rpms
/
openssh
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

rebase to new upstream release 6.9

This commit is contained in:
Jakub Jelen 2015-06-24 14:11:59 +02:00
parent 21bee694ac
commit 535d341e70
16 changed files with 1404 additions and 1680 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
openssh-6.2p1-vendor.patch
View File

@ -1,7 +1,7 @@
diff -up openssh-6.8p1/configure.ac.vendor openssh-6.8p1/configure.ac
--- openssh-6.8p1/configure.ac.vendor 2015-03-18 11:17:56.670880303 +0100
+++ openssh-6.8p1/configure.ac 2015-03-18 11:17:56.695880243 +0100
@@ -4743,6 +4743,12 @@ AC_ARG_WITH([lastlog],
diff -up openssh/configure.ac.vendor openssh/configure.ac
--- openssh/configure.ac.vendor 2015-06-24 11:05:39.805679794 +0200
+++ openssh/configure.ac 2015-06-24 11:05:39.835679719 +0200
@@ -4751,6 +4751,12 @@ AC_ARG_WITH([lastlog],
fi
]
)
@ -14,7 +14,7 @@ diff -up openssh-6.8p1/configure.ac.vendor openssh-6.8p1/configure.ac
dnl lastlog, [uw]tmpx? detection
dnl NOTE: set the paths in the platform section to avoid the
@@ -5005,6 +5011,7 @@ echo " Translate v4 in v6 hack
@@ -5013,6 +5019,7 @@ echo " Translate v4 in v6 hack
echo " BSD Auth support: $BSD_AUTH_MSG"
echo " Random number source: $RAND_MSG"
echo " Privsep sandbox style: $SANDBOX_STYLE"
@ -22,10 +22,10 @@ diff -up openssh-6.8p1/configure.ac.vendor openssh-6.8p1/configure.ac
echo ""
diff -up openssh-6.8p1/servconf.c.vendor openssh-6.8p1/servconf.c
--- openssh-6.8p1/servconf.c.vendor 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/servconf.c 2015-03-18 11:19:16.279691126 +0100
@@ -145,6 +145,7 @@ initialize_server_options(ServerOptions
diff -up openssh/servconf.c.vendor openssh/servconf.c
--- openssh/servconf.c.vendor 2015-06-23 02:34:47.000000000 +0200
+++ openssh/servconf.c 2015-06-24 11:07:07.689460890 +0200
@@ -147,6 +147,7 @@ initialize_server_options(ServerOptions
options->max_authtries = -1;
options->max_sessions = -1;
options->banner = NULL;
@ -33,7 +33,7 @@ diff -up openssh-6.8p1/servconf.c.vendor openssh-6.8p1/servconf.c
options->use_dns = -1;
options->client_alive_interval = -1;
options->client_alive_count_max = -1;
@@ -327,6 +328,8 @@ fill_default_server_options(ServerOption
@@ -335,6 +336,8 @@ fill_default_server_options(ServerOption
options->ip_qos_bulk = IPTOS_THROUGHPUT;
if (options->version_addendum == NULL)
options->version_addendum = xstrdup("");
@ -42,7 +42,7 @@ diff -up openssh-6.8p1/servconf.c.vendor openssh-6.8p1/servconf.c
if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
options->fwd_opts.streamlocal_bind_mask = 0177;
if (options->fwd_opts.streamlocal_bind_unlink == -1)
@@ -388,7 +391,7 @@ typedef enum {
@@ -397,7 +400,7 @@ typedef enum {
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
@ -50,8 +50,8 @@ diff -up openssh-6.8p1/servconf.c.vendor openssh-6.8p1/servconf.c
+ sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
@@ -504,6 +507,7 @@ static struct {
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
@@ -517,6 +520,7 @@ static struct {
{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
{ "maxsessions", sMaxSessions, SSHCFG_ALL },
{ "banner", sBanner, SSHCFG_ALL },
@ -59,7 +59,7 @@ diff -up openssh-6.8p1/servconf.c.vendor openssh-6.8p1/servconf.c
{ "usedns", sUseDNS, SSHCFG_GLOBAL },
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
@@ -1320,6 +1324,10 @@ process_server_config_line(ServerOptions
@@ -1372,6 +1376,10 @@ process_server_config_line(ServerOptions
multistate_ptr = multistate_privsep;
goto parse_multistate;
@ -70,18 +70,18 @@ diff -up openssh-6.8p1/servconf.c.vendor openssh-6.8p1/servconf.c
case sAllowUsers:
while ((arg = strdelim(&cp)) && *arg != '\0') {
if (options->num_allow_users >= MAX_ALLOW_USERS)
@@ -2145,6 +2153,7 @@ dump_config(ServerOptions *o)
@@ -2249,6 +2257,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUseLogin, o->use_login);
dump_cfg_fmtint(sCompression, o->compression);
dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
+ dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel);
dump_cfg_fmtint(sUseDNS, o->use_dns);
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
diff -up openssh-6.8p1/servconf.h.vendor openssh-6.8p1/servconf.h
--- openssh-6.8p1/servconf.h.vendor 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/servconf.h 2015-03-18 11:17:56.696880241 +0100
@@ -151,6 +151,7 @@ typedef struct {
dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
diff -up openssh/servconf.h.vendor openssh/servconf.h
--- openssh/servconf.h.vendor 2015-06-23 02:34:47.000000000 +0200
+++ openssh/servconf.h 2015-06-24 11:05:39.837679714 +0200
@@ -154,6 +154,7 @@ typedef struct {
int max_authtries;
int max_sessions;
char *banner; /* SSH-2 banner message */
@ -137,10 +137,10 @@ diff -up openssh-6.8p1/sshd_config.0.vendor openssh-6.8p1/sshd_config.0
StreamLocalBindMask
Sets the octal file creation mode mask (umask) used when creating
a Unix-domain socket file for local or remote port forwarding.
diff -up openssh-6.8p1/sshd_config.5.vendor openssh-6.8p1/sshd_config.5
--- openssh-6.8p1/sshd_config.5.vendor 2015-03-18 11:17:56.691880253 +0100
+++ openssh-6.8p1/sshd_config.5 2015-03-18 11:17:56.697880239 +0100
@@ -1276,6 +1276,13 @@ This option applies to protocol version
diff -up openssh/sshd_config.5.vendor openssh/sshd_config.5
--- openssh/sshd_config.5.vendor 2015-06-24 11:05:39.831679729 +0200
+++ openssh/sshd_config.5 2015-06-24 11:05:39.837679714 +0200
@@ -1344,6 +1344,13 @@ This option applies to protocol version
.It Cm ServerKeyBits
Defines the number of bits in the ephemeral protocol version 1 server key.
The minimum value is 512, and the default is 1024.

29
openssh-6.6.1p1-servconf-parser.patch
View File

@ -1,31 +1,12 @@
diff --git a/servconf.c b/servconf.c
index b7f3294..bc1e909 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1550,7 +1550,7 @@ process_server_config_line(ServerOptions *options, char *line,
break;
case sForceCommand:
- if (cp == NULL)
+ if (cp == NULL || *cp == '\0')
fatal("%.200s line %d: Missing argument.", filename,
linenum);
len = strspn(cp, WHITESPACE);
@@ -1595,7 +1595,7 @@ process_server_config_line(ServerOptions *options, char *line,
break;
case sVersionAddendum:
- if (cp == NULL)
+ if (cp == NULL || *cp == '\0')
fatal("%.200s line %d: Missing argument.", filename,
linenum);
len = strspn(cp, WHITESPACE);
@@ -1630,6 +1630,8 @@ process_server_config_line(ServerOptions *options, char *line,
diff -up openssh/servconf.c.servconf openssh/servconf.c
--- openssh/servconf.c.servconf 2015-06-24 11:26:26.186527736 +0200
+++ openssh/servconf.c 2015-06-24 11:26:39.847493075 +0200
@@ -1815,6 +1815,8 @@ process_server_config_line(ServerOptions
break;
case sAuthenticationMethods:
+ if (cp == NULL || *cp == '\0')
+ fatal("%.200s line %d: Missing argument.", filename, linenum);
if (*activep && options->num_auth_methods == 0) {
if (options->num_auth_methods == 0) {
while ((arg = strdelim(&cp)) && *arg != '\0') {
if (options->num_auth_methods >=

