rebase patches to openssh-7.9p1

Jakub Jelen 2018-10-12 15:54:56 +02:00
parent 8089081fa9
commit eaa7af2e41
14 changed files with 1361 additions and 4086 deletions

2
.gitignore vendored

@ -32,3 +32,5 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
/DJM-GPG-KEY.gpg
/openssh-7.8p1.tar.gz
/openssh-7.8p1.tar.gz.asc
/openssh-7.9p1.tar.gz
/openssh-7.9p1.tar.gz.asc


@ -82,14 +82,6 @@ diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
index 22ea8ef..1fc963d 100644
--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
@@ -26,6 +26,7 @@
#include <stdarg.h>
#include <string.h>
#include <stdio.h>
+#include <stdlib.h>
#include "log.h"
#include "xmalloc.h"
@@ -179,7 +179,7 @@ ssh_selinux_change_context(const char *newname)
strlcpy(newctx + len, newname, newlen - len);
if ((cx = index(cx + 1, ':')))


@ -187,7 +187,7 @@ diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
+ usage();
+ }
+
+ SSLeay_add_all_algorithms();
+ OpenSSL_add_all_algorithms();
+
+ c = cipher_by_name(algo);
+ if (c == NULL) {


@ -235,9 +235,9 @@ index 28659ec..9c94d8e 100644
+#endif
+#endif
+
s->forced = 0;
if (forced != NULL) {
if (IS_INTERNAL_SFTP(command)) {
s->is_subsystem = s->is_subsystem ?
s->forced = 1;
diff --git a/ssh-gss.h b/ssh-gss.h
index 0374c88..509109a 100644
--- a/ssh-gss.h


@ -29,14 +29,14 @@ diff -up openssh-7.0p1/gss-genr.c.gsskexalg openssh-7.0p1/gss-genr.c
@@ -100,6 +101,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
char deroid[2];
const EVP_MD *evp_md = EVP_md5();
EVP_MD_CTX md;
EVP_MD_CTX *md;
+ char *s, *cp, *p;
if (gss_enc2oid != NULL) {
for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
@@ -113,6 +115,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
fatal("%s: sshbuf_new failed", __func__);
md = EVP_MD_CTX_new();
oidpos = 0;
+ s = cp = xstrdup(kex);
for (i = 0; i < gss_supported->count; i++) {
@ -81,9 +81,9 @@ diff -up openssh-7.0p1/gss-genr.c.gsskexalg openssh-7.0p1/gss-genr.c
}
}
+ free(s);
EVP_MD_CTX_free(md);
gss_enc2oid[oidpos].oid = NULL;
gss_enc2oid[oidpos].encoded = NULL;
diff -up openssh-7.0p1/gss-serv.c.gsskexalg openssh-7.0p1/gss-serv.c
--- openssh-7.0p1/gss-serv.c.gsskexalg 2015-08-19 12:28:38.024518959 +0200
+++ openssh-7.0p1/gss-serv.c 2015-08-19 12:28:38.078518839 +0200
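Review bot: `md = EVP_MD_CTX_new();` in `ssh_gssapi_kex_mechs` is used without a NULL check, although the `sshbuf_new()` call just before it is checked and ends in `fatal()`. Now that the digest context is heap-allocated, a failed allocation would be passed straight to the digest calls; I would write `if ((md = EVP_MD_CTX_new()) == NULL) fatal("%s: EVP_MD_CTX_new failed", __func__);`. The allocation itself comes from the gss-genr.c hunk of the gsskex patch, where the return values of `EVP_DigestInit`, `EVP_DigestUpdate` and `EVP_DigestFinal` are also ignored, so the same point applies there. The function body starts and ends outside the visible lines.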

File diff suppressed because it is too large Load Diff


@ -20,8 +20,8 @@ index ca75cc7..6e7de31 100644
+#if defined(__NR_flock) && defined(__s390__)
+ SC_ALLOW(__NR_flock),
+#endif
#ifdef __NR_geteuid
SC_ALLOW(__NR_geteuid),
#ifdef __NR_futex
SC_ALLOW(__NR_futex),
#endif
@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR_gettimeofday


@ -2048,12 +2048,12 @@ diff -up openssh-7.6p1/sshd.c.audit openssh-7.6p1/sshd.c
+ fp = sshkey_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX);
+ else
+ fp = NULL;
if ((r = sshkey_demote(sensitive_data.host_keys[i],
&tmp)) != 0)
fatal("could not demote host %s key: %s",
sshkey_type(sensitive_data.host_keys[i]),
ssh_err(r));
sshkey_free(sensitive_data.host_keys[i]);
if ((r = sshkey_from_private(
sensitive_data.host_keys[i], &tmp)) != 0)
fatal("could not demote host %s key: %s",
sshkey_type(sensitive_data.host_keys[i]),
ssh_err(r));
sshkey_free(sensitive_data.host_keys[i]);
sensitive_data.host_keys[i] = tmp;
+ if (fp != NULL) {
+#ifdef SSH_AUDIT_EVENTS
@ -2126,7 +2126,7 @@ diff -up openssh-7.6p1/sshd.c.audit openssh-7.6p1/sshd.c
diff -up openssh-7.6p1/sshkey.c.audit openssh-7.6p1/sshkey.c
--- openssh-7.6p1/sshkey.c.audit 2017-10-04 17:18:32.758504660 +0200
+++ openssh-7.6p1/sshkey.c 2017-10-04 17:18:32.839505074 +0200
@@ -295,6 +295,32 @@ sshkey_type_is_valid_ca(int type)
@@ -295,6 +295,38 @@ sshkey_type_is_valid_ca(int type)
}
int
@ -2135,11 +2135,17 @@ diff -up openssh-7.6p1/sshkey.c.audit openssh-7.6p1/sshkey.c
+ switch (k->type) {
+#ifdef WITH_OPENSSL
+ case KEY_RSA_CERT:
+ case KEY_RSA:
+ return k->rsa->d != NULL;
+ case KEY_RSA: {
+ const BIGNUM *d;
+ RSA_get0_key(k->rsa, NULL, NULL, &d);
+ return d != NULL;
+ }
+ case KEY_DSA_CERT:
+ case KEY_DSA:
+ return k->dsa->priv_key != NULL;
+ case KEY_DSA: {
+ const BIGNUM *priv_key;
+ DSA_get0_key(k->dsa, NULL, &priv_key);
+ return priv_key != NULL;
+ }
+#ifdef OPENSSL_HAS_ECC
+ case KEY_ECDSA_CERT:
+ case KEY_ECDSA:


@ -1,6 +1,6 @@
diff -up openssh-7.6p1/ssh-pkcs11-client.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11-client.c
--- openssh-7.6p1/ssh-pkcs11-client.c.pkcs11-ecdsa 2018-02-16 13:25:59.426469253 +0100
+++ openssh-7.6p1/ssh-pkcs11-client.c 2018-02-16 13:25:59.428469265 +0100
diff -up openssh/ssh-pkcs11-client.c.pkcs11-ecdsa openssh/ssh-pkcs11-client.c
--- openssh/ssh-pkcs11-client.c.pkcs11-ecdsa 2018-10-12 14:05:55.020656974 +0200
+++ openssh/ssh-pkcs11-client.c 2018-10-12 14:05:55.023656999 +0200
@@ -31,6 +31,15 @@
#include <errno.h>
@ -15,9 +15,9 @@ diff -up openssh-7.6p1/ssh-pkcs11-client.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11
+#endif
+#endif
#include "pathnames.h"
#include "xmalloc.h"
@@ -139,9 +147,9 @@ pkcs11_rsa_private_encrypt(int flen, con
#include "openbsd-compat/openssl-compat.h"
@@ -155,9 +164,9 @@ pkcs11_rsa_private_encrypt(int flen, con
return (ret);
}
@ -27,9 +27,9 @@ diff -up openssh-7.6p1/ssh-pkcs11-client.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11
-wrap_key(RSA *rsa)
+wrap_rsa_key(RSA *rsa)
{
static RSA_METHOD helper_rsa;
static RSA_METHOD *helper_rsa;
@@ -152,6 +160,88 @@ wrap_key(RSA *rsa)
@@ -170,6 +179,88 @@ wrap_key(RSA *rsa)
return (0);
}
@ -118,7 +118,7 @@ diff -up openssh-7.6p1/ssh-pkcs11-client.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11
static int
pkcs11_start_helper(void)
{
@@ -212,7 +281,15 @@ pkcs11_add_provider(char *name, char *pi
@@ -238,7 +329,15 @@ pkcs11_add_provider(char *name, char *pi
__func__, ssh_err(r));
if ((r = sshkey_from_blob(blob, blen, &k)) != 0)
fatal("%s: bad key: %s", __func__, ssh_err(r));
@ -135,11 +135,11 @@ diff -up openssh-7.6p1/ssh-pkcs11-client.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11
(*keysp)[i] = k;
free(blob);
}
diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
--- openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa 2018-02-16 13:25:59.427469259 +0100
+++ openssh-7.6p1/ssh-pkcs11.c 2018-02-16 13:44:51.270554797 +0100
@@ -32,6 +32,16 @@
#include "openbsd-compat/sys-queue.h"
diff -up openssh/ssh-pkcs11.c.pkcs11-ecdsa openssh/ssh-pkcs11.c
--- openssh/ssh-pkcs11.c.pkcs11-ecdsa 2018-10-12 14:05:55.021656982 +0200
+++ openssh/ssh-pkcs11.c 2018-10-12 14:11:54.292636679 +0200
@@ -33,6 +33,16 @@
#include "openbsd-compat/openssl-compat.h"
#include <openssl/x509.h>
+#include <openssl/rsa.h>
@ -155,15 +155,15 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
#define CRYPTOKI_COMPAT
#include "pkcs11.h"
@@ -67,6 +76,7 @@ TAILQ_HEAD(, pkcs11_provider) pkcs11_pro
@@ -74,6 +84,7 @@ TAILQ_HEAD(, pkcs11_provider) pkcs11_pro
struct pkcs11_key {
struct pkcs11_provider *provider;
CK_ULONG slotidx;
+ CK_ULONG key_type;
int (*orig_finish)(RSA *rsa);
RSA_METHOD rsa_method;
RSA_METHOD *rsa_method;
char *keyid;
@@ -75,6 +85,9 @@ struct pkcs11_key {
@@ -82,6 +93,9 @@ struct pkcs11_key {
};
int pkcs11_interactive = 0;
@ -173,7 +173,7 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
/*
* This can't be in the ssh-pkcs11-uri, becase we can not depend on
@@ -289,6 +302,40 @@ pkcs11_find(struct pkcs11_provider *p, C
@@ -345,6 +359,40 @@ pkcs11_find(struct pkcs11_provider *p, C
return (ret);
}
@ -214,7 +214,7 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
/* openssl callback doing the actual signing operation */
static int
pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
@@ -310,7 +357,6 @@ pkcs11_rsa_private_encrypt(int flen, con
@@ -366,7 +414,6 @@ pkcs11_rsa_private_encrypt(int flen, con
{CKA_ID, NULL, 0},
{CKA_SIGN, NULL, sizeof(true_val) }
};
@ -222,7 +222,7 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
int rval = -1;
key_filter[0].pValue = &private_key_class;
@@ -326,33 +372,8 @@ pkcs11_rsa_private_encrypt(int flen, con
@@ -383,33 +430,8 @@ pkcs11_rsa_private_encrypt(int flen, con
}
f = k11->provider->module->function_list;
si = &k11->provider->module->slotinfo[k11->slotidx];
@ -258,7 +258,7 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
}
key_filter[1].pValue = k11->keyid;
key_filter[1].ulValueLen = k11->keyid_len;
@@ -390,6 +411,7 @@ pkcs11_rsa_wrap(struct pkcs11_provider *
@@ -447,6 +469,7 @@ pkcs11_rsa_wrap(struct pkcs11_provider *
const RSA_METHOD *def = RSA_get_default_method();
k11 = xcalloc(1, sizeof(*k11));
@ -266,7 +266,7 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
k11->provider = provider;
provider->refcount++; /* provider referenced by RSA key */
k11->slotidx = slotidx;
@@ -415,6 +437,184 @@ pkcs11_rsa_wrap(struct pkcs11_provider *
@@ -477,6 +500,184 @@ pkcs11_rsa_wrap(struct pkcs11_provider *
return (0);
}
@ -451,7 +451,7 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
/* remove trailing spaces */
static void
rmspace(u_char *buf, size_t len)
@@ -482,11 +646,13 @@ static int
@@ -544,11 +745,13 @@ static int
pkcs11_fetch_keys(struct pkcs11_provider *p, CK_ULONG slotidx,
struct sshkey ***keysp, int *nkeys, struct pkcs11_uri *uri)
{
@ -466,7 +466,7 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
{ CKA_ID, NULL, 0 },
{ CKA_LABEL, NULL, 0 }
};
@@ -507,29 +673,60 @@ pkcs11_fetch_keys(struct pkcs11_provider
@@ -569,29 +772,60 @@ pkcs11_fetch_keys(struct pkcs11_provider
{ CKA_SUBJECT, NULL, 0 },
{ CKA_VALUE, NULL, 0 }
};
@ -533,9 +533,12 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
cert_attribs, keysp, nkeys) < 0)
return (-1);
return (0);
@@ -553,6 +746,11 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
@@ -624,8 +858,13 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
CK_ATTRIBUTE filter[], size_t filter_size, CK_ATTRIBUTE attribs[4],
struct sshkey ***keysp, int *nkeys)
{
struct sshkey *key;
- struct sshkey *key;
+ struct sshkey *key = NULL;
RSA *rsa;
+#ifdef ENABLE_PKCS11_ECDSA
+ EC_KEY *ecdsa;
@ -545,7 +548,7 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
X509 *x509;
EVP_PKEY *evp = NULL;
int i;
@@ -608,6 +806,9 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
@@ -678,6 +917,9 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
* or ID, label, subject and value for certificates.
*/
rsa = NULL;
@ -555,9 +558,9 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
if ((rv = f->C_GetAttributeValue(session, obj, attribs, nattribs))
!= CKR_OK) {
error("C_GetAttributeValue failed: %lu", rv);
@@ -620,6 +821,45 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
rsa->e = BN_bin2bn(attribs[3].pValue,
attribs[3].ulValueLen, NULL);
@@ -700,6 +942,45 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
BN_free(rsa_n);
BN_free(rsa_e);
}
+#ifdef ENABLE_PKCS11_ECDSA
+ } else if (attribs[2].type == CKA_EC_PARAMS ) {
@ -601,43 +604,61 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
} else {
cp = attribs[3].pValue;
if ((x509 = X509_new()) == NULL) {
@@ -639,13 +879,28 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
@@ -707,13 +988,28 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
} else if (d2i_X509(&x509, &cp, attribs[3].ulValueLen)
== NULL) {
error("d2i_X509 failed");
- } else if ((evp = X509_get_pubkey(x509)) == NULL ||
- EVP_PKEY_base_id(evp) != EVP_PKEY_RSA ||
- EVP_PKEY_get0_RSA(evp) == NULL) {
- debug("X509_get_pubkey failed or no rsa");
- } else if ((rsa = RSAPublicKey_dup(
- EVP_PKEY_get0_RSA(evp))) == NULL) {
- error("RSAPublicKey_dup");
+ } else if ((evp = X509_get_pubkey(x509)) == NULL) {
+ debug("X509_get_pubkey failed");
+ } else {
+ switch (EVP_PKEY_base_id(evp)) {
+ case EVP_PKEY_RSA:
+ if (EVP_PKEY_get0_RSA(evp) == NULL)
+ debug("Missing RSA key");
+ else if ((rsa = RSAPublicKey_dup(
+ EVP_PKEY_get0_RSA(evp))) == NULL)
+ error("RSAPublicKey_dup failed");
+ break;
+ case EVP_PKEY_EC:
+ if (EVP_PKEY_get0_EC_KEY(evp) == NULL)
+ debug("Missing ECDSA key");
+ else if ((ecdsa = EC_KEY_dup(
+ EVP_PKEY_get0_EC_KEY(evp))) == NULL)
+ error("EC_KEY_dup failed");
+ break;
+ default:
+ debug("not a RSA or ECDSA key");
+ break;
+ }
}
X509_free(x509);
EVP_PKEY_free(evp);
}
- if (rsa && rsa->n && rsa->e &&
- pkcs11_rsa_wrap(p, slotidx, &attribs[0], &attribs[1], rsa) == 0) {
- if ((key = sshkey_new(KEY_UNSPEC)) == NULL)
- fatal("sshkey_new failed");
- key->rsa = rsa;
- key->type = KEY_RSA;
- key->flags |= SSHKEY_FLAG_EXT;
+ key = NULL;
+ if (rsa || ecdsa) {
+ if (rsa && rsa->n && rsa->e &&
+ pkcs11_rsa_wrap(p, slotidx, &attribs[0], &attribs[1], rsa) == 0) {
+ if ((key = sshkey_new(KEY_UNSPEC)) == NULL)
+ fatal("sshkey_new failed");
+ key->rsa = rsa;
+ key->type = KEY_RSA;
+ key->flags |= SSHKEY_FLAG_EXT;
@@ -725,6 +1021,17 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
key->rsa = rsa;
key->type = KEY_RSA;
key->flags |= SSHKEY_FLAG_EXT;
+#ifdef ENABLE_PKCS11_ECDSA
+ } else if(ecdsa && pkcs11_ecdsa_wrap(p, slotidx, &attribs[0], &attribs[1], ecdsa) == 0) {
+ if ((key = sshkey_new(KEY_UNSPEC)) == NULL)
+ fatal("sshkey_new failed");
+ key->ecdsa = ecdsa;
+ key->ecdsa_nid = sshkey_ecdsa_key_to_nid(ecdsa);
+ key->type = KEY_ECDSA;
+ key->flags |= SSHKEY_FLAG_EXT;
+ } else if (ecdsa &&
+ pkcs11_ecdsa_wrap(p, slotidx, &attribs[0], &attribs[1], ecdsa) == 0) {
+ if ((key = sshkey_new(KEY_UNSPEC)) == NULL)
+ fatal("sshkey_new failed");
+ key->ecdsa = ecdsa;
+ key->type = KEY_ECDSA;
+ key->flags |= SSHKEY_FLAG_EXT;
+#endif /* ENABLE_PKCS11_ECDSA */
+ }
+ }
+
+ if(key) {
+ if (key) {
if (pkcs11_key_included(keysp, nkeys, key)) {
sshkey_free(key);
} else {
@@ -658,6 +913,10 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
@@ -737,6 +1044,10 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
}
} else if (rsa) {
RSA_free(rsa);
@ -648,9 +669,9 @@ diff -up openssh-7.6p1/ssh-pkcs11.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.c
}
for (i = 0; i < nattribs; i++)
free(attribs[i].pValue);
diff -up openssh-7.6p1/ssh-pkcs11-helper.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11-helper.c
--- openssh-7.6p1/ssh-pkcs11-helper.c.pkcs11-ecdsa 2017-10-02 21:34:26.000000000 +0200
+++ openssh-7.6p1/ssh-pkcs11-helper.c 2018-02-16 13:25:59.428469265 +0100
diff -up openssh/ssh-pkcs11-helper.c.pkcs11-ecdsa openssh/ssh-pkcs11-helper.c
--- openssh/ssh-pkcs11-helper.c.pkcs11-ecdsa 2018-10-11 02:56:36.000000000 +0200
+++ openssh/ssh-pkcs11-helper.c 2018-10-12 14:05:55.023656999 +0200
@@ -24,6 +24,17 @@
#include "openbsd-compat/sys-queue.h"
@ -669,7 +690,7 @@ diff -up openssh-7.6p1/ssh-pkcs11-helper.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11
#include <stdarg.h>
#include <string.h>
#include <unistd.h>
@@ -80,7 +90,7 @@ del_keys_by_name(char *name)
@@ -77,7 +88,7 @@ del_keys_by_name(char *name)
if (!strcmp(ki->providername, name)) {
TAILQ_REMOVE(&pkcs11_keylist, ki, next);
free(ki->providername);
@ -678,7 +699,7 @@ diff -up openssh-7.6p1/ssh-pkcs11-helper.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11
free(ki);
}
}
@@ -164,6 +174,20 @@ process_del(void)
@@ -172,6 +183,20 @@ process_del(void)
sshbuf_free(msg);
}
@ -699,7 +720,7 @@ diff -up openssh-7.6p1/ssh-pkcs11-helper.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11
static void
process_sign(void)
{
@@ -180,14 +204,38 @@ process_sign(void)
@@ -192,14 +217,38 @@ process_sign(void)
else {
if ((found = lookup_key(key)) != NULL) {
#ifdef WITH_OPENSSL
@ -746,9 +767,9 @@ diff -up openssh-7.6p1/ssh-pkcs11-helper.c.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11
}
#endif /* WITH_OPENSSL */
}
diff -up openssh-7.6p1/ssh-pkcs11.h.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.h
--- openssh-7.6p1/ssh-pkcs11.h.pkcs11-ecdsa 2018-02-16 13:25:59.429469272 +0100
+++ openssh-7.6p1/ssh-pkcs11.h 2018-02-16 13:45:29.623800048 +0100
diff -up openssh/ssh-pkcs11.h.pkcs11-ecdsa openssh/ssh-pkcs11.h
--- openssh/ssh-pkcs11.h.pkcs11-ecdsa 2018-10-12 14:05:55.021656982 +0200
+++ openssh/ssh-pkcs11.h 2018-10-12 14:05:55.023656999 +0200
@@ -20,6 +20,7 @@
int pkcs11_init(int);
void pkcs11_terminate(void);
@ -757,45 +778,3 @@ diff -up openssh-7.6p1/ssh-pkcs11.h.pkcs11-ecdsa openssh-7.6p1/ssh-pkcs11.h
int pkcs11_add_provider_by_uri(struct pkcs11_uri *, char *, struct sshkey ***);
int pkcs11_del_provider(char *);
int pkcs11_uri_write(const struct sshkey *, FILE *);
diff -up openssh-7.6p1/ssh-pkcs11.c.old openssh-7.6p1/ssh-pkcs11.c
--- openssh-7.6p1/ssh-pkcs11.c.old 2018-02-16 16:43:08.861520255 +0100
+++ openssh-7.6p1/ssh-pkcs11.c 2018-02-16 16:56:35.312601451 +0100
@@ -917,13 +917,28 @@ pkcs11_fetch_keys_filter(struct pkcs11_p
} else if (d2i_X509(&x509, &cp, attribs[3].ulValueLen)
== NULL) {
error("d2i_X509 failed");
- } else if ((evp = X509_get_pubkey(x509)) == NULL ||
- evp->type != EVP_PKEY_RSA ||
- evp->pkey.rsa == NULL) {
- debug("X509_get_pubkey failed or no rsa");
- } else if ((rsa = RSAPublicKey_dup(evp->pkey.rsa))
- == NULL) {
- error("RSAPublicKey_dup");
+ } else if ((evp = X509_get_pubkey(x509)) == NULL) {
+ debug("X509_get_pubkey failed");
+ } else {
+ switch (evp->type) {
+ case EVP_PKEY_RSA:
+ if (evp->pkey.rsa == NULL)
+ debug("Missing RSA key");
+ else if ((rsa = RSAPublicKey_dup(
+ evp->pkey.rsa)) == NULL)
+ error("RSAPublicKey_dup failed");
+ break;
+ case EVP_PKEY_EC:
+ if (evp->pkey.ecdsa == NULL)
+ debug("Missing ECDSA key");
+ else if ((ecdsa = EC_KEY_dup(
+ evp->pkey.ecdsa)) == NULL)
+ error("EC_KEY_dup failed");
+ break;
+ default:
+ debug("not a RSA or ECDSA key");
+ break;
+ }
}
X509_free(x509);
EVP_PKEY_free(evp);
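Review bot: The ECDSA branch of `pkcs11_fetch_keys_filter` is printed twice in the `@@ -725,6 +1021,17 @@` hunk, and only the first copy contains `key->ecdsa_nid = sshkey_ecdsa_key_to_nid(ecdsa);`. The page does not mark which copy is the rebased one; if it is the second, the key is handed back with `key->ecdsa` and `key->type = KEY_ECDSA` set but without the curve identifier filled in, and the line should be restored after `key->ecdsa = ecdsa;`. A short comment on that branch stating that ownership of `ecdsa` moves into `key` would also help, because the later `} else if (rsa) { RSA_free(rsa);` cleanup only runs when no key was built and the matching ECDSA cleanup is outside the visible lines.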

File diff suppressed because it is too large Load Diff


@ -102,12 +102,14 @@ diff -up openssh-7.7p1/dh.h.fips openssh-7.7p1/dh.h
diff -up openssh-7.7p1/entropy.c.fips openssh-7.7p1/entropy.c
--- openssh-7.7p1/entropy.c.fips 2018-08-08 10:08:40.698718928 +0200
+++ openssh-7.7p1/entropy.c 2018-08-08 10:08:40.822719973 +0200
@@ -217,6 +217,9 @@ seed_rng(void)
@@ -217,6 +217,11 @@ seed_rng(void)
fatal("OpenSSL version mismatch. Built against %lx, you "
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
+ /* clean the PRNG status when exiting the program */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ atexit(RAND_cleanup);
+#endif
+
#ifndef OPENSSL_PRNG_ONLY
if (RAND_status() == 1) {
@ -377,16 +379,16 @@ diff -up openssh-7.7p1/myproposal.h.fips openssh-7.7p1/myproposal.h
+ "hmac-sha1"
+#endif
+
#else /* WITH_OPENSSL */
#define KEX_SERVER_KEX \
/* Not a KEX value, but here so all the algorithm defaults are together */
#define SSH_ALLOWED_CA_SIGALGS \
"ecdsa-sha2-nistp256," \
diff -up openssh-7.7p1/readconf.c.fips openssh-7.7p1/readconf.c
--- openssh-7.7p1/readconf.c.fips 2018-08-08 10:08:40.769719527 +0200
+++ openssh-7.7p1/readconf.c 2018-08-08 10:08:40.824719990 +0200
@@ -2081,17 +2081,18 @@ fill_default_options(Options * options)
all_mac = mac_alg_list(',');
@@ -2081,18 +2081,19 @@ fill_default_options(Options * options)
all_kex = kex_alg_list(',');
all_key = sshkey_alg_list(0, 0, 1, ',');
all_sig = sshkey_alg_list(0, 1, 1, ',');
-#define ASSEMBLE(what, defaults, all) \
+#define ASSEMBLE(what, defaults, fips_defaults, all) \
do { \
@ -401,11 +403,13 @@ diff -up openssh-7.7p1/readconf.c.fips openssh-7.7p1/readconf.c
- ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, all_kex);
- ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
- ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
- ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
+ ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
+ ASSEMBLE(macs, KEX_SERVER_MAC, KEX_FIPS_MAC, all_mac);
+ ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
+ ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
+ ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
+ ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig);
#undef ASSEMBLE
free(all_cipher);
free(all_mac);
@ -425,10 +429,10 @@ diff -up openssh-7.7p1/sandbox-seccomp-filter.c.fips openssh-7.7p1/sandbox-secco
diff -up openssh-7.7p1/servconf.c.fips openssh-7.7p1/servconf.c
--- openssh-7.7p1/servconf.c.fips 2018-08-08 10:08:40.778719603 +0200
+++ openssh-7.7p1/servconf.c 2018-08-08 10:08:40.824719990 +0200
@@ -196,17 +196,18 @@ option_clear_or_none(const char *o)
all_mac = mac_alg_list(',');
@@ -196,18 +196,19 @@ option_clear_or_none(const char *o)
all_kex = kex_alg_list(',');
all_key = sshkey_alg_list(0, 0, 1, ',');
all_sig = sshkey_alg_list(0, 1, 1, ',');
-#define ASSEMBLE(what, defaults, all) \
+#define ASSEMBLE(what, defaults, fips_defaults, all) \
do { \
@ -443,12 +447,14 @@ diff -up openssh-7.7p1/servconf.c.fips openssh-7.7p1/servconf.c
- ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, all_key);
- ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, all_key);
- ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, all_key);
- ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, all_sig);
+ ASSEMBLE(ciphers, KEX_SERVER_ENCRYPT, KEX_FIPS_ENCRYPT, all_cipher);
+ ASSEMBLE(macs, KEX_SERVER_MAC, KEX_FIPS_MAC, all_mac);
+ ASSEMBLE(kex_algorithms, KEX_SERVER_KEX, KEX_DEFAULT_KEX_FIPS, all_kex);
+ ASSEMBLE(hostkeyalgorithms, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
+ ASSEMBLE(hostbased_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
+ ASSEMBLE(pubkey_key_types, KEX_DEFAULT_PK_ALG, KEX_FIPS_PK_ALG, all_key);
+ ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig);
#undef ASSEMBLE
free(all_cipher);
free(all_mac);
@ -464,11 +470,13 @@ diff -up openssh-7.7p1/ssh.c.fips openssh-7.7p1/ssh.c
#include "openbsd-compat/openssl-compat.h"
#include "openbsd-compat/sys-queue.h"
@@ -579,6 +581,14 @@ main(int ac, char **av)
@@ -579,6 +581,16 @@ main(int ac, char **av)
sanitise_stdfd();
__progname = ssh_get_progname(av[0]);
+ SSLeay_add_all_algorithms();
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ SSLeay_add_all_algorithms();
+#endif
+ if (access("/etc/system-fips", F_OK) == 0)
+ if (! FIPSCHECK_verify(NULL, NULL)){
+ if (FIPS_mode())
@ -605,7 +613,7 @@ diff -up openssh-7.7p1/sshd.c.fips openssh-7.7p1/sshd.c
#endif
__progname = ssh_get_progname(av[0]);
+ SSLeay_add_all_algorithms();
+ OpenSSL_add_all_algorithms();
+ if (access("/etc/system-fips", F_OK) == 0)
+ if (! FIPSCHECK_verify(NULL, NULL)) {
+ openlog(__progname, LOG_PID, LOG_AUTHPRIV);
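Review bot: The new `ASSEMBLE(ca_sign_algorithms, SSH_ALLOWED_CA_SIGALGS, KEX_FIPS_PK_ALG, all_sig);` line in readconf.c, and its twin in servconf.c, takes the FIPS default for CA signature algorithms from the public-key algorithm list. `KEX_FIPS_PK_ALG` is defined outside the visible hunks, so it is not possible to tell from here whether every name in it is a signature algorithm present in `all_sig` (built by `sshkey_alg_list(0, 1, 1, ',')`), or whether it admits a CA signature algorithm the FIPS policy should exclude. A FIPS-specific CA signature list next to `SSH_ALLOWED_CA_SIGALGS` in myproposal.h, or at least a comment such as `/* FIPS: CA signature algorithms follow the FIPS public-key list */`, would make the intent reviewable. Separately, ssh.c now wraps `SSLeay_add_all_algorithms()` in `#if OPENSSL_VERSION_NUMBER < 0x10100000L` while sshd.c calls `OpenSSL_add_all_algorithms()` unconditionally; both entry points should use the same form.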


@ -188,7 +188,7 @@ diff -up openssh/configure.ac.gsskex openssh/configure.ac
diff -up openssh/gss-genr.c.gsskex openssh/gss-genr.c
--- openssh/gss-genr.c.gsskex 2018-08-20 07:57:29.000000000 +0200
+++ openssh/gss-genr.c 2018-08-22 13:18:47.444383602 +0200
@@ -35,18 +35,177 @@
@@ -35,18 +35,179 @@
#include <string.h>
#include <signal.h>
#include <unistd.h>
@ -256,7 +256,7 @@ diff -up openssh/gss-genr.c.gsskex openssh/gss-genr.c
+ u_char digest[EVP_MAX_MD_SIZE];
+ char deroid[2];
+ const EVP_MD *evp_md = EVP_md5();
+ EVP_MD_CTX md;
+ EVP_MD_CTX *md;
+
+ if (gss_enc2oid != NULL) {
+ for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
@ -270,6 +270,7 @@ diff -up openssh/gss-genr.c.gsskex openssh/gss-genr.c
+ if ((buf = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__);
+
+ md = EVP_MD_CTX_new();
+ oidpos = 0;
+ for (i = 0; i < gss_supported->count; i++) {
+ if (gss_supported->elements[i].length < 128 &&
@ -278,12 +279,12 @@ diff -up openssh/gss-genr.c.gsskex openssh/gss-genr.c
+ deroid[0] = SSH_GSS_OIDTYPE;
+ deroid[1] = gss_supported->elements[i].length;
+
+ EVP_DigestInit(&md, evp_md);
+ EVP_DigestUpdate(&md, deroid, 2);
+ EVP_DigestUpdate(&md,
+ EVP_DigestInit(md, evp_md);
+ EVP_DigestUpdate(md, deroid, 2);
+ EVP_DigestUpdate(md,
+ gss_supported->elements[i].elements,
+ gss_supported->elements[i].length);
+ EVP_DigestFinal(&md, digest, NULL);
+ EVP_DigestFinal(md, digest, NULL);
+
+ encoded = xmalloc(EVP_MD_size(evp_md) * 2);
+ enclen = __b64_ntop(digest, EVP_MD_size(evp_md),
@ -311,6 +312,7 @@ diff -up openssh/gss-genr.c.gsskex openssh/gss-genr.c
+ oidpos++;
+ }
+ }
+ EVP_MD_CTX_free(md);
+ gss_enc2oid[oidpos].oid = NULL;
+ gss_enc2oid[oidpos].encoded = NULL;
+
@ -988,7 +990,7 @@ diff -up openssh/kex.c.gsskex openssh/kex.c
diff -up openssh/kexgssc.c.gsskex openssh/kexgssc.c
--- openssh/kexgssc.c.gsskex 2018-08-22 11:47:33.311216457 +0200
+++ openssh/kexgssc.c 2018-08-22 11:47:33.311216457 +0200
@@ -0,0 +1,338 @@
@@ -0,0 +1,341 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
+ *
@ -1049,6 +1051,7 @@ diff -up openssh/kexgssc.c.gsskex openssh/kexgssc.c
+ BIGNUM *shared_secret = NULL;
+ BIGNUM *p = NULL;
+ BIGNUM *g = NULL;
+ const BIGNUM *pub_key, *p1, *g1;
+ u_char *kbuf;
+ u_char *serverhostkey = NULL;
+ u_char *empty = "";
@ -1110,8 +1113,9 @@ diff -up openssh/kexgssc.c.gsskex openssh/kexgssc.c
+ fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type);
+ }
+
+ /* Step 1 - e is dh->pub_key */
+ /* Step 1 - e is pub_key */
+ dh_gen_key(dh, ssh->kex->we_need * 8);
+ DH_get0_key(dh, &pub_key, NULL);
+
+ /* This is f, we initialise it now to make life easier */
+ dh_server_pub = BN_new();
@ -1159,7 +1163,7 @@ diff -up openssh/kexgssc.c.gsskex openssh/kexgssc.c
+ packet_start(SSH2_MSG_KEXGSS_INIT);
+ packet_put_string(send_tok.value,
+ send_tok.length);
+ packet_put_bignum2(dh->pub_key);
+ packet_put_bignum2((BIGNUM *)pub_key);
+ first = 0;
+ } else {
+ packet_start(SSH2_MSG_KEXGSS_CONTINUE);
@ -1266,13 +1270,14 @@ diff -up openssh/kexgssc.c.gsskex openssh/kexgssc.c
+ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
+ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
+ (serverhostkey ? serverhostkey : empty), slen,
+ dh->pub_key, /* e */
+ pub_key, /* e */
+ dh_server_pub, /* f */
+ shared_secret, /* K */
+ hash, &hashlen
+ );
+ break;
+ case KEX_GSS_GEX_SHA1:
+ DH_get0_pqg(dh, &p1, NULL, &g1);
+ kexgex_hash(
+ ssh->kex->hash_alg,
+ ssh->kex->client_version_string,
@ -1281,8 +1286,8 @@ diff -up openssh/kexgssc.c.gsskex openssh/kexgssc.c
+ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
+ (serverhostkey ? serverhostkey : empty), slen,
+ min, nbits, max,
+ dh->p, dh->g,
+ dh->pub_key,
+ p, g,
+ pub_key,
+ dh_server_pub,
+ shared_secret,
+ hash, &hashlen
@ -1330,7 +1335,7 @@ diff -up openssh/kexgssc.c.gsskex openssh/kexgssc.c
diff -up openssh/kexgsss.c.gsskex openssh/kexgsss.c
--- openssh/kexgsss.c.gsskex 2018-08-22 11:47:33.311216457 +0200
+++ openssh/kexgsss.c 2018-08-22 11:47:33.311216457 +0200
@@ -0,0 +1,297 @@
@@ -0,0 +1,300 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
+ *
@ -1410,6 +1415,7 @@ diff -up openssh/kexgsss.c.gsskex openssh/kexgsss.c
+ char *mechs;
+ u_char hash[SSH_DIGEST_MAX_LENGTH];
+ size_t hashlen;
+ const BIGNUM *p, *g, *pub_key;
+
+ /* Initialise GSSAPI */
+
@ -1455,9 +1461,10 @@ diff -up openssh/kexgsss.c.gsskex openssh/kexgsss.c
+ if (dh == NULL)
+ packet_disconnect("Protocol error: no matching group found");
+
+ DH_get0_pqg(dh, &p, NULL, &g);
+ packet_start(SSH2_MSG_KEXGSS_GROUP);
+ packet_put_bignum2(dh->p);
+ packet_put_bignum2(dh->g);
+ packet_put_bignum2((BIGNUM *)p);
+ packet_put_bignum2((BIGNUM *)g);
+ packet_send();
+
+ packet_write_wait();
@ -1549,6 +1556,7 @@ diff -up openssh/kexgsss.c.gsskex openssh/kexgsss.c
+ memset(kbuf, 0, klen);
+ free(kbuf);
+
+ DH_get0_key(dh, &pub_key, NULL);
+ hashlen = sizeof(hash);
+ switch (ssh->kex->kex_type) {
+ case KEX_GSS_GRP1_SHA1:
@ -1558,7 +1566,7 @@ diff -up openssh/kexgsss.c.gsskex openssh/kexgsss.c
+ sshbuf_ptr(ssh->kex->peer), sshbuf_len(ssh->kex->peer),
+ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
+ NULL, 0, /* Change this if we start sending host keys */
+ dh_client_pub, dh->pub_key, shared_secret,
+ dh_client_pub, pub_key, shared_secret,
+ hash, &hashlen
+ );
+ break;
@ -1570,9 +1578,9 @@ diff -up openssh/kexgsss.c.gsskex openssh/kexgsss.c
+ sshbuf_ptr(ssh->kex->my), sshbuf_len(ssh->kex->my),
+ NULL, 0,
+ cmin, nbits, cmax,
+ dh->p, dh->g,
+ p, g,
+ dh_client_pub,
+ dh->pub_key,
+ pub_key,
+ shared_secret,
+ hash, &hashlen
+ );
@ -1596,7 +1604,7 @@ diff -up openssh/kexgsss.c.gsskex openssh/kexgsss.c
+ fatal("Couldn't get MIC");
+
+ packet_start(SSH2_MSG_KEXGSS_COMPLETE);
+ packet_put_bignum2(dh->pub_key);
+ packet_put_bignum2(pub_key);
+ packet_put_string(msg_tok.value,msg_tok.length);
+
+ if (send_tok.length != 0) {
@ -1928,7 +1936,7 @@ diff -up openssh/monitor_wrap.c.gsskex openssh/monitor_wrap.c
+
+ sshbuf_free(m);
+
+ return(major);
+ return (major);
+}
+
+int
@ -2617,16 +2625,6 @@ diff -up openssh/sshconnect2.c.gsskex openssh/sshconnect2.c
diff -up openssh/sshd.c.gsskex openssh/sshd.c
--- openssh/sshd.c.gsskex 2018-08-22 11:47:33.299216360 +0200
+++ openssh/sshd.c 2018-08-22 13:34:28.455975954 +0200
@@ -537,8 +537,7 @@ privsep_preauth_child(void)
#ifdef GSSAPI
/* Cache supported mechanism OIDs for later use */
- if (options.gss_authentication)
- ssh_gssapi_prepare_supported_oids();
+ ssh_gssapi_prepare_supported_oids();
#endif
reseed_prngs();
@@ -887,8 +887,9 @@ notify_hostkeys(struct ssh *ssh)
}
debug3("%s: sent %u hostkeys", __func__, nkeys);


@ -65,10 +65,10 @@
%endif
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%global openssh_ver 7.8p1
%global openssh_rel 3
%global openssh_ver 7.9p1
%global openssh_rel 1
%global pam_ssh_agent_ver 0.10.3
%global pam_ssh_agent_rel 5
%global pam_ssh_agent_rel 6
Summary: An open source implementation of SSH protocol version 2
Name: openssh
@ -100,8 +100,6 @@ Patch100: openssh-6.7p1-coverity.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1894
#https://bugzilla.redhat.com/show_bug.cgi?id=735889
#Patch102: openssh-5.8p1-getaddrinfo.patch
# OpenSSL 1.1.0 compatibility
Patch104: openssh-7.3p1-openssl-1.1.0.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402
# https://bugzilla.redhat.com/show_bug.cgi?id=1171248
@ -451,7 +449,6 @@ popd
%patch700 -p1 -b .fips
%patch100 -p1 -b .coverity
%patch104 -p1 -b .openssl
%if 0
# Nothing here yet
@ -568,7 +565,10 @@ popd
%if %{pam_ssh_agent}
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
LDFLAGS="$SAVE_LDFLAGS"
%configure --with-selinux --libexecdir=/%{_libdir}/security --with-mantype=man
%configure --with-selinux \
--libexecdir=/%{_libdir}/security \
--with-mantype=man \
--without-openssl-header-check `# The check is broken`
make
popd
%endif
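Review bot: `--without-openssl-header-check` is added to the pam_ssh_agent_auth `%configure` call with only `# The check is broken` as its explanation. That check is what catches a build against OpenSSL headers that do not match the linked library, so disabling it needs a traceable reason: what fails, where it is tracked, and when the flag can be removed. I would replace the inline backtick comment with a spec comment above `%configure`, for example `# configure's OpenSSL header/library version check fails with <reason>; drop this flag once <tracker reference> is fixed`.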


@ -1,4 +1,4 @@
SHA512 (openssh-7.8p1.tar.gz) = 8e5b0c8682a9243e4e8b7c374ec989dccd1a752eb6f84e593b67141e8b23dcc8b9a7322b1f7525d18e2ce8830a767d0d9793f997486339db201a57986b910705
SHA512 (openssh-7.8p1.tar.gz.asc) = 3a7bef84df3c07aa78965a11a6bbd6ca6e5d1e9265ac08871b3e5d304646be651b74f5302a195e86a56e6a83b19d79292e5599c9a9cf6f003a513d4354e8ad2f
SHA512 (openssh-7.9p1.tar.gz) = 0412c9c429c9287f0794023951469c8e6ec833cdb55821bfa0300dd90d0879ff60484f620cffd93372641ab69bf0b032c2d700ccc680950892725fb631b7708e
SHA512 (openssh-7.9p1.tar.gz.asc) = 881db1b541813136fabd9adb9f5430c4f0fae372c06c99cb049feb8526a573275fe80c129c89511dd4e65f73f41e29364fefaaf8b7c78835224691c488d5da32
SHA512 (DJM-GPG-KEY.gpg) = db1191ed9b6495999e05eed2ef863fb5179bdb63e94850f192dad68eed8579836f88fbcfffd9f28524fe1457aff8cd248ee3e0afc112c8f609b99a34b80ecc0d
SHA512 (pam_ssh_agent_auth-0.10.3.tar.bz2) = d75062c4e46b0b011f46aed9704a99049995fea8b5115ff7ee26dad7e93cbcf54a8af7efc6b521109d77dc03c6f5284574d2e1b84c6829cec25610f24fb4bd66