Most of the coverity patch applied upstream, context changes for rebase

2016-07-25 16:21:15 +02:00 · 2016-07-25 16:21:15 +02:00 · 5878ebb50e
commit 5878ebb50e
parent 70c2ac20bd
12 changed files with 72 additions and 235 deletions
--- a/openssh-5.8p1-packet.patch
+++ b/openssh-5.8p1-packet.patch
@ -7,6 +7,6 @@ diff -up openssh-6.8p1/packet.c.packet openssh-6.8p1/packet.c
 
 +	if (!state)
 +		return 0;
- 	/* filedescriptors in and out are the same, so it's a socket */
- 	if (state->connection_in == state->connection_out)
- 		return 1;
+ 	if (state->connection_in == -1 || state->connection_out == -1)
+ 		return 0;
+ 
--- a/openssh-6.6.1p1-log-in-chroot.patch
+++ b/openssh-6.6.1p1-log-in-chroot.patch
@ -247,8 +247,8 @@ diff -up openssh-6.8p1/sftp-server.c.log-in-chroot openssh-6.8p1/sftp-server.c
 -	log_init(__progname, log_level, log_facility, log_stderr);
 +	log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler);
 
- #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
 	/*
+ 	 * On platforms where we can, avoid making /proc/self/{mem,maps}
 diff -up openssh-6.8p1/sftp.h.log-in-chroot openssh-6.8p1/sftp.h
 --- openssh-6.8p1/sftp.h.log-in-chroot	2015-03-17 06:49:20.000000000 +0100
 +++ openssh-6.8p1/sftp.h	2015-03-18 12:59:29.696022308 +0100
--- a/openssh-6.6p1-allow-ip-opts.patch
+++ b/openssh-6.6p1-allow-ip-opts.patch
@ -1,20 +1,19 @@
-diff --git a/canohost.c b/canohost.c
-index a61a8c9..97ce58c 100644
--- a/canohost.c
-+++ b/canohost.c
-@@ -165,12 +165,29 @@ check_ip_options(int sock, char *ipaddr)
- 	option_size = sizeof(options);
- 	if (getsockopt(sock, ipproto, IP_OPTIONS, options,
+diff -up openssh/sshd.c.ip-opts openssh/sshd.c
+--- openssh/sshd.c.ip-opts	2016-07-25 13:58:48.998507834 +0200
+++ openssh/sshd.c	2016-07-25 14:01:28.346469878 +0200
+@@ -1507,12 +1507,29 @@ check_ip_options(struct ssh *ssh)
+ 
+ 	if (getsockopt(sock_in, IPPROTO_IP, IP_OPTIONS, opts,
 	    &option_size) >= 0 && option_size != 0) {
 -		text[0] = '\0';
 -		for (i = 0; i < option_size; i++)
 -			snprintf(text + i*3, sizeof(text) - i*3,
-			    " %2.2x", options[i]);
-		fatal("Connection from %.100s with IP options:%.800s",
-		    ipaddr, text);
+-			    " %2.2x", opts[i]);
+-		fatal("Connection from %.100s port %d with IP opts: %.800s",
+-		    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), text);
 +		i = 0;
 +		do {
-+			switch (options[i]) {
+			switch (opts[i]) {
 +				case 0:
 +				case 1:
 +					++i;
@ -22,7 +21,7 @@ index a61a8c9..97ce58c 100644
 +				case 130:
 +				case 133:
 +				case 134:
-+					i += options[i + 1];
+					i += opts[i + 1];
 +					break;
 +				default:
 +				/* Fail, fatally, if we detect either loose or strict
@ -30,11 +29,11 @@ index a61a8c9..97ce58c 100644
 +					text[0] = '\0';
 +					for (i = 0; i < option_size; i++)
 +						snprintf(text + i*3, sizeof(text) - i*3,
-+							" %2.2x", options[i]);
-+					fatal("Connection from %.100s with IP options:%.800s",
-+						ipaddr, text);
+							" %2.2x", opts[i]);
+					fatal("Connection from %.100s port %d with IP options:%.800s",
+						ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), text);
 +			}
 +		} while (i < option_size);
 	}
+ 	return;
 #endif /* IP_OPTIONS */
- }
--- a/openssh-6.6p1-entropy.patch
+++ b/openssh-6.6p1-entropy.patch
@ -18,7 +18,7 @@ index 843225d..041bbab 100644
 +++ b/openbsd-compat/Makefile.in
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o di
 
- COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o
+ COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-err.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o
 
 -PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o
 +PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o
--- a/openssh-6.6p1-kuserok.patch
+++ b/openssh-6.6p1-kuserok.patch
@ -235,7 +235,7 @@ diff -up openssh-7.0p1/servconf.c.kuserok openssh-7.0p1/servconf.c
 	M_CP_INTOPT(rekey_interval);
 
@@ -2304,6 +2314,7 @@ dump_config(ServerOptions *o)
- 	dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
+ 	dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink);
 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
 	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
 +	dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
--- a/openssh-6.6p1-redhat.patch
+++ b/openssh-6.6p1-redhat.patch
@ -52,8 +52,8 @@ index c735429..e68ddee 100644
 # Lifetime and size of ephemeral version 1 server key
 #KeyRegenerationInterval 1h
@@ -36,6 +40,7 @@
+ 
 # Logging
- # obsoletes QuietMode and FascistLogging
 #SyslogFacility AUTH
 +SyslogFacility AUTHPRIV
 #LogLevel INFO
--- a/openssh-6.7p1-coverity.patch
+++ b/openssh-6.7p1-coverity.patch
@ -1,20 +1,3 @@
-diff -up openssh-6.8p1/auth-pam.c.coverity openssh-6.8p1/auth-pam.c
--- openssh-6.8p1/auth-pam.c.coverity	2015-03-18 17:21:51.792265051 +0100
-+++ openssh-6.8p1/auth-pam.c	2015-03-18 17:21:51.895264835 +0100
-@@ -216,7 +216,12 @@ pthread_join(sp_pthread_t thread, void *
- 	if (sshpam_thread_status != -1)
- 		return (sshpam_thread_status);
- 	signal(SIGCHLD, sshpam_oldsig);
-	waitpid(thread, &status, 0);
-+	while (waitpid(thread, &status, 0) < 0) {
-+		if (errno == EINTR)
-+			continue;
-+		fatal("%s: waitpid: %s", __func__,
-+				strerror(errno));
-+	}
- 	return (status);
- }
- #endif
 diff -up openssh-6.8p1/channels.c.coverity openssh-6.8p1/channels.c
 --- openssh-6.8p1/channels.c.coverity	2015-03-18 17:21:51.815265002 +0100
 +++ openssh-6.8p1/channels.c	2015-03-18 17:21:51.896264833 +0100
@ -60,27 +43,6 @@ diff -up openssh-6.8p1/monitor.c.coverity openssh-6.8p1/monitor.c
 		;
 
 	close(pmonitor->m_sendfd);
-@@ -1303,6 +1303,10 @@ mm_answer_keyallowed(int sock, Buffer *m
- 			break;
- 		}
- 	}
-+
-+	debug3("%s: key %p is %s",
-+	    __func__, key, allowed ? "allowed" : "not allowed");
-+
- 	if (key != NULL)
- 		key_free(key);
- 
-@@ -1324,9 +1328,6 @@ mm_answer_keyallowed(int sock, Buffer *m
- 		free(chost);
- 	}
- 
-	debug3("%s: key %p is %s",
-	    __func__, key, allowed ? "allowed" : "not allowed");
-
- 	buffer_clear(m);
- 	buffer_put_int(m, allowed);
- 	buffer_put_int(m, forced_command != NULL);
 diff -up openssh-6.8p1/monitor_wrap.c.coverity openssh-6.8p1/monitor_wrap.c
 --- openssh-6.8p1/monitor_wrap.c.coverity	2015-03-18 17:21:51.888264849 +0100
 +++ openssh-6.8p1/monitor_wrap.c	2015-03-18 17:21:51.897264831 +0100
@ -270,96 +232,6 @@ diff -up openssh-6.8p1/sftp.c.coverity openssh-6.8p1/sftp.c
 	}
 