69
openssh-6.6p1-GSSAPIEnablek5users.patch
View File

@ -1,6 +1,6 @@
diff -up openssh-6.8p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-6.8p1/gss-serv-krb5.c
--- openssh-6.8p1/gss-serv-krb5.c.GSSAPIEnablek5users 2015-03-18 13:04:21.505306818 +0100
+++ openssh-6.8p1/gss-serv-krb5.c 2015-03-18 13:04:21.527306764 +0100
diff -up openssh/gss-serv-krb5.c.GSSAPIEnablek5users openssh/gss-serv-krb5.c
--- openssh/gss-serv-krb5.c.GSSAPIEnablek5users 2015-06-24 11:40:03.716448353 +0200
+++ openssh/gss-serv-krb5.c 2015-06-24 11:40:03.739448295 +0200
@@ -260,7 +260,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
FILE *fp;
char file[MAXPATHLEN];
@ -18,10 +18,10 @@ diff -up openssh-6.8p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-6.8p1/gss-ser
return ssh_krb5_kuserok(krb_context, principal, luser,
k5login_exists);
}
diff -up openssh-6.8p1/servconf.c.GSSAPIEnablek5users openssh-6.8p1/servconf.c
--- openssh-6.8p1/servconf.c.GSSAPIEnablek5users 2015-03-18 13:04:21.516306791 +0100
+++ openssh-6.8p1/servconf.c 2015-03-18 13:05:26.846146608 +0100
@@ -168,6 +168,7 @@ initialize_server_options(ServerOptions
diff -up openssh/servconf.c.GSSAPIEnablek5users openssh/servconf.c
--- openssh/servconf.c.GSSAPIEnablek5users 2015-06-24 11:40:03.728448323 +0200
+++ openssh/servconf.c 2015-06-24 11:40:03.740448292 +0200
@@ -171,6 +171,7 @@ initialize_server_options(ServerOptions
options->version_addendum = NULL;
options->fingerprint_hash = -1;
options->use_kuserok = -1;
@ -29,7 +29,7 @@ diff -up openssh-6.8p1/servconf.c.GSSAPIEnablek5users openssh-6.8p1/servconf.c
}
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
@@ -348,6 +349,8 @@ fill_default_server_options(ServerOption
@@ -353,6 +354,8 @@ fill_default_server_options(ServerOption
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
if (options->use_kuserok == -1)
options->use_kuserok = 1;
@ -38,7 +38,7 @@ diff -up openssh-6.8p1/servconf.c.GSSAPIEnablek5users openssh-6.8p1/servconf.c
/* Turn privilege separation on by default */
if (use_privsep == -1)
use_privsep = PRIVSEP_NOSANDBOX;
@@ -406,7 +409,7 @@ typedef enum {
@@ -412,7 +415,7 @@ typedef enum {
sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
@ -47,7 +47,7 @@ diff -up openssh-6.8p1/servconf.c.GSSAPIEnablek5users openssh-6.8p1/servconf.c
sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
@@ -484,6 +487,7 @@ static struct {
@@ -490,12 +493,14 @@ static struct {
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
@ -55,7 +55,6 @@ diff -up openssh-6.8p1/servconf.c.GSSAPIEnablek5users openssh-6.8p1/servconf.c
#else
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
@@ -491,6 +495,7 @@ static struct {
{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
@ -63,7 +62,7 @@ diff -up openssh-6.8p1/servconf.c.GSSAPIEnablek5users openssh-6.8p1/servconf.c
#endif
{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
@@ -1623,6 +1628,10 @@ process_server_config_line(ServerOptions
@@ -1663,6 +1668,10 @@ process_server_config_line(ServerOptions
intptr = &options->use_kuserok;
goto parse_flag;
@ -74,7 +73,7 @@ diff -up openssh-6.8p1/servconf.c.GSSAPIEnablek5users openssh-6.8p1/servconf.c
case sPermitOpen:
arg = strdelim(&cp);
if (!arg || *arg == '\0')
@@ -1947,6 +1956,7 @@ copy_set_server_options(ServerOptions *d
@@ -2018,6 +2027,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(ip_qos_interactive);
M_CP_INTOPT(ip_qos_bulk);
M_CP_INTOPT(use_kuserok);
@ -82,7 +81,7 @@ diff -up openssh-6.8p1/servconf.c.GSSAPIEnablek5users openssh-6.8p1/servconf.c
M_CP_INTOPT(rekey_limit);
M_CP_INTOPT(rekey_interval);
@@ -2207,6 +2217,7 @@ dump_config(ServerOptions *o)
@@ -2300,6 +2310,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
@ -90,10 +89,10 @@ diff -up openssh-6.8p1/servconf.c.GSSAPIEnablek5users openssh-6.8p1/servconf.c
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
diff -up openssh-6.8p1/servconf.h.GSSAPIEnablek5users openssh-6.8p1/servconf.h
--- openssh-6.8p1/servconf.h.GSSAPIEnablek5users 2015-03-18 13:04:21.506306815 +0100
+++ openssh-6.8p1/servconf.h 2015-03-18 13:04:21.528306762 +0100
@@ -177,7 +177,8 @@ typedef struct {
diff -up openssh/servconf.h.GSSAPIEnablek5users openssh/servconf.h
--- openssh/servconf.h.GSSAPIEnablek5users 2015-06-24 11:40:03.717448351 +0200
+++ openssh/servconf.h 2015-06-24 11:40:03.740448292 +0200
@@ -179,7 +179,8 @@ typedef struct {
int num_permitted_opens;
@ -103,21 +102,10 @@ diff -up openssh-6.8p1/servconf.h.GSSAPIEnablek5users openssh-6.8p1/servconf.h
char *chroot_directory;
char *revoked_keys_file;
char *trusted_user_ca_keys;
diff -up openssh-6.8p1/sshd_config.GSSAPIEnablek5users openssh-6.8p1/sshd_config
--- openssh-6.8p1/sshd_config.GSSAPIEnablek5users 2015-03-18 13:04:21.506306815 +0100
+++ openssh-6.8p1/sshd_config 2015-03-18 13:04:21.528306762 +0100
@@ -94,6 +94,7 @@ GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
+#GSSAPIEnablek5users no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
diff -up openssh-6.8p1/sshd_config.5.GSSAPIEnablek5users openssh-6.8p1/sshd_config.5
--- openssh-6.8p1/sshd_config.5.GSSAPIEnablek5users 2015-03-18 13:04:21.506306815 +0100
+++ openssh-6.8p1/sshd_config.5 2015-03-18 13:04:21.528306762 +0100
@@ -576,6 +576,12 @@ on logout.
diff -up openssh/sshd_config.5.GSSAPIEnablek5users openssh/sshd_config.5
--- openssh/sshd_config.5.GSSAPIEnablek5users 2015-06-24 11:40:03.741448290 +0200
+++ openssh/sshd_config.5 2015-06-24 11:40:40.707354263 +0200
@@ -628,6 +628,12 @@ on logout.
The default is
.Dq yes .
Note that this option applies to protocol version 2 only.
@ -128,5 +116,16 @@ diff -up openssh-6.8p1/sshd_config.5.GSSAPIEnablek5users openssh-6.8p1/sshd_conf
+The default is
+.Dq no .
.It Cm GSSAPIStrictAcceptorCheck
Determines whether to be strict about the identity of the GSSAPI acceptor
a client authenticates against. If
Determines whether to be strict about the identity of the GSSAPI acceptor
a client authenticates against.
diff -up openssh/sshd_config.GSSAPIEnablek5users openssh/sshd_config
--- openssh/sshd_config.GSSAPIEnablek5users 2015-06-24 11:40:03.717448351 +0200
+++ openssh/sshd_config 2015-06-24 11:40:03.740448292 +0200
@@ -94,6 +94,7 @@ GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
+#GSSAPIEnablek5users no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will

2
openssh-6.6p1-ctr-cavstest.patch
View File

@ -133,7 +133,7 @@ diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
+ break;
+
+ total += n;
+ buf = xrealloc(buf, total + READ_CHUNK, 1);
+ buf = xreallocarray(buf, total + READ_CHUNK, 1);
+ } while(total < MAX_READ_SIZE);
+ return buf;
+}

