diff --git a/openssh-7.9p1-backports.patch b/openssh-7.9p1-backports.patch new file mode 100644 index 0000000..d89138b --- /dev/null +++ b/openssh-7.9p1-backports.patch @@ -0,0 +1,186 @@ +From 631165f6c43d230df9174423aeb19fcf09a67ef4 Mon Sep 17 00:00:00 2001 +From: Damien Miller +Date: Mon, 22 Oct 2018 11:22:50 +1100 +Subject: [PATCH 1/7] fix compile for openssl 1.0.x w/ --with-ssl-engine + +bz#2921, patch from cotequeiroz +--- + openbsd-compat/openssl-compat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c +index 8b4a3627..590b66d1 100644 +--- a/openbsd-compat/openssl-compat.c ++++ b/openbsd-compat/openssl-compat.c +@@ -76,7 +76,7 @@ ssh_OpenSSL_add_all_algorithms(void) + ENGINE_load_builtin_engines(); + ENGINE_register_all_complete(); + +-#if OPENSSL_VERSION_NUMBER < 0x10001000L ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + OPENSSL_config(NULL); + #else + OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS | +-- +2.20.1 + + +From 55d7cdda4dc4e8284ccd276f73440be400250a1e Mon Sep 17 00:00:00 2001 +From: Darren Tucker +Date: Mon, 22 Oct 2018 20:05:18 +1100 +Subject: [PATCH 2/7] Include openssl compatibility. + +Patch from rosenp at gmail.com via openssh-unix-dev. +--- + ssh-keysign.c | 1 + + ssh_api.c | 2 ++ + 2 files changed, 3 insertions(+) + +diff --git a/ssh-keysign.c b/ssh-keysign.c +index 744ecb4f..bcd1508c 100644 +--- a/ssh-keysign.c ++++ b/ssh-keysign.c +@@ -40,6 +40,7 @@ + #include + #include + #include ++#include "openbsd-compat/openssl-compat.h" + #endif + + #include "xmalloc.h" +diff --git a/ssh_api.c b/ssh_api.c +index c84b4e71..e727c0d6 100644 +--- a/ssh_api.c ++++ b/ssh_api.c +@@ -29,6 +29,8 @@ + #include "ssherr.h" + #include "sshbuf.h" + ++#include "openbsd-compat/openssl-compat.h" ++ + #include + + int _ssh_exchange_banner(struct ssh *); +-- +2.20.1 + + +From 22092e375125dc602227afb8b2d3b285203e77c1 Mon Sep 17 00:00:00 2001 +From: Darren Tucker +Date: Mon, 5 Nov 2018 17:31:24 +1100 +Subject: [PATCH 3/7] Fix pasto for HAVE_EVP_CIPHER_CTX_SET_IV. + +Prevents unnecessary redefinition. Patch from mforney at mforney.org. +--- + configure.ac | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index 7379ab35..1041bf25 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -2850,7 +2850,7 @@ if test "x$openssl" = "xyes" ; then + [AC_DEFINE([HAVE_EVP_CIPHER_CTX_GET_IV], [1], + [Define if libcrypto has EVP_CIPHER_CTX_get_iv])]) + AC_SEARCH_LIBS([EVP_CIPHER_CTX_set_iv], [crypto], +- [AC_DEFINE([HAVE_EVP_CIPHER_CTX_GET_IV], [1], ++ [AC_DEFINE([HAVE_EVP_CIPHER_CTX_SET_IV], [1], + [Define if libcrypto has EVP_CIPHER_CTX_set_iv])]) + + AC_SEARCH_LIBS([RSA_get0_crt_params], [crypto], +-- +2.20.1 + + +From 904d478f07deabb401f741f88c67ab2e07f742bd Mon Sep 17 00:00:00 2001 +From: Darren Tucker +Date: Sun, 11 Nov 2018 15:54:54 +1100 +Subject: [PATCH 4/7] Remove hardcoded service name in cygwin setup. + +bz#2922, patch from Christian.Lupien at USherbrooke.ca, sanity check +by vinschen at redhat.com. +--- + contrib/cygwin/ssh-host-config | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config +index 261020af..e9f038db 100644 +--- a/contrib/cygwin/ssh-host-config ++++ b/contrib/cygwin/ssh-host-config +@@ -307,7 +307,7 @@ check_service_files_ownership() { + + if [ -z "${run_service_as}" ] + then +- accnt_name=$(/usr/bin/cygrunsrv -VQ sshd | ++ accnt_name=$(/usr/bin/cygrunsrv -VQ "${service_name}" | + /usr/bin/sed -ne 's/^Account *: *//gp') + if [ "${accnt_name}" = "LocalSystem" ] + then +-- +2.20.1 + + +From 4608a60cb4893a25490fd88ffdaaae6256381ae3 Mon Sep 17 00:00:00 2001 +From: Damien Miller +Date: Fri, 23 Nov 2018 10:45:20 +1100 +Subject: [PATCH 6/7] fix configure test for OpenSSL version + +square brackets in case statements may be eaten by autoconf. + +Report and fix from Filipp Gunbin; tweaked by naddy@ +--- + configure.ac | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index 1041bf25..9920ede5 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -2616,7 +2616,7 @@ if test "x$openssl" = "xyes" ; then + AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")]) + ;; + 100*) ;; # 1.0.x +- 101000[0123456]*) ++ 101000[[0123456]]*) + # https://github.com/openssl/openssl/pull/4613 + AC_MSG_ERROR([OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have "$ssl_library_ver")]) + ;; +-- +2.20.1 + + +From f429c1b2ef631f2855e51a790cf71761d752bbca Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Thu, 27 Dec 2018 23:02:11 +0000 +Subject: [PATCH 7/7] upstream: Request RSA-SHA2 signatures for + +rsa-sha2-{256|512}-cert-v01@openssh.com cert algorithms; ok markus@ + +OpenBSD-Commit-ID: afc6f7ca216ccd821656d1c911d2a3deed685033 +--- + authfd.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/authfd.c b/authfd.c +index ecdd869a..62cbf8c1 100644 +--- a/authfd.c ++++ b/authfd.c +@@ -327,10 +327,12 @@ ssh_free_identitylist(struct ssh_identitylist *idl) + static u_int + agent_encode_alg(const struct sshkey *key, const char *alg) + { +- if (alg != NULL && key->type == KEY_RSA) { +- if (strcmp(alg, "rsa-sha2-256") == 0) ++ if (alg != NULL && sshkey_type_plain(key->type) == KEY_RSA) { ++ if (strcmp(alg, "rsa-sha2-256") == 0 || ++ strcmp(alg, "rsa-sha2-256-cert-v01@openssh.com") == 0) + return SSH_AGENT_RSA_SHA2_256; +- else if (strcmp(alg, "rsa-sha2-512") == 0) ++ if (strcmp(alg, "rsa-sha2-512") == 0 || ++ strcmp(alg, "rsa-sha2-512-cert-v01@openssh.com") == 0) + return SSH_AGENT_RSA_SHA2_512; + } + return 0; +-- +2.20.1 + diff --git a/openssh.spec b/openssh.spec index 2b9e369..4862b8b 100644 --- a/openssh.spec +++ b/openssh.spec @@ -229,6 +229,8 @@ Patch954: openssh-7.9p1-disable-sha1.patch # Backport Match final so the crypto-policies do not break canonicalization (#1630166) # https://bugzilla.mindrot.org/show_bug.cgi?id=2906 Patch955: openssh-7.9p1-match-final.patch +# Backport more after-release fixes (#1665611) +Patch956: openssh-7.9p1-backports.patch License: BSD Group: Applications/Internet @@ -454,6 +456,7 @@ popd %patch808 -p1 -b .gsskex-method %patch954 -p1 -b .disable-sha1 %patch955 -p1 -b .match-final +%patch956 -p1 -b .backports %patch200 -p1 -b .audit %patch201 -p1 -b .audit-race