c -+++ b/auth2-hostbased.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: auth2-hostbased.c,v 1.18 2014/07/15 15:54:14 millert Exp $ */ -+/* $OpenBSD: auth2-hostbased.c,v 1.19 2014/12/21 22:27:56 djm Exp $ */ - /* - * Copyright (c) 2000 Markus Friedl. All rights reserved. - * -@@ -208,13 +208,14 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, - if (host_status == HOST_OK) { - if (key_is_cert(key)) { - fp = key_fingerprint(key->cert->signature_key, -- SSH_FP_MD5, SSH_FP_HEX); -+ options.fingerprint_hash, SSH_FP_DEFAULT); - verbose("Accepted certificate ID \"%s\" signed by " - "%s CA %s from %s@%s", key->cert->key_id, - key_type(key->cert->signature_key), fp, - cuser, lookup); - } else { -- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); -+ fp = key_fingerprint(key, options.fingerprint_hash, -+ SSH_FP_DEFAULT); - verbose("Accepted %s public key %s from %s@%s", - key_type(key), fp, cuser, lookup); - } -diff --git a/auth2-pubkey.c b/auth2-pubkey.c -index f3ca965..3f4f789 100644 ---- a/auth2-pubkey.c -+++ b/auth2-pubkey.c -@@ -213,7 +213,7 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...) - - if (key_is_cert(key)) { - fp = key_fingerprint(key->cert->signature_key, -- SSH_FP_MD5, SSH_FP_HEX); -+ options.fingerprint_hash, SSH_FP_DEFAULT); - auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s", - key_type(key), key->cert->key_id, - (unsigned long long)key->cert->serial, -@@ -221,7 +221,8 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...) - extra == NULL ? "" : ", ", extra == NULL ? "" : extra); - free(fp); - } else { -- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); -+ fp = key_fingerprint(key, options.fingerprint_hash, -+ SSH_FP_DEFAULT); - auth_info(authctxt, "%s %s%s%s", key_type(key), fp, - extra == NULL ? "" : ", ", extra == NULL ? "" : extra); - free(fp); -@@ -365,8 +366,8 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) - continue; - if (!key_is_cert_authority) - continue; -- fp = key_fingerprint(found, SSH_FP_MD5, -- SSH_FP_HEX); -+ fp = key_fingerprint(found, options.fingerprint_hash, -+ SSH_FP_DEFAULT); - debug("matching CA found: file %s, line %lu, %s %s", - file, linenum, key_type(found), fp); - /* -@@ -406,7 +407,8 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw) - if (key_is_cert_authority) - continue; - found_key = 1; -- fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); -+ fp = key_fingerprint(found, options.fingerprint_hash, -+ SSH_FP_DEFAULT); - debug("matching key found: file %s, line %lu %s %s", - file, linenum, key_type(found), fp); - free(fp); -@@ -432,7 +434,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) - return 0; - - ca_fp = key_fingerprint(key->cert->signature_key, -- SSH_FP_MD5, SSH_FP_HEX); -+ options.fingerprint_hash, SSH_FP_DEFAULT); - - if (key_in_file(key->cert->signature_key, - options.trusted_user_ca_keys, 1) != 1) { -diff --git a/digest-libc.c b/digest-libc.c -index 1b4423a..169ded0 100644 ---- a/digest-libc.c -+++ b/digest-libc.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: digest-libc.c,v 1.3 2014/06/24 01:13:21 djm Exp $ */ -+/* $OpenBSD: digest-libc.c,v 1.4 2014/12/21 22:27:56 djm Exp $ */ - /* - * Copyright (c) 2013 Damien Miller - * Copyright (c) 2014 Markus Friedl. All rights reserved. -@@ -126,6 +126,26 @@ ssh_digest_by_alg(int alg) - return &(digests[alg]); - } - -+int -+ssh_digest_alg_by_name(const char *name) -+{ -+ int alg; -+ -+ for (alg = 0; alg < SSH_DIGEST_MAX; alg++) { -+ if (strcasecmp(name, digests[alg].name) == 0) -+ return digests[alg].id; -+ } -+ return -1; -+} -+ -+const char * -+ssh_digest_alg_name(int alg) -+{ -+ const struct ssh_digest *digest = ssh_digest_by_alg(alg); -+ -+ return digest == NULL ? NULL : digest->name; -+} -+ - size_t - ssh_digest_bytes(int alg) - { -diff --git a/digest-openssl.c b/digest-openssl.c -index 02b1703..bb58ff2 100644 ---- a/digest-openssl.c -+++ b/digest-openssl.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: digest-openssl.c,v 1.4 2014/07/03 03:26:43 djm Exp $ */ -+/* $OpenBSD: digest-openssl.c,v 1.5 2014/12/21 22:27:56 djm Exp $ */ - /* - * Copyright (c) 2013 Damien Miller - * -@@ -74,6 +74,26 @@ ssh_digest_by_alg(int alg) - return &(digests[alg]); - } - -+int -+ssh_digest_alg_by_name(const char *name) -+{ -+ int alg; -+ -+ for (alg = 0; digests[alg].id != -1; alg++) { -+ if (strcasecmp(name, digests[alg].name) == 0) -+ return digests[alg].id; -+ } -+ return -1; -+} -+ -+const char * -+ssh_digest_alg_name(int alg) -+{ -+ const struct ssh_digest *digest = ssh_digest_by_alg(alg); -+ -+ return digest == NULL ? NULL : digest->name; -+} -+ - size_t - ssh_digest_bytes(int alg) - { -diff --git a/digest.h b/digest.h -index 6afb197..3fe0734 100644 ---- a/digest.h -+++ b/digest.h -@@ -1,4 +1,4 @@ --/* $OpenBSD: digest.h,v 1.6 2014/07/03 04:36:45 djm Exp $ */ -+/* $OpenBSD: digest.h,v 1.7 2014/12/21 22:27:56 djm Exp $ */ - /* - * Copyright (c) 2013 Damien Miller - * -@@ -33,6 +33,12 @@ - struct sshbuf; - struct ssh_digest_ctx; - -+/* Looks up a digest algorithm by name */ -+int ssh_digest_alg_by_name(const char *name); -+ -+/* Returns the algorithm name for a digest identifier */ -+const char *ssh_digest_alg_name(int alg); -+ - /* Returns the algorithm's digest length in bytes or 0 for invalid algorithm */ - size_t ssh_digest_bytes(int alg); - -diff --git a/dns.c b/dns.c -index c4d073c..4b8ae44 100644 ---- a/dns.c -+++ b/dns.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: dns.c,v 1.31 2014/06/24 01:13:21 djm Exp $ */ -+/* $OpenBSD: dns.c,v 1.32 2014/12/21 22:27:56 djm Exp $ */ - - /* - * Copyright (c) 2003 Wesley Griffin. All rights reserved. -@@ -41,6 +41,7 @@ - #include "key.h" - #include "dns.h" - #include "log.h" -+#include "digest.h" - - static const char *errset_text[] = { - "success", /* 0 ERRSET_SUCCESS */ -@@ -80,7 +81,7 @@ dns_read_key(u_int8_t *algorithm, u_int8_t *digest_type, - u_char **digest, u_int *digest_len, Key *key) - { - int success = 0; -- enum fp_type fp_type = 0; -+ int fp_alg = -1; - - switch (key->type) { - case KEY_RSA: -@@ -110,17 +111,17 @@ dns_read_key(u_int8_t *algorithm, u_int8_t *digest_type, - - switch (*digest_type) { - case SSHFP_HASH_SHA1: -- fp_type = SSH_FP_SHA1; -+ fp_alg = SSH_DIGEST_SHA1; - break; - case SSHFP_HASH_SHA256: -- fp_type = SSH_FP_SHA256; -+ fp_alg = SSH_DIGEST_SHA256; - break; - default: - *digest_type = SSHFP_HASH_RESERVED; /* 0 */ - } - - if (*algorithm && *digest_type) { -- *digest = key_fingerprint_raw(key, fp_type, digest_len); -+ *digest = key_fingerprint_raw(key, fp_alg, digest_len); - if (*digest == NULL) - fatal("dns_read_key: null from key_fingerprint_raw()"); - success = 1; -diff --git a/key.c b/key.c -index 2060761..780be1c 100644 ---- a/key.c -+++ b/key.c -@@ -40,8 +40,7 @@ key_new_private(int type) - } - - u_char* --key_fingerprint_raw(const Key *k, enum fp_type dgst_type, -- u_int *dgst_raw_length) -+key_fingerprint_raw(const Key *k, int dgst_alg, u_int *dgst_raw_length) - { - u_char *ret = NULL; - size_t dlen; -@@ -49,7 +48,7 @@ key_fingerprint_raw(const Key *k, enum fp_type dgst_type, - - if (dgst_raw_length != NULL) - *dgst_raw_length = 0; -- if ((r = sshkey_fingerprint_raw(k, dgst_type, &ret, &dlen)) != 0) -+ if ((r = sshkey_fingerprint_raw(k, dgst_alg, &ret, &dlen)) != 0) - fatal("%s: %s", __func__, ssh_err(r)); - if (dlen > INT_MAX) - fatal("%s: giant len %zu", __func__, dlen); -diff --git a/key.h b/key.h -index c6401a5..e1a3625 100644 ---- a/key.h -+++ b/key.h -@@ -67,7 +67,7 @@ void key_add_private(Key *); - Key *key_new_private(int); - void key_free(Key *); - Key *key_demote(const Key *); --u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *); -+u_char *key_fingerprint_raw(const Key *, int, u_int *); - int key_write(const Key *, FILE *); - int key_read(Key *, char **); - -diff --git a/krl.c b/krl.c -index eb31df9..4abed7e 100644 ---- a/krl.c -+++ b/krl.c -@@ -36,6 +36,7 @@ - #include "misc.h" - #include "log.h" - #include "xmalloc.h" -+#include "digest.h" - - #include "krl.h" - -@@ -406,7 +407,7 @@ ssh_krl_revoke_key_sha1(struct ssh_krl *krl, const Key *key) - u_int len; - - debug3("%s: revoke type %s by sha1", __func__, key_type(key)); -- if ((blob = key_fingerprint_raw(key, SSH_FP_SHA1, &len)) == NULL) -+ if ((blob = key_fingerprint_raw(key, SSH_DIGEST_SHA1, &len)) == NULL) - return -1; - return revoke_blob(&krl->revoked_sha1s, blob, len); - } -@@ -1119,7 +1120,7 @@ is_key_revoked(struct ssh_krl *krl, const Key *key) - - /* Check explicitly revoked hashes first */ - memset(&rb, 0, sizeof(rb)); -- if ((rb.blob = key_fingerprint_raw(key, SSH_FP_SHA1, &rb.len)) == NULL) -+ if ((rb.blob = key_fingerprint_raw(key, SSH_DIGEST_SHA1, &rb.len)) == NULL) - return -1; - erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb); - free(rb.blob); -diff --git a/readconf.c b/readconf.c -index 7948ce1..3f5c58b 100644 ---- a/readconf.c -+++ b/readconf.c -@@ -56,6 +56,7 @@ - #include "kex.h" - #include "mac.h" - #include "uidswap.h" -+#include "digest.h" - - /* Format of the configuration file: - -@@ -151,6 +152,7 @@ typedef enum { - oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, - oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, - oStreamLocalBindMask, oStreamLocalBindUnlink, -+ oFingerprintHash, - oIgnoredUnknownOption, oDeprecated, oUnsupported - } OpCodes; - -@@ -265,6 +267,7 @@ static struct { - { "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs }, - { "streamlocalbindmask", oStreamLocalBindMask }, - { "streamlocalbindunlink", oStreamLocalBindUnlink }, -+ { "fingerprinthash", oFingerprintHash }, - { "ignoreunknown", oIgnoreUnknown }, - - { NULL, oBadOption } -@@ -1433,6 +1436,18 @@ parse_int: - intptr = &options->fwd_opts.streamlocal_bind_unlink; - goto parse_flag; - -+ case oFingerprintHash: -+ arg = strdelim(&s); -+ if (!arg || *arg == '\0') -+ fatal("%.200s line %d: Missing argument.", -+ filename, linenum); -+ if ((value = ssh_digest_alg_by_name(arg)) == -1) -+ fatal("%.200s line %d: Invalid hash algorithm \"%s\".", -+ filename, linenum, arg); -+ if (*activep) -+ options->fingerprint_hash = value; -+ break; -+ - case oDeprecated: - debug("%s line %d: Deprecated option \"%s\"", - filename, linenum, keyword); -@@ -1609,6 +1624,7 @@ initialize_options(Options * options) - options->canonicalize_max_dots = -1; - options->canonicalize_fallback_local = -1; - options->canonicalize_hostname = -1; -+ options->fingerprint_hash = -1; - } - - /* -@@ -1786,6 +1802,9 @@ fill_default_options(Options * options) - options->canonicalize_fallback_local = 1; - if (options->canonicalize_hostname == -1) - options->canonicalize_hostname = SSH_CANONICALISE_NO; -+ if (options->fingerprint_hash == -1) -+ options->fingerprint_hash = SSH_FP_HASH_DEFAULT; -+ - #define CLEAR_ON_NONE(v) \ - do { \ - if (option_clear_or_none(v)) { \ -diff --git a/readconf.h b/readconf.h -index 0b9cb77..a028306 100644 ---- a/readconf.h -+++ b/readconf.h -@@ -144,6 +144,8 @@ typedef struct { - int num_permitted_cnames; - struct allowed_cname permitted_cnames[MAX_CANON_DOMAINS]; - -+ int fingerprint_hash; -+ - char *ignored_unknown; /* Pattern list of unknown tokens to ignore */ - } Options; - -diff --git a/regress/Makefile b/regress/Makefile -index 3feb7a9..2905a0d 100644 ---- a/regress/Makefile -+++ b/regress/Makefile -@@ -1,6 +1,6 @@ --# $OpenBSD: Makefile,v 1.70 2014/06/24 01:14:17 djm Exp $ -+# $OpenBSD: Makefile,v 1.71 2014/12/22 02:15:52 djm Exp $ - --REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t-exec -+REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t-exec - tests: $(REGRESS_TARGETS) - - # Interop tests are not run by default -@@ -119,7 +119,7 @@ t3: - ${TEST_SSH_SSHKEYGEN} -if $(OBJ)/t3.out | diff - ${.CURDIR}/rsa_openssh.pub - - t4: -- ${TEST_SSH_SSHKEYGEN} -lf ${.CURDIR}/rsa_openssh.pub |\ -+ ${TEST_SSH_SSHKEYGEN} -E md5 -lf ${.CURDIR}/rsa_openssh.pub |\ - awk '{print $$2}' | diff - ${.CURDIR}/t4.ok - - t5: -@@ -164,6 +164,10 @@ t10: $(OBJ)/t10.out - ${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t10.out > /dev/null - ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t10.out > /dev/null - -+t11: -+ ${TEST_SSH_SSHKEYGEN} -E sha256 -lf ${.CURDIR}/rsa_openssh.pub |\ -+ awk '{print $$2}' | diff - ${.CURDIR}/t11.ok -+ - t-exec: ${LTESTS:=.sh} - @if [ "x$?" = "x" ]; then exit 0; fi; \ - for TEST in ""$?; do \ -diff --git a/regress/t11.ok b/regress/t11.ok -new file mode 100644 -index 0000000..1925bb4 ---- /dev/null -+++ b/regress/t11.ok -@@ -0,0 +1 @@ -+SHA256:4w1rnrek3klTJOTVhwuCIFd5k+pq9Bfo5KTxxb8BqbY -diff --git a/regress/t4.ok b/regress/t4.ok -index 8c4942b..4631ea8 100644 ---- a/regress/t4.ok -+++ b/regress/t4.ok -@@ -1 +1 @@ --3b:dd:44:e9:49:18:84:95:f1:e7:33:6b:9d:93:b1:36 -+MD5:3b:dd:44:e9:49:18:84:95:f1:e7:33:6b:9d:93:b1:36 -diff --git a/regress/unittests/sshkey/test_file.c b/regress/unittests/sshkey/test_file.c -index 764f7fb..9c38a7c 100644 ---- a/regress/unittests/sshkey/test_file.c -+++ b/regress/unittests/sshkey/test_file.