cleanup working directory, spec file and unused patches after rebase

2015-02-20 15:04:36 +01:00 · 2015-02-20 15:04:36 +01:00 · 77f453b74d
commit 77f453b74d
parent 08cb909f5d
7 changed files with 1 additions and 424 deletions
--- a/openssh-5.1p1-scp-manpage.patch
+++ b/openssh-5.1p1-scp-manpage.patch
@ -1,18 +0,0 @@
 diff -up openssh-5.1p1/scp.1.manpage openssh-5.1p1/scp.1
 --- openssh-5.1p1/scp.1.manpage	2008-07-12 09:12:49.000000000 +0200
 +++ openssh-5.1p1/scp.1	2008-07-23 19:18:15.000000000 +0200
@@ -66,6 +66,14 @@ treating file names containing
 as host specifiers.
 Copies between two remote hosts are also permitted.
 .Pp
 +When copying a source file to a target file which already exists,
 +.Nm 
 +will replace the contents of the target file (keeping the inode).
 +.Pp
 +If the target file does not yet exist, an empty file with the target
 +file name is created, then filled with the source file contents.
 +No attempt is made at "near-atomic" transfer using temporary files.
 +.Pp
 The options are as follows:
 .Bl -tag -width Ds
 .It Fl 1
--- a/openssh-5618210618256bbf5f4f71b2887ff186fd451736.patch
+++ b/openssh-5618210618256bbf5f4f71b2887ff186fd451736.patch
@ -1,177 +0,0 @@
 From 5618210618256bbf5f4f71b2887ff186fd451736 Mon Sep 17 00:00:00 2001
 From: Damien Miller <djm@mindrot.org>
 Date: Sun, 20 Apr 2014 13:44:47 +1000
 Subject: [PATCH]  - (djm) [bufaux.c compat.c compat.h sshconnect2.c sshd.c
 version.h]    OpenSSH 6.5 and 6.6 sometimes encode a value used in the
 curve25519    key exchange incorrectly, causing connection failures about
 0.2% of    the time when this method is used against a peer that implements  
  the method properly.
   Fix the problem and disable the curve25519 KEX when speaking to
   OpenSSH 6.5 or 6.6. This version will identify itself as 6.6.1
   to enable the compatability code.
 ---
 ChangeLog     | 11 +++++++++++
 bufaux.c      |  5 ++++-
 compat.c      | 17 ++++++++++++++++-
 compat.h      |  2 ++
 sshconnect2.c |  2 ++
 sshd.c        |  3 +++
 version.h     |  2 +-
 7 files changed, 39 insertions(+), 3 deletions(-)
 diff --git a/ChangeLog b/ChangeLog
 index 1603a07..928999d 100644
 --- a/ChangeLog
 +++ b/ChangeLog
@@ -1,13 +1,23 @@
 20140420
 -   - djm@cvs.openbsd.org 2014/04/01 03:34:10
 -     [sshconnect.c]
 -     When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
 -     certificate keys to plain keys and attempt SSHFP resolution.
 -     
 -     Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
 -     dialog by offering only certificate keys.
 -     
 -     Reported by mcv21 AT cam.ac.uk
 + - (djm) [bufaux.c compat.c compat.h sshconnect2.c sshd.c version.h]
 +   OpenSSH 6.5 and 6.6 sometimes encode a value used in the curve25519
 +   key exchange incorrectly, causing connection failures about 0.2% of
 +   the time when this method is used against a peer that implements
 +   the method properly.
 +
 +   Fix the problem and disable the curve25519 KEX when speaking to
 +   OpenSSH 6.5 or 6.6. This version will identify itself as 6.6.1
 +   to enable the compatability code.
 +
 + - djm@cvs.openbsd.org 2014/04/01 03:34:10
 +   [sshconnect.c]
 +   When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
 +   certificate keys to plain keys and attempt SSHFP resolution.
 +   
 +   Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
 +   dialog by offering only certificate keys.
 +   
 +   Reported by mcv21 AT cam.ac.uk
 20140313
  - (djm) Release OpenSSH 6.6
 diff --git a/bufaux.c b/bufaux.c
 index e24b5fc..f6a6f2a 100644
 --- a/bufaux.c
 +++ b/bufaux.c
@@ -1,4 +1,4 @@
 -/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */
 +/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *buffer, const u_char *s, u_int l)
 	if (l > 8 * 1024)
 		fatal("%s: length %u too long", __func__, l);
 +	/* Skip leading zero bytes */
 +	for (; l > 0 && *s == 0; l--, s++)
 +		;
 	p = buf = xmalloc(l + 1);
 	/*
 	 * If most significant bit is set then prepend a zero byte to
 diff --git a/compat.c b/compat.c
 index 9d9fabe..2709dc5 100644
 --- a/compat.c
 +++ b/compat.c
@@ -95,6 +95,9 @@ compat_datafellows(const char *version)
 		{ "Sun_SSH_1.0*",	SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
 		{ "OpenSSH_4*",		0 },
 		{ "OpenSSH_5*",		SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
 +		{ "OpenSSH_6.6.1*",	SSH_NEW_OPENSSH},
 +		{ "OpenSSH_6.5*,"
 +		  "OpenSSH_6.6*",	SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
 		{ "OpenSSH*",		SSH_NEW_OPENSSH },
 		{ "*MindTerm*",		0 },
 		{ "2.1.0*",		SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop)
 	return cipher_prop;
 }
 -
 char *
 compat_pkalg_proposal(char *pkalg_prop)
 {
@@ -265,3 +267,16 @@ compat_pkalg_proposal(char *pkalg_prop)
 	return pkalg_prop;
 }
 +char *
 +compat_kex_proposal(char *kex_prop)
 +{
 +	if (!(datafellows & SSH_BUG_CURVE25519PAD))
 +		return kex_prop;
 +	debug2("%s: original KEX proposal: %s", __func__, kex_prop);
 +	kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org");
 +	debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
 +	if (*kex_prop == '\0')
 +		fatal("No supported key exchange algorithms found");
 +	return kex_prop;
 +}
 +
 diff --git a/compat.h b/compat.h
 index b174fa1..a6c3f3d 100644
 --- a/compat.h
 +++ b/compat.h
@@ -59,6 +59,7 @@
 #define SSH_BUG_RFWD_ADDR	0x02000000
 #define SSH_NEW_OPENSSH		0x04000000
 #define SSH_BUG_DYNAMIC_RPORT	0x08000000
 +#define SSH_BUG_CURVE25519PAD	0x10000000
 void     enable_compat13(void);
 void     enable_compat20(void);
@@ -66,6 +67,7 @@ void     compat_datafellows(const char *);
 int	 proto_spec(const char *);
 char	*compat_cipher_proposal(char *);
 char	*compat_pkalg_proposal(char *);
 +char	*compat_kex_proposal(char *);
 extern int compat13;
 extern int compat20;
 diff --git a/sshconnect2.c b/sshconnect2.c
 index bb9292f..b00658b 100644
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
@@ -220,6 +220,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
 	}
 	if (options.kex_algorithms != NULL)
 		myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
 +	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
 +	    myproposal[PROPOSAL_KEX_ALGS]);
 #ifdef GSSAPI
 	/* If we've got GSSAPI algorithms, then we also support the
 diff --git a/sshd.c b/sshd.c
 index e4e406e..512c7ed 100644
 --- a/sshd.c
 +++ b/sshd.c
@@ -2488,6 +2488,9 @@ do_ssh2_kex(void)
 	if (options.kex_algorithms != NULL)
 		myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
 +	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
 +	    myproposal[PROPOSAL_KEX_ALGS]);
 +
 	if (options.rekey_limit || options.rekey_interval)
 		packet_set_rekey_limits((u_int32_t)options.rekey_limit,
 		    (time_t)options.rekey_interval);
 diff --git a/version.h b/version.h
 index a1579ac..a33e77c 100644
 --- a/version.h
 +++ b/version.h
@@ -1,6 +1,6 @@
 /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
 -#define SSH_VERSION	"OpenSSH_6.6"
 +#define SSH_VERSION	"OpenSSH_6.6.1"
 #define SSH_PORTABLE	"p1"
 #define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
--- a/openssh-6.4p1-CLOCK_BOOTTIME.patch
+++ b/openssh-6.4p1-CLOCK_BOOTTIME.patch
@ -1,29 +0,0 @@
 --- a/misc.c
 +++ b/misc.c
@@ -865,17 +865,24 @@ ms_to_timeval(struct timeval *tv, int ms
 time_t
 monotime(void)
 {
 -#if defined(HAVE_CLOCK_GETTIME) && defined(CLOCK_MONOTONIC)
 +#if defined(HAVE_CLOCK_GETTIME) && \
 +    (defined(CLOCK_MONOTONIC) || defined(CLOCK_BOOTTIME))
 	struct timespec ts;
 	static int gettime_failed = 0;
 	if (!gettime_failed) {
 +#if defined(CLOCK_BOOTTIME)
 +		if (clock_gettime(CLOCK_BOOTTIME, &ts) == 0)
 +			return (ts.tv_sec);
 +#endif
 +#if defined(CLOCK_MONOTONIC)
 		if (clock_gettime(CLOCK_MONOTONIC, &ts) == 0)
 			return (ts.tv_sec);
 +#endif
 		debug3("clock_gettime: %s", strerror(errno));
 		gettime_failed = 1;
 	}
 -#endif
 +#endif /* HAVE_CLOCK_GETTIME && (CLOCK_MONOTONIC || CLOCK_BOOTTIME */
 	return time(NULL);
 }
--- a/openssh-6.6.1p1-NI_MAXHOST.patch
+++ b/openssh-6.6.1p1-NI_MAXHOST.patch
@ -1,76 +0,0 @@
 diff --git a/ChangeLog b/ChangeLog
 index 928999d..3887495 100644
 --- a/ChangeLog
 +++ b/ChangeLog
@@ -1,3 +1,10 @@
 +20140703
 + - OpenBSD CVS Sync
 +   - djm@cvs.openbsd.org 2014/07/03 03:34:09
 +     [gss-serv.c session.c ssh-keygen.c]
 +     standardise on NI_MAXHOST for gethostname() string lengths; about
 +     1/2 the cases were using it already. Fixes bz#2239 en passant
 +
 20140420
  - (djm) [bufaux.c compat.c compat.h sshconnect2.c sshd.c version.h]
    OpenSSH 6.5 and 6.6 sometimes encode a value used in the curve25519
 diff --git a/gss-serv.c b/gss-serv.c
 index 14f540e..29916d3 100644
 --- a/gss-serv.c
 +++ b/gss-serv.c
@@ -1,4 +1,4 @@
 -/* $OpenBSD: gss-serv.c,v 1.26 2014/02/26 20:28:44 djm Exp $ */
 +/* $OpenBSD: gss-serv.c,v 1.27 2014/07/03 03:34:09 djm Exp $ */
 /*
  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -102,14 +102,14 @@ static OM_uint32
 ssh_gssapi_acquire_cred(Gssctxt *ctx)
 {
 	OM_uint32 status;
 -	char lname[MAXHOSTNAMELEN];
 +	char lname[NI_MAXHOST];
 	gss_OID_set oidset;
 	if (options.gss_strict_acceptor) {
 		gss_create_empty_oid_set(&status, &oidset);
 		gss_add_oid_set_member(&status, ctx->oid, &oidset);
 -		if (gethostname(lname, MAXHOSTNAMELEN)) {
 +		if (gethostname(lname, sizeof(lname))) {
 			gss_release_oid_set(&status, &oidset);
 			return (-1);
 		}
 diff --git a/session.c b/session.c
 index ba4589b..e4add93 100644
 --- a/session.c
 +++ b/session.c
@@ -49,6 +49,7 @@
 #include <errno.h>
 #include <fcntl.h>
 #include <grp.h>
 +#include <netdb.h>
 #ifdef HAVE_PATHS_H
 #include <paths.h>
 #endif
@@ -2669,7 +2670,7 @@ session_setup_x11fwd(Session *s)
 {
 	struct stat st;
 	char display[512], auth_display[512];
 -	char hostname[MAXHOSTNAMELEN];
 +	char hostname[NI_MAXHOST];
 	u_int i;
 	if (no_x11_forwarding_flag) {
 diff --git a/ssh-keygen.c b/ssh-keygen.c
 index 482dc1c..66198e6 100644
 --- a/ssh-keygen.c
 +++ b/ssh-keygen.c
@@ -165,7 +165,7 @@ int rounds = 0;
 /* argv0 */
 extern char *__progname;
 -char hostname[MAXHOSTNAMELEN];
 +char hostname[NI_MAXHOST];
 /* moduli.c */
 int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *);
--- a/openssh-6.6.1p1-ignore-SIGXFSZ-in-postauth.patch
+++ b/openssh-6.6.1p1-ignore-SIGXFSZ-in-postauth.patch
@ -1,28 +0,0 @@
 diff --git a/ChangeLog b/ChangeLog
 index 3887495..a4dc72f 100644
 --- a/ChangeLog
 +++ b/ChangeLog
@@ -1,3 +1,9 @@
 +20140823
 + - (djm) [sshd.c] Ignore SIGXFSZ in preauth monitor child; can explode on
 +   lastlog writing on platforms with high UIDs; bz#2263
 + - (djm) [monitor.c sshd.c] SIGXFSZ needs to be ignored in postauth
 +   monitor, not preauth; bz#2263
 +
 20140703
  - OpenBSD CVS Sync
    - djm@cvs.openbsd.org 2014/07/03 03:34:09
 diff --git a/monitor.c b/monitor.c
 index bdabe21..5a65114 100644
 --- a/monitor.c
 +++ b/monitor.c
@@ -501,6 +501,9 @@ monitor_child_postauth(struct monitor *pmonitor)
 	signal(SIGHUP, &monitor_child_handler);
 	signal(SIGTERM, &monitor_child_handler);
 	signal(SIGINT, &monitor_child_handler);
 +#ifdef SIGXFSZ
 +	signal(SIGXFSZ, SIG_IGN);
 +#endif
 	if (compat20) {
 		mon_dispatch = mon_dispatch_postauth20;
--- a/openssh-6.6p1-CVE-2014-2653.patch
+++ b/openssh-6.6p1-CVE-2014-2653.patch
@ -1,80 +0,0 @@
 diff --git a/ChangeLog b/ChangeLog
 index 38de846..1603a07 100644
 --- a/ChangeLog
 +++ b/ChangeLog
@@ -1,3 +1,14 @@
 +20140420
 +   - djm@cvs.openbsd.org 2014/04/01 03:34:10
 +     [sshconnect.c]
 +     When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
 +     certificate keys to plain keys and attempt SSHFP resolution.
 +     
 +     Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
 +     dialog by offering only certificate keys.
 +     
 +     Reported by mcv21 AT cam.ac.uk
 +
 20140313
  - (djm) Release OpenSSH 6.6
 diff --git a/sshconnect.c b/sshconnect.c
 index 394cca8..e636f33 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
@@ -1219,30 +1219,40 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
 {
 	int flags = 0;
 	char *fp;
 +	Key *plain = NULL;
 	fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
 	debug("Server host key: %s %s%s", key_type(host_key),
 	    key_fingerprint_prefix(), fp);
 	free(fp);
 -	/* XXX certs are not yet supported for DNS */
 -	if (!key_is_cert(host_key) && options.verify_host_key_dns &&
 -	    verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
 -		if (flags & DNS_VERIFY_FOUND) {
 -
 -			if (options.verify_host_key_dns == 1 &&
 -			    flags & DNS_VERIFY_MATCH &&
 -			    flags & DNS_VERIFY_SECURE)
 -				return 0;
 -
 -			if (flags & DNS_VERIFY_MATCH) {
 -				matching_host_key_dns = 1;
 -			} else {
 -				warn_changed_key(host_key);
 -				error("Update the SSHFP RR in DNS with the new "
 -				    "host key to get rid of this message.");
 +	if (options.verify_host_key_dns) {
 +		/*
 +		 * XXX certs are not yet supported for DNS, so downgrade
 +		 * them and try the plain key.
 +		 */
 +		plain = key_from_private(host_key);
 +		if (key_is_cert(plain))
 +			key_drop_cert(plain);
 +		if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
 +			if (flags & DNS_VERIFY_FOUND) {
 +				if (options.verify_host_key_dns == 1 &&
 +				    flags & DNS_VERIFY_MATCH &&
 +				    flags & DNS_VERIFY_SECURE) {
 +					key_free(plain);
 +					return 0;
 +				}
 +				if (flags & DNS_VERIFY_MATCH) {
 +					matching_host_key_dns = 1;
 +				} else {
 +					warn_changed_key(plain);
 +					error("Update the SSHFP RR in DNS "
 +					    "with the new host key to get rid "
 +					    "of this message.");
 +				}
 			}
 		}
 +		key_free(plain);
 	}
 	return check_host_key(host, hostaddr, options.port, host_key, RDRW,
--- a/openssh.spec
+++ b/openssh.spec
@ -151,8 +151,6 @@ Patch702: openssh-5.1p1-askpass-progress.patch
 #?
 Patch703: openssh-4.3p2-askpass-grab-info.patch
 #?
 Patch705: openssh-5.1p1-scp-manpage.patch
 #?
 Patch706: openssh-6.6.1p1-localdomain.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX)
 Patch707: openssh-6.6p1-redhat.patch
@ -187,16 +185,6 @@ Patch902: openssh-6.3p1-krb5-use-default_ccache_name.patch
 Patch905: openssh-6.4p1-legacy-ssh-copy-id.patch
 # Use tty allocation for a remote scp (#985650)
 Patch906: openssh-6.4p1-fromto-remote.patch
 # Try CLOCK_BOOTTIME with fallback (#1091992)
 Patch907: openssh-6.4p1-CLOCK_BOOTTIME.patch
 # Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
 # dialog by offering only certificate keys. (#1081338)
 Patch908: openssh-6.6p1-CVE-2014-2653.patch
 # OpenSSH 6.5 and 6.6 sometimes encode a value used in the curve25519 key exchange incorrectly
 # Disable the curve25519 KEX when speaking to OpenSSH 6.5 or 6.6
 Patch909: openssh-5618210618256bbf5f4f71b2887ff186fd451736.patch
 # standardise on NI_MAXHOST for gethostname() string lengths (#1051490)
 Patch910: openssh-6.6.1p1-NI_MAXHOST.patch
 # set a client's address right after a connection is set
 # http://bugzilla.mindrot.org/show_bug.cgi?id=2257
 Patch911: openssh-6.6p1-set_remote_ipaddr.patch
@ -210,9 +198,6 @@ Patch913: openssh-6.6.1p1-partial-success.patch
 # fix parsing of empty options in sshd_conf
 # https://bugzilla.mindrot.org/show_bug.cgi?id=2281
 Patch914: openssh-6.6.1p1-servconf-parser.patch
 # Ignore SIGXFSZ in postauth monitor
 # https://bugzilla.mindrot.org/show_bug.cgi?id=2263
 Patch915: openssh-6.6.1p1-ignore-SIGXFSZ-in-postauth.patch
 # privsep_preauth: use SELinux context from selinux-policy (#1008580)
 Patch916: openssh-6.6.1p1-selinux-contexts.patch
 # use different values for DH for Cisco servers (#1026430)
@ -486,7 +471,7 @@ export LDFLAGS
 %endif
 %if %{kerberos5}
 if test -r /etc/profile.d/krb5-devel.sh ; then
-        source /etc/profile.d/krb5-devel.sh
+	source /etc/profile.d/krb5-devel.sh
 fi
 krb5_prefix=`krb5-config --prefix`
 if test "$krb5_prefix" != "%{_prefix}" ; then