 	_exit(1);
-@@ -335,7 +335,7 @@ local_do_ls(const char *args)
- 
- /* Strip one path (usually the pwd) from the start of another */
- static char *
-path_strip(char *path, char *strip)
-+path_strip(const char *path, const char *strip)
- {
- 	size_t len;
- 
-@@ -353,7 +353,7 @@ path_strip(char *path, char *strip)
- }
- 
- static char *
-make_absolute(char *p, char *pwd)
-+make_absolute(char *p, const char *pwd)
- {
- 	char *abs_str;
- 
-@@ -551,7 +551,7 @@ parse_no_flags(const char *cmd, char **a
- }
- 
- static int
-is_dir(char *path)
-+is_dir(const char *path)
- {
- 	struct stat sb;
- 
-@@ -563,7 +563,7 @@ is_dir(char *path)
- }
- 
- static int
-remote_is_dir(struct sftp_conn *conn, char *path)
-+remote_is_dir(struct sftp_conn *conn, const char *path)
- {
- 	Attrib *a;
- 
-@@ -577,7 +577,7 @@ remote_is_dir(struct sftp_conn *conn, ch
- 
- /* Check whether path returned from glob(..., GLOB_MARK, ...) is a directory */
- static int
-pathname_is_dir(char *pathname)
-+pathname_is_dir(const char *pathname)
- {
- 	size_t l = strlen(pathname);
- 
-@@ -585,7 +585,7 @@ pathname_is_dir(char *pathname)
- }
- 
- static int
-process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd,
-+process_get(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
-     int pflag, int rflag, int resume, int fflag)
- {
- 	char *abs_src = NULL;
-@@ -669,7 +669,7 @@ out:
- }
- 
- static int
-process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd,
-+process_put(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
-     int pflag, int rflag, int resume, int fflag)
- {
- 	char *tmp_dst = NULL;
-@@ -779,7 +779,7 @@ sdirent_comp(const void *aa, const void
- 
- /* sftp ls.1 replacement for directories */
- static int
-do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
-+do_ls_dir(struct sftp_conn *conn, const char *path, const char *strip_path, int lflag)
- {
- 	int n;
- 	u_int c = 1, colspace = 0, columns = 1;
-@@ -864,7 +864,7 @@ do_ls_dir(struct sftp_conn *conn, char *
- 
- /* sftp ls.1 replacement which handles path globs */
- static int
-do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
-+do_globbed_ls(struct sftp_conn *conn, const char *path, const char *strip_path,
-     int lflag)
- {
- 	char *fname, *lname;
-@@ -949,7 +949,7 @@ do_globbed_ls(struct sftp_conn *conn, ch
- }
- 
- static int
-do_df(struct sftp_conn *conn, char *path, int hflag, int iflag)
-+do_df(struct sftp_conn *conn, const char *path, int hflag, int iflag)
- {
- 	struct sftp_statvfs st;
- 	char s_used[FMT_SCALED_STRSIZE];
 diff -up openssh-6.8p1/ssh-agent.c.coverity openssh-6.8p1/ssh-agent.c
 --- openssh-6.8p1/ssh-agent.c.coverity	2015-03-17 06:49:20.000000000 +0100
 +++ openssh-6.8p1/ssh-agent.c	2015-03-18 17:21:58.284251454 +0100
@ -372,8 +244,8 @@ diff -up openssh-6.8p1/ssh-agent.c.coverity openssh-6.8p1/ssh-agent.c
 +	(void) setegid(getgid());
 +	(void) setgid(getgid());
 
- #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
- 	/* Disable ptrace on Linux without sgid bit */
+ 	platform_disable_tracing(0);	/* strict=no */
+ 
 diff -up openssh-6.8p1/sshd.c.coverity openssh-6.8p1/sshd.c
 --- openssh-6.8p1/sshd.c.coverity	2015-03-18 17:21:51.893264839 +0100
 +++ openssh-6.8p1/sshd.c	2015-03-18 17:21:58.284251454 +0100
@ -398,4 +270,4 @@ diff -up openssh-6.8p1/sshd.c.coverity openssh-6.8p1/sshd.c
 +		free(fdset);
 }
 