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: test_file.c,v 1.1 2014/06/24 01:14:18 djm Exp $ */ -+/* $OpenBSD: test_file.c,v 1.2 2014/12/22 02:15:52 djm Exp $ */ - /* - * Regress test for sshkey.h key management API - * -@@ -33,6 +33,7 @@ - #include "authfile.h" - #include "sshkey.h" - #include "sshbuf.h" -+#include "digest.h" - - #include "common.h" - -@@ -81,7 +82,7 @@ sshkey_file_tests(void) - - TEST_START("RSA1 key hex fingerprint"); - buf = load_text_file("rsa1_1.fp"); -- cp = sshkey_fingerprint(k1, SSH_FP_MD5, SSH_FP_HEX); -+ cp = sshkey_fingerprint(k1, SSH_DIGEST_MD5, SSH_FP_HEX); - ASSERT_PTR_NE(cp, NULL); - ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); - sshbuf_free(buf); -@@ -90,7 +91,7 @@ sshkey_file_tests(void) - - TEST_START("RSA1 key bubblebabble fingerprint"); - buf = load_text_file("rsa1_1.fp.bb"); -- cp = sshkey_fingerprint(k1, SSH_FP_SHA1, SSH_FP_BUBBLEBABBLE); -+ cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA1, SSH_FP_BUBBLEBABBLE); - ASSERT_PTR_NE(cp, NULL); - ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); - sshbuf_free(buf); -@@ -164,7 +165,7 @@ sshkey_file_tests(void) - - TEST_START("RSA key hex fingerprint"); - buf = load_text_file("rsa_1.fp"); -- cp = sshkey_fingerprint(k1, SSH_FP_MD5, SSH_FP_HEX); -+ cp = sshkey_fingerprint(k1, SSH_DIGEST_MD5, SSH_FP_HEX); - ASSERT_PTR_NE(cp, NULL); - ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); - sshbuf_free(buf); -@@ -173,7 +174,7 @@ sshkey_file_tests(void) - - TEST_START("RSA cert hex fingerprint"); - buf = load_text_file("rsa_1-cert.fp"); -- cp = sshkey_fingerprint(k2, SSH_FP_MD5, SSH_FP_HEX); -+ cp = sshkey_fingerprint(k2, SSH_DIGEST_MD5, SSH_FP_HEX); - ASSERT_PTR_NE(cp, NULL); - ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); - sshbuf_free(buf); -@@ -183,7 +184,7 @@ sshkey_file_tests(void) - - TEST_START("RSA key bubblebabble fingerprint"); - buf = load_text_file("rsa_1.fp.bb"); -- cp = sshkey_fingerprint(k1, SSH_FP_SHA1, SSH_FP_BUBBLEBABBLE); -+ cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA1, SSH_FP_BUBBLEBABBLE); - ASSERT_PTR_NE(cp, NULL); - ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); - sshbuf_free(buf); -@@ -257,7 +258,7 @@ sshkey_file_tests(void) - - TEST_START("DSA key hex fingerprint"); - buf = load_text_file("dsa_1.fp"); -- cp = sshkey_fingerprint(k1, SSH_FP_MD5, SSH_FP_HEX); -+ cp = sshkey_fingerprint(k1, SSH_DIGEST_MD5, SSH_FP_HEX); - ASSERT_PTR_NE(cp, NULL); - ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); - sshbuf_free(buf); -@@ -266,7 +267,7 @@ sshkey_file_tests(void) - - TEST_START("DSA cert hex fingerprint"); - buf = load_text_file("dsa_1-cert.fp"); -- cp = sshkey_fingerprint(k2, SSH_FP_MD5, SSH_FP_HEX); -+ cp = sshkey_fingerprint(k2, SSH_DIGEST_MD5, SSH_FP_HEX); - ASSERT_PTR_NE(cp, NULL); - ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); - sshbuf_free(buf); -@@ -276,7 +277,7 @@ sshkey_file_tests(void) - - TEST_START("DSA key bubblebabble fingerprint"); - buf = load_text_file("dsa_1.fp.bb"); -- cp = sshkey_fingerprint(k1, SSH_FP_SHA1, SSH_FP_BUBBLEBABBLE); -+ cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA1, SSH_FP_BUBBLEBABBLE); - ASSERT_PTR_NE(cp, NULL); - ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); - sshbuf_free(buf); -@@ -357,7 +358,7 @@ sshkey_file_tests(void) - - TEST_START("ECDSA key hex fingerprint"); - buf = load_text_file("ecdsa_1.fp"); -- cp = sshkey_fingerprint(k1, SSH_FP_MD5, SSH_FP_HEX); -+ cp = sshkey_fingerprint(k1, SSH_DIGEST_MD5, SSH_FP_HEX); - ASSERT_PTR_NE(cp, NULL); - ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); - sshbuf_free(buf); -@@ -366,7 +367,7 @@ sshkey_file_tests(void) - - TEST_START("ECDSA cert hex fingerprint"); - buf = load_text_file("ecdsa_1-cert.fp"); -- cp = sshkey_fingerprint(k2, SSH_FP_MD5, SSH_FP_HEX); -+ cp = sshkey_fingerprint(k2, SSH_DIGEST_MD5, SSH_FP_HEX); - ASSERT_PTR_NE(cp, NULL); - ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); - sshbuf_free(buf); -@@ -376,7 +377,7 @@ sshkey_file_tests(void) - - TEST_START("ECDSA key bubblebabble fingerprint"); - buf = load_text_file("ecdsa_1.fp.bb"); -- cp = sshkey_fingerprint(k1, SSH_FP_SHA1, SSH_FP_BUBBLEBABBLE); -+ cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA1, SSH_FP_BUBBLEBABBLE); - ASSERT_PTR_NE(cp, NULL); - ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); - sshbuf_free(buf); -@@ -424,7 +425,7 @@ sshkey_file_tests(void) - - TEST_START("Ed25519 key hex fingerprint"); - buf = load_text_file("ed25519_1.fp"); -- cp = sshkey_fingerprint(k1, SSH_FP_MD5, SSH_FP_HEX); -+ cp = sshkey_fingerprint(k1, SSH_DIGEST_MD5, SSH_FP_HEX); - ASSERT_PTR_NE(cp, NULL); - ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); - sshbuf_free(buf); -@@ -433,7 +434,7 @@ sshkey_file_tests(void) - - TEST_START("Ed25519 cert hex fingerprint"); - buf = load_text_file("ed25519_1-cert.fp"); -- cp = sshkey_fingerprint(k2, SSH_FP_MD5, SSH_FP_HEX); -+ cp = sshkey_fingerprint(k2, SSH_DIGEST_MD5, SSH_FP_HEX); - ASSERT_PTR_NE(cp, NULL); - ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); - sshbuf_free(buf); -@@ -443,7 +444,7 @@ sshkey_file_tests(void) - - TEST_START("Ed25519 key bubblebabble fingerprint"); - buf = load_text_file("ed25519_1.fp.bb"); -- cp = sshkey_fingerprint(k1, SSH_FP_SHA1, SSH_FP_BUBBLEBABBLE); -+ cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA1, SSH_FP_BUBBLEBABBLE); - ASSERT_PTR_NE(cp, NULL); - ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf)); - sshbuf_free(buf); -diff --git a/regress/unittests/sshkey/testdata/dsa_1-cert.fp b/regress/unittests/sshkey/testdata/dsa_1-cert.fp -index 56ee1f8..b26145b 100644 ---- a/regress/unittests/sshkey/testdata/dsa_1-cert.fp -+++ b/regress/unittests/sshkey/testdata/dsa_1-cert.fp -@@ -1 +1 @@ --5a:4a:41:8c:4e:fa:4c:52:19:f9:39:49:31:fb:fd:74 -+MD5:5a:4a:41:8c:4e:fa:4c:52:19:f9:39:49:31:fb:fd:74 -diff --git a/regress/unittests/sshkey/testdata/dsa_1.fp b/regress/unittests/sshkey/testdata/dsa_1.fp -index 56ee1f8..b26145b 100644 ---- a/regress/unittests/sshkey/testdata/dsa_1.fp -+++ b/regress/unittests/sshkey/testdata/dsa_1.fp -@@ -1 +1 @@ --5a:4a:41:8c:4e:fa:4c:52:19:f9:39:49:31:fb:fd:74 -+MD5:5a:4a:41:8c:4e:fa:4c:52:19:f9:39:49:31:fb:fd:74 -diff --git a/regress/unittests/sshkey/testdata/dsa_2.fp b/regress/unittests/sshkey/testdata/dsa_2.fp -index ba9de82..8226574 100644 ---- a/regress/unittests/sshkey/testdata/dsa_2.fp -+++ b/regress/unittests/sshkey/testdata/dsa_2.fp -@@ -1 +1 @@ --72:5f:50:6b:e5:64:c5:62:21:92:3f:8b:10:9b:9f:1a -+MD5:72:5f:50:6b:e5:64:c5:62:21:92:3f:8b:10:9b:9f:1a -diff --git a/regress/unittests/sshkey/testdata/ecdsa_1-cert.fp b/regress/unittests/sshkey/testdata/ecdsa_1-cert.fp -index a56dbc8..c3d747a 100644 ---- a/regress/unittests/sshkey/testdata/ecdsa_1-cert.fp -+++ b/regress/unittests/sshkey/testdata/ecdsa_1-cert.fp -@@ -1 +1 @@ --f7:be:4c:02:65:ed:4c:11:af:ab:a8:dd:0a:92:e7:44 -+MD5:f7:be:4c:02:65:ed:4c:11:af:ab:a8:dd:0a:92:e7:44 -diff --git a/regress/unittests/sshkey/testdata/ecdsa_1.fp b/regress/unittests/sshkey/testdata/ecdsa_1.fp -index a56dbc8..c3d747a 100644 ---- a/regress/unittests/sshkey/testdata/ecdsa_1.fp -+++ b/regress/unittests/sshkey/testdata/ecdsa_1.fp -@@ -1 +1 @@ --f7:be:4c:02:65:ed:4c:11:af:ab:a8:dd:0a:92:e7:44 -+MD5:f7:be:4c:02:65:ed:4c:11:af:ab:a8:dd:0a:92:e7:44 -diff --git a/regress/unittests/sshkey/testdata/ecdsa_2.fp b/regress/unittests/sshkey/testdata/ecdsa_2.fp -index eb4bbdf..fe7526b 100644 ---- a/regress/unittests/sshkey/testdata/ecdsa_2.fp -+++ b/regress/unittests/sshkey/testdata/ecdsa_2.fp -@@ -1 +1 @@ --51:bd:ff:2b:6d:26:9b:90:f9:e1:4a:ca:a0:29:8e:70 -+MD5:51:bd:ff:2b:6d:26:9b:90:f9:e1:4a:ca:a0:29:8e:70 -diff --git a/regress/unittests/sshkey/testdata/ed25519_1-cert.fp b/regress/unittests/sshkey/testdata/ed25519_1-cert.fp -index e6d23d0..fbde87a 100644 ---- a/regress/unittests/sshkey/testdata/ed25519_1-cert.fp -+++ b/regress/unittests/sshkey/testdata/ed25519_1-cert.fp -@@ -1 +1 @@ --19:08:8e:7e:4d:e5:de:86:2a:09:47:65:eb:0a:51:2f -+MD5:19:08:8e:7e:4d:e5:de:86:2a:09:47:65:eb:0a:51:2f -diff --git a/regress/unittests/sshkey/testdata/ed25519_1.fp b/regress/unittests/sshkey/testdata/ed25519_1.fp -index e6d23d0..fbde87a 100644 ---- a/regress/unittests/sshkey/testdata/ed25519_1.fp -+++ b/regress/unittests/sshkey/testdata/ed25519_1.fp -@@ -1 +1 @@ --19:08:8e:7e:4d:e5:de:86:2a:09:47:65:eb:0a:51:2f -+MD5:19:08:8e:7e:4d:e5:de:86:2a:09:47:65:eb:0a:51:2f -diff --git a/regress/unittests/sshkey/testdata/ed25519_2.fp b/regress/unittests/sshkey/testdata/ed25519_2.fp -index 02c684f..ec1cdbb 100644 ---- a/regress/unittests/sshkey/testdata/ed25519_2.fp -+++ b/regress/unittests/sshkey/testdata/ed25519_2.fp -@@ -1 +1 @@ --5c:c9:ae:a3:0c:aa:28:29:b8:fc:7c:64:ba:6e:e9:c9 -+MD5:5c:c9:ae:a3:0c:aa:28:29:b8:fc:7c:64:ba:6e:e9:c9 -diff --git a/regress/unittests/sshkey/testdata/rsa1_1.fp b/regress/unittests/sshkey/testdata/rsa1_1.fp -index 782ece0..2e1068c 100644 ---- a/regress/unittests/sshkey/testdata/rsa1_1.fp -+++ b/regress/unittests/sshkey/testdata/rsa1_1.fp -@@ -1 +1 @@ --a8:82:9b:98:c5:e6:19:d6:83:39:9f:4d:3a:8f:7c:80 -+MD5:a8:82:9b:98:c5:e6:19:d6:83:39:9f:4d:3a:8f:7c:80 -diff --git a/regress/unittests/sshkey/testdata/rsa1_2.fp b/regress/unittests/sshkey/testdata/rsa1_2.fp -index c332537..cd00393 100644 ---- a/regress/unittests/sshkey/testdata/rsa1_2.fp -+++ b/regress/unittests/sshkey/testdata/rsa1_2.fp -@@ -1 +1 @@ --c0:83:1c:97:5f:32:77:7e:e4:e3:e9:29:b9:eb:76:9c -+MD5:c0:83:1c:97:5f:32:77:7e:e4:e3:e9:29:b9:eb:76:9c -diff --git a/regress/unittests/sshkey/testdata/rsa_1-cert.fp b/regress/unittests/sshkey/testdata/rsa_1-cert.fp -index bf9c2e3..1cf780d 100644 ---- a/regress/unittests/sshkey/testdata/rsa_1-cert.fp -+++ b/regress/unittests/sshkey/testdata/rsa_1-cert.fp -@@ -1 +1 @@ --be:27:4c:16:27:f5:04:03:62:a8:b7:91:df:a5:b1:3b -+MD5:be:27:4c:16:27:f5:04:03:62:a8:b7:91:df:a5:b1:3b -diff --git a/regress/unittests/sshkey/testdata/rsa_1.fp b/regress/unittests/sshkey/testdata/rsa_1.fp -index bf9c2e3..1cf780d 100644 ---- a/regress/unittests/sshkey/testdata/rsa_1.fp -+++ b/regress/unittests/sshkey/testdata/rsa_1.fp -@@ -1 +1 @@ --be:27:4c:16:27:f5:04:03:62:a8:b7:91:df:a5:b1:3b -+MD5:be:27:4c:16:27:f5:04:03:62:a8:b7:91:df:a5:b1:3b -diff --git a/regress/unittests/sshkey/testdata/rsa_2.fp b/regress/unittests/sshkey/testdata/rsa_2.fp -index 53939f4..8d43676 100644 ---- a/regress/unittests/sshkey/testdata/rsa_2.fp -+++ b/regress/unittests/sshkey/testdata/rsa_2.fp -@@ -1 +1 @@ --fb:8f:7b:26:3d:42:40:ef:ed:f1:ed:ee:66:9e:ba:b0 -+MD5:fb:8f:7b:26:3d:42:40:ef:ed:f1:ed:ee:66:9e:ba:b0 -diff --git a/servconf.c b/servconf.c -index b7f3294..e3ebaac 100644 ---- a/servconf.c -+++ b/servconf.c -@@ -54,6 +54,7 @@ - #include "packet.h" - #include "hostfile.h" - #include "auth.h" -+#include "digest.h" - - static void add_listen_addr(ServerOptions *, char *, int); - static void add_one_listen_addr(ServerOptions *, char *, int); -@@ -157,6 +158,7 @@ initialize_server_options(ServerOptions *options) - options->ip_qos_interactive = -1; - options->ip_qos_bulk = -1; - options->version_addendum = NULL; -+ options->fingerprint_hash = -1; - } - - void -@@ -312,6 +314,8 @@ fill_default_server_options(ServerOptions *options) - options->fwd_opts.streamlocal_bind_mask = 0177; - if (options->fwd_opts.streamlocal_bind_unlink == -1) - options->fwd_opts.streamlocal_bind_unlink = 0; -+ if (options->fingerprint_hash == -1) -+ options->fingerprint_hash = SSH_FP_HASH_DEFAULT; - /* Turn privilege separation on by default */ - if (use_privsep == -1) - use_privsep = PRIVSEP_NOSANDBOX; -@@ -361,7 +365,7 @@ typedef enum { - sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, - sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, - sStreamLocalBindMask, sStreamLocalBindUnlink, -- sAllowStreamLocalForwarding, -+ sAllowStreamLocalForwarding, sFingerprintHash, - sDeprecated, sUnsupported - } ServerOpCodes; - -@@ -492,6 +496,7 @@ static struct { - { "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL }, - { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL }, - { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL }, -+ { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL }, - { NULL, sBadOption, 0 } - }; - -@@ -1663,6 +1668,18 @@ process_server_config_line(ServerOptions *options, char *line, - intptr = &options->fwd_opts.streamlocal_bind_unlink; - goto parse_flag; - -+ case sFingerprintHash: -+ arg = strdelim(&cp); -+ if (!arg || *arg == '\0') -+ fatal("%.200s line %d: Missing argument.", -+ filename, linenum); -+ if ((value = ssh_digest_alg_by_name(arg)) == -1) -+ fatal("%.200s line %d: Invalid hash algorithm \"%s\".", -+ filename, linenum, arg); -+ if (*activep) -+ options->fingerprint_hash = value; -+ break; -+ - case sDeprecated: - logit("%s line %d: Deprecated option %s", - filename, linenum, arg); -@@ -1905,6 +1922,8 @@ fmt_intarg(ServerOpCodes code, int val) - return fmt_multistate_int(val, multistate_tcpfwd); - case sAllowStreamLocalForwarding: - return fmt_multistate_int(val, multistate_tcpfwd); -+ case sFingerprintHash: -+ return ssh_digest_alg_name(val); - case sProtocol: - switch (val) { - case SSH_PROTO_1: -@@ -2066,6 +2085,7 @@ dump_config(ServerOptions *o) - dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); - dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding); - dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); -+ dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); - - /* string arguments */ - dump_cfg_string(sPidFile, o->pid_file); -diff --git a/servconf.h b/servconf.h -index 766db3a..49b228b 100644 ---- a/servconf.h -+++ b/servconf.h -@@ -1,4 +1,4 @@ --/* $OpenBSD: servconf.h,v 1.114 2014/07/15 15:54:14 millert Exp $ */ -+/* $OpenBSD: servconf.h,v 1.115 2014/12/21 22:27:56 djm Exp $ */ - - /* - * Author: Tatu Ylonen -@@ -185,6 +185,8 @@ typedef struct { - - u_int num_auth_methods; - char *auth_methods[MAX_AUTH_METHODS]; -+ -+ int fingerprint_hash; - } ServerOptions; - - /* Information about the incoming connection as used by Match */ -diff --git a/ssh-add.1 b/ssh-add.1 -index 4812448..04d1840 100644 ---- a/ssh-add.1 -+++ b/ssh-add.1 -@@ -44,6 +44,7 @@ - .Sh SYNOPSIS - .Nm ssh-add - .Op Fl cDdkLlXx -+.Op Fl E Ar fingerprint_hash - .Op Fl t Ar life - .Op Ar - .Nm ssh-add -@@ -108,6 +109,14 @@ If no public key is found at a given path, - will append - .Pa .pub - and retry. -+.It Fl E Ar fingerprint_hash -+Specifies the hash algorithm used when displaying key fingerprints. -+Valid options are: -+.Dq md5 -+and -+.Dq sha256 . -+The default is -+.Dq sha256 . - .It Fl e Ar pkcs11 - Remove keys provided by the PKCS#11 shared library - .Ar pkcs11 . -diff --git a/ssh-add.c b/ssh-add.c -index 78a3359..5d6a5f4 100644 ---- a/ssh-add.c -+++ b/ssh-add.c -@@ -63,6 +63,7 @@ - #include "pathnames.h" - #include "misc.h" - #include "ssherr.h" -+#include "digest.h" - - /* argv0 */ - extern char *__progname; -@@ -79,6 +80,8 @@ static char *default_files[] = { - NULL - }; - -+static int fingerprint_hash = SSH_FP_HASH_DEFAULT; -+ - /* Default lifetime (0 == forever) */ - static int lifetime = 0; - -@@ -340,8 +343,8 @@ list_identities(AuthenticationConnection *ac, int do_fp) - key = ssh_get_next_identity(ac, &comment, version)) { - had_identities = 1; - if (do_fp) { -- fp = key_fingerprint(key, SSH_FP_MD5, -- SSH_FP_HEX); -+ fp = key_fingerprint(key, fingerprint_hash, -+ SSH_FP_DEFAULT); - printf("%d %s %s (%s)\n", - key_size(key), fp, comment, key_type(key)); - free(fp); -@@ -408,6 +411,7 @@ usage(void) - fprintf(stderr, "usage: %s [options] [file ...]\n", __progname); - fprintf(stderr, "Options:\n"); - fprintf(stderr, " -l List fingerprints of all identities.\n"); -+ fprintf(stderr, " -E hash Specify hash algorithm used for fingerprints.\n"); - fprintf(stderr, " -L List public key parameters of all identities.\n"); - fprintf(stderr, " -k Load only keys and not certificates.\n"); - fprintf(stderr, " -c Require confirmation to sign using identities\n"); -@@ -428,6 +432,7 @@ main(int argc, char **argv) - AuthenticationConnection *ac = NULL; - char *pkcs11provider = NULL; - int i, ch, deleting = 0, ret = 0, key_only = 0; -+ int xflag = 0, lflag = 0, Dflag = 0; - - /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ - sanitise_stdfd(); -@@ -446,21 +451,28 @@ main(int argc, char **argv) - "Could not open a connection to your authentication agent.\n"); - exit(2); - } -- while ((ch = getopt(argc, argv, "klLcdDxXe:s:t:")) != -1) { -+ while ((ch = getopt(argc, argv, "klLcdDxXE:e:s:t:")) != -1) { - switch (ch) { -+ case 'E': -+ fingerprint_hash = ssh_digest_alg_by_name(optarg); -+ if (fingerprint_hash == -1) -+ fatal("Invalid hash algorithm \"%s\"", optarg); -+ break; - case 'k': - key_only = 1; - break; - case 'l': - case 'L': -- if (list_identities(ac, ch == 'l' ? 1 : 0) == -1) -- ret = 1; -- goto done; -+ if (lflag != 0) -+ fatal("-%c flag already specified", lflag); -+ lflag = ch; -+ break; - case 'x': - case 'X': -- if (lock_agent(ac, ch == 'x' ? 1 : 0) == -1) -- ret = 1; -- goto done; -+ if (xflag != 0) -+ fatal("-%c flag already specified", xflag); -+ xflag = ch; -+ break; - case 'c': - confirm = 1; - break; -@@ -468,9 +480,8 @@ main(int argc, char **argv) - deleting = 1; - break; - case 'D': -- if (delete_all(ac) == -1) -- ret = 1; -- goto done; -+ Dflag = 1; -+ break; - case 's': - pkcs11provider = optarg; - break; -@@ -491,6 +502,23 @@ main(int argc, char **argv) - goto done; - } - } -+ -+ if ((xflag != 0) + (lflag != 0) + (Dflag != 0) > 1) -+ fatal("Invalid combination of actions"); -+ else if (xflag) { -+ if (lock_agent(ac, xflag == 'x' ? 1 : 0) == -1) -+ ret = 1; -+ goto done; -+ } else if (lflag) { -+ if (list_identities(ac, lflag == 'l' ? 1 : 0) == -1) -+ ret = 1; -+ goto done; -+ } else if (Dflag) { -+ if (delete_all(ac) == -1) -+ ret = 1; -+ goto done; -+ } -+ - argc -= optind; - argv += optind; - if (pkcs11provider != NULL) { -diff --git a/ssh-agent.1 b/ssh-agent.1 -index a1e634f..d7e791b 100644 ---- a/ssh-agent.1 -+++ b/ssh-agent.1 -@@ -45,6 +45,7 @@ - .Op Fl c | s - .Op Fl d - .Op Fl a Ar bind_address -+.Op Fl E Ar fingerprint_hash - .Op Fl t Ar life - .Op Ar command Op Ar arg ... - .Nm ssh-agent -@@ -96,6 +97,14 @@ Debug mode. - When this option is specified - .Nm - will not fork. -+.It Fl E Ar fingerprint_hash -+Specifies the hash algorithm used when displaying key fingerprints. -+Valid options are: -+.Dq md5 -+and -+.Dq sha256 . -+The default is -+.Dq sha256 . - .It Fl k - Kill the current agent (given by the - .Ev SSH_AGENT_PID -diff --git a/ssh-agent.c b/ssh-agent.c -index 25f10c5..c8036c8 100644 ---- a/ssh-agent.c -+++ b/ssh-agent.c -@@ -142,6 +142,8 @@ extern char *__progname; - /* Default lifetime in seconds (0 == forever) */ - static long lifetime = 0; - -+static int fingerprint_hash = SSH_FP_HASH_DEFAULT; -+ - static void - close_socket(SocketEntry *e) - { -@@ -203,7 +205,7 @@ confirm_key(Identity *id) - char *p; - int ret = -1; - -- p = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX); -+ p = key_fingerprint(id->key, fingerprint_hash, SSH_FP_DEFAULT); - if (ask_permission("Allow use of key %s?\nKey fingerprint %s.", - id->comment, p)) - ret = 0; -@@ -1026,7 +1028,7 @@ usage(void) - { - fprintf(stderr, - "usage: ssh-agent [-c | -s] [-d] [-a bind_address] [-t life]\n" -- " [command [arg ...]]\n" -+ " [-E fingerprint_hash] [command [arg ...]]\n" - " ssh-agent [-c | -s] -k\n"); - exit(1); - } -@@ -1069,8 +1071,13 @@ main(int ac, char **av) - __progname = ssh_get_progname(av[0]); - seed_rng(); - -- while ((ch = getopt(ac, av, "cdksa:t:")) != -1) { -+ while ((ch = getopt(ac, av, "cdksE:a:t:")) != -1) { - switch (ch) { -+ case 'E': -+ fingerprint_hash = ssh_digest_alg_by_name(optarg); -+ if (fingerprint_hash == -1) -+ fatal("Invalid hash algorithm \"%s\"", optarg); -+ break; - case 'c': - if (s_flag) - usage(); -diff --git a/ssh-keygen.1 b/ssh-keygen.1 -index 723a016..276dacc 100644 ---- a/ssh-keygen.1 -+++ b/ssh-keygen.1 -@@ -73,6 +73,7 @@ - .Op Fl f Ar keyfile - .Nm ssh-keygen - .Fl l -+.Op Fl E Ar fingerprint_hash - .Op Fl f Ar input_keyfile - .Nm ssh-keygen - .Fl B -@@ -269,6 +270,14 @@ When used in combination with - this option indicates that a CA key resides in a PKCS#11 token (see the - .Sx CERTIFICATES - section for details). -+.It Fl E Ar fingerprint_hash -+Specifies the hash algorithm used when displaying key fingerprints. -+Valid options are: -+.Dq md5 -+and -+.Dq sha256 . -+The default is -+.Dq sha256 . - .It Fl e - This option will read a private or public OpenSSH key file and - print to stdout the key in one of the formats specified by the -diff --git a/ssh-keygen.c b/ssh-keygen.c -index 23058ee..64fa217 100644 ---- a/ssh-keygen.c -+++ b/ssh-keygen.c -@@ -53,6 +53,7 @@ - #include "ssh-pkcs11.h" - #include "atomicio.h" - #include "krl.h" -+#include "digest.h" - - /* Number of bits in the RSA/DSA key. This value can be set on the command line. */ - #define DEFAULT_BITS 2048 -@@ -90,6 +91,9 @@ int show_cert = 0; - int print_fingerprint = 0; - int print_bubblebabble = 0; - -+/* Hash algorithm to use for fingerprints. */ -+int fingerprint_hash = SSH_FP_HASH_DEFAULT; -+ - /* The identity file name, given on the command line or entered by the user. */ - char identity_file[1024]; - int have_identity = 0; -@@ -749,11 +753,11 @@ do_download(struct passwd *pw) - Key **keys = NULL; - int i, nkeys; - enum fp_rep rep; -- enum fp_type fptype; -+ int fptype; - char *fp, *ra; - -- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5; -- rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX; -+ fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash; -+ rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT; - - pkcs11_init(0); - nkeys = pkcs11_add_provider(pkcs11provider, NULL, &keys); -@@ -762,7 +766,7 @@ do_download(struct passwd *pw) - for (i = 0; i < nkeys; i++) { - if (print_fingerprint) { - fp = key_fingerprint(keys[i], fptype, rep); -- ra = key_fingerprint(keys[i], SSH_FP_MD5, -+ ra = key_fingerprint(keys[i], fingerprint_hash, - SSH_FP_RANDOMART); - printf("%u %s %s (PKCS11 key)\n", key_size(keys[i]), - fp, key_type(keys[i])); -@@ -792,12 +796,11 @@ do_fingerprint(struct passwd *pw) - char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra; - int i, skip = 0, num = 0, invalid = 1; - enum fp_rep rep; -- enum fp_type fptype; -+ int fptype; - struct stat st; - -- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5; -- rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX; -- -+ fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash; -+ rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT; - if (!have_identity) - ask_filename(pw, "Enter file in which the key is"); - if (stat(identity_file, &st) < 0) { -@@ -807,7 +810,8 @@ do_fingerprint(struct passwd *pw) - public = key_load_public(identity_file, &comment); - if (public != NULL) { - fp = key_fingerprint(public, fptype, rep); -- ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART); -+ ra = key_fingerprint(public, fingerprint_hash, -+ SSH_FP_RANDOMART); - printf("%u %s %s (%s)\n", key_size(public), fp, comment, - key_type(public)); - if (log_level >= SYSLOG_LEVEL_VERBOSE) -@@ -873,7 +877,8 @@ do_fingerprint(struct passwd *pw) - } - comment = *cp ? cp : comment; - fp = key_fingerprint(public, fptype, rep); -- ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART); -+ ra = key_fingerprint(public, fingerprint_hash, -+ SSH_FP_RANDOMART); - printf("%u %s %s (%s)\n", key_size(public), fp, - comment ? comment : "no comment", key_type(public)); - if (log_level >= SYSLOG_LEVEL_VERBOSE) -@@ -991,13 +996,15 @@ printhost(FILE *f, const char *name, Key *public, int ca, int revoked, int hash) - { - if (print_fingerprint) { - enum fp_rep rep; -- enum fp_type fptype; -+ int fptype; - char *fp, *ra; - -- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5; -- rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX; -+ fptype = print_bubblebabble ? -+ SSH_DIGEST_SHA1 : fingerprint_hash; -+ rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT; - fp = key_fingerprint(public, fptype, rep); -- ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART); -+ ra = key_fingerprint(public, fingerprint_hash, -+ SSH_FP_RANDOMART); - printf("%u %s %s (%s)\n", key_size(public), fp, name, - key_type(public)); - if (log_level >= SYSLOG_LEVEL_VERBOSE) -@@ -1906,9 +1913,9 @@ do_show_cert(struct passwd *pw) - fatal("%s is not a certificate", identity_file); - v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00; - -- key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); -+ key_fp = key_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT); - ca_fp = key_fingerprint(key->cert->signature_key, -- SSH_FP_MD5, SSH_FP_HEX); -+ fingerprint_hash, SSH_FP_DEFAULT); - - printf("%s:\n", identity_file); - printf(" Type: %s %s certificate\n", key_ssh_name(key), -@@ -2187,7 +2194,7 @@ usage(void) - " ssh-keygen -e [-m key_format] [-f input_keyfile]\n" - " ssh-keygen -y [-f input_keyfile]\n" - " ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]\n" -- " ssh-keygen -l [-f input_keyfile]\n" -+ " ssh-keygen -l [-E fingerprint_hash] [-f input_keyfile]\n" - " ssh-keygen -B [-f input_keyfile]\n"); - #ifdef ENABLE_PKCS11 - fprintf(stderr, -@@ -2256,9 +2263,10 @@ main(int argc, char **argv) - exit(1); - } - -- /* Remaining characters: EUYdw */ -+ /* Remaining characters: UYdw */ - while ((opt = getopt(argc, argv, "ABHLQXceghiklopquvxy" -- "C:D:F:G:I:J:K:M:N:O:P:R:S:T:V:W:Z:a:b:f:g:j:m:n:r:s:t:z:")) != -1) { -+ "C:D:E:F:G:I:J:K:M:N:O:P:R:S:T:V:W:Z:" -+ "a:b:f:g:j:m:n:r:s:t:z:")) != -1) { - switch (opt) { - case 'A': - gen_all_hostkeys = 1; -@@ -2269,6 +2277,11 @@ main(int argc, char **argv) - fatal("Bits has bad value %s (%s)", - optarg, errstr); - break; -+ case 'E': -+ fingerprint_hash = ssh_digest_alg_by_name(optarg); -+ if (fingerprint_hash == -1) -+ fatal("Invalid hash algorithm \"%s\"", optarg); -+ break; - case 'F': - find_host = 1; - rr_hostname = optarg; -@@ -2700,8 +2713,9 @@ passphrase_again: - fclose(f); - - if (!quiet) { -- char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX); -- char *ra = key_fingerprint(public, SSH_FP_MD5, -+ char *fp = key_fingerprint(public, fingerprint_hash, -+ SSH_FP_DEFAULT); -+ char *ra = key_fingerprint(public, fingerprint_hash, - SSH_FP_RANDOMART); - printf("Your public key has been saved in %s.\n", - identity_file); -diff --git a/ssh-keysign.c b/ssh-keysign.c -index d95bb7d..3526d7d 100644 ---- a/ssh-keysign.c -+++ b/ssh-keysign.c -@@ -246,7 +246,8 @@ main(int argc, char **argv) - } - } - if (!found) { -- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); -+ fp = key_fingerprint(key, options.fingerprint_hash, -+ SSH_FP_DEFAULT); - fatal("no matching hostkey found for key %s %s", - key_type(key), fp); - } -diff --git a/ssh.1 b/ssh.1 -index fa5cfb2..d3198a1 100644 ---- a/ssh.1 -+++ b/ssh.1 -@@ -1083,7 +1083,7 @@ Fingerprints can be determined using - If the fingerprint is already known, it can be matched - and the key can be accepted or rejected. - Because of the difficulty of comparing host keys --just by looking at hex strings, -+just by looking at fingerprint strings, - there is also support to compare host keys visually, - using - .Em random art . -diff --git a/sshconnect.c b/sshconnect.c -index ac09eae..7db31e6 100644 ---- a/sshconnect.c -+++ b/sshconnect.c -@@ -915,9 +915,10 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, - "key for IP address '%.128s' to the list " - "of known hosts.", type, ip); - } else if (options.visual_host_key) { -- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); -- ra = key_fingerprint(host_key, SSH_FP_MD5, -- SSH_FP_RANDOMART); -+ fp = key_fingerprint(host_key, -+ options.fingerprint_hash, SSH_FP_DEFAULT); -+ ra = key_fingerprint(host_key, -+ options.fingerprint_hash, SSH_FP_RANDOMART); - logit("Host key fingerprint is %s\n%s\n", fp, ra); - free(ra); - free(fp); -@@ -956,9 +957,10 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port, - else - snprintf(msg1, sizeof(msg1), "."); - /* The default */ -- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); -- ra = key_fingerprint(host_key, SSH_FP_MD5, -- SSH_FP_RANDOMART); -+ fp = key_fingerprint(host_key, -+ options.fingerprint_hash, SSH_FP_DEFAULT); -+ ra = key_fingerprint(host_key, -+ options.fingerprint_hash, SSH_FP_RANDOMART); - msg2[0] = '\0'; - if (options.verify_host_key_dns) { - if (matching_host_key_dns) -@@ -1222,7 +1224,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) - char *fp; - Key *plain = NULL; - -- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); -+ fp = key_fingerprint(host_key, options.fingerprint_hash, SSH_FP_DEFAULT); - debug("Server host key: %s %s", key_type(host_key), fp); - free(fp); - -@@ -1356,8 +1358,10 @@ show_other_keys(struct hostkeys *hostkeys, Key *key) - continue; - if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found)) - continue; -- fp = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_HEX); -- ra = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_RANDOMART); -+ fp = key_fingerprint(found->key, -+ options.fingerprint_hash, SSH_FP_DEFAULT); -+ ra = key_fingerprint(found->key, -+ options.fingerprint_hash, SSH_FP_RANDOMART); - logit("WARNING: %s key found for host %s\n" - "in %s:%lu\n" - "%s key fingerprint %s.", -@@ -1378,7 +1382,8 @@ warn_changed_key(Key *host_key) - { - char *fp; - -- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); -+ fp = key_fingerprint(host_key, options.fingerprint_hash, -+ SSH_FP_DEFAULT); - - error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); - error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @"); -diff --git a/sshconnect2.c b/sshconnect2.c -index 68f7f4f..4724b66 100644 ---- a/sshconnect2.c -+++ b/sshconnect2.c -@@ -582,7 +582,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt) - key->type, pktype); - goto done; - } -- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); -+ fp = key_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT); - debug2("input_userauth_pk_ok: fp %s", fp); - free(fp); - -@@ -991,7 +991,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id) - int have_sig = 1; - char *fp; - -- fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX); -+ fp = key_fingerprint(id->key, options.fingerprint_hash, SSH_FP_DEFAULT); - debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp); - free(fp); - -diff --git a/sshd_config.5 b/sshd_config.5 -index fd44abe..0449eeb 100644 ---- a/sshd_config.5 -+++ b/sshd_config.5 -@@ -483,6 +483,15 @@ and finally - See PATTERNS in - .Xr ssh_config 5 - for more information on patterns. -+.It Cm FingerprintHash -+Specifies the hash algorithm used when logging key fingerprints. -+Valid options are: -+.Dq md5 -+and -+.Dq sha256 . -+The default is -+.Dq sha256 . -+.Pp - .It Cm ForceCommand - Forces the execution of the command specified by - .Cm ForceCommand , -diff --git a/sshkey.c b/sshkey.c -index fdd0c8a..70df758 100644 ---- a/sshkey.c -+++ b/sshkey.c -@@ -29,6 +29,7 @@ - - #include - #include -+#include - - #include - #include -@@ -852,29 +853,18 @@ sshkey_plain_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp) - } - - int --sshkey_fingerprint_raw(const struct sshkey *k, enum sshkey_fp_type dgst_type, -+sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg, - u_char **retp, size_t *lenp) - { - u_char *blob = NULL, *ret = NULL; - size_t blob_len = 0; -- int hash_alg = -1, r = SSH_ERR_INTERNAL_ERROR; -+ int r = SSH_ERR_INTERNAL_ERROR; - - if (retp != NULL) - *retp = NULL; - if (lenp != NULL) - *lenp = 0; -- -- switch (dgst_type) { -- case SSH_FP_MD5: -- hash_alg = SSH_DIGEST_MD5; -- break; -- case SSH_FP_SHA1: -- hash_alg = SSH_DIGEST_SHA1; -- break; -- case SSH_FP_SHA256: -- hash_alg = SSH_DIGEST_SHA256; -- break; -- default: -+ if (ssh_digest_bytes(dgst_alg) == 0) { - r = SSH_ERR_INVALID_ARGUMENT; - goto out; - } -@@ -899,7 +889,7 @@ sshkey_fingerprint_raw(const struct sshkey *k, enum sshkey_fp_type dgst_type, - r = SSH_ERR_ALLOC_FAIL; - goto out; - } -- if ((r = ssh_digest_memory(hash_alg, blob, blob_len, -+ if ((r = ssh_digest_memory(dgst_alg, blob, blob_len, - ret, SSH_DIGEST_MAX_LENGTH)) != 0) - goto out; - /* success */ -@@ -908,7 +898,7 @@ sshkey_fingerprint_raw(const struct sshkey *k, enum sshkey_fp_type dgst_type, - ret = NULL; - } - if (lenp != NULL) -- *lenp = ssh_digest_bytes(hash_alg); -+ *lenp = ssh_digest_bytes(dgst_alg); - r = 0; - out: - free(ret); -@@ -920,21 +910,45 @@ sshkey_fingerprint_raw(const struct sshkey *k, enum sshkey_fp_type dgst_type, - } - - static char * --fingerprint_hex(u_char *dgst_raw, size_t dgst_raw_len) -+fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) - { -- char *retval; -- size_t i; -+ char *ret; -+ size_t plen = strlen(alg) + 1; -+ size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1; -+ int r; - -- if ((retval = calloc(1, dgst_raw_len * 3 + 1)) == NULL) -+ if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL) -+ return NULL; -+ strlcpy(ret, alg, rlen); -+ strlcat(ret, ":", rlen); -+ if (dgst_raw_len == 0) -+ return ret; -+ if ((r = b64_ntop(dgst_raw, dgst_raw_len, -+ ret + plen, rlen - plen)) == -1) { -+ explicit_bzero(ret, rlen); -+ free(ret); - return NULL; -- for (i = 0; i < dgst_raw_len; i++) { -- char hex[4]; -- snprintf(hex, sizeof(hex), "%02x:", dgst_raw[i]); -- strlcat(retval, hex, dgst_raw_len * 3 + 1); - } -+ /* Trim padding characters from end */ -+ ret[strcspn(ret, "=")] = '\0'; -+ return ret; -+} - -- /* Remove the trailing ':' character */ -- retval[(dgst_raw_len * 3) - 1] = '\0'; -+static char * -+fingerprint_hex(const char *alg, u_char *dgst_raw, size_t dgst_raw_len) -+{ -+ char *retval, hex[5]; -+ size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2; -+ -+ if (dgst_raw_len > 65536 || (retval = calloc(1, rlen)) == NULL) -+ return NULL; -+ strlcpy(retval, alg, rlen); -+ strlcat(retval, ":", rlen); -+ for (i = 0; i < dgst_raw_len; i++) { -+ snprintf(hex, sizeof(hex), "%s%02x", -+ i > 0 ? ":" : "", dgst_raw[i]); -+ strlcat(retval, hex, rlen); -+ } - return retval; - } - -@@ -1020,7 +1034,7 @@ fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len) - #define FLDSIZE_Y (FLDBASE + 1) - #define FLDSIZE_X (FLDBASE * 2 + 1) - static char * --fingerprint_randomart(u_char *dgst_raw, size_t dgst_raw_len, -+fingerprint_randomart(const char *alg, u_char *dgst_raw, size_t dgst_raw_len, - const struct sshkey *k) - { - /* -@@ -1028,9 +1042,9 @@ fingerprint_randomart(u_char *dgst_raw, size_t dgst_raw_len, - * intersects with itself. Matter of taste. - */ - char *augmentation_string = " .o+=*BOX@%&#/^SE"; -- char *retval, *p, title[FLDSIZE_X]; -+ char *retval, *p, title[FLDSIZE_X], hash[FLDSIZE_X]; - u_char field[FLDSIZE_X][FLDSIZE_Y]; -- size_t i, tlen; -+ size_t i, tlen, hlen; - u_int b; - int x, y, r; - size_t len = strlen(augmentation_string) - 1; -@@ -1075,8 +1089,12 @@ fingerprint_randomart(u_char *dgst_raw, size_t dgst_raw_len, - sshkey_type(k), sshkey_size(k)); - /* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */ - if (r < 0 || r > (int)sizeof(title)) -- snprintf(title, sizeof(title), "[%s]", sshkey_type(k)); -- tlen = strlen(title); -+ r = snprintf(title, sizeof(title), "[%s]", sshkey_type(k)); -+ tlen = (r <= 0) ? 0 : strlen(title); -+ -+ /* assemble hash ID. */ -+ r = snprintf(hash, sizeof(hash), "[%s]", alg); -+ hlen = (r <= 0) ? 