rpms
/
openssh
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

rebase for openssh-6.3p1, remove unused patches (#1007769)

This commit is contained in:
Petr Lautrbach 2013-10-14 15:54:41 +02:00
parent c33ef551ca
commit 84822b5dec
19 changed files with 2100 additions and 3401 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1080
openssh-6.2p1-aarch64.patch
View File

File diff suppressed because it is too large Load Diff

12
openssh-6.2p1-modpipe-cflags.patch
View File

@ -1,12 +0,0 @@
diff -up openssh-6.2p1/Makefile.in.modpipe-pie openssh-6.2p1/Makefile.in
--- openssh-6.2p1/Makefile.in.modpipe-pie 2013-04-04 14:44:26.293745777 +0200
+++ openssh-6.2p1/Makefile.in 2013-04-04 14:44:49.483647020 +0200
@@ -418,7 +418,7 @@ uninstall:
regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c
[ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \
- $(CC) $(CPPFLAGS) -o $@ $? \
+ $(CC) $(CPPFLAGS) $(CFLAGS) -o $@ $? \
$(LDFLAGS) -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT)

64
openssh-6.2p2-sftp-multibyte.patch
View File

@ -1,64 +0,0 @@
diff --git a/ChangeLog b/ChangeLog
index f5e2df0..74a03f8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+20130605
+ - dtucker@cvs.openbsd.org 2013/06/04 20:42:36
+ [sftp.c]
+ Make sftp's libedit interface marginally multibyte aware by building up
+ the quoted string by character instead of by byte. Prevents failures
+ when linked against a libedit built with wide character support (bz#1990).
+ "looks ok" djm
+
20130516
- (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be
executed if mktemp failed; bz#2105 ok dtucker@
diff --git a/sftp.c b/sftp.c
index 25c35fa..c9a9919 100644
--- a/sftp.c
+++ b/sftp.c
@@ -38,6 +38,7 @@
#ifdef HAVE_LIBGEN_H
#include <libgen.h>
#endif
+#include <locale.h>
#ifdef USE_LIBEDIT
#include <histedit.h>
#else
@@ -1694,8 +1695,9 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path,
char *file, int remote, int lastarg, char quote, int terminated)
{
glob_t g;
- char *tmp, *tmp2, ins[3];
+ char *tmp, *tmp2, ins[8];
u_int i, hadglob, pwdlen, len, tmplen, filelen, cesc, isesc, isabs;
+ int clen;
const LineInfo *lf;
/* Glob from "file" location */
@@ -1764,10 +1766,13 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path,
tmp2 = tmp + filelen - cesc;
len = strlen(tmp2);
/* quote argument on way out */
- for (i = 0; i < len; i++) {
+ for (i = 0; i < len; i += clen) {
+ if ((clen = mblen(tmp2 + i, len - i)) < 0 ||
+ (size_t)clen > sizeof(ins) - 2)
+ fatal("invalid multibyte character");
ins[0] = '\\';
- ins[1] = tmp2[i];
- ins[2] = '\0';
+ memcpy(ins + 1, tmp2 + i, clen);
+ ins[clen + 1] = '\0';
switch (tmp2[i]) {
case '\'':
case '"':
@@ -2112,6 +2117,7 @@ main(int argc, char **argv)
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
+ setlocale(LC_CTYPE, "");
__progname = ssh_get_progname(argv[0]);
memset(&args, '\0', sizeof(args));

23
openssh-6.2p2-ssh_gai_strerror.patch
View File

@ -1,23 +0,0 @@
diff -U0 openssh-6.2p2/ChangeLog.ssh_gai_strerror openssh-6.2p2/ChangeLog
--- openssh-6.2p2/ChangeLog.ssh_gai_strerror 2013-07-23 12:03:41.467902339 +0200
+++ openssh-6.2p2/ChangeLog 2013-07-23 12:06:03.414281151 +0200
@@ -0,0 +1,7 @@
+20130718
+ - djm@cvs.openbsd.org 2013/07/12 00:43:50
+ [misc.c]
+ in ssh_gai_strerror() don't fallback to strerror for EAI_SYSTEM when
+ errno == 0. Avoids confusing error message in some broken resolver
+ cases. bz#2122 patch from plautrba AT redhat.com; ok dtucker
+
diff -up openssh-6.2p2/misc.c.ssh_gai_strerror openssh-6.2p2/misc.c
--- openssh-6.2p2/misc.c.ssh_gai_strerror 2013-07-23 12:03:41.321902978 +0200
+++ openssh-6.2p2/misc.c 2013-07-23 12:03:41.467902339 +0200
@@ -127,7 +127,7 @@ unset_nonblock(int fd)
const char *
ssh_gai_strerror(int gaierr)
{
- if (gaierr == EAI_SYSTEM)
+ if (gaierr == EAI_SYSTEM && errno != 0)
return strerror(errno);
return gai_strerror(gaierr);
}