- 
+ /*
--- a/openssh-7.0p1-show-more-fingerprints.patch
+++ b/openssh-7.0p1-show-more-fingerprints.patch
@ -127,8 +127,8 @@ index 1d03bdf..6af4c62 100644
 {
 	u_int i;
@@ -2259,7 +2274,6 @@ dump_client_config(Options *o, const char *host)
- 	dump_cfg_fmtint(oControlMaster, o->control_master);
 	dump_cfg_fmtint(oEnableSSHKeysign, o->enable_ssh_keysign);
+ 	dump_cfg_fmtint(oClearAllForwardings, o->clear_forwardings);
 	dump_cfg_fmtint(oExitOnForwardFailure, o->exit_on_forward_failure);
 -	dump_cfg_fmtint(oFingerprintHash, o->fingerprint_hash);
 	dump_cfg_fmtint(oForwardAgent, o->forward_agent);
--- a/openssh-7.2p1-audit.patch
+++ b/openssh-7.2p1-audit.patch
@ -850,7 +850,7 @@ diff -up openssh-7.2p1/auth.c.audit openssh-7.2p1/auth.c
 +++ openssh-7.2p1/auth.c	2016-02-12 18:24:34.220825178 +0100
@@ -646,9 +646,6 @@ getpwnamallow(const char *user)
 		record_failed_login(user,
- 		    get_canonical_hostname(options.use_dns), "ssh");
+ 		    auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
 #endif
 -#ifdef SSH_AUDIT_EVENTS
 -		audit_event(SSH_INVALID_USER);
@ -1084,7 +1084,7 @@ diff -up openssh-7.2p1/kex.h.audit openssh-7.2p1/kex.h
 
 +void	newkeys_destroy(struct newkeys *newkeys);
 +
- int	 kex_dh_hash(const char *, const char *,
+ int	 kex_dh_hash(int, const char *, const char *,
     const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
     const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *);
 diff -up openssh-7.2p1/key.h.audit openssh-7.2p1/key.h
@ -1126,8 +1126,8 @@ diff -up openssh-7.2p1/mac.h.audit openssh-7.2p1/mac.h
 --- openssh-7.2p1/mac.h.audit	2016-02-12 11:47:25.000000000 +0100
 +++ openssh-7.2p1/mac.h	2016-02-12 18:24:34.222825177 +0100
@@ -47,5 +47,6 @@ int	 mac_init(struct sshmac *);
- int	 mac_compute(struct sshmac *, u_int32_t, const u_char *, int,
-     u_char *, size_t);
+ int	 mac_check(struct sshmac *, u_int32_t, const u_char *, size_t,
+     const u_char *, size_t);
 void	 mac_clear(struct sshmac *);
 +void	 mac_destroy(struct sshmac *);
 
@ -1139,8 +1139,8 @@ diff -up openssh-7.2p1/Makefile.in.audit openssh-7.2p1/Makefile.in
 	kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
 	kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
 	kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
-	platform-pledge.o
-+	platform-pledge.o auditstub.o
+-	platform-pledge.o platform-tracing.o
+	platform-pledge.o platform-tracing.o auditstub.o
 
 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
 	sshconnect.o sshconnect1.o sshconnect2.o mux.o
@ -1618,9 +1618,9 @@ diff -up openssh-7.2p1/monitor_wrap.h.audit openssh-7.2p1/monitor_wrap.h
 --- openssh-7.2p1/monitor_wrap.h.audit	2016-02-12 18:24:34.152825204 +0100
 +++ openssh-7.2p1/monitor_wrap.h	2016-02-12 18:24:34.224825176 +0100
@@ -52,7 +52,8 @@ int mm_key_allowed(enum mm_keytype, char
- int mm_user_key_allowed(struct passwd *, Key *, int);
- int mm_hostbased_key_allowed(struct passwd *, char *, char *, Key *);
- int mm_auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
+     const char *, Key *);
+ int mm_auth_rhosts_rsa_key_allowed(struct passwd *, const char *,
+     const char *, Key *);
 -int mm_key_verify(Key *, u_char *, u_int, u_char *, u_int);
 +int mm_hostbased_key_verify(Key *, u_char *, u_int, u_char *, u_int);
 +int mm_user_key_verify(Key *, u_char *, u_int, u_char *, u_int);
@ -1962,13 +1962,15 @@ diff -up openssh-7.2p1/session.c.audit openssh-7.2p1/session.c
 void
 do_cleanup(Authctxt *authctxt)
 {
-@@ -2793,5 +2861,5 @@ do_cleanup(Authctxt *authctxt)
+@@ -2793,7 +2861,7 @@ do_cleanup(Authctxt *authctxt)
 	 * or if running in monitor.
 	 */
 	if (!use_privsep || mm_is_monitor())
 -		session_destroy_all(session_pty_cleanup2);
 +		session_destroy_all(do_cleanup_one_session);
 }
+ 
+ /* Return a name for the remote host that fits inside utmp_size */
 diff -up openssh-7.2p1/session.h.audit openssh-7.2p1/session.h
 --- openssh-7.2p1/session.h.audit	2016-02-26 04:40:04.000000000 +0100
 +++ openssh-7.2p1/session.h	2016-03-04 14:25:52.641329882 +0100
--- a/openssh-7.2p1-fips.patch
+++ b/openssh-7.2p1-fips.patch
@ -114,9 +114,9 @@ diff -up openssh-7.2p1/kex.c.fips openssh-7.2p1/kex.c
 --- openssh-7.2p1/kex.c.fips	2016-02-12 18:53:56.084665234 +0100
 +++ openssh-7.2p1/kex.c	2016-02-12 18:53:56.091665235 +0100
@@ -35,6 +35,7 @@
- 
 #ifdef WITH_OPENSSL
 #include <openssl/crypto.h>
+ #include <openssl/dh.h>
 +#include <openssl/fips.h>
 #endif
 
@ -281,8 +281,8 @@ diff -up openssh-7.2p1/Makefile.in.fips openssh-7.2p1/Makefile.in
 -	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
 +	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
 
- scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o utf8_stringprep.o
- 	$(LD) -o $@ scp.o progressmeter.o bufaux.o utf8_stringprep.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
+ 	$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 
 ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
 -	$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
@ -433,7 +433,7 @@ diff -up openssh-7.2p1/ssh.c.fips openssh-7.2p1/ssh.c
 #ifndef HAVE_SETPROCTITLE
 	/* Prepare for later setproctitle emulation */
@@ -608,6 +618,9 @@ main(int ac, char **av)
- 	    "ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
+ 	    "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
 		switch (opt) {
 		case '1':
 +			if (FIPS_mode()) {
--- a/openssh-7.2p1-gsskex.patch
+++ b/openssh-7.2p1-gsskex.patch
@ -179,7 +179,7 @@ diff -up openssh-7.2p1/configure.ac.gsskex openssh-7.2p1/configure.ac
 +		[AC_MSG_RESULT(no)]
 +	)
 	m4_pattern_allow([AU_IPv])
- 	AC_CHECK_DECL([AU_IPv4], [], 
+ 	AC_CHECK_DECL([AU_IPv4], [],
 	    AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
 diff -up openssh-7.2p1/gss-genr.c.gsskex openssh-7.2p1/gss-genr.c
 --- openssh-7.2p1/gss-genr.c.gsskex	2016-02-12 11:47:25.000000000 +0100
@ -1392,6 +1392,7 @@ diff -up openssh-7.2p1/kexgsss.c.gsskex openssh-7.2p1/kexgsss.c
 +	u_char *kbuf;
 +	DH *dh;
 +	int min = -1, max = -1, nbits = -1;
+	int cmin = -1, cmax = -1; /* client proposal */
 +	BIGNUM *shared_secret = NULL;
 +	BIGNUM *dh_client_pub = NULL;
 +	int type = 0;
@ -1430,11 +1431,12 @@ diff -up openssh-7.2p1/kexgsss.c.gsskex openssh-7.2p1/kexgsss.c
 +	case KEX_GSS_GEX_SHA1:
 +		debug("Doing group exchange");
 +		packet_read_expect(SSH2_MSG_KEXGSS_GROUPREQ);
-+		min = packet_get_int();
+		/* store client proposal to provide valid signature */
+		cmin = packet_get_int();
 +		nbits = packet_get_int();
-+		max = packet_get_int();
-+		min = MAX(DH_GRP_MIN, min);
-+		max = MIN(DH_GRP_MAX, max);
+		cmax = packet_get_int();
+		min = MAX(DH_GRP_MIN, cmin);
+		max = MIN(DH_GRP_MAX, cmax);
 +		packet_check_eom();
 +		if (max < min || nbits < min || max < nbits)
 +			fatal("GSS_GEX, bad parameters: %d !< %d !< %d",
@ -1557,7 +1559,7 @@ diff -up openssh-7.2p1/kexgsss.c.gsskex openssh-7.2p1/kexgsss.c
 +		    buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer),
 +		    buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my),
 +		    NULL, 0,
-+		    min, nbits, max,
+		    cmin, nbits, cmax,
 +		    dh->p, dh->g,
 +		    dh_client_pub,
 +		    dh->pub_key,
@ -1653,14 +1655,14 @@ diff -up openssh-7.2p1/kex.h.gsskex openssh-7.2p1/kex.h
 +int	 kexgss_server(struct ssh *);
 +#endif
 
- int	 kex_dh_hash(const char *, const char *,
+ int	 kex_dh_hash(int, const char *, const char *,
     const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
-diff -up openssh-7.2p1/Makefile.in.gsskex openssh-7.2p1/Makefile.in
--- openssh-7.2p1/Makefile.in.gsskex	2016-02-19 10:01:04.864969325 +0100
-+++ openssh-7.2p1/Makefile.in	2016-02-19 10:01:04.868969323 +0100
+diff -up openssh/Makefile.in.gsskex openssh/Makefile.in
+--- openssh/Makefile.in.gsskex	2016-07-25 14:11:42.978324182 +0200
+++ openssh/Makefile.in	2016-07-25 14:14:15.560289050 +0200
@@ -90,6 +90,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
 	readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
- 	atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o \
+ 	atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o utf8.o \
 	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
 +	kexgssc.o \
 	msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
@ -2064,21 +2066,21 @@ diff -up openssh-7.2p1/readconf.h.gsskex openssh-7.2p1/readconf.h
 	int     password_authentication;	/* Try password
 						 * authentication. */
 	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
-diff -up openssh-7.2p1/regress/cert-hostkey.sh.gsskex openssh-7.2p1/regress/cert-hostkey.sh
--- openssh-7.2p1/regress/cert-hostkey.sh.gsskex	2016-02-12 11:47:25.000000000 +0100
-+++ openssh-7.2p1/regress/cert-hostkey.sh	2016-02-19 10:01:04.870969322 +0100
-@@ -46,7 +46,7 @@ touch $OBJ/host_revoked_plain
+diff -up openssh/regress/cert-hostkey.sh.gsskex openssh/regress/cert-hostkey.sh
+--- openssh/regress/cert-hostkey.sh.gsskex	2016-07-25 14:11:42.986324181 +0200
+++ openssh/regress/cert-hostkey.sh	2016-07-25 14:15:17.784274722 +0200
+@@ -59,7 +59,7 @@ touch $OBJ/host_revoked_plain
 touch $OBJ/host_revoked_cert
- cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca
+ cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca
 
 -PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
 +PLAIN_TYPES=`$SSH -Q key-plain | grep -v null | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
 
- # Prepare certificate, plain key and CA KRLs
- ${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed"
-diff -up openssh-7.2p1/regress/cert-userkey.sh.gsskex openssh-7.2p1/regress/cert-userkey.sh
--- openssh-7.2p1/regress/cert-userkey.sh.gsskex	2016-02-12 11:47:25.000000000 +0100
-+++ openssh-7.2p1/regress/cert-userkey.sh	2016-02-19 10:01:04.870969322 +0100
+ if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
+ 	PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
+diff -up openssh/regress/cert-userkey.sh.gsskex openssh/regress/cert-userkey.sh
+--- openssh/regress/cert-userkey.sh.gsskex	2016-07-25 14:11:42.986324181 +0200
+++ openssh/regress/cert-userkey.sh	2016-07-25 14:15:36.769270354 +0200
@@ -7,7 +7,7 @@ rm -f $OBJ/authorized_keys_$USER $OBJ/us
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
 cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
@ -2086,11 +2088,11 @@ diff -up openssh-7.2p1/regress/cert-userkey.sh.gsskex openssh-7.2p1/regress/cert
 -PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
 +PLAIN_TYPES=`$SSH -Q key-plain | grep -v null | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
 
- kname() {
- 	n=`echo "$1" | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/'`
-diff -up openssh-7.2p1/regress/kextype.sh.gsskex openssh-7.2p1/regress/kextype.sh
--- openssh-7.2p1/regress/kextype.sh.gsskex	2016-02-12 11:47:25.000000000 +0100
-+++ openssh-7.2p1/regress/kextype.sh	2016-02-19 10:01:04.870969322 +0100
+ if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then
+ 	PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512"
+diff -up openssh/regress/kextype.sh.gsskex openssh/regress/kextype.sh
+--- openssh/regress/kextype.sh.gsskex	2016-07-24 13:50:13.000000000 +0200
+++ openssh/regress/kextype.sh	2016-07-25 14:11:42.987324180 +0200
@@ -14,6 +14,9 @@ echo "KexAlgorithms=$KEXOPT" >> $OBJ/ssh
 
 tries="1 2 3 4"
@ -2739,41 +2741,3 @@ diff -up openssh-7.2p1/sshkey.h.gsskex openssh-7.2p1/sshkey.h
 	KEY_UNSPEC
 };
 
-diff --git a/kexgsss.c b/kexgsss.c
-index b2f9658..2d33ff7 100644
--- a/kexgsss.c
-+++ b/kexgsss.c
-@@ -69,6 +69,7 @@ kexgss_server(struct ssh *ssh)
- 	u_char *kbuf;
- 	DH *dh;
- 	int min = -1, max = -1, nbits = -1;
-+	int cmin = -1, cmax = -1; /* client proposal */
- 	BIGNUM *shared_secret = NULL;
- 	BIGNUM *dh_client_pub = NULL;
- 	int type = 0;
-@@ -107,11 +108,12 @@ kexgss_server(struct ssh *ssh)
- 	case KEX_GSS_GEX_SHA1:
- 		debug("Doing group exchange");
- 		packet_read_expect(SSH2_MSG_KEXGSS_GROUPREQ);
-		min = packet_get_int();
-+		/* store client proposal to provide valid signature */
-+		cmin = packet_get_int();
- 		nbits = packet_get_int();
-		max = packet_get_int();
-		min = MAX(DH_GRP_MIN, min);
-		max = MIN(DH_GRP_MAX, max);
-+		cmax = packet_get_int();
-+		min = MAX(DH_GRP_MIN, cmin);
-+		max = MIN(DH_GRP_MAX, cmax);
- 		packet_check_eom();
- 		if (max < min || nbits < min || max < nbits)
- 			fatal("GSS_GEX, bad parameters: %d !< %d !< %d",
-@@ -234,7 +236,7 @@ kexgss_server(struct ssh *ssh)
- 		    buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer),
- 		    buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my),
- 		    NULL, 0,
-		    min, nbits, max,
-+		    cmin, nbits, cmax,
- 		    dh->p, dh->g,
- 		    dh_client_pub,
- 		    dh->pub_key,
--- a/openssh-7.2p2-expose-pam.patch
+++ b/openssh-7.2p2-expose-pam.patch
@ -331,8 +331,8 @@ diff -up openssh-7.2p2/servconf.c.expose-pam openssh-7.2p2/servconf.c
 	M_CP_INTOPT(rekey_interval);
 +	M_CP_INTOPT(expose_auth_methods);
 
- 	/* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */
- #define M_CP_STROPT(n) do {\
+ 	/*
+ 	 * The bind_mask is a mode_t that may be unsigned, so we can't use
@@ -2181,6 +2198,8 @@ fmt_intarg(ServerOpCodes code, int val)
 		return fmt_multistate_int(val, multistate_tcpfwd);
 	case sFingerprintHash: