From 5878ebb50ee2dad81112f4e63ec22b2471a5d25c Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Mon, 25 Jul 2016 16:21:15 +0200 Subject: [PATCH] Most of the coverity patch applied upstream, context changes for rebase --- openssh-5.8p1-packet.patch | 6 +- openssh-6.6.1p1-log-in-chroot.patch | 2 +- openssh-6.6p1-allow-ip-opts.patch | 31 +++-- openssh-6.6p1-entropy.patch | 2 +- openssh-6.6p1-kuserok.patch | 2 +- openssh-6.6p1-redhat.patch | 2 +- openssh-6.7p1-coverity.patch | 134 +-------------------- openssh-7.0p1-show-more-fingerprints.patch | 2 +- openssh-7.2p1-audit.patch | 22 ++-- openssh-7.2p1-fips.patch | 8 +- openssh-7.2p1-gsskex.patch | 92 +++++--------- openssh-7.2p2-expose-pam.patch | 4 +- 12 files changed, 72 insertions(+), 235 deletions(-) diff --git a/openssh-5.8p1-packet.patch b/openssh-5.8p1-packet.patch index baccb53..2389903 100644 --- a/openssh-5.8p1-packet.patch +++ b/openssh-5.8p1-packet.patch @@ -7,6 +7,6 @@ diff -up openssh-6.8p1/packet.c.packet openssh-6.8p1/packet.c + if (!state) + return 0; - /* filedescriptors in and out are the same, so it's a socket */ - if (state->connection_in == state->connection_out) - return 1; + if (state->connection_in == -1 || state->connection_out == -1) + return 0; + diff --git a/openssh-6.6.1p1-log-in-chroot.patch b/openssh-6.6.1p1-log-in-chroot.patch index 5889005..46d8382 100644 --- a/openssh-6.6.1p1-log-in-chroot.patch +++ b/openssh-6.6.1p1-log-in-chroot.patch 
@@ -247,8 +247,8 @@ diff -up openssh-6.8p1/sftp-server.c.log-in-chroot openssh-6.8p1/sftp-server.c - log_init(__progname, log_level, log_facility, log_stderr); + log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler); - #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) /* + * On platforms where we can, avoid making /proc/self/{mem,maps} diff -up openssh-6.8p1/sftp.h.log-in-chroot openssh-6.8p1/sftp.h --- openssh-6.8p1/sftp.h.log-in-chroot 2015-03-17 06:49:20.000000000 +0100 +++ openssh-6.8p1/sftp.h 2015-03-18 12:59:29.696022308 +0100 diff --git a/openssh-6.6p1-allow-ip-opts.patch b/openssh-6.6p1-allow-ip-opts.patch index e56d8aa..953d613 100644 --- a/openssh-6.6p1-allow-ip-opts.patch +++ b/openssh-6.6p1-allow-ip-opts.patch @@ -1,20 +1,19 @@ -diff --git a/canohost.c b/canohost.c -index a61a8c9..97ce58c 100644 ---- a/canohost.c -+++ b/canohost.c -@@ -165,12 +165,29 @@ check_ip_options(int sock, char *ipaddr) - option_size = sizeof(options); - if (getsockopt(sock, ipproto, IP_OPTIONS, options, +diff -up openssh/sshd.c.ip-opts openssh/sshd.c +--- openssh/sshd.c.ip-opts 2016-07-25 13:58:48.998507834 +0200 ++++ openssh/sshd.c 2016-07-25 14:01:28.346469878 +0200 +@@ -1507,12 +1507,29 @@ check_ip_options(struct ssh *ssh) + + if (getsockopt(sock_in, IPPROTO_IP, IP_OPTIONS, opts, &option_size) >= 0 && option_size != 0) { - text[0] = '\0'; - for (i = 0; i < option_size; i++) - snprintf(text + i*3, sizeof(text) - i*3, -- " %2.2x", options[i]); -- fatal("Connection from %.100s with IP options:%.800s", -- ipaddr, text); +- " %2.2x", opts[i]); +- fatal("Connection from %.100s port %d with IP opts: %.800s", +- ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), text); + i = 0; + do { -+ switch (options[i]) { ++ switch (opts[i]) { + case 0: + case 1: + ++i; @@ -22,7 +21,7 @@ index a61a8c9..97ce58c 100644 + case 130: + case 133: + case 134: -+ i += options[i + 1]; ++ i += opts[i + 1]; + break; + default: + /* Fail, fatally, if we detect either loose or strict 
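Review bot: The option length byte in `i += opts[i + 1];` (cases 130, 133 and 134) is used without any check. A length of 0 leaves `i` unchanged, so the `do … while (i < option_size)` loop would not terminate, and an option type sitting in the last byte makes `opts[i + 1]` read past the bytes getsockopt filled in. The kernel may already reject such options, but these bytes describe the connecting peer's packet, so a local guard before the increment is cheap: `if (i + 1 >= option_size || opts[i + 1] < 2) fatal("Connection from %.100s port %d with malformed IP options", ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));`. The rest of check_ip_options, including the declarations of `i` and `option_size`, lies outside this hunk.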
@@ -30,11 +29,11 @@ index a61a8c9..97ce58c 100644 + text[0] = '\0'; + for (i = 0; i < option_size; i++) + snprintf(text + i*3, sizeof(text) - i*3, -+ " %2.2x", options[i]); -+ fatal("Connection from %.100s with IP options:%.800s", -+ ipaddr, text); ++ " %2.2x", opts[i]); ++ fatal("Connection from %.100s port %d with IP options:%.800s", ++ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), text); + } + } while (i < option_size); } + return; #endif /* IP_OPTIONS */ - } diff --git a/openssh-6.6p1-entropy.patch b/openssh-6.6p1-entropy.patch index 9daa63c..b023ddc 100644 --- a/openssh-6.6p1-entropy.patch +++ b/openssh-6.6p1-entropy.patch @@ -18,7 +18,7 @@ index 843225d..041bbab 100644 +++ b/openbsd-compat/Makefile.in @@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o di - COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o + COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-err.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o -PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o +PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o diff --git a/openssh-6.6p1-kuserok.patch b/openssh-6.6p1-kuserok.patch index ebb0196..192b9c3 100644 --- a/openssh-6.6p1-kuserok.patch +++ b/openssh-6.6p1-kuserok.patch @@ -235,7 +235,7 @@ diff -up openssh-7.0p1/servconf.c.kuserok openssh-7.0p1/servconf.c M_CP_INTOPT(rekey_interval); 
@@ -2304,6 +2314,7 @@ dump_config(ServerOptions *o) - dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding); + dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink); dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); + dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok); diff --git a/openssh-6.6p1-redhat.patch b/openssh-6.6p1-redhat.patch index ec73cae..6ebd1e4 100644 --- a/openssh-6.6p1-redhat.patch +++ b/openssh-6.6p1-redhat.patch @@ -52,8 +52,8 @@ index c735429..e68ddee 100644 # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h @@ -36,6 +40,7 @@ + # Logging - # obsoletes QuietMode and FascistLogging #SyslogFacility AUTH +SyslogFacility AUTHPRIV #LogLevel INFO diff --git a/openssh-6.7p1-coverity.patch b/openssh-6.7p1-coverity.patch index 73fe662..143ebad 100644 --- a/openssh-6.7p1-coverity.patch +++ b/openssh-6.7p1-coverity.patch @@ -1,20 +1,3 @@ -diff -up openssh-6.8p1/auth-pam.c.coverity openssh-6.8p1/auth-pam.c ---- openssh-6.8p1/auth-pam.c.coverity 2015-03-18 17:21:51.792265051 +0100 -+++ openssh-6.8p1/auth-pam.c 2015-03-18 17:21:51.895264835 +0100 -@@ -216,7 +216,12 @@ pthread_join(sp_pthread_t thread, void * - if (sshpam_thread_status != -1) - return (sshpam_thread_status); - signal(SIGCHLD, sshpam_oldsig); -- waitpid(thread, &status, 0); -+ while (waitpid(thread, &status, 0) < 0) { -+ if (errno == EINTR) -+ continue; -+ fatal("%s: waitpid: %s", __func__, -+ strerror(errno)); -+ } - return (status); - } - #endif diff -up openssh-6.8p1/channels.c.coverity openssh-6.8p1/channels.c --- openssh-6.8p1/channels.c.coverity 2015-03-18 17:21:51.815265002 +0100 +++ openssh-6.8p1/channels.c 2015-03-18 17:21:51.896264833 +0100 
@@ -60,27 +43,6 @@ diff -up openssh-6.8p1/monitor.c.coverity openssh-6.8p1/monitor.c ; close(pmonitor->m_sendfd); -@@ -1303,6 +1303,10 @@ mm_answer_keyallowed(int sock, Buffer *m - break; - } - } -+ -+ debug3("%s: key %p is %s", -+ __func__, key, allowed ? "allowed" : "not allowed"); -+ - if (key != NULL) - key_free(key); - -@@ -1324,9 +1328,6 @@ mm_answer_keyallowed(int sock, Buffer *m - free(chost); - } - -- debug3("%s: key %p is %s", -- __func__, key, allowed ? "allowed" : "not allowed"); -- - buffer_clear(m); - buffer_put_int(m, allowed); - buffer_put_int(m, forced_command != NULL); diff -up openssh-6.8p1/monitor_wrap.c.coverity openssh-6.8p1/monitor_wrap.c --- openssh-6.8p1/monitor_wrap.c.coverity 2015-03-18 17:21:51.888264849 +0100 +++ openssh-6.8p1/monitor_wrap.c 2015-03-18 17:21:51.897264831 +0100 
@@ -270,96 +232,6 @@ diff -up openssh-6.8p1/sftp.c.coverity openssh-6.8p1/sftp.c } _exit(1); -@@ -335,7 +335,7 @@ local_do_ls(const char *args) - - /* Strip one path (usually the pwd) from the start of another */ - static char * --path_strip(char *path, char *strip) -+path_strip(const char *path, const char *strip) - { - size_t len; - -@@ -353,7 +353,7 @@ path_strip(char *path, char *strip) - } - - static char * --make_absolute(char *p, char *pwd) -+make_absolute(char *p, const char *pwd) - { - char *abs_str; - -@@ -551,7 +551,7 @@ parse_no_flags(const char *cmd, char **a - } - - static int --is_dir(char *path) -+is_dir(const char *path) - { - struct stat sb; - -@@ -563,7 +563,7 @@ is_dir(char *path) - } - - static int --remote_is_dir(struct sftp_conn *conn, char *path) -+remote_is_dir(struct sftp_conn *conn, const char *path) - { - Attrib *a; - -@@ -577,7 +577,7 @@ remote_is_dir(struct sftp_conn *conn, ch - - /* Check whether path returned from glob(..., GLOB_MARK, ...) is a directory */ - static int --pathname_is_dir(char *pathname) -+pathname_is_dir(const char *pathname) - { - size_t l = strlen(pathname); - -@@ -585,7 +585,7 @@ pathname_is_dir(char *pathname) - } - - static int --process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd, -+process_get(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd, - int pflag, int rflag, int resume, int fflag) - { - char *abs_src = NULL; -@@ -669,7 +669,7 @@ out: - } - - static int --process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd, -+process_put(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd, - int pflag, int rflag, int resume, int fflag) - { - char *tmp_dst = NULL; -@@ -779,7 +779,7 @@ sdirent_comp(const void *aa, const void - - /* sftp ls.1 replacement for directories */ - static int --do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag) -+do_ls_dir(struct sftp_conn *conn, const char *path, const char *strip_path, int 
lflag) - { - int n; - u_int c = 1, colspace = 0, columns = 1; -@@ -864,7 +864,7 @@ do_ls_dir(struct sftp_conn *conn, char * - - /* sftp ls.1 replacement which handles path globs */ - static int --do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path, -+do_globbed_ls(struct sftp_conn *conn, const char *path, const char *strip_path, - int lflag) - { - char *fname, *lname; -@@ -949,7 +949,7 @@ do_globbed_ls(struct sftp_conn *conn, ch - } - - static int --do_df(struct sftp_conn *conn, char *path, int hflag, int iflag) -+do_df(struct sftp_conn *conn, const char *path, int hflag, int iflag) - { - struct sftp_statvfs st; - char s_used[FMT_SCALED_STRSIZE]; diff -up openssh-6.8p1/ssh-agent.c.coverity openssh-6.8p1/ssh-agent.c --- openssh-6.8p1/ssh-agent.c.coverity 2015-03-17 06:49:20.000000000 +0100 +++ openssh-6.8p1/ssh-agent.c 2015-03-18 17:21:58.284251454 +0100 @@ -372,8 +244,8 @@ diff -up openssh-6.8p1/ssh-agent.c.coverity openssh-6.8p1/ssh-agent.c + (void) setegid(getgid()); + (void) setgid(getgid()); - #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) - /* Disable ptrace on Linux without sgid bit */ + platform_disable_tracing(0); /* strict=no */ + diff -up openssh-6.8p1/sshd.c.coverity openssh-6.8p1/sshd.c --- openssh-6.8p1/sshd.c.coverity 2015-03-18 17:21:51.893264839 +0100 +++ openssh-6.8p1/sshd.c 2015-03-18 17:21:58.284251454 +0100 @@ -398,4 +270,4 @@ diff -up openssh-6.8p1/sshd.c.coverity openssh-6.8p1/sshd.c + free(fdset); } - + /* diff --git a/openssh-7.0p1-show-more-fingerprints.patch b/openssh-7.0p1-show-more-fingerprints.patch index 52c7d73..2666842 100644 --- a/openssh-7.0p1-show-more-fingerprints.patch +++ b/openssh-7.0p1-show-more-fingerprints.patch @@ -127,8 +127,8 @@ index 1d03bdf..6af4c62 100644 { u_int i; 
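Review bot: The `(void)` casts on `setegid(getgid())` and `setgid(getgid())` in the ssh-agent.c section discard the result of a privilege drop, which quiets the checker without handling a failure. If either call failed, the agent would presumably continue with its original group IDs. Checking the result in the style used elsewhere in this patch set makes the failure visible: `if (setegid(getgid()) != 0 || setgid(getgid()) != 0) fatal("%s: setgid: %s", __func__, strerror(errno));`. This rebase carries the two lines only as context, and the enclosing function is outside the hunk.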
@@ -2259,7 +2274,6 @@ dump_client_config(Options *o, const char *host) - dump_cfg_fmtint(oControlMaster, o->control_master); dump_cfg_fmtint(oEnableSSHKeysign, o->enable_ssh_keysign); + dump_cfg_fmtint(oClearAllForwardings, o->clear_forwardings); dump_cfg_fmtint(oExitOnForwardFailure, o->exit_on_forward_failure); - dump_cfg_fmtint(oFingerprintHash, o->fingerprint_hash); dump_cfg_fmtint(oForwardAgent, o->forward_agent); diff --git a/openssh-7.2p1-audit.patch b/openssh-7.2p1-audit.patch index 35bed50..9fdd075 100644 --- a/openssh-7.2p1-audit.patch +++ b/openssh-7.2p1-audit.patch @@ -850,7 +850,7 @@ diff -up openssh-7.2p1/auth.c.audit openssh-7.2p1/auth.c +++ openssh-7.2p1/auth.c 2016-02-12 18:24:34.220825178 +0100 @@ -646,9 +646,6 @@ getpwnamallow(const char *user) record_failed_login(user, - get_canonical_hostname(options.use_dns), "ssh"); + auth_get_canonical_hostname(ssh, options.use_dns), "ssh"); #endif -#ifdef SSH_AUDIT_EVENTS - audit_event(SSH_INVALID_USER); @@ -1084,7 +1084,7 @@ diff -up openssh-7.2p1/kex.h.audit openssh-7.2p1/kex.h +void newkeys_destroy(struct newkeys *newkeys); + - int kex_dh_hash(const char *, const char *, + int kex_dh_hash(int, const char *, const char *, const u_char *, size_t, const u_char *, size_t, const u_char *, size_t, const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *); diff -up openssh-7.2p1/key.h.audit openssh-7.2p1/key.h @@ -1126,8 +1126,8 @@ diff -up openssh-7.2p1/mac.h.audit openssh-7.2p1/mac.h --- openssh-7.2p1/mac.h.audit 2016-02-12 11:47:25.000000000 +0100 +++ openssh-7.2p1/mac.h 2016-02-12 18:24:34.222825177 +0100 @@ -47,5 +47,6 @@ int mac_init(struct sshmac *); - int mac_compute(struct sshmac *, u_int32_t, const u_char *, int, - u_char *, size_t); + int mac_check(struct sshmac *, u_int32_t, const u_char *, size_t, + const u_char *, size_t); void mac_clear(struct sshmac *); +void mac_destroy(struct sshmac *); 
@@ -1139,8 +1139,8 @@ diff -up openssh-7.2p1/Makefile.in.audit openssh-7.2p1/Makefile.in kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \ kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \ kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \ -- platform-pledge.o -+ platform-pledge.o auditstub.o +- platform-pledge.o platform-tracing.o ++ platform-pledge.o platform-tracing.o auditstub.o SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect1.o sshconnect2.o mux.o @@ -1618,9 +1618,9 @@ diff -up openssh-7.2p1/monitor_wrap.h.audit openssh-7.2p1/monitor_wrap.h --- openssh-7.2p1/monitor_wrap.h.audit 2016-02-12 18:24:34.152825204 +0100 +++ openssh-7.2p1/monitor_wrap.h 2016-02-12 18:24:34.224825176 +0100 @@ -52,7 +52,8 @@ int mm_key_allowed(enum mm_keytype, char - int mm_user_key_allowed(struct passwd *, Key *, int); - int mm_hostbased_key_allowed(struct passwd *, char *, char *, Key *); - int mm_auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *); + const char *, Key *); + int mm_auth_rhosts_rsa_key_allowed(struct passwd *, const char *, + const char *, Key *); -int mm_key_verify(Key *, u_char *, u_int, u_char *, u_int); +int mm_hostbased_key_verify(Key *, u_char *, u_int, u_char *, u_int); +int mm_user_key_verify(Key *, u_char *, u_int, u_char *, u_int); @@ -1962,13 +1962,15 @@ diff -up openssh-7.2p1/session.c.audit openssh-7.2p1/session.c void do_cleanup(Authctxt *authctxt) { -@@ -2793,5 +2861,5 @@ do_cleanup(Authctxt *authctxt) +@@ -2793,7 +2861,7 @@ do_cleanup(Authctxt *authctxt) * or if running in monitor. */ if (!use_privsep || mm_is_monitor()) - session_destroy_all(session_pty_cleanup2); + session_destroy_all(do_cleanup_one_session); } + + /* Return a name for the remote host that fits inside utmp_size */ diff -up openssh-7.2p1/session.h.audit openssh-7.2p1/session.h --- openssh-7.2p1/session.h.audit 2016-02-26 04:40:04.000000000 +0100 +++ openssh-7.2p1/session.h 2016-03-04 14:25:52.641329882 +0100 
diff --git a/openssh-7.2p1-fips.patch b/openssh-7.2p1-fips.patch index 45ac0f0..5de7483 100644 --- a/openssh-7.2p1-fips.patch +++ b/openssh-7.2p1-fips.patch @@ -114,9 +114,9 @@ diff -up openssh-7.2p1/kex.c.fips openssh-7.2p1/kex.c --- openssh-7.2p1/kex.c.fips 2016-02-12 18:53:56.084665234 +0100 +++ openssh-7.2p1/kex.c 2016-02-12 18:53:56.091665235 +0100 @@ -35,6 +35,7 @@ - #ifdef WITH_OPENSSL #include + #include +#include #endif @@ -281,8 +281,8 @@ diff -up openssh-7.2p1/Makefile.in.fips openssh-7.2p1/Makefile.in - $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) + $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS) - scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o utf8_stringprep.o - $(LD) -o $@ scp.o progressmeter.o bufaux.o utf8_stringprep.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o + $(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o - $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) @@ -433,7 +433,7 @@ diff -up openssh-7.2p1/ssh.c.fips openssh-7.2p1/ssh.c #ifndef HAVE_SETPROCTITLE /* Prepare for later setproctitle emulation */ @@ -608,6 +618,9 @@ main(int ac, char **av) - "ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { + "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { switch (opt) { case '1': + if (FIPS_mode()) { diff --git a/openssh-7.2p1-gsskex.patch b/openssh-7.2p1-gsskex.patch index 4544c54..d68a50c 100644 --- a/openssh-7.2p1-gsskex.patch +++ b/openssh-7.2p1-gsskex.patch 
@@ -179,7 +179,7 @@ diff -up openssh-7.2p1/configure.ac.gsskex openssh-7.2p1/configure.ac + [AC_MSG_RESULT(no)] + ) m4_pattern_allow([AU_IPv]) - AC_CHECK_DECL([AU_IPv4], [], + AC_CHECK_DECL([AU_IPv4], [], AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records]) diff -up openssh-7.2p1/gss-genr.c.gsskex openssh-7.2p1/gss-genr.c --- openssh-7.2p1/gss-genr.c.gsskex 2016-02-12 11:47:25.000000000 +0100 @@ -1392,6 +1392,7 @@ diff -up openssh-7.2p1/kexgsss.c.gsskex openssh-7.2p1/kexgsss.c + u_char *kbuf; + DH *dh; + int min = -1, max = -1, nbits = -1; ++ int cmin = -1, cmax = -1; /* client proposal */ + BIGNUM *shared_secret = NULL; + BIGNUM *dh_client_pub = NULL; + int type = 0; @@ -1430,11 +1431,12 @@ diff -up openssh-7.2p1/kexgsss.c.gsskex openssh-7.2p1/kexgsss.c + case KEX_GSS_GEX_SHA1: + debug("Doing group exchange"); + packet_read_expect(SSH2_MSG_KEXGSS_GROUPREQ); -+ min = packet_get_int(); ++ /* store client proposal to provide valid signature */ ++ cmin = packet_get_int(); + nbits = packet_get_int(); -+ max = packet_get_int(); -+ min = MAX(DH_GRP_MIN, min); -+ max = MIN(DH_GRP_MAX, max); ++ cmax = packet_get_int(); ++ min = MAX(DH_GRP_MIN, cmin); ++ max = MIN(DH_GRP_MAX, cmax); + packet_check_eom(); + if (max < min || nbits < min || max < nbits) + fatal("GSS_GEX, bad parameters: %d !< %d !< %d", @@ -1557,7 +1559,7 @@ diff -up openssh-7.2p1/kexgsss.c.gsskex openssh-7.2p1/kexgsss.c + buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer), + buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my), + NULL, 0, -+ min, nbits, max, ++ cmin, nbits, cmax, + dh->p, dh->g, + dh_client_pub, + dh->pub_key, 
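Review bot: The added comment `/* store client proposal to provide valid signature */` in the `@@ -1430,11 +1431,12 @@` hunk is imprecise about why two pairs of bounds now exist. The `@@ -1557,7 +1559,7 @@` hunk passes `cmin, nbits, cmax` into what appears to be the exchange-hash computation, while the clamped `min`/`max` feed the range check visible here. Wording such as `/* keep the client's unclamped min/max: they go into the exchange hash; the clamped values are used for the bounds check */` would stop a later cleanup from merging the variables again. The `int cmin = -1, cmax = -1; /* client proposal */` declaration could carry the same explanation. The body of kexgss_server continues outside both hunks.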
@@ -1653,14 +1655,14 @@ diff -up openssh-7.2p1/kex.h.gsskex openssh-7.2p1/kex.h +int kexgss_server(struct ssh *); +#endif - int kex_dh_hash(const char *, const char *, + int kex_dh_hash(int, const char *, const char *, const u_char *, size_t, const u_char *, size_t, const u_char *, size_t, -diff -up openssh-7.2p1/Makefile.in.gsskex openssh-7.2p1/Makefile.in ---- openssh-7.2p1/Makefile.in.gsskex 2016-02-19 10:01:04.864969325 +0100 -+++ openssh-7.2p1/Makefile.in 2016-02-19 10:01:04.868969323 +0100 +diff -up openssh/Makefile.in.gsskex openssh/Makefile.in +--- openssh/Makefile.in.gsskex 2016-07-25 14:11:42.978324182 +0200 ++++ openssh/Makefile.in 2016-07-25 14:14:15.560289050 +0200 @@ -90,6 +90,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \ - atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o \ + atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o utf8.o \ monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ + kexgssc.o \ msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ 
@@ -2064,21 +2066,21 @@ diff -up openssh-7.2p1/readconf.h.gsskex openssh-7.2p1/readconf.h int password_authentication; /* Try password * authentication. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ -diff -up openssh-7.2p1/regress/cert-hostkey.sh.gsskex openssh-7.2p1/regress/cert-hostkey.sh ---- openssh-7.2p1/regress/cert-hostkey.sh.gsskex 2016-02-12 11:47:25.000000000 +0100 -+++ openssh-7.2p1/regress/cert-hostkey.sh 2016-02-19 10:01:04.870969322 +0100 -@@ -46,7 +46,7 @@ touch $OBJ/host_revoked_plain +diff -up openssh/regress/cert-hostkey.sh.gsskex openssh/regress/cert-hostkey.sh +--- openssh/regress/cert-hostkey.sh.gsskex 2016-07-25 14:11:42.986324181 +0200 ++++ openssh/regress/cert-hostkey.sh 2016-07-25 14:15:17.784274722 +0200 +@@ -59,7 +59,7 @@ touch $OBJ/host_revoked_plain touch $OBJ/host_revoked_cert - cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca + cat $OBJ/host_ca_key.pub $OBJ/host_ca_key2.pub > $OBJ/host_revoked_ca -PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` +PLAIN_TYPES=`$SSH -Q key-plain | grep -v null | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'` - # Prepare certificate, plain key and CA KRLs - ${SSHKEYGEN} -kf $OBJ/host_krl_empty || fatal "KRL init failed" -diff -up openssh-7.2p1/regress/cert-userkey.sh.gsskex openssh-7.2p1/regress/cert-userkey.sh ---- openssh-7.2p1/regress/cert-userkey.sh.gsskex 2016-02-12 11:47:25.000000000 +0100 -+++ openssh-7.2p1/regress/cert-userkey.sh 2016-02-19 10:01:04.870969322 +0100 + if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then + PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512" +diff -up openssh/regress/cert-userkey.sh.gsskex openssh/regress/cert-userkey.sh +--- openssh/regress/cert-userkey.sh.gsskex 2016-07-25 14:11:42.986324181 +0200 ++++ openssh/regress/cert-userkey.sh 2016-07-25 14:15:36.769270354 +0200 @@ -7,7 +7,7 @@ rm -f $OBJ/authorized_keys_$USER $OBJ/us cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak 
@@ -2086,11 +2088,11 @@ diff -up openssh-7.2p1/regress/cert-userkey.sh.gsskex openssh-7.2p1/regress/cert -PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` +PLAIN_TYPES=`$SSH -Q key-plain | grep -v null | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'` - kname() { - n=`echo "$1" | sed 's/^dsa/ssh-dss/;s/^rsa/ssh-rsa/;s/^ed/ssh-ed/'` -diff -up openssh-7.2p1/regress/kextype.sh.gsskex openssh-7.2p1/regress/kextype.sh ---- openssh-7.2p1/regress/kextype.sh.gsskex 2016-02-12 11:47:25.000000000 +0100 -+++ openssh-7.2p1/regress/kextype.sh 2016-02-19 10:01:04.870969322 +0100 + if echo "$PLAIN_TYPES" | grep '^rsa$' >/dev/null 2>&1 ; then + PLAIN_TYPES="$PLAIN_TYPES rsa-sha2-256 rsa-sha2-512" +diff -up openssh/regress/kextype.sh.gsskex openssh/regress/kextype.sh +--- openssh/regress/kextype.sh.gsskex 2016-07-24 13:50:13.000000000 +0200 ++++ openssh/regress/kextype.sh 2016-07-25 14:11:42.987324180 +0200 @@ -14,6 +14,9 @@ echo "KexAlgorithms=$KEXOPT" >> $OBJ/ssh tries="1 2 3 4" 
@@ -2739,41 +2741,3 @@ diff -up openssh-7.2p1/sshkey.h.gsskex openssh-7.2p1/sshkey.h KEY_UNSPEC }; -diff --git a/kexgsss.c b/kexgsss.c -index b2f9658..2d33ff7 100644 ---- a/kexgsss.c -+++ b/kexgsss.c -@@ -69,6 +69,7 @@ kexgss_server(struct ssh *ssh) - u_char *kbuf; - DH *dh; - int min = -1, max = -1, nbits = -1; -+ int cmin = -1, cmax = -1; /* client proposal */ - BIGNUM *shared_secret = NULL; - BIGNUM *dh_client_pub = NULL; - int type = 0; -@@ -107,11 +108,12 @@ kexgss_server(struct ssh *ssh) - case KEX_GSS_GEX_SHA1: - debug("Doing group exchange"); - packet_read_expect(SSH2_MSG_KEXGSS_GROUPREQ); -- min = packet_get_int(); -+ /* store client proposal to provide valid signature */ -+ cmin = packet_get_int(); - nbits = packet_get_int(); -- max = packet_get_int(); -- min = MAX(DH_GRP_MIN, min); -- max = MIN(DH_GRP_MAX, max); -+ cmax = packet_get_int(); -+ min = MAX(DH_GRP_MIN, cmin); -+ max = MIN(DH_GRP_MAX, cmax); - packet_check_eom(); - if (max < min || nbits < min || max < nbits) - fatal("GSS_GEX, bad parameters: %d !< %d !< %d", -@@ -234,7 +236,7 @@ kexgss_server(struct ssh *ssh) - buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer), - buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my), - NULL, 0, -- min, nbits, max, -+ cmin, nbits, cmax, - dh->p, dh->g, - dh_client_pub, - dh->pub_key, diff --git a/openssh-7.2p2-expose-pam.patch b/openssh-7.2p2-expose-pam.patch index 49f6436..a2dfdd3 100644 --- a/openssh-7.2p2-expose-pam.patch +++ b/openssh-7.2p2-expose-pam.patch @@ -331,8 +331,8 @@ diff -up openssh-7.2p2/servconf.c.expose-pam openssh-7.2p2/servconf.c M_CP_INTOPT(rekey_interval); + M_CP_INTOPT(expose_auth_methods); - /* M_CP_STROPT and M_CP_STRARRAYOPT should not appear before here */ - #define M_CP_STROPT(n) do {\ + /* + * The bind_mask is a mode_t that may be unsigned, so we can't use @@ -2181,6 +2198,8 @@ fmt_intarg(ServerOpCodes code, int val) return fmt_multistate_int(val, multistate_tcpfwd); case sFingerprintHash: