Compare commits

...

17 Commits
master ... main

Author SHA1 Message Date
Dmitry Belyavskiy
ac2648baae pam_auth version bump 2021-04-30 17:06:28 +02:00
Dmitry Belyavskiy
f0f3114095 pam_auth version bump 2021-04-30 16:57:20 +02:00
Dmitry Belyavskiy
df26987d52 Fixes from RHEL 8.5.0 2021-04-29 16:37:35 +02:00
Dmitry Belyavskiy
f32b842272 OpenSSH release update
Resolves: rhbz#1950819
8.5p1 => 8.6p1
2021-04-29 16:37:35 +02:00
Dmitry Belyavskiy
446f300da0 Remove all the coverity warnings 2021-03-26 12:55:57 +01:00
Dmitry Belyavskiy
a2e7f72c3c Fix coverity issues for openssh (#1938831) 2021-03-25 10:53:25 +01:00
Rex Dieter
44aae310bd create userunit dir before installing to it
*shrug*, for posterity, consider using
install -D ...
2021-03-09 09:33:17 -06:00
Rex Dieter
9979ff5307 ssh-agent.serivce is user unit (#1761817#27) 2021-03-09 09:19:14 -06:00
Rex Dieter
5f230a4999 -clients: provide ssh-agent.service (#1761817) 2021-03-04 15:10:26 +01:00
Jakub Jelen
25c16c68f5 openssh-8.5p1-1 + 0.10.4-2 2021-03-03 11:08:52 +01:00
Zbigniew Jędrzejewski-Szmek
6e1851c5ba Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
2021-03-02 16:13:10 +01:00
Fedora Release Engineering
7347a74385 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2021-01-26 22:36:09 +00:00
Jakub Jelen
ab05c4fa21 8.4p1-5 + 0.10.4-1 (forgotten version bump) 2021-01-22 17:35:02 +01:00
Jakub Jelen
106b283ba5 8.4p1-5 + 0.10.4-1 2021-01-22 12:58:02 +01:00
Timothée Ravier
a886069993 Use /usr/share/empty.ssh instead of /var/empty/sshd
This has the following advantages:
  * Removes a dependency on a directory stored in /var
  * /usr is mounted read only on ostree based systems (CoreOS, Silverblue)

This also removes the tmpfiles config.

Edit Jakub Jelen: Removed the version bump from PR

https://src.fedoraproject.org/rpms/openssh/pull-request/14
2021-01-22 12:57:36 +01:00
Jakub Jelen
1a45c5da8d Remove openssh-cavs subpackage as it is no longer needed and broken anyway
The CAVS drivers were used for FIPS certification when OpenSSH used to
be a FIPS module. This is no longer the case and these leftovers
were left in place until they work. This is no longer the case either
so lets get rid of 1000 lines of patches.
2021-01-22 12:50:51 +01:00
Jakub Jelen
ee6f0fcc0a Accept empty labels (#1919007) 2021-01-22 12:22:08 +01:00
36 changed files with 2920 additions and 3589 deletions

5
.gitignore vendored
View File

@ -45,3 +45,8 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
/openssh-8.4p1.tar.gz /openssh-8.4p1.tar.gz
/openssh-8.4p1.tar.gz.asc /openssh-8.4p1.tar.gz.asc
/pam_ssh_agent_auth-0.10.4.tar.gz /pam_ssh_agent_auth-0.10.4.tar.gz
/openssh-8.5p1.tar.gz
/openssh-8.5p1.tar.gz.asc
/gpgkey-736060BA.gpg
/openssh-8.6p1.tar.gz
/openssh-8.6p1.tar.gz.asc

View File

@ -1,12 +1,11 @@
diff -up openssh-7.4p1/contrib/gnome-ssh-askpass2.c.grab-info openssh-7.4p1/contrib/gnome-ssh-askpass2.c diff -up openssh-8.6p1/contrib/gnome-ssh-askpass2.c.grab-info openssh-8.6p1/contrib/gnome-ssh-askpass2.c
--- openssh-7.4p1/contrib/gnome-ssh-askpass2.c.grab-info 2016-12-23 13:31:22.645213115 +0100 --- openssh-8.6p1/contrib/gnome-ssh-askpass2.c.grab-info 2021-04-19 13:57:11.720113536 +0200
+++ openssh-7.4p1/contrib/gnome-ssh-askpass2.c 2016-12-23 13:31:40.997216691 +0100 +++ openssh-8.6p1/contrib/gnome-ssh-askpass2.c 2021-04-19 13:59:29.842163204 +0200
@@ -65,9 +65,12 @@ report_failed_grab (GtkWidget *parent_wi @@ -70,8 +70,12 @@ report_failed_grab (GtkWidget *parent_wi
err = gtk_message_dialog_new(GTK_WINDOW(parent_window), 0, err = gtk_message_dialog_new(GTK_WINDOW(parent_window), 0,
GTK_MESSAGE_ERROR, GTK_MESSAGE_ERROR, GTK_BUTTONS_CLOSE,
GTK_BUTTONS_CLOSE, - "Could not grab %s. A malicious client may be eavesdropping "
- "Could not grab %s. "
- "A malicious client may be eavesdropping "
- "on your session.", what); - "on your session.", what);
+ "SSH password dialog could not grab the %s input.\n" + "SSH password dialog could not grab the %s input.\n"
+ "This might be caused by application such as screensaver, " + "This might be caused by application such as screensaver, "

View File

@ -1,19 +1,19 @@
diff -up openssh-7.4p1/log.c.log-in-chroot openssh-7.4p1/log.c diff -up openssh-8.6p1/log.c.log-in-chroot openssh-8.6p1/log.c
--- openssh-7.4p1/log.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100 --- openssh-8.6p1/log.c.log-in-chroot 2021-04-16 05:55:25.000000000 +0200
+++ openssh-7.4p1/log.c 2016-12-23 15:14:33.330168088 +0100 +++ openssh-8.6p1/log.c 2021-04-19 14:43:08.544843434 +0200
@@ -250,6 +250,11 @@ debug3(const char *fmt,...) @@ -194,6 +194,11 @@ void
void log_init(const char *av0, LogLevel level, SyslogFacility facility,
log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr) int on_stderr)
{ {
+ log_init_handler(av0, level, facility, on_stderr, 1); + log_init_handler(av0, level, facility, on_stderr, 1);
+} +}
+ +
+void +void
+log_init_handler(char *av0, LogLevel level, SyslogFacility facility, int on_stderr, int reset_handler) { +log_init_handler(const char *av0, LogLevel level, SyslogFacility facility, int on_stderr, int reset_handler) {
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
struct syslog_data sdata = SYSLOG_DATA_INIT; struct syslog_data sdata = SYSLOG_DATA_INIT;
#endif #endif
@@ -273,8 +278,10 @@ log_init(char *av0, LogLevel level, Sysl @@ -206,8 +211,10 @@ log_init(const char *av0, LogLevel level
exit(1); exit(1);
} }
@ -26,21 +26,21 @@ diff -up openssh-7.4p1/log.c.log-in-chroot openssh-7.4p1/log.c
log_on_stderr = on_stderr; log_on_stderr = on_stderr;
if (on_stderr) if (on_stderr)
diff -up openssh-7.4p1/log.h.log-in-chroot openssh-7.4p1/log.h diff -up openssh-8.6p1/log.h.log-in-chroot openssh-8.6p1/log.h
--- openssh-7.4p1/log.h.log-in-chroot 2016-12-19 05:59:41.000000000 +0100 --- openssh-8.6p1/log.h.log-in-chroot 2021-04-19 14:43:08.544843434 +0200
+++ openssh-7.4p1/log.h 2016-12-23 15:14:33.330168088 +0100 +++ openssh-8.6p1/log.h 2021-04-19 14:56:46.931042176 +0200
@@ -49,6 +49,7 @@ typedef enum { @@ -52,6 +52,7 @@ typedef enum {
typedef void (log_handler_fn)(LogLevel, const char *, void *); typedef void (log_handler_fn)(LogLevel, int, const char *, void *);
void log_init(char *, LogLevel, SyslogFacility, int); void log_init(const char *, LogLevel, SyslogFacility, int);
+void log_init_handler(char *, LogLevel, SyslogFacility, int, int); +void log_init_handler(const char *, LogLevel, SyslogFacility, int, int);
LogLevel log_level_get(void); LogLevel log_level_get(void);
int log_change_level(LogLevel); int log_change_level(LogLevel);
int log_is_on_stderr(void); int log_is_on_stderr(void);
diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c diff -up openssh-8.6p1/monitor.c.log-in-chroot openssh-8.6p1/monitor.c
--- openssh-7.4p1/monitor.c.log-in-chroot 2016-12-23 15:14:33.311168085 +0100 --- openssh-8.6p1/monitor.c.log-in-chroot 2021-04-19 14:43:08.526843298 +0200
+++ openssh-7.4p1/monitor.c 2016-12-23 15:16:42.154193100 +0100 +++ openssh-8.6p1/monitor.c 2021-04-19 14:55:25.286424043 +0200
@@ -307,6 +307,8 @@ monitor_child_preauth(Authctxt *_authctx @@ -297,6 +297,8 @@ monitor_child_preauth(struct ssh *ssh, s
close(pmonitor->m_log_sendfd); close(pmonitor->m_log_sendfd);
pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1; pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1;
@ -49,7 +49,7 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
authctxt = (Authctxt *)ssh->authctxt; authctxt = (Authctxt *)ssh->authctxt;
memset(authctxt, 0, sizeof(*authctxt)); memset(authctxt, 0, sizeof(*authctxt));
ssh->authctxt = authctxt; ssh->authctxt = authctxt;
@@ -405,6 +407,8 @@ monitor_child_postauth(struct monitor *p @@ -408,6 +410,8 @@ monitor_child_postauth(struct ssh *ssh,
close(pmonitor->m_recvfd); close(pmonitor->m_recvfd);
pmonitor->m_recvfd = -1; pmonitor->m_recvfd = -1;
@ -58,16 +58,16 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
monitor_set_child_handler(pmonitor->m_pid); monitor_set_child_handler(pmonitor->m_pid);
ssh_signal(SIGHUP, &monitor_child_handler); ssh_signal(SIGHUP, &monitor_child_handler);
ssh_signal(SIGTERM, &monitor_child_handler); ssh_signal(SIGTERM, &monitor_child_handler);
@@ -472,7 +476,7 @@ monitor_read_log(struct monitor *pmonito @@ -480,7 +484,7 @@ monitor_read_log(struct monitor *pmonito
/* Log it */
if (log_level_name(level) == NULL) if (log_level_name(level) == NULL)
fatal("%s: invalid log level %u (corrupted message?)", fatal_f("invalid log level %u (corrupted message?)", level);
__func__, level); - sshlogdirect(level, forced, "%s [preauth]", msg);
- do_log2(level, "%s [preauth]", msg); + sshlogdirect(level, forced, "%s [%s]", msg, pmonitor->m_state);
+ do_log2(level, "%s [%s]", msg, pmonitor->m_state);
sshbuf_free(logmsg); sshbuf_free(logmsg);
free(msg); free(msg);
@@ -1719,13 +1723,28 @@ monitor_init(void) @@ -1868,13 +1872,28 @@ monitor_init(void)
mon = xcalloc(1, sizeof(*mon)); mon = xcalloc(1, sizeof(*mon));
monitor_openfds(mon, 1); monitor_openfds(mon, 1);
@ -89,7 +89,7 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
+ xasprintf(&dev_log_path, "%s/dev/log", chroot_dir); + xasprintf(&dev_log_path, "%s/dev/log", chroot_dir);
+ +
+ if (stat(dev_log_path, &dev_log_stat) != 0) { + if (stat(dev_log_path, &dev_log_stat) != 0) {
+ debug("%s: /dev/log doesn't exist in %s chroot - will try to log via monitor using [postauth] suffix", __func__, chroot_dir); + debug_f("/dev/log doesn't exist in %s chroot - will try to log via monitor using [postauth] suffix", chroot_dir);
+ do_logfds = 1; + do_logfds = 1;
+ } + }
+ free(dev_log_path); + free(dev_log_path);
@ -98,10 +98,10 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
} }
#ifdef GSSAPI #ifdef GSSAPI
diff -up openssh-7.4p1/monitor.h.log-in-chroot openssh-7.4p1/monitor.h diff -up openssh-8.6p1/monitor.h.log-in-chroot openssh-8.6p1/monitor.h
--- openssh-7.4p1/monitor.h.log-in-chroot 2016-12-23 15:14:33.330168088 +0100 --- openssh-8.6p1/monitor.h.log-in-chroot 2021-04-19 14:43:08.527843305 +0200
+++ openssh-7.4p1/monitor.h 2016-12-23 15:16:28.372190424 +0100 +++ openssh-8.6p1/monitor.h 2021-04-19 14:43:08.545843441 +0200
@@ -83,10 +83,11 @@ struct monitor { @@ -80,10 +80,11 @@ struct monitor {
int m_log_sendfd; int m_log_sendfd;
struct kex **m_pkex; struct kex **m_pkex;
pid_t m_pid; pid_t m_pid;
@ -114,9 +114,9 @@ diff -up openssh-7.4p1/monitor.h.log-in-chroot openssh-7.4p1/monitor.h
struct Authctxt; struct Authctxt;
void monitor_child_preauth(struct ssh *, struct monitor *); void monitor_child_preauth(struct ssh *, struct monitor *);
diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c diff -up openssh-8.6p1/session.c.log-in-chroot openssh-8.6p1/session.c
--- openssh-7.4p1/session.c.log-in-chroot 2016-12-23 15:14:33.319168086 +0100 --- openssh-8.6p1/session.c.log-in-chroot 2021-04-19 14:43:08.534843358 +0200
+++ openssh-7.4p1/session.c 2016-12-23 15:18:18.742211853 +0100 +++ openssh-8.6p1/session.c 2021-04-19 14:43:08.545843441 +0200
@@ -160,6 +160,7 @@ login_cap_t *lc; @@ -160,6 +160,7 @@ login_cap_t *lc;
static int is_child = 0; static int is_child = 0;
@ -125,7 +125,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
/* File containing userauth info, if ExposeAuthInfo set */ /* File containing userauth info, if ExposeAuthInfo set */
static char *auth_info_file = NULL; static char *auth_info_file = NULL;
@@ -619,6 +620,7 @@ do_exec(Session *s, const char *command) @@ -661,6 +662,7 @@ do_exec(struct ssh *ssh, Session *s, con
int ret; int ret;
const char *forced = NULL, *tty = NULL; const char *forced = NULL, *tty = NULL;
char session_type[1024]; char session_type[1024];
@ -133,7 +133,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
if (options.adm_forced_command) { if (options.adm_forced_command) {
original_command = command; original_command = command;
@@ -676,6 +678,10 @@ do_exec(Session *s, const char *command) @@ -720,6 +722,10 @@ do_exec(struct ssh *ssh, Session *s, con
tty += 5; tty += 5;
} }
@ -144,7 +144,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
verbose("Starting session: %s%s%s for %s from %.200s port %d id %d", verbose("Starting session: %s%s%s for %s from %.200s port %d id %d",
session_type, session_type,
tty == NULL ? "" : " on ", tty == NULL ? "" : " on ",
@@ -1486,14 +1492,6 @@ child_close_fds(void) @@ -1524,14 +1530,6 @@ child_close_fds(struct ssh *ssh)
/* Stop directing logs to a high-numbered fd before we close it */ /* Stop directing logs to a high-numbered fd before we close it */
log_redirect_stderr_to(NULL); log_redirect_stderr_to(NULL);
@ -159,7 +159,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
} }
/* /*
@@ -1629,8 +1627,6 @@ do_child(Session *s, const char *command @@ -1665,8 +1663,6 @@ do_child(struct ssh *ssh, Session *s, co
exit(1); exit(1);
} }
@ -168,7 +168,7 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
do_rc_files(ssh, s, shell); do_rc_files(ssh, s, shell);
/* restore SIGPIPE for child */ /* restore SIGPIPE for child */
@@ -1653,9 +1649,17 @@ do_child(Session *s, const char *command @@ -1691,9 +1687,17 @@ do_child(struct ssh *ssh, Session *s, co
argv[i] = NULL; argv[i] = NULL;
optind = optreset = 1; optind = optreset = 1;
__progname = argv[0]; __progname = argv[0];
@ -187,9 +187,9 @@ diff -up openssh-7.4p1/session.c.log-in-chroot openssh-7.4p1/session.c
fflush(NULL); fflush(NULL);
/* Get the last component of the shell name. */ /* Get the last component of the shell name. */
diff -up openssh-7.4p1/sftp.h.log-in-chroot openssh-7.4p1/sftp.h diff -up openssh-8.6p1/sftp.h.log-in-chroot openssh-8.6p1/sftp.h
--- openssh-7.4p1/sftp.h.log-in-chroot 2016-12-19 05:59:41.000000000 +0100 --- openssh-8.6p1/sftp.h.log-in-chroot 2021-04-16 05:55:25.000000000 +0200
+++ openssh-7.4p1/sftp.h 2016-12-23 15:14:33.331168088 +0100 +++ openssh-8.6p1/sftp.h 2021-04-19 14:43:08.545843441 +0200
@@ -97,5 +97,5 @@ @@ -97,5 +97,5 @@
struct passwd; struct passwd;
@ -197,10 +197,10 @@ diff -up openssh-7.4p1/sftp.h.log-in-chroot openssh-7.4p1/sftp.h
-int sftp_server_main(int, char **, struct passwd *); -int sftp_server_main(int, char **, struct passwd *);
+int sftp_server_main(int, char **, struct passwd *, int); +int sftp_server_main(int, char **, struct passwd *, int);
void sftp_server_cleanup_exit(int) __attribute__((noreturn)); void sftp_server_cleanup_exit(int) __attribute__((noreturn));
diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c diff -up openssh-8.6p1/sftp-server.c.log-in-chroot openssh-8.6p1/sftp-server.c
--- openssh-7.4p1/sftp-server.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100 --- openssh-8.6p1/sftp-server.c.log-in-chroot 2021-04-16 05:55:25.000000000 +0200
+++ openssh-7.4p1/sftp-server.c 2016-12-23 15:14:33.331168088 +0100 +++ openssh-8.6p1/sftp-server.c 2021-04-19 14:43:08.545843441 +0200
@@ -1497,7 +1497,7 @@ sftp_server_usage(void) @@ -1644,7 +1644,7 @@ sftp_server_usage(void)
} }
int int
@ -209,7 +209,7 @@ diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
{ {
fd_set *rset, *wset; fd_set *rset, *wset;
int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0; int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0;
@@ -1511,7 +1511,7 @@ sftp_server_main(int argc, char **argv, @@ -1657,7 +1657,7 @@ sftp_server_main(int argc, char **argv,
extern char *__progname; extern char *__progname;
__progname = ssh_get_progname(argv[0]); __progname = ssh_get_progname(argv[0]);
@ -218,7 +218,7 @@ diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
pw = pwcopy(user_pw); pw = pwcopy(user_pw);
@@ -1582,7 +1582,7 @@ sftp_server_main(int argc, char **argv, @@ -1730,7 +1730,7 @@ sftp_server_main(int argc, char **argv,
} }
} }
@ -227,20 +227,20 @@ diff -up openssh-7.4p1/sftp-server.c.log-in-chroot openssh-7.4p1/sftp-server.c
/* /*
* On platforms where we can, avoid making /proc/self/{mem,maps} * On platforms where we can, avoid making /proc/self/{mem,maps}
diff -up openssh-7.4p1/sftp-server-main.c.log-in-chroot openssh-7.4p1/sftp-server-main.c diff -up openssh-8.6p1/sftp-server-main.c.log-in-chroot openssh-8.6p1/sftp-server-main.c
--- openssh-7.4p1/sftp-server-main.c.log-in-chroot 2016-12-19 05:59:41.000000000 +0100 --- openssh-8.6p1/sftp-server-main.c.log-in-chroot 2021-04-16 05:55:25.000000000 +0200
+++ openssh-7.4p1/sftp-server-main.c 2016-12-23 15:14:33.331168088 +0100 +++ openssh-8.6p1/sftp-server-main.c 2021-04-19 14:43:08.545843441 +0200
@@ -49,5 +49,5 @@ main(int argc, char **argv) @@ -50,5 +50,5 @@ main(int argc, char **argv)
return 1; return 1;
} }
- return (sftp_server_main(argc, argv, user_pw)); - return (sftp_server_main(argc, argv, user_pw));
+ return (sftp_server_main(argc, argv, user_pw, 0)); + return (sftp_server_main(argc, argv, user_pw, 0));
} }
diff -up openssh-7.4p1/sshd.c.log-in-chroot openssh-7.4p1/sshd.c diff -up openssh-8.6p1/sshd.c.log-in-chroot openssh-8.6p1/sshd.c
--- openssh-7.4p1/sshd.c.log-in-chroot 2016-12-23 15:14:33.328168088 +0100 --- openssh-8.6p1/sshd.c.log-in-chroot 2021-04-19 14:43:08.543843426 +0200
+++ openssh-7.4p1/sshd.c 2016-12-23 15:14:33.332168088 +0100 +++ openssh-8.6p1/sshd.c 2021-04-19 14:43:08.545843441 +0200
@@ -650,7 +650,7 @@ privsep_postauth(Authctxt *authctxt) @@ -559,7 +559,7 @@ privsep_postauth(struct ssh *ssh, Authct
} }
/* New socket pair */ /* New socket pair */
@ -249,7 +249,7 @@ diff -up openssh-7.4p1/sshd.c.log-in-chroot openssh-7.4p1/sshd.c
pmonitor->m_pid = fork(); pmonitor->m_pid = fork();
if (pmonitor->m_pid == -1) if (pmonitor->m_pid == -1)
@@ -668,6 +668,11 @@ privsep_postauth(Authctxt *authctxt) @@ -578,6 +578,11 @@ privsep_postauth(struct ssh *ssh, Authct
close(pmonitor->m_sendfd); close(pmonitor->m_sendfd);
pmonitor->m_sendfd = -1; pmonitor->m_sendfd = -1;