0 : strlen(hash); - - /* output upper border */ - p = retval; -@@ -1085,7 +1103,7 @@ fingerprint_randomart(u_char *dgst_raw, size_t dgst_raw_len, - *p++ = '-'; - memcpy(p, title, tlen); - p += tlen; -- for (i = p - retval - 1; i < FLDSIZE_X; i++) -+ for (i += tlen; i < FLDSIZE_X; i++) - *p++ = '-'; - *p++ = '+'; - *p++ = '\n'; -@@ -1101,7 +1119,11 @@ fingerprint_randomart(u_char *dgst_raw, size_t dgst_raw_len, - - /* output lower border */ - *p++ = '+'; -- for (i = 0; i < FLDSIZE_X; i++) -+ for (i = 0; i < (FLDSIZE_X - hlen) / 2; i++) -+ *p++ = '-'; -+ memcpy(p, hash, hlen); -+ p += hlen; -+ for (i += hlen; i < FLDSIZE_X; i++) - *p++ = '-'; - *p++ = '+'; - -@@ -1109,24 +1131,39 @@ fingerprint_randomart(u_char *dgst_raw, size_t dgst_raw_len, - } - - char * --sshkey_fingerprint(const struct sshkey *k, enum sshkey_fp_type dgst_type, -+sshkey_fingerprint(const struct sshkey *k, int dgst_alg, - enum sshkey_fp_rep dgst_rep) - { - char *retval = NULL; - u_char *dgst_raw; - size_t dgst_raw_len; - -- if (sshkey_fingerprint_raw(k, dgst_type, &dgst_raw, &dgst_raw_len) != 0) -+ if (sshkey_fingerprint_raw(k, dgst_alg, &dgst_raw, &dgst_raw_len) != 0) - return NULL; - switch (dgst_rep) { -+ case SSH_FP_DEFAULT: -+ if (dgst_alg == SSH_DIGEST_MD5) { -+ retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), -+ dgst_raw, dgst_raw_len); -+ } else { -+ retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), -+ dgst_raw, dgst_raw_len); -+ } -+ break; - case SSH_FP_HEX: -- retval = fingerprint_hex(dgst_raw, dgst_raw_len); -+ retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg), -+ dgst_raw, dgst_raw_len); -+ break; -+ case SSH_FP_BASE64: -+ retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg), -+ dgst_raw, dgst_raw_len); - break; - case SSH_FP_BUBBLEBABBLE: - retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len); - break; - case SSH_FP_RANDOMART: -- retval = fingerprint_randomart(dgst_raw, dgst_raw_len, k); -+ retval = fingerprint_randomart(ssh_digest_alg_name(dgst_alg), -+ dgst_raw, dgst_raw_len, k); - break; - default: - explicit_bzero(dgst_raw, dgst_raw_len); -diff --git a/sshkey.h b/sshkey.h -index 450b30c..4554b09 100644 ---- a/sshkey.h -+++ b/sshkey.h -@@ -1,4 +1,4 @@ --/* $OpenBSD: sshkey.h,v 1.1 2014/06/24 01:16:58 djm Exp $ */ -+/* $OpenBSD: sshkey.h,v 1.2 2014/12/21 22:27:55 djm Exp $ */ - - /* - * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. -@@ -67,16 +67,14 @@ enum sshkey_types { - KEY_UNSPEC - }; - --/* Fingerprint hash algorithms */ --enum sshkey_fp_type { -- SSH_FP_SHA1, -- SSH_FP_MD5, -- SSH_FP_SHA256 --}; -+/* Default fingerprint hash */ -+#define SSH_FP_HASH_DEFAULT SSH_DIGEST_SHA256 - - /* Fingerprint representation formats */ - enum sshkey_fp_rep { -+ SSH_FP_DEFAULT = 0, - SSH_FP_HEX, -+ SSH_FP_BASE64, - SSH_FP_BUBBLEBABBLE, - SSH_FP_RANDOMART - }; -@@ -124,9 +122,9 @@ int sshkey_equal_public(const struct sshkey *, - const struct sshkey *); - int sshkey_equal(const struct sshkey *, const struct sshkey *); - char *sshkey_fingerprint(const struct sshkey *, -- enum sshkey_fp_type, enum sshkey_fp_rep); -+ int, enum sshkey_fp_rep); - int sshkey_fingerprint_raw(const struct sshkey *k, -- enum sshkey_fp_type dgst_type, u_char **retp, size_t *lenp); -+ int, u_char **retp, size_t *lenp); - const char *sshkey_type(const struct sshkey *); - const char *sshkey_cert_type(const struct sshkey *); - int sshkey_write(const struct sshkey *, FILE *); diff --git a/openssh-6.7p1-fips.patch b/openssh-6.7p1-fips.patch index 984a038..0aafdcc 100644 --- a/openssh-6.7p1-fips.patch +++ b/openssh-6.7p1-fips.patch @@ -1,8 +1,7 @@ -diff --git a/Makefile.in b/Makefile.in -index 9311e16..1eb2b45 100644 ---- a/Makefile.in -+++ b/Makefile.in -@@ -164,25 +164,25 @@ libssh.a: $(LIBSSH_OBJS) +diff -up openssh-6.8p1/Makefile.in.fips openssh-6.8p1/Makefile.in +--- openssh-6.8p1/Makefile.in.fips 2015-03-19 13:14:22.221212174 +0100 ++++ openssh-6.8p1/Makefile.in 2015-03-19 13:14:22.230212157 +0100 +@@ -168,25 +168,25 @@ libssh.a: $(LIBSSH_OBJS) $(RANLIB) $@ ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) @@ -34,7 +33,7 @@ index 9311e16..1eb2b45 100644 ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) -@@ -197,7 +197,7 @@ ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o +@@ -204,7 +204,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a $(LD) -o $@ ssh-cavs.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o @@ -43,10 +42,9 @@ index 9311e16..1eb2b45 100644 sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -diff --git a/cipher-ctr.c b/cipher-ctr.c -index 73e9c7c..40ee395 100644 ---- a/cipher-ctr.c -+++ b/cipher-ctr.c +diff -up openssh-6.8p1/cipher-ctr.c.fips openssh-6.8p1/cipher-ctr.c +--- openssh-6.8p1/cipher-ctr.c.fips 2015-03-19 13:14:22.155212302 +0100 ++++ openssh-6.8p1/cipher-ctr.c 2015-03-19 13:14:22.230212157 +0100 @@ -179,7 +179,8 @@ evp_aes_128_ctr(void) aes_ctr.do_cipher = ssh_aes_ctr; #ifndef SSH_OLD_EVP @@ -57,10 +55,9 @@ index 73e9c7c..40ee395 100644 #endif return (&aes_ctr); } -diff --git a/cipher.c b/cipher.c -index 9cc7cf8..5ebfa84 100644 ---- a/cipher.c -+++ b/cipher.c +diff -up openssh-6.8p1/cipher.c.fips openssh-6.8p1/cipher.c +--- openssh-6.8p1/cipher.c.fips 2015-03-19 13:14:22.224212169 +0100 ++++ openssh-6.8p1/cipher.c 2015-03-19 13:14:22.230212157 +0100 @@ -39,6 +39,8 @@ #include @@ -70,7 +67,7 @@ index 9cc7cf8..5ebfa84 100644 #include #include #include -@@ -99,6 +101,26 @@ static const struct sshcipher ciphers[] = { +@@ -99,6 +101,26 @@ static const struct sshcipher ciphers[] { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL } }; @@ -133,11 +130,10 @@ index 9cc7cf8..5ebfa84 100644 if (strcasecmp(c->name, name) == 0) return c->number; return -1; -diff --git a/dh.h b/dh.h -index 48f7b68..9ff39f4 100644 ---- a/dh.h -+++ b/dh.h -@@ -45,6 +45,7 @@ int dh_estimate(int); +diff -up openssh-6.8p1/dh.h.fips openssh-6.8p1/dh.h +--- openssh-6.8p1/dh.h.fips 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/dh.h 2015-03-19 13:14:22.230212157 +0100 +@@ -45,6 +45,7 @@ u_int dh_estimate(int); /* Min and max values from RFC4419. */ #define DH_GRP_MIN 1024 @@ -145,11 +141,10 @@ index 48f7b68..9ff39f4 100644 #define DH_GRP_MAX 8192 /* -diff --git a/entropy.c b/entropy.c -index d24e724..06b0095 100644 ---- a/entropy.c -+++ b/entropy.c -@@ -215,6 +215,9 @@ seed_rng(void) +diff -up openssh-6.8p1/entropy.c.fips openssh-6.8p1/entropy.c +--- openssh-6.8p1/entropy.c.fips 2015-03-19 13:14:22.147212317 +0100 ++++ openssh-6.8p1/entropy.c 2015-03-19 13:14:22.230212157 +0100 +@@ -217,6 +217,9 @@ seed_rng(void) fatal("OpenSSL version mismatch. Built against %lx, you " "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay()); @@ -159,10 +154,9 @@ index d24e724..06b0095 100644 #ifndef OPENSSL_PRNG_ONLY if (RAND_status() == 1) { debug3("RNG is ready, skipping seeding"); -diff --git a/kex.c b/kex.c -index e0cf3de..e11198f 100644 ---- a/kex.c -+++ b/kex.c +diff -up openssh-6.8p1/kex.c.fips openssh-6.8p1/kex.c +--- openssh-6.8p1/kex.c.fips 2015-03-19 13:14:22.165212282 +0100 ++++ openssh-6.8p1/kex.c 2015-03-19 13:14:22.230212157 +0100 @@ -35,6 +35,7 @@ #ifdef WITH_OPENSSL @@ -170,7 +164,7 @@ index e0cf3de..e11198f 100644 +#include #endif - #include "xmalloc.h" + #include "ssh2.h" @@ -107,6 +108,25 @@ static const struct kexalg kexalgs[] = { { NULL, -1, -1, -1}, }; @@ -197,7 +191,7 @@ index e0cf3de..e11198f 100644 char * kex_alg_list(char sep) { -@@ -130,7 +150,7 @@ kex_alg_by_name(const char *name) +@@ -134,7 +154,7 @@ kex_alg_by_name(const char *name) { const struct kexalg *k; @@ -206,7 +200,7 @@ index e0cf3de..e11198f 100644 if (strcmp(k->name, name) == 0) return k; #ifdef GSSAPI -@@ -155,7 +175,10 @@ kex_names_valid(const char *names) +@@ -160,7 +180,10 @@ kex_names_valid(const char *names) for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) { if (kex_alg_by_name(p) == NULL) { @@ -218,60 +212,34 @@ index e0cf3de..e11198f 100644 free(s); return 0; } -diff --git a/kexecdhc.c b/kexecdhc.c -index 2f7629c..20c9946 100644 ---- a/kexecdhc.c -+++ b/kexecdhc.c -@@ -154,6 +154,7 @@ kexecdh_client(Kex *kex) +diff -up openssh-6.8p1/kexgexc.c.fips openssh-6.8p1/kexgexc.c +--- openssh-6.8p1/kexgexc.c.fips 2015-03-19 13:14:22.196212223 +0100 ++++ openssh-6.8p1/kexgexc.c 2015-03-19 13:15:11.462117016 +0100 +@@ -28,6 +28,8 @@ - kex_derive_keys_bn(kex, hash, hashlen, shared_secret); - BN_clear_free(shared_secret); -+ memset(hash, 0, hashlen); - kex_finish(kex); - } - #else /* OPENSSL_HAS_ECC */ -diff --git a/kexecdhs.c b/kexecdhs.c -index 2700b72..0820894 100644 ---- a/kexecdhs.c -+++ b/kexecdhs.c -@@ -150,6 +150,7 @@ kexecdh_server(Kex *kex) - - kex_derive_keys_bn(kex, hash, hashlen, shared_secret); - BN_clear_free(shared_secret); -+ memset(hash, 0, hashlen); - kex_finish(kex); - } - #else /* OPENSSL_HAS_ECC */ -diff --git a/kexgexc.c b/kexgexc.c -index 0a91bdd..b75930b 100644 ---- a/kexgexc.c -+++ b/kexgexc.c -@@ -26,6 +26,8 @@ - - #include "includes.h" + #ifdef WITH_OPENSSL +#include + #include #include -@@ -58,7 +60,7 @@ kexgex_client(Kex *kex) - int min, max, nbits; - DH *dh; +@@ -62,7 +64,7 @@ kexgex_client(struct ssh *ssh) -- min = DH_GRP_MIN; -+ min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN; - max = DH_GRP_MAX; + nbits = dh_estimate(kex->dh_need * 8); + +- kex->min = DH_GRP_MIN; ++ kex->min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN; + kex->max = DH_GRP_MAX; /* Servers with MAX4096DH need a preferred size (nbits) <= 4096. -diff --git a/kexgexs.c b/kexgexs.c -index 770ad28..9d4fc6d 100644 ---- a/kexgexs.c -+++ b/kexgexs.c -@@ -76,16 +76,16 @@ kexgex_server(Kex *kex) - omin = min = packet_get_int(); - onbits = nbits = packet_get_int(); - omax = max = packet_get_int(); +diff -up openssh-6.8p1/kexgexs.c.fips openssh-6.8p1/kexgexs.c +--- openssh-6.8p1/kexgexs.c.fips 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/kexgexs.c 2015-03-19 13:14:22.231212155 +0100 +@@ -87,9 +87,9 @@ input_kex_dh_gex_request(int type, u_int + kex->nbits = nbits; + kex->min = min; + kex->max = max; - min = MAX(DH_GRP_MIN, min); + min = MAX(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, min); max = MIN(DH_GRP_MAX, max); @@ -280,28 +248,28 @@ index 770ad28..9d4fc6d 100644 nbits = MIN(DH_GRP_MAX, nbits); break; case SSH2_MSG_KEX_DH_GEX_REQUEST_OLD: - debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received"); - onbits = nbits = packet_get_int(); +@@ -99,7 +99,7 @@ input_kex_dh_gex_request(int type, u_int + goto out; + kex->nbits = nbits; /* unused for old GEX */ -- omin = min = DH_GRP_MIN; -+ omin = min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN; - omax = max = DH_GRP_MAX; +- kex->min = min = DH_GRP_MIN; ++ kex->min = min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN; + kex->max = max = DH_GRP_MAX; break; default: -diff --git a/mac.c b/mac.c -index fd07bf2..fedfbb2 100644 ---- a/mac.c -+++ b/mac.c +diff -up openssh-6.8p1/mac.c.fips openssh-6.8p1/mac.c +--- openssh-6.8p1/mac.c.fips 2015-03-19 13:14:22.224212169 +0100 ++++ openssh-6.8p1/mac.c 2015-03-19 13:14:22.231212155 +0100 @@ -27,6 +27,8 @@ #include +#include + - #include #include - #include -@@ -60,7 +62,7 @@ struct macalg { + #include + +@@ -54,7 +56,7 @@ struct macalg { int etm; /* Encrypt-then-MAC */ }; @@ -310,7 +278,7 @@ index fd07bf2..fedfbb2 100644 /* Encrypt-and-MAC (encrypt-and-authenticate) variants */ { "hmac-sha1", SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 }, { "hmac-sha1-96", SSH_DIGEST, SSH_DIGEST_SHA1, 96, 0, 0, 0 }, -@@ -91,6 +93,24 @@ static const struct macalg macs[] = { +@@ -85,6 +87,24 @@ static const struct macalg macs[] = { { NULL, 0, 0, 0, 0, 0, 0 } }; @@ -335,7 +303,7 @@ index fd07bf2..fedfbb2 100644 /* Returns a list of supported MACs separated by the specified char. */ char * mac_alg_list(char sep) -@@ -99,7 +119,7 @@ mac_alg_list(char sep) +@@ -93,7 +113,7 @@ mac_alg_list(char sep) size_t nlen, rlen = 0; const struct macalg *m; @@ -344,7 +312,7 @@ index fd07bf2..fedfbb2 100644 if (ret != NULL) ret[rlen++] = sep; nlen = strlen(m->name); -@@ -133,7 +153,7 @@ mac_setup(Mac *mac, char *name) +@@ -132,7 +152,7 @@ mac_setup(struct sshmac *mac, char *name { const struct macalg *m; @@ -352,11 +320,10 @@ index fd07bf2..fedfbb2 100644 + for (m = FIPS_mode() ? fips_macs : all_macs; m->name != NULL; m++) { if (strcmp(name, m->name) != 0) continue; - if (mac != NULL) { -diff --git a/myproposal.h b/myproposal.h -index b35b2b8..a608d27 100644 ---- a/myproposal.h -+++ b/myproposal.h + if (mac != NULL) +diff -up openssh-6.8p1/myproposal.h.fips openssh-6.8p1/myproposal.h +--- openssh-6.8p1/myproposal.h.fips 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/myproposal.h 2015-03-19 13:14:22.231212155 +0100 @@ -140,6 +140,28 @@ "hmac-sha1-96," \ "hmac-md5-96" @@ -386,10 +353,9 @@ index b35b2b8..a608d27 100644 #else #define KEX_SERVER_KEX \ -diff --git a/ssh.c b/ssh.c -index 26e9681..a0a7c29 100644 ---- a/ssh.c -+++ b/ssh.c +diff -up openssh-6.8p1/ssh.c.fips openssh-6.8p1/ssh.c +--- openssh-6.8p1/ssh.c.fips 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/ssh.c 2015-03-19 13:14:22.232212153 +0100 @@ -75,6 +75,8 @@ #include #include @@ -399,7 +365,7 @@ index 26e9681..a0a7c29 100644 #include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/sys-queue.h" -@@ -433,6 +435,14 @@ main(int ac, char **av) +@@ -523,6 +525,14 @@ main(int ac, char **av) sanitise_stdfd(); __progname = ssh_get_progname(av[0]); @@ -414,8 +380,8 @@ index 26e9681..a0a7c29 100644 #ifndef HAVE_SETPROCTITLE /* Prepare for later setproctitle emulation */ -@@ -510,6 +519,9 @@ main(int ac, char **av) - "ACD:E:F:I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { +@@ -600,6 +610,9 @@ main(int ac, char **av) + "ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { switch (opt) { case '1': + if (FIPS_mode()) { @@ -424,7 +390,7 @@ index 26e9681..a0a7c29 100644 options.protocol = SSH_PROTO_1; break; case '2': -@@ -841,7 +853,6 @@ main(int ac, char **av) +@@ -941,7 +954,6 @@ main(int ac, char **av) host_arg = xstrdup(host); #ifdef WITH_OPENSSL @@ -432,7 +398,7 @@ index 26e9681..a0a7c29 100644 ERR_load_crypto_strings(); #endif -@@ -997,6 +1008,10 @@ main(int ac, char **av) +@@ -1115,6 +1127,10 @@ main(int ac, char **av) seed_rng(); @@ -443,7 +409,7 @@ index 26e9681..a0a7c29 100644 if (options.user == NULL) options.user = xstrdup(pw->pw_name); -@@ -1069,6 +1084,12 @@ main(int ac, char **av) +@@ -1192,6 +1208,12 @@ main(int ac, char **av) timeout_ms = options.connection_timeout * 1000; @@ -456,10 +422,9 @@ index 26e9681..a0a7c29 100644 /* Open a connection to the remote host. */ if (ssh_connect(host, addrs, &hostaddr, options.port, options.address_family, options.connection_attempts, -diff --git a/sshconnect2.c b/sshconnect2.c -index efe6158..5631f39 100644 ---- a/sshconnect2.c -+++ b/sshconnect2.c +diff -up openssh-6.8p1/sshconnect2.c.fips openssh-6.8p1/sshconnect2.c +--- openssh-6.8p1/sshconnect2.c.fips 2015-03-19 13:14:22.188212238 +0100 ++++ openssh-6.8p1/sshconnect2.c 2015-03-19 13:14:22.232212153 +0100 @@ -46,6 +46,8 @@ #include #endif @@ -469,13 +434,24 @@ index efe6158..5631f39 100644 #include "openbsd-compat/sys-queue.h" #include "xmalloc.h" -@@ -171,20 +173,25 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) +@@ -172,20 +174,25 @@ ssh_kex2(char *host, struct sockaddr *ho #ifdef GSSAPI if (options.gss_keyex) { - /* Add the GSSAPI mechanisms currently supported on this - * client to the key exchange algorithm proposal */ - orig = myproposal[PROPOSAL_KEX_ALGS]; +- +- if (options.gss_trust_dns) +- gss_host = (char *)get_canonical_hostname(1); +- else +- gss_host = host; +- +- gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity); +- if (gss) { +- debug("Offering GSSAPI proposal: %s", gss); +- xasprintf(&myproposal[PROPOSAL_KEX_ALGS], +- "%s,%s", gss, orig); + if (FIPS_mode()) { + logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode"); + options.gss_keyex = 0; @@ -483,21 +459,12 @@ index efe6158..5631f39 100644 + /* Add the GSSAPI mechanisms currently supported on this + * client to the key exchange algorithm proposal */ + orig = myproposal[PROPOSAL_KEX_ALGS]; - -- if (options.gss_trust_dns) -- gss_host = (char *)get_canonical_hostname(1); -- else -- gss_host = host; ++ + if (options.gss_trust_dns) + gss_host = (char *)get_canonical_hostname(1); + else + gss_host = host; - -- gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity); -- if (gss) { -- debug("Offering GSSAPI proposal: %s", gss); -- xasprintf(&myproposal[PROPOSAL_KEX_ALGS], -- "%s,%s", gss, orig); ++ + gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity); + if (gss) { + debug("Offering GSSAPI proposal: %s", gss); @@ -507,7 +474,7 @@ index efe6158..5631f39 100644 } } #endif -@@ -196,6 +203,10 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) +@@ -197,6 +204,10 @@ ssh_kex2(char *host, struct sockaddr *ho if (options.ciphers != NULL) { myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; @@ -518,7 +485,7 @@ index efe6158..5631f39 100644 } myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); -@@ -211,7 +222,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) +@@ -212,7 +223,11 @@ ssh_kex2(char *host, struct sockaddr *ho if (options.macs != NULL) { myproposal[PROPOSAL_MAC_ALGS_CTOS] = myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; @@ -530,7 +497,7 @@ index efe6158..5631f39 100644 if (options.hostkeyalgorithms != NULL) myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(options.hostkeyalgorithms); -@@ -223,9 +238,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) +@@ -224,9 +239,11 @@ ssh_kex2(char *host, struct sockaddr *ho } if (options.kex_algorithms != NULL) myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; @@ -543,10 +510,9 @@ index efe6158..5631f39 100644 #ifdef GSSAPI /* If we've got GSSAPI algorithms, then we also support the * 'null' hostkey, as a last resort */ -diff --git a/sshd.c b/sshd.c -index db23ce2..3ce59f0 100644 ---- a/sshd.c -+++ b/sshd.c +diff -up openssh-6.8p1/sshd.c.fips openssh-6.8p1/sshd.c +--- openssh-6.8p1/sshd.c.fips 2015-03-19 13:14:22.226212165 +0100 ++++ openssh-6.8p1/sshd.c 2015-03-19 13:14:22.232212153 +0100 @@ -66,6 +66,7 @@ #include #include @@ -555,7 +521,7 @@ index db23ce2..3ce59f0 100644 #include #include #include -@@ -76,6 +77,8 @@ +@@ -77,6 +78,8 @@ #include #include #include @@ -564,7 +530,7 @@ index db23ce2..3ce59f0 100644 #include "openbsd-compat/openssl-compat.h" #endif -@@ -1479,6 +1482,18 @@ main(int ac, char **av) +@@ -1543,6 +1546,18 @@ main(int ac, char **av) #endif __progname = ssh_get_progname(av[0]); @@ -583,7 +549,7 @@ index db23ce2..3ce59f0 100644 /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ saved_argc = ac; rexec_argc = ac; -@@ -1630,7 +1645,7 @@ main(int ac, char **av) +@@ -1694,7 +1709,7 @@ main(int ac, char **av) else closefrom(REEXEC_DEVCRYPTO_RESERVED_FD); @@ -592,9 +558,9 @@ index db23ce2..3ce59f0 100644 OpenSSL_add_all_algorithms(); #endif -@@ -1816,6 +1831,10 @@ main(int ac, char **av) - debug("private host key: #%d type %d %s", i, keytype, - key_type(key ? key : pubkey)); +@@ -1890,6 +1905,10 @@ main(int ac, char **av) + sshkey_type(pubkey) : sshkey_ssh_name(pubkey), fp); + free(fp); } + if ((options.protocol & SSH_PROTO_1) && FIPS_mode()) { + logit("Disabling protocol version 1. Not allowed in the FIPS mode."); @@ -603,7 +569,7 @@ index db23ce2..3ce59f0 100644 if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) { logit("Disabling protocol version 1. Could not load host key"); options.protocol &= ~SSH_PROTO_1; -@@ -1982,6 +2001,10 @@ main(int ac, char **av) +@@ -2058,6 +2077,10 @@ main(int ac, char **av) /* Reinitialize the log (because of the fork above). */ log_init(__progname, options.log_level, options.log_facility, log_stderr); @@ -614,7 +580,7 @@ index db23ce2..3ce59f0 100644 /* Chdir to the root directory so that the current disk can be unmounted if desired. */ if (chdir("/") == -1) -@@ -2541,6 +2564,9 @@ do_ssh2_kex(void) +@@ -2642,6 +2665,9 @@ do_ssh2_kex(void) if (options.ciphers != NULL) { myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; @@ -624,7 +590,7 @@ index db23ce2..3ce59f0 100644 } myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); -@@ -2550,6 +2576,9 @@ do_ssh2_kex(void) +@@ -2651,6 +2677,9 @@ do_ssh2_kex(void) if (options.macs != NULL) { myproposal[PROPOSAL_MAC_ALGS_CTOS] = myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; @@ -634,7 +600,7 @@ index db23ce2..3ce59f0 100644 } if (options.compression == COMP_NONE) { myproposal[PROPOSAL_COMP_ALGS_CTOS] = -@@ -2560,6 +2589,8 @@ do_ssh2_kex(void) +@@ -2661,6 +2690,8 @@ do_ssh2_kex(void) } if (options.kex_algorithms != NULL) myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; @@ -643,7 +609,7 @@ index db23ce2..3ce59f0 100644 myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( myproposal[PROPOSAL_KEX_ALGS]); -@@ -2586,10 +2617,14 @@ do_ssh2_kex(void) +@@ -2687,10 +2718,14 @@ do_ssh2_kex(void) if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0) orig = NULL; @@ -662,19 +628,18 @@ index db23ce2..3ce59f0 100644 if (gss && orig) xasprintf(&newstr, "%s,%s", gss, orig); -diff --git a/sshkey.c b/sshkey.c -index f078e11..5e3d97f 100644 ---- a/sshkey.c -+++ b/sshkey.c -@@ -34,6 +34,7 @@ +diff -up openssh-6.8p1/sshkey.c.fips openssh-6.8p1/sshkey.c +--- openssh-6.8p1/sshkey.c.fips 2015-03-19 13:14:22.227212163 +0100 ++++ openssh-6.8p1/sshkey.c 2015-03-19 13:14:22.233212151 +0100 +@@ -35,6 +35,7 @@ #include #include #include +#include + #endif #include "crypto_api.h" - -@@ -1523,6 +1524,8 @@ rsa_generate_private_key(u_int bits, RSA **rsap) +@@ -1562,6 +1563,8 @@ rsa_generate_private_key(u_int bits, RSA } if (!BN_set_word(f4, RSA_F4) || !RSA_generate_key_ex(private, bits, f4, NULL)) { @@ -683,9 +648,10 @@ index f078e11..5e3d97f 100644 ret = SSH_ERR_LIBCRYPTO_ERROR; goto out; } ---- a/servconf.c 2015-01-30 12:24:12.388337643 +0100 -+++ b/servconf.c 2015-01-30 12:26:36.229229751 +0100 -@@ -2159,8 +2162,10 @@ +diff -up openssh-6.8p1/servconf.c.fips openssh-6.8p1/servconf.c +--- openssh-6.8p1/servconf.c.fips 2015-03-19 13:14:22.210212196 +0100 ++++ openssh-6.8p1/servconf.c 2015-03-19 13:14:22.233212151 +0100 +@@ -2226,8 +2226,10 @@ dump_config(ServerOptions *o) /* string arguments */ dump_cfg_string(sPidFile, o->pid_file); dump_cfg_string(sXAuthLocation, o->xauth_location); @@ -698,12 +664,14 @@ index f078e11..5e3d97f 100644 dump_cfg_string(sBanner, o->banner); dump_cfg_string(sForceCommand, o->adm_forced_command); dump_cfg_string(sChrootDirectory, o->chroot_directory); -@@ -2180,7 +2180,7 @@ +@@ -2240,8 +2242,8 @@ dump_config(ServerOptions *o) + dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command); dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user); dump_cfg_string(sHostKeyAgent, o->host_key_agent); - dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms : -- KEX_SERVER_KEX); +- dump_cfg_string(sKexAlgorithms, +- o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX); ++ dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms : + FIPS_mode() ? KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX); - - /* string arguments requiring a lookup */ - dump_cfg_string(sLogLevel, log_level_name(o->log_level)); + dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ? + o->hostbased_key_types : KEX_DEFAULT_PK_ALG); + dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ? diff --git a/openssh-6.7p1-kdf-cavs.patch b/openssh-6.7p1-kdf-cavs.patch index 19e1b53..d219791 100644 --- a/openssh-6.7p1-kdf-cavs.patch +++ b/openssh-6.7p1-kdf-cavs.patch @@ -1,8 +1,7 @@ -diff --git a/Makefile.in b/Makefile.in -index 1eb2b45..cfa89a1 100644 ---- a/Makefile.in -+++ b/Makefile.in -@@ -29,6 +29,7 @@ SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper +diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in +--- openssh-6.8p1/Makefile.in.kdf-cavs 2015-03-18 11:23:46.346049359 +0100 ++++ openssh-6.8p1/Makefile.in 2015-03-18 11:24:20.395968445 +0100 +@@ -29,6 +29,7 @@ SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-h SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper SSH_KEYCAT=$(libexecdir)/ssh-keycat