456
openssh-6.2p1-audit.patch → openssh-6.3p1-audit.patch
View File

File diff suppressed because it is too large Load Diff

392
openssh-6.2p1-coverity.patch → openssh-6.3p1-coverity.patch
View File

@ -1,6 +1,6 @@
diff -up openssh-6.2p1/auth-pam.c.coverity openssh-6.2p1/auth-pam.c diff -up openssh-6.3p1/auth-pam.c.coverity openssh-6.3p1/auth-pam.c
--- openssh-6.2p1/auth-pam.c.coverity 2009-07-12 14:07:21.000000000 +0200 --- openssh-6.3p1/auth-pam.c.coverity 2013-06-02 00:07:32.000000000 +0200
+++ openssh-6.2p1/auth-pam.c 2013-03-22 09:49:37.341595458 +0100 +++ openssh-6.3p1/auth-pam.c 2013-10-07 13:20:36.288298063 +0200
@@ -216,7 +216,12 @@ pthread_join(sp_pthread_t thread, void * @@ -216,7 +216,12 @@ pthread_join(sp_pthread_t thread, void *
if (sshpam_thread_status != -1) if (sshpam_thread_status != -1)
return (sshpam_thread_status); return (sshpam_thread_status);
@ -15,10 +15,10 @@ diff -up openssh-6.2p1/auth-pam.c.coverity openssh-6.2p1/auth-pam.c
return (status); return (status);
} }
#endif #endif
diff -up openssh-6.2p1/channels.c.coverity openssh-6.2p1/channels.c diff -up openssh-6.3p1/channels.c.coverity openssh-6.3p1/channels.c
--- openssh-6.2p1/channels.c.coverity 2012-12-02 23:50:55.000000000 +0100 --- openssh-6.3p1/channels.c.coverity 2013-09-13 08:19:31.000000000 +0200
+++ openssh-6.2p1/channels.c 2013-03-22 09:49:37.344595444 +0100 +++ openssh-6.3p1/channels.c 2013-10-07 13:20:36.289298058 +0200
@@ -232,11 +232,11 @@ channel_register_fds(Channel *c, int rfd @@ -233,11 +233,11 @@ channel_register_fds(Channel *c, int rfd
channel_max_fd = MAX(channel_max_fd, wfd); channel_max_fd = MAX(channel_max_fd, wfd);
channel_max_fd = MAX(channel_max_fd, efd); channel_max_fd = MAX(channel_max_fd, efd);
@ -33,7 +33,7 @@ diff -up openssh-6.2p1/channels.c.coverity openssh-6.2p1/channels.c
fcntl(efd, F_SETFD, FD_CLOEXEC); fcntl(efd, F_SETFD, FD_CLOEXEC);
c->rfd = rfd; c->rfd = rfd;
@@ -251,11 +251,11 @@ channel_register_fds(Channel *c, int rfd @@ -255,11 +255,11 @@ channel_register_fds(Channel *c, int rfd
/* enable nonblocking mode */ /* enable nonblocking mode */
if (nonblock) { if (nonblock) {
@ -48,10 +48,10 @@ diff -up openssh-6.2p1/channels.c.coverity openssh-6.2p1/channels.c
set_nonblock(efd); set_nonblock(efd);
} }
} }
diff -up openssh-6.2p1/clientloop.c.coverity openssh-6.2p1/clientloop.c diff -up openssh-6.3p1/clientloop.c.coverity openssh-6.3p1/clientloop.c
--- openssh-6.2p1/clientloop.c.coverity 2013-01-09 05:55:51.000000000 +0100 --- openssh-6.3p1/clientloop.c.coverity 2013-06-10 05:07:12.000000000 +0200
+++ openssh-6.2p1/clientloop.c 2013-03-22 09:49:37.342595453 +0100 +++ openssh-6.3p1/clientloop.c 2013-10-07 13:20:36.289298058 +0200
@@ -2061,14 +2061,15 @@ client_input_global_request(int type, u_ @@ -2068,14 +2068,15 @@ client_input_global_request(int type, u_
char *rtype; char *rtype;
int want_reply; int want_reply;
int success = 0; int success = 0;
@ -69,10 +69,10 @@ diff -up openssh-6.2p1/clientloop.c.coverity openssh-6.2p1/clientloop.c
packet_send(); packet_send();
packet_write_wait(); packet_write_wait();
} }
diff -up openssh-6.2p1/key.c.coverity openssh-6.2p1/key.c diff -up openssh-6.3p1/key.c.coverity openssh-6.3p1/key.c
--- openssh-6.2p1/key.c.coverity 2013-01-18 01:44:05.000000000 +0100 --- openssh-6.3p1/key.c.coverity 2013-06-01 23:41:51.000000000 +0200
+++ openssh-6.2p1/key.c 2013-03-22 09:49:37.345595440 +0100 +++ openssh-6.3p1/key.c 2013-10-07 13:20:36.290298054 +0200
@@ -808,8 +808,10 @@ key_read(Key *ret, char **cpp) @@ -807,8 +807,10 @@ key_read(Key *ret, char **cpp)
success = 1; success = 1;
/*XXXX*/ /*XXXX*/
key_free(k); key_free(k);
@ -83,9 +83,9 @@ diff -up openssh-6.2p1/key.c.coverity openssh-6.2p1/key.c
/* advance cp: skip whitespace and data */ /* advance cp: skip whitespace and data */
while (*cp == ' ' || *cp == '\t') while (*cp == ' ' || *cp == '\t')
cp++; cp++;
diff -up openssh-6.2p1/monitor.c.coverity openssh-6.2p1/monitor.c diff -up openssh-6.3p1/monitor.c.coverity openssh-6.3p1/monitor.c
--- openssh-6.2p1/monitor.c.coverity 2012-12-12 00:44:39.000000000 +0100 --- openssh-6.3p1/monitor.c.coverity 2013-07-20 05:21:53.000000000 +0200
+++ openssh-6.2p1/monitor.c 2013-03-22 12:19:55.189921353 +0100 +++ openssh-6.3p1/monitor.c 2013-10-07 13:54:36.761314042 +0200
@@ -449,7 +449,7 @@ monitor_child_preauth(Authctxt *_authctx @@ -449,7 +449,7 @@ monitor_child_preauth(Authctxt *_authctx
mm_get_keystate(pmonitor); mm_get_keystate(pmonitor);
@ -95,7 +95,7 @@ diff -up openssh-6.2p1/monitor.c.coverity openssh-6.2p1/monitor.c
; ;
close(pmonitor->m_sendfd); close(pmonitor->m_sendfd);
@@ -1194,6 +1194,10 @@ mm_answer_keyallowed(int sock, Buffer *m @@ -1202,6 +1202,10 @@ mm_answer_keyallowed(int sock, Buffer *m
break; break;
} }
} }
@ -106,8 +106,8 @@ diff -up openssh-6.2p1/monitor.c.coverity openssh-6.2p1/monitor.c
if (key != NULL) if (key != NULL)
key_free(key); key_free(key);
@@ -1216,9 +1220,6 @@ mm_answer_keyallowed(int sock, Buffer *m @@ -1223,9 +1227,6 @@ mm_answer_keyallowed(int sock, Buffer *m
xfree(chost); free(chost);
} }
- debug3("%s: key %p is %s", - debug3("%s: key %p is %s",
@ -116,10 +116,10 @@ diff -up openssh-6.2p1/monitor.c.coverity openssh-6.2p1/monitor.c
buffer_clear(m); buffer_clear(m);
buffer_put_int(m, allowed); buffer_put_int(m, allowed);
buffer_put_int(m, forced_command != NULL); buffer_put_int(m, forced_command != NULL);
diff -up openssh-6.2p1/monitor_wrap.c.coverity openssh-6.2p1/monitor_wrap.c diff -up openssh-6.3p1/monitor_wrap.c.coverity openssh-6.3p1/monitor_wrap.c
--- openssh-6.2p1/monitor_wrap.c.coverity 2013-01-09 06:12:19.000000000 +0100 --- openssh-6.3p1/monitor_wrap.c.coverity 2013-06-02 00:07:32.000000000 +0200
+++ openssh-6.2p1/monitor_wrap.c 2013-03-22 09:49:37.347595431 +0100 +++ openssh-6.3p1/monitor_wrap.c 2013-10-07 13:20:36.291298049 +0200
@@ -708,10 +708,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd, @@ -710,10 +710,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 || if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
(tmp2 = dup(pmonitor->m_recvfd)) == -1) { (tmp2 = dup(pmonitor->m_recvfd)) == -1) {
error("%s: cannot allocate fds for pty", __func__); error("%s: cannot allocate fds for pty", __func__);
@ -133,9 +133,9 @@ diff -up openssh-6.2p1/monitor_wrap.c.coverity openssh-6.2p1/monitor_wrap.c
return 0; return 0;
} }
close(tmp1); close(tmp1);
diff -up openssh-6.2p1/openbsd-compat/bindresvport.c.coverity openssh-6.2p1/openbsd-compat/bindresvport.c diff -up openssh-6.3p1/openbsd-compat/bindresvport.c.coverity openssh-6.3p1/openbsd-compat/bindresvport.c
--- openssh-6.2p1/openbsd-compat/bindresvport.c.coverity 2010-12-03 00:50:26.000000000 +0100 --- openssh-6.3p1/openbsd-compat/bindresvport.c.coverity 2010-12-03 00:50:26.000000000 +0100
+++ openssh-6.2p1/openbsd-compat/bindresvport.c 2013-03-22 09:49:37.347595431 +0100 +++ openssh-6.3p1/openbsd-compat/bindresvport.c 2013-10-07 13:20:36.291298049 +0200
@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr @@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr
struct sockaddr_in6 *in6; struct sockaddr_in6 *in6;
u_int16_t *portp; u_int16_t *portp;
@ -145,10 +145,10 @@ diff -up openssh-6.2p1/openbsd-compat/bindresvport.c.coverity openssh-6.2p1/open
int i; int i;
if (sa == NULL) { if (sa == NULL) {
diff -up openssh-6.2p1/packet.c.coverity openssh-6.2p1/packet.c diff -up openssh-6.3p1/packet.c.coverity openssh-6.3p1/packet.c
--- openssh-6.2p1/packet.c.coverity 2013-02-12 01:03:59.000000000 +0100 --- openssh-6.3p1/packet.c.coverity 2013-07-18 08:12:45.000000000 +0200
+++ openssh-6.2p1/packet.c 2013-03-22 09:49:37.348595426 +0100 +++ openssh-6.3p1/packet.c 2013-10-07 13:20:36.291298049 +0200
@@ -1192,6 +1192,7 @@ packet_read_poll1(void) @@ -1199,6 +1199,7 @@ packet_read_poll1(void)
case DEATTACK_DETECTED: case DEATTACK_DETECTED:
packet_disconnect("crc32 compensation attack: " packet_disconnect("crc32 compensation attack: "
"network attack detected"); "network attack detected");
@ -156,18 +156,9 @@ diff -up openssh-6.2p1/packet.c.coverity openssh-6.2p1/packet.c
case DEATTACK_DOS_DETECTED: case DEATTACK_DOS_DETECTED:
packet_disconnect("deattack denial of " packet_disconnect("deattack denial of "
"service detected"); "service detected");
@@ -1728,7 +1729,7 @@ void diff -up openssh-6.3p1/progressmeter.c.coverity openssh-6.3p1/progressmeter.c
packet_write_wait(void) --- openssh-6.3p1/progressmeter.c.coverity 2013-06-02 15:46:24.000000000 +0200
{ +++ openssh-6.3p1/progressmeter.c 2013-10-07 13:42:32.377850691 +0200
fd_set *setp;
- int ret, ms_remain;
+ int ret, ms_remain = 0;
struct timeval start, timeout, *timeoutp = NULL;
setp = (fd_set *)xcalloc(howmany(active_state->connection_out + 1,
diff -up openssh-6.2p1/progressmeter.c.coverity openssh-6.2p1/progressmeter.c
--- openssh-6.2p1/progressmeter.c.coverity 2006-08-05 04:39:40.000000000 +0200
+++ openssh-6.2p1/progressmeter.c 2013-03-22 09:49:37.349595422 +0100
@@ -65,7 +65,7 @@ static void update_progress_meter(int); @@ -65,7 +65,7 @@ static void update_progress_meter(int);
static time_t start; /* start progress */ static time_t start; /* start progress */
@ -184,11 +175,11 @@ diff -up openssh-6.2p1/progressmeter.c.coverity openssh-6.2p1/progressmeter.c
-start_progress_meter(char *f, off_t filesize, off_t *ctr) -start_progress_meter(char *f, off_t filesize, off_t *ctr)
+start_progress_meter(const char *f, off_t filesize, off_t *ctr) +start_progress_meter(const char *f, off_t filesize, off_t *ctr)
{ {
start = last_update = time(NULL); start = last_update = monotime();
file = f; file = f;
diff -up openssh-6.2p1/progressmeter.h.coverity openssh-6.2p1/progressmeter.h diff -up openssh-6.3p1/progressmeter.h.coverity openssh-6.3p1/progressmeter.h
--- openssh-6.2p1/progressmeter.h.coverity 2006-03-26 05:30:02.000000000 +0200 --- openssh-6.3p1/progressmeter.h.coverity 2006-03-26 05:30:02.000000000 +0200
+++ openssh-6.2p1/progressmeter.h 2013-03-22 09:49:37.349595422 +0100 +++ openssh-6.3p1/progressmeter.h 2013-10-07 13:20:36.292298044 +0200
@@ -23,5 +23,5 @@ @@ -23,5 +23,5 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/ */
@ -196,9 +187,9 @@ diff -up openssh-6.2p1/progressmeter.h.coverity openssh-6.2p1/progressmeter.h
-void start_progress_meter(char *, off_t, off_t *); -void start_progress_meter(char *, off_t, off_t *);
+void start_progress_meter(const char *, off_t, off_t *); +void start_progress_meter(const char *, off_t, off_t *);
void stop_progress_meter(void); void stop_progress_meter(void);
diff -up openssh-6.2p1/scp.c.coverity openssh-6.2p1/scp.c diff -up openssh-6.3p1/scp.c.coverity openssh-6.3p1/scp.c
--- openssh-6.2p1/scp.c.coverity 2013-03-20 02:55:15.000000000 +0100 --- openssh-6.3p1/scp.c.coverity 2013-07-18 08:11:25.000000000 +0200
+++ openssh-6.2p1/scp.c 2013-03-22 09:49:37.349595422 +0100 +++ openssh-6.3p1/scp.c 2013-10-07 13:20:36.292298044 +0200
@@ -155,7 +155,7 @@ killchild(int signo) @@ -155,7 +155,7 @@ killchild(int signo)
{ {
if (do_cmd_pid > 1) { if (do_cmd_pid > 1) {
@ -208,10 +199,10 @@ diff -up openssh-6.2p1/scp.c.coverity openssh-6.2p1/scp.c
} }
if (signo) if (signo)
diff -up openssh-6.2p1/servconf.c.coverity openssh-6.2p1/servconf.c diff -up openssh-6.3p1/servconf.c.coverity openssh-6.3p1/servconf.c
--- openssh-6.2p1/servconf.c.coverity 2013-02-12 01:02:08.000000000 +0100 --- openssh-6.3p1/servconf.c.coverity 2013-07-20 05:21:53.000000000 +0200
+++ openssh-6.2p1/servconf.c 2013-03-22 09:49:37.350595418 +0100 +++ openssh-6.3p1/servconf.c 2013-10-07 13:20:36.293298039 +0200
@@ -1268,7 +1268,7 @@ process_server_config_line(ServerOptions @@ -1323,7 +1323,7 @@ process_server_config_line(ServerOptions
fatal("%s line %d: Missing subsystem name.", fatal("%s line %d: Missing subsystem name.",
filename, linenum); filename, linenum);
if (!*activep) { if (!*activep) {
@ -220,7 +211,7 @@ diff -up openssh-6.2p1/servconf.c.coverity openssh-6.2p1/servconf.c
break; break;
} }
for (i = 0; i < options->num_subsystems; i++) for (i = 0; i < options->num_subsystems; i++)
@@ -1359,8 +1359,9 @@ process_server_config_line(ServerOptions @@ -1414,8 +1414,9 @@ process_server_config_line(ServerOptions
if (*activep && *charptr == NULL) { if (*activep && *charptr == NULL) {
*charptr = tilde_expand_filename(arg, getuid()); *charptr = tilde_expand_filename(arg, getuid());
/* increase optional counter */ /* increase optional counter */
@ -232,16 +223,16 @@ diff -up openssh-6.2p1/servconf.c.coverity openssh-6.2p1/servconf.c
} }
break; break;
diff -up openssh-6.2p1/serverloop.c.coverity openssh-6.2p1/serverloop.c diff -up openssh-6.3p1/serverloop.c.coverity openssh-6.3p1/serverloop.c
--- openssh-6.2p1/serverloop.c.coverity 2012-12-07 03:07:47.000000000 +0100 --- openssh-6.3p1/serverloop.c.coverity 2013-07-18 08:12:45.000000000 +0200
+++ openssh-6.2p1/serverloop.c 2013-03-22 09:49:37.351595413 +0100 +++ openssh-6.3p1/serverloop.c 2013-10-07 13:43:36.620537138 +0200
@@ -147,13 +147,13 @@ notify_setup(void) @@ -147,13 +147,13 @@ notify_setup(void)
static void static void
notify_parent(void) notify_parent(void)
{ {
- if (notify_pipe[1] != -1) - if (notify_pipe[1] != -1)
+ if (notify_pipe[1] >= 0) + if (notify_pipe[1] >= 0)
write(notify_pipe[1], "", 1); (void)write(notify_pipe[1], "", 1);
} }
static void static void
notify_prepare(fd_set *readset) notify_prepare(fd_set *readset)
@ -307,7 +298,7 @@ diff -up openssh-6.2p1/serverloop.c.coverity openssh-6.2p1/serverloop.c
if (fdin != fdout) if (fdin != fdout)
close(fdin); close(fdin);
else else
@@ -741,15 +741,15 @@ server_loop(pid_t pid, int fdin_arg, int @@ -739,15 +739,15 @@ server_loop(pid_t pid, int fdin_arg, int
buffer_free(&stderr_buffer); buffer_free(&stderr_buffer);
/* Close the file descriptors. */ /* Close the file descriptors. */
@ -326,7 +317,7 @@ diff -up openssh-6.2p1/serverloop.c.coverity openssh-6.2p1/serverloop.c
close(fdin); close(fdin);
fdin = -1; fdin = -1;
@@ -943,7 +943,7 @@ server_input_window_size(int type, u_int @@ -946,7 +946,7 @@ server_input_window_size(int type, u_int
debug("Window change received."); debug("Window change received.");
packet_check_eom(); packet_check_eom();
@ -335,7 +326,7 @@ diff -up openssh-6.2p1/serverloop.c.coverity openssh-6.2p1/serverloop.c
pty_change_window_size(fdin, row, col, xpixel, ypixel); pty_change_window_size(fdin, row, col, xpixel, ypixel);
} }
@@ -1003,7 +1003,7 @@ server_request_tun(void) @@ -1006,7 +1006,7 @@ server_request_tun(void)
} }
tun = packet_get_int(); tun = packet_get_int();
@ -344,111 +335,9 @@ diff -up openssh-6.2p1/serverloop.c.coverity openssh-6.2p1/serverloop.c
if (tun != SSH_TUNID_ANY && forced_tun_device != tun) if (tun != SSH_TUNID_ANY && forced_tun_device != tun)
goto done; goto done;
tun = forced_tun_device; tun = forced_tun_device;
diff -up openssh-6.2p1/sftp.c.coverity openssh-6.2p1/sftp.c diff -up openssh-6.3p1/sftp-client.c.coverity openssh-6.3p1/sftp-client.c
--- openssh-6.2p1/sftp.c.coverity 2013-02-22 23:12:24.000000000 +0100 --- openssh-6.3p1/sftp-client.c.coverity 2013-07-26 00:40:00.000000000 +0200
+++ openssh-6.2p1/sftp.c 2013-03-22 09:49:37.352595409 +0100 +++ openssh-6.3p1/sftp-client.c 2013-10-07 13:48:45.885027420 +0200
@@ -202,7 +202,7 @@ killchild(int signo)
{
if (sshpid > 1) {
kill(sshpid, SIGTERM);
- waitpid(sshpid, NULL, 0);
+ (void) waitpid(sshpid, NULL, 0);
}
_exit(1);
@@ -312,7 +312,7 @@ local_do_ls(const char *args)
/* Strip one path (usually the pwd) from the start of another */
static char *
-path_strip(char *path, char *strip)
+path_strip(const char *path, const char *strip)
{
size_t len;
@@ -330,7 +330,7 @@ path_strip(char *path, char *strip)
}
static char *
-make_absolute(char *p, char *pwd)
+make_absolute(char *p, const char *pwd)
{
char *abs_str;
@@ -478,7 +478,7 @@ parse_df_flags(const char *cmd, char **a
}
static int
-is_dir(char *path)
+is_dir(const char *path)
{
struct stat sb;
@@ -490,7 +490,7 @@ is_dir(char *path)
}
static int
-remote_is_dir(struct sftp_conn *conn, char *path)
+remote_is_dir(struct sftp_conn *conn, const char *path)
{
Attrib *a;
@@ -504,7 +504,7 @@ remote_is_dir(struct sftp_conn *conn, ch
/* Check whether path returned from glob(..., GLOB_MARK, ...) is a directory */
static int
-pathname_is_dir(char *pathname)
+pathname_is_dir(const char *pathname)
{
size_t l = strlen(pathname);
@@ -512,7 +512,7 @@ pathname_is_dir(char *pathname)
}
static int
-process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd,
+process_get(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
int pflag, int rflag)
{
char *abs_src = NULL;
@@ -586,7 +586,7 @@ out:
}
static int
-process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd,
+process_put(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
int pflag, int rflag)
{
char *tmp_dst = NULL;
@@ -691,7 +691,7 @@ sdirent_comp(const void *aa, const void
/* sftp ls.1 replacement for directories */
static int
-do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
+do_ls_dir(struct sftp_conn *conn, const char *path, const char *strip_path, int lflag)
{
int n;
u_int c = 1, colspace = 0, columns = 1;
@@ -776,7 +776,7 @@ do_ls_dir(struct sftp_conn *conn, char *
/* sftp ls.1 replacement which handles path globs */
static int
-do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
+do_globbed_ls(struct sftp_conn *conn, const char *path, const char *strip_path,
int lflag)
{
char *fname, *lname;
@@ -857,7 +857,7 @@ do_globbed_ls(struct sftp_conn *conn, ch
}
static int
-do_df(struct sftp_conn *conn, char *path, int hflag, int iflag)
+do_df(struct sftp_conn *conn, const char *path, int hflag, int iflag)
{
struct sftp_statvfs st;
char s_used[FMT_SCALED_STRSIZE];
diff -up openssh-6.2p1/sftp-client.c.coverity openssh-6.2p1/sftp-client.c
--- openssh-6.2p1/sftp-client.c.coverity 2012-07-02 14:15:39.000000000 +0200
+++ openssh-6.2p1/sftp-client.c 2013-03-22 09:49:37.353595404 +0100
@@ -149,7 +149,7 @@ get_msg(struct sftp_conn *conn, Buffer * @@ -149,7 +149,7 @@ get_msg(struct sftp_conn *conn, Buffer *
} }
@ -599,28 +488,28 @@ diff -up openssh-6.2p1/sftp-client.c.coverity openssh-6.2p1/sftp-client.c
int int
-do_download(struct sftp_conn *conn, char *remote_path, char *local_path, -do_download(struct sftp_conn *conn, char *remote_path, char *local_path,
+do_download(struct sftp_conn *conn, const char *remote_path, const char *local_path, +do_download(struct sftp_conn *conn, const char *remote_path, const char *local_path,
Attrib *a, int pflag) Attrib *a, int pflag, int resume)
{ {
Attrib junk; Attrib junk;
@@ -1226,7 +1226,7 @@ do_download(struct sftp_conn *conn, char @@ -1255,7 +1255,7 @@ do_download(struct sftp_conn *conn, char
} }
static int static int
-download_dir_internal(struct sftp_conn *conn, char *src, char *dst, -download_dir_internal(struct sftp_conn *conn, char *src, char *dst,
+download_dir_internal(struct sftp_conn *conn, const char *src, const char *dst, +download_dir_internal(struct sftp_conn *conn, const char *src, const char *dst,
Attrib *dirattrib, int pflag, int printflag, int depth) Attrib *dirattrib, int pflag, int printflag, int depth, int resume)
{ {
int i, ret = 0; int i, ret = 0;
@@ -1316,7 +1316,7 @@ download_dir_internal(struct sftp_conn * @@ -1345,7 +1345,7 @@ download_dir_internal(struct sftp_conn *
} }
int int
-download_dir(struct sftp_conn *conn, char *src, char *dst, -download_dir(struct sftp_conn *conn, char *src, char *dst,
+download_dir(struct sftp_conn *conn, const char *src, const char *dst, +download_dir(struct sftp_conn *conn, const char *src, const char *dst,
Attrib *dirattrib, int pflag, int printflag) Attrib *dirattrib, int pflag, int printflag, int resume)
{ {
char *src_canon; char *src_canon;
@@ -1334,7 +1334,7 @@ download_dir(struct sftp_conn *conn, cha @@ -1363,7 +1363,7 @@ download_dir(struct sftp_conn *conn, cha
} }
int int
@ -629,7 +518,7 @@ diff -up openssh-6.2p1/sftp-client.c.coverity openssh-6.2p1/sftp-client.c
int pflag) int pflag)
{ {
int local_fd; int local_fd;
@@ -1517,7 +1517,7 @@ do_upload(struct sftp_conn *conn, char * @@ -1548,7 +1548,7 @@ do_upload(struct sftp_conn *conn, char *
} }
static int static int
@ -638,7 +527,7 @@ diff -up openssh-6.2p1/sftp-client.c.coverity openssh-6.2p1/sftp-client.c
int pflag, int printflag, int depth) int pflag, int printflag, int depth)
{ {
int ret = 0, status; int ret = 0, status;
@@ -1608,7 +1608,7 @@ upload_dir_internal(struct sftp_conn *co @@ -1639,7 +1639,7 @@ upload_dir_internal(struct sftp_conn *co
} }
int int
@ -647,7 +536,7 @@ diff -up openssh-6.2p1/sftp-client.c.coverity openssh-6.2p1/sftp-client.c
int pflag) int pflag)
{ {
char *dst_canon; char *dst_canon;
@@ -1625,7 +1625,7 @@ upload_dir(struct sftp_conn *conn, char @@ -1656,7 +1656,7 @@ upload_dir(struct sftp_conn *conn, char
} }
char * char *
@ -656,9 +545,9 @@ diff -up openssh-6.2p1/sftp-client.c.coverity openssh-6.2p1/sftp-client.c
{ {
char *ret; char *ret;
size_t len = strlen(p1) + strlen(p2) + 2; size_t len = strlen(p1) + strlen(p2) + 2;
diff -up openssh-6.2p1/sftp-client.h.coverity openssh-6.2p1/sftp-client.h diff -up openssh-6.3p1/sftp-client.h.coverity openssh-6.3p1/sftp-client.h
--- openssh-6.2p1/sftp-client.h.coverity 2010-12-04 23:02:48.000000000 +0100 --- openssh-6.3p1/sftp-client.h.coverity 2013-07-25 03:56:52.000000000 +0200
+++ openssh-6.2p1/sftp-client.h 2013-03-22 09:49:37.353595404 +0100 +++ openssh-6.3p1/sftp-client.h 2013-10-07 13:45:10.108080813 +0200
@@ -56,49 +56,49 @@ struct sftp_conn *do_init(int, int, u_in @@ -56,49 +56,49 @@ struct sftp_conn *do_init(int, int, u_in
u_int sftp_proto_version(struct sftp_conn *); u_int sftp_proto_version(struct sftp_conn *);
@ -727,15 +616,15 @@ diff -up openssh-6.2p1/sftp-client.h.coverity openssh-6.2p1/sftp-client.h
* Download 'remote_path' to 'local_path'. Preserve permissions and times * Download 'remote_path' to 'local_path'. Preserve permissions and times
* if 'pflag' is set * if 'pflag' is set
*/ */
-int do_download(struct sftp_conn *, char *, char *, Attrib *, int); -int do_download(struct sftp_conn *, char *, char *, Attrib *, int, int);
+int do_download(struct sftp_conn *, const char *, const char *, Attrib *, int); +int do_download(struct sftp_conn *, const char *, const char *, Attrib *, int, int);
/* /*
* Recursively download 'remote_directory' to 'local_directory'. Preserve * Recursively download 'remote_directory' to 'local_directory'. Preserve
* times if 'pflag' is set * times if 'pflag' is set
*/ */
-int download_dir(struct sftp_conn *, char *, char *, Attrib *, int, int); -int download_dir(struct sftp_conn *, char *, char *, Attrib *, int, int, int);
+int download_dir(struct sftp_conn *, const char *, const char *, Attrib *, int, int); +int download_dir(struct sftp_conn *, const char *, const char *, Attrib *, int, int, int);
/* /*
* Upload 'local_path' to 'remote_path'. Preserve permissions and times * Upload 'local_path' to 'remote_path'. Preserve permissions and times
@ -756,10 +645,112 @@ diff -up openssh-6.2p1/sftp-client.h.coverity openssh-6.2p1/sftp-client.h
+char *path_append(const char *, const char *); +char *path_append(const char *, const char *);
#endif #endif
diff -up openssh-6.2p1/ssh-agent.c.coverity openssh-6.2p1/ssh-agent.c diff -up openssh-6.3p1/sftp.c.coverity openssh-6.3p1/sftp.c
--- openssh-6.2p1/ssh-agent.c.coverity 2011-06-03 06:14:16.000000000 +0200 --- openssh-6.3p1/sftp.c.coverity 2013-07-25 03:56:52.000000000 +0200
+++ openssh-6.2p1/ssh-agent.c 2013-03-22 09:49:37.354595400 +0100 +++ openssh-6.3p1/sftp.c 2013-10-07 13:49:47.322727449 +0200
@@ -1147,8 +1147,8 @@ main(int ac, char **av) @@ -213,7 +213,7 @@ killchild(int signo)
{
if (sshpid > 1) {
kill(sshpid, SIGTERM);
- waitpid(sshpid, NULL, 0);
+ (void) waitpid(sshpid, NULL, 0);
}
_exit(1);
@@ -324,7 +324,7 @@ local_do_ls(const char *args)
/* Strip one path (usually the pwd) from the start of another */
static char *
-path_strip(char *path, char *strip)
+path_strip(const char *path, const char *strip)
{
size_t len;
@@ -342,7 +342,7 @@ path_strip(char *path, char *strip)
}
static char *
-make_absolute(char *p, char *pwd)
+make_absolute(char *p, const char *pwd)
{
char *abs_str;
@@ -493,7 +493,7 @@ parse_df_flags(const char *cmd, char **a
}
static int
-is_dir(char *path)
+is_dir(const char *path)
{
struct stat sb;
@@ -505,7 +505,7 @@ is_dir(char *path)
}
static int
-remote_is_dir(struct sftp_conn *conn, char *path)
+remote_is_dir(struct sftp_conn *conn, const char *path)
{
Attrib *a;
@@ -519,7 +519,7 @@ remote_is_dir(struct sftp_conn *conn, ch
/* Check whether path returned from glob(..., GLOB_MARK, ...) is a directory */
static int
-pathname_is_dir(char *pathname)
+pathname_is_dir(const char *pathname)
{
size_t l = strlen(pathname);
@@ -527,7 +527,7 @@ pathname_is_dir(char *pathname)
}
static int
-process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd,
+process_get(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
int pflag, int rflag, int resume)
{
char *abs_src = NULL;
@@ -605,7 +605,7 @@ out:
}
static int
-process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd,
+process_put(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
int pflag, int rflag)
{
char *tmp_dst = NULL;
@@ -709,7 +709,7 @@ sdirent_comp(const void *aa, const void
/* sftp ls.1 replacement for directories */
static int
-do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
+do_ls_dir(struct sftp_conn *conn, const char *path, const char *strip_path, int lflag)
{
int n;
u_int c = 1, colspace = 0, columns = 1;
@@ -794,7 +794,7 @@ do_ls_dir(struct sftp_conn *conn, char *
/* sftp ls.1 replacement which handles path globs */
static int
-do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
+do_globbed_ls(struct sftp_conn *conn, const char *path, const char *strip_path,
int lflag)
{
char *fname, *lname;
@@ -875,7 +875,7 @@ do_globbed_ls(struct sftp_conn *conn, ch
}
static int
-do_df(struct sftp_conn *conn, char *path, int hflag, int iflag)
+do_df(struct sftp_conn *conn, const char *path, int hflag, int iflag)
{
struct sftp_statvfs st;
char s_used[FMT_SCALED_STRSIZE];
diff -up openssh-6.3p1/ssh-agent.c.coverity openssh-6.3p1/ssh-agent.c
--- openssh-6.3p1/ssh-agent.c.coverity 2013-07-20 05:22:49.000000000 +0200
+++ openssh-6.3p1/ssh-agent.c 2013-10-07 13:20:36.296298024 +0200
@@ -1143,8 +1143,8 @@ main(int ac, char **av)
sanitise_stdfd(); sanitise_stdfd();
/* drop */ /* drop */
@ -770,37 +761,28 @@ diff -up openssh-6.2p1/ssh-agent.c.coverity openssh-6.2p1/ssh-agent.c
#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
/* Disable ptrace on Linux without sgid bit */ /* Disable ptrace on Linux without sgid bit */
diff -up openssh-6.2p1/sshd.c.coverity openssh-6.2p1/sshd.c diff -up openssh-6.3p1/sshd.c.coverity openssh-6.3p1/sshd.c
--- openssh-6.2p1/sshd.c.coverity 2013-02-12 01:04:48.000000000 +0100 --- openssh-6.3p1/sshd.c.coverity 2013-07-20 05:21:53.000000000 +0200
+++ openssh-6.2p1/sshd.c 2013-03-22 09:49:37.355595396 +0100 +++ openssh-6.3p1/sshd.c 2013-10-07 13:20:36.296298024 +0200
@@ -691,8 +691,10 @@ privsep_preauth(Authctxt *authctxt) @@ -699,8 +699,10 @@ privsep_preauth(Authctxt *authctxt)
if (getuid() == 0 || geteuid() == 0) if (getuid() == 0 || geteuid() == 0)
privsep_preauth_child(); privsep_preauth_child();
setproctitle("%s", "[net]"); setproctitle("%s", "[net]");
- if (box != NULL) - if (box != NULL)
+ if (box != NULL) { + if (box != NULL) {
ssh_sandbox_child(box); ssh_sandbox_child(box);
+ xfree(box); + free(box);
+ } + }
return 0; return 0;
} }
@@ -1320,6 +1322,9 @@ server_accept_loop(int *sock_in, int *so @@ -1345,6 +1347,9 @@ server_accept_loop(int *sock_in, int *so
if (num_listen_socks < 0) if (num_listen_socks < 0)
break; break;
} }
+ +
+ if (fdset != NULL) + if (fdset != NULL)
+ xfree(fdset); + free(fdset);
} }
@@ -1806,7 +1811,7 @@ main(int ac, char **av)
/* Chdir to the root directory so that the current disk can be
unmounted if desired. */
- chdir("/");
+ (void) chdir("/");
/* ignore SIGPIPE */
signal(SIGPIPE, SIG_IGN);

8
openssh-6.2p1-ctr-cavstest.patch → openssh-6.3p1-ctr-cavstest.patch
View File

@ -185,8 +185,8 @@ diff -up openssh-6.2p1/ctr-cavstest.c.ctr-cavs openssh-6.2p1/ctr-cavstest.c
+ +
+ cipher_init(&cc, c, key, keylen, iv, ivlen, encrypt); + cipher_init(&cc, c, key, keylen, iv, ivlen, encrypt);
+ +
+ xfree(key); + free(key);
+ xfree(iv); + free(iv);
+ +
+ outdata = malloc(datalen); + outdata = malloc(datalen);
+ if(outdata == NULL) { + if(outdata == NULL) {
@ -196,7 +196,7 @@ diff -up openssh-6.2p1/ctr-cavstest.c.ctr-cavs openssh-6.2p1/ctr-cavstest.c
+ +
+ cipher_crypt(&cc, outdata, data, datalen, 0, 0); + cipher_crypt(&cc, outdata, data, datalen, 0, 0);
+ +
+ xfree(data); + free(data);
+ +
+ cipher_cleanup(&cc); + cipher_cleanup(&cc);
+ +
@ -204,7 +204,7 @@ diff -up openssh-6.2p1/ctr-cavstest.c.ctr-cavs openssh-6.2p1/ctr-cavstest.c
+ printf("%02X", (unsigned char)*p); + printf("%02X", (unsigned char)*p);
+ } + }
+ +
+ xfree(outdata); + free(outdata);
+ +
+ printf("\n"); + printf("\n");
+ return 0; + return 0;

2
openssh-5.9p1-ctr-evp-fast.patch → openssh-6.3p1-ctr-evp-fast.patch
View File

@ -97,5 +97,5 @@ diff -up openssh-5.9p1/cipher-ctr.c.ctr-evp openssh-5.9p1/cipher-ctr.c
if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) { if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
+ EVP_CIPHER_CTX_cleanup(&c->ecbctx); + EVP_CIPHER_CTX_cleanup(&c->ecbctx);
memset(c, 0, sizeof(*c)); memset(c, 0, sizeof(*c));
xfree(c); free(c);
EVP_CIPHER_CTX_set_app_data(ctx, NULL); EVP_CIPHER_CTX_set_app_data(ctx, NULL);

375
openssh-6.2p1-fingerprint.patch → openssh-6.3p1-fingerprint.patch
View File

@ -1,14 +1,31 @@
diff -up openssh-6.2p1/auth2-hostbased.c.fingerprint openssh-6.2p1/auth2-hostbased.c diff -up openssh-6.3p1/auth-rsa.c.fingerprint openssh-6.3p1/auth-rsa.c
--- openssh-6.2p1/auth2-hostbased.c.fingerprint 2010-08-05 05:04:50.000000000 +0200 diff -up openssh-6.3p1/auth.c.fingerprint openssh-6.3p1/auth.c
+++ openssh-6.2p1/auth2-hostbased.c 2013-03-22 12:20:49.009685008 +0100 --- openssh-6.3p1/auth.c.fingerprint 2013-10-07 14:02:36.998968153 +0200
@@ -196,16 +196,18 @@ hostbased_key_allowed(struct passwd *pw, +++ openssh-6.3p1/auth.c 2013-10-07 15:42:05.243812405 +0200
@@ -685,9 +685,10 @@ auth_key_is_revoked(Key *key)
case 1:
revoked:
/* Key revoked */
- key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+ key_fp = key_selected_fingerprint(key, SSH_FP_HEX);
error("WARNING: authentication attempt with a revoked "
- "%s key %s ", key_type(key), key_fp);
+ "%s key %s%s ", key_type(key),
+ key_fingerprint_prefix(), key_fp);
free(key_fp);
return 1;
}
diff -up openssh-6.3p1/auth2-hostbased.c.fingerprint openssh-6.3p1/auth2-hostbased.c
--- openssh-6.3p1/auth2-hostbased.c.fingerprint 2013-10-07 14:02:36.998968153 +0200
+++ openssh-6.3p1/auth2-hostbased.c 2013-10-07 15:43:49.747355927 +0200
@@ -200,16 +200,18 @@ hostbased_key_allowed(struct passwd *pw,
if (host_status == HOST_OK) { if (host_status == HOST_OK) {
if (key_is_cert(key)) { if (key_is_cert(key)) {
- fp = key_fingerprint(key->cert->signature_key, - fp = key_fingerprint(key->cert->signature_key,
- SSH_FP_MD5, SSH_FP_HEX); - SSH_FP_MD5, SSH_FP_HEX);
+ fp = key_selected_fingerprint(key->cert->signature_key, + fp = key_selected_fingerprint(key->cert->signature_key,
+ SSH_FP_HEX); + SSH_FP_HEX);
verbose("Accepted certificate ID \"%s\" signed by " verbose("Accepted certificate ID \"%s\" signed by "
- "%s CA %s from %s@%s", key->cert->key_id, - "%s CA %s from %s@%s", key->cert->key_id,
- key_type(key->cert->signature_key), fp, - key_type(key->cert->signature_key), fp,
@ -25,12 +42,12 @@ diff -up openssh-6.2p1/auth2-hostbased.c.fingerprint openssh-6.2p1/auth2-hostbas
+ key_type(key), key_fingerprint_prefix(), + key_type(key), key_fingerprint_prefix(),
+ fp, cuser, lookup); + fp, cuser, lookup);
} }
xfree(fp); free(fp);
} }
diff -up openssh-6.2p1/auth2-pubkey.c.fingerprint openssh-6.2p1/auth2-pubkey.c diff -up openssh-6.3p1/auth2-pubkey.c.fingerprint openssh-6.3p1/auth2-pubkey.c
--- openssh-6.2p1/auth2-pubkey.c.fingerprint 2013-02-15 00:28:56.000000000 +0100 --- openssh-6.3p1/auth2-pubkey.c.fingerprint 2013-07-18 08:10:10.000000000 +0200
+++ openssh-6.2p1/auth2-pubkey.c 2013-03-22 12:20:49.009685008 +0100 +++ openssh-6.3p1/auth2-pubkey.c 2013-10-07 15:50:44.617495624 +0200
@@ -317,10 +317,10 @@ check_authkeys_file(FILE *f, char *file, @@ -359,10 +359,10 @@ check_authkeys_file(FILE *f, char *file,
continue; continue;
if (!key_is_cert_authority) if (!key_is_cert_authority)
continue; continue;
@ -45,20 +62,20 @@ diff -up openssh-6.2p1/auth2-pubkey.c.fingerprint openssh-6.2p1/auth2-pubkey.c
/* /*
* If the user has specified a list of principals as * If the user has specified a list of principals as
* a key option, then prefer that list to matching * a key option, then prefer that list to matching
@@ -360,9 +360,9 @@ check_authkeys_file(FILE *f, char *file, @@ -400,9 +400,9 @@ check_authkeys_file(FILE *f, char *file,
if (key_is_cert_authority)
continue;
found_key = 1; found_key = 1;
debug("matching key found: file %s, line %lu",
file, linenum);
- fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); - fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
- verbose("Found matching %s key: %s", - debug("matching key found: file %s, line %lu %s %s",
- key_type(found), fp); - file, linenum, key_type(found), fp);
+ fp = key_selected_fingerprint(found, SSH_FP_HEX); + fp = key_selected_fingerprint(found, SSH_FP_HEX);
+ verbose("Found matching %s key: %s%s", + verbose("Found matching %s key: %s%s",
+ key_type(found), key_fingerprint_prefix(), fp); + key_type(found), key_fingerprint_prefix(), fp);
xfree(fp); free(fp);
break; break;
} }
@@ -384,13 +384,13 @@ user_cert_trusted_ca(struct passwd *pw, @@ -425,13 +425,13 @@ user_cert_trusted_ca(struct passwd *pw,
if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL) if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL)
return 0; return 0;
@ -76,42 +93,10 @@ diff -up openssh-6.2p1/auth2-pubkey.c.fingerprint openssh-6.2p1/auth2-pubkey.c
options.trusted_user_ca_keys); options.trusted_user_ca_keys);
goto out; goto out;
} }
diff -up openssh-6.2p1/auth.c.fingerprint openssh-6.2p1/auth.c diff -up openssh-6.3p1/key.c.fingerprint openssh-6.3p1/key.c
--- openssh-6.2p1/auth.c.fingerprint 2013-03-12 01:31:05.000000000 +0100 --- openssh-6.3p1/key.c.fingerprint 2013-10-07 14:02:36.971968285 +0200
+++ openssh-6.2p1/auth.c 2013-03-22 12:22:32.515230386 +0100 +++ openssh-6.3p1/key.c 2013-10-07 14:02:36.999968148 +0200
@@ -663,9 +663,10 @@ auth_key_is_revoked(Key *key) @@ -598,6 +598,34 @@ key_fingerprint(const Key *k, enum fp_ty
case 1:
revoked:
/* Key revoked */
- key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+ key_fp = key_selected_fingerprint(key, SSH_FP_HEX);
error("WARNING: authentication attempt with a revoked "
- "%s key %s ", key_type(key), key_fp);
+ "%s key %s%s ", key_type(key),
+ key_fingerprint_prefix(), key_fp);
xfree(key_fp);
return 1;
}
diff -up openssh-6.2p1/auth-rsa.c.fingerprint openssh-6.2p1/auth-rsa.c
--- openssh-6.2p1/auth-rsa.c.fingerprint 2012-10-30 22:58:59.000000000 +0100
+++ openssh-6.2p1/auth-rsa.c 2013-03-22 12:20:49.011684999 +0100
@@ -328,9 +328,9 @@ auth_rsa(Authctxt *authctxt, BIGNUM *cli
* options; this will be reset if the options cause the
* authentication to be rejected.
*/
- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
- verbose("Found matching %s key: %s",
- key_type(key), fp);
+ fp = key_selected_fingerprint(key, SSH_FP_HEX);
+ verbose("Found matching %s key: %s%s",
+ key_type(key), key_fingerprint_prefix(), fp);
xfree(fp);
key_free(key);
diff -up openssh-6.2p1/key.c.fingerprint openssh-6.2p1/key.c
--- openssh-6.2p1/key.c.fingerprint 2013-03-22 12:20:48.971685175 +0100
+++ openssh-6.2p1/key.c 2013-03-22 12:20:49.012684995 +0100
@@ -599,6 +599,34 @@ key_fingerprint(Key *k, enum fp_type dgs
return retval; return retval;
} }
@ -146,12 +131,12 @@ diff -up openssh-6.2p1/key.c.fingerprint openssh-6.2p1/key.c
/* /*
* Reads a multiple-precision integer in decimal from the buffer, and advances * Reads a multiple-precision integer in decimal from the buffer, and advances
* the pointer. The integer must already be initialized. This function is * the pointer. The integer must already be initialized. This function is
diff -up openssh-6.2p1/key.h.fingerprint openssh-6.2p1/key.h diff -up openssh-6.3p1/key.h.fingerprint openssh-6.3p1/key.h
--- openssh-6.2p1/key.h.fingerprint 2013-01-18 01:44:05.000000000 +0100 --- openssh-6.3p1/key.h.fingerprint 2013-10-07 14:02:36.999968148 +0200
+++ openssh-6.2p1/key.h 2013-03-22 12:23:35.308954528 +0100 +++ openssh-6.3p1/key.h 2013-10-07 15:44:17.574233450 +0200
@@ -97,6 +97,9 @@ int key_equal_public(const Key *, cons @@ -97,6 +97,9 @@ int key_equal_public(const Key *, cons
int key_equal(const Key *, const Key *); int key_equal(const Key *, const Key *);
char *key_fingerprint(Key *, enum fp_type, enum fp_rep); char *key_fingerprint(const Key *, enum fp_type, enum fp_rep);
u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *); u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *);
+enum fp_type key_fingerprint_selection(void); +enum fp_type key_fingerprint_selection(void);
+char *key_selected_fingerprint(Key *, enum fp_rep); +char *key_selected_fingerprint(Key *, enum fp_rep);
@ -159,9 +144,9 @@ diff -up openssh-6.2p1/key.h.fingerprint openssh-6.2p1/key.h
const char *key_type(const Key *); const char *key_type(const Key *);
const char *key_cert_type(const Key *); const char *key_cert_type(const Key *);
int key_write(const Key *, FILE *); int key_write(const Key *, FILE *);
diff -up openssh-6.2p1/ssh-add.c.fingerprint openssh-6.2p1/ssh-add.c diff -up openssh-6.3p1/ssh-add.c.fingerprint openssh-6.3p1/ssh-add.c
--- openssh-6.2p1/ssh-add.c.fingerprint 2012-12-07 03:07:03.000000000 +0100 --- openssh-6.3p1/ssh-add.c.fingerprint 2013-10-07 14:02:37.000968143 +0200
+++ openssh-6.2p1/ssh-add.c 2013-03-22 12:20:49.029684920 +0100 +++ openssh-6.3p1/ssh-add.c 2013-10-07 14:44:57.466515766 +0200
@@ -326,10 +326,10 @@ list_identities(AuthenticationConnection @@ -326,10 +326,10 @@ list_identities(AuthenticationConnection
key = ssh_get_next_identity(ac, &comment, version)) { key = ssh_get_next_identity(ac, &comment, version)) {
had_identities = 1; had_identities = 1;
@ -174,13 +159,13 @@ diff -up openssh-6.2p1/ssh-add.c.fingerprint openssh-6.2p1/ssh-add.c
+ printf("%d %s%s %s (%s)\n", + printf("%d %s%s %s (%s)\n",
+ key_size(key), key_fingerprint_prefix(), + key_size(key), key_fingerprint_prefix(),
+ fp, comment, key_type(key)); + fp, comment, key_type(key));
xfree(fp); free(fp);
} else { } else {
if (!key_write(key, stdout)) if (!key_write(key, stdout))
diff -up openssh-6.2p1/ssh-agent.c.fingerprint openssh-6.2p1/ssh-agent.c diff -up openssh-6.3p1/ssh-agent.c.fingerprint openssh-6.3p1/ssh-agent.c
--- openssh-6.2p1/ssh-agent.c.fingerprint 2013-03-22 12:20:48.979685140 +0100 --- openssh-6.3p1/ssh-agent.c.fingerprint 2013-10-07 14:02:37.000968143 +0200
+++ openssh-6.2p1/ssh-agent.c 2013-03-22 12:20:49.030684916 +0100 +++ openssh-6.3p1/ssh-agent.c 2013-10-07 15:41:11.627044336 +0200
@@ -199,9 +199,9 @@ confirm_key(Identity *id) @@ -198,9 +198,9 @@ confirm_key(Identity *id)
char *p; char *p;
int ret = -1; int ret = -1;
@ -191,134 +176,11 @@ diff -up openssh-6.2p1/ssh-agent.c.fingerprint openssh-6.2p1/ssh-agent.c
+ if (ask_permission("Allow use of key %s?\nKey fingerprint %s%s.", + if (ask_permission("Allow use of key %s?\nKey fingerprint %s%s.",
+ id->comment, key_fingerprint_prefix(), p)) + id->comment, key_fingerprint_prefix(), p))
ret = 0; ret = 0;
xfree(p); free(p);
diff -up openssh-6.2p1/sshconnect2.c.fingerprint openssh-6.2p1/sshconnect2.c diff -up openssh-6.3p1/ssh-keygen.c.fingerprint openssh-6.3p1/ssh-keygen.c
--- openssh-6.2p1/sshconnect2.c.fingerprint 2013-03-20 02:55:15.000000000 +0100 --- openssh-6.3p1/ssh-keygen.c.fingerprint 2013-07-20 05:22:32.000000000 +0200
+++ openssh-6.2p1/sshconnect2.c 2013-03-22 12:20:49.031684912 +0100 +++ openssh-6.3p1/ssh-keygen.c 2013-10-07 14:25:52.864145038 +0200
@@ -592,8 +592,9 @@ input_userauth_pk_ok(int type, u_int32_t
key->type, pktype);
goto done;
}
- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
- debug2("input_userauth_pk_ok: fp %s", fp);
+ fp = key_selected_fingerprint(key, SSH_FP_HEX);
+ debug2("input_userauth_pk_ok: fp %s%s",
+ key_fingerprint_prefix(), fp);
xfree(fp);
/*
@@ -1205,8 +1206,9 @@ sign_and_send_pubkey(Authctxt *authctxt,
int have_sig = 1;
char *fp;
- fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
- debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
+ fp = key_selected_fingerprint(id->key, SSH_FP_HEX);
+ debug3("sign_and_send_pubkey: %s %s%s", key_type(id->key),
+ key_fingerprint_prefix(), fp);
xfree(fp);
if (key_to_blob(id->key, &blob, &bloblen) == 0) {
diff -up openssh-6.2p1/sshconnect.c.fingerprint openssh-6.2p1/sshconnect.c
--- openssh-6.2p1/sshconnect.c.fingerprint 2012-09-17 05:25:44.000000000 +0200
+++ openssh-6.2p1/sshconnect.c 2013-03-22 12:20:49.032684907 +0100
@@ -824,10 +824,10 @@ check_host_key(char *hostname, struct so
"key for IP address '%.128s' to the list "
"of known hosts.", type, ip);
} else if (options.visual_host_key) {
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
- ra = key_fingerprint(host_key, SSH_FP_MD5,
- SSH_FP_RANDOMART);
- logit("Host key fingerprint is %s\n%s\n", fp, ra);
+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
+ ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART);
+ logit("Host key fingerprint is %s%s\n%s\n",
+ key_fingerprint_prefix(), fp, ra);
xfree(ra);
xfree(fp);
}
@@ -865,9 +865,8 @@ check_host_key(char *hostname, struct so
else
snprintf(msg1, sizeof(msg1), ".");
/* The default */
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
- ra = key_fingerprint(host_key, SSH_FP_MD5,
- SSH_FP_RANDOMART);
+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
+ ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART);
msg2[0] = '\0';
if (options.verify_host_key_dns) {
if (matching_host_key_dns)
@@ -882,10 +881,11 @@ check_host_key(char *hostname, struct so
snprintf(msg, sizeof(msg),
"The authenticity of host '%.200s (%s)' can't be "
"established%s\n"
- "%s key fingerprint is %s.%s%s\n%s"
+ "%s key fingerprint is %s%s.%s%s\n%s"
"Are you sure you want to continue connecting "
"(yes/no)? ",
- host, ip, msg1, type, fp,
+ host, ip, msg1, type,
+ key_fingerprint_prefix(), fp,
options.visual_host_key ? "\n" : "",
options.visual_host_key ? ra : "",
msg2);
@@ -1130,8 +1130,9 @@ verify_host_key(char *host, struct socka
int flags = 0;
char *fp;
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
- debug("Server host key: %s %s", key_type(host_key), fp);
+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
+ debug("Server host key: %s %s%s", key_type(host_key),
+ key_fingerprint_prefix(), fp);
xfree(fp);
/* XXX certs are not yet supported for DNS */
@@ -1232,14 +1233,15 @@ show_other_keys(struct hostkeys *hostkey
continue;
if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
continue;
- fp = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_HEX);
- ra = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_RANDOMART);
+ fp = key_selected_fingerprint(found->key, SSH_FP_HEX);
+ ra = key_selected_fingerprint(found->key, SSH_FP_RANDOMART);
logit("WARNING: %s key found for host %s\n"
"in %s:%lu\n"
- "%s key fingerprint %s.",
+ "%s key fingerprint %s%s.",
key_type(found->key),
found->host, found->file, found->line,
- key_type(found->key), fp);
+ key_type(found->key),
+ key_fingerprint_prefix(), fp);
if (options.visual_host_key)
logit("%s", ra);
xfree(ra);
@@ -1254,7 +1256,7 @@ warn_changed_key(Key *host_key)
{
char *fp;
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
@@ -1262,8 +1264,8 @@ warn_changed_key(Key *host_key)
error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
error("It is also possible that a host key has just been changed.");
- error("The fingerprint for the %s key sent by the remote host is\n%s.",
- key_type(host_key), fp);
+ error("The fingerprint for the %s key sent by the remote host is\n%s%s.",
+ key_type(host_key),key_fingerprint_prefix(), fp);
error("Please contact your system administrator.");
xfree(fp);
diff -up openssh-6.2p1/ssh-keygen.c.fingerprint openssh-6.2p1/ssh-keygen.c
--- openssh-6.2p1/ssh-keygen.c.fingerprint 2013-02-12 01:03:36.000000000 +0100
+++ openssh-6.2p1/ssh-keygen.c 2013-03-22 12:20:49.033684903 +0100
@@ -767,13 +767,14 @@ do_fingerprint(struct passwd *pw) @@ -767,13 +767,14 @@ do_fingerprint(struct passwd *pw)
{ {
FILE *f; FILE *f;
@ -378,7 +240,7 @@ diff -up openssh-6.2p1/ssh-keygen.c.fingerprint openssh-6.2p1/ssh-keygen.c
key_type(public)); key_type(public));
if (log_level >= SYSLOG_LEVEL_VERBOSE) if (log_level >= SYSLOG_LEVEL_VERBOSE)
printf("%s\n", ra); printf("%s\n", ra);
@@ -1854,16 +1857,17 @@ do_show_cert(struct passwd *pw) @@ -1855,16 +1858,17 @@ do_show_cert(struct passwd *pw)
fatal("%s is not a certificate", identity_file); fatal("%s is not a certificate", identity_file);
v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00; v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00;
@ -402,7 +264,7 @@ diff -up openssh-6.2p1/ssh-keygen.c.fingerprint openssh-6.2p1/ssh-keygen.c
printf(" Key ID: \"%s\"\n", key->cert->key_id); printf(" Key ID: \"%s\"\n", key->cert->key_id);
if (!v00) { if (!v00) {
printf(" Serial: %llu\n", printf(" Serial: %llu\n",
@@ -2651,13 +2655,12 @@ passphrase_again: @@ -2655,13 +2659,12 @@ passphrase_again:
fclose(f); fclose(f);
if (!quiet) { if (!quiet) {
@ -418,4 +280,127 @@ diff -up openssh-6.2p1/ssh-keygen.c.fingerprint openssh-6.2p1/ssh-keygen.c
+ printf("%s%s %s\n", key_fingerprint_prefix(), fp, comment); + printf("%s%s %s\n", key_fingerprint_prefix(), fp, comment);
printf("The key's randomart image is:\n"); printf("The key's randomart image is:\n");
printf("%s\n", ra); printf("%s\n", ra);
xfree(ra); free(ra);
diff -up openssh-6.3p1/sshconnect.c.fingerprint openssh-6.3p1/sshconnect.c
--- openssh-6.3p1/sshconnect.c.fingerprint 2013-06-01 23:31:19.000000000 +0200
+++ openssh-6.3p1/sshconnect.c 2013-10-07 14:43:54.859822036 +0200
@@ -830,10 +830,10 @@ check_host_key(char *hostname, struct so
"key for IP address '%.128s' to the list "
"of known hosts.", type, ip);
} else if (options.visual_host_key) {
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
- ra = key_fingerprint(host_key, SSH_FP_MD5,
- SSH_FP_RANDOMART);
- logit("Host key fingerprint is %s\n%s\n", fp, ra);
+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
+ ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART);
+ logit("Host key fingerprint is %s%s\n%s\n",
+ key_fingerprint_prefix(), fp, ra);
free(ra);
free(fp);
}
@@ -871,9 +871,8 @@ check_host_key(char *hostname, struct so
else
snprintf(msg1, sizeof(msg1), ".");
/* The default */
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
- ra = key_fingerprint(host_key, SSH_FP_MD5,
- SSH_FP_RANDOMART);
+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
+ ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART);
msg2[0] = '\0';
if (options.verify_host_key_dns) {
if (matching_host_key_dns)
@@ -888,10 +887,11 @@ check_host_key(char *hostname, struct so
snprintf(msg, sizeof(msg),
"The authenticity of host '%.200s (%s)' can't be "
"established%s\n"
- "%s key fingerprint is %s.%s%s\n%s"
+ "%s key fingerprint is %s%s.%s%s\n%s"
"Are you sure you want to continue connecting "
"(yes/no)? ",
- host, ip, msg1, type, fp,
+ host, ip, msg1, type,
+ key_fingerprint_prefix(), fp,
options.visual_host_key ? "\n" : "",
options.visual_host_key ? ra : "",
msg2);
@@ -1136,8 +1136,9 @@ verify_host_key(char *host, struct socka
int flags = 0;
char *fp;
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
- debug("Server host key: %s %s", key_type(host_key), fp);
+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
+ debug("Server host key: %s %s%s", key_type(host_key),
+ key_fingerprint_prefix(), fp);
free(fp);
/* XXX certs are not yet supported for DNS */
@@ -1238,14 +1239,15 @@ show_other_keys(struct hostkeys *hostkey
continue;
if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
continue;
- fp = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_HEX);
- ra = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_RANDOMART);
+ fp = key_selected_fingerprint(found->key, SSH_FP_HEX);
+ ra = key_selected_fingerprint(found->key, SSH_FP_RANDOMART);
logit("WARNING: %s key found for host %s\n"
"in %s:%lu\n"
- "%s key fingerprint %s.",
+ "%s key fingerprint %s%s.",
key_type(found->key),
found->host, found->file, found->line,
- key_type(found->key), fp);
+ key_type(found->key),
+ key_fingerprint_prefix(), fp);
if (options.visual_host_key)
logit("%s", ra);
free(ra);
@@ -1260,7 +1262,7 @@ warn_changed_key(Key *host_key)
{
char *fp;
- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+ fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
@@ -1268,8 +1270,8 @@ warn_changed_key(Key *host_key)
error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
error("It is also possible that a host key has just been changed.");
- error("The fingerprint for the %s key sent by the remote host is\n%s.",
- key_type(host_key), fp);
+ error("The fingerprint for the %s key sent by the remote host is\n%s%s.",
+ key_type(host_key),key_fingerprint_prefix(), fp);
error("Please contact your system administrator.");
free(fp);
diff -up openssh-6.3p1/sshconnect2.c.fingerprint openssh-6.3p1/sshconnect2.c
--- openssh-6.3p1/sshconnect2.c.fingerprint 2013-10-07 14:02:37.001968139 +0200
+++ openssh-6.3p1/sshconnect2.c 2013-10-07 15:20:09.403234714 +0200
@@ -590,8 +590,9 @@ input_userauth_pk_ok(int type, u_int32_t
key->type, pktype);
goto done;
}
- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
- debug2("input_userauth_pk_ok: fp %s", fp);
+ fp = key_selected_fingerprint(key, SSH_FP_HEX);
+ debug2("input_userauth_pk_ok: fp %s%s",
+ key_fingerprint_prefix(), fp);
free(fp);
/*
@@ -1202,8 +1203,9 @@ sign_and_send_pubkey(Authctxt *authctxt,
int have_sig = 1;
char *fp;
- fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
- debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
+ fp = key_selected_fingerprint(id->key, SSH_FP_HEX);
+ debug3("sign_and_send_pubkey: %s %s%s", key_type(id->key),
+ key_fingerprint_prefix(), fp);
free(fp);
if (key_to_blob(id->key, &blob, &bloblen) == 0) {

343
openssh-6.2p1-fips.patch → openssh-6.3p1-fips.patch
View File

@ -1,6 +1,50 @@
diff -up openssh-6.2p1/authfile.c.fips openssh-6.2p1/authfile.c diff -up openssh-6.3p1/Makefile.in.fips openssh-6.3p1/Makefile.in
--- openssh-6.2p1/authfile.c.fips 2013-03-27 13:14:49.164683482 +0100 --- openssh-6.3p1/Makefile.in.fips 2013-10-11 22:24:32.850031186 +0200
+++ openssh-6.2p1/authfile.c 2013-03-27 13:14:49.177683431 +0100 +++ openssh-6.3p1/Makefile.in 2013-10-11 22:24:32.870031092 +0200
@@ -147,25 +147,25 @@ libssh.a: $(LIBSSH_OBJS)
$(RANLIB) $@
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHLIBS) $(LIBS) $(GSSLIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o
- $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
@@ -177,7 +177,7 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) libssh
$(LD) -o $@ ssh-keycat.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(SSHDLIBS)
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
- $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+ $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
diff -up openssh-6.3p1/authfile.c.fips openssh-6.3p1/authfile.c
--- openssh-6.3p1/authfile.c.fips 2013-10-11 22:24:32.857031153 +0200
+++ openssh-6.3p1/authfile.c 2013-10-11 22:24:32.870031092 +0200
@@ -148,8 +148,14 @@ key_private_rsa1_to_blob(Key *key, Buffe @@ -148,8 +148,14 @@ key_private_rsa1_to_blob(Key *key, Buffe
/* Allocate space for the private part of the key in the buffer. */ /* Allocate space for the private part of the key in the buffer. */
cp = buffer_append_space(&encrypted, buffer_len(&buffer)); cp = buffer_append_space(&encrypted, buffer_len(&buffer));
@ -34,9 +78,22 @@ diff -up openssh-6.2p1/authfile.c.fips openssh-6.2p1/authfile.c
cipher_crypt(&ciphercontext, cp, cipher_crypt(&ciphercontext, cp,
buffer_ptr(&copy), buffer_len(&copy), 0, 0); buffer_ptr(&copy), buffer_len(&copy), 0, 0);
cipher_cleanup(&ciphercontext); cipher_cleanup(&ciphercontext);
diff -up openssh-6.2p1/cipher.c.fips openssh-6.2p1/cipher.c diff -up openssh-6.3p1/cipher-ctr.c.fips openssh-6.3p1/cipher-ctr.c
--- openssh-6.2p1/cipher.c.fips 2013-03-27 13:14:49.087683788 +0100 --- openssh-6.3p1/cipher-ctr.c.fips 2013-06-02 00:07:32.000000000 +0200
+++ openssh-6.2p1/cipher.c 2013-03-27 13:14:49.177683431 +0100 +++ openssh-6.3p1/cipher-ctr.c 2013-10-11 22:24:32.870031092 +0200
@@ -138,7 +138,8 @@ evp_aes_128_ctr(void)
aes_ctr.do_cipher = ssh_aes_ctr;
#ifndef SSH_OLD_EVP
aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
- EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
+ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV |
+ EVP_CIPH_FLAG_FIPS;
#endif
return (&aes_ctr);
}
diff -up openssh-6.3p1/cipher.c.fips openssh-6.3p1/cipher.c
--- openssh-6.3p1/cipher.c.fips 2013-10-11 22:24:32.820031327 +0200
+++ openssh-6.3p1/cipher.c 2013-10-11 22:24:32.871031087 +0200
@@ -40,6 +40,7 @@ @@ -40,6 +40,7 @@
#include <sys/types.h> #include <sys/types.h>
@ -45,54 +102,63 @@ diff -up openssh-6.2p1/cipher.c.fips openssh-6.2p1/cipher.c
#include <string.h> #include <string.h>
#include <stdarg.h> #include <stdarg.h>
@@ -89,6 +90,27 @@ struct Cipher ciphers[] = { @@ -86,6 +87,27 @@ static const struct Cipher ciphers[] = {
{ NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL } { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
}; };
+struct Cipher fips_ciphers[] = { +static const struct Cipher fips_ciphers[] = {
+ { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }, + { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
+ { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des }, + { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
+ + { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
+ { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc }, + { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
+ { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc }, + { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc },
+ { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc }, + { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc },
+ { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc }, + { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
+ { "rijndael-cbc@lysator.liu.se", + { "rijndael-cbc@lysator.liu.se",
+ SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc }, + SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
+ { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr }, + { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr },
+ { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_128_ctr }, + { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr },
+ { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_128_ctr }, + { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr },
+#ifdef OPENSSL_HAVE_EVPGCM +#ifdef OPENSSL_HAVE_EVPGCM
+ { "aes128-gcm@openssh.com", + { "aes128-gcm@openssh.com",
+ SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm }, + SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm },
+ { "aes256-gcm@openssh.com", + { "aes256-gcm@openssh.com",
+ SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm }, + SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
+#endif +#endif
+ { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, NULL } + { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
+}; +};
/*--*/ /*--*/
u_int /* Returns a comma-separated list of supported ciphers. */
@@ -143,7 +165,7 @@ Cipher * @@ -96,7 +118,7 @@ cipher_alg_list(void)
size_t nlen, rlen = 0;
const Cipher *c;
- for (c = ciphers; c->name != NULL; c++) {
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) {
if (c->number != SSH_CIPHER_SSH2)
continue;
if (ret != NULL)
@@ -161,7 +183,7 @@ const Cipher *
cipher_by_name(const char *name) cipher_by_name(const char *name)
{ {
Cipher *c; const Cipher *c;
- for (c = ciphers; c->name != NULL; c++) - for (c = ciphers; c->name != NULL; c++)
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) + for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
if (strcmp(c->name, name) == 0) if (strcmp(c->name, name) == 0)
return c; return c;
return NULL; return NULL;
@@ -153,7 +175,7 @@ Cipher * @@ -171,7 +193,7 @@ const Cipher *
cipher_by_number(int id) cipher_by_number(int id)
{ {
Cipher *c; const Cipher *c;
- for (c = ciphers; c->name != NULL; c++) - for (c = ciphers; c->name != NULL; c++)
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) + for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
if (c->number == id) if (c->number == id)
return c; return c;
return NULL; return NULL;
@@ -197,7 +219,7 @@ cipher_number(const char *name) @@ -215,7 +237,7 @@ cipher_number(const char *name)
Cipher *c; const Cipher *c;
if (name == NULL) if (name == NULL)
return -1; return -1;
- for (c = ciphers; c->name != NULL; c++) - for (c = ciphers; c->name != NULL; c++)
@ -100,13 +166,13 @@ diff -up openssh-6.2p1/cipher.c.fips openssh-6.2p1/cipher.c
if (strcasecmp(c->name, name) == 0) if (strcasecmp(c->name, name) == 0)
return c->number; return c->number;
return -1; return -1;
@@ -356,14 +378,15 @@ cipher_cleanup(CipherContext *cc) @@ -374,14 +396,15 @@ cipher_cleanup(CipherContext *cc)
* passphrase and using the resulting 16 bytes as the key. * passphrase and using the resulting 16 bytes as the key.
*/ */
-void -void
+int +int
cipher_set_key_string(CipherContext *cc, Cipher *cipher, cipher_set_key_string(CipherContext *cc, const Cipher *cipher,
const char *passphrase, int do_encrypt) const char *passphrase, int do_encrypt)
{ {
MD5_CTX md; MD5_CTX md;
@ -118,7 +184,7 @@ diff -up openssh-6.2p1/cipher.c.fips openssh-6.2p1/cipher.c
MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase)); MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase));
MD5_Final(digest, &md); MD5_Final(digest, &md);
@@ -371,6 +394,7 @@ cipher_set_key_string(CipherContext *cc, @@ -389,6 +412,7 @@ cipher_set_key_string(CipherContext *cc,
memset(digest, 0, sizeof(digest)); memset(digest, 0, sizeof(digest));
memset(&md, 0, sizeof(md)); memset(&md, 0, sizeof(md));
@ -126,34 +192,21 @@ diff -up openssh-6.2p1/cipher.c.fips openssh-6.2p1/cipher.c
} }
/* /*
diff -up openssh-6.2p1/cipher-ctr.c.fips openssh-6.2p1/cipher-ctr.c diff -up openssh-6.3p1/cipher.h.fips openssh-6.3p1/cipher.h
--- openssh-6.2p1/cipher-ctr.c.fips 2013-01-20 12:31:30.000000000 +0100 --- openssh-6.3p1/cipher.h.fips 2013-10-11 22:24:32.820031327 +0200
+++ openssh-6.2p1/cipher-ctr.c 2013-03-27 13:14:49.177683431 +0100 +++ openssh-6.3p1/cipher.h 2013-10-11 22:24:32.871031087 +0200
@@ -138,7 +138,8 @@ evp_aes_128_ctr(void) @@ -92,7 +92,7 @@ void cipher_init(CipherContext *, const
aes_ctr.do_cipher = ssh_aes_ctr;
#ifndef SSH_OLD_EVP
aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
- EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
+ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV |
+ EVP_CIPH_FLAG_FIPS;
#endif
return (&aes_ctr);
}
diff -up openssh-6.2p1/cipher.h.fips openssh-6.2p1/cipher.h
--- openssh-6.2p1/cipher.h.fips 2013-03-27 13:14:49.088683784 +0100
+++ openssh-6.2p1/cipher.h 2013-03-27 13:14:49.177683431 +0100
@@ -91,7 +91,7 @@ void cipher_init(CipherContext *, Ciphe
void cipher_crypt(CipherContext *, u_char *, const u_char *, void cipher_crypt(CipherContext *, u_char *, const u_char *,
u_int, u_int, u_int); u_int, u_int, u_int);
void cipher_cleanup(CipherContext *); void cipher_cleanup(CipherContext *);
-void cipher_set_key_string(CipherContext *, Cipher *, const char *, int); -void cipher_set_key_string(CipherContext *, const Cipher *, const char *, int);
+int cipher_set_key_string(CipherContext *, Cipher *, const char *, int); +int cipher_set_key_string(CipherContext *, const Cipher *, const char *, int);
u_int cipher_blocksize(const Cipher *); u_int cipher_blocksize(const Cipher *);
u_int cipher_keylen(const Cipher *); u_int cipher_keylen(const Cipher *);
u_int cipher_authlen(const Cipher *); u_int cipher_authlen(const Cipher *);
diff -up openssh-6.2p1/key.c.fips openssh-6.2p1/key.c diff -up openssh-6.3p1/key.c.fips openssh-6.3p1/key.c
--- openssh-6.2p1/key.c.fips 2013-03-27 13:14:49.100683736 +0100 --- openssh-6.3p1/key.c.fips 2013-10-11 22:24:32.821031322 +0200
+++ openssh-6.2p1/key.c 2013-03-27 13:14:49.178683427 +0100 +++ openssh-6.3p1/key.c 2013-10-11 22:24:32.871031087 +0200
@@ -40,6 +40,7 @@ @@ -40,6 +40,7 @@
#include <sys/types.h> #include <sys/types.h>
@ -162,7 +215,7 @@ diff -up openssh-6.2p1/key.c.fips openssh-6.2p1/key.c
#include <openbsd-compat/openssl-compat.h> #include <openbsd-compat/openssl-compat.h>
#include <stdarg.h> #include <stdarg.h>
@@ -607,9 +608,13 @@ key_fingerprint_selection(void) @@ -606,9 +607,13 @@ key_fingerprint_selection(void)
char *env; char *env;
if (!rv_defined) { if (!rv_defined) {
@ -179,9 +232,9 @@ diff -up openssh-6.2p1/key.c.fips openssh-6.2p1/key.c
rv_defined = 1; rv_defined = 1;
} }
return rv; return rv;
diff -up openssh-6.2p1/mac.c.fips openssh-6.2p1/mac.c diff -up openssh-6.3p1/mac.c.fips openssh-6.3p1/mac.c
--- openssh-6.2p1/mac.c.fips 2013-03-27 13:14:49.093683764 +0100 --- openssh-6.3p1/mac.c.fips 2013-10-11 22:24:32.821031322 +0200
+++ openssh-6.2p1/mac.c 2013-03-27 13:16:33.524266158 +0100 +++ openssh-6.3p1/mac.c 2013-10-11 22:25:35.394737186 +0200
@@ -28,6 +28,7 @@ @@ -28,6 +28,7 @@
#include <sys/types.h> #include <sys/types.h>
@ -190,102 +243,56 @@ diff -up openssh-6.2p1/mac.c.fips openssh-6.2p1/mac.c
#include <stdarg.h> #include <stdarg.h>
#include <string.h> #include <string.h>
@@ -50,7 +51,7 @@ @@ -60,7 +61,7 @@ struct macalg {
#define SSH_UMAC 2 /* UMAC (not integrated with OpenSSL) */
#define SSH_UMAC128 3
-struct {
+struct Macs {
char *name;
int type;
const EVP_MD * (*mdfunc)(void);
@@ -58,7 +59,9 @@ struct {
int key_len; /* just for UMAC */
int len; /* just for UMAC */
int etm; /* Encrypt-then-MAC */ int etm; /* Encrypt-then-MAC */
-} macs[] = { };
+};
+ -static const struct macalg macs[] = {
+struct Macs all_macs[] = { +static const struct macalg all_macs[] = {
/* Encrypt-and-MAC (encrypt-and-authenticate) variants */ /* Encrypt-and-MAC (encrypt-and-authenticate) variants */
{ "hmac-sha1", SSH_EVP, EVP_sha1, 0, 0, 0, 0 }, { "hmac-sha1", SSH_EVP, EVP_sha1, 0, 0, 0, 0 },
{ "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, 0, 0, 0 }, { "hmac-sha1-96", SSH_EVP, EVP_sha1, 96, 0, 0, 0 },
@@ -89,9 +92,19 @@ struct { @@ -91,6 +92,18 @@ static const struct macalg macs[] = {
{ NULL, 0, NULL, 0, 0, 0, 0 } { NULL, 0, NULL, 0, 0, 0, 0 }
}; };
+struct Macs fips_macs[] = { +static const struct macalg fips_macs[] = {
+ { "hmac-sha1", SSH_EVP, EVP_sha1, 0, 0, 0, 0 }, + { "hmac-sha1", SSH_EVP, EVP_sha1, 0, 0, 0, 0 },
+ { "hmac-sha1-etm@openssh.com", SSH_EVP, EVP_sha1, 0, 0, 0, 1 },
+#ifdef HAVE_EVP_SHA256 +#ifdef HAVE_EVP_SHA256
+ { "hmac-sha2-256", SSH_EVP, EVP_sha256, 0, 0, 0, 0 }, + { "hmac-sha2-256", SSH_EVP, EVP_sha256, 0, 0, 0, 0 },
+ { "hmac-sha2-512", SSH_EVP, EVP_sha512, 0, 0, 0, 0 }, + { "hmac-sha2-512", SSH_EVP, EVP_sha512, 0, 0, 0, 0 },
+ { "hmac-sha2-256-etm@openssh.com", SSH_EVP, EVP_sha256, 0, 0, 0, 1 },
+ { "hmac-sha2-512-etm@openssh.com", SSH_EVP, EVP_sha512, 0, 0, 0, 1 },
+#endif +#endif
+ { NULL, 0, NULL, 0, -1, -1 } + { NULL, 0, NULL, 0, 0, 0, 0 }
+}; +};
+ +
static void /* Returns a comma-separated list of supported MACs. */
mac_setup_by_id(Mac *mac, int which) char *
mac_alg_list(void)
@@ -99,7 +112,7 @@ mac_alg_list(void)
size_t nlen, rlen = 0;
const struct macalg *m;
- for (m = macs; m->name != NULL; m++) {
+ for (m = FIPS_mode() ? fips_macs : all_macs; m->name != NULL; m++) {
if (ret != NULL)
ret[rlen++] = '\n';
nlen = strlen(m->name);
@@ -136,7 +149,7 @@ mac_setup(Mac *mac, char *name)
{ {
+ struct Macs *macs = FIPS_mode() ? fips_macs : all_macs; const struct macalg *m;
int evp_len;
mac->type = macs[which].type;
if (mac->type == SSH_EVP) {
@@ -113,6 +126,7 @@ int
mac_setup(Mac *mac, char *name)
{
int i;
+ struct Macs *macs = FIPS_mode() ? fips_macs : all_macs;
for (i = 0; macs[i].name; i++) { - for (m = macs; m->name != NULL; m++) {
if (strcmp(name, macs[i].name) == 0) { + for (m = FIPS_mode() ? fips_macs : all_macs; m->name != NULL; m++) {
diff -up openssh-6.2p1/Makefile.in.fips openssh-6.2p1/Makefile.in if (strcmp(name, m->name) != 0)
--- openssh-6.2p1/Makefile.in.fips 2013-03-27 13:14:49.155683518 +0100 continue;
+++ openssh-6.2p1/Makefile.in 2013-03-27 13:14:49.178683427 +0100 if (mac != NULL)
@@ -145,25 +145,25 @@ libssh.a: $(LIBSSH_OBJS) diff -up openssh-6.3p1/myproposal.h.fips openssh-6.3p1/myproposal.h
$(RANLIB) $@ --- openssh-6.3p1/myproposal.h.fips 2013-06-11 04:10:02.000000000 +0200
+++ openssh-6.3p1/myproposal.h 2013-10-11 22:24:32.872031082 +0200
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) @@ -114,6 +114,19 @@
- $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
+ $(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHLIBS) $(LIBS) $(GSSLIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
- $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o
- $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
@@ -175,7 +175,7 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) libssh
$(LD) -o $@ ssh-keycat.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(SSHDLIBS)
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
- $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+ $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
diff -up openssh-6.2p1/myproposal.h.fips openssh-6.2p1/myproposal.h
--- openssh-6.2p1/myproposal.h.fips 2013-01-09 06:12:19.000000000 +0100
+++ openssh-6.2p1/myproposal.h 2013-03-27 13:14:49.178683427 +0100
@@ -106,6 +106,19 @@
#define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib" #define KEX_DEFAULT_COMP "none,zlib@openssh.com,zlib"
#define KEX_DEFAULT_LANG "" #define KEX_DEFAULT_LANG ""
@ -305,9 +312,9 @@ diff -up openssh-6.2p1/myproposal.h.fips openssh-6.2p1/myproposal.h
static char *myproposal[PROPOSAL_MAX] = { static char *myproposal[PROPOSAL_MAX] = {
KEX_DEFAULT_KEX, KEX_DEFAULT_KEX,
diff -up openssh-6.2p1/openbsd-compat/bsd-arc4random.c.fips openssh-6.2p1/openbsd-compat/bsd-arc4random.c diff -up openssh-6.3p1/openbsd-compat/bsd-arc4random.c.fips openssh-6.3p1/openbsd-compat/bsd-arc4random.c
--- openssh-6.2p1/openbsd-compat/bsd-arc4random.c.fips 2010-03-25 22:52:02.000000000 +0100 --- openssh-6.3p1/openbsd-compat/bsd-arc4random.c.fips 2010-03-25 22:52:02.000000000 +0100
+++ openssh-6.2p1/openbsd-compat/bsd-arc4random.c 2013-03-27 13:14:49.179683423 +0100 +++ openssh-6.3p1/openbsd-compat/bsd-arc4random.c 2013-10-11 22:24:32.872031082 +0200
@@ -37,25 +37,18 @@ @@ -37,25 +37,18 @@
#define REKEY_BYTES (1 << 24) #define REKEY_BYTES (1 << 24)
@ -363,9 +370,9 @@ diff -up openssh-6.2p1/openbsd-compat/bsd-arc4random.c.fips openssh-6.2p1/openbs
} }
#endif /* !HAVE_ARC4RANDOM */ #endif /* !HAVE_ARC4RANDOM */
diff -up openssh-6.2p2/ssh.c.fips openssh-6.2p2/ssh.c diff -up openssh-6.3p1/ssh.c.fips openssh-6.3p1/ssh.c
--- openssh-6.2p2/ssh.c.fips 2013-04-05 02:22:36.000000000 +0200 --- openssh-6.3p1/ssh.c.fips 2013-07-25 03:55:53.000000000 +0200
+++ openssh-6.2p2/ssh.c 2013-10-08 17:21:26.894761211 +0200 +++ openssh-6.3p1/ssh.c 2013-10-11 22:24:32.872031082 +0200
@@ -73,6 +73,8 @@ @@ -73,6 +73,8 @@
#include <openssl/evp.h> #include <openssl/evp.h>
@ -389,8 +396,8 @@ diff -up openssh-6.2p2/ssh.c.fips openssh-6.2p2/ssh.c
#ifndef HAVE_SETPROCTITLE #ifndef HAVE_SETPROCTITLE
/* Prepare for later setproctitle emulation */ /* Prepare for later setproctitle emulation */
@@ -329,6 +338,9 @@ main(int ac, char **av) @@ -330,6 +339,9 @@ main(int ac, char **av)
"ACD:F:I:KL:MNO:PR:S:TVw:W:XYy")) != -1) { "ACD:E:F:I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
switch (opt) { switch (opt) {
case '1': case '1':
+ if (FIPS_mode()) { + if (FIPS_mode()) {
@ -399,7 +406,7 @@ diff -up openssh-6.2p2/ssh.c.fips openssh-6.2p2/ssh.c
options.protocol = SSH_PROTO_1; options.protocol = SSH_PROTO_1;
break; break;
case '2': case '2':
@@ -628,7 +640,6 @@ main(int ac, char **av) @@ -647,7 +659,6 @@ main(int ac, char **av)
if (!host) if (!host)
usage(); usage();
@ -407,7 +414,7 @@ diff -up openssh-6.2p2/ssh.c.fips openssh-6.2p2/ssh.c
ERR_load_crypto_strings(); ERR_load_crypto_strings();
/* Initialize the command to execute on remote host. */ /* Initialize the command to execute on remote host. */
@@ -719,6 +730,10 @@ main(int ac, char **av) @@ -748,6 +759,10 @@ main(int ac, char **av)
seed_rng(); seed_rng();
@ -418,7 +425,7 @@ diff -up openssh-6.2p2/ssh.c.fips openssh-6.2p2/ssh.c
if (options.user == NULL) if (options.user == NULL)
options.user = xstrdup(pw->pw_name); options.user = xstrdup(pw->pw_name);
@@ -787,6 +802,12 @@ main(int ac, char **av) @@ -816,6 +831,12 @@ main(int ac, char **av)
timeout_ms = options.connection_timeout * 1000; timeout_ms = options.connection_timeout * 1000;
@ -431,9 +438,9 @@ diff -up openssh-6.2p2/ssh.c.fips openssh-6.2p2/ssh.c
/* Open a connection to the remote host. */ /* Open a connection to the remote host. */
if (ssh_connect(host, &hostaddr, options.port, if (ssh_connect(host, &hostaddr, options.port,
options.address_family, options.connection_attempts, &timeout_ms, options.address_family, options.connection_attempts, &timeout_ms,
diff -up openssh-6.2p1/sshconnect2.c.fips openssh-6.2p1/sshconnect2.c diff -up openssh-6.3p1/sshconnect2.c.fips openssh-6.3p1/sshconnect2.c
--- openssh-6.2p1/sshconnect2.c.fips 2013-03-27 13:14:49.066683871 +0100 --- openssh-6.3p1/sshconnect2.c.fips 2013-10-11 22:24:32.810031374 +0200
+++ openssh-6.2p1/sshconnect2.c 2013-03-27 13:14:49.179683423 +0100 +++ openssh-6.3p1/sshconnect2.c 2013-10-11 22:24:32.873031077 +0200
@@ -44,6 +44,8 @@ @@ -44,6 +44,8 @@
#include <vis.h> #include <vis.h>
#endif #endif
@ -466,9 +473,9 @@ diff -up openssh-6.2p1/sshconnect2.c.fips openssh-6.2p1/sshconnect2.c
if (options.hostkeyalgorithms != NULL) if (options.hostkeyalgorithms != NULL)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
options.hostkeyalgorithms; options.hostkeyalgorithms;
diff -up openssh-6.2p2/sshd.c.fips openssh-6.2p2/sshd.c diff -up openssh-6.3p1/sshd.c.fips openssh-6.3p1/sshd.c
--- openssh-6.2p2/sshd.c.fips 2013-10-08 17:14:05.455864248 +0200 --- openssh-6.3p1/sshd.c.fips 2013-10-11 22:24:32.842031223 +0200
+++ openssh-6.2p2/sshd.c 2013-10-08 17:22:15.897527827 +0200 +++ openssh-6.3p1/sshd.c 2013-10-11 22:24:32.873031077 +0200
@@ -76,6 +76,8 @@ @@ -76,6 +76,8 @@
#include <openssl/bn.h> #include <openssl/bn.h>
#include <openssl/md5.h> #include <openssl/md5.h>
@ -478,7 +485,7 @@ diff -up openssh-6.2p2/sshd.c.fips openssh-6.2p2/sshd.c
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
#ifdef HAVE_SECUREWARE #ifdef HAVE_SECUREWARE
@@ -1423,6 +1425,14 @@ main(int ac, char **av) @@ -1450,6 +1452,14 @@ main(int ac, char **av)
#endif #endif
__progname = ssh_get_progname(av[0]); __progname = ssh_get_progname(av[0]);
@ -493,18 +500,18 @@ diff -up openssh-6.2p2/sshd.c.fips openssh-6.2p2/sshd.c
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
saved_argc = ac; saved_argc = ac;
rexec_argc = ac; rexec_argc = ac;
@@ -1571,8 +1581,6 @@ main(int ac, char **av) @@ -1601,8 +1611,6 @@ main(int ac, char **av)
else else
closefrom(REEXEC_DEVCRYPTO_RESERVED_FD); closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
- OpenSSL_add_all_algorithms(); - OpenSSL_add_all_algorithms();
- -
/* /* If requested, redirect the logs to the specified logfile. */
* Force logging to stderr until we have loaded the private host if (logfile != NULL) {
* key (unless started from inetd) log_redirect_stderr_to(logfile);
@@ -1715,6 +1723,10 @@ main(int ac, char **av) @@ -1773,6 +1781,10 @@ main(int ac, char **av)
debug("private host key: #%d type %d %s", i, key->type, debug("private host key: #%d type %d %s", i, keytype,
key_type(key)); key_type(key ? key : pubkey));
} }
+ if ((options.protocol & SSH_PROTO_1) && FIPS_mode()) { + if ((options.protocol & SSH_PROTO_1) && FIPS_mode()) {
+ logit("Disabling protocol version 1. Not allowed in the FIPS mode."); + logit("Disabling protocol version 1. Not allowed in the FIPS mode.");
@ -513,7 +520,7 @@ diff -up openssh-6.2p2/sshd.c.fips openssh-6.2p2/sshd.c
if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) { if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
logit("Disabling protocol version 1. Could not load host key"); logit("Disabling protocol version 1. Could not load host key");
options.protocol &= ~SSH_PROTO_1; options.protocol &= ~SSH_PROTO_1;
@@ -1878,6 +1890,10 @@ main(int ac, char **av) @@ -1936,6 +1948,10 @@ main(int ac, char **av)
/* Initialize the random number generator. */ /* Initialize the random number generator. */
arc4random_stir(); arc4random_stir();
@ -523,8 +530,8 @@ diff -up openssh-6.2p2/sshd.c.fips openssh-6.2p2/sshd.c
+ +
/* Chdir to the root directory so that the current disk can be /* Chdir to the root directory so that the current disk can be
unmounted if desired. */ unmounted if desired. */
(void) chdir("/"); if (chdir("/") == -1)
@@ -2420,6 +2436,9 @@ do_ssh2_kex(void) @@ -2498,6 +2514,9 @@ do_ssh2_kex(void)
if (options.ciphers != NULL) { if (options.ciphers != NULL) {
myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@ -534,7 +541,7 @@ diff -up openssh-6.2p2/sshd.c.fips openssh-6.2p2/sshd.c
} }
myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_CTOS] =
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]); compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
@@ -2429,6 +2448,9 @@ do_ssh2_kex(void) @@ -2507,6 +2526,9 @@ do_ssh2_kex(void)
if (options.macs != NULL) { if (options.macs != NULL) {
myproposal[PROPOSAL_MAC_ALGS_CTOS] = myproposal[PROPOSAL_MAC_ALGS_CTOS] =
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;

90
openssh-6.2p1-force_krb.patch → openssh-6.3p1-force_krb.patch
View File

@ -1,6 +1,6 @@
diff -up openssh-6.2p1/gss-serv-krb5.c.force_krb openssh-6.2p1/gss-serv-krb5.c diff -up openssh-6.3p1/gss-serv-krb5.c.force_krb openssh-6.3p1/gss-serv-krb5.c
--- openssh-6.2p1/gss-serv-krb5.c.force_krb 2013-03-25 20:04:53.807817333 +0100 --- openssh-6.3p1/gss-serv-krb5.c.force_krb 2013-10-11 18:58:51.553948159 +0200
+++ openssh-6.2p1/gss-serv-krb5.c 2013-03-25 20:04:53.818817403 +0100 +++ openssh-6.3p1/gss-serv-krb5.c 2013-10-11 21:40:49.972337025 +0200
@@ -32,7 +32,9 @@ @@ -32,7 +32,9 @@
#include <sys/types.h> #include <sys/types.h>
@ -11,7 +11,7 @@ diff -up openssh-6.2p1/gss-serv-krb5.c.force_krb openssh-6.2p1/gss-serv-krb5.c
#include "xmalloc.h" #include "xmalloc.h"
#include "key.h" #include "key.h"
@@ -40,12 +42,11 @@ @@ -40,10 +42,12 @@
#include "auth.h" #include "auth.h"
#include "log.h" #include "log.h"
#include "servconf.h" #include "servconf.h"
@ -20,18 +20,14 @@ diff -up openssh-6.2p1/gss-serv-krb5.c.force_krb openssh-6.2p1/gss-serv-krb5.c
#include "buffer.h" #include "buffer.h"
#include "ssh-gss.h" #include "ssh-gss.h"
-extern ServerOptions options; +extern Authctxt *the_authctxt;
- extern ServerOptions options;
#ifdef HEIMDAL #ifdef HEIMDAL
# include <krb5.h> @@ -55,6 +59,13 @@ extern ServerOptions options;
#else # include <gssapi/gssapi_krb5.h>
@@ -56,6 +57,16 @@ extern ServerOptions options;
# endif
#endif #endif
+extern Authctxt *the_authctxt;
+extern ServerOptions options;
+
+/* all commands are allowed by default */ +/* all commands are allowed by default */
+char **k5users_allowed_cmds = NULL; +char **k5users_allowed_cmds = NULL;
+ +
@ -42,21 +38,16 @@ diff -up openssh-6.2p1/gss-serv-krb5.c.force_krb openssh-6.2p1/gss-serv-krb5.c
static krb5_context krb_context = NULL; static krb5_context krb_context = NULL;
/* Initialise the krb5 library, for the stuff that GSSAPI won't do */ /* Initialise the krb5 library, for the stuff that GSSAPI won't do */
@@ -83,10 +94,11 @@ ssh_gssapi_krb5_init(void) @@ -87,6 +98,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
*/
static int
-ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
+ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *luser)
{
krb5_principal princ; krb5_principal princ;
int retval; int retval;
const char *errmsg;
+ int k5login_exists; + int k5login_exists;
if (ssh_gssapi_krb5_init() == 0) if (ssh_gssapi_krb5_init() == 0)
return 0; return 0;
@@ -97,10 +109,22 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client @@ -98,10 +110,22 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
krb5_get_err_text(krb_context, retval)); krb5_free_error_message(krb_context, errmsg);
return 0; return 0;
} }
- if (krb5_kuserok(krb_context, princ, name)) { - if (krb5_kuserok(krb_context, princ, name)) {
@ -66,21 +57,20 @@ diff -up openssh-6.2p1/gss-serv-krb5.c.force_krb openssh-6.2p1/gss-serv-krb5.c
+ /* NOTE: .k5login and .k5users must opened as root, not the user, + /* NOTE: .k5login and .k5users must opened as root, not the user,
+ * because if they are on a krb5-protected filesystem, user credentials + * because if they are on a krb5-protected filesystem, user credentials
+ * to access these files aren't available yet. */ + * to access these files aren't available yet. */
+ if (krb5_kuserok(krb_context, princ, luser) && k5login_exists) { + if (krb5_kuserok(krb_context, princ, name) && k5login_exists) {
retval = 1; retval = 1;
logit("Authorized to %s, krb5 principal %s (krb5_kuserok)", logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
- name, (char *)client->displayname.value); name, (char *)client->displayname.value);
+ luser, (char *)client->displayname.value);
+ } else if (ssh_gssapi_krb5_cmdok(princ, client->exportedname.value, + } else if (ssh_gssapi_krb5_cmdok(princ, client->exportedname.value,
+ luser, k5login_exists)) { + name, k5login_exists)) {
+ retval = 1; + retval = 1;
+ logit("Authorized to %s, krb5 principal %s " + logit("Authorized to %s, krb5 principal %s "
+ "(ssh_gssapi_krb5_cmdok)", + "(ssh_gssapi_krb5_cmdok)",
+ luser, (char *)client->displayname.value); + name, (char *)client->displayname.value);
} else } else
retval = 0; retval = 0;
@@ -108,6 +132,135 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client @@ -109,6 +133,135 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
return retval; return retval;
} }
@ -216,9 +206,9 @@ diff -up openssh-6.2p1/gss-serv-krb5.c.force_krb openssh-6.2p1/gss-serv-krb5.c
/* This writes out any forwarded credentials from the structure populated /* This writes out any forwarded credentials from the structure populated
* during userauth. Called after we have setuid to the user */ * during userauth. Called after we have setuid to the user */
diff -up openssh-6.2p1/session.c.force_krb openssh-6.2p1/session.c diff -up openssh-6.3p1/session.c.force_krb openssh-6.3p1/session.c
--- openssh-6.2p1/session.c.force_krb 2013-03-25 20:04:53.724816810 +0100 --- openssh-6.3p1/session.c.force_krb 2013-10-11 18:58:51.487948468 +0200
+++ openssh-6.2p1/session.c 2013-03-25 20:04:53.818817403 +0100 +++ openssh-6.3p1/session.c 2013-10-11 18:58:51.563948112 +0200
@@ -823,6 +823,29 @@ do_exec(Session *s, const char *command) @@ -823,6 +823,29 @@ do_exec(Session *s, const char *command)
debug("Forced command (key option) '%.900s'", command); debug("Forced command (key option) '%.900s'", command);
} }
@ -249,10 +239,24 @@ diff -up openssh-6.2p1/session.c.force_krb openssh-6.2p1/session.c
#ifdef SSH_AUDIT_EVENTS #ifdef SSH_AUDIT_EVENTS
if (s->command != NULL || s->command_handle != -1) if (s->command != NULL || s->command_handle != -1)
fatal("do_exec: command already set"); fatal("do_exec: command already set");
diff -up openssh-6.2p1/sshd.8.force_krb openssh-6.2p1/sshd.8 diff -up openssh-6.3p1/ssh-gss.h.force_krb openssh-6.3p1/ssh-gss.h
--- openssh-6.2p1/sshd.8.force_krb 2013-03-25 20:04:53.787817207 +0100 --- openssh-6.3p1/ssh-gss.h.force_krb 2013-10-11 18:58:51.558948136 +0200
+++ openssh-6.2p1/sshd.8 2013-03-25 20:04:53.819817409 +0100 +++ openssh-6.3p1/ssh-gss.h 2013-10-11 18:58:51.563948112 +0200
@@ -323,6 +323,7 @@ Finally, the server and the client enter @@ -49,6 +49,10 @@
# endif /* !HAVE_DECL_GSS_C_NT_... */
# endif /* !HEIMDAL */
+
+/* .k5users support */
+extern char **k5users_allowed_cmds;
+
#endif /* KRB5 */
/* draft-ietf-secsh-gsskeyex-06 */
diff -up openssh-6.3p1/sshd.8.force_krb openssh-6.3p1/sshd.8
--- openssh-6.3p1/sshd.8.force_krb 2013-10-11 18:58:51.537948234 +0200
+++ openssh-6.3p1/sshd.8 2013-10-11 18:58:51.563948112 +0200
@@ -326,6 +326,7 @@ Finally, the server and the client enter
The client tries to authenticate itself using The client tries to authenticate itself using
host-based authentication, host-based authentication,
public key authentication, public key authentication,
@ -260,7 +264,7 @@ diff -up openssh-6.2p1/sshd.8.force_krb openssh-6.2p1/sshd.8
challenge-response authentication, challenge-response authentication,
or password authentication. or password authentication.
.Pp .Pp
@@ -796,6 +797,12 @@ This file is used in exactly the same wa @@ -797,6 +798,12 @@ This file is used in exactly the same wa
but allows host-based authentication without permitting login with but allows host-based authentication without permitting login with
rlogin/rsh. rlogin/rsh.
.Pp .Pp
@ -273,17 +277,3 @@ diff -up openssh-6.2p1/sshd.8.force_krb openssh-6.2p1/sshd.8
.It Pa ~/.ssh/ .It Pa ~/.ssh/
This directory is the default location for all user-specific configuration This directory is the default location for all user-specific configuration
and authentication information. and authentication information.
diff -up openssh-6.2p1/ssh-gss.h.force_krb openssh-6.2p1/ssh-gss.h
--- openssh-6.2p1/ssh-gss.h.force_krb 2013-03-25 20:04:53.819817409 +0100
+++ openssh-6.2p1/ssh-gss.h 2013-03-25 20:05:26.463023197 +0100
@@ -49,6 +49,10 @@
# endif /* !HAVE_DECL_GSS_C_NT_... */
# endif /* !HEIMDAL */
+
+/* .k5users support */
+extern char **k5users_allowed_cmds;
+
#endif /* KRB5 */
/* draft-ietf-secsh-gsskeyex-06 */

2039
openssh-6.2p1-gsskex.patch → openssh-6.3p1-gsskex.patch
View File

File diff suppressed because it is too large Load Diff

74
openssh-6.2p1-keycat.patch → openssh-6.3p1-keycat.patch
View File

@ -1,24 +1,6 @@
diff -up openssh-6.2p1/auth2-pubkey.c.keycat openssh-6.2p1/auth2-pubkey.c diff -up openssh-6.3p1/HOWTO.ssh-keycat.keycat openssh-6.3p1/HOWTO.ssh-keycat
--- openssh-6.2p1/auth2-pubkey.c.keycat 2013-03-25 21:34:17.779978851 +0100 --- openssh-6.3p1/HOWTO.ssh-keycat.keycat 2013-10-10 15:16:33.445566916 +0200
+++ openssh-6.2p1/auth2-pubkey.c 2013-03-25 21:34:17.798978973 +0100 +++ openssh-6.3p1/HOWTO.ssh-keycat 2013-10-10 15:16:33.445566916 +0200
@@ -573,6 +573,14 @@ user_key_command_allowed2(struct passwd
_exit(1);
}
+#ifdef WITH_SELINUX
+ if (ssh_selinux_setup_env_variables() < 0) {
+ error ("failed to copy environment: %s",
+ strerror(errno));
+ _exit(127);
+ }
+#endif
+
execl(options.authorized_keys_command,
options.authorized_keys_command, user_pw->pw_name, NULL);
diff -up openssh-6.2p1/HOWTO.ssh-keycat.keycat openssh-6.2p1/HOWTO.ssh-keycat
--- openssh-6.2p1/HOWTO.ssh-keycat.keycat 2013-03-25 21:34:17.798978973 +0100
+++ openssh-6.2p1/HOWTO.ssh-keycat 2013-03-25 21:34:17.798978973 +0100
@@ -0,0 +1,12 @@ @@ -0,0 +1,12 @@
+The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys +The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys
+of an user in any environment. This includes environments with +of an user in any environment. This includes environments with
@ -32,9 +14,9 @@ diff -up openssh-6.2p1/HOWTO.ssh-keycat.keycat openssh-6.2p1/HOWTO.ssh-keycat
+ PubkeyAuthentication yes + PubkeyAuthentication yes
+ +
+ +
diff -up openssh-6.2p1/Makefile.in.keycat openssh-6.2p1/Makefile.in diff -up openssh-6.3p1/Makefile.in.keycat openssh-6.3p1/Makefile.in
--- openssh-6.2p1/Makefile.in.keycat 2013-03-25 21:34:17.793978941 +0100 --- openssh-6.3p1/Makefile.in.keycat 2013-10-10 15:16:33.442566930 +0200
+++ openssh-6.2p1/Makefile.in 2013-03-25 21:35:48.282559562 +0100 +++ openssh-6.3p1/Makefile.in 2013-10-10 15:16:33.445566916 +0200
@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server @@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
@ -52,7 +34,7 @@ diff -up openssh-6.2p1/Makefile.in.keycat openssh-6.2p1/Makefile.in
LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
canohost.o channels.o cipher.o cipher-aes.o \ canohost.o channels.o cipher.o cipher-aes.o \
@@ -170,6 +171,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) @@ -172,6 +173,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS) $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
@ -62,7 +44,7 @@ diff -up openssh-6.2p1/Makefile.in.keycat openssh-6.2p1/Makefile.in
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -276,6 +280,7 @@ install-files: @@ -279,6 +283,7 @@ install-files:
$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \ $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
fi fi
@ -70,10 +52,28 @@ diff -up openssh-6.2p1/Makefile.in.keycat openssh-6.2p1/Makefile.in
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
diff -up openssh-6.2p1/openbsd-compat/port-linux.c.keycat openssh-6.2p1/openbsd-compat/port-linux.c diff -up openssh-6.3p1/auth2-pubkey.c.keycat openssh-6.3p1/auth2-pubkey.c
--- openssh-6.2p1/openbsd-compat/port-linux.c.keycat 2013-03-25 21:34:17.785978890 +0100 --- openssh-6.3p1/auth2-pubkey.c.keycat 2013-10-10 15:16:33.429566992 +0200
+++ openssh-6.2p1/openbsd-compat/port-linux.c 2013-03-25 21:34:17.800978986 +0100 +++ openssh-6.3p1/auth2-pubkey.c 2013-10-10 15:16:33.445566916 +0200
@@ -315,7 +315,7 @@ ssh_selinux_getctxbyname(char *pwname, @@ -606,6 +606,14 @@ user_key_command_allowed2(struct passwd
_exit(1);
}
+#ifdef WITH_SELINUX
+ if (ssh_selinux_setup_env_variables() < 0) {
+ error ("failed to copy environment: %s",
+ strerror(errno));
+ _exit(127);
+ }
+#endif
+
execl(options.authorized_keys_command,
options.authorized_keys_command, user_pw->pw_name, NULL);
diff -up openssh-6.3p1/openbsd-compat/port-linux.c.keycat openssh-6.3p1/openbsd-compat/port-linux.c
--- openssh-6.3p1/openbsd-compat/port-linux.c.keycat 2013-10-10 15:16:33.435566964 +0200
+++ openssh-6.3p1/openbsd-compat/port-linux.c 2013-10-10 15:32:19.946065189 +0200
@@ -313,7 +313,7 @@ ssh_selinux_getctxbyname(char *pwname,
/* Setup environment variables for pam_selinux */ /* Setup environment variables for pam_selinux */
static int static int
@ -82,13 +82,13 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.keycat openssh-6.2p1/openbsd-
{ {
const char *reqlvl; const char *reqlvl;
char *role; char *role;
@@ -326,16 +326,16 @@ ssh_selinux_setup_pam_variables(void) @@ -324,16 +324,16 @@ ssh_selinux_setup_pam_variables(void)
ssh_selinux_get_role_level(&role, &reqlvl); ssh_selinux_get_role_level(&role, &reqlvl);
- rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : ""); - rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
+ rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : ""); + rv = set_it("SELINUX_ROLE_REQUESTED", role ? role : "");
if (inetd_flag && !rexeced_flag) { if (inetd_flag && !rexeced_flag) {
use_current = "1"; use_current = "1";
} else { } else {
@ -101,8 +101,8 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.keycat openssh-6.2p1/openbsd-
+ rv = rv || set_it("SELINUX_USE_CURRENT_RANGE", use_current); + rv = rv || set_it("SELINUX_USE_CURRENT_RANGE", use_current);
if (role != NULL) if (role != NULL)
xfree(role); free(role);
@@ -343,6 +343,24 @@ ssh_selinux_setup_pam_variables(void) @@ -341,6 +341,24 @@ ssh_selinux_setup_pam_variables(void)
return rv; return rv;
} }
@ -127,9 +127,9 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.keycat openssh-6.2p1/openbsd-
/* Set the execution context to the default for the specified user */ /* Set the execution context to the default for the specified user */
void void
ssh_selinux_setup_exec_context(char *pwname) ssh_selinux_setup_exec_context(char *pwname)
diff -up openssh-6.2p1/ssh-keycat.c.keycat openssh-6.2p1/ssh-keycat.c diff -up openssh-6.3p1/ssh-keycat.c.keycat openssh-6.3p1/ssh-keycat.c
--- openssh-6.2p1/ssh-keycat.c.keycat 2013-03-25 21:34:17.800978986 +0100 --- openssh-6.3p1/ssh-keycat.c.keycat 2013-10-10 15:16:33.446566911 +0200
+++ openssh-6.2p1/ssh-keycat.c 2013-03-25 21:34:17.800978986 +0100 +++ openssh-6.3p1/ssh-keycat.c 2013-10-10 15:16:33.446566911 +0200
@@ -0,0 +1,238 @@ @@ -0,0 +1,238 @@
+/* +/*
+ * Redistribution and use in source and binary forms, with or without + * Redistribution and use in source and binary forms, with or without

88
openssh-6.2p1-kuserok.patch → openssh-6.3p1-kuserok.patch
View File

@ -1,6 +1,6 @@
diff -up openssh-6.2p1/auth-krb5.c.kuserok openssh-6.2p1/auth-krb5.c diff -up openssh-6.3p1/auth-krb5.c.kuserok openssh-6.3p1/auth-krb5.c
--- openssh-6.2p1/auth-krb5.c.kuserok 2013-03-25 20:06:51.295558062 +0100 --- openssh-6.3p1/auth-krb5.c.kuserok 2013-10-11 21:41:42.889087613 +0200
+++ openssh-6.2p1/auth-krb5.c 2013-03-25 20:06:51.318558207 +0100 +++ openssh-6.3p1/auth-krb5.c 2013-10-11 21:41:42.905087537 +0200
@@ -55,6 +55,20 @@ @@ -55,6 +55,20 @@
extern ServerOptions options; extern ServerOptions options;
@ -22,7 +22,7 @@ diff -up openssh-6.2p1/auth-krb5.c.kuserok openssh-6.2p1/auth-krb5.c
static int static int
krb5_init(void *context) krb5_init(void *context)
{ {
@@ -147,7 +161,7 @@ auth_krb5_password(Authctxt *authctxt, c @@ -159,7 +173,7 @@ auth_krb5_password(Authctxt *authctxt, c
if (problem) if (problem)
goto out; goto out;
@ -31,10 +31,10 @@ diff -up openssh-6.2p1/auth-krb5.c.kuserok openssh-6.2p1/auth-krb5.c
problem = -1; problem = -1;
goto out; goto out;
} }
diff -up openssh-6.2p1/gss-serv-krb5.c.kuserok openssh-6.2p1/gss-serv-krb5.c diff -up openssh-6.3p1/gss-serv-krb5.c.kuserok openssh-6.3p1/gss-serv-krb5.c
--- openssh-6.2p1/gss-serv-krb5.c.kuserok 2013-03-25 20:06:51.311558163 +0100 --- openssh-6.3p1/gss-serv-krb5.c.kuserok 2013-10-11 21:41:42.901087556 +0200
+++ openssh-6.2p1/gss-serv-krb5.c 2013-03-25 20:06:51.319558214 +0100 +++ openssh-6.3p1/gss-serv-krb5.c 2013-10-11 21:46:42.898673597 +0200
@@ -68,6 +68,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr @@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr
int); int);
static krb5_context krb_context = NULL; static krb5_context krb_context = NULL;
@ -42,19 +42,19 @@ diff -up openssh-6.2p1/gss-serv-krb5.c.kuserok openssh-6.2p1/gss-serv-krb5.c
/* Initialise the krb5 library, for the stuff that GSSAPI won't do */ /* Initialise the krb5 library, for the stuff that GSSAPI won't do */
@@ -115,7 +116,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client @@ -116,7 +117,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
/* NOTE: .k5login and .k5users must opened as root, not the user, /* NOTE: .k5login and .k5users must opened as root, not the user,
* because if they are on a krb5-protected filesystem, user credentials * because if they are on a krb5-protected filesystem, user credentials
* to access these files aren't available yet. */ * to access these files aren't available yet. */
- if (krb5_kuserok(krb_context, princ, luser) && k5login_exists) { - if (krb5_kuserok(krb_context, princ, name) && k5login_exists) {
+ if (ssh_krb5_kuserok(krb_context, princ, luser) && k5login_exists) { + if (ssh_krb5_kuserok(krb_context, princ, name) && k5login_exists) {
retval = 1; retval = 1;
logit("Authorized to %s, krb5 principal %s (krb5_kuserok)", logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
luser, (char *)client->displayname.value); name, (char *)client->displayname.value);
diff -up openssh-6.2p1/servconf.c.kuserok openssh-6.2p1/servconf.c diff -up openssh-6.3p1/servconf.c.kuserok openssh-6.3p1/servconf.c
--- openssh-6.2p1/servconf.c.kuserok 2013-03-25 20:06:51.305558125 +0100 --- openssh-6.3p1/servconf.c.kuserok 2013-10-11 21:41:42.896087580 +0200
+++ openssh-6.2p1/servconf.c 2013-03-25 20:06:51.319558214 +0100 +++ openssh-6.3p1/servconf.c 2013-10-11 21:48:24.664194016 +0200
@@ -150,6 +150,7 @@ initialize_server_options(ServerOptions @@ -157,6 +157,7 @@ initialize_server_options(ServerOptions
options->ip_qos_interactive = -1; options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1; options->ip_qos_bulk = -1;
options->version_addendum = NULL; options->version_addendum = NULL;
@ -62,7 +62,7 @@ diff -up openssh-6.2p1/servconf.c.kuserok openssh-6.2p1/servconf.c
} }
void void
@@ -299,6 +300,8 @@ fill_default_server_options(ServerOption @@ -310,6 +311,8 @@ fill_default_server_options(ServerOption
options->version_addendum = xstrdup(""); options->version_addendum = xstrdup("");
if (options->show_patchlevel == -1) if (options->show_patchlevel == -1)
options->show_patchlevel = 0; options->show_patchlevel = 0;
@ -71,7 +71,7 @@ diff -up openssh-6.2p1/servconf.c.kuserok openssh-6.2p1/servconf.c
/* Turn privilege separation on by default */ /* Turn privilege separation on by default */
if (use_privsep == -1) if (use_privsep == -1)
@@ -325,7 +328,7 @@ typedef enum { @@ -336,7 +339,7 @@ typedef enum {
sPermitRootLogin, sLogFacility, sLogLevel, sPermitRootLogin, sLogFacility, sLogLevel,
sRhostsRSAAuthentication, sRSAAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
@ -80,7 +80,7 @@ diff -up openssh-6.2p1/servconf.c.kuserok openssh-6.2p1/servconf.c
sKerberosTgtPassing, sChallengeResponseAuthentication, sKerberosTgtPassing, sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily, sListenAddress, sAddressFamily,
@@ -397,11 +400,13 @@ static struct { @@ -409,11 +412,13 @@ static struct {
#else #else
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif #endif
@ -94,7 +94,7 @@ diff -up openssh-6.2p1/servconf.c.kuserok openssh-6.2p1/servconf.c
#endif #endif
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
@@ -1460,6 +1465,10 @@ process_server_config_line(ServerOptions @@ -1515,6 +1520,10 @@ process_server_config_line(ServerOptions
*activep = value; *activep = value;
break; break;
@ -105,15 +105,15 @@ diff -up openssh-6.2p1/servconf.c.kuserok openssh-6.2p1/servconf.c
case sPermitOpen: case sPermitOpen:
arg = strdelim(&cp); arg = strdelim(&cp);
if (!arg || *arg == '\0') if (!arg || *arg == '\0')
@@ -1761,6 +1770,7 @@ copy_set_server_options(ServerOptions *d @@ -1815,6 +1824,7 @@ copy_set_server_options(ServerOptions *d
M_CP_INTOPT(max_authtries); M_CP_INTOPT(max_authtries);
M_CP_INTOPT(ip_qos_interactive); M_CP_INTOPT(ip_qos_interactive);
M_CP_INTOPT(ip_qos_bulk); M_CP_INTOPT(ip_qos_bulk);
+ M_CP_INTOPT(use_kuserok); + M_CP_INTOPT(use_kuserok);
M_CP_INTOPT(rekey_limit);
M_CP_INTOPT(rekey_interval);
/* See comment in servconf.h */ @@ -2055,6 +2065,7 @@ dump_config(ServerOptions *o)
COPY_MATCH_STRING_OPTS();
@@ -1999,6 +2009,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUseDNS, o->use_dns); dump_cfg_fmtint(sUseDNS, o->use_dns);
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding); dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep); dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
@ -121,10 +121,10 @@ diff -up openssh-6.2p1/servconf.c.kuserok openssh-6.2p1/servconf.c
/* string arguments */ /* string arguments */
dump_cfg_string(sPidFile, o->pid_file); dump_cfg_string(sPidFile, o->pid_file);
diff -up openssh-6.2p1/servconf.h.kuserok openssh-6.2p1/servconf.h diff -up openssh-6.3p1/servconf.h.kuserok openssh-6.3p1/servconf.h
--- openssh-6.2p1/servconf.h.kuserok 2013-03-25 20:06:51.305558125 +0100 --- openssh-6.3p1/servconf.h.kuserok 2013-10-11 21:41:42.896087580 +0200
+++ openssh-6.2p1/servconf.h 2013-03-25 20:06:51.320558220 +0100 +++ openssh-6.3p1/servconf.h 2013-10-11 21:41:42.907087528 +0200
@@ -173,6 +173,7 @@ typedef struct { @@ -174,6 +174,7 @@ typedef struct {
int num_permitted_opens; int num_permitted_opens;
@ -132,21 +132,10 @@ diff -up openssh-6.2p1/servconf.h.kuserok openssh-6.2p1/servconf.h
char *chroot_directory; char *chroot_directory;
char *revoked_keys_file; char *revoked_keys_file;
char *trusted_user_ca_keys; char *trusted_user_ca_keys;
diff -up openssh-6.2p1/sshd_config.kuserok openssh-6.2p1/sshd_config diff -up openssh-6.3p1/sshd_config.5.kuserok openssh-6.3p1/sshd_config.5
--- openssh-6.2p1/sshd_config.kuserok 2013-03-25 20:06:51.308558144 +0100 --- openssh-6.3p1/sshd_config.5.kuserok 2013-10-11 21:41:42.898087571 +0200
+++ openssh-6.2p1/sshd_config 2013-03-25 20:06:51.320558220 +0100 +++ openssh-6.3p1/sshd_config.5 2013-10-11 21:41:42.907087528 +0200
@@ -83,6 +83,7 @@ ChallengeResponseAuthentication no @@ -675,6 +675,10 @@ Specifies whether to automatically destr
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
+#KerberosUseKuserok yes
# GSSAPI options
#GSSAPIAuthentication no
diff -up openssh-6.2p1/sshd_config.5.kuserok openssh-6.2p1/sshd_config.5
--- openssh-6.2p1/sshd_config.5.kuserok 2013-03-25 20:06:51.308558144 +0100
+++ openssh-6.2p1/sshd_config.5 2013-03-25 20:08:34.249207272 +0100
@@ -660,6 +660,10 @@ Specifies whether to automatically destr
file on logout. file on logout.
The default is The default is
.Dq yes . .Dq yes .
@ -157,7 +146,7 @@ diff -up openssh-6.2p1/sshd_config.5.kuserok openssh-6.2p1/sshd_config.5
.It Cm KexAlgorithms .It Cm KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms. Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated. Multiple algorithms must be comma-separated.
@@ -819,6 +823,7 @@ Available keywords are @@ -833,6 +837,7 @@ Available keywords are
.Cm HostbasedUsesNameFromPacketOnly , .Cm HostbasedUsesNameFromPacketOnly ,
.Cm KbdInteractiveAuthentication , .Cm KbdInteractiveAuthentication ,
.Cm KerberosAuthentication , .Cm KerberosAuthentication ,
@ -165,3 +154,14 @@ diff -up openssh-6.2p1/sshd_config.5.kuserok openssh-6.2p1/sshd_config.5
.Cm MaxAuthTries , .Cm MaxAuthTries ,
.Cm MaxSessions , .Cm MaxSessions ,
.Cm PasswordAuthentication , .Cm PasswordAuthentication ,
diff -up openssh-6.3p1/sshd_config.kuserok openssh-6.3p1/sshd_config
--- openssh-6.3p1/sshd_config.kuserok 2013-10-11 21:41:42.898087571 +0200
+++ openssh-6.3p1/sshd_config 2013-10-11 21:41:42.907087528 +0200
@@ -86,6 +86,7 @@ ChallengeResponseAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
+#KerberosUseKuserok yes
# GSSAPI options
#GSSAPIAuthentication no

6
openssh-6.2p1-ldap.patch → openssh-6.3p1-ldap.patch
View File

@ -383,7 +383,7 @@ diff -up openssh-6.2p1/ldapbody.c.ldap openssh-6.2p1/ldapbody.c
+ if ((logfile = fopen (logfilename, "a")) == NULL) + if ((logfile = fopen (logfilename, "a")) == NULL)
+ fatal ("cannot append to %s: %s", logfilename, strerror (errno)); + fatal ("cannot append to %s: %s", logfilename, strerror (errno));
+ debug3 ("LDAP debug into %s", logfilename); + debug3 ("LDAP debug into %s", logfilename);
+ xfree (logfilename); + free (logfilename);
+ ber_set_option (NULL, LBER_OPT_LOG_PRINT_FILE, logfile); + ber_set_option (NULL, LBER_OPT_LOG_PRINT_FILE, logfile);
+ } + }
+#endif +#endif
@ -672,12 +672,12 @@ diff -up openssh-6.2p1/ldapbody.c.ldap openssh-6.2p1/ldapbody.c
+ timeout.tv_usec = 0; + timeout.tv_usec = 0;
+ if ((rc = ldap_search_st(ld, options.base, options.scope, buffer, attrs, 0, &timeout, &res)) != LDAP_SUCCESS) { + if ((rc = ldap_search_st(ld, options.base, options.scope, buffer, attrs, 0, &timeout, &res)) != LDAP_SUCCESS) {
+ error ("ldap_search_st(): %s", ldap_err2string (rc)); + error ("ldap_search_st(): %s", ldap_err2string (rc));
+ xfree (buffer); + free (buffer);
+ return; + return;
+ } + }
+ +
+ /* free */ + /* free */
+ xfree (buffer); + free (buffer);
+ +
+ for (e = ldap_first_entry(ld, res); e != NULL; e = ldap_next_entry(ld, e)) { + for (e = ldap_first_entry(ld, res); e != NULL; e = ldap_next_entry(ld, e)) {
+ int num; + int num;

44
openssh-6.1p1-privsep-selinux.patch → openssh-6.3p1-privsep-selinux.patch
View File

@ -1,8 +1,8 @@
diff -up openssh-6.1p1/openbsd-compat/port-linux.c.privsep-selinux openssh-6.1p1/openbsd-compat/port-linux.c diff -up openssh-6.3p1/openbsd-compat/port-linux.c.privsep-selinux openssh-6.3p1/openbsd-compat/port-linux.c
--- openssh-6.1p1/openbsd-compat/port-linux.c.privsep-selinux 2012-11-05 14:46:39.334809203 +0100 --- openssh-6.3p1/openbsd-compat/port-linux.c.privsep-selinux 2013-10-10 14:58:20.634762245 +0200
+++ openssh-6.1p1/openbsd-compat/port-linux.c 2012-11-05 14:54:32.614504884 +0100 +++ openssh-6.3p1/openbsd-compat/port-linux.c 2013-10-10 15:13:57.864306950 +0200
@@ -505,6 +505,25 @@ ssh_selinux_change_context(const char *n @@ -503,6 +503,25 @@ ssh_selinux_change_context(const char *n
xfree(newctx); free(newctx);
} }
+void +void
@ -27,9 +27,9 @@ diff -up openssh-6.1p1/openbsd-compat/port-linux.c.privsep-selinux openssh-6.1p1
#endif /* WITH_SELINUX */ #endif /* WITH_SELINUX */
#ifdef LINUX_OOM_ADJUST #ifdef LINUX_OOM_ADJUST
diff -up openssh-6.1p1/openbsd-compat/port-linux.h.privsep-selinux openssh-6.1p1/openbsd-compat/port-linux.h diff -up openssh-6.3p1/openbsd-compat/port-linux.h.privsep-selinux openssh-6.3p1/openbsd-compat/port-linux.h
--- openssh-6.1p1/openbsd-compat/port-linux.h.privsep-selinux 2011-01-25 02:16:18.000000000 +0100 --- openssh-6.3p1/openbsd-compat/port-linux.h.privsep-selinux 2011-01-25 02:16:18.000000000 +0100
+++ openssh-6.1p1/openbsd-compat/port-linux.h 2012-11-05 14:46:39.339809234 +0100 +++ openssh-6.3p1/openbsd-compat/port-linux.h 2013-10-10 14:58:20.634762245 +0200
@@ -24,6 +24,7 @@ int ssh_selinux_enabled(void); @@ -24,6 +24,7 @@ int ssh_selinux_enabled(void);
void ssh_selinux_setup_pty(char *, const char *); void ssh_selinux_setup_pty(char *, const char *);
void ssh_selinux_setup_exec_context(char *); void ssh_selinux_setup_exec_context(char *);
@ -38,10 +38,10 @@ diff -up openssh-6.1p1/openbsd-compat/port-linux.h.privsep-selinux openssh-6.1p1
void ssh_selinux_setfscreatecon(const char *); void ssh_selinux_setfscreatecon(const char *);
#endif #endif
diff -up openssh-6.1p1/session.c.privsep-selinux openssh-6.1p1/session.c diff -up openssh-6.3p1/session.c.privsep-selinux openssh-6.3p1/session.c
--- openssh-6.1p1/session.c.privsep-selinux 2012-12-03 09:43:11.727505761 +0100 --- openssh-6.3p1/session.c.privsep-selinux 2013-10-10 14:58:20.617762326 +0200
+++ openssh-6.1p1/session.c 2012-12-03 09:54:50.455688902 +0100 +++ openssh-6.3p1/session.c 2013-10-10 15:13:16.520503590 +0200
@@ -1519,6 +1519,9 @@ do_setusercontext(struct passwd *pw) @@ -1522,6 +1522,9 @@ do_setusercontext(struct passwd *pw)
pw->pw_uid); pw->pw_uid);
chroot_path = percent_expand(tmp, "h", pw->pw_dir, chroot_path = percent_expand(tmp, "h", pw->pw_dir,
"u", pw->pw_name, (char *)NULL); "u", pw->pw_name, (char *)NULL);
@ -51,7 +51,7 @@ diff -up openssh-6.1p1/session.c.privsep-selinux openssh-6.1p1/session.c
safely_chroot(chroot_path, pw->pw_uid); safely_chroot(chroot_path, pw->pw_uid);
free(tmp); free(tmp);
free(chroot_path); free(chroot_path);
@@ -1533,6 +1536,12 @@ do_setusercontext(struct passwd *pw) @@ -1544,6 +1547,12 @@ do_setusercontext(struct passwd *pw)
/* Permanently switch to the desired uid. */ /* Permanently switch to the desired uid. */
permanently_set_uid(pw); permanently_set_uid(pw);
#endif #endif
@ -61,10 +61,10 @@ diff -up openssh-6.1p1/session.c.privsep-selinux openssh-6.1p1/session.c
+ strcasecmp(options.chroot_directory, "none") == 0) + strcasecmp(options.chroot_directory, "none") == 0)
+ ssh_selinux_copy_context(); + ssh_selinux_copy_context();
+#endif +#endif
} } else if (options.chroot_directory != NULL &&
strcasecmp(options.chroot_directory, "none") != 0) {
if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) fatal("server lacks privileges to chroot to ChrootDirectory");
@@ -1787,9 +1796,6 @@ do_child(Session *s, const char *command @@ -1808,9 +1817,6 @@ do_child(Session *s, const char *command
argv[i] = NULL; argv[i] = NULL;
optind = optreset = 1; optind = optreset = 1;
__progname = argv[0]; __progname = argv[0];
@ -74,10 +74,10 @@ diff -up openssh-6.1p1/session.c.privsep-selinux openssh-6.1p1/session.c
exit(sftp_server_main(i, argv, s->pw)); exit(sftp_server_main(i, argv, s->pw));
} }
diff -up openssh-6.1p1/sshd.c.privsep-selinux openssh-6.1p1/sshd.c diff -up openssh-6.3p1/sshd.c.privsep-selinux openssh-6.3p1/sshd.c
--- openssh-6.1p1/sshd.c.privsep-selinux 2013-02-24 11:29:32.997823377 +0100 --- openssh-6.3p1/sshd.c.privsep-selinux 2013-10-10 14:58:20.632762255 +0200
+++ openssh-6.1p1/sshd.c 2013-02-24 11:43:34.171182720 +0100 +++ openssh-6.3p1/sshd.c 2013-10-10 14:58:20.635762241 +0200
@@ -653,6 +653,10 @@ privsep_preauth_child(void) @@ -668,6 +668,10 @@ privsep_preauth_child(void)
/* Demote the private keys to public keys. */ /* Demote the private keys to public keys. */
demote_sensitive_data(); demote_sensitive_data();
@ -88,7 +88,7 @@ diff -up openssh-6.1p1/sshd.c.privsep-selinux openssh-6.1p1/sshd.c
/* Change our root directory */ /* Change our root directory */
if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1) if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR, fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
@@ -794,6 +798,13 @@ privsep_postauth(Authctxt *authctxt) @@ -811,6 +815,13 @@ privsep_postauth(Authctxt *authctxt)
do_setusercontext(authctxt->pw); do_setusercontext(authctxt->pw);
skip: skip:

46
openssh-6.1p1-redhat.patch → openssh-6.3p1-redhat.patch
View File

@ -1,10 +1,10 @@
diff -up openssh-6.1p1/ssh_config.redhat openssh-6.1p1/ssh_config diff -up openssh-6.3p1/ssh_config.redhat openssh-6.3p1/ssh_config
--- openssh-6.1p1/ssh_config.redhat 2010-01-12 09:40:27.000000000 +0100 --- openssh-6.3p1/ssh_config.redhat 2013-10-11 14:51:18.345876648 +0200
+++ openssh-6.1p1/ssh_config 2012-10-26 16:28:51.820340584 +0200 +++ openssh-6.3p1/ssh_config 2013-10-11 15:13:05.429829266 +0200
@@ -45,3 +45,14 @@ @@ -46,3 +46,14 @@
# PermitLocalCommand no
# VisualHostKey no # VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com # ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
+Host * +Host *
+ GSSAPIAuthentication yes + GSSAPIAuthentication yes
+# If this option is set to yes then remote X11 clients will have full access +# If this option is set to yes then remote X11 clients will have full access
@ -12,14 +12,14 @@ diff -up openssh-6.1p1/ssh_config.redhat openssh-6.1p1/ssh_config
+# mode correctly we set this to yes. +# mode correctly we set this to yes.
+ ForwardX11Trusted yes + ForwardX11Trusted yes
+# Send locale-related environment variables +# Send locale-related environment variables
+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES + SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT + SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE + SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+ SendEnv XMODIFIERS + SendEnv XMODIFIERS
diff -up openssh-6.1p1/sshd_config.0.redhat openssh-6.1p1/sshd_config.0 diff -up openssh-6.3p1/sshd_config.0.redhat openssh-6.3p1/sshd_config.0
--- openssh-6.1p1/sshd_config.0.redhat 2012-10-26 16:28:51.762340584 +0200 --- openssh-6.3p1/sshd_config.0.redhat 2013-09-13 08:20:43.000000000 +0200
+++ openssh-6.1p1/sshd_config.0 2012-10-26 16:28:51.821340584 +0200 +++ openssh-6.3p1/sshd_config.0 2013-10-11 14:51:18.345876648 +0200
@@ -583,9 +583,9 @@ DESCRIPTION @@ -653,9 +653,9 @@ DESCRIPTION
SyslogFacility SyslogFacility
Gives the facility code that is used when logging messages from Gives the facility code that is used when logging messages from
@ -32,10 +32,10 @@ diff -up openssh-6.1p1/sshd_config.0.redhat openssh-6.1p1/sshd_config.0
TCPKeepAlive TCPKeepAlive
Specifies whether the system should send TCP keepalive messages Specifies whether the system should send TCP keepalive messages
diff -up openssh-6.1p1/sshd_config.5.redhat openssh-6.1p1/sshd_config.5 diff -up openssh-6.3p1/sshd_config.5.redhat openssh-6.3p1/sshd_config.5
--- openssh-6.1p1/sshd_config.5.redhat 2012-10-26 16:28:51.763340584 +0200 --- openssh-6.3p1/sshd_config.5.redhat 2013-07-20 05:21:53.000000000 +0200
+++ openssh-6.1p1/sshd_config.5 2012-10-26 16:28:51.822340584 +0200 +++ openssh-6.3p1/sshd_config.5 2013-10-11 14:51:18.346876643 +0200
@@ -1015,7 +1015,7 @@ Note that this option applies to protoco @@ -1095,7 +1095,7 @@ Note that this option applies to protoco
.It Cm SyslogFacility .It Cm SyslogFacility
Gives the facility code that is used when logging messages from Gives the facility code that is used when logging messages from
.Xr sshd 8 . .Xr sshd 8 .
@ -44,9 +44,9 @@ diff -up openssh-6.1p1/sshd_config.5.redhat openssh-6.1p1/sshd_config.5
LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
The default is AUTH. The default is AUTH.
.It Cm TCPKeepAlive .It Cm TCPKeepAlive
diff -up openssh-6.1p1/sshd_config.redhat openssh-6.1p1/sshd_config diff -up openssh-6.3p1/sshd_config.redhat openssh-6.3p1/sshd_config
--- openssh-6.1p1/sshd_config.redhat 2012-10-26 16:28:51.819340584 +0200 --- openssh-6.3p1/sshd_config.redhat 2013-10-11 14:51:18.343876657 +0200
+++ openssh-6.1p1/sshd_config 2012-10-26 16:31:44.773340564 +0200 +++ openssh-6.3p1/sshd_config 2013-10-11 14:51:18.346876643 +0200
@@ -10,6 +10,10 @@ @@ -10,6 +10,10 @@
# possible, but leave them commented. Uncommented options override the # possible, but leave them commented. Uncommented options override the
# default value. # default value.
@ -58,7 +58,7 @@ diff -up openssh-6.1p1/sshd_config.redhat openssh-6.1p1/sshd_config
#Port 22 #Port 22
#AddressFamily any #AddressFamily any
#ListenAddress 0.0.0.0 #ListenAddress 0.0.0.0
@@ -32,6 +36,7 @@ @@ -35,6 +39,7 @@
# Logging # Logging
# obsoletes QuietMode and FascistLogging # obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH #SyslogFacility AUTH
@ -66,7 +66,7 @@ diff -up openssh-6.1p1/sshd_config.redhat openssh-6.1p1/sshd_config
#LogLevel INFO #LogLevel INFO
# Authentication: # Authentication:
@@ -67,9 +72,11 @@ AuthorizedKeysFile .ssh/authorized_keys @@ -70,9 +75,11 @@ AuthorizedKeysFile .ssh/authorized_keys
# To disable tunneled clear text passwords, change to no here! # To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes #PasswordAuthentication yes
#PermitEmptyPasswords no #PermitEmptyPasswords no
@ -78,7 +78,7 @@ diff -up openssh-6.1p1/sshd_config.redhat openssh-6.1p1/sshd_config
# Kerberos options # Kerberos options
#KerberosAuthentication no #KerberosAuthentication no
@@ -79,7 +86,9 @@ AuthorizedKeysFile .ssh/authorized_keys @@ -82,7 +89,9 @@ AuthorizedKeysFile .ssh/authorized_keys
# GSSAPI options # GSSAPI options
#GSSAPIAuthentication no #GSSAPIAuthentication no
@ -88,7 +88,7 @@ diff -up openssh-6.1p1/sshd_config.redhat openssh-6.1p1/sshd_config
# Set this to 'yes' to enable PAM authentication, account processing, # Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will # and session processing. If this is enabled, PAM authentication will
@@ -91,11 +100,13 @@ AuthorizedKeysFile .ssh/authorized_keys @@ -94,11 +103,13 @@ AuthorizedKeysFile .ssh/authorized_keys
# PAM authentication, then enable this but set PasswordAuthentication # PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'. # and ChallengeResponseAuthentication to 'no'.
#UsePAM no #UsePAM no
@ -102,7 +102,7 @@ diff -up openssh-6.1p1/sshd_config.redhat openssh-6.1p1/sshd_config
#X11DisplayOffset 10 #X11DisplayOffset 10
#X11UseLocalhost yes #X11UseLocalhost yes
#PrintMotd yes #PrintMotd yes
@@ -117,6 +128,12 @@ UsePrivilegeSeparation sandbox # Defaul @@ -120,6 +131,12 @@ UsePrivilegeSeparation sandbox # Defaul
# no default banner path # no default banner path
#Banner none #Banner none

317
openssh-6.2p1-role-mls.patch → openssh-6.3p1-role-mls.patch
View File

@ -1,20 +1,7 @@
diff -up openssh-6.2p1/auth.h.role-mls openssh-6.2p1/auth.h diff -up openssh-6.3p1/auth-pam.c.role-mls openssh-6.3p1/auth-pam.c
--- openssh-6.2p1/auth.h.role-mls 2013-03-25 17:47:00.565746862 +0100 --- openssh-6.3p1/auth-pam.c.role-mls 2013-10-10 14:34:43.799494546 +0200
+++ openssh-6.2p1/auth.h 2013-03-25 17:47:00.602747073 +0100 +++ openssh-6.3p1/auth-pam.c 2013-10-10 14:34:43.835494375 +0200
@@ -59,6 +59,9 @@ struct Authctxt { @@ -1071,7 +1071,7 @@ is_pam_session_open(void)
char *service;
struct passwd *pw; /* set if 'valid' */
char *style;
+#ifdef WITH_SELINUX
+ char *role;
+#endif
void *kbdintctxt;
void *jpake_ctx;
#ifdef BSD_AUTH
diff -up openssh-6.2p1/auth-pam.c.role-mls openssh-6.2p1/auth-pam.c
--- openssh-6.2p1/auth-pam.c.role-mls 2013-03-25 17:47:00.535746690 +0100
+++ openssh-6.2p1/auth-pam.c 2013-03-25 17:47:00.602747073 +0100
@@ -1074,7 +1074,7 @@ is_pam_session_open(void)
* during the ssh authentication process. * during the ssh authentication process.
*/ */
int int
@ -23,9 +10,9 @@ diff -up openssh-6.2p1/auth-pam.c.role-mls openssh-6.2p1/auth-pam.c
{ {
int ret = 1; int ret = 1;
#ifdef HAVE_PAM_PUTENV #ifdef HAVE_PAM_PUTENV
diff -up openssh-6.2p1/auth-pam.h.role-mls openssh-6.2p1/auth-pam.h diff -up openssh-6.3p1/auth-pam.h.role-mls openssh-6.3p1/auth-pam.h
--- openssh-6.2p1/auth-pam.h.role-mls 2004-09-11 14:17:26.000000000 +0200 --- openssh-6.3p1/auth-pam.h.role-mls 2004-09-11 14:17:26.000000000 +0200
+++ openssh-6.2p1/auth-pam.h 2013-03-25 17:47:00.602747073 +0100 +++ openssh-6.3p1/auth-pam.h 2013-10-10 14:34:43.835494375 +0200
@@ -38,7 +38,7 @@ void do_pam_session(void); @@ -38,7 +38,7 @@ void do_pam_session(void);
void do_pam_set_tty(const char *); void do_pam_set_tty(const char *);
void do_pam_setcred(int ); void do_pam_setcred(int );
@ -35,10 +22,23 @@ diff -up openssh-6.2p1/auth-pam.h.role-mls openssh-6.2p1/auth-pam.h
char ** fetch_pam_environment(void); char ** fetch_pam_environment(void);
char ** fetch_pam_child_environment(void); char ** fetch_pam_child_environment(void);
void free_pam_environment(char **); void free_pam_environment(char **);
diff -up openssh-6.2p1/auth1.c.role-mls openssh-6.2p1/auth1.c diff -up openssh-6.3p1/auth.h.role-mls openssh-6.3p1/auth.h
--- openssh-6.2p1/auth1.c.role-mls 2012-12-02 23:53:20.000000000 +0100 --- openssh-6.3p1/auth.h.role-mls 2013-10-10 14:34:43.834494379 +0200
+++ openssh-6.2p1/auth1.c 2013-03-25 17:47:00.600747062 +0100 +++ openssh-6.3p1/auth.h 2013-10-10 14:38:45.060348227 +0200
@@ -386,6 +386,9 @@ do_authentication(Authctxt *authctxt) @@ -59,6 +59,9 @@ struct Authctxt {
char *service;
struct passwd *pw; /* set if 'valid' */
char *style;
+#ifdef WITH_SELINUX
+ char *role;
+#endif
void *kbdintctxt;
char *info; /* Extra info for next auth_log */
void *jpake_ctx;
diff -up openssh-6.3p1/auth1.c.role-mls openssh-6.3p1/auth1.c
--- openssh-6.3p1/auth1.c.role-mls 2013-06-02 00:01:24.000000000 +0200
+++ openssh-6.3p1/auth1.c 2013-10-10 14:34:43.835494375 +0200
@@ -381,6 +381,9 @@ do_authentication(Authctxt *authctxt)
{ {
u_int ulen; u_int ulen;
char *user, *style = NULL; char *user, *style = NULL;
@ -48,7 +48,7 @@ diff -up openssh-6.2p1/auth1.c.role-mls openssh-6.2p1/auth1.c
/* Get the name of the user that we wish to log in as. */ /* Get the name of the user that we wish to log in as. */
packet_read_expect(SSH_CMSG_USER); packet_read_expect(SSH_CMSG_USER);
@@ -394,11 +397,24 @@ do_authentication(Authctxt *authctxt) @@ -389,11 +392,24 @@ do_authentication(Authctxt *authctxt)
user = packet_get_cstring(&ulen); user = packet_get_cstring(&ulen);
packet_check_eom(); packet_check_eom();
@ -73,52 +73,10 @@ diff -up openssh-6.2p1/auth1.c.role-mls openssh-6.2p1/auth1.c
/* Verify that the user is a valid user. */ /* Verify that the user is a valid user. */
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
diff -up openssh-6.2p1/auth2.c.role-mls openssh-6.2p1/auth2.c diff -up openssh-6.3p1/auth2-gss.c.role-mls openssh-6.3p1/auth2-gss.c
--- openssh-6.2p1/auth2.c.role-mls 2013-03-25 17:47:00.556746810 +0100 --- openssh-6.3p1/auth2-gss.c.role-mls 2013-06-01 23:31:18.000000000 +0200
+++ openssh-6.2p1/auth2.c 2013-03-25 17:47:00.600747062 +0100 +++ openssh-6.3p1/auth2-gss.c 2013-10-10 14:34:43.836494370 +0200
@@ -218,6 +218,9 @@ input_userauth_request(int type, u_int32 @@ -256,6 +256,7 @@ input_gssapi_mic(int type, u_int32_t ple
Authctxt *authctxt = ctxt;
Authmethod *m = NULL;
char *user, *service, *method, *style = NULL;
+#ifdef WITH_SELINUX
+ char *role = NULL;
+#endif
int authenticated = 0;
if (authctxt == NULL)
@@ -229,6 +232,11 @@ input_userauth_request(int type, u_int32
debug("userauth-request for user %s service %s method %s", user, service, method);
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
+#ifdef WITH_SELINUX
+ if ((role = strchr(user, '/')) != NULL)
+ *role++ = 0;
+#endif
+
if ((style = strchr(user, ':')) != NULL)
*style++ = 0;
@@ -251,8 +259,15 @@ input_userauth_request(int type, u_int32
use_privsep ? " [net]" : "");
authctxt->service = xstrdup(service);
authctxt->style = style ? xstrdup(style) : NULL;
- if (use_privsep)
+#ifdef WITH_SELINUX
+ authctxt->role = role ? xstrdup(role) : NULL;
+#endif
+ if (use_privsep) {
mm_inform_authserv(service, style);
+#ifdef WITH_SELINUX
+ mm_inform_authrole(role);
+#endif
+ }
userauth_banner();
if (auth2_setup_methods_lists(authctxt) != 0)
packet_disconnect("no authentication methods enabled");
diff -up openssh-6.2p1/auth2-gss.c.role-mls openssh-6.2p1/auth2-gss.c
--- openssh-6.2p1/auth2-gss.c.role-mls 2012-12-02 23:53:20.000000000 +0100
+++ openssh-6.2p1/auth2-gss.c 2013-03-25 17:47:00.601747067 +0100
@@ -260,6 +260,7 @@ input_gssapi_mic(int type, u_int32_t ple
Authctxt *authctxt = ctxt; Authctxt *authctxt = ctxt;
Gssctxt *gssctxt; Gssctxt *gssctxt;
int authenticated = 0; int authenticated = 0;
@ -126,7 +84,7 @@ diff -up openssh-6.2p1/auth2-gss.c.role-mls openssh-6.2p1/auth2-gss.c
Buffer b; Buffer b;
gss_buffer_desc mic, gssbuf; gss_buffer_desc mic, gssbuf;
u_int len; u_int len;
@@ -272,7 +273,13 @@ input_gssapi_mic(int type, u_int32_t ple @@ -268,7 +269,13 @@ input_gssapi_mic(int type, u_int32_t ple
mic.value = packet_get_string(&len); mic.value = packet_get_string(&len);
mic.length = len; mic.length = len;
@ -141,18 +99,18 @@ diff -up openssh-6.2p1/auth2-gss.c.role-mls openssh-6.2p1/auth2-gss.c
"gssapi-with-mic"); "gssapi-with-mic");
gssbuf.value = buffer_ptr(&b); gssbuf.value = buffer_ptr(&b);
@@ -284,6 +291,8 @@ input_gssapi_mic(int type, u_int32_t ple @@ -280,6 +287,8 @@ input_gssapi_mic(int type, u_int32_t ple
logit("GSSAPI MIC check failed"); logit("GSSAPI MIC check failed");
buffer_free(&b); buffer_free(&b);
+ if (micuser != authctxt->user) + if (micuser != authctxt->user)
+ xfree(micuser); + free(micuser);
xfree(mic.value); free(mic.value);
authctxt->postponed = 0; authctxt->postponed = 0;
diff -up openssh-6.2p1/auth2-hostbased.c.role-mls openssh-6.2p1/auth2-hostbased.c diff -up openssh-6.3p1/auth2-hostbased.c.role-mls openssh-6.3p1/auth2-hostbased.c
--- openssh-6.2p1/auth2-hostbased.c.role-mls 2013-03-25 17:47:00.565746862 +0100 --- openssh-6.3p1/auth2-hostbased.c.role-mls 2013-10-10 14:34:43.818494455 +0200
+++ openssh-6.2p1/auth2-hostbased.c 2013-03-25 17:47:00.601747067 +0100 +++ openssh-6.3p1/auth2-hostbased.c 2013-10-10 14:34:43.836494370 +0200
@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt) @@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt)
buffer_put_string(&b, session_id2, session_id2_len); buffer_put_string(&b, session_id2, session_id2_len);
/* reconstruct packet */ /* reconstruct packet */
@ -170,30 +128,69 @@ diff -up openssh-6.2p1/auth2-hostbased.c.role-mls openssh-6.2p1/auth2-hostbased.
buffer_put_cstring(&b, service); buffer_put_cstring(&b, service);
buffer_put_cstring(&b, "hostbased"); buffer_put_cstring(&b, "hostbased");
buffer_put_string(&b, pkalg, alen); buffer_put_string(&b, pkalg, alen);
diff -up openssh-6.2p1/auth2-pubkey.c.role-mls openssh-6.2p1/auth2-pubkey.c diff -up openssh-6.3p1/auth2-pubkey.c.role-mls openssh-6.3p1/auth2-pubkey.c
--- openssh-6.2p1/auth2-pubkey.c.role-mls 2013-03-25 17:47:00.565746862 +0100 --- openssh-6.3p1/auth2-pubkey.c.role-mls 2013-10-10 14:34:43.836494370 +0200
+++ openssh-6.2p1/auth2-pubkey.c 2013-03-25 17:47:00.601747067 +0100 +++ openssh-6.3p1/auth2-pubkey.c 2013-10-10 14:57:17.452062486 +0200
@@ -127,7 +127,15 @@ userauth_pubkey(Authctxt *authctxt) @@ -127,9 +127,11 @@ userauth_pubkey(Authctxt *authctxt)
} }
/* reconstruct packet */ /* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
- buffer_put_cstring(&b, authctxt->user); - xasprintf(&userstyle, "%s%s%s", authctxt->user,
+#ifdef WITH_SELINUX + xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user,
+ if (authctxt->role) { authctxt->style ? ":" : "",
+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1); - authctxt->style ? authctxt->style : "");
+ buffer_append(&b, authctxt->user, strlen(authctxt->user)); + authctxt->style ? authctxt->style : "",
+ buffer_put_char(&b, '/'); + authctxt->role ? "/" : "",
+ buffer_append(&b, authctxt->role, strlen(authctxt->role)); + authctxt->role ? authctxt->role : "");
+ } else buffer_put_cstring(&b, userstyle);
+#endif free(userstyle);
+ buffer_put_cstring(&b, authctxt->user);
buffer_put_cstring(&b, buffer_put_cstring(&b,
datafellows & SSH_BUG_PKSERVICE ? diff -up openssh-6.3p1/auth2.c.role-mls openssh-6.3p1/auth2.c
"ssh-userauth" : --- openssh-6.3p1/auth2.c.role-mls 2013-10-10 14:34:43.819494451 +0200
diff -up openssh-6.2p1/misc.c.role-mls openssh-6.2p1/misc.c +++ openssh-6.3p1/auth2.c 2013-10-10 14:34:43.835494375 +0200
--- openssh-6.2p1/misc.c.role-mls 2011-09-22 13:34:36.000000000 +0200 @@ -221,6 +221,9 @@ input_userauth_request(int type, u_int32
+++ openssh-6.2p1/misc.c 2013-03-25 17:47:00.603747079 +0100 Authctxt *authctxt = ctxt;
@@ -427,6 +427,7 @@ char * Authmethod *m = NULL;
char *user, *service, *method, *style = NULL;
+#ifdef WITH_SELINUX
+ char *role = NULL;
+#endif
int authenticated = 0;
if (authctxt == NULL)
@@ -232,6 +235,11 @@ input_userauth_request(int type, u_int32
debug("userauth-request for user %s service %s method %s", user, service, method);
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
+#ifdef WITH_SELINUX
+ if ((role = strchr(user, '/')) != NULL)
+ *role++ = 0;
+#endif
+
if ((style = strchr(user, ':')) != NULL)
*style++ = 0;
@@ -254,8 +262,15 @@ input_userauth_request(int type, u_int32
use_privsep ? " [net]" : "");
authctxt->service = xstrdup(service);
authctxt->style = style ? xstrdup(style) : NULL;
- if (use_privsep)
+#ifdef WITH_SELINUX
+ authctxt->role = role ? xstrdup(role) : NULL;
+#endif
+ if (use_privsep) {
mm_inform_authserv(service, style);
+#ifdef WITH_SELINUX
+ mm_inform_authrole(role);
+#endif
+ }
userauth_banner();
if (auth2_setup_methods_lists(authctxt) != 0)
packet_disconnect("no authentication methods enabled");
diff -up openssh-6.3p1/misc.c.role-mls openssh-6.3p1/misc.c
--- openssh-6.3p1/misc.c.role-mls 2013-08-08 04:50:06.000000000 +0200
+++ openssh-6.3p1/misc.c 2013-10-10 14:34:43.836494370 +0200
@@ -429,6 +429,7 @@ char *
colon(char *cp) colon(char *cp)
{ {
int flag = 0; int flag = 0;
@ -201,7 +198,7 @@ diff -up openssh-6.2p1/misc.c.role-mls openssh-6.2p1/misc.c
if (*cp == ':') /* Leading colon is part of file name. */ if (*cp == ':') /* Leading colon is part of file name. */
return NULL; return NULL;
@@ -442,6 +443,13 @@ colon(char *cp) @@ -444,6 +445,13 @@ colon(char *cp)
return (cp); return (cp);
if (*cp == '/') if (*cp == '/')
return NULL; return NULL;
@ -215,10 +212,10 @@ diff -up openssh-6.2p1/misc.c.role-mls openssh-6.2p1/misc.c
} }
return NULL; return NULL;
} }
diff -up openssh-6.2p1/monitor.c.role-mls openssh-6.2p1/monitor.c diff -up openssh-6.3p1/monitor.c.role-mls openssh-6.3p1/monitor.c
--- openssh-6.2p1/monitor.c.role-mls 2013-03-25 17:47:00.587746987 +0100 --- openssh-6.3p1/monitor.c.role-mls 2013-10-10 14:34:43.821494441 +0200
+++ openssh-6.2p1/monitor.c 2013-03-25 17:47:00.604747085 +0100 +++ openssh-6.3p1/monitor.c 2013-10-10 14:54:57.933725463 +0200
@@ -148,6 +148,9 @@ int mm_answer_sign(int, Buffer *); @@ -149,6 +149,9 @@ int mm_answer_sign(int, Buffer *);
int mm_answer_pwnamallow(int, Buffer *); int mm_answer_pwnamallow(int, Buffer *);
int mm_answer_auth2_read_banner(int, Buffer *); int mm_answer_auth2_read_banner(int, Buffer *);
int mm_answer_authserv(int, Buffer *); int mm_answer_authserv(int, Buffer *);
@ -228,7 +225,7 @@ diff -up openssh-6.2p1/monitor.c.role-mls openssh-6.2p1/monitor.c
int mm_answer_authpassword(int, Buffer *); int mm_answer_authpassword(int, Buffer *);
int mm_answer_bsdauthquery(int, Buffer *); int mm_answer_bsdauthquery(int, Buffer *);
int mm_answer_bsdauthrespond(int, Buffer *); int mm_answer_bsdauthrespond(int, Buffer *);
@@ -232,6 +235,9 @@ struct mon_table mon_dispatch_proto20[] @@ -233,6 +236,9 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@ -238,7 +235,7 @@ diff -up openssh-6.2p1/monitor.c.role-mls openssh-6.2p1/monitor.c
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM #ifdef USE_PAM
@@ -846,6 +852,9 @@ mm_answer_pwnamallow(int sock, Buffer *m @@ -853,6 +859,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
else { else {
/* Allow service/style information on the auth context */ /* Allow service/style information on the auth context */
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@ -248,7 +245,7 @@ diff -up openssh-6.2p1/monitor.c.role-mls openssh-6.2p1/monitor.c
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
} }
#ifdef USE_PAM #ifdef USE_PAM
@@ -889,6 +898,25 @@ mm_answer_authserv(int sock, Buffer *m) @@ -894,6 +903,25 @@ mm_answer_authserv(int sock, Buffer *m)
return (0); return (0);
} }
@ -263,7 +260,7 @@ diff -up openssh-6.2p1/monitor.c.role-mls openssh-6.2p1/monitor.c
+ __func__, authctxt->role); + __func__, authctxt->role);
+ +
+ if (strlen(authctxt->role) == 0) { + if (strlen(authctxt->role) == 0) {
+ xfree(authctxt->role); + free(authctxt->role);
+ authctxt->role = NULL; + authctxt->role = NULL;
+ } + }
+ +
@ -274,45 +271,45 @@ diff -up openssh-6.2p1/monitor.c.role-mls openssh-6.2p1/monitor.c
int int
mm_answer_authpassword(int sock, Buffer *m) mm_answer_authpassword(int sock, Buffer *m)
{ {
@@ -1262,7 +1290,7 @@ static int @@ -1269,7 +1297,7 @@ static int
monitor_valid_userblob(u_char *data, u_int datalen) monitor_valid_userblob(u_char *data, u_int datalen)
{ {
Buffer b; Buffer b;
- char *p; - char *p, *userstyle;
+ char *p, *r; + char *p, *r, *userstyle;
u_int len; u_int len;
int fail = 0; int fail = 0;
@@ -1288,6 +1316,8 @@ monitor_valid_userblob(u_char *data, u_i @@ -1295,6 +1323,8 @@ monitor_valid_userblob(u_char *data, u_i
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++; fail++;
p = buffer_get_string(&b, NULL); p = buffer_get_cstring(&b, NULL);
+ if ((r = strchr(p, '/')) != NULL) + if ((r = strchr(p, '/')) != NULL)
+ *r = '\0'; + *r = '\0';
if (strcmp(authctxt->user, p) != 0) { xasprintf(&userstyle, "%s%s%s", authctxt->user,
logit("wrong user name passed to monitor: expected %s != %.100s", authctxt->style ? ":" : "",
authctxt->user, p); authctxt->style ? authctxt->style : "");
@@ -1319,7 +1349,7 @@ monitor_valid_hostbasedblob(u_char *data @@ -1330,7 +1360,7 @@ monitor_valid_hostbasedblob(u_char *data
char *chost) char *chost)
{ {
Buffer b; Buffer b;
- char *p; - char *p, *userstyle;
+ char *p, *r; + char *p, *r, *userstyle;
u_int len; u_int len;
int fail = 0; int fail = 0;
@@ -1336,6 +1366,8 @@ monitor_valid_hostbasedblob(u_char *data @@ -1347,6 +1377,8 @@ monitor_valid_hostbasedblob(u_char *data
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++; fail++;
p = buffer_get_string(&b, NULL); p = buffer_get_cstring(&b, NULL);
+ if ((r = strchr(p, '/')) != NULL) + if ((r = strchr(p, '/')) != NULL)
+ *r = '\0'; + *r = '\0';
if (strcmp(authctxt->user, p) != 0) { xasprintf(&userstyle, "%s%s%s", authctxt->user,
logit("wrong user name passed to monitor: expected %s != %.100s", authctxt->style ? ":" : "",
authctxt->user, p); authctxt->style ? authctxt->style : "");
diff -up openssh-6.2p1/monitor.h.role-mls openssh-6.2p1/monitor.h diff -up openssh-6.3p1/monitor.h.role-mls openssh-6.3p1/monitor.h
--- openssh-6.2p1/monitor.h.role-mls 2013-03-25 17:47:00.605747090 +0100 --- openssh-6.3p1/monitor.h.role-mls 2013-10-10 14:34:43.821494441 +0200
+++ openssh-6.2p1/monitor.h 2013-03-25 17:50:00.824775483 +0100 +++ openssh-6.3p1/monitor.h 2013-10-10 14:34:43.837494365 +0200
@@ -61,6 +61,9 @@ enum monitor_reqtype { @@ -61,6 +61,9 @@ enum monitor_reqtype {
MONITOR_REQ_JPAKE_STEP2 = 56, MONITOR_ANS_JPAKE_STEP2 = 57, MONITOR_REQ_JPAKE_STEP2 = 56, MONITOR_ANS_JPAKE_STEP2 = 57,
MONITOR_REQ_JPAKE_KEY_CONFIRM = 58, MONITOR_ANS_JPAKE_KEY_CONFIRM = 59, MONITOR_REQ_JPAKE_KEY_CONFIRM = 58, MONITOR_ANS_JPAKE_KEY_CONFIRM = 59,
@ -323,10 +320,10 @@ diff -up openssh-6.2p1/monitor.h.role-mls openssh-6.2p1/monitor.h
MONITOR_REQ_PAM_START = 100, MONITOR_REQ_PAM_START = 100,
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103, MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
diff -up openssh-6.2p1/monitor_wrap.c.role-mls openssh-6.2p1/monitor_wrap.c diff -up openssh-6.3p1/monitor_wrap.c.role-mls openssh-6.3p1/monitor_wrap.c
--- openssh-6.2p1/monitor_wrap.c.role-mls 2013-03-25 17:47:00.588746993 +0100 --- openssh-6.3p1/monitor_wrap.c.role-mls 2013-10-10 14:34:43.822494436 +0200
+++ openssh-6.2p1/monitor_wrap.c 2013-03-25 17:47:00.605747090 +0100 +++ openssh-6.3p1/monitor_wrap.c 2013-10-10 14:34:43.838494360 +0200
@@ -336,6 +336,25 @@ mm_inform_authserv(char *service, char * @@ -338,6 +338,25 @@ mm_inform_authserv(char *service, char *
buffer_free(&m); buffer_free(&m);
} }
@ -352,9 +349,9 @@ diff -up openssh-6.2p1/monitor_wrap.c.role-mls openssh-6.2p1/monitor_wrap.c
/* Do the password authentication */ /* Do the password authentication */
int int
mm_auth_password(Authctxt *authctxt, char *password) mm_auth_password(Authctxt *authctxt, char *password)
diff -up openssh-6.2p1/monitor_wrap.h.role-mls openssh-6.2p1/monitor_wrap.h diff -up openssh-6.3p1/monitor_wrap.h.role-mls openssh-6.3p1/monitor_wrap.h
--- openssh-6.2p1/monitor_wrap.h.role-mls 2013-03-25 17:47:00.588746993 +0100 --- openssh-6.3p1/monitor_wrap.h.role-mls 2013-10-10 14:34:43.822494436 +0200
+++ openssh-6.2p1/monitor_wrap.h 2013-03-25 17:47:00.605747090 +0100 +++ openssh-6.3p1/monitor_wrap.h 2013-10-10 14:34:43.838494360 +0200
@@ -42,6 +42,9 @@ int mm_is_monitor(void); @@ -42,6 +42,9 @@ int mm_is_monitor(void);
DH *mm_choose_dh(int, int, int); DH *mm_choose_dh(int, int, int);
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
@ -365,9 +362,9 @@ diff -up openssh-6.2p1/monitor_wrap.h.role-mls openssh-6.2p1/monitor_wrap.h
struct passwd *mm_getpwnamallow(const char *); struct passwd *mm_getpwnamallow(const char *);
char *mm_auth2_read_banner(void); char *mm_auth2_read_banner(void);
int mm_auth_password(struct Authctxt *, char *); int mm_auth_password(struct Authctxt *, char *);
diff -up openssh-6.2p1/openbsd-compat/Makefile.in.role-mls openssh-6.2p1/openbsd-compat/Makefile.in diff -up openssh-6.3p1/openbsd-compat/Makefile.in.role-mls openssh-6.3p1/openbsd-compat/Makefile.in
--- openssh-6.2p1/openbsd-compat/Makefile.in.role-mls 2013-03-25 17:47:00.606747096 +0100 --- openssh-6.3p1/openbsd-compat/Makefile.in.role-mls 2013-05-10 08:28:56.000000000 +0200
+++ openssh-6.2p1/openbsd-compat/Makefile.in 2013-03-25 17:50:36.024979473 +0100 +++ openssh-6.3p1/openbsd-compat/Makefile.in 2013-10-10 14:34:43.838494360 +0200
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport @@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport
COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
@ -377,9 +374,9 @@ diff -up openssh-6.2p1/openbsd-compat/Makefile.in.role-mls openssh-6.2p1/openbsd
.c.o: .c.o:
$(CC) $(CFLAGS) $(CPPFLAGS) -c $< $(CC) $(CFLAGS) $(CPPFLAGS) -c $<
diff -up openssh-6.2p1/openbsd-compat/port-linux.c.role-mls openssh-6.2p1/openbsd-compat/port-linux.c diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbsd-compat/port-linux.c
--- openssh-6.2p1/openbsd-compat/port-linux.c.role-mls 2012-03-09 00:25:18.000000000 +0100 --- openssh-6.3p1/openbsd-compat/port-linux.c.role-mls 2013-06-02 00:07:32.000000000 +0200
+++ openssh-6.2p1/openbsd-compat/port-linux.c 2013-03-25 17:47:00.606747096 +0100 +++ openssh-6.3p1/openbsd-compat/port-linux.c 2013-10-10 14:40:41.841793347 +0200
@@ -31,68 +31,271 @@ @@ -31,68 +31,271 @@
#include "log.h" #include "log.h"
@ -419,7 +416,8 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.role-mls openssh-6.2p1/openbs
+static int +static int
+send_audit_message(int success, security_context_t default_context, +send_audit_message(int success, security_context_t default_context,
+ security_context_t selected_context) + security_context_t selected_context)
+{ {
- static int enabled = -1;
+ int rc=0; + int rc=0;
+#ifdef HAVE_LINUX_AUDIT +#ifdef HAVE_LINUX_AUDIT
+ char *msg = NULL; + char *msg = NULL;
@ -465,8 +463,7 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.role-mls openssh-6.2p1/openbs
+ +
+static int +static int
+mls_range_allowed(security_context_t src, security_context_t dst) +mls_range_allowed(security_context_t src, security_context_t dst)
{ +{
- static int enabled = -1;
+ struct av_decision avd; + struct av_decision avd;
+ int retval; + int retval;
+ unsigned int bit = CONTEXT__CONTAINS; + unsigned int bit = CONTEXT__CONTAINS;
@ -683,16 +680,16 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.role-mls openssh-6.2p1/openbs
} }
#ifdef HAVE_GETSEUSERBYNAME #ifdef HAVE_GETSEUSERBYNAME
@@ -102,7 +305,42 @@ ssh_selinux_getctxbyname(char *pwname) @@ -100,7 +303,42 @@ ssh_selinux_getctxbyname(char *pwname)
xfree(lvl); free(lvl);
#endif #endif
- return sc; - return sc;
+ if (role != NULL) + if (role != NULL)
+ xfree(role); + free(role);
+ if (con) + if (con)
+ context_free(con); + context_free(con);
+ +
+ return (r); + return (r);
+} +}
+ +
@ -710,7 +707,7 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.role-mls openssh-6.2p1/openbs
+ ssh_selinux_get_role_level(&role, &reqlvl); + ssh_selinux_get_role_level(&role, &reqlvl);
+ +
+ rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : ""); + rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
+ +
+ if (inetd_flag && !rexeced_flag) { + if (inetd_flag && !rexeced_flag) {
+ use_current = "1"; + use_current = "1";
+ } else { + } else {
@ -721,13 +718,13 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.role-mls openssh-6.2p1/openbs
+ rv = rv || do_pam_putenv("SELINUX_USE_CURRENT_RANGE", use_current); + rv = rv || do_pam_putenv("SELINUX_USE_CURRENT_RANGE", use_current);
+ +
+ if (role != NULL) + if (role != NULL)
+ xfree(role); + free(role);
+ +
+ return rv; + return rv;
} }
/* Set the execution context to the default for the specified user */ /* Set the execution context to the default for the specified user */
@@ -110,28 +348,71 @@ void @@ -108,28 +346,71 @@ void
ssh_selinux_setup_exec_context(char *pwname) ssh_selinux_setup_exec_context(char *pwname)
{ {
security_context_t user_ctx = NULL; security_context_t user_ctx = NULL;
@ -806,7 +803,7 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.role-mls openssh-6.2p1/openbs
debug3("%s: done", __func__); debug3("%s: done", __func__);
} }
@@ -149,7 +430,10 @@ ssh_selinux_setup_pty(char *pwname, cons @@ -147,7 +428,10 @@ ssh_selinux_setup_pty(char *pwname, cons
debug3("%s: setting TTY context on %s", __func__, tty); debug3("%s: setting TTY context on %s", __func__, tty);
@ -818,8 +815,8 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.role-mls openssh-6.2p1/openbs
/* XXX: should these calls fatal() upon failure in enforcing mode? */ /* XXX: should these calls fatal() upon failure in enforcing mode? */
@@ -221,21 +505,6 @@ ssh_selinux_change_context(const char *n @@ -219,21 +503,6 @@ ssh_selinux_change_context(const char *n
xfree(newctx); free(newctx);
} }
-void -void
@ -840,9 +837,9 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.role-mls openssh-6.2p1/openbs
#endif /* WITH_SELINUX */ #endif /* WITH_SELINUX */
#ifdef LINUX_OOM_ADJUST #ifdef LINUX_OOM_ADJUST
diff -up openssh-6.2p1/openbsd-compat/port-linux_part_2.c.role-mls openssh-6.2p1/openbsd-compat/port-linux_part_2.c diff -up openssh-6.3p1/openbsd-compat/port-linux_part_2.c.role-mls openssh-6.3p1/openbsd-compat/port-linux_part_2.c
--- openssh-6.2p1/openbsd-compat/port-linux_part_2.c.role-mls 2013-03-25 17:47:00.607747102 +0100 --- openssh-6.3p1/openbsd-compat/port-linux_part_2.c.role-mls 2013-10-10 14:34:43.839494355 +0200
+++ openssh-6.2p1/openbsd-compat/port-linux_part_2.c 2013-03-25 17:47:00.607747102 +0100 +++ openssh-6.3p1/openbsd-compat/port-linux_part_2.c 2013-10-10 14:34:43.839494355 +0200
@@ -0,0 +1,75 @@ @@ -0,0 +1,75 @@
+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */ +/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
+ +
@ -919,10 +916,10 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux_part_2.c.role-mls openssh-6.2p1
+#endif /* WITH_SELINUX */ +#endif /* WITH_SELINUX */
+ +
+#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */ +#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */
diff -up openssh-6.2p1/sshd.c.role-mls openssh-6.2p1/sshd.c diff -up openssh-6.3p1/sshd.c.role-mls openssh-6.3p1/sshd.c
--- openssh-6.2p1/sshd.c.role-mls 2013-03-25 17:47:00.589746999 +0100 --- openssh-6.3p1/sshd.c.role-mls 2013-10-10 14:34:43.824494427 +0200
+++ openssh-6.2p1/sshd.c 2013-03-25 17:47:00.607747102 +0100 +++ openssh-6.3p1/sshd.c 2013-10-10 14:34:43.839494355 +0200
@@ -2118,6 +2118,9 @@ main(int ac, char **av) @@ -2179,6 +2179,9 @@ main(int ac, char **av)
restore_uid(); restore_uid();
} }
#endif #endif

42
openssh.spec
View File

@ -92,9 +92,9 @@ Source13: sshd-keygen
Patch0: openssh-5.9p1-wIm.patch Patch0: openssh-5.9p1-wIm.patch
#? #?
Patch100: openssh-6.2p1-coverity.patch Patch100: openssh-6.3p1-coverity.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1872 #https://bugzilla.mindrot.org/show_bug.cgi?id=1872
Patch101: openssh-6.2p1-fingerprint.patch Patch101: openssh-6.3p1-fingerprint.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1894 #https://bugzilla.mindrot.org/show_bug.cgi?id=1894
#https://bugzilla.redhat.com/show_bug.cgi?id=735889 #https://bugzilla.redhat.com/show_bug.cgi?id=735889
Patch102: openssh-5.8p1-getaddrinfo.patch Patch102: openssh-5.8p1-getaddrinfo.patch
@ -102,7 +102,7 @@ Patch102: openssh-5.8p1-getaddrinfo.patch
Patch103: openssh-5.8p1-packet.patch Patch103: openssh-5.8p1-packet.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402 #https://bugzilla.mindrot.org/show_bug.cgi?id=1402
Patch200: openssh-6.2p1-audit.patch Patch200: openssh-6.3p1-audit.patch
# --- pam_ssh-agent --- # --- pam_ssh-agent ---
# make it build reusing the openssh sources # make it build reusing the openssh sources
@ -112,14 +112,14 @@ Patch301: pam_ssh_agent_auth-0.9.2-seteuid.patch
# explicitly make pam callbacks visible # explicitly make pam callbacks visible
Patch302: pam_ssh_agent_auth-0.9.2-visibility.patch Patch302: pam_ssh_agent_auth-0.9.2-visibility.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX) #https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX)
Patch400: openssh-6.2p1-role-mls.patch Patch400: openssh-6.3p1-role-mls.patch
#https://bugzilla.redhat.com/show_bug.cgi?id=781634 #https://bugzilla.redhat.com/show_bug.cgi?id=781634
Patch404: openssh-6.1p1-privsep-selinux.patch Patch404: openssh-6.3p1-privsep-selinux.patch
#?-- unwanted child :( #?-- unwanted child :(
Patch501: openssh-6.2p1-ldap.patch Patch501: openssh-6.3p1-ldap.patch
#? #?
Patch502: openssh-6.2p1-keycat.patch Patch502: openssh-6.3p1-keycat.patch
#http6://bugzilla.mindrot.org/show_bug.cgi?id=1644 #http6://bugzilla.mindrot.org/show_bug.cgi?id=1644
Patch601: openssh-5.2p1-allow-ip-opts.patch Patch601: openssh-5.2p1-allow-ip-opts.patch
@ -141,7 +141,7 @@ Patch608: openssh-6.1p1-askpass-ld.patch
Patch609: openssh-5.5p1-x11.patch Patch609: openssh-5.5p1-x11.patch
#? #?
Patch700: openssh-6.2p1-fips.patch Patch700: openssh-6.3p1-fips.patch
#? #?
Patch701: openssh-5.6p1-exit-deadlock.patch Patch701: openssh-5.6p1-exit-deadlock.patch
#? #?
@ -155,7 +155,7 @@ Patch705: openssh-5.1p1-scp-manpage.patch
#? #?
Patch706: openssh-5.8p1-localdomain.patch Patch706: openssh-5.8p1-localdomain.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX) #https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX)
Patch707: openssh-6.1p1-redhat.patch Patch707: openssh-6.3p1-redhat.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :) #https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :)
Patch708: openssh-6.2p1-entropy.patch Patch708: openssh-6.2p1-entropy.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX) #https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX)
@ -163,29 +163,19 @@ Patch709: openssh-6.2p1-vendor.patch
# warn users for unsupported UsePAM=no (#757545) # warn users for unsupported UsePAM=no (#757545)
Patch711: openssh-6.1p1-log-usepam-no.patch Patch711: openssh-6.1p1-log-usepam-no.patch
# make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL # make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL
Patch712: openssh-5.9p1-ctr-evp-fast.patch Patch712: openssh-6.3p1-ctr-evp-fast.patch
# add cavs test binary for the aes-ctr # add cavs test binary for the aes-ctr
Patch713: openssh-6.2p1-ctr-cavstest.patch Patch713: openssh-6.3p1-ctr-cavstest.patch
#http://www.sxw.org.uk/computing/patches/openssh.html #http://www.sxw.org.uk/computing/patches/openssh.html
#changed cache storage type - #848228 #changed cache storage type - #848228
Patch800: openssh-6.2p1-gsskex.patch Patch800: openssh-6.3p1-gsskex.patch
#http://www.mail-archive.com/kerberos@mit.edu/msg17591.html #http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
Patch801: openssh-6.2p1-force_krb.patch Patch801: openssh-6.3p1-force_krb.patch
Patch900: openssh-6.1p1-gssapi-canohost.patch Patch900: openssh-6.1p1-gssapi-canohost.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1780 #https://bugzilla.mindrot.org/show_bug.cgi?id=1780
Patch901: openssh-6.2p1-kuserok.patch Patch901: openssh-6.3p1-kuserok.patch
# build regress/modpipe tests with $(CFLAGS), based on
# http://lists.mindrot.org/pipermail/openssh-unix-dev/2013-March/031167.html
Patch905: openssh-6.2p1-modpipe-cflags.patch
# add latest config.{sub,guess} to support aarch64 (#926284)
Patch907: openssh-6.2p1-aarch64.patch
# make sftp's libedit interface marginally multibyte aware (#841771)
Patch908: openssh-6.2p2-sftp-multibyte.patch
# don't show Success for EAI_SYSTEM (#985964)
Patch909: openssh-6.2p2-ssh_gai_strerror.patch
License: BSD License: BSD
@ -404,10 +394,6 @@ popd
%patch900 -p1 -b .canohost %patch900 -p1 -b .canohost
%patch901 -p1 -b .kuserok %patch901 -p1 -b .kuserok
%patch905 -p1 -b .modpipe-cflags
%patch907 -p1 -b .aarch64
%patch908 -p1 -b .sftp-multibyte
%patch909 -p1 -b .ssh_gai_strerror
%if 0 %if 0
# Nothing here yet # Nothing here yet