View File

@ -34,19 +34,19 @@ index 8f32464..18a2ca4 100644
+ +
+ contexts_path = selinux_openssh_contexts_path(); + contexts_path = selinux_openssh_contexts_path();
+ if (contexts_path == NULL) { + if (contexts_path == NULL) {
+ debug3("%s: Failed to get the path to SELinux context", __func__); + debug3_f("Failed to get the path to SELinux context");
+ return; + return;
+ } + }
+ +
+ if ((contexts_file = fopen(contexts_path, "r")) == NULL) { + if ((contexts_file = fopen(contexts_path, "r")) == NULL) {
+ debug("%s: Failed to open SELinux context file", __func__); + debug_f("Failed to open SELinux context file");
+ return; + return;
+ } + }
+ +
+ if (fstat(fileno(contexts_file), &sb) != 0 || + if (fstat(fileno(contexts_file), &sb) != 0 ||
+ sb.st_uid != 0 || (sb.st_mode & 022) != 0) { + sb.st_uid != 0 || (sb.st_mode & 022) != 0) {
+ logit("%s: SELinux context file needs to be owned by root" + logit_f("SELinux context file needs to be owned by root"
+ " and not writable by anyone else", __func__); + " and not writable by anyone else");
+ fclose(contexts_file); + fclose(contexts_file);
+ return; + return;
+ } + }
@ -70,7 +70,7 @@ index 8f32464..18a2ca4 100644
+ if (arg && strcmp(arg, "privsep_preauth") == 0) { + if (arg && strcmp(arg, "privsep_preauth") == 0) {
+ arg = strdelim(&cp); + arg = strdelim(&cp);
+ if (!arg || *arg == '\0') { + if (!arg || *arg == '\0') {
+ debug("%s: privsep_preauth is empty", __func__); + debug_f("privsep_preauth is empty");
+ fclose(contexts_file); + fclose(contexts_file);
+ return; + return;
+ } + }
@ -80,8 +80,8 @@ index 8f32464..18a2ca4 100644
+ fclose(contexts_file); + fclose(contexts_file);
+ +
+ if (preauth_context == NULL) { + if (preauth_context == NULL) {
+ debug("%s: Unable to find 'privsep_preauth' option in" + debug_f("Unable to find 'privsep_preauth' option in"
+ " SELinux context file", __func__); + " SELinux context file");
+ return; + return;
+ } + }
+ +
@ -101,10 +101,11 @@ index 22ea8ef..1fc963d 100644
if ((cx = index(cx + 1, ':'))) if ((cx = index(cx + 1, ':')))
strlcat(newctx, cx, newlen); strlcat(newctx, cx, newlen);
- debug3("%s: setting context from '%s' to '%s'", __func__, - debug3("%s: setting context from '%s' to '%s'", __func__,
+ debug("%s: setting context from '%s' to '%s'", __func__, + debug_f("setting context from '%s' to '%s'",
oldctx, newctx); oldctx, newctx);
if (setcon(newctx) < 0) if (setcon(newctx) < 0)
switchlog("%s: setcon %s from %s failed with %s", __func__, do_log2(log_level, "%s: setcon %s from %s failed with %s",
__func__, newctx, oldctx, strerror(errno));
diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
index cb51f99..8b7cda2 100644 index cb51f99..8b7cda2 100644
--- a/openbsd-compat/port-linux.h --- a/openbsd-compat/port-linux.h

View File

@ -39,8 +39,8 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
options->password_authentication = 1; options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1) if (options->kbd_interactive_authentication == -1)
@@ -418,7 +421,7 @@ typedef enum { @@ -418,7 +421,7 @@ typedef enum {
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes, sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms,
sHostKeyAlgorithms, sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
- sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, - sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+ sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor, + sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,

View File

@ -1,257 +0,0 @@
diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in
--- openssh-6.8p1/Makefile.in.ctr-cavs 2015-03-18 11:22:05.493289018 +0100
+++ openssh-6.8p1/Makefile.in 2015-03-18 11:22:44.504196316 +0100
@@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_KEYCAT=$(libexecdir)/ssh-keycat
+CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
PRIVSEP_PATH=@PRIVSEP_PATH@
@@ -66,7 +67,7 @@ EXEEXT=@EXEEXT@
.SUFFIXES: .lo
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
XMSS_OBJS=\
ssh-xmss.o \
@@ -194,6 +195,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
$(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS)
+ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
+ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -326,6 +330,7 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
--- openssh-6.8p1/ctr-cavstest.c.ctr-cavs 2015-03-18 11:22:05.521288952 +0100
+++ openssh-6.8p1/ctr-cavstest.c 2015-03-18 11:22:05.521288952 +0100
@@ -0,0 +1,215 @@
+/*
+ *
+ * invocation (all of the following are equal):
+ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6
+ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 --iv 00000000000000000000000000000000
+ * echo -n a6deca405eef2e8e4609abf3c3ccf4a6 | ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt
+ */
+
+#include "includes.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+
+#include "xmalloc.h"
+#include "log.h"
+#include "ssherr.h"
+#include "cipher.h"
+
+/* compatibility with old or broken OpenSSL versions */
+#include "openbsd-compat/openssl-compat.h"
+
+void usage(void) {
+ fprintf(stderr, "Usage: ctr-cavstest --algo <ssh-crypto-algorithm>\n"
+ " --key <hexadecimal-key> --mode <encrypt|decrypt>\n"
+ " [--iv <hexadecimal-iv>] --data <hexadecimal-data>\n\n"
+ "Hexadecimal output is printed to stdout.\n"
+ "Hexadecimal input data can be alternatively read from stdin.\n");
+ exit(1);
+}
+
+void *fromhex(char *hex, size_t *len)
+{
+ unsigned char *bin;
+ char *p;
+ size_t n = 0;
+ int shift = 4;
+ unsigned char out = 0;
+ unsigned char *optr;
+
+ bin = xmalloc(strlen(hex)/2);
+ optr = bin;
+
+ for (p = hex; *p != '\0'; ++p) {
+ unsigned char c;
+
+ c = *p;
+ if (isspace(c))
+ continue;
+
+ if (c >= '0' && c <= '9') {
+ c = c - '0';
+ } else if (c >= 'A' && c <= 'F') {
+ c = c - 'A' + 10;
+ } else if (c >= 'a' && c <= 'f') {
+ c = c - 'a' + 10;
+ } else {
+ /* truncate on nonhex cipher */
+ break;
+ }
+
+ out |= c << shift;
+ shift = (shift + 4) % 8;
+
+ if (shift) {
+ *(optr++) = out;
+ out = 0;
+ ++n;
+ }
+ }
+
+ *len = n;
+ return bin;
+}
+
+#define READ_CHUNK 4096
+#define MAX_READ_SIZE 1024*1024*100
+char *read_stdin(void)
+{
+ char *buf;
+ size_t n, total = 0;
+
+ buf = xmalloc(READ_CHUNK);
+
+ do {
+ n = fread(buf + total, 1, READ_CHUNK, stdin);
+ if (n < READ_CHUNK) /* terminate on short read */
+ break;
+
+ total += n;
+ buf = xreallocarray(buf, total + READ_CHUNK, 1);
+ } while(total < MAX_READ_SIZE);
+ return buf;
+}
+
+int main (int argc, char *argv[])
+{
+
+ const struct sshcipher *c;
+ struct sshcipher_ctx *cc;
+ char *algo = "aes128-ctr";
+ char *hexkey = NULL;
+ char *hexiv = "00000000000000000000000000000000";
+ char *hexdata = NULL;
+ char *p;
+ int i, r;
+ int encrypt = 1;
+ void *key;
+ size_t keylen;
+ void *iv;
+ size_t ivlen;
+ void *data;
+ size_t datalen;
+ void *outdata;
+
+ for (i = 1; i < argc; ++i) {
+ if (strcmp(argv[i], "--algo") == 0) {
+ algo = argv[++i];
+ } else if (strcmp(argv[i], "--key") == 0) {
+ hexkey = argv[++i];
+ } else if (strcmp(argv[i], "--mode") == 0) {
+ ++i;
+ if (argv[i] == NULL) {
+ usage();
+ }
+ if (strncmp(argv[i], "enc", 3) == 0) {
+ encrypt = 1;
+ } else if (strncmp(argv[i], "dec", 3) == 0) {
+ encrypt = 0;
+ } else {
+ usage();
+ }
+ } else if (strcmp(argv[i], "--iv") == 0) {
+ hexiv = argv[++i];
+ } else if (strcmp(argv[i], "--data") == 0) {
+ hexdata = argv[++i];
+ }
+ }
+
+ if (hexkey == NULL || algo == NULL) {
+ usage();
+ }
+
+ OpenSSL_add_all_algorithms();
+
+ c = cipher_by_name(algo);
+ if (c == NULL) {
+ fprintf(stderr, "Error: unknown algorithm\n");
+ return 2;
+ }
+
+ if (hexdata == NULL) {
+ hexdata = read_stdin();
+ } else {
+ hexdata = xstrdup(hexdata);
+ }
+
+ key = fromhex(hexkey, &keylen);
+
+ if (keylen != 16 && keylen != 24 && keylen == 32) {
+ fprintf(stderr, "Error: unsupported key length\n");
+ return 2;
+ }
+
+ iv = fromhex(hexiv, &ivlen);
+
+ if (ivlen != 16) {
+ fprintf(stderr, "Error: unsupported iv length\n");
+ return 2;
+ }
+
+ data = fromhex(hexdata, &datalen);
+
+ if (data == NULL || datalen == 0) {
+ fprintf(stderr, "Error: no data to encrypt/decrypt\n");
+ return 2;
+ }
+
+ if ((r = cipher_init(&cc, c, key, keylen, iv, ivlen, encrypt)) != 0) {
+ fprintf(stderr, "Error: cipher_init failed: %s\n", ssh_err(r));
+ return 2;
+ }
+
+ free(key);
+ free(iv);
+
+ outdata = malloc(datalen);
+ if(outdata == NULL) {
+ fprintf(stderr, "Error: memory allocation failure\n");
+ return 2;
+ }
+
+ if ((r = cipher_crypt(cc, 0, outdata, data, datalen, 0, 0)) != 0) {
+ fprintf(stderr, "Error: cipher_crypt failed: %s\n", ssh_err(r));
+ return 2;
+ }
+
+ free(data);
+
+ cipher_free(cc);
+
+ for (p = outdata; datalen > 0; ++p, --datalen) {
+ printf("%02X", (unsigned char)*p);
+ }
+
+ free(outdata);
+
+ printf("\n");
+ return 0;
+}
+

View File

@ -1,10 +1,10 @@
diff -up openssh/auth.c.keycat openssh/misc.c diff -up openssh/misc.c.keycat openssh/misc.c
--- openssh/auth.c.keycat 2015-06-24 10:57:50.158849606 +0200 --- openssh/misc.c.keycat 2015-06-24 10:57:50.158849606 +0200
+++ openssh/auth.c 2015-06-24 11:04:23.989868638 +0200 +++ openssh/misc.c 2015-06-24 11:04:23.989868638 +0200
@@ -966,6 +966,14 @@ subprocess(const char *tag, struct passw @@ -966,6 +966,13 @@ subprocess(const char *tag, struct passw
error("%s: dup2: %s", tag, strerror(errno));
_exit(1); _exit(1);
} }
+#ifdef WITH_SELINUX +#ifdef WITH_SELINUX
+ if (sshd_selinux_setup_env_variables() < 0) { + if (sshd_selinux_setup_env_variables() < 0) {
+ error ("failed to copy environment: %s", + error ("failed to copy environment: %s",
@ -12,10 +12,9 @@ diff -up openssh/auth.c.keycat openssh/misc.c
+ _exit(127); + _exit(127);
+ } + }
+#endif +#endif
+ if (env != NULL)
execve(av[0], av, child_env); execve(av[0], av, env);
error("%s exec \"%s\": %s", tag, command, strerror(errno)); else
_exit(127);
diff -up openssh/HOWTO.ssh-keycat.keycat openssh/HOWTO.ssh-keycat diff -up openssh/HOWTO.ssh-keycat.keycat openssh/HOWTO.ssh-keycat
--- openssh/HOWTO.ssh-keycat.keycat 2015-06-24 10:57:50.157849608 +0200 --- openssh/HOWTO.ssh-keycat.keycat 2015-06-24 10:57:50.157849608 +0200
+++ openssh/HOWTO.ssh-keycat 2015-06-24 10:57:50.157849608 +0200 +++ openssh/HOWTO.ssh-keycat 2015-06-24 10:57:50.157849608 +0200

View File

@ -193,7 +193,7 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
options->password_authentication = 1; options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1) if (options->kbd_interactive_authentication == -1)
@@ -399,7 +402,7 @@ typedef enum { @@ -399,7 +402,7 @@ typedef enum {
sPermitRootLogin, sLogFacility, sLogLevel, sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
sRhostsRSAAuthentication, sRSAAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
- sKerberosGetAFSToken, sKerberosUniqueCCache, - sKerberosGetAFSToken, sKerberosUniqueCCache,