CTR_CAVSTEST=$(libexecdir)/ctr-cavstest @@ -18,8 +17,8 @@ index 1eb2b45..cfa89a1 100644 +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT) LIBOPENSSH_OBJS=\ - ssherr.o \ -@@ -196,6 +196,9 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o + ssh_api.o \ +@@ -198,6 +199,9 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHD ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS) @@ -29,7 +28,7 @@ index 1eb2b45..cfa89a1 100644 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) -@@ -320,6 +321,8 @@ install-files: +@@ -331,6 +335,8 @@ install-files: fi $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT) @@ -38,12 +37,10 @@ index 1eb2b45..cfa89a1 100644 $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 -diff --git a/ssh-cavs.c b/ssh-cavs.c -new file mode 100644 -index 0000000..928ff80 ---- /dev/null -+++ b/ssh-cavs.c -@@ -0,0 +1,374 @@ +diff -up openssh-6.8p1/ssh-cavs.c.kdf-cavs openssh-6.8p1/ssh-cavs.c +--- openssh-6.8p1/ssh-cavs.c.kdf-cavs 2015-03-18 11:23:46.348049354 +0100 ++++ openssh-6.8p1/ssh-cavs.c 2015-03-18 11:23:46.348049354 +0100 +@@ -0,0 +1,383 @@ +/* + * Copyright (C) 2015, Stephan Mueller + * @@ -95,6 +92,7 @@ index 0000000..928ff80 +#include "key.h" +#include "cipher.h" +#include "kex.h" ++#include "packet.h" + +static int bin_char(unsigned char hex) +{ @@ -208,16 +206,17 @@ index 0000000..928ff80 +static int sshkdf_cavs(struct kdf_cavs *test) +{ + int ret = 0; -+ Kex kex; ++ struct kex kex; + BIGNUM *Kbn = NULL; + int mode = 0; -+ Newkeys *ctoskeys; -+ Newkeys *stockeys; ++ struct newkeys *ctoskeys; ++ struct newkeys *stockeys; ++ struct ssh *ssh = NULL; + +#define HEXOUTLEN 500 + char hex[HEXOUTLEN]; + -+ memset(&kex, 0, sizeof(Kex)); ++ memset(&kex, 0, sizeof(struct kex)); + + Kbn = BN_new(); + BN_bin2bn(test->K, test->Klen, Kbn); @@ -254,7 +253,7 @@ index 0000000..928ff80 + + /* implement choose_enc */ + for (mode = 0; mode < 2; mode++) { -+ kex.newkeys[mode] = calloc(1, sizeof(Newkeys)); ++ kex.newkeys[mode] = calloc(1, sizeof(struct newkeys)); + if (!kex.newkeys[mode]) { + printf("allocation of newkeys failed\n"); + ret = 1; @@ -280,10 +279,15 @@ index 0000000..928ff80 + kex.server = 1; + + /* do it */ -+ kex_derive_keys_bn(&kex, test->H, test->Hlen, Kbn); ++ if ((ssh = ssh_packet_set_connection(NULL, -1, -1)) == NULL){ ++ printf("Allocation error\n"); ++ goto out; ++ } ++ ssh->kex = &kex; ++ kex_derive_keys_bn(ssh, test->H, test->Hlen, Kbn); + -+ ctoskeys = kex_get_newkeys(0); -+ stockeys = kex_get_newkeys(1); ++ ctoskeys = kex.newkeys[0]; ++ stockeys = kex.newkeys[1]; + + /* get data */ + memset(hex, 0, HEXOUTLEN); @@ -323,6 +327,8 @@ index 0000000..928ff80 + free(kex.newkeys[0]); + if (kex.newkeys[1]) + free(kex.newkeys[1]); ++ if (ssh) ++ ssh_packet_close(ssh); + return ret; +} + @@ -418,11 +424,9 @@ index 0000000..928ff80 + return ret; + +} -diff --git a/ssh-cavs_driver.pl b/ssh-cavs_driver.pl -new file mode 100644 -index 0000000..6ed8f26 ---- /dev/null -+++ b/ssh-cavs_driver.pl +diff -up openssh-6.8p1/ssh-cavs_driver.pl.kdf-cavs openssh-6.8p1/ssh-cavs_driver.pl +--- openssh-6.8p1/ssh-cavs_driver.pl.kdf-cavs 2015-03-18 11:23:46.348049354 +0100 ++++ openssh-6.8p1/ssh-cavs_driver.pl 2015-03-18 11:23:46.348049354 +0100 @@ -0,0 +1,184 @@ +#!/usr/bin/env perl +# diff --git a/openssh-6.7p1-ldap.patch b/openssh-6.7p1-ldap.patch index e46e93a..296e7ea 100644 --- a/openssh-6.7p1-ldap.patch +++ b/openssh-6.7p1-ldap.patch @@ -1,8 +1,6 @@ -diff --git a/HOWTO.ldap-keys b/HOWTO.ldap-keys -new file mode 100644 -index 0000000..dd5f5cc ---- /dev/null -+++ b/HOWTO.ldap-keys +diff -up openssh-6.8p1/HOWTO.ldap-keys.ldap openssh-6.8p1/HOWTO.ldap-keys +--- openssh-6.8p1/HOWTO.ldap-keys.ldap 2015-03-18 11:11:29.029801467 +0100 ++++ openssh-6.8p1/HOWTO.ldap-keys 2015-03-18 11:11:29.029801467 +0100 @@ -0,0 +1,119 @@ + +HOW TO START @@ -123,10 +121,9 @@ index 0000000..dd5f5cc +5) Author + Jan F. Chadima + -diff --git a/Makefile.in b/Makefile.in -index 06be3d5..f02aa1e 100644 ---- a/Makefile.in -+++ b/Makefile.in +diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in +--- openssh-6.8p1/Makefile.in.ldap 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/Makefile.in 2015-03-18 11:13:10.147561177 +0100 @@ -25,6 +25,8 @@ SSH_PROGRAM=@bindir@/ssh ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass SFTP_SERVER=$(libexecdir)/sftp-server @@ -146,8 +143,8 @@ index 06be3d5..f02aa1e 100644 +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) LIBOPENSSH_OBJS=\ - ssherr.o \ -@@ -108,8 +111,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ + ssh_api.o \ +@@ -112,8 +115,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ sandbox-seccomp-filter.o sandbox-capsicum.o @@ -158,17 +155,17 @@ index 06be3d5..f02aa1e 100644 MANTYPE = @MANTYPE@ CONFIGFILES=sshd_config.out ssh_config.out moduli.out -@@ -180,6 +183,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readco +@@ -184,6 +187,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS) -+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o -+ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) ++ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o sshbuf-getput-basic.o ssherr.o ++ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o sshbuf-getput-basic.o ssherr.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) + ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) -@@ -295,6 +301,10 @@ install-files: +@@ -311,6 +317,10 @@ install-files: $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT) $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) @@ -179,7 +176,7 @@ index 06be3d5..f02aa1e 100644 $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 -@@ -311,6 +321,10 @@ install-files: +@@ -327,6 +337,10 @@ install-files: $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 @@ -190,7 +187,7 @@ index 06be3d5..f02aa1e 100644 -rm -f $(DESTDIR)$(bindir)/slogin ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 -@@ -340,6 +354,13 @@ install-sysconf: +@@ -356,6 +370,13 @@ install-sysconf: else \ echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \ fi @@ -204,7 +201,7 @@ index 06be3d5..f02aa1e 100644 host-key: ssh-keygen$(EXEEXT) @if [ -z "$(DESTDIR)" ] ; then \ -@@ -403,6 +424,8 @@ uninstall: +@@ -419,6 +440,8 @@ uninstall: -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) -rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) -rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) @@ -213,7 +210,7 @@ index 06be3d5..f02aa1e 100644 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 -@@ -414,6 +437,7 @@ uninstall: +@@ -430,6 +453,7 @@ uninstall: -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 @@ -221,11 +218,10 @@ index 06be3d5..f02aa1e 100644 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 regress-prep: -diff --git a/configure.ac b/configure.ac -index 67c4486..6553074 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -1569,6 +1569,106 @@ if test "x$use_pie" != "xno"; then +diff -up openssh-6.8p1/configure.ac.ldap openssh-6.8p1/configure.ac +--- openssh-6.8p1/configure.ac.ldap 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/configure.ac 2015-03-18 11:11:29.030801464 +0100 +@@ -1605,6 +1605,106 @@ if test "x$use_pie" != "xno"; then fi fi @@ -332,11 +328,9 @@ index 67c4486..6553074 100644 dnl Checks for library functions. Please keep in alphabetical order AC_CHECK_FUNCS([ \ Blowfish_initstate \ -diff --git a/ldap-helper.c b/ldap-helper.c -new file mode 100644 -index 0000000..e95a94a ---- /dev/null -+++ b/ldap-helper.c +diff -up openssh-6.8p1/ldap-helper.c.ldap openssh-6.8p1/ldap-helper.c +--- openssh-6.8p1/ldap-helper.c.ldap 2015-03-18 11:11:29.030801464 +0100 ++++ openssh-6.8p1/ldap-helper.c 2015-03-18 11:11:29.030801464 +0100 @@ -0,0 +1,155 @@ +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -493,11 +487,9 @@ index 0000000..e95a94a +void *buffer_get_string(Buffer *b, u_int *l) { return NULL; } +void buffer_put_string(Buffer *b, const void *f, u_int l) {} + -diff --git a/ldap-helper.h b/ldap-helper.h -new file mode 100644 -index 0000000..14cb29a ---- /dev/null -+++ b/ldap-helper.h +diff -up openssh-6.8p1/ldap-helper.h.ldap openssh-6.8p1/ldap-helper.h +--- openssh-6.8p1/ldap-helper.h.ldap 2015-03-18 11:11:29.031801462 +0100 ++++ openssh-6.8p1/ldap-helper.h 2015-03-18 11:11:29.031801462 +0100 @@ -0,0 +1,32 @@ +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -531,11 +523,9 @@ index 0000000..14cb29a +extern int config_warning_config_file; + +#endif /* LDAP_HELPER_H */ -diff --git a/ldap.conf b/ldap.conf -new file mode 100644 -index 0000000..42e38d3 ---- /dev/null -+++ b/ldap.conf +diff -up openssh-6.8p1/ldap.conf.ldap openssh-6.8p1/ldap.conf +--- openssh-6.8p1/ldap.conf.ldap 2015-03-18 11:11:29.031801462 +0100 ++++ openssh-6.8p1/ldap.conf 2015-03-18 11:11:29.031801462 +0100 @@ -0,0 +1,95 @@ +# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $ +# @@ -632,11 +622,9 @@ index 0000000..42e38d3 + +#AccountClass posixAccount + -diff --git a/ldapbody.c b/ldapbody.c -new file mode 100644 -index 0000000..3029108 ---- /dev/null -+++ b/ldapbody.c +diff -up openssh-6.8p1/ldapbody.c.ldap openssh-6.8p1/ldapbody.c +--- openssh-6.8p1/ldapbody.c.ldap 2015-03-18 11:11:29.031801462 +0100 ++++ openssh-6.8p1/ldapbody.c 2015-03-18 11:11:29.031801462 +0100 @@ -0,0 +1,493 @@ +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1131,11 +1119,9 @@ index 0000000..3029108 + return; +} + -diff --git a/ldapbody.h b/ldapbody.h -new file mode 100644 -index 0000000..665dca2 ---- /dev/null -+++ b/ldapbody.h +diff -up openssh-6.8p1/ldapbody.h.ldap openssh-6.8p1/ldapbody.h +--- openssh-6.8p1/ldapbody.h.ldap 2015-03-18 11:11:29.031801462 +0100 ++++ openssh-6.8p1/ldapbody.h 2015-03-18 11:11:29.031801462 +0100 @@ -0,0 +1,37 @@ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1174,11 +1160,9 @@ index 0000000..665dca2 + +#endif /* LDAPBODY_H */ + -diff --git a/ldapconf.c b/ldapconf.c -new file mode 100644 -index 0000000..b49cae6 ---- /dev/null -+++ b/ldapconf.c +diff -up openssh-6.8p1/ldapconf.c.ldap openssh-6.8p1/ldapconf.c +--- openssh-6.8p1/ldapconf.c.ldap 2015-03-18 11:11:29.032801460 +0100 ++++ openssh-6.8p1/ldapconf.c 2015-03-18 11:11:29.032801460 +0100 @@ -0,0 +1,728 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1908,11 +1892,9 @@ index 0000000..b49cae6 + dump_cfg_string(lAccountClass, options.account_class); +} + -diff --git a/ldapconf.h b/ldapconf.h -new file mode 100644 -index 0000000..2cb550c ---- /dev/null -+++ b/ldapconf.h +diff -up openssh-6.8p1/ldapconf.h.ldap openssh-6.8p1/ldapconf.h +--- openssh-6.8p1/ldapconf.h.ldap 2015-03-18 11:11:29.032801460 +0100 ++++ openssh-6.8p1/ldapconf.h 2015-03-18 11:11:29.032801460 +0100 @@ -0,0 +1,73 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1987,11 +1969,9 @@ index 0000000..2cb550c +void dump_config(void); + +#endif /* LDAPCONF_H */ -diff --git a/ldapincludes.h b/ldapincludes.h -new file mode 100644 -index 0000000..8539bdc ---- /dev/null -+++ b/ldapincludes.h +diff -up openssh-6.8p1/ldapincludes.h.ldap openssh-6.8p1/ldapincludes.h +--- openssh-6.8p1/ldapincludes.h.ldap 2015-03-18 11:11:29.032801460 +0100 ++++ openssh-6.8p1/ldapincludes.h 2015-03-18 11:11:29.032801460 +0100 @@ -0,0 +1,41 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -2034,11 +2014,9 @@ index 0000000..8539bdc +#endif + +#endif /* LDAPINCLUDES_H */ -diff --git a/ldapmisc.c b/ldapmisc.c -new file mode 100644 -index 0000000..de23c0c ---- /dev/null -+++ b/ldapmisc.c +diff -up openssh-6.8p1/ldapmisc.c.ldap openssh-6.8p1/ldapmisc.c +--- openssh-6.8p1/ldapmisc.c.ldap 2015-03-18 11:11:29.032801460 +0100 ++++ openssh-6.8p1/ldapmisc.c 2015-03-18 11:11:29.032801460 +0100 @@ -0,0 +1,79 @@ + +#include "ldapincludes.h" @@ -2119,11 +2097,9 @@ index 0000000..de23c0c +} +#endif + -diff --git a/ldapmisc.h b/ldapmisc.h -new file mode 100644 -index 0000000..4c271df ---- /dev/null -+++ b/ldapmisc.h +diff -up openssh-6.8p1/ldapmisc.h.ldap openssh-6.8p1/ldapmisc.h +--- openssh-6.8p1/ldapmisc.h.ldap 2015-03-18 11:11:29.032801460 +0100 ++++ openssh-6.8p1/ldapmisc.h 2015-03-18 11:11:29.032801460 +0100 @@ -0,0 +1,35 @@ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -2160,11 +2136,9 @@ index 0000000..4c271df + +#endif /* LDAPMISC_H */ + -diff --git a/openssh-lpk-openldap.schema b/openssh-lpk-openldap.schema -new file mode 100644 -index 0000000..c84f90f ---- /dev/null -+++ b/openssh-lpk-openldap.schema +diff -up openssh-6.8p1/openssh-lpk-openldap.schema.ldap openssh-6.8p1/openssh-lpk-openldap.schema +--- openssh-6.8p1/openssh-lpk-openldap.schema.ldap 2015-03-18 11:11:29.033801457 +0100 ++++ openssh-6.8p1/openssh-lpk-openldap.schema 2015-03-18 11:11:29.033801457 +0100 @@ -0,0 +1,21 @@ +# +# LDAP Public Key Patch schema for use with openssh-ldappubkey @@ -2187,11 +2161,9 @@ index 0000000..c84f90f + DESC 'MANDATORY: OpenSSH LPK objectclass' + MUST ( sshPublicKey $ uid ) + ) -diff --git a/openssh-lpk-sun.schema b/openssh-lpk-sun.schema -new file mode 100644 -index 0000000..3136673 ---- /dev/null -+++ b/openssh-lpk-sun.schema +diff -up openssh-6.8p1/openssh-lpk-sun.schema.ldap openssh-6.8p1/openssh-lpk-sun.schema +--- openssh-6.8p1/openssh-lpk-sun.schema.ldap 2015-03-18 11:11:29.033801457 +0100 ++++ openssh-6.8p1/openssh-lpk-sun.schema 2015-03-18 11:11:29.033801457 +0100 @@ -0,0 +1,23 @@ +# +# LDAP Public Key Patch schema for use with openssh-ldappubkey @@ -2216,11 +2188,9 @@ index 0000000..3136673 + DESC 'MANDATORY: OpenSSH LPK objectclass' + MUST ( sshPublicKey $ uid ) + ) -diff --git a/ssh-ldap-helper.8 b/ssh-ldap-helper.8 -new file mode 100644 -index 0000000..5d2d7be ---- /dev/null -+++ b/ssh-ldap-helper.8 +diff -up openssh-6.8p1/ssh-ldap-helper.8.ldap openssh-6.8p1/ssh-ldap-helper.8 +--- openssh-6.8p1/ssh-ldap-helper.8.ldap 2015-03-18 11:11:29.033801457 +0100 ++++ openssh-6.8p1/ssh-ldap-helper.8 2015-03-18 11:11:29.033801457 +0100 @@ -0,0 +1,79 @@ +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" @@ -2301,21 +2271,17 @@ index 0000000..5d2d7be +OpenSSH 5.5 + PKA-LDAP . +.Sh AUTHORS +.An Jan F. Chadima Aq jchadima@redhat.com -diff --git a/ssh-ldap-wrapper b/ssh-ldap-wrapper -new file mode 100644 -index 0000000..cb500aa ---- /dev/null -+++ b/ssh-ldap-wrapper +diff -up openssh-6.8p1/ssh-ldap-wrapper.ldap openssh-6.8p1/ssh-ldap-wrapper +--- openssh-6.8p1/ssh-ldap-wrapper.ldap 2015-03-18 11:11:29.033801457 +0100 ++++ openssh-6.8p1/ssh-ldap-wrapper 2015-03-18 11:11:29.033801457 +0100 @@ -0,0 +1,4 @@ +#!/bin/sh + +exec /usr/libexec/openssh/ssh-ldap-helper -s "$1" + -diff --git a/ssh-ldap.conf.5 b/ssh-ldap.conf.5 -new file mode 100644 -index 0000000..f7081b8 ---- /dev/null -+++ b/ssh-ldap.conf.5 +diff -up openssh-6.8p1/ssh-ldap.conf.5.ldap openssh-6.8p1/ssh-ldap.conf.5 +--- openssh-6.8p1/ssh-ldap.conf.5.ldap 2015-03-18 11:11:29.033801457 +0100 ++++ openssh-6.8p1/ssh-ldap.conf.5 2015-03-18 11:11:29.033801457 +0100 @@ -0,0 +1,385 @@ +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" diff --git a/openssh-6.7p1-sftp-force-permission.patch b/openssh-6.7p1-sftp-force-permission.patch index 05fff13..1a88e50 100644 --- a/openssh-6.7p1-sftp-force-permission.patch +++ b/openssh-6.7p1-sftp-force-permission.patch @@ -1,6 +1,7 @@ ---- openssh-5.3p1/sftp-server.8 2015-02-10 10:08:09.611849984 +0100 -+++ openssh-5.3p1/sftp-server.8.perms 2015-02-10 10:08:52.204120509 +0100 -@@ -33,6 +33,7 @@ +diff -up openssh-6.8p1/sftp-server.8.sftp-force-mode openssh-6.8p1/sftp-server.8 +--- openssh-6.8p1/sftp-server.8.sftp-force-mode 2015-03-17 06:49:20.000000000 +0100 ++++ openssh-6.8p1/sftp-server.8 2015-03-18 13:18:05.898306477 +0100 +@@ -38,6 +38,7 @@ .Op Fl P Ar blacklisted_requests .Op Fl p Ar whitelisted_requests .Op Fl u Ar umask @@ -8,7 +9,7 @@ .Ek .Nm .Fl Q Ar protocol_feature -@@ -77,6 +78,10 @@ Sets an explicit +@@ -138,6 +139,10 @@ Sets an explicit .Xr umask 2 to be applied to newly-created files and directories, instead of the user's default mask. @@ -19,9 +20,10 @@ .El .Pp On some systems, ---- openssh-5.3p1/sftp-server.c 2015-02-10 10:08:09.611849984 +0100 -+++ openssh-5.3p1/sftp-server.c.perms 2015-02-10 10:39:00.855453028 +0100 -@@ -70,6 +70,10 @@ Buffer oqueue; +diff -up openssh-6.8p1/sftp-server.c.sftp-force-mode openssh-6.8p1/sftp-server.c +--- openssh-6.8p1/sftp-server.c.sftp-force-mode 2015-03-18 13:18:05.883306513 +0100 ++++ openssh-6.8p1/sftp-server.c 2015-03-18 13:18:36.697232193 +0100 +@@ -70,6 +70,10 @@ struct sshbuf *oqueue; /* Version of client */ static u_int version; @@ -32,10 +34,10 @@ /* SSH2_FXP_INIT received */ static int init_done; -@@ -551,6 +555,10 @@ process_open(void) - a = get_attrib(); +@@ -693,6 +697,10 @@ process_open(u_int32_t id) + debug3("request %u: open flags %d", id, pflags); flags = flags_from_portable(pflags); - mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a->perm : 0666; + mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666; + if (permforce == 1) { /* Force perm if -m is set */ + mode = permforcemode; + (void)umask(0); /* so umask does not interfere */ @@ -43,7 +45,7 @@ logit("open \"%s\" flags %s mode 0%o", name, string_from_portable(pflags), mode); if (readonly && -@@ -1322,7 +1330,7 @@ sftp_server_usage(void) +@@ -1495,7 +1503,7 @@ sftp_server_usage(void) fprintf(stderr, "usage: %s [-ehR] [-d start_directory] [-f log_facility] " "[-l log_level]\n\t[-P blacklisted_requests] " @@ -52,7 +54,7 @@ " %s -Q protocol_feature\n", __progname, __progname); exit(1); -@@ -1343,7 +1351,7 @@ sftp_server_main(int argc, char **argv, +@@ -1520,7 +1528,7 @@ sftp_server_main(int argc, char **argv, pw = pwcopy(user_pw); while (!skipargs && (ch = getopt(argc, argv, @@ -61,7 +63,7 @@ switch (ch) { case 'Q': if (strcasecmp(optarg, "requests") != 0) { -@@ -1373,6 +1381,15 @@ sftp_server_main(int argc, char **argv, +@@ -1580,6 +1588,15 @@ sftp_server_main(int argc, char **argv, fatal("Invalid umask \"%s\"", optarg); (void)umask((mode_t)mask); break; diff --git a/openssh-6.7p1-sshdT-output.patch b/openssh-6.7p1-sshdT-output.patch index 11e9c69..aa09346 100644 --- a/openssh-6.7p1-sshdT-output.patch +++ b/openssh-6.7p1-sshdT-output.patch @@ -1,14 +1,7 @@ ---- a/servconf.c 2015-01-30 12:24:12.388337643 +0100 -+++ b/servconf.c 2015-01-30 12:26:36.229229751 +0100 -@@ -55,6 +55,7 @@ - #include "hostfile.h" - #include "auth.h" - #include "digest.h" -+#include "myproposal.h" - - static void add_listen_addr(ServerOptions *, char *, int); - static void add_one_listen_addr(ServerOptions *, char *, int); -@@ -1974,6 +1974,8 @@ dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals) +diff -up openssh-6.8p1/servconf.c.sshdt openssh-6.8p1/servconf.c +--- openssh-6.8p1/servconf.c.sshdt 2015-03-18 13:07:24.457858235 +0100 ++++ openssh-6.8p1/servconf.c 2015-03-18 13:09:27.253557396 +0100 +@@ -2118,6 +2118,8 @@ dump_cfg_strarray_oneline(ServerOpCodes { u_int i; @@ -17,7 +10,7 @@ printf("%s", lookup_opcode_name(code)); for (i = 0; i < count; i++) printf(" %s", vals[i]); -@@ -2093,7 +2094,7 @@ +@@ -2156,7 +2158,7 @@ dump_config(ServerOptions *o) /* integer arguments */ #ifdef USE_PAM @@ -26,7 +19,7 @@ #endif dump_cfg_int(sServerKeyBits, o->server_key_bits); dump_cfg_int(sLoginGraceTime, o->login_grace_time); -@@ -2103,6 +2104,7 @@ +@@ -2166,6 +2168,7 @@ dump_config(ServerOptions *o) dump_cfg_int(sMaxSessions, o->max_sessions); dump_cfg_int(sClientAliveInterval, o->client_alive_interval); dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max); @@ -34,7 +27,7 @@ /* formatted integer arguments */ dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login); -@@ -2150,6 +2152,7 @@ +@@ -2213,6 +2216,7 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel); dump_cfg_fmtint(sUseDNS, o->use_dns); dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); @@ -42,19 +35,7 @@ dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding); dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); -@@ -2159,9 +2162,8 @@ - /* string arguments */ - dump_cfg_string(sPidFile, o->pid_file); - dump_cfg_string(sXAuthLocation, o->xauth_location); -- dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : -- cipher_alg_list(',', 0)); -- dump_cfg_string(sMacs, o->macs ? o->macs : mac_alg_list(',')); -+ dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT); -+ dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC); - dump_cfg_string(sBanner, o->banner); - dump_cfg_string(sForceCommand, o->adm_forced_command); - dump_cfg_string(sChrootDirectory, o->chroot_directory); -@@ -2169,12 +2171,13 @@ +@@ -2231,7 +2235,8 @@ dump_config(ServerOptions *o) dump_cfg_string(sRevokedKeys, o->revoked_keys_file); dump_cfg_string(sAuthorizedPrincipalsFile, o->authorized_principals_file); @@ -64,14 +45,7 @@ dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command); dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user); dump_cfg_string(sHostKeyAgent, o->host_key_agent); -- dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms : -- kex_alg_list(',')); -+ dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms : -+ KEX_SERVER_KEX); - - /* string arguments requiring a lookup */ - dump_cfg_string(sLogLevel, log_level_name(o->log_level)); -@@ -2096,7 +2101,7 @@ dump_config(ServerOptions *o) +@@ -2251,7 +2256,7 @@ dump_config(ServerOptions *o) o->authorized_keys_files); dump_cfg_strarray(sHostKeyFile, o->num_host_key_files, o->host_key_files); diff --git a/openssh.spec b/openssh.spec index c707144..25622f4 100644 --- a/openssh.spec +++ b/openssh.spec @@ -65,10 +65,10 @@ %endif # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 -%define openssh_ver 6.7p1 -%define openssh_rel 11 +%define openssh_ver 6.8p1 +%define openssh_rel 1 %define pam_ssh_agent_ver 0.9.3 -%define pam_ssh_agent_rel 4 +%define pam_ssh_agent_rel 5 Summary: An open source implementation of SSH protocol versions 1 and 2 Name: openssh @@ -96,8 +96,6 @@ Patch0: openssh-5.9p1-wIm.patch #? Patch100: openssh-6.7p1-coverity.patch -#https://bugzilla.mindrot.org/show_bug.cgi?id=1872 -Patch101: openssh-6.7p1-fingerprint.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1894 #https://bugzilla.redhat.com/show_bug.cgi?id=735889 Patch102: openssh-5.8p1-getaddrinfo.patch @@ -140,8 +138,6 @@ Patch604: openssh-6.6p1-keyperm.patch Patch606: openssh-5.9p1-ipv6man.patch #? Patch607: openssh-5.8p2-sigpipe.patch -#? -Patch608: openssh-6.1p1-askpass-ld.patch #https://bugzilla.mindrot.org/show_bug.cgi?id=1789 Patch609: openssh-5.5p1-x11.patch @@ -193,9 +189,6 @@ Patch911: openssh-6.6p1-set_remote_ipaddr.patch # https://bugzilla.mindrot.org/show_bug.cgi?id=2058 # slightly changed patch from comment 10 Patch912: openssh-6.6.1p1-utf8-banner.patch -# don't consider a partial success as a failure -# https://bugzilla.mindrot.org/show_bug.cgi?id=2270 -Patch913: openssh-6.6.1p1-partial-success.patch # fix parsing of empty options in sshd_conf # https://bugzilla.mindrot.org/show_bug.cgi?id=2281 Patch914: openssh-6.6.1p1-servconf-parser.patch @@ -377,7 +370,6 @@ The module is most useful for su and sudo service stacks. %patch0 -p1 -b .wIm %endif -%patch101 -p1 -b .fingerprint # investigate %patch102 -p1 -b .getaddrinfo %patch103 -p1 -b .packet @@ -408,7 +400,6 @@ popd %patch604 -p1 -b .keyperm %patch606 -p1 -b .ipv6man %patch607 -p1 -b .sigpipe -%patch608 -p1 -b .askpass-ld %patch609 -p1 -b .x11 %patch702 -p1 -b .progress %patch703 -p1 -b .grab-info @@ -431,7 +422,6 @@ popd %patch906 -p1 -b .fromto-remote %patch911 -p1 -b .set_remote_ipaddr %patch912 -p1 -b .utf8-banner -%patch913 -p1 -b .partial-success %patch914 -p1 -b .servconf %patch916 -p1 -b .contexts %patch917 -p1 -b .cisco-dh @@ -764,6 +754,9 @@ getent passwd sshd >/dev/null || \ %endif %changelog +* Fri Mar 20 2015 Jakub Jelen 6.8p1-1 + 0.9.3.5 +- new upstream release openssh-6.8p1 + * Thu Mar 12 2015 Jakub Jelen 6.7p1-11 + 0.9.3-4 - Ability to specify LDAP filter in ldap.conf for ssh-ldap-helper - Fix auditing when using combination of ForceCommand and PTY diff --git a/sources b/sources index 1215c48..7de5d73 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 9872ca1983e566ff5a89c240529e223d pam_ssh_agent_auth-0.9.3.tar.bz2 -3246aa79317b1d23cae783a3bf8275d6 openssh-6.7p1.tar.gz +08f72de6751acfbd0892b5f003922701 openssh-6.8p1.tar.gz