4
openssh-6.6p1-force_krb.patch
View File

@ -163,7 +163,7 @@ index 413b845..54dd383 100644
+ k5users_allowed_cmds[ncommands-1] =
+ xstrdup(pw->pw_shell);
+ k5users_allowed_cmds =
+ xrealloc(k5users_allowed_cmds, ++ncommands,
+ xreallocarray(k5users_allowed_cmds, ++ncommands,
+ sizeof(*k5users_allowed_cmds));
+ break;
+ }
@ -176,7 +176,7 @@ index 413b845..54dd383 100644
+ k5users_allowed_cmds[ncommands-1] =
+ xstrdup(token);
+ k5users_allowed_cmds =
+ xrealloc(k5users_allowed_cmds, ++ncommands,
+ xreallocarray(k5users_allowed_cmds, ++ncommands,
+ sizeof(*k5users_allowed_cmds));
+ token = strtok(NULL, " \t\n");
+ }

1276
openssh-6.6p1-gsskex.patch
View File

File diff suppressed because it is too large Load Diff

90
openssh-6.6p1-keycat.patch
View File

@ -1,6 +1,24 @@
diff -up openssh-6.8p1/HOWTO.ssh-keycat.keycat openssh-6.8p1/HOWTO.ssh-keycat
--- openssh-6.8p1/HOWTO.ssh-keycat.keycat 2015-03-18 11:13:43.063482958 +0100
+++ openssh-6.8p1/HOWTO.ssh-keycat 2015-03-18 11:13:43.063482958 +0100
diff -up openssh/auth2-pubkey.c.keycat openssh/auth2-pubkey.c
--- openssh/auth2-pubkey.c.keycat 2015-06-24 10:57:50.158849606 +0200
+++ openssh/auth2-pubkey.c 2015-06-24 11:04:23.989868638 +0200
@@ -490,6 +490,14 @@ subprocess(const char *tag, struct passw
_exit(1);
}
+#ifdef WITH_SELINUX
+ if (sshd_selinux_setup_env_variables() < 0) {
+ error ("failed to copy environment: %s",
+ strerror(errno));
+ _exit(127);
+ }
+#endif
+
execve(av[0], av, child_env);
error("%s exec \"%s\": %s", tag, command, strerror(errno));
_exit(127);
diff -up openssh/HOWTO.ssh-keycat.keycat openssh/HOWTO.ssh-keycat
--- openssh/HOWTO.ssh-keycat.keycat 2015-06-24 10:57:50.157849608 +0200
+++ openssh/HOWTO.ssh-keycat 2015-06-24 10:57:50.157849608 +0200
@@ -0,0 +1,12 @@
+The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys
+of an user in any environment. This includes environments with
@ -14,9 +32,9 @@ diff -up openssh-6.8p1/HOWTO.ssh-keycat.keycat openssh-6.8p1/HOWTO.ssh-keycat
+ PubkeyAuthentication yes
+
+
diff -up openssh-6.8p1/Makefile.in.keycat openssh-6.8p1/Makefile.in
--- openssh-6.8p1/Makefile.in.keycat 2015-03-18 11:13:43.061482963 +0100
+++ openssh-6.8p1/Makefile.in 2015-03-18 11:14:22.480389291 +0100
diff -up openssh/Makefile.in.keycat openssh/Makefile.in
--- openssh/Makefile.in.keycat 2015-06-24 10:57:50.152849621 +0200
+++ openssh/Makefile.in 2015-06-24 10:57:50.157849608 +0200
@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
@ -52,27 +70,23 @@ diff -up openssh-6.8p1/Makefile.in.keycat openssh-6.8p1/Makefile.in
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
diff -up openssh-6.8p1/auth2-pubkey.c.keycat openssh-6.8p1/auth2-pubkey.c
--- openssh-6.8p1/auth2-pubkey.c.keycat 2015-03-18 11:13:43.053482982 +0100
+++ openssh-6.8p1/auth2-pubkey.c 2015-03-18 11:13:43.063482958 +0100
@@ -623,6 +623,14 @@ user_key_command_allowed2(struct passwd
_exit(1);
}
diff -up openssh/openbsd-compat/port-linux.h.keycat openssh/openbsd-compat/port-linux.h
--- openssh/openbsd-compat/port-linux.h.keycat 2015-06-24 10:57:50.150849626 +0200
+++ openssh/openbsd-compat/port-linux.h 2015-06-24 10:57:50.160849601 +0200
@@ -25,8 +25,10 @@ void ssh_selinux_setup_pty(char *, const
void ssh_selinux_change_context(const char *);
void ssh_selinux_setfscreatecon(const char *);
+#ifdef WITH_SELINUX
+ if (sshd_selinux_setup_env_variables() < 0) {
+ error ("failed to copy environment: %s",
+ strerror(errno));
+ _exit(127);
+ }
+#endif
+
execl(options.authorized_keys_command,
options.authorized_keys_command, user_pw->pw_name, NULL);
+int sshd_selinux_enabled(void);
void sshd_selinux_copy_context(void);
void sshd_selinux_setup_exec_context(char *);
+int sshd_selinux_setup_env_variables(void);
#endif
diff -up openssh-6.8p1/openbsd-compat/port-linux-sshd.c.keycat openssh-6.8p1/openbsd-compat/port-linux-sshd.c
--- openssh-6.8p1/openbsd-compat/port-linux-sshd.c.keycat 2015-03-18 11:13:43.057482972 +0100
+++ openssh-6.8p1/openbsd-compat/port-linux-sshd.c 2015-03-18 11:13:43.063482958 +0100
#ifdef LINUX_OOM_ADJUST
diff -up openssh/openbsd-compat/port-linux-sshd.c.keycat openssh/openbsd-compat/port-linux-sshd.c
--- openssh/openbsd-compat/port-linux-sshd.c.keycat 2015-06-24 10:57:50.150849626 +0200
+++ openssh/openbsd-compat/port-linux-sshd.c 2015-06-24 10:57:50.159849603 +0200
@@ -54,6 +54,20 @@ extern Authctxt *the_authctxt;
extern int inetd_flag;
extern int rexeced_flag;
@ -166,23 +180,9 @@ diff -up openssh-6.8p1/openbsd-compat/port-linux-sshd.c.keycat openssh-6.8p1/ope
return;
if (getexeccon((security_context_t *)&ctx) != 0) {
diff -up openssh-6.8p1/openbsd-compat/port-linux.h.keycat openssh-6.8p1/openbsd-compat/port-linux.h
--- openssh-6.8p1/openbsd-compat/port-linux.h.keycat 2015-03-18 11:13:43.057482972 +0100
+++ openssh-6.8p1/openbsd-compat/port-linux.h 2015-03-18 11:13:43.063482958 +0100
@@ -25,8 +25,10 @@ void ssh_selinux_setup_pty(char *, const
void ssh_selinux_change_context(const char *);
void ssh_selinux_setfscreatecon(const char *);
+int sshd_selinux_enabled(void);
void sshd_selinux_copy_context(void);
void sshd_selinux_setup_exec_context(char *);
+int sshd_selinux_setup_env_variables(void);
#endif
#ifdef LINUX_OOM_ADJUST
diff -up openssh-6.8p1/platform.c.keycat openssh-6.8p1/platform.c
--- openssh-6.8p1/platform.c.keycat 2015-03-18 11:13:43.055482977 +0100
+++ openssh-6.8p1/platform.c 2015-03-18 11:13:43.063482958 +0100
diff -up openssh/platform.c.keycat openssh/platform.c
--- openssh/platform.c.keycat 2015-06-24 10:57:50.147849633 +0200
+++ openssh/platform.c 2015-06-24 10:57:50.160849601 +0200
@@ -103,7 +103,7 @@ platform_setusercontext(struct passwd *p
{
#ifdef WITH_SELINUX
@ -192,9 +192,9 @@ diff -up openssh-6.8p1/platform.c.keycat openssh-6.8p1/platform.c
#endif
#ifdef USE_SOLARIS_PROJECTS
diff -up openssh-6.8p1/ssh-keycat.c.keycat openssh-6.8p1/ssh-keycat.c
--- openssh-6.8p1/ssh-keycat.c.keycat 2015-03-18 11:13:43.064482956 +0100
+++ openssh-6.8p1/ssh-keycat.c 2015-03-18 11:13:43.064482956 +0100
diff -up openssh/ssh-keycat.c.keycat openssh/ssh-keycat.c
--- openssh/ssh-keycat.c.keycat 2015-06-24 10:57:50.161849599 +0200
+++ openssh/ssh-keycat.c 2015-06-24 10:57:50.161849599 +0200
@@ -0,0 +1,238 @@
+/*
+ * Redistribution and use in source and binary forms, with or without

992
openssh-6.7p1-audit.patch
View File

File diff suppressed because it is too large Load Diff

22
openssh-6.7p1-coverity.patch
View File

@ -467,25 +467,3 @@ diff -up openssh-6.8p1/sshkey.c.coverity openssh-6.8p1/sshkey.c
#include "match.h"
/* openssh private key file format */
diff --git a/sshd.c b/sshd.c
index 6ff8f6f..2f2fcf8 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1548,6 +1548,7 @@ main(int ac, char **av)
int keytype;
Authctxt *authctxt;
struct connection_info *connection_info = get_connection_info(0, 0);
+ char *addr = NULL;
#ifdef HAVE_SECUREWARE
(void)set_auth_parameters(ac, av);
@@ -2261,7 +2262,8 @@ main(int ac, char **av)
/* Log the connection. */
verbose("Connection from %s port %d on %s port %d",
remote_ip, remote_port,
- get_local_ipaddr(sock_in), get_local_port());
+ (addr = get_local_ipaddr(sock_in)), get_local_port());
+ free(addr);
/*
* We don't want to listen forever unless the other side

30
openssh-6.7p1-debian-restore-tcp-wrappers.patch
View File

@ -1,7 +1,7 @@
diff -up openssh-6.8p1/configure.ac.tcp_wrappers openssh-6.8p1/configure.ac
--- openssh-6.8p1/configure.ac.tcp_wrappers 2015-03-18 13:05:57.365071779 +0100
+++ openssh-6.8p1/configure.ac 2015-03-18 13:05:57.408071673 +0100
@@ -1440,6 +1440,62 @@ AC_ARG_WITH([skey],
diff -up openssh/configure.ac.tcp_wrappers openssh/configure.ac
--- openssh/configure.ac.tcp_wrappers 2015-06-24 11:41:04.519293694 +0200
+++ openssh/configure.ac 2015-06-24 11:41:04.556293600 +0200
@@ -1448,6 +1448,62 @@ AC_ARG_WITH([skey],
]
)
@ -64,7 +64,7 @@ diff -up openssh-6.8p1/configure.ac.tcp_wrappers openssh-6.8p1/configure.ac
# Check whether user wants to use ldns
LDNS_MSG="no"
AC_ARG_WITH(ldns,
@@ -5026,6 +5082,7 @@ echo " KerberosV support
@@ -5034,6 +5090,7 @@ echo " KerberosV support
echo " SELinux support: $SELINUX_MSG"
echo " Smartcard support: $SCARD_MSG"
echo " S/KEY support: $SKEY_MSG"
@ -72,10 +72,10 @@ diff -up openssh-6.8p1/configure.ac.tcp_wrappers openssh-6.8p1/configure.ac
echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG"
echo " Solaris process contract support: $SPC_MSG"
diff -up openssh-6.8p1/sshd.8.tcp_wrappers openssh-6.8p1/sshd.8
--- openssh-6.8p1/sshd.8.tcp_wrappers 2015-03-18 13:05:57.377071749 +0100
+++ openssh-6.8p1/sshd.8 2015-03-18 13:05:57.408071673 +0100
@@ -858,6 +858,12 @@ the user's home directory becomes access
diff -up openssh/sshd.8.tcp_wrappers openssh/sshd.8
--- openssh/sshd.8.tcp_wrappers 2015-06-24 11:41:04.527293674 +0200
+++ openssh/sshd.8 2015-06-24 11:41:04.556293600 +0200
@@ -860,6 +860,12 @@ the user's home directory becomes access
This file should be writable only by the user, and need not be
readable by anyone else.
.Pp
@ -88,7 +88,7 @@ diff -up openssh-6.8p1/sshd.8.tcp_wrappers openssh-6.8p1/sshd.8
.It Pa /etc/hosts.equiv
This file is for host-based authentication (see
.Xr ssh 1 ) .
@@ -981,6 +987,7 @@ IPv6 address can be used everywhere wher
@@ -983,6 +989,7 @@ IPv6 address can be used everywhere wher
.Xr ssh-keygen 1 ,
.Xr ssh-keyscan 1 ,
.Xr chroot 2 ,
@ -96,9 +96,9 @@ diff -up openssh-6.8p1/sshd.8.tcp_wrappers openssh-6.8p1/sshd.8
.Xr login.conf 5 ,
.Xr moduli 5 ,
.Xr sshd_config 5 ,
diff -up openssh-6.8p1/sshd.c.tcp_wrappers openssh-6.8p1/sshd.c
--- openssh-6.8p1/sshd.c.tcp_wrappers 2015-03-18 13:05:57.402071688 +0100
+++ openssh-6.8p1/sshd.c 2015-03-18 13:06:48.199947136 +0100
diff -up openssh/sshd.c.tcp_wrappers openssh/sshd.c
--- openssh/sshd.c.tcp_wrappers 2015-06-24 11:41:04.549293618 +0200
+++ openssh/sshd.c 2015-06-24 11:41:53.331169536 +0200
@@ -125,6 +125,13 @@
#include "version.h"
#include "ssherr.h"
@ -113,7 +113,7 @@ diff -up openssh-6.8p1/sshd.c.tcp_wrappers openssh-6.8p1/sshd.c
#ifndef O_NOCTTY
#define O_NOCTTY 0
#endif
@@ -2150,6 +2157,24 @@ main(int ac, char **av)
@@ -2158,6 +2165,24 @@ main(int ac, char **av)
#ifdef SSH_AUDIT_EVENTS
audit_connection_from(remote_ip, remote_port);
#endif
@ -137,4 +137,4 @@ diff -up openssh-6.8p1/sshd.c.tcp_wrappers openssh-6.8p1/sshd.c
+#endif /* LIBWRAP */
/* Log the connection. */
verbose("Connection from %s port %d on %s port %d",
laddr = get_local_ipaddr(sock_in);

323
openssh-6.7p1-fips.patch
View File

@ -1,63 +1,6 @@
diff -up openssh-6.8p1/Makefile.in.fips openssh-6.8p1/Makefile.in
--- openssh-6.8p1/Makefile.in.fips 2015-03-19 13:14:22.221212174 +0100
+++ openssh-6.8p1/Makefile.in 2015-03-19 13:14:22.230212157 +0100
@@ -168,25 +168,25 @@ libssh.a: $(LIBSSH_OBJS)
$(RANLIB) $@
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHLIBS) $(LIBS) $(GSSLIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o
- $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
@@ -204,7 +204,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a
$(LD) -o $@ ssh-cavs.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
- $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+ $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
diff -up openssh-6.8p1/cipher-ctr.c.fips openssh-6.8p1/cipher-ctr.c
--- openssh-6.8p1/cipher-ctr.c.fips 2015-03-19 13:14:22.155212302 +0100
+++ openssh-6.8p1/cipher-ctr.c 2015-03-19 13:14:22.230212157 +0100
@@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
aes_ctr.do_cipher = ssh_aes_ctr;
#ifndef SSH_OLD_EVP
aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
- EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
+ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV |
+ EVP_CIPH_FLAG_FIPS;
#endif
return (&aes_ctr);
}
diff -up openssh-6.8p1/cipher.c.fips openssh-6.8p1/cipher.c
--- openssh-6.8p1/cipher.c.fips 2015-03-19 13:14:22.224212169 +0100
+++ openssh-6.8p1/cipher.c 2015-03-19 13:14:22.230212157 +0100
diff -up openssh/cipher.c.fips openssh/cipher.c
--- openssh/cipher.c.fips 2015-06-24 12:00:58.730242500 +0200
+++ openssh/cipher.c 2015-06-24 12:00:58.737242482 +0200
@@ -39,6 +39,8 @@
#include <sys/types.h>
@ -130,10 +73,23 @@ diff -up openssh-6.8p1/cipher.c.fips openssh-6.8p1/cipher.c
if (strcasecmp(c->name, name) == 0)
return c->number;
return -1;
diff -up openssh-6.8p1/dh.h.fips openssh-6.8p1/dh.h
--- openssh-6.8p1/dh.h.fips 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/dh.h 2015-03-19 13:14:22.230212157 +0100
@@ -45,6 +45,7 @@ u_int dh_estimate(int);
diff -up openssh/cipher-ctr.c.fips openssh/cipher-ctr.c
--- openssh/cipher-ctr.c.fips 2015-06-24 12:00:58.669242656 +0200
+++ openssh/cipher-ctr.c 2015-06-24 12:00:58.736242484 +0200
@@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
aes_ctr.do_cipher = ssh_aes_ctr;
#ifndef SSH_OLD_EVP
aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
- EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
+ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV |
+ EVP_CIPH_FLAG_FIPS;
#endif
return (&aes_ctr);
}
diff -up openssh/dh.h.fips openssh/dh.h
--- openssh/dh.h.fips 2015-06-23 02:34:47.000000000 +0200
+++ openssh/dh.h 2015-06-24 12:00:58.737242482 +0200
@@ -46,6 +46,7 @@ u_int dh_estimate(int);
/* Min and max values from RFC4419. */
#define DH_GRP_MIN 1024
@ -141,9 +97,9 @@ diff -up openssh-6.8p1/dh.h.fips openssh-6.8p1/dh.h
#define DH_GRP_MAX 8192
/*
diff -up openssh-6.8p1/entropy.c.fips openssh-6.8p1/entropy.c
--- openssh-6.8p1/entropy.c.fips 2015-03-19 13:14:22.147212317 +0100
+++ openssh-6.8p1/entropy.c 2015-03-19 13:14:22.230212157 +0100
diff -up openssh/entropy.c.fips openssh/entropy.c
--- openssh/entropy.c.fips 2015-06-24 12:00:58.662242674 +0200
+++ openssh/entropy.c 2015-06-24 12:00:58.737242482 +0200
@@ -217,6 +217,9 @@ seed_rng(void)
fatal("OpenSSL version mismatch. Built against %lx, you "
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
@ -154,9 +110,9 @@ diff -up openssh-6.8p1/entropy.c.fips openssh-6.8p1/entropy.c
#ifndef OPENSSL_PRNG_ONLY
if (RAND_status() == 1) {
debug3("RNG is ready, skipping seeding");
diff -up openssh-6.8p1/kex.c.fips openssh-6.8p1/kex.c
--- openssh-6.8p1/kex.c.fips 2015-03-19 13:14:22.165212282 +0100
+++ openssh-6.8p1/kex.c 2015-03-19 13:14:22.230212157 +0100
diff -up openssh/kex.c.fips openssh/kex.c
--- openssh/kex.c.fips 2015-06-24 12:00:58.730242500 +0200
+++ openssh/kex.c 2015-06-24 12:00:58.737242482 +0200
@@ -35,6 +35,7 @@
#ifdef WITH_OPENSSL
@ -165,7 +121,7 @@ diff -up openssh-6.8p1/kex.c.fips openssh-6.8p1/kex.c
#endif
#include "ssh2.h"
@@ -107,6 +108,25 @@ static const struct kexalg kexalgs[] = {
@@ -108,6 +109,25 @@ static const struct kexalg kexalgs[] = {
{ NULL, -1, -1, -1},
};
@ -191,7 +147,7 @@ diff -up openssh-6.8p1/kex.c.fips openssh-6.8p1/kex.c
char *
kex_alg_list(char sep)
{
@@ -134,7 +154,7 @@ kex_alg_by_name(const char *name)
@@ -135,7 +155,7 @@ kex_alg_by_name(const char *name)
{
const struct kexalg *k;
@ -200,7 +156,7 @@ diff -up openssh-6.8p1/kex.c.fips openssh-6.8p1/kex.c
if (strcmp(k->name, name) == 0)
return k;
#ifdef GSSAPI
@@ -160,7 +180,10 @@ kex_names_valid(const char *names)
@@ -161,7 +181,10 @@ kex_names_valid(const char *names)
for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) {
if (kex_alg_by_name(p) == NULL) {
@ -212,54 +168,47 @@ diff -up openssh-6.8p1/kex.c.fips openssh-6.8p1/kex.c
free(s);
return 0;
}
diff -up openssh-6.8p1/kexgexc.c.fips openssh-6.8p1/kexgexc.c
--- openssh-6.8p1/kexgexc.c.fips 2015-03-19 13:14:22.196212223 +0100
+++ openssh-6.8p1/kexgexc.c 2015-03-19 13:15:11.462117016 +0100
@@ -28,6 +28,8 @@
diff -up openssh/kexgexc.c.fips openssh/kexgexc.c
--- openssh/kexgexc.c.fips 2015-06-24 12:00:58.737242482 +0200
+++ openssh/kexgexc.c 2015-06-24 12:02:26.996015709 +0200
@@ -28,6 +28,7 @@
#ifdef WITH_OPENSSL
+#include <openssl/fips.h>
+
#include <sys/param.h>
#include <sys/types.h>
#include <openssl/dh.h>
@@ -62,7 +64,7 @@ kexgex_client(struct ssh *ssh)
@@ -63,7 +64,7 @@ kexgex_client(struct ssh *ssh)
nbits = dh_estimate(kex->dh_need * 8);
- kex->min = DH_GRP_MIN;
+ kex->min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
kex->max = DH_GRP_MAX;
kex->nbits = nbits;
if (datafellows & SSH_BUG_DHGEX_LARGE)
diff -up openssh/kexgexs.c.fips openssh/kexgexs.c
--- openssh/kexgexs.c.fips 2015-06-24 12:00:58.738242479 +0200
+++ openssh/kexgexs.c 2015-06-24 13:48:23.735320199 +0200
@@ -81,11 +81,11 @@ input_kex_dh_gex_request(int type, u_int
(r = sshpkt_get_end(ssh)) != 0)
goto out;
kex->nbits = nbits;
- kex->min = min;
+ kex->min = min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
kex->max = max;
- min = MAX(DH_GRP_MIN, min);
+ min = MAX(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, min);
max = MIN(DH_GRP_MAX, max);
- nbits = MAX(DH_GRP_MIN, nbits);
+ nbits = MAX(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, nbits);
nbits = MIN(DH_GRP_MAX, nbits);
/* Servers with MAX4096DH need a preferred size (nbits) <= 4096.
diff -up openssh-6.8p1/kexgexs.c.fips openssh-6.8p1/kexgexs.c
--- openssh-6.8p1/kexgexs.c.fips 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/kexgexs.c 2015-03-19 13:14:22.231212155 +0100
@@ -87,9 +87,9 @@ input_kex_dh_gex_request(int type, u_int
kex->nbits = nbits;
kex->min = min;
kex->max = max;
- min = MAX(DH_GRP_MIN, min);
+ min = MAX(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, min);
max = MIN(DH_GRP_MAX, max);
- nbits = MAX(DH_GRP_MIN, nbits);
+ nbits = MAX(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, nbits);
nbits = MIN(DH_GRP_MAX, nbits);
break;
case SSH2_MSG_KEX_DH_GEX_REQUEST_OLD:
@@ -99,7 +99,7 @@ input_kex_dh_gex_request(int type, u_int
goto out;
kex->nbits = nbits;
/* unused for old GEX */
- kex->min = min = DH_GRP_MIN;
+ kex->min = min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
kex->max = max = DH_GRP_MAX;
break;
default:
diff -up openssh-6.8p1/mac.c.fips openssh-6.8p1/mac.c
--- openssh-6.8p1/mac.c.fips 2015-03-19 13:14:22.224212169 +0100
+++ openssh-6.8p1/mac.c 2015-03-19 13:14:22.231212155 +0100
if (kex->max < kex->min || kex->nbits < kex->min ||
diff -up openssh/mac.c.fips openssh/mac.c
--- openssh/mac.c.fips 2015-06-24 12:00:58.731242497 +0200
+++ openssh/mac.c 2015-06-24 12:00:58.738242479 +0200
@@ -27,6 +27,8 @@
#include <sys/types.h>
@ -321,10 +270,54 @@ diff -up openssh-6.8p1/mac.c.fips openssh-6.8p1/mac.c
if (strcmp(name, m->name) != 0)
continue;
if (mac != NULL)
diff -up openssh-6.8p1/myproposal.h.fips openssh-6.8p1/myproposal.h
--- openssh-6.8p1/myproposal.h.fips 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/myproposal.h 2015-03-19 13:14:22.231212155 +0100
@@ -140,6 +140,28 @@
diff -up openssh/Makefile.in.fips openssh/Makefile.in
--- openssh/Makefile.in.fips 2015-06-24 12:00:58.731242497 +0200
+++ openssh/Makefile.in 2015-06-24 12:00:58.736242484 +0200
@@ -168,25 +168,25 @@ libssh.a: $(LIBSSH_OBJS)
$(RANLIB) $@
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHLIBS) $(LIBS) $(GSSLIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o
- $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
@@ -204,7 +204,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a
$(LD) -o $@ ssh-cavs.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
- $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+ $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
diff -up openssh/myproposal.h.fips openssh/myproposal.h
--- openssh/myproposal.h.fips 2015-06-23 02:34:47.000000000 +0200
+++ openssh/myproposal.h 2015-06-24 12:00:58.738242479 +0200
@@ -143,6 +143,28 @@
"hmac-sha1-96," \
"hmac-md5-96"
@ -353,9 +346,36 @@ diff -up openssh-6.8p1/myproposal.h.fips openssh-6.8p1/myproposal.h
#else
#define KEX_SERVER_KEX \
diff -up openssh-6.8p1/ssh.c.fips openssh-6.8p1/ssh.c
--- openssh-6.8p1/ssh.c.fips 2015-03-17 06:49:20.000000000 +0100
+++ openssh-6.8p1/ssh.c 2015-03-19 13:14:22.232212153 +0100
diff -up openssh/servconf.c.fips openssh/servconf.c
--- openssh/servconf.c.fips 2015-06-24 12:00:58.726242510 +0200
+++ openssh/servconf.c 2015-06-24 13:49:40.164085648 +0200
@@ -2319,8 +2319,10 @@ dump_config(ServerOptions *o)
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
dump_cfg_string(sXAuthLocation, o->xauth_location);
- dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
- dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
+ dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : FIPS_mode()
+ ? KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT);
+ dump_cfg_string(sMacs, o->macs ? o->macs : FIPS_mode()
+ ? KEX_FIPS_MAC : KEX_SERVER_MAC);
dump_cfg_string(sBanner, o->banner != NULL ? o->banner : "none");
dump_cfg_string(sForceCommand, o->adm_forced_command);
dump_cfg_string(sChrootDirectory, o->chroot_directory);
@@ -2335,8 +2337,8 @@ dump_config(ServerOptions *o)
dump_cfg_string(sAuthorizedPrincipalsCommand, o->authorized_principals_command);
dump_cfg_string(sAuthorizedPrincipalsCommandUser, o->authorized_principals_command_user);
dump_cfg_string(sHostKeyAgent, o->host_key_agent);
- dump_cfg_string(sKexAlgorithms,
- o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
+ dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms :
+ FIPS_mode() ? KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX);
dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
diff -up openssh/ssh.c.fips openssh/ssh.c
--- openssh/ssh.c.fips 2015-06-23 02:34:47.000000000 +0200
+++ openssh/ssh.c 2015-06-24 12:00:58.738242479 +0200
@@ -75,6 +75,8 @@
#include <openssl/evp.h>
#include <openssl/err.h>
@ -365,7 +385,7 @@ diff -up openssh-6.8p1/ssh.c.fips openssh-6.8p1/ssh.c
#include "openbsd-compat/openssl-compat.h"
#include "openbsd-compat/sys-queue.h"
@@ -523,6 +525,14 @@ main(int ac, char **av)
@@ -521,6 +523,14 @@ main(int ac, char **av)
sanitise_stdfd();
__progname = ssh_get_progname(av[0]);
@ -380,7 +400,7 @@ diff -up openssh-6.8p1/ssh.c.fips openssh-6.8p1/ssh.c
#ifndef HAVE_SETPROCTITLE
/* Prepare for later setproctitle emulation */
@@ -600,6 +610,9 @@ main(int ac, char **av)
@@ -598,6 +608,9 @@ main(int ac, char **av)
"ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
switch (opt) {
case '1':
@ -390,7 +410,7 @@ diff -up openssh-6.8p1/ssh.c.fips openssh-6.8p1/ssh.c
options.protocol = SSH_PROTO_1;
break;
case '2':
@@ -941,7 +954,6 @@ main(int ac, char **av)
@@ -939,7 +952,6 @@ main(int ac, char **av)
host_arg = xstrdup(host);
#ifdef WITH_OPENSSL
@ -398,7 +418,7 @@ diff -up openssh-6.8p1/ssh.c.fips openssh-6.8p1/ssh.c
ERR_load_crypto_strings();
#endif
@@ -1115,6 +1127,10 @@ main(int ac, char **av)
@@ -1113,6 +1125,10 @@ main(int ac, char **av)
seed_rng();
@ -409,7 +429,7 @@ diff -up openssh-6.8p1/ssh.c.fips openssh-6.8p1/ssh.c
if (options.user == NULL)
options.user = xstrdup(pw->pw_name);
@@ -1192,6 +1208,12 @@ main(int ac, char **av)
@@ -1190,6 +1206,12 @@ main(int ac, char **av)
timeout_ms = options.connection_timeout * 1000;
@ -422,9 +442,9 @@ diff -up openssh-6.8p1/ssh.c.fips openssh-6.8p1/ssh.c
/* Open a connection to the remote host. */
if (ssh_connect(host, addrs, &hostaddr, options.port,
options.address_family, options.connection_attempts,
diff -up openssh-6.8p1/sshconnect2.c.fips openssh-6.8p1/sshconnect2.c
--- openssh-6.8p1/sshconnect2.c.fips 2015-03-19 13:14:22.188212238 +0100
+++ openssh-6.8p1/sshconnect2.c 2015-03-19 13:14:22.232212153 +0100
diff -up openssh/sshconnect2.c.fips openssh/sshconnect2.c
--- openssh/sshconnect2.c.fips 2015-06-24 12:00:58.698242582 +0200
+++ openssh/sshconnect2.c 2015-06-24 12:00:58.739242477 +0200
@@ -46,6 +46,8 @@
#include <vis.h>
#endif
@ -510,9 +530,9 @@ diff -up openssh-6.8p1/sshconnect2.c.fips openssh-6.8p1/sshconnect2.c
#ifdef GSSAPI
/* If we've got GSSAPI algorithms, then we also support the
* 'null' hostkey, as a last resort */
diff -up openssh-6.8p1/sshd.c.fips openssh-6.8p1/sshd.c
--- openssh-6.8p1/sshd.c.fips 2015-03-19 13:14:22.226212165 +0100
+++ openssh-6.8p1/sshd.c 2015-03-19 13:14:22.232212153 +0100
diff -up openssh/sshd.c.fips openssh/sshd.c
--- openssh/sshd.c.fips 2015-06-24 12:00:58.734242489 +0200
+++ openssh/sshd.c 2015-06-24 12:00:58.739242477 +0200
@@ -66,6 +66,7 @@
#include <grp.h>
#include <pwd.h>
@ -530,7 +550,7 @@ diff -up openssh-6.8p1/sshd.c.fips openssh-6.8p1/sshd.c
#include "openbsd-compat/openssl-compat.h"
#endif
@@ -1543,6 +1546,18 @@ main(int ac, char **av)
@@ -1548,6 +1551,18 @@ main(int ac, char **av)
#endif
__progname = ssh_get_progname(av[0]);
@ -549,7 +569,7 @@ diff -up openssh-6.8p1/sshd.c.fips openssh-6.8p1/sshd.c
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
saved_argc = ac;
rexec_argc = ac;
@@ -1694,7 +1709,7 @@ main(int ac, char **av)
@@ -1700,7 +1715,7 @@ main(int ac, char **av)
else
closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
@ -558,7 +578,7 @@ diff -up openssh-6.8p1/sshd.c.fips openssh-6.8p1/sshd.c
OpenSSL_add_all_algorithms();
#endif
@@ -1890,6 +1905,10 @@ main(int ac, char **av)
@@ -1901,6 +1916,10 @@ main(int ac, char **av)
sshkey_type(pubkey) : sshkey_ssh_name(pubkey), fp);
free(fp);
}
@ -569,7 +589,7 @@ diff -up openssh-6.8p1/sshd.c.fips openssh-6.8p1/sshd.c
if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
logit("Disabling protocol version 1. Could not load host key");
options.protocol &= ~SSH_PROTO_1;
@@ -2058,6 +2077,10 @@ main(int ac, char **av)
@@ -2069,6 +2088,10 @@ main(int ac, char **av)
/* Reinitialize the log (because of the fork above). */
log_init(__progname, options.log_level, options.log_facility, log_stderr);
@ -580,7 +600,7 @@ diff -up openssh-6.8p1/sshd.c.fips openssh-6.8p1/sshd.c
/* Chdir to the root directory so that the current disk can be
unmounted if desired. */
if (chdir("/") == -1)
@@ -2642,6 +2665,9 @@ do_ssh2_kex(void)
@@ -2654,6 +2677,9 @@ do_ssh2_kex(void)
if (options.ciphers != NULL) {
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@ -590,7 +610,7 @@ diff -up openssh-6.8p1/sshd.c.fips openssh-6.8p1/sshd.c
}
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
@@ -2651,6 +2677,9 @@ do_ssh2_kex(void)
@@ -2663,6 +2689,9 @@ do_ssh2_kex(void)
if (options.macs != NULL) {
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
@ -600,7 +620,7 @@ diff -up openssh-6.8p1/sshd.c.fips openssh-6.8p1/sshd.c
}
if (options.compression == COMP_NONE) {
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
@@ -2661,6 +2690,8 @@ do_ssh2_kex(void)
@@ -2673,6 +2702,8 @@ do_ssh2_kex(void)
}
if (options.kex_algorithms != NULL)
myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
@ -609,7 +629,7 @@ diff -up openssh-6.8p1/sshd.c.fips openssh-6.8p1/sshd.c
myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
myproposal[PROPOSAL_KEX_ALGS]);
@@ -2687,10 +2718,14 @@ do_ssh2_kex(void)
@@ -2699,10 +2730,14 @@ do_ssh2_kex(void)
if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
orig = NULL;
@ -628,9 +648,9 @@ diff -up openssh-6.8p1/sshd.c.fips openssh-6.8p1/sshd.c
if (gss && orig)
xasprintf(&newstr, "%s,%s", gss, orig);
diff -up openssh-6.8p1/sshkey.c.fips openssh-6.8p1/sshkey.c
--- openssh-6.8p1/sshkey.c.fips 2015-03-19 13:14:22.227212163 +0100
+++ openssh-6.8p1/sshkey.c 2015-03-19 13:14:22.233212151 +0100
diff -up openssh/sshkey.c.fips openssh/sshkey.c
--- openssh/sshkey.c.fips 2015-06-24 12:00:58.735242487 +0200
+++ openssh/sshkey.c 2015-06-24 12:00:58.740242474 +0200
@@ -35,6 +35,7 @@
#include <openssl/evp.h>
#include <openssl/err.h>
@ -639,7 +659,7 @@ diff -up openssh-6.8p1/sshkey.c.fips openssh-6.8p1/sshkey.c
#endif
#include "crypto_api.h"
@@ -1562,6 +1563,8 @@ rsa_generate_private_key(u_int bits, RSA
@@ -1586,6 +1587,8 @@ rsa_generate_private_key(u_int bits, RSA
}
if (!BN_set_word(f4, RSA_F4) ||
!RSA_generate_key_ex(private, bits, f4, NULL)) {
@ -648,30 +668,3 @@ diff -up openssh-6.8p1/sshkey.c.fips openssh-6.8p1/sshkey.c
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
diff -up openssh-6.8p1/servconf.c.fips openssh-6.8p1/servconf.c
--- openssh-6.8p1/servconf.c.fips 2015-03-19 13:14:22.210212196 +0100
+++ openssh-6.8p1/servconf.c 2015-03-19 13:14:22.233212151 +0100
@@ -2226,8 +2226,10 @@ dump_config(ServerOptions *o)
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
dump_cfg_string(sXAuthLocation, o->xauth_location);
- dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
- dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
+ dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : FIPS_mode()
+ ? KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT);
+ dump_cfg_string(sMacs, o->macs ? o->macs : FIPS_mode()
+ ? KEX_FIPS_MAC : KEX_SERVER_MAC);
dump_cfg_string(sBanner, o->banner != NULL ? o->banner : "none");
dump_cfg_string(sForceCommand, o->adm_forced_command);
dump_cfg_string(sChrootDirectory, o->chroot_directory);
@@ -2240,8 +2242,8 @@ dump_config(ServerOptions *o)
dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
dump_cfg_string(sHostKeyAgent, o->host_key_agent);
- dump_cfg_string(sKexAlgorithms,
- o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
+ dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms :
+ FIPS_mode() ? KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX);
dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?

2
openssh-6.7p1-ldap.patch
View File

@ -1742,7 +1742,7 @@ diff -up openssh-6.8p1/ldapconf.c.ldap openssh-6.8p1/ldapconf.c
+ len = snprintf (options.uri, MAXURILEN, "ldap%s://%s:%d",
+ (options.ssl == 0) ? "" : "s", options.host, options.port);
+ options.uri[MAXURILEN - 1] = 0;
+ options.uri = xrealloc (options.uri, len + 1, 1);
+ options.uri = xreallocarray(options.uri, len + 1, 1);
+ }
+ if (options.binddn == NULL)
+ options.binddn = "";

104
openssh-6.7p1-seccomp-aarch64.patch
View File

@ -1,104 +1,14 @@
diff --git a/configure.ac b/configure.ac
index 4065d0e..d59ad44 100644
--- a/configure.ac
+++ b/configure.ac
@@ -764,9 +764,12 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
i*86-*)
seccomp_audit_arch=AUDIT_ARCH_I386
;;
- arm*-*)
+ aarch64*-*)
+ seccomp_audit_arch=AUDIT_ARCH_AARCH64
+ ;;
+ arm*-*)
seccomp_audit_arch=AUDIT_ARCH_ARM
- ;;
+ ;;
esac
if test "x$seccomp_audit_arch" != "x" ; then
AC_MSG_RESULT(["$seccomp_audit_arch"])
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 095b04a..52f6810 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -43,6 +43,7 @@
#include <sys/resource.h>
#include <sys/prctl.h>
+#include <linux/net.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
@@ -80,6 +81,17 @@
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
+#define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 3), \
+ /* load first syscall argument */ \
+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
+ offsetof(struct seccomp_data, args[(_arg_nr)])), \
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \
+ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
+ /* reload syscall number; all rules expect it in accumulator */ \
+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
+ offsetof(struct seccomp_data, nr))
+
/* Syscall filtering set for preauth. */
static const struct sock_filter preauth_insns[] = {
/* Ensure the syscall arch convention is as expected. */
@@ -90,8 +90,23 @@ static const struct sock_filter preauth_insns[] = {
/* Load the syscall number for checking. */
BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
offsetof(struct seccomp_data, nr)),
- SC_DENY(open, EACCES),
+#ifdef __NR_stat
SC_DENY(stat, EACCES),
+#endif
+ SC_DENY(openat, EACCES),
+#ifdef __NR_open
+ SC_DENY(open, EACCES), /* not on AArch64 */
+#endif
+#ifdef __NR_fstat
+ SC_DENY(fstat, EACCES), /* x86_64, Aarch64 */
+#endif
+#if defined(__NR_stat64) && defined(__NR_fstat64)
+ SC_DENY(stat64, EACCES), /* ix86, arm */
+ SC_DENY(fstat64, EACCES),
+#endif
+#ifdef __NR_newfstatat
+ SC_DENY(newfstatat, EACCES), /* Aarch64 */
+#endif
SC_ALLOW(getpid),
SC_ALLOW(gettimeofday),
SC_ALLOW(clock_gettime),
@@ -111,12 +123,19 @@ static const struct sock_filter preauth_insns[] = {
SC_ALLOW(shutdown),
#endif
SC_ALLOW(brk),
+#ifdef __NR_poll /* not on AArch64 */
SC_ALLOW(poll),
+#endif
diff -up openssh/configure.ac.seccomp openssh/configure.ac
diff -up openssh/sandbox-seccomp-filter.c.seccomp openssh/sandbox-seccomp-filter.c
--- openssh/sandbox-seccomp-filter.c.seccomp 2015-06-24 11:45:44.001581471 +0200
+++ openssh/sandbox-seccomp-filter.c 2015-06-24 11:51:54.032635297 +0200
@@ -165,6 +165,9 @@ static const struct sock_filter preauth_
#ifdef __NR__newselect
SC_ALLOW(_newselect),
#else
+#ifdef __NR_select /* not on AArch64 */
SC_ALLOW(select),
#endif
+#ifdef __NR_pselect6 /* AArch64 */
+ SC_ALLOW(pselect6),
+#endif
+#endif
SC_ALLOW(madvise),
#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */
SC_ALLOW(mmap2),
@@ -154,6 +157,9 @@ static const struct sock_filter preauth_insns[] = {
#else
SC_ALLOW(sigprocmask),
#ifdef __NR_poll
SC_ALLOW(poll),
#endif
+#ifdef __NR_socketcall
+ SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
+#endif
BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
};