View File

@ -13,7 +13,7 @@ diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux openssh-
--- openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux 2016-12-23 18:58:52.973122201 +0100 --- openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux 2016-12-23 18:58:52.973122201 +0100
+++ openssh-7.4p1/openbsd-compat/port-linux-sshd.c 2016-12-23 18:58:52.974122201 +0100 +++ openssh-7.4p1/openbsd-compat/port-linux-sshd.c 2016-12-23 18:58:52.974122201 +0100
@@ -419,6 +419,28 @@ sshd_selinux_setup_exec_context(char *pw @@ -419,6 +419,28 @@ sshd_selinux_setup_exec_context(char *pw
debug3("%s: done", __func__); debug3_f("done");
} }
+void +void
@ -25,15 +25,15 @@ diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux openssh-
+ return; + return;
+ +
+ if (getexeccon((security_context_t *)&ctx) != 0) { + if (getexeccon((security_context_t *)&ctx) != 0) {
+ logit("%s: getexeccon failed with %s", __func__, strerror(errno)); + logit_f("getexeccon failed with %s", strerror(errno));
+ return; + return;
+ } + }
+ if (ctx != NULL) { + if (ctx != NULL) {
+ /* unset exec context before we will lose this capabililty */ + /* unset exec context before we will lose this capabililty */
+ if (setexeccon(NULL) != 0) + if (setexeccon(NULL) != 0)
+ fatal("%s: setexeccon failed with %s", __func__, strerror(errno)); + fatal_f("setexeccon failed with %s", strerror(errno));
+ if (setcon(ctx) != 0) + if (setcon(ctx) != 0)
+ fatal("%s: setcon failed with %s", __func__, strerror(errno)); + fatal_f("setcon failed with %s", strerror(errno));
+ freecon(ctx); + freecon(ctx);
+ } + }
+} +}

View File

@ -1,3 +1,79 @@
diff -up openssh-8.5p1/addr.c.coverity openssh-8.5p1/addr.c
--- openssh-8.5p1/addr.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/addr.c 2021-03-24 12:03:33.782968159 +0100
@@ -312,8 +312,10 @@ addr_pton(const char *p, struct xaddr *n
if (p == NULL || getaddrinfo(p, NULL, &hints, &ai) != 0)
return -1;
- if (ai == NULL || ai->ai_addr == NULL)
+ if (ai == NULL || ai->ai_addr == NULL) {
+ freeaddrinfo(ai);
return -1;
+ }
if (n != NULL && addr_sa_to_xaddr(ai->ai_addr, ai->ai_addrlen,
n) == -1) {
@@ -336,12 +338,16 @@ addr_sa_pton(const char *h, const char *
if (h == NULL || getaddrinfo(h, s, &hints, &ai) != 0)
return -1;
- if (ai == NULL || ai->ai_addr == NULL)
+ if (ai == NULL || ai->ai_addr == NULL) {
+ freeaddrinfo(ai);
return -1;
+ }
if (sa != NULL) {
- if (slen < ai->ai_addrlen)
+ if (slen < ai->ai_addrlen) {
+ freeaddrinfo(ai);
return -1;
+ }
memcpy(sa, &ai->ai_addr, ai->ai_addrlen);
}
diff -up openssh-8.5p1/auth-krb5.c.coverity openssh-8.5p1/auth-krb5.c
--- openssh-8.5p1/auth-krb5.c.coverity 2021-03-24 12:03:33.724967756 +0100
+++ openssh-8.5p1/auth-krb5.c 2021-03-24 12:03:33.782968159 +0100
@@ -426,6 +426,7 @@ ssh_krb5_cc_new_unique(krb5_context ctx,
umask(old_umask);
if (tmpfd == -1) {
logit("mkstemp(): %.100s", strerror(oerrno));
+ free(ccname);
return oerrno;
}
@@ -433,6 +434,7 @@ ssh_krb5_cc_new_unique(krb5_context ctx,
oerrno = errno;
logit("fchmod(): %.100s", strerror(oerrno));
close(tmpfd);
+ free(ccname);
return oerrno;
}
/* make sure the KRB5CCNAME is set for non-standard location */
diff -up openssh-8.5p1/auth-options.c.coverity openssh-8.5p1/auth-options.c
--- openssh-8.5p1/auth-options.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/auth-options.c 2021-03-24 12:03:33.782968159 +0100
@@ -409,8 +409,10 @@ sshauthopt_parse(const char *opts, const
errstr = "invalid environment string";
goto fail;
}
- if ((cp = strdup(opt)) == NULL)
+ if ((cp = strdup(opt)) == NULL) {
+ free(opt);
goto alloc_fail;
+ }
cp[tmp - opt] = '\0'; /* truncate at '=' */
if (!valid_env_name(cp)) {
free(cp);
@@ -706,6 +708,7 @@ serialise_array(struct sshbuf *m, char *
return r;
}
/* success */
+ sshbuf_free(b);
return 0;
}
diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c
--- openssh-7.4p1/channels.c.coverity 2016-12-23 16:40:26.881788686 +0100 --- openssh-7.4p1/channels.c.coverity 2016-12-23 16:40:26.881788686 +0100
+++ openssh-7.4p1/channels.c 2016-12-23 16:42:36.244818763 +0100 +++ openssh-7.4p1/channels.c 2016-12-23 16:42:36.244818763 +0100
@ -16,6 +92,195 @@ diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c
set_nonblock(efd); set_nonblock(efd);
} }
} }
@@ -1875,7 +1875,7 @@ channel_post_connecting(struct ssh *ssh,
debug("channel %d: connection failed: %s",
c->self, strerror(err));
/* Try next address, if any */
- if ((sock = connect_next(&c->connect_ctx)) > 0) {
+ if ((sock = connect_next(&c->connect_ctx)) >= 0) {
close(c->sock);
c->sock = c->rfd = c->wfd = sock;
channel_find_maxfd(ssh->chanctxt);
@@ -3804,7 +3804,7 @@ int
channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd)
{
int r, success = 0, idx = -1;
- char *host_to_connect, *listen_host, *listen_path;
+ char *host_to_connect = NULL, *listen_host = NULL, *listen_path = NULL;
int port_to_connect, listen_port;
/* Send the forward request to the remote side. */
@@ -3832,7 +3832,6 @@ channel_request_remote_forwarding(struct
success = 1;
if (success) {
/* Record that connection to this host/port is permitted. */
- host_to_connect = listen_host = listen_path = NULL;
port_to_connect = listen_port = 0;
if (fwd->connect_path != NULL) {
host_to_connect = xstrdup(fwd->connect_path);
@@ -3853,6 +3852,9 @@ channel_request_remote_forwarding(struct
host_to_connect, port_to_connect,
listen_host, listen_path, listen_port, NULL);
}
+ free(host_to_connect);
+ free(listen_host);
+ free(listen_path);
return idx;
}
diff -up openssh-8.5p1/compat.c.coverity openssh-8.5p1/compat.c
--- openssh-8.5p1/compat.c.coverity 2021-03-24 12:03:33.768968062 +0100
+++ openssh-8.5p1/compat.c 2021-03-24 12:03:33.783968166 +0100
@@ -191,10 +191,12 @@ compat_kex_proposal(struct ssh *ssh, cha
return p;
debug2_f("original KEX proposal: %s", p);
if ((ssh->compat & SSH_BUG_CURVE25519PAD) != 0)
+ /* coverity[overwrite_var : FALSE] */
if ((p = match_filter_denylist(p,
"curve25519-sha256@libssh.org")) == NULL)
fatal("match_filter_denylist failed");
if ((ssh->compat & SSH_OLD_DHGEX) != 0) {
+ /* coverity[overwrite_var : FALSE] */
if ((p = match_filter_denylist(p,
"diffie-hellman-group-exchange-sha256,"
"diffie-hellman-group-exchange-sha1")) == NULL)
diff -up openssh-8.5p1/dns.c.coverity openssh-8.5p1/dns.c
--- openssh-8.5p1/dns.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/dns.c 2021-03-24 12:03:33.783968166 +0100
@@ -282,6 +282,7 @@ verify_host_key_dns(const char *hostname
&hostkey_digest_len, hostkey)) {
error("Error calculating key fingerprint.");
freerrset(fingerprints);
+ free(dnskey_digest);
return -1;
}
}
diff -up openssh-8.5p1/gss-genr.c.coverity openssh-8.5p1/gss-genr.c
--- openssh-8.5p1/gss-genr.c.coverity 2021-03-26 11:52:46.613942552 +0100
+++ openssh-8.5p1/gss-genr.c 2021-03-26 11:54:37.881726318 +0100
@@ -167,8 +167,9 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
enclen = __b64_ntop(digest,
ssh_digest_bytes(SSH_DIGEST_MD5), encoded,
ssh_digest_bytes(SSH_DIGEST_MD5) * 2);
-
+#pragma GCC diagnostic ignored "-Wstringop-overflow"
cp = strncpy(s, kex, strlen(kex));
+#pragma pop
for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) {
if (sshbuf_len(buf) != 0 &&
diff -up openssh-8.5p1/kexgssc.c.coverity openssh-8.5p1/kexgssc.c
--- openssh-8.5p1/kexgssc.c.coverity 2021-03-24 12:03:33.711967665 +0100
+++ openssh-8.5p1/kexgssc.c 2021-03-24 12:03:33.783968166 +0100
@@ -98,8 +98,10 @@ kexgss_client(struct ssh *ssh)
default:
fatal_f("Unexpected KEX type %d", kex->kex_type);
}
- if (r != 0)
+ if (r != 0) {
+ ssh_gssapi_delete_ctx(&ctxt);
return r;
+ }
token_ptr = GSS_C_NO_BUFFER;
diff -up openssh-8.5p1/krl.c.coverity openssh-8.5p1/krl.c
--- openssh-8.5p1/krl.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/krl.c 2021-03-24 12:03:33.783968166 +0100
@@ -1209,6 +1209,7 @@ ssh_krl_from_blob(struct sshbuf *buf, st
sshkey_free(key);
sshbuf_free(copy);
sshbuf_free(sect);
+ /* coverity[leaked_storage : FALSE] */
return r;
}
@@ -1261,6 +1262,7 @@ is_key_revoked(struct ssh_krl *krl, cons
return r;
erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb);
free(rb.blob);
+ rb.blob = NULL; /* make coverity happy */
if (erb != NULL) {
KRL_DBG(("revoked by key SHA1"));
return SSH_ERR_KEY_REVOKED;
@@ -1271,6 +1273,7 @@ is_key_revoked(struct ssh_krl *krl, cons
return r;
erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha256s, &rb);
free(rb.blob);
+ rb.blob = NULL; /* make coverity happy */
if (erb != NULL) {
KRL_DBG(("revoked by key SHA256"));
return SSH_ERR_KEY_REVOKED;
@@ -1282,6 +1285,7 @@ is_key_revoked(struct ssh_krl *krl, cons
return r;
erb = RB_FIND(revoked_blob_tree, &krl->revoked_keys, &rb);
free(rb.blob);
+ rb.blob = NULL; /* make coverity happy */
if (erb != NULL) {
KRL_DBG(("revoked by explicit key"));
return SSH_ERR_KEY_REVOKED;
diff -up openssh-8.5p1/loginrec.c.coverity openssh-8.5p1/loginrec.c
--- openssh-8.5p1/loginrec.c.coverity 2021-03-24 13:18:53.793225885 +0100
+++ openssh-8.5p1/loginrec.c 2021-03-24 13:21:27.948404751 +0100
@@ -690,9 +690,11 @@ construct_utmp(struct logininfo *li,
*/
/* Use strncpy because we don't necessarily want null termination */
+ /* coverity[buffer_size_warning : FALSE] */
strncpy(ut->ut_name, li->username,
MIN_SIZEOF(ut->ut_name, li->username));
# ifdef HAVE_HOST_IN_UTMP
+ /* coverity[buffer_size_warning : FALSE] */
strncpy(ut->ut_host, li->hostname,
MIN_SIZEOF(ut->ut_host, li->hostname));
# endif
@@ -1690,6 +1692,7 @@ record_failed_login(struct ssh *ssh, con
memset(&ut, 0, sizeof(ut));
/* strncpy because we don't necessarily want nul termination */
+ /* coverity[buffer_size_warning : FALSE] */
strncpy(ut.ut_user, username, sizeof(ut.ut_user));
strlcpy(ut.ut_line, "ssh:notty", sizeof(ut.ut_line));
@@ -1699,6 +1702,7 @@ record_failed_login(struct ssh *ssh, con
ut.ut_pid = getpid();
/* strncpy because we don't necessarily want nul termination */
+ /* coverity[buffer_size_warning : FALSE] */
strncpy(ut.ut_host, hostname, sizeof(ut.ut_host));
if (ssh_packet_connection_is_on_socket(ssh) &&
diff -up openssh-8.5p1/misc.c.coverity openssh-8.5p1/misc.c
--- openssh-8.5p1/misc.c.coverity 2021-03-24 12:03:33.745967902 +0100
+++ openssh-8.5p1/misc.c 2021-03-24 13:31:47.037079617 +0100
@@ -1425,6 +1425,8 @@ sanitise_stdfd(void)
}
if (nullfd > STDERR_FILENO)
close(nullfd);
+ /* coverity[leaked_handle : FALSE]*/
+ /* coverity[leaked_handle : FALSE]*/
}
char *
@@ -2511,6 +2513,7 @@ stdfd_devnull(int do_stdin, int do_stdou
}
if (devnull > STDERR_FILENO)
close(devnull);
+ /* coverity[leaked_handle : FALSE]*/
return ret;
}
diff -up openssh-8.5p1/moduli.c.coverity openssh-8.5p1/moduli.c
--- openssh-8.5p1/moduli.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/moduli.c 2021-03-24 12:03:33.784968173 +0100
@@ -476,6 +476,7 @@ write_checkpoint(char *cpfile, u_int32_t
else
logit("failed to write to checkpoint file '%s': %s", cpfile,
strerror(errno));
+ /* coverity[leaked_storage : FALSE] */
}
static unsigned long
diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c
--- openssh-7.4p1/monitor.c.coverity 2016-12-23 16:40:26.888788688 +0100 --- openssh-7.4p1/monitor.c.coverity 2016-12-23 16:40:26.888788688 +0100
+++ openssh-7.4p1/monitor.c 2016-12-23 16:40:26.900788691 +0100 +++ openssh-7.4p1/monitor.c 2016-12-23 16:40:26.900788691 +0100
@ -28,13 +293,22 @@ diff -up openssh-7.4p1/monitor.c.coverity openssh-7.4p1/monitor.c
; ;
if (pmonitor->m_recvfd >= 0) if (pmonitor->m_recvfd >= 0)
@@ -1678,7 +1678,7 @@ mm_answer_pty(struct ssh *ssh, int sock,
s->ptymaster = s->ptyfd;
debug3_f("tty %s ptyfd %d", s->tty, s->ttyfd);
-
+ /* coverity[leaked_handle : FALSE] */
return (0);
error:
diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c
--- openssh-7.4p1/monitor_wrap.c.coverity 2016-12-23 16:40:26.892788689 +0100 --- openssh-7.4p1/monitor_wrap.c.coverity 2016-12-23 16:40:26.892788689 +0100
+++ openssh-7.4p1/monitor_wrap.c 2016-12-23 16:40:26.900788691 +0100 +++ openssh-7.4p1/monitor_wrap.c 2016-12-23 16:40:26.900788691 +0100
@@ -525,10 +525,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd, @@ -525,10 +525,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 || if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
(tmp2 = dup(pmonitor->m_recvfd)) == -1) { (tmp2 = dup(pmonitor->m_recvfd)) == -1) {
error("%s: cannot allocate fds for pty", __func__); error_f("cannot allocate fds for pty");
- if (tmp1 > 0) - if (tmp1 > 0)
+ if (tmp1 >= 0) + if (tmp1 >= 0)
close(tmp1); close(tmp1);
@ -57,6 +331,17 @@ diff -up openssh-7.4p1/openbsd-compat/bindresvport.c.coverity openssh-7.4p1/open
int i; int i;
if (sa == NULL) { if (sa == NULL) {
diff -up openssh-8.5p1/readconf.c.coverity openssh-8.5p1/readconf.c
--- openssh-8.5p1/readconf.c.coverity 2021-03-24 12:03:33.778968131 +0100
+++ openssh-8.5p1/readconf.c 2021-03-24 12:03:33.785968180 +0100
@@ -1847,6 +1847,7 @@ parse_pubkey_algos:
} else if (r != 0) {
error("%.200s line %d: glob failed for %s.",
filename, linenum, arg2);
+ free(arg2);
return -1;
}
free(arg2);
diff -up openssh-7.4p1/scp.c.coverity openssh-7.4p1/scp.c diff -up openssh-7.4p1/scp.c.coverity openssh-7.4p1/scp.c
--- openssh-7.4p1/scp.c.coverity 2016-12-23 16:40:26.856788681 +0100 --- openssh-7.4p1/scp.c.coverity 2016-12-23 16:40:26.856788681 +0100
+++ openssh-7.4p1/scp.c 2016-12-23 16:40:26.901788691 +0100 +++ openssh-7.4p1/scp.c 2016-12-23 16:40:26.901788691 +0100
@ -120,11 +405,11 @@ diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c
- while (read(notify_pipe[0], &c, 1) != -1) - while (read(notify_pipe[0], &c, 1) != -1)
+ if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset)) + if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset))
+ while (read(notify_pipe[0], &c, 1) >= 0) + while (read(notify_pipe[0], &c, 1) >= 0)
debug2("%s: reading", __func__); debug2_f("reading");
} }
@@ -518,7 +518,7 @@ server_request_tun(void) @@ -518,7 +518,7 @@ server_request_tun(void)
debug("%s: invalid tun", __func__); debug_f("invalid tun");
goto done; goto done;
} }
- if (auth_opts->force_tun_device != -1) { - if (auth_opts->force_tun_device != -1) {
@ -132,6 +417,24 @@ diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c
if (tun != SSH_TUNID_ANY && if (tun != SSH_TUNID_ANY &&
auth_opts->force_tun_device != (int)tun) auth_opts->force_tun_device != (int)tun)
goto done; goto done;
diff -up openssh-8.5p1/session.c.coverity openssh-8.5p1/session.c
--- openssh-8.5p1/session.c.coverity 2021-03-24 12:03:33.777968124 +0100
+++ openssh-8.5p1/session.c 2021-03-24 12:03:33.786968187 +0100
@@ -1223,12 +1223,14 @@ do_setup_env(struct ssh *ssh, Session *s
/* Environment specified by admin */
for (i = 0; i < options.num_setenv; i++) {
cp = xstrdup(options.setenv[i]);
+ /* coverity[overwrite_var : FALSE] */
if ((value = strchr(cp, '=')) == NULL) {
/* shouldn't happen; vars are checked in servconf.c */
fatal("Invalid config SetEnv: %s", options.setenv[i]);
}
*value++ = '\0';
child_set_env(&env, &envsize, cp, value);
+ free(cp);
}
/* SSH_CLIENT deprecated */
diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
--- openssh-7.4p1/sftp.c.coverity 2016-12-19 05:59:41.000000000 +0100 --- openssh-7.4p1/sftp.c.coverity 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/sftp.c 2016-12-23 16:40:26.903788691 +0100 +++ openssh-7.4p1/sftp.c 2016-12-23 16:40:26.903788691 +0100
@ -144,9 +447,45 @@ diff -up openssh-7.4p1/sftp.c.coverity openssh-7.4p1/sftp.c
} }
_exit(1); _exit(1);
@@ -762,6 +762,8 @@ process_put(struct sftp_conn *conn, cons
fflag || global_fflag) == -1)
err = -1;
}
+ free(abs_dst);
+ abs_dst = NULL;
}
out:
@@ -985,6 +987,7 @@ do_globbed_ls(struct sftp_conn *conn, co
if (lflag & LS_LONG_VIEW) {
if (g.gl_statv[i] == NULL) {
error("no stat information for %s", fname);
+ free(fname);
continue;
}
lname = ls_file(fname, g.gl_statv[i], 1,
diff -up openssh-8.5p1/sk-usbhid.c.coverity openssh-8.5p1/sk-usbhid.c
--- openssh-8.5p1/sk-usbhid.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/sk-usbhid.c 2021-03-24 12:03:33.786968187 +0100
@@ -1256,6 +1256,7 @@ sk_load_resident_keys(const char *pin, s
freezero(rks[i], sizeof(*rks[i]));
}
free(rks);
+ free(device);
return ret;
}
diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
--- openssh-7.4p1/ssh-agent.c.coverity 2016-12-19 05:59:41.000000000 +0100 --- openssh-7.4p1/ssh-agent.c.coverity 2016-12-19 05:59:41.000000000 +0100
+++ openssh-7.4p1/ssh-agent.c 2016-12-23 16:40:26.903788691 +0100 +++ openssh-7.4p1/ssh-agent.c 2016-12-23 16:40:26.903788691 +0100
@@ -869,6 +869,7 @@ sanitize_pkcs11_provider(const char *pro
if (pkcs11_uri_parse(provider, uri) != 0) {
error("Failed to parse PKCS#11 URI");
+ pkcs11_uri_cleanup(uri);
return NULL;
}
/* validate also provider from URI */
@@ -1220,8 +1220,8 @@ main(int ac, char **av) @@ -1220,8 +1220,8 @@ main(int ac, char **av)
sanitise_stdfd(); sanitise_stdfd();
@ -158,6 +497,17 @@ diff -up openssh-7.4p1/ssh-agent.c.coverity openssh-7.4p1/ssh-agent.c
platform_disable_tracing(0); /* strict=no */ platform_disable_tracing(0); /* strict=no */
diff -up openssh-8.5p1/ssh.c.coverity openssh-8.5p1/ssh.c
--- openssh-8.5p1/ssh.c.coverity 2021-03-24 12:03:33.779968138 +0100
+++ openssh-8.5p1/ssh.c 2021-03-24 12:03:33.786968187 +0100
@@ -1746,6 +1746,7 @@ control_persist_detach(void)
close(muxserver_sock);
muxserver_sock = -1;
options.control_master = SSHCTL_MASTER_NO;
+ /* coverity[leaked_handle: FALSE]*/
muxclient(options.control_path);
/* muxclient() doesn't return on success. */
fatal("Failed to connect to new control master");
diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c
--- openssh-7.4p1/sshd.c.coverity 2016-12-23 16:40:26.897788690 +0100 --- openssh-7.4p1/sshd.c.coverity 2016-12-23 16:40:26.897788690 +0100
+++ openssh-7.4p1/sshd.c 2016-12-23 16:40:26.904788692 +0100 +++ openssh-7.4p1/sshd.c 2016-12-23 16:40:26.904788692 +0100
@ -183,3 +533,67 @@ diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c
} }
/* /*
@@ -2474,7 +2479,7 @@ do_ssh2_kex(struct ssh *ssh)
if (options.rekey_limit || options.rekey_interval)
ssh_packet_set_rekey_limits(ssh, options.rekey_limit,
options.rekey_interval);
-
+ /* coverity[leaked_storage : FALSE]*/
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
ssh, list_hostkey_types());
@@ -2519,8 +2524,11 @@ do_ssh2_kex(struct ssh *ssh)
if (newstr)
myproposal[PROPOSAL_KEX_ALGS] = newstr;
- else
+ else {
fatal("No supported key exchange algorithms");
+ free(gss);
+ }
+ /* coverity[leaked_storage: FALSE]*/
}
#endif
diff -up openssh-8.5p1/ssh-keygen.c.coverity openssh-8.5p1/ssh-keygen.c
--- openssh-8.5p1/ssh-keygen.c.coverity 2021-03-24 12:03:33.780968145 +0100
+++ openssh-8.5p1/ssh-keygen.c 2021-03-24 12:03:33.787968194 +0100
@@ -2332,6 +2332,9 @@ update_krl_from_file(struct passwd *pw,
r = ssh_krl_revoke_key_sha256(krl, blob, blen);
if (r != 0)
fatal_fr(r, "revoke key failed");
+ freezero(blob, blen);
+ blob = NULL;
+ blen = 0;
} else {
if (strncasecmp(cp, "key:", 4) == 0) {
cp += 4;
@@ -2879,6 +2882,7 @@ do_moduli_screen(const char *out_file, c
} else if (strncmp(opts[i], "start-line=", 11) == 0) {
start_lineno = strtoul(opts[i]+11, NULL, 10);
} else if (strncmp(opts[i], "checkpoint=", 11) == 0) {
+ free(checkpoint);
checkpoint = xstrdup(opts[i]+11);
} else if (strncmp(opts[i], "generator=", 10) == 0) {
generator_wanted = (u_int32_t)strtonum(
@@ -2920,6 +2924,9 @@ do_moduli_screen(const char *out_file, c
#else /* WITH_OPENSSL */
fatal("Moduli screening is not supported");
#endif /* WITH_OPENSSL */
+ free(checkpoint);
+ if (in != stdin)
+ fclose(in);
}
static char *
diff -up openssh-8.5p1/sshsig.c.coverity openssh-8.5p1/sshsig.c
--- openssh-8.5p1/sshsig.c.coverity 2021-03-02 11:31:47.000000000 +0100
+++ openssh-8.5p1/sshsig.c 2021-03-24 12:03:33.787968194 +0100
@@ -515,6 +515,7 @@ hash_file(int fd, const char *hashalg, s
oerrno = errno;
error_f("read: %s", strerror(errno));
ssh_digest_free(ctx);
+ ctx = NULL;
errno = oerrno;
r = SSH_ERR_SYSTEM_ERROR;
goto out;

View File

@ -1,618 +0,0 @@
diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in
--- openssh-6.8p1/Makefile.in.kdf-cavs 2015-03-18 11:23:46.346049359 +0100
+++ openssh-6.8p1/Makefile.in 2015-03-18 11:24:20.395968445 +0100
@@ -29,6 +29,7 @@ SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-h
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_KEYCAT=$(libexecdir)/ssh-keycat
CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
+SSH_CAVS=$(libexecdir)/ssh-cavs
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
PRIVSEP_PATH=@PRIVSEP_PATH@
@@ -67,7 +68,7 @@ EXEEXT=@EXEEXT@
.SUFFIXES: .lo
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
XMSS_OBJS=\
ssh-xmss.o \
@@ -198,6 +199,9 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHD
ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o $(SKOBJS)
+ $(LD) -o $@ ssh-cavs.o $(SKOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
@@ -331,6 +335,8 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-cavs$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs_driver.pl $(DESTDIR)$(libexecdir)/ssh-cavs_driver.pl
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
diff -up openssh-6.8p1/ssh-cavs.c.kdf-cavs openssh-6.8p1/ssh-cavs.c
--- openssh-6.8p1/ssh-cavs.c.kdf-cavs 2015-03-18 11:23:46.348049354 +0100
+++ openssh-6.8p1/ssh-cavs.c 2015-03-18 11:23:46.348049354 +0100
@@ -0,0 +1,387 @@
+/*
+ * Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, and the entire permission notice in its entirety,
+ * including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior
+ * written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU General Public License, in which case the provisions of the GPL2
+ * are required INSTEAD OF the above restrictions. (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
+ * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
+ * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+ * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
+ * DAMAGE.
+ */
+
+#include "includes.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <string.h>
+
+#include <openssl/bn.h>
+
+#include "xmalloc.h"
+#include "sshbuf.h"
+#include "sshkey.h"
+#include "cipher.h"
+#include "kex.h"
+#include "packet.h"
+#include "digest.h"
+
+static int bin_char(unsigned char hex)
+{
+ if (48 <= hex && 57 >= hex)
+ return (hex - 48);
+ if (65 <= hex && 70 >= hex)
+ return (hex - 55);
+ if (97 <= hex && 102 >= hex)
+ return (hex - 87);
+ return 0;
+}
+
+/*
+ * Convert hex representation into binary string
+ * @hex input buffer with hex representation
+ * @hexlen length of hex
+ * @bin output buffer with binary data
+ * @binlen length of already allocated bin buffer (should be at least
+ * half of hexlen -- if not, only a fraction of hexlen is converted)
+ */
+static void hex2bin(const char *hex, size_t hexlen,
+ unsigned char *bin, size_t binlen)
+{
+ size_t i = 0;
+ size_t chars = (binlen > (hexlen / 2)) ? (hexlen / 2) : binlen;
+
+ for (i = 0; i < chars; i++) {
+ bin[i] = bin_char(hex[(i*2)]) << 4;
+ bin[i] |= bin_char(hex[((i*2)+1)]);
+ }
+}
+
+/*
+ * Allocate sufficient space for binary representation of hex
+ * and convert hex into bin
+ *
+ * Caller must free bin
+ * @hex input buffer with hex representation
+ * @hexlen length of hex
+ * @bin return value holding the pointer to the newly allocated buffer
+ * @binlen return value holding the allocated size of bin
+ *
+ * return: 0 on success, !0 otherwise
+ */
+static int hex2bin_alloc(const char *hex, size_t hexlen,
+ unsigned char **bin, size_t *binlen)
+{
+ unsigned char *out = NULL;
+ size_t outlen = 0;
+
+ if (!hexlen)
+ return -EINVAL;
+
+ outlen = (hexlen + 1) / 2;
+
+ out = calloc(1, outlen);
+ if (!out)
+ return -errno;
+
+ hex2bin(hex, hexlen, out, outlen);
+ *bin = out;
+ *binlen = outlen;
+ return 0;
+}
+
+static char hex_char_map_l[] = { '0', '1', '2', '3', '4', '5', '6', '7',
+ '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' };
+static char hex_char_map_u[] = { '0', '1', '2', '3', '4', '5', '6', '7',
+ '8', '9', 'A', 'B', 'C', 'D', 'E', 'F' };
+static char hex_char(unsigned int bin, int u)
+{
+ if (bin < sizeof(hex_char_map_l))
+ return (u) ? hex_char_map_u[bin] : hex_char_map_l[bin];
+ return 'X';
+}
+
+/*
+ * Convert binary string into hex representation
+ * @bin input buffer with binary data
+ * @binlen length of bin
+ * @hex output buffer to store hex data
+ * @hexlen length of already allocated hex buffer (should be at least
+ * twice binlen -- if not, only a fraction of binlen is converted)
+ * @u case of hex characters (0=>lower case, 1=>upper case)
+ */
+static void bin2hex(const unsigned char *bin, size_t binlen,
+ char *hex, size_t hexlen, int u)
+{
+ size_t i = 0;
+ size_t chars = (binlen > (hexlen / 2)) ? (hexlen / 2) : binlen;
+
+ for (i = 0; i < chars; i++) {
+ hex[(i*2)] = hex_char((bin[i] >> 4), u);
+ hex[((i*2)+1)] = hex_char((bin[i] & 0x0f), u);
+ }
+}
+
+struct kdf_cavs {
+ unsigned char *K;
+ size_t Klen;
+ unsigned char *H;
+ size_t Hlen;
+ unsigned char *session_id;
+ size_t session_id_len;
+
+ unsigned int iv_len;
+ unsigned int ek_len;
+ unsigned int ik_len;
+};
+
+static int sshkdf_cavs(struct kdf_cavs *test)
+{
+ int ret = 0;
+ struct kex kex;
+ struct sshbuf *Kb = NULL;
+ BIGNUM *Kbn = NULL;
+ int mode = 0;
+ struct newkeys *ctoskeys;
+ struct newkeys *stockeys;
+ struct ssh *ssh = NULL;
+
+#define HEXOUTLEN 500
+ char hex[HEXOUTLEN];
+
+ memset(&kex, 0, sizeof(struct kex));
+
+ Kbn = BN_new();
+ BN_bin2bn(test->K, test->Klen, Kbn);
+ if (!Kbn) {
+ printf("cannot convert K into bignum\n");
+ ret = 1;
+ goto out;
+ }
+ Kb = sshbuf_new();
+ if (!Kb) {
+ printf("cannot convert K into sshbuf\n");
+ ret = 1;
+ goto out;
+ }
+ sshbuf_put_bignum2(Kb, Kbn);
+
+ kex.session_id = test->session_id;
+ kex.session_id_len = test->session_id_len;
+
+ /* setup kex */
+
+ /* select the right hash based on struct ssh_digest digests */
+ switch (test->ik_len) {
+ case 20:
+ kex.hash_alg = SSH_DIGEST_SHA1;
+ break;
+ case 32:
+ kex.hash_alg = SSH_DIGEST_SHA256;
+ break;
+ case 48:
+ kex.hash_alg = SSH_DIGEST_SHA384;
+ break;
+ case 64:
+ kex.hash_alg = SSH_DIGEST_SHA512;
+ break;
+ default:
+ printf("Wrong hash type %u\n", test->ik_len);
+ ret = 1;
+ goto out;
+ }
+
+ /* implement choose_enc */
+ for (mode = 0; mode < 2; mode++) {
+ kex.newkeys[mode] = calloc(1, sizeof(struct newkeys));
+ if (!kex.newkeys[mode]) {
+ printf("allocation of newkeys failed\n");
+ ret = 1;
+ goto out;
+ }
+ kex.newkeys[mode]->enc.iv_len = test->iv_len;
+ kex.newkeys[mode]->enc.key_len = test->ek_len;
+ kex.newkeys[mode]->enc.block_size = (test->iv_len == 64) ? 8 : 16;
+ kex.newkeys[mode]->mac.key_len = test->ik_len;
+ }
+
+ /* implement kex_choose_conf */
+ kex.we_need = kex.newkeys[0]->enc.key_len;
+ if (kex.we_need < kex.newkeys[0]->enc.block_size)
+ kex.we_need = kex.newkeys[0]->enc.block_size;
+ if (kex.we_need < kex.newkeys[0]->enc.iv_len)
+ kex.we_need = kex.newkeys[0]->enc.iv_len;
+ if (kex.we_need < kex.newkeys[0]->mac.key_len)
+ kex.we_need = kex.newkeys[0]->mac.key_len;
+
+ /* MODE_OUT (1) -> server to client
+ * MODE_IN (0) -> client to server */
+ kex.server = 1;
+
+ /* do it */
+ if ((ssh = ssh_packet_set_connection(NULL, -1, -1)) == NULL){
+ printf("Allocation error\n");
+ goto out;
+ }
+ ssh->kex = &kex;
+ kex_derive_keys(ssh, test->H, test->Hlen, Kb);
+
+ ctoskeys = kex.newkeys[0];
+ stockeys = kex.newkeys[1];
+
+ /* get data */
+ memset(hex, 0, HEXOUTLEN);
+ bin2hex(ctoskeys->enc.iv, (size_t)ctoskeys->enc.iv_len,
+ hex, HEXOUTLEN, 0);
+ printf("Initial IV (client to server) = %s\n", hex);
+ memset(hex, 0, HEXOUTLEN);
+ bin2hex(stockeys->enc.iv, (size_t)stockeys->enc.iv_len,
+ hex, HEXOUTLEN, 0);
+ printf("Initial IV (server to client) = %s\n", hex);
+
+ memset(hex, 0, HEXOUTLEN);
+ bin2hex(ctoskeys->enc.key, (size_t)ctoskeys->enc.key_len,
+ hex, HEXOUTLEN, 0);
+ printf("Encryption key (client to server) = %s\n", hex);
+ memset(hex, 0, HEXOUTLEN);
+ bin2hex(stockeys->enc.key, (size_t)stockeys->enc.key_len,
+ hex, HEXOUTLEN, 0);
+ printf("Encryption key (server to client) = %s\n", hex);
+
+ memset(hex, 0, HEXOUTLEN);
+ bin2hex(ctoskeys->mac.key, (size_t)ctoskeys->mac.key_len,
+ hex, HEXOUTLEN, 0);
+ printf("Integrity key (client to server) = %s\n", hex);
+ memset(hex, 0, HEXOUTLEN);
+ bin2hex(stockeys->mac.key, (size_t)stockeys->mac.key_len,
+ hex, HEXOUTLEN, 0);
+ printf("Integrity key (server to client) = %s\n", hex);
+
+out:
+ if (Kbn)
+ BN_free(Kbn);
+ if (Kb)
+ sshbuf_free(Kb);
+ if (ssh)
+ ssh_packet_close(ssh);
+ return ret;
+}
+
+static void usage(void)
+{
+ fprintf(stderr, "\nOpenSSH KDF CAVS Test\n\n");
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr, "\t-K\tShared secret string\n");
+ fprintf(stderr, "\t-H\tHash string\n");
+ fprintf(stderr, "\t-s\tSession ID string\n");
+ fprintf(stderr, "\t-i\tIV length to be generated\n");
+ fprintf(stderr, "\t-e\tEncryption key length to be generated\n");
+ fprintf(stderr, "\t-m\tMAC key length to be generated\n");
+}
+
+/*
+ * Test command example:
+ * ./ssh-cavs -K 0055d50f2d163cc07cd8a93cc7c3430c30ce786b572c01ad29fec7597000cf8618d664e2ec3dcbc8bb7a1a7eb7ef67f61cdaf291625da879186ac0a5cb27af571b59612d6a6e0627344d846271959fda61c78354aa498773d59762f8ca2d0215ec590d8633de921f920d41e47b3de6ab9a3d0869e1c826d0e4adebf8e3fb646a15dea20a410b44e969f4b791ed6a67f13f1b74234004d5fa5e87eff7abc32d49bbdf44d7b0107e8f10609233b7e2b7eff74a4daf25641de7553975dac6ac1e5117df6f6dbaa1c263d23a6c3e5a3d7d49ae8a828c1e333ac3f85fbbf57b5c1a45be45e43a7be1a4707eac779b8285522d1f531fe23f890fd38a004339932b93eda4 -H d3ab91a850febb417a25d892ec48ed5952c7a5de -s d3ab91a850febb417a25d892ec48ed5952c7a5de -i 8 -e 24 -m 20
+ *
+ * Initial IV (client to server) = 4bb320d1679dfd3a
+ * Initial IV (server to client) = 43dea6fdf263a308
+ * Encryption key (client to server) = 13048cc600b9d3cf9095aa6cf8e2ff9cf1c54ca0520c89ed
+ * Encryption key (server to client) = 1e483c5134e901aa11fc4e0a524e7ec7b75556148a222bb0
+ * Integrity key (client to server) = ecef63a092b0dcc585bdc757e01b2740af57d640
+ * Integrity key (server to client) = 7424b05f3c44a72b4ebd281fb71f9cbe7b64d479
+ */
+int main(int argc, char *argv[])
+{
+ struct kdf_cavs test;
+ int ret = 1;
+ int opt = 0;
+
+ memset(&test, 0, sizeof(struct kdf_cavs));
+ while((opt = getopt(argc, argv, "K:H:s:i:e:m:")) != -1)
+ {
+ size_t len = 0;
+ switch(opt)
+ {
+ /*
+ * CAVS K is MPINT
+ * we want a hex (i.e. the caller must ensure the
+ * following transformations already happened):
+ * 1. cut off first four bytes
+ * 2. if most significant bit of value is
+ * 1, prepend 0 byte
+ */
+ case 'K':
+ len = strlen(optarg);
+ ret = hex2bin_alloc(optarg, len,
+ &test.K, &test.Klen);
+ if (ret)
+ goto out;
+ break;
+ case 'H':
+ len = strlen(optarg);
+ ret = hex2bin_alloc(optarg, len,
+ &test.H, &test.Hlen);
+ if (ret)
+ goto out;
+ break;
+ case 's':
+ len = strlen(optarg);
+ ret = hex2bin_alloc(optarg, len,
+ &test.session_id,
+ &test.session_id_len);
+ if (ret)
+ goto out;
+ break;
+ case 'i':
+ test.iv_len = strtoul(optarg, NULL, 10);
+ break;
+ case 'e':
+ test.ek_len = strtoul(optarg, NULL, 10);
+ break;
+ case 'm':
+ test.ik_len = strtoul(optarg, NULL, 10);
+ break;
+ default:
+ usage();
+ goto out;
+ }
+ }
+
+ ret = sshkdf_cavs(&test);
+
+out:
+ if (test.session_id)
+ free(test.session_id);
+ if (test.K)
+ free(test.K);
+ if (test.H)
+ free(test.H);
+ return ret;
+
+}
diff -up openssh-6.8p1/ssh-cavs_driver.pl.kdf-cavs openssh-6.8p1/ssh-cavs_driver.pl
--- openssh-6.8p1/ssh-cavs_driver.pl.kdf-cavs 2015-03-18 11:23:46.348049354 +0100
+++ openssh-6.8p1/ssh-cavs_driver.pl 2015-03-18 11:23:46.348049354 +0100
@@ -0,0 +1,184 @@
+#!/usr/bin/env perl
+#
+# CAVS test driver for OpenSSH
+#
+# Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# NO WARRANTY
+#
+# BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+# FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+# OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+# PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+# OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+# TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+# PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+# REPAIR OR CORRECTION.
+#
+# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+# REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+# INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+# OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+# TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+# YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+# PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGES.
+#
+use strict;
+use warnings;
+use IPC::Open2;
+
+# Executing a program by feeding STDIN and retrieving
+# STDOUT
+# $1: data string to be piped to the app on STDIN
+# rest: program and args
+# returns: STDOUT of program as string
+sub pipe_through_program($@) {
+ my $in = shift;
+ my @args = @_;
+
+ my ($CO, $CI);
+ my $pid = open2($CO, $CI, @args);
+
+ my $out = "";
+ my $len = length($in);
+ my $first = 1;
+ while (1) {
+ my $rin = "";
+ my $win = "";
+ # Output of prog is FD that we read
+ vec($rin,fileno($CO),1) = 1;
+ # Input of prog is FD that we write
+ # check for $first is needed because we can have NULL input
+ # that is to be written to the app
+ if ( $len > 0 || $first) {
+ (vec($win,fileno($CI),1) = 1);
+ $first=0;
+ }
+ # Let us wait for 100ms
+ my $nfound = select(my $rout=$rin, my $wout=$win, undef, 0.1);
+ if ( $wout ) {
+ my $written = syswrite($CI, $in, $len);
+ die "broken pipe" if !defined $written;
+ $len -= $written;
+ substr($in, 0, $written) = "";
+ if ($len <= 0) {
+ close $CI or die "broken pipe: $!";
+ }
+ }
+ if ( $rout ) {
+ my $tmp_out = "";
+ my $bytes_read = sysread($CO, $tmp_out, 4096);
+ $out .= $tmp_out;
+ last if ($bytes_read == 0);
+ }
+ }
+ close $CO or die "broken pipe: $!";
+ waitpid $pid, 0;
+
+ return $out;
+}
+
+# Parser of CAVS test vector file
+# $1: Test vector file
+# $2: Output file for test results
+# return: nothing
+sub parse($$) {
+ my $infile = shift;
+ my $outfile = shift;
+
+ my $out = "";
+
+ my $K = "";
+ my $H = "";
+ my $session_id = "";
+ my $ivlen = 0;
+ my $eklen = "";
+ my $iklen = "";
+
+ open(IN, "<$infile");
+ while(<IN>) {
+
+ my $line = $_;
+ chomp($line);
+ $line =~ s/\r//;
+
+ if ($line =~ /\[SHA-1\]/) {
+ $iklen = 20;
+ } elsif ($line =~ /\[SHA-256\]/) {
+ $iklen = 32;
+ } elsif ($line =~ /\[SHA-384\]/) {
+ $iklen = 48;
+ } elsif ($line =~ /\[SHA-512\]/) {
+ $iklen = 64;
+ } elsif ($line =~ /^\[IV length\s*=\s*(.*)\]/) {
+ $ivlen = $1;
+ $ivlen = $ivlen / 8;
+ } elsif ($line =~ /^\[encryption key length\s*=\s*(.*)\]/) {
+ $eklen = $1;
+ $eklen = $eklen / 8;
+ } elsif ($line =~ /^K\s*=\s*(.*)/) {
+ $K = $1;
+ $K = substr($K, 8);
+ $K = "00" . $K;
+ } elsif ($line =~ /^H\s*=\s*(.*)/) {
+ $H = $1;
+ } elsif ($line =~ /^session_id\s*=\s*(.*)/) {
+ $session_id = $1;
+ }
+ $out .= $line . "\n";
+
+ if ($K ne "" && $H ne "" && $session_id ne "" &&
+ $ivlen ne "" && $eklen ne "" && $iklen > 0) {
+ $out .= pipe_through_program("", "./ssh-cavs -H $H -K $K -s $session_id -i $ivlen -e $eklen -m $iklen");
+
+ $K = "";
+ $H = "";
+ $session_id = "";
+ }
+ }
+ close IN;
+ $out =~ s/\n/\r\n/g; # make it a dos file
+ open(OUT, ">$outfile") or die "Cannot create output file $outfile: $?";
+ print OUT $out;
+ close OUT;
+}
+
+############################################################
+#
+# let us pretend to be C :-)
+sub main() {
+
+ my $infile=$ARGV[0];
+ die "Error: Test vector file $infile not found" if (! -f $infile);
+
+ my $outfile = $infile;
+ # let us add .rsp regardless whether we could strip .req
+ $outfile =~ s/\.req$//;
+ $outfile .= ".rsp";
+ if (-f $outfile) {
+ die "Output file $outfile could not be removed: $?"
+ unless unlink($outfile);
+ }
+ print STDERR "Performing tests from source file $infile with results stored in destination file $outfile\n";
+
+ # Do the job
+ parse($infile, $outfile);
+}
+
+###########################################
+# Call it
+main();
+1;

View File

@ -13,33 +13,33 @@ diff -up openssh-7.4p1/monitor_wrap.c.audit-race openssh-7.4p1/monitor_wrap.c
+ struct sshbuf *m; + struct sshbuf *m;
+ int r, ret = 0; + int r, ret = 0;
+ +
+ debug3("%s: entering", __func__); + debug3_f("entering");
+ if ((m = sshbuf_new()) == NULL) + if ((m = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__); + fatal_f("sshbuf_new failed");
+ do { + do {
+ blen = atomicio(read, fdin, buf, sizeof(buf)); + blen = atomicio(read, fdin, buf, sizeof(buf));
+ if (blen == 0) /* closed pipe */ + if (blen == 0) /* closed pipe */
+ break; + break;
+ if (blen != sizeof(buf)) { + if (blen != sizeof(buf)) {
+ error("%s: Failed to read the buffer from child", __func__); + error_f("Failed to read the buffer from child");
+ ret = -1; + ret = -1;
+ break; + break;
+ } + }
+ +
+ msg_len = get_u32(buf); + msg_len = get_u32(buf);
+ if (msg_len > 256 * 1024) + if (msg_len > 256 * 1024)
+ fatal("%s: read: bad msg_len %d", __func__, msg_len); + fatal_f("read: bad msg_len %d", msg_len);
+ sshbuf_reset(m); + sshbuf_reset(m);
+ if ((r = sshbuf_reserve(m, msg_len, NULL)) != 0) + if ((r = sshbuf_reserve(m, msg_len, NULL)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "buffer error");
+ if (atomicio(read, fdin, sshbuf_mutable_ptr(m), msg_len) != msg_len) { + if (atomicio(read, fdin, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
+ error("%s: Failed to read the the buffer content from the child", __func__); + error_f("Failed to read the the buffer content from the child");
+ ret = -1; + ret = -1;
+ break; + break;
+ } + }
+ if (atomicio(vwrite, pmonitor->m_recvfd, buf, blen) != blen || + if (atomicio(vwrite, pmonitor->m_recvfd, buf, blen) != blen ||
+ atomicio(vwrite, pmonitor->m_recvfd, sshbuf_mutable_ptr(m), msg_len) != msg_len) { + atomicio(vwrite, pmonitor->m_recvfd, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
+ error("%s: Failed to write the message to the monitor", __func__); + error_f("Failed to write the message to the monitor");
+ ret = -1; + ret = -1;
+ break; + break;
+ } + }

View File

@ -49,7 +49,7 @@ index a7c0c5f..df8cc9a 100644
+ int ret = 0; + int ret = 0;
+ +
+ ret = ssh_krb5_get_k5login_directory(krb_context, &k5login_directory); + ret = ssh_krb5_get_k5login_directory(krb_context, &k5login_directory);
+ debug3("%s: k5login_directory = %s (rv=%d)", __func__, k5login_directory, ret); + debug3_f("k5login_directory = %s (rv=%d)", k5login_directory, ret);
+ if (k5login_directory == NULL || ret != 0) { + if (k5login_directory == NULL || ret != 0) {
+ /* If not set, the library will look for k5login + /* If not set, the library will look for k5login
+ * files in the user's home directory, with the filename .k5login. + * files in the user's home directory, with the filename .k5login.
@ -64,7 +64,7 @@ index a7c0c5f..df8cc9a 100644
+ k5login_directory[strlen(k5login_directory)-1] != '/' ? "/" : "", + k5login_directory[strlen(k5login_directory)-1] != '/' ? "/" : "",
+ pw->pw_name); + pw->pw_name);
+ } + }
+ debug("%s: Checking existence of file %s", __func__, file); + debug_f("Checking existence of file %s", file);
- snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir); - snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir);
return access(file, F_OK) == 0; return access(file, F_OK) == 0;

File diff suppressed because it is too large Load Diff

View File

@ -2,9 +2,9 @@ diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c
--- openssh/auth2-pubkey.c.refactor 2019-04-04 13:19:12.188821236 +0200 --- openssh/auth2-pubkey.c.refactor 2019-04-04 13:19:12.188821236 +0200
+++ openssh/auth2-pubkey.c 2019-04-04 13:19:12.276822078 +0200 +++ openssh/auth2-pubkey.c 2019-04-04 13:19:12.276822078 +0200
@@ -72,6 +72,9 @@ @@ -72,6 +72,9 @@
/* import */
extern ServerOptions options; extern ServerOptions options;
extern u_char *session_id2;
extern u_int session_id2_len;
+extern int inetd_flag; +extern int inetd_flag;
+extern int rexeced_flag; +extern int rexeced_flag;
+extern Authctxt *the_authctxt; +extern Authctxt *the_authctxt;
@ -12,59 +12,59 @@ diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c
static char * static char *
format_key(const struct sshkey *key) format_key(const struct sshkey *key)
@@ -511,7 +514,8 @@ match_principals_command(struct ssh *ssh @@ -511,7 +514,8 @@ match_principals_command(struct ssh *ssh
if ((pid = subprocess("AuthorizedPrincipalsCommand", command,
if ((pid = subprocess("AuthorizedPrincipalsCommand", runas_pw, command,
ac, av, &f, ac, av, &f,
- SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0) SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
+ SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD, - runas_pw, temporarily_use_uid, restore_uid)) == 0)
+ runas_pw, temporarily_use_uid, restore_uid,
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0) + (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
goto out; goto out;
uid_swapped = 1; uid_swapped = 1;
@@ -981,7 +985,8 @@ user_key_command_allowed2(struct ssh *ss @@ -981,7 +985,8 @@ user_key_command_allowed2(struct ssh *ss
if ((pid = subprocess("AuthorizedKeysCommand", command,
if ((pid = subprocess("AuthorizedKeysCommand", runas_pw, command,
ac, av, &f, ac, av, &f,
- SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0) SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
+ SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD, - runas_pw, temporarily_use_uid, restore_uid)) == 0)
+ runas_pw, temporarily_use_uid, restore_uid,
+ (inetd_flag && !rexeced_flag), the_authctxt)) == 0) + (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
goto out; goto out;
uid_swapped = 1; uid_swapped = 1;
diff -up openssh/auth.c.refactor openssh/auth.c diff -up openssh/misc.c.refactor openssh/misc.c
--- openssh/auth.c.refactor 2019-04-04 13:19:12.235821686 +0200 --- openssh/misc.c.refactor 2019-04-04 13:19:12.235821686 +0200
+++ openssh/auth.c 2019-04-04 13:19:12.276822078 +0200 +++ openssh/misc.c 2019-04-04 13:19:12.276822078 +0200
@@ -756,7 +756,8 @@ auth_get_canonical_hostname(struct ssh * @@ -756,7 +756,8 @@ auth_get_canonical_hostname(struct ssh *
*/
pid_t pid_t
subprocess(const char *tag, struct passwd *pw, const char *command, subprocess(const char *tag, const char *command,
- int ac, char **av, FILE **child, u_int flags) int ac, char **av, FILE **child, u_int flags,
+ int ac, char **av, FILE **child, u_int flags, int inetd, - struct passwd *pw, privdrop_fn *drop_privs, privrestore_fn *restore_privs)
+ void *the_authctxt) + struct passwd *pw, privdrop_fn *drop_privs,
+ privrestore_fn *restore_privs, int inetd, void *the_authctxt)
{ {
FILE *f = NULL; FILE *f = NULL;
struct stat st; struct stat st;
@@ -872,7 +873,7 @@ subprocess(const char *tag, struct passw @@ -872,7 +873,7 @@ subprocess(const char *tag, struct passw
_exit(1);
} }
#ifdef WITH_SELINUX #ifdef WITH_SELINUX
- if (sshd_selinux_setup_env_variables() < 0) { - if (sshd_selinux_setup_env_variables() < 0) {
+ if (sshd_selinux_setup_env_variables(inetd, the_authctxt) < 0) { + if (sshd_selinux_setup_env_variables(inetd, the_authctxt) < 0) {
error ("failed to copy environment: %s", error ("failed to copy environment: %s",
strerror(errno)); strerror(errno));
_exit(127); _exit(127);
diff -up openssh/auth.h.refactor openssh/auth.h diff -up openssh/misc.h.refactor openssh/misc.h
--- openssh/auth.h.refactor 2019-04-04 13:19:12.251821839 +0200 --- openssh/misc.h.refactor 2019-04-04 13:19:12.251821839 +0200
+++ openssh/auth.h 2019-04-04 13:19:12.276822078 +0200 +++ openssh/misc.h 2019-04-04 13:19:12.276822078 +0200
@@ -235,7 +235,7 @@ struct passwd *fakepw(void); @@ -235,7 +235,7 @@ struct passwd *fakepw(void);
#define SSH_SUBPROCESS_STDOUT_CAPTURE (1<<1) /* Redirect stdout */ #define SSH_SUBPROCESS_UNSAFE_PATH (1<<3) /* Don't check for safe cmd */
#define SSH_SUBPROCESS_STDERR_DISCARD (1<<2) /* Discard stderr */ #define SSH_SUBPROCESS_PRESERVE_ENV (1<<4) /* Keep parent environment */
pid_t subprocess(const char *, struct passwd *, pid_t subprocess(const char *, const char *, int, char **, FILE **, u_int,
- const char *, int, char **, FILE **, u_int flags); - struct passwd *, privdrop_fn *, privrestore_fn *);
+ const char *, int, char **, FILE **, u_int flags, int, void *); + struct passwd *, privdrop_fn *, privrestore_fn *, int, void *);
int sys_auth_passwd(struct ssh *, const char *);
typedef struct arglist arglist;
struct arglist {
diff -up openssh/openbsd-compat/port-linux.h.refactor openssh/openbsd-compat/port-linux.h diff -up openssh/openbsd-compat/port-linux.h.refactor openssh/openbsd-compat/port-linux.h
--- openssh/openbsd-compat/port-linux.h.refactor 2019-04-04 13:19:12.256821887 +0200 --- openssh/openbsd-compat/port-linux.h.refactor 2019-04-04 13:19:12.256821887 +0200
+++ openssh/openbsd-compat/port-linux.h 2019-04-04 13:19:12.276822078 +0200 +++ openssh/openbsd-compat/port-linux.h 2019-04-04 13:19:12.276822078 +0200
@ -145,7 +145,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compa
char *role; char *role;
@@ -342,11 +339,11 @@ sshd_selinux_setup_variables(int(*set_it @@ -342,11 +339,11 @@ sshd_selinux_setup_variables(int(*set_it
debug3("%s: setting execution context", __func__); debug3_f("setting execution context");
- ssh_selinux_get_role_level(&role, &reqlvl); - ssh_selinux_get_role_level(&role, &reqlvl);
+ ssh_selinux_get_role_level(&role, &reqlvl, the_authctxt); + ssh_selinux_get_role_level(&role, &reqlvl, the_authctxt);
@ -203,10 +203,10 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compa
+ if (sshd_selinux_setup_pam_variables(inetd, pam_setenv, authctxt)) { + if (sshd_selinux_setup_pam_variables(inetd, pam_setenv, authctxt)) {
switch (security_getenforce()) { switch (security_getenforce()) {
case -1: case -1:
fatal("%s: security_getenforce() failed", __func__); fatal_f("security_getenforce() failed");
@@ -410,7 +411,7 @@ sshd_selinux_setup_exec_context(char *pw @@ -410,7 +411,7 @@ sshd_selinux_setup_exec_context(char *pw
debug3("%s: setting execution context", __func__); debug3_f("setting execution context");
- r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx); - r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
+ r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx, inetd, authctxt); + r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx, inetd, authctxt);
@ -269,3 +269,15 @@ diff -up openssh/sshd.c.refactor openssh/sshd.c
#endif #endif
#ifdef USE_PAM #ifdef USE_PAM
if (options.use_pam) { if (options.use_pam) {
diff -up openssh/sshconnect.c.refactor openssh/sshconnect.c
--- openssh/sshconnect.c.refactor 2021-02-24 00:12:03.065325046 +0100
+++ openssh/sshconnect.c 2021-02-24 00:12:12.126449544 +0100
@@ -892,7 +892,7 @@ load_hostkeys_command(struct hostkeys *h
if ((pid = subprocess(tag, command, ac, av, &f,
SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_UNSAFE_PATH|
- SSH_SUBPROCESS_PRESERVE_ENV, NULL, NULL, NULL)) == 0)
+ SSH_SUBPROCESS_PRESERVE_ENV, NULL, NULL, NULL, 0, NULL)) == 0)
goto out;
load_hostkeys_file(hostkeys, hostfile_hostname, tag, f, 1);

View File

@ -1,6 +1,6 @@
diff -up openssh-8.0p1/cipher-ctr.c.fips openssh-8.0p1/cipher-ctr.c diff -up openssh-8.6p1/cipher-ctr.c.fips openssh-8.6p1/cipher-ctr.c
--- openssh-8.0p1/cipher-ctr.c.fips 2019-07-23 14:55:45.326525641 +0200 --- openssh-8.6p1/cipher-ctr.c.fips 2021-04-19 16:53:02.994577324 +0200
+++ openssh-8.0p1/cipher-ctr.c 2019-07-23 14:55:45.401526401 +0200 +++ openssh-8.6p1/cipher-ctr.c 2021-04-19 16:53:03.064577862 +0200
@@ -179,7 +179,8 @@ evp_aes_128_ctr(void) @@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
aes_ctr.do_cipher = ssh_aes_ctr; aes_ctr.do_cipher = ssh_aes_ctr;
#ifndef SSH_OLD_EVP #ifndef SSH_OLD_EVP
@ -11,10 +11,10 @@ diff -up openssh-8.0p1/cipher-ctr.c.fips openssh-8.0p1/cipher-ctr.c
#endif #endif
return (&aes_ctr); return (&aes_ctr);
} }
diff -up openssh-8.0p1/dh.c.fips openssh-8.0p1/dh.c diff -up openssh-8.6p1/dh.c.fips openssh-8.6p1/dh.c
--- openssh-8.0p1/dh.c.fips 2019-04-18 00:52:57.000000000 +0200 --- openssh-8.6p1/dh.c.fips 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.0p1/dh.c 2019-07-23 14:55:45.401526401 +0200 +++ openssh-8.6p1/dh.c 2021-04-19 16:58:47.750263410 +0200
@@ -152,6 +152,12 @@ choose_dh(int min, int wantbits, int max @@ -164,6 +164,12 @@ choose_dh(int min, int wantbits, int max
int best, bestcount, which, linenum; int best, bestcount, which, linenum;
struct dhgroup dhg; struct dhgroup dhg;
@ -24,10 +24,10 @@ diff -up openssh-8.0p1/dh.c.fips openssh-8.0p1/dh.c
+ return (dh_new_group_fallback(max)); + return (dh_new_group_fallback(max));
+ } + }
+ +
if ((f = fopen(_PATH_DH_MODULI, "r")) == NULL) { if ((f = fopen(get_moduli_filename(), "r")) == NULL) {
logit("WARNING: could not open %s (%s), using fixed modulus", logit("WARNING: could not open %s (%s), using fixed modulus",
_PATH_DH_MODULI, strerror(errno)); get_moduli_filename(), strerror(errno));
@@ -489,4 +495,38 @@ dh_estimate(int bits) @@ -502,4 +508,38 @@ dh_estimate(int bits)
return 8192; return 8192;
} }
@ -66,21 +66,21 @@ diff -up openssh-8.0p1/dh.c.fips openssh-8.0p1/dh.c
+} +}
+ +
#endif /* WITH_OPENSSL */ #endif /* WITH_OPENSSL */
diff -up openssh-8.0p1/dh.h.fips openssh-8.0p1/dh.h diff -up openssh-8.6p1/dh.h.fips openssh-8.6p1/dh.h
--- openssh-8.0p1/dh.h.fips 2019-04-18 00:52:57.000000000 +0200 --- openssh-8.6p1/dh.h.fips 2021-04-19 16:53:03.064577862 +0200
+++ openssh-8.0p1/dh.h 2019-07-23 14:55:45.401526401 +0200 +++ openssh-8.6p1/dh.h 2021-04-19 16:59:31.951616078 +0200
@@ -43,6 +43,7 @@ DH *dh_new_group_fallback(int); @@ -45,6 +45,7 @@ DH *dh_new_group_fallback(int);
int dh_gen_key(DH *, int); int dh_gen_key(DH *, int);
int dh_pub_is_valid(const DH *, const BIGNUM *); int dh_pub_is_valid(const DH *, const BIGNUM *);
+int dh_is_known_group(const DH *); +int dh_is_known_group(const DH *);
u_int dh_estimate(int); u_int dh_estimate(int);
void dh_set_moduli_file(const char *);
diff -up openssh-8.0p1/kex.c.fips openssh-8.0p1/kex.c diff -up openssh-8.6p1/kex.c.fips openssh-8.6p1/kex.c
--- openssh-8.0p1/kex.c.fips 2019-07-23 14:55:45.395526340 +0200 --- openssh-8.6p1/kex.c.fips 2021-04-19 16:53:03.058577815 +0200
+++ openssh-8.0p1/kex.c 2019-07-23 14:55:45.402526411 +0200 +++ openssh-8.6p1/kex.c 2021-04-19 16:53:03.065577869 +0200
@@ -199,7 +199,10 @@ kex_names_valid(const char *names) @@ -203,7 +203,10 @@ kex_names_valid(const char *names)
for ((p = strsep(&cp, ",")); p && *p != '\0'; for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) { (p = strsep(&cp, ","))) {
if (kex_alg_by_name(p) == NULL) { if (kex_alg_by_name(p) == NULL) {
@ -92,9 +92,9 @@ diff -up openssh-8.0p1/kex.c.fips openssh-8.0p1/kex.c
free(s); free(s);
return 0; return 0;
} }
diff -up openssh-8.0p1/kexgexc.c.fips openssh-8.0p1/kexgexc.c diff -up openssh-8.6p1/kexgexc.c.fips openssh-8.6p1/kexgexc.c
--- openssh-8.0p1/kexgexc.c.fips 2019-04-18 00:52:57.000000000 +0200 --- openssh-8.6p1/kexgexc.c.fips 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.0p1/kexgexc.c 2019-07-23 14:55:45.402526411 +0200 +++ openssh-8.6p1/kexgexc.c 2021-04-19 16:53:03.065577869 +0200
@@ -28,6 +28,7 @@ @@ -28,6 +28,7 @@
#ifdef WITH_OPENSSL #ifdef WITH_OPENSSL
@ -103,7 +103,7 @@ diff -up openssh-8.0p1/kexgexc.c.fips openssh-8.0p1/kexgexc.c
#include <sys/types.h> #include <sys/types.h>
#include <openssl/dh.h> #include <openssl/dh.h>
@@ -113,6 +114,10 @@ input_kex_dh_gex_group(int type, u_int32 @@ -115,6 +116,10 @@ input_kex_dh_gex_group(int type, u_int32
r = SSH_ERR_ALLOC_FAIL; r = SSH_ERR_ALLOC_FAIL;
goto out; goto out;
} }
@ -114,10 +114,10 @@ diff -up openssh-8.0p1/kexgexc.c.fips openssh-8.0p1/kexgexc.c
p = g = NULL; /* belong to kex->dh now */ p = g = NULL; /* belong to kex->dh now */
/* generate and send 'e', client DH public key */ /* generate and send 'e', client DH public key */
diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h diff -up openssh-8.6p1/myproposal.h.fips openssh-8.6p1/myproposal.h
--- openssh-8.0p1/myproposal.h.fips 2019-04-18 00:52:57.000000000 +0200 --- openssh-8.6p1/myproposal.h.fips 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.0p1/myproposal.h 2019-07-23 14:55:45.402526411 +0200 +++ openssh-8.6p1/myproposal.h 2021-04-19 16:53:03.065577869 +0200
@@ -111,6 +111,20 @@ @@ -57,6 +57,20 @@
"rsa-sha2-256," \ "rsa-sha2-256," \
"ssh-rsa" "ssh-rsa"
@ -138,7 +138,7 @@ diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h
#define KEX_SERVER_ENCRYPT \ #define KEX_SERVER_ENCRYPT \
"chacha20-poly1305@openssh.com," \ "chacha20-poly1305@openssh.com," \
"aes128-ctr,aes192-ctr,aes256-ctr," \ "aes128-ctr,aes192-ctr,aes256-ctr," \
@@ -134,6 +142,27 @@ @@ -78,6 +92,27 @@
#define KEX_CLIENT_MAC KEX_SERVER_MAC #define KEX_CLIENT_MAC KEX_SERVER_MAC
@ -165,11 +165,11 @@ diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h
+ +
/* Not a KEX value, but here so all the algorithm defaults are together */ /* Not a KEX value, but here so all the algorithm defaults are together */
#define SSH_ALLOWED_CA_SIGALGS \ #define SSH_ALLOWED_CA_SIGALGS \
"ecdsa-sha2-nistp256," \ "ssh-ed25519," \
diff -up openssh-8.0p1/readconf.c.fips openssh-8.0p1/readconf.c diff -up openssh-8.6p1/readconf.c.fips openssh-8.6p1/readconf.c
--- openssh-8.0p1/readconf.c.fips 2019-07-23 14:55:45.334525723 +0200 --- openssh-8.6p1/readconf.c.fips 2021-04-19 16:53:02.999577362 +0200
+++ openssh-8.0p1/readconf.c 2019-07-23 14:55:45.402526411 +0200 +++ openssh-8.6p1/readconf.c 2021-04-19 16:53:03.065577869 +0200
@@ -2179,11 +2179,16 @@ fill_default_options(Options * options) @@ -2538,11 +2538,16 @@ fill_default_options(Options * options)
all_key = sshkey_alg_list(0, 0, 1, ','); all_key = sshkey_alg_list(0, 0, 1, ',');
all_sig = sshkey_alg_list(0, 1, 1, ','); all_sig = sshkey_alg_list(0, 1, 1, ',');
/* remove unsupported algos from default lists */ /* remove unsupported algos from default lists */
@ -191,10 +191,10 @@ diff -up openssh-8.0p1/readconf.c.fips openssh-8.0p1/readconf.c
#define ASSEMBLE(what, defaults, all) \ #define ASSEMBLE(what, defaults, all) \
do { \ do { \
if ((r = kex_assemble_names(&options->what, \ if ((r = kex_assemble_names(&options->what, \
diff -up openssh-8.0p1/sandbox-seccomp-filter.c.fips openssh-8.0p1/sandbox-seccomp-filter.c diff -up openssh-8.6p1/sandbox-seccomp-filter.c.fips openssh-8.6p1/sandbox-seccomp-filter.c
--- openssh-8.0p1/sandbox-seccomp-filter.c.fips 2019-07-23 14:55:45.373526117 +0200 --- openssh-8.6p1/sandbox-seccomp-filter.c.fips 2021-04-19 16:53:03.034577631 +0200
+++ openssh-8.0p1/sandbox-seccomp-filter.c 2019-07-23 14:55:45.402526411 +0200 +++ openssh-8.6p1/sandbox-seccomp-filter.c 2021-04-19 16:53:03.065577869 +0200
@@ -137,6 +137,9 @@ static const struct sock_filter preauth_ @@ -160,6 +160,9 @@ static const struct sock_filter preauth_
#ifdef __NR_open #ifdef __NR_open
SC_DENY(__NR_open, EACCES), SC_DENY(__NR_open, EACCES),
#endif #endif
@ -204,10 +204,10 @@ diff -up openssh-8.0p1/sandbox-seccomp-filter.c.fips openssh-8.0p1/sandbox-secco
#ifdef __NR_openat #ifdef __NR_openat
SC_DENY(__NR_openat, EACCES), SC_DENY(__NR_openat, EACCES),
#endif #endif
diff -up openssh-8.0p1/servconf.c.fips openssh-8.0p1/servconf.c diff -up openssh-8.6p1/servconf.c.fips openssh-8.6p1/servconf.c
--- openssh-8.0p1/servconf.c.fips 2019-07-23 14:55:45.361525996 +0200 --- openssh-8.6p1/servconf.c.fips 2021-04-19 16:53:03.027577577 +0200
+++ openssh-8.0p1/servconf.c 2019-07-23 14:55:45.403526421 +0200 +++ openssh-8.6p1/servconf.c 2021-04-19 16:53:03.066577877 +0200
@@ -208,11 +208,16 @@ assemble_algorithms(ServerOptions *o) @@ -226,11 +226,16 @@ assemble_algorithms(ServerOptions *o)
all_key = sshkey_alg_list(0, 0, 1, ','); all_key = sshkey_alg_list(0, 0, 1, ',');
all_sig = sshkey_alg_list(0, 1, 1, ','); all_sig = sshkey_alg_list(0, 1, 1, ',');
/* remove unsupported algos from default lists */ /* remove unsupported algos from default lists */
@ -229,10 +229,10 @@ diff -up openssh-8.0p1/servconf.c.fips openssh-8.0p1/servconf.c
#define ASSEMBLE(what, defaults, all) \ #define ASSEMBLE(what, defaults, all) \
do { \ do { \
if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \ if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
diff -up openssh-8.0p1/ssh.c.fips openssh-8.0p1/ssh.c diff -up openssh-8.6p1/ssh.c.fips openssh-8.6p1/ssh.c
--- openssh-8.0p1/ssh.c.fips 2019-07-23 14:55:45.378526168 +0200 --- openssh-8.6p1/ssh.c.fips 2021-04-19 16:53:03.038577662 +0200
+++ openssh-8.0p1/ssh.c 2019-07-23 14:55:45.403526421 +0200 +++ openssh-8.6p1/ssh.c 2021-04-19 16:53:03.066577877 +0200
@@ -76,6 +76,7 @@ @@ -77,6 +77,7 @@
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/err.h> #include <openssl/err.h>
#endif #endif
@ -240,21 +240,21 @@ diff -up openssh-8.0p1/ssh.c.fips openssh-8.0p1/ssh.c
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
#include "openbsd-compat/sys-queue.h" #include "openbsd-compat/sys-queue.h"
@@ -614,6 +626,10 @@ main(int ac, char **av) @@ -1516,6 +1517,10 @@ main(int ac, char **av)
dump_client_config(&options, host);
exit(0); exit(0);
} }
+
+ if (FIPS_mode()) { + if (FIPS_mode()) {
+ debug("FIPS mode initialized"); + debug("FIPS mode initialized");
+ } + }
+
/* Expand SecurityKeyProvider if it refers to an environment variable */ /* Expand SecurityKeyProvider if it refers to an environment variable */
if (options.sk_provider != NULL && *options.sk_provider == '$' && if (options.sk_provider != NULL && *options.sk_provider == '$' &&
diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c strlen(options.sk_provider) > 1) {
--- openssh-8.0p1/sshconnect2.c.fips 2019-07-23 14:55:45.336525743 +0200 diff -up openssh-8.6p1/sshconnect2.c.fips openssh-8.6p1/sshconnect2.c
+++ openssh-8.0p1/sshconnect2.c 2019-07-23 14:55:45.403526421 +0200 --- openssh-8.6p1/sshconnect2.c.fips 2021-04-19 16:53:03.055577792 +0200
@@ -44,6 +44,8 @@ +++ openssh-8.6p1/sshconnect2.c 2021-04-19 16:53:03.066577877 +0200
@@ -45,6 +45,8 @@
#include <vis.h> #include <vis.h>
#endif #endif
@ -263,7 +263,7 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
#include "openbsd-compat/sys-queue.h" #include "openbsd-compat/sys-queue.h"
#include "xmalloc.h" #include "xmalloc.h"
@@ -198,36 +203,41 @@ ssh_kex2(struct ssh *ssh, char *host, st @@ -269,36 +271,41 @@ ssh_kex2(struct ssh *ssh, char *host, st
#if defined(GSSAPI) && defined(WITH_OPENSSL) #if defined(GSSAPI) && defined(WITH_OPENSSL)
if (options.gss_keyex) { if (options.gss_keyex) {
@ -279,24 +279,6 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
- * and can not use DNS on that socket */ - * and can not use DNS on that socket */
- if (strcmp(gss_host, "UNKNOWN") == 0) { - if (strcmp(gss_host, "UNKNOWN") == 0) {
- free(gss_host); - free(gss_host);
- gss_host = xstrdup(host);
- }
- } else {
- gss_host = xstrdup(host);
- }
-
- gss = ssh_gssapi_client_mechanisms(gss_host,
- options.gss_client_identity, options.gss_kex_algorithms);
- if (gss) {
- debug("Offering GSSAPI proposal: %s", gss);
- xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
- "%s,%s", gss, orig);
-
- /* If we've got GSSAPI algorithms, then we also support the
- * 'null' hostkey, as a last resort */
- orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
- xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
- "%s,null", orig);
+ if (FIPS_mode()) { + if (FIPS_mode()) {
+ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode"); + logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
+ options.gss_keyex = 0; + options.gss_keyex = 0;
@ -316,9 +298,24 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
+ gss_host = xstrdup(host); + gss_host = xstrdup(host);
+ } + }
+ } else { + } else {
+ gss_host = xstrdup(host); gss_host = xstrdup(host);
+ } }
+ - } else {
- gss_host = xstrdup(host);
- }
- gss = ssh_gssapi_client_mechanisms(gss_host,
- options.gss_client_identity, options.gss_kex_algorithms);
- if (gss) {
- debug("Offering GSSAPI proposal: %s", gss);
- xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
- "%s,%s", gss, orig);
-
- /* If we've got GSSAPI algorithms, then we also support the
- * 'null' hostkey, as a last resort */
- orig = myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS];
- xasprintf(&myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS],
- "%s,null", orig);
+ gss = ssh_gssapi_client_mechanisms(gss_host, + gss = ssh_gssapi_client_mechanisms(gss_host,
+ options.gss_client_identity, options.gss_kex_algorithms); + options.gss_client_identity, options.gss_kex_algorithms);
+ if (gss) { + if (gss) {
@ -335,9 +332,9 @@ diff -up openssh-8.0p1/sshconnect2.c.fips openssh-8.0p1/sshconnect2.c
} }
} }
#endif #endif
diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c diff -up openssh-8.6p1/sshd.c.fips openssh-8.6p1/sshd.c
--- openssh-8.0p1/sshd.c.fips 2019-07-23 14:55:45.398526371 +0200 --- openssh-8.6p1/sshd.c.fips 2021-04-19 16:53:03.060577831 +0200
+++ openssh-8.0p1/sshd.c 2019-07-23 14:55:45.403526421 +0200 +++ openssh-8.6p1/sshd.c 2021-04-19 16:57:45.827769340 +0200
@@ -66,6 +66,7 @@ @@ -66,6 +66,7 @@
#include <grp.h> #include <grp.h>
#include <pwd.h> #include <pwd.h>
@ -354,7 +351,7 @@ diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c
#include "openbsd-compat/openssl-compat.h" #include "openbsd-compat/openssl-compat.h"
#endif #endif
@@ -1529,6 +1532,7 @@ main(int ac, char **av) @@ -1619,6 +1621,7 @@ main(int ac, char **av)
#endif #endif
__progname = ssh_get_progname(av[0]); __progname = ssh_get_progname(av[0]);
@ -362,7 +359,7 @@ diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
saved_argc = ac; saved_argc = ac;
rexec_argc = ac; rexec_argc = ac;
@@ -1992,6 +2007,10 @@ main(int ac, char **av) @@ -2110,6 +2113,10 @@ main(int ac, char **av)
/* Reinitialize the log (because of the fork above). */ /* Reinitialize the log (because of the fork above). */
log_init(__progname, options.log_level, options.log_facility, log_stderr); log_init(__progname, options.log_level, options.log_facility, log_stderr);
@ -370,10 +367,10 @@ diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c
+ debug("FIPS mode initialized"); + debug("FIPS mode initialized");
+ } + }
+ +
/* Chdir to the root directory so that the current disk can be /*
unmounted if desired. */ * Chdir to the root directory so that the current disk can be
if (chdir("/") == -1) * unmounted if desired.
@@ -2382,10 +2401,14 @@ do_ssh2_kex(struct ssh *ssh) @@ -2494,10 +2501,14 @@ do_ssh2_kex(struct ssh *ssh)
if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0) if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
orig = NULL; orig = NULL;
@ -392,9 +389,9 @@ diff -up openssh-8.0p1/sshd.c.fips openssh-8.0p1/sshd.c
if (gss && orig) if (gss && orig)
xasprintf(&newstr, "%s,%s", gss, orig); xasprintf(&newstr, "%s,%s", gss, orig);
diff -up openssh-8.0p1/sshkey.c.fips openssh-8.0p1/sshkey.c diff -up openssh-8.6p1/sshkey.c.fips openssh-8.6p1/sshkey.c
--- openssh-8.0p1/sshkey.c.fips 2019-07-23 14:55:45.398526371 +0200 --- openssh-8.6p1/sshkey.c.fips 2021-04-19 16:53:03.061577838 +0200
+++ openssh-8.0p1/sshkey.c 2019-07-23 14:55:45.404526431 +0200 +++ openssh-8.6p1/sshkey.c 2021-04-19 16:53:03.067577885 +0200
@@ -34,6 +34,7 @@ @@ -34,6 +34,7 @@
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/err.h> #include <openssl/err.h>
@ -411,19 +408,19 @@ diff -up openssh-8.0p1/sshkey.c.fips openssh-8.0p1/sshkey.c
#include "ssh-sk.h" #include "ssh-sk.h"
#ifdef WITH_XMSS #ifdef WITH_XMSS
@@ -1591,6 +1593,8 @@ rsa_generate_private_key(u_int bits, RSA @@ -1705,6 +1707,8 @@ rsa_generate_private_key(u_int bits, RSA
} }
if (!BN_set_word(f4, RSA_F4) || if (!BN_set_word(f4, RSA_F4) ||
!RSA_generate_key_ex(private, bits, f4, NULL)) { !RSA_generate_key_ex(private, bits, f4, NULL)) {
+ if (FIPS_mode()) + if (FIPS_mode())
+ logit("%s: the key length might be unsupported by FIPS mode approved key generation method", __func__); + logit_f("the key length might be unsupported by FIPS mode approved key generation method");
ret = SSH_ERR_LIBCRYPTO_ERROR; ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out; goto out;
} }
diff -up openssh-8.0p1/ssh-keygen.c.fips openssh-8.0p1/ssh-keygen.c diff -up openssh-8.6p1/ssh-keygen.c.fips openssh-8.6p1/ssh-keygen.c
--- openssh-8.0p1/ssh-keygen.c.fips 2019-07-23 14:55:45.391526300 +0200 --- openssh-8.6p1/ssh-keygen.c.fips 2021-04-19 16:53:03.038577662 +0200
+++ openssh-8.0p1/ssh-keygen.c 2019-07-23 14:57:54.118830056 +0200 +++ openssh-8.6p1/ssh-keygen.c 2021-04-19 16:53:03.068577892 +0200
@@ -199,6 +199,12 @@ type_bits_valid(int type, const char *na @@ -205,6 +205,12 @@ type_bits_valid(int type, const char *na
#endif #endif
} }
#ifdef WITH_OPENSSL #ifdef WITH_OPENSSL
@ -436,7 +433,7 @@ diff -up openssh-8.0p1/ssh-keygen.c.fips openssh-8.0p1/ssh-keygen.c
switch (type) { switch (type) {
case KEY_DSA: case KEY_DSA:
if (*bitsp != 1024) if (*bitsp != 1024)
@@ -1029,9 +1035,17 @@ do_gen_all_hostkeys(struct passwd *pw) @@ -1098,9 +1104,17 @@ do_gen_all_hostkeys(struct passwd *pw)
first = 1; first = 1;
printf("%s: generating new host keys: ", __progname); printf("%s: generating new host keys: ", __progname);
} }

View File

@ -1,7 +1,26 @@
diff --git a/auth-krb5.c b/auth-krb5.c diff -up openssh-8.6p1/auth.h.ccache_name openssh-8.6p1/auth.h
index a5a81ed2..63f877f2 100644 --- openssh-8.6p1/auth.h.ccache_name 2021-04-19 14:05:10.820744325 +0200
--- a/auth-krb5.c +++ openssh-8.6p1/auth.h 2021-04-19 14:05:10.853744569 +0200
+++ b/auth-krb5.c @@ -83,6 +83,7 @@ struct Authctxt {
krb5_principal krb5_user;
char *krb5_ticket_file;
char *krb5_ccname;
+ int krb5_set_env;
#endif
struct sshbuf *loginmsg;
@@ -231,7 +232,7 @@ struct passwd *fakepw(void);
int sys_auth_passwd(struct ssh *, const char *);
#if defined(KRB5) && !defined(HEIMDAL)
-krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
+krb5_error_code ssh_krb5_cc_new_unique(krb5_context, krb5_ccache *, int *);
#endif
#endif /* AUTH_H */
diff -up openssh-8.6p1/auth-krb5.c.ccache_name openssh-8.6p1/auth-krb5.c
--- openssh-8.6p1/auth-krb5.c.ccache_name 2021-04-16 05:55:25.000000000 +0200
+++ openssh-8.6p1/auth-krb5.c 2021-04-19 14:40:55.142832954 +0200
@@ -51,6 +51,7 @@ @@ -51,6 +51,7 @@
#include <unistd.h> #include <unistd.h>
#include <string.h> #include <string.h>
@ -10,7 +29,7 @@ index a5a81ed2..63f877f2 100644
extern ServerOptions options; extern ServerOptions options;
@@ -77,7 +78,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password) @@ -77,7 +78,7 @@ auth_krb5_password(Authctxt *authctxt, c
#endif #endif
krb5_error_code problem; krb5_error_code problem;
krb5_ccache ccache = NULL; krb5_ccache ccache = NULL;
@ -19,24 +38,18 @@ index a5a81ed2..63f877f2 100644
char *client, *platform_client; char *client, *platform_client;
const char *errmsg; const char *errmsg;
@@ -163,7 +164,8 @@ auth_krb5_password(Authctxt *authctxt, const char *password) @@ -163,8 +164,8 @@ auth_krb5_password(Authctxt *authctxt, c
goto out; goto out;
} }
- problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache); - problem = ssh_krb5_cc_gen(authctxt->krb5_ctx,
- &authctxt->krb5_fwd_ccache);
+ problem = ssh_krb5_cc_new_unique(authctxt->krb5_ctx, + problem = ssh_krb5_cc_new_unique(authctxt->krb5_ctx,
+ &authctxt->krb5_fwd_ccache, &authctxt->krb5_set_env); + &authctxt->krb5_fwd_ccache, &authctxt->krb5_set_env);
if (problem) if (problem)
goto out; goto out;
@@ -172,21 +174,20 @@ auth_krb5_password(Authctxt *authctxt, const char *password) @@ -179,15 +180,14 @@ auth_krb5_password(Authctxt *authctxt, c
if (problem)
goto out;
- problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
+ problem = krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
&creds);
if (problem)
goto out; goto out;
#endif #endif
@ -57,7 +70,7 @@ index a5a81ed2..63f877f2 100644
do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname); do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname);
#endif #endif
@@ -222,11 +223,54 @@ auth_krb5_password(Authctxt *authctxt, const char *password) @@ -223,11 +223,54 @@ auth_krb5_password(Authctxt *authctxt, c
void void
krb5_cleanup_proc(Authctxt *authctxt) krb5_cleanup_proc(Authctxt *authctxt)
{ {
@ -113,7 +126,7 @@ index a5a81ed2..63f877f2 100644
if (authctxt->krb5_user) { if (authctxt->krb5_user) {
krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user); krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
authctxt->krb5_user = NULL; authctxt->krb5_user = NULL;
@@ -237,36 +281,188 @@ krb5_cleanup_proc(Authctxt *authctxt) @@ -238,36 +281,188 @@ krb5_cleanup_proc(Authctxt *authctxt)
} }
} }
@ -151,7 +164,7 @@ index a5a81ed2..63f877f2 100644
+ssh_krb5_expand_template(char **result, const char *template) { +ssh_krb5_expand_template(char **result, const char *template) {
+ char *p_n, *p_o, *r, *tmp_template; + char *p_n, *p_o, *r, *tmp_template;
+ +
+ debug3("%s: called, template = %s", __func__, template); + debug3_f("called, template = %s", template);
+ if (template == NULL) + if (template == NULL)
+ return -1; + return -1;
+ +
@ -179,7 +192,7 @@ index a5a81ed2..63f877f2 100644
+ } else { + } else {
+ p_o = strchr(p_n, '}') + 1; + p_o = strchr(p_n, '}') + 1;
+ *p_o = '\0'; + *p_o = '\0';
+ debug("%s: unsupported token %s in %s", __func__, p_n, template); + debug_f("unsupported token %s in %s", p_n, template);
+ /* unknown token, fallback to the default */ + /* unknown token, fallback to the default */
+ goto cleanup; + goto cleanup;
+ } + }
@ -198,16 +211,13 @@ index a5a81ed2..63f877f2 100644
+ return -1; + return -1;
+} +}
+ +
krb5_error_code +krb5_error_code
-ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
- int tmpfd, ret, oerrno;
- char ccname[40];
+ssh_krb5_get_cctemplate(krb5_context ctx, char **ccname) { +ssh_krb5_get_cctemplate(krb5_context ctx, char **ccname) {
+ profile_t p; + profile_t p;
+ int ret = 0; + int ret = 0;
+ char *value = NULL; + char *value = NULL;
+ +
+ debug3("%s: called", __func__); + debug3_f("called");
+ ret = krb5_get_profile(ctx, &p); + ret = krb5_get_profile(ctx, &p);
+ if (ret) + if (ret)
+ return ret; + return ret;
@ -218,11 +228,14 @@ index a5a81ed2..63f877f2 100644
+ +
+ ret = ssh_krb5_expand_template(ccname, value); + ret = ssh_krb5_expand_template(ccname, value);
+ +
+ debug3("%s: returning with ccname = %s", __func__, *ccname); + debug3_f("returning with ccname = %s", *ccname);
+ return ret; + return ret;
+} +}
+ +
+krb5_error_code krb5_error_code
-ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
- int tmpfd, ret, oerrno;
- char ccname[40];
+ssh_krb5_cc_new_unique(krb5_context ctx, krb5_ccache *ccache, int *need_environment) { +ssh_krb5_cc_new_unique(krb5_context ctx, krb5_ccache *ccache, int *need_environment) {
+ int tmpfd, ret, oerrno, type_len; + int tmpfd, ret, oerrno, type_len;
+ char *ccname = NULL; + char *ccname = NULL;
@ -242,7 +255,7 @@ index a5a81ed2..63f877f2 100644
- logit("mkstemp(): %.100s", strerror(oerrno)); - logit("mkstemp(): %.100s", strerror(oerrno));
- return oerrno; - return oerrno;
- } - }
+ debug3("%s: called", __func__); + debug3_f("called");
+ if (need_environment) + if (need_environment)
+ *need_environment = 0; + *need_environment = 0;
+ ret = ssh_krb5_get_cctemplate(ctx, &ccname); + ret = ssh_krb5_get_cctemplate(ctx, &ccname);
@ -283,7 +296,7 @@ index a5a81ed2..63f877f2 100644
- close(tmpfd); - close(tmpfd);
- return (krb5_cc_resolve(ctx, ccname, ccache)); - return (krb5_cc_resolve(ctx, ccname, ccache));
+ debug3("%s: setting default ccname to %s", __func__, ccname); + debug3_f("setting default ccname to %s", ccname);
+ /* set the default with already expanded user IDs */ + /* set the default with already expanded user IDs */
+ ret = krb5_cc_set_default_name(ctx, ccname); + ret = krb5_cc_set_default_name(ctx, ccname);
+ if (ret) + if (ret)
@ -304,13 +317,13 @@ index a5a81ed2..63f877f2 100644
+ * a primary cache for this collection, if it supports that (non-FILE) + * a primary cache for this collection, if it supports that (non-FILE)
+ */ + */
+ if (krb5_cc_support_switch(ctx, type)) { + if (krb5_cc_support_switch(ctx, type)) {
+ debug3("%s: calling cc_new_unique(%s)", __func__, ccname); + debug3_f("calling cc_new_unique(%s)", ccname);
+ ret = krb5_cc_new_unique(ctx, type, NULL, ccache); + ret = krb5_cc_new_unique(ctx, type, NULL, ccache);
+ free(type); + free(type);
+ if (ret) + if (ret)
+ return ret; + return ret;
+ +
+ debug3("%s: calling cc_switch()", __func__); + debug3_f("calling cc_switch()");
+ return krb5_cc_switch(ctx, *ccache); + return krb5_cc_switch(ctx, *ccache);
+ } else { + } else {
+ /* Otherwise, we can not create a unique ccname here (either + /* Otherwise, we can not create a unique ccname here (either
@ -318,36 +331,47 @@ index a5a81ed2..63f877f2 100644
+ * collections + * collections
+ */ + */
+ free(type); + free(type);
+ debug3("%s: calling cc_resolve(%s)", __func__, ccname); + debug3_f("calling cc_resolve(%s)", ccname);
+ return (krb5_cc_resolve(ctx, ccname, ccache)); + return (krb5_cc_resolve(ctx, ccname, ccache));
+ } + }
} }
#endif /* !HEIMDAL */ #endif /* !HEIMDAL */
#endif /* KRB5 */ #endif /* KRB5 */
diff --git a/auth.h b/auth.h diff -up openssh-8.6p1/gss-serv.c.ccache_name openssh-8.6p1/gss-serv.c
index 29491df9..fdab5040 100644 --- openssh-8.6p1/gss-serv.c.ccache_name 2021-04-19 14:05:10.844744503 +0200
--- a/auth.h +++ openssh-8.6p1/gss-serv.c 2021-04-19 14:05:10.854744577 +0200
+++ b/auth.h @@ -413,13 +413,15 @@ ssh_gssapi_cleanup_creds(void)
@@ -82,6 +82,7 @@ struct Authctxt { }
krb5_principal krb5_user;
char *krb5_ticket_file;
char *krb5_ccname;
+ int krb5_set_env;
#endif
struct sshbuf *loginmsg;
@@ -238,7 +239,7 @@ int sys_auth_passwd(struct ssh *, const char *); /* As user */
int sys_auth_passwd(struct ssh *, const char *); -void
+int
ssh_gssapi_storecreds(void)
{
if (gssapi_client.mech && gssapi_client.mech->storecreds) {
- (*gssapi_client.mech->storecreds)(&gssapi_client);
+ return (*gssapi_client.mech->storecreds)(&gssapi_client);
} else
debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
+
+ return 0;
}
#if defined(KRB5) && !defined(HEIMDAL) /* This allows GSSAPI methods to do things to the child's environment based
-krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *); @@ -499,9 +501,7 @@ ssh_gssapi_rekey_creds(void) {
+krb5_error_code ssh_krb5_cc_new_unique(krb5_context, krb5_ccache *, int *); char *envstr;
#endif #endif
#endif /* AUTH_H */ - if (gssapi_client.store.filename == NULL &&
diff -up openssh-7.9p1/gss-serv-krb5.c.ccache_name openssh-7.9p1/gss-serv-krb5.c - gssapi_client.store.envval == NULL &&
--- openssh-7.9p1/gss-serv-krb5.c.ccache_name 2019-03-01 15:17:42.708611802 +0100 - gssapi_client.store.envvar == NULL)
+++ openssh-7.9p1/gss-serv-krb5.c 2019-03-01 15:17:42.713611844 +0100 + if (gssapi_client.store.envval == NULL)
return;
ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store));
diff -up openssh-8.6p1/gss-serv-krb5.c.ccache_name openssh-8.6p1/gss-serv-krb5.c
--- openssh-8.6p1/gss-serv-krb5.c.ccache_name 2021-04-19 14:05:10.852744562 +0200
+++ openssh-8.6p1/gss-serv-krb5.c 2021-04-19 14:05:10.854744577 +0200
@@ -267,7 +267,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri @@ -267,7 +267,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
/* This writes out any forwarded credentials from the structure populated /* This writes out any forwarded credentials from the structure populated
* during userauth. Called after we have setuid to the user */ * during userauth. Called after we have setuid to the user */
@ -450,7 +474,7 @@ diff -up openssh-7.9p1/gss-serv-krb5.c.ccache_name openssh-7.9p1/gss-serv-krb5.c
do_pam_putenv(client->store.envvar, client->store.envval); do_pam_putenv(client->store.envvar, client->store.envval);
#endif #endif
@@ -361,7 +355,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl @@ -364,7 +354,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
client->store.data = krb_context; client->store.data = krb_context;
@ -459,43 +483,10 @@ diff -up openssh-7.9p1/gss-serv-krb5.c.ccache_name openssh-7.9p1/gss-serv-krb5.c
} }
int int
diff --git a/gss-serv.c b/gss-serv.c diff -up openssh-8.6p1/servconf.c.ccache_name openssh-8.6p1/servconf.c
index 6cae720e..16e55cbc 100644 --- openssh-8.6p1/servconf.c.ccache_name 2021-04-19 14:05:10.848744532 +0200
--- a/gss-serv.c +++ openssh-8.6p1/servconf.c 2021-04-19 14:05:10.854744577 +0200
+++ b/gss-serv.c @@ -136,6 +136,7 @@ initialize_server_options(ServerOptions
@@ -320,13 +320,15 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
}
/* As user */
-void
+int
ssh_gssapi_storecreds(void)
{
if (gssapi_client.mech && gssapi_client.mech->storecreds) {
- (*gssapi_client.mech->storecreds)(&gssapi_client);
+ return (*gssapi_client.mech->storecreds)(&gssapi_client);
} else
debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
+
+ return 0;
}
/* This allows GSSAPI methods to do things to the child's environment based
@@ -498,9 +500,7 @@ ssh_gssapi_rekey_creds() {
char *envstr;
#endif
- if (gssapi_client.store.filename == NULL &&
- gssapi_client.store.envval == NULL &&
- gssapi_client.store.envvar == NULL)
+ if (gssapi_client.store.envval == NULL)
return;
ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store));
diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
--- openssh-7.9p1/servconf.c.ccache_name 2019-03-01 15:17:42.704611768 +0100
+++ openssh-7.9p1/servconf.c 2019-03-01 15:17:42.713611844 +0100
@@ -123,6 +123,7 @@ initialize_server_options(ServerOptions
options->kerberos_or_local_passwd = -1; options->kerberos_or_local_passwd = -1;
options->kerberos_ticket_cleanup = -1; options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1; options->kerberos_get_afs_token = -1;
@ -503,7 +494,7 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
options->gss_authentication=-1; options->gss_authentication=-1;
options->gss_keyex = -1; options->gss_keyex = -1;
options->gss_cleanup_creds = -1; options->gss_cleanup_creds = -1;
@@ -315,6 +316,8 @@ fill_default_server_options(ServerOptions *options) @@ -359,6 +360,8 @@ fill_default_server_options(ServerOption
options->kerberos_ticket_cleanup = 1; options->kerberos_ticket_cleanup = 1;
if (options->kerberos_get_afs_token == -1) if (options->kerberos_get_afs_token == -1)
options->kerberos_get_afs_token = 0; options->kerberos_get_afs_token = 0;
@ -512,8 +503,8 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
if (options->gss_authentication == -1) if (options->gss_authentication == -1)
options->gss_authentication = 0; options->gss_authentication = 0;
if (options->gss_keyex == -1) if (options->gss_keyex == -1)
@@ -447,7 +450,8 @@ typedef enum { @@ -506,7 +509,8 @@ typedef enum {
sPermitRootLogin, sLogFacility, sLogLevel, sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
sRhostsRSAAuthentication, sRSAAuthentication, sRhostsRSAAuthentication, sRSAAuthentication,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
- sKerberosGetAFSToken, sChallengeResponseAuthentication, - sKerberosGetAFSToken, sChallengeResponseAuthentication,
@ -522,7 +513,7 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
sPasswordAuthentication, sKbdInteractiveAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily, sListenAddress, sAddressFamily,
sPrintMotd, sPrintLastLog, sIgnoreRhosts, sPrintMotd, sPrintLastLog, sIgnoreRhosts,
@@ -526,11 +530,13 @@ static struct { @@ -593,11 +597,13 @@ static struct {
#else #else
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL }, { "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif #endif
@ -536,7 +527,7 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
#endif #endif
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL }, { "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
@@ -1437,6 +1443,10 @@ process_server_config_line(ServerOptions *options, char *line, @@ -1573,6 +1579,10 @@ process_server_config_line_depth(ServerO
intptr = &options->kerberos_get_afs_token; intptr = &options->kerberos_get_afs_token;
goto parse_flag; goto parse_flag;
@ -547,7 +538,7 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
case sGssAuthentication: case sGssAuthentication:
intptr = &options->gss_authentication; intptr = &options->gss_authentication;
goto parse_flag; goto parse_flag;
@@ -2507,6 +2517,7 @@ dump_config(ServerOptions *o) @@ -2891,6 +2901,7 @@ dump_config(ServerOptions *o)
# ifdef USE_AFS # ifdef USE_AFS
dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token); dump_cfg_fmtint(sKerberosGetAFSToken, o->kerberos_get_afs_token);
# endif # endif
@ -555,11 +546,10 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
#endif #endif
#ifdef GSSAPI #ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication); dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
diff --git a/servconf.h b/servconf.h diff -up openssh-8.6p1/servconf.h.ccache_name openssh-8.6p1/servconf.h
index db8362c6..4fa42d64 100644 --- openssh-8.6p1/servconf.h.ccache_name 2021-04-19 14:05:10.848744532 +0200
--- a/servconf.h +++ openssh-8.6p1/servconf.h 2021-04-19 14:05:10.855744584 +0200
+++ b/servconf.h @@ -140,6 +140,8 @@ typedef struct {
@@ -123,6 +123,8 @@ typedef struct {
* file on logout. */ * file on logout. */
int kerberos_get_afs_token; /* If true, try to get AFS token if int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */ * authenticated with Kerberos. */
@ -568,11 +558,10 @@ index db8362c6..4fa42d64 100644
int gss_authentication; /* If true, permit GSSAPI authentication */ int gss_authentication; /* If true, permit GSSAPI authentication */
int gss_keyex; /* If true, permit GSSAPI key exchange */ int gss_keyex; /* If true, permit GSSAPI key exchange */
int gss_cleanup_creds; /* If true, destroy cred cache on logout */ int gss_cleanup_creds; /* If true, destroy cred cache on logout */
diff --git a/session.c b/session.c diff -up openssh-8.6p1/session.c.ccache_name openssh-8.6p1/session.c
index 85df6a27..480a5ead 100644 --- openssh-8.6p1/session.c.ccache_name 2021-04-19 14:05:10.852744562 +0200
--- a/session.c +++ openssh-8.6p1/session.c 2021-04-19 14:05:10.855744584 +0200
+++ b/session.c @@ -1038,7 +1038,8 @@ do_setup_env(struct ssh *ssh, Session *s
@@ -1033,7 +1033,8 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
/* Allow any GSSAPI methods that we've used to alter /* Allow any GSSAPI methods that we've used to alter
* the child's environment as they see fit * the child's environment as they see fit
*/ */
@ -582,7 +571,7 @@ index 85df6a27..480a5ead 100644
#endif #endif
/* Set basic environment. */ /* Set basic environment. */
@@ -1105,7 +1106,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) @@ -1114,7 +1115,7 @@ do_setup_env(struct ssh *ssh, Session *s
} }
#endif #endif
#ifdef KRB5 #ifdef KRB5
@ -591,33 +580,10 @@ index 85df6a27..480a5ead 100644
child_set_env(&env, &envsize, "KRB5CCNAME", child_set_env(&env, &envsize, "KRB5CCNAME",
s->authctxt->krb5_ccname); s->authctxt->krb5_ccname);
#endif #endif
diff --git a/ssh-gss.h b/ssh-gss.h diff -up openssh-8.6p1/sshd.c.ccache_name openssh-8.6p1/sshd.c
index 6593e422..245178af 100644 --- openssh-8.6p1/sshd.c.ccache_name 2021-04-19 14:05:10.849744540 +0200
--- a/ssh-gss.h +++ openssh-8.6p1/sshd.c 2021-04-19 14:05:10.855744584 +0200
+++ b/ssh-gss.h @@ -2284,7 +2284,7 @@ main(int ac, char **av)
@@ -83,7 +82,7 @@ typedef struct ssh_gssapi_mech_struct {
int (*dochild) (ssh_gssapi_client *);
int (*userok) (ssh_gssapi_client *, char *);
int (*localname) (ssh_gssapi_client *, char **);
- void (*storecreds) (ssh_gssapi_client *);
+ int (*storecreds) (ssh_gssapi_client *);
int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *);
} ssh_gssapi_mech;
@@ -127,7 +126,7 @@ int ssh_gssapi_userok(char *name);
OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
void ssh_gssapi_do_child(char ***, u_int *);
void ssh_gssapi_cleanup_creds(void);
-void ssh_gssapi_storecreds(void);
+int ssh_gssapi_storecreds(void);
const char *ssh_gssapi_displayname(void);
char *ssh_gssapi_server_mechanisms(void);
diff --git a/sshd.c b/sshd.c
index edbe815c..89514e8a 100644
--- a/sshd.c
+++ b/sshd.c
@@ -2162,7 +2162,7 @@ main(int ac, char **av)
#ifdef GSSAPI #ifdef GSSAPI
if (options.gss_authentication) { if (options.gss_authentication) {
temporarily_use_uid(authctxt->pw); temporarily_use_uid(authctxt->pw);
@ -626,11 +592,10 @@ index edbe815c..89514e8a 100644
restore_uid(); restore_uid();
} }
#endif #endif
diff --git a/sshd_config.5 b/sshd_config.5 diff -up openssh-8.6p1/sshd_config.5.ccache_name openssh-8.6p1/sshd_config.5
index c0683d4a..2349f477 100644 --- openssh-8.6p1/sshd_config.5.ccache_name 2021-04-19 14:05:10.849744540 +0200
--- a/sshd_config.5 +++ openssh-8.6p1/sshd_config.5 2021-04-19 14:05:10.856744592 +0200
+++ b/sshd_config.5 @@ -939,6 +939,14 @@ Specifies whether to automatically destr
@@ -860,6 +860,14 @@ Specifies whether to automatically destroy the user's ticket cache
file on logout. file on logout.
The default is The default is
.Cm yes . .Cm yes .
@ -645,3 +610,24 @@ index c0683d4a..2349f477 100644
.It Cm KexAlgorithms .It Cm KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms. Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated. Multiple algorithms must be comma-separated.
diff -up openssh-8.6p1/ssh-gss.h.ccache_name openssh-8.6p1/ssh-gss.h
--- openssh-8.6p1/ssh-gss.h.ccache_name 2021-04-19 14:05:10.852744562 +0200
+++ openssh-8.6p1/ssh-gss.h 2021-04-19 14:05:10.855744584 +0200
@@ -114,7 +114,7 @@ typedef struct ssh_gssapi_mech_struct {
int (*dochild) (ssh_gssapi_client *);
int (*userok) (ssh_gssapi_client *, char *);
int (*localname) (ssh_gssapi_client *, char **);
- void (*storecreds) (ssh_gssapi_client *);
+ int (*storecreds) (ssh_gssapi_client *);
int (*updatecreds) (ssh_gssapi_ccache *, ssh_gssapi_client *);
} ssh_gssapi_mech;
@@ -175,7 +175,7 @@ int ssh_gssapi_userok(char *name, struct
OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
void ssh_gssapi_do_child(char ***, u_int *);
void ssh_gssapi_cleanup_creds(void);
-void ssh_gssapi_storecreds(void);
+int ssh_gssapi_storecreds(void);
const char *ssh_gssapi_displayname(void);
char *ssh_gssapi_server_mechanisms(void);

View File

@ -1,7 +1,7 @@
diff --git a/sshd.c b/sshd.c diff -up openssh-8.6p1/sshd.c.log-usepam-no openssh-8.6p1/sshd.c
--- a/sshd.c --- openssh-8.6p1/sshd.c.log-usepam-no 2021-04-19 14:00:45.099735129 +0200
+++ b/sshd.c +++ openssh-8.6p1/sshd.c 2021-04-19 14:03:21.140920974 +0200
@@ -1701,6 +1701,10 @@ main(int ac, char **av) @@ -1749,6 +1749,10 @@ main(int ac, char **av)
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
cfg, &includes, NULL); cfg, &includes, NULL);
@ -9,13 +9,13 @@ diff --git a/sshd.c b/sshd.c
+ if (! options.use_pam) + if (! options.use_pam)
+ logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems."); + logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems.");
+ +
/* Fill in default values for those options not explicitly set. */ #ifdef WITH_OPENSSL
fill_default_server_options(&options); if (options.moduli_file != NULL)
dh_set_moduli_file(options.moduli_file);
diff --git a/sshd_config b/sshd_config diff -up openssh-8.6p1/sshd_config.log-usepam-no openssh-8.6p1/sshd_config
--- a/sshd_config --- openssh-8.6p1/sshd_config.log-usepam-no 2021-04-19 14:00:45.098735121 +0200
+++ b/sshd_config +++ openssh-8.6p1/sshd_config 2021-04-19 14:00:45.099735129 +0200
@@ -101,6 +101,8 @@ GSSAPICleanupCredentials no @@ -87,6 +87,8 @@ AuthorizedKeysFile .ssh/authorized_keys
# If you just want the PAM account and session checks to run without # If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication # PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'. # and ChallengeResponseAuthentication to 'no'.

View File

@ -52,7 +52,7 @@ diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
gss_buffer_desc mic, gssbuf; gss_buffer_desc mic, gssbuf;
const char *displayname; const char *displayname;
@@ -298,7 +299,13 @@ input_gssapi_mic(int type, u_int32_t ple @@ -298,7 +299,13 @@ input_gssapi_mic(int type, u_int32_t ple
fatal("%s: sshbuf_new failed", __func__); fatal_f("sshbuf_new failed");
mic.value = p; mic.value = p;
mic.length = len; mic.length = len;
- ssh_gssapi_buildmic(b