11
openssh-6.8p1-880575.patch
View File

@ -1,11 +0,0 @@
--- openssh-6.8p1/authfile.c.orig 2015-03-26 09:59:06.646924879 +0100
+++ openssh-6.8p1/authfile.c 2015-03-26 09:59:19.310905998 +0100
@@ -194,7 +194,7 @@
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
error("Permissions 0%3.3o for '%s' are too open.",
(u_int)st.st_mode & 0777, filename);
- error("It is recommended that your private key files are NOT accessible by others.");
+ error("It is required that your private key files are NOT accessible by others.");
error("This private key will be ignored.");
return SSH_ERR_KEY_BAD_PERMISSIONS;
}

69
openssh-6.8p1-sshdT-output.patch
View File

@ -1,41 +1,7 @@
diff -up openssh-6.8p1/servconf.c.sshdt openssh-6.8p1/servconf.c
--- openssh-6.8p1/servconf.c.sshdt 2015-05-28 13:32:55.728821389 +0200
+++ openssh-6.8p1/servconf.c 2015-05-28 13:34:01.937750270 +0200
@@ -2118,6 +2118,8 @@ dump_cfg_strarray_oneline(ServerOpCodes
{
u_int i;
+ if (count <= 0)
+ return;
printf("%s", lookup_opcode_name(code));
for (i = 0; i < count; i++)
printf(" %s", vals[i]);
@@ -2156,7 +2158,7 @@ dump_config(ServerOptions *o)
/* integer arguments */
#ifdef USE_PAM
- dump_cfg_int(sUsePAM, o->use_pam);
+ dump_cfg_fmtint(sUsePAM, o->use_pam);
#endif
dump_cfg_int(sServerKeyBits, o->server_key_bits);
dump_cfg_int(sLoginGraceTime, o->login_grace_time);
@@ -2166,6 +2168,7 @@ dump_config(ServerOptions *o)
dump_cfg_int(sMaxSessions, o->max_sessions);
dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
+ dump_cfg_int(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask);
/* formatted integer arguments */
dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
@@ -2213,6 +2216,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel);
dump_cfg_fmtint(sUseDNS, o->use_dns);
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
+ dump_cfg_fmtint(sAllowAgentForwarding, o->allow_agent_forwarding);
dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
@@ -2224,14 +2228,15 @@ dump_config(ServerOptions *o)
diff -up openssh/servconf.c.sshdt openssh/servconf.c
--- openssh/servconf.c.sshdt 2015-06-24 11:42:29.041078704 +0200
+++ openssh/servconf.c 2015-06-24 11:44:39.734745802 +0200
@@ -2317,7 +2317,7 @@ dump_config(ServerOptions *o)
dump_cfg_string(sXAuthLocation, o->xauth_location);
dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
@ -44,29 +10,10 @@ diff -up openssh-6.8p1/servconf.c.sshdt openssh-6.8p1/servconf.c
dump_cfg_string(sForceCommand, o->adm_forced_command);
dump_cfg_string(sChrootDirectory, o->chroot_directory);
dump_cfg_string(sTrustedUserCAKeys, o->trusted_user_ca_keys);
dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
dump_cfg_string(sAuthorizedPrincipalsFile,
o->authorized_principals_file);
- dump_cfg_string(sVersionAddendum, o->version_addendum);
+ dump_cfg_string(sVersionAddendum, *o->version_addendum == '\0'
+ ? "none" : o->version_addendum);
dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
dump_cfg_string(sHostKeyAgent, o->host_key_agent);
@@ -2251,7 +2256,7 @@ dump_config(ServerOptions *o)
o->authorized_keys_files);
dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
o->host_key_files);
- dump_cfg_strarray(sHostKeyFile, o->num_host_cert_files,
+ dump_cfg_strarray(sHostCertificate, o->num_host_cert_files,
o->host_cert_files);
dump_cfg_strarray(sAllowUsers, o->num_allow_users, o->allow_users);
dump_cfg_strarray(sDenyUsers, o->num_deny_users, o->deny_users);
diff --git a/ssh.1 b/ssh.1
index cf02526..7fddf46 100644
--- a/ssh.1
+++ b/ssh.1
@@ -441,7 +441,11 @@ For full details of the options listed below, and their possible values, see
diff -up openssh/ssh.1.sshdt openssh/ssh.1
--- openssh/ssh.1.sshdt 2015-06-24 11:42:19.565102807 +0200
+++ openssh/ssh.1 2015-06-24 11:42:29.042078701 +0200
@@ -441,7 +441,11 @@ For full details of the options listed b
.It GatewayPorts
.It GlobalKnownHostsFile
.It GSSAPIAuthentication

13
openssh.spec
View File

@ -65,10 +65,10 @@
%endif
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%define openssh_ver 6.8p1
%define openssh_rel 9
%define openssh_ver 6.9p1
%define openssh_rel 1
%define pam_ssh_agent_ver 0.9.3
%define pam_ssh_agent_rel 5
%define pam_ssh_agent_rel 6
Summary: An open source implementation of SSH protocol versions 1 and 2
Name: openssh
@ -218,8 +218,6 @@ Patch924: openssh-6.7p1-seccomp-aarch64.patch
Patch925: openssh-6.7p1-ssh-copy-id-truncated-keys.patch
# Add sftp option to force mode of created files (#1191055)
Patch926: openssh-6.7p1-sftp-force-permission.patch
# Upstream bug #1878 reintroduced in openssh6.7p1
Patch927: openssh-6.8p1-880575.patch
# Memory problems
# https://bugzilla.mindrot.org/show_bug.cgi?id=2401
Patch928: openssh-6.8p1-memory-problems.patch
@ -316,7 +314,7 @@ Requires: openssh = %{version}-%{release}
Summary: PAM module for authentication with ssh-agent
Group: System Environment/Base
Version: %{pam_ssh_agent_ver}
Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}.2
Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}%{?rescue_rel}
License: BSD
%description
@ -433,7 +431,7 @@ popd
%patch912 -p1 -b .utf8-banner
%patch914 -p1 -b .servconf
%patch916 -p1 -b .contexts
%patch917 -p1 -b .cisco-dh
#%patch917 -p1 -b .cisco-dh # investigate
%patch918 -p1 -b .log-in-chroot
%patch919 -p1 -b .scp
%patch920 -p1 -b .config
@ -444,7 +442,6 @@ popd
%patch924 -p1 -b .seccomp
%patch925 -p1 -b .newline
%patch926 -p1 -b .sftp-force-mode
%patch927 -p1 -b .bz880575
%patch928 -p1 -b .memory
%patch200 -p1 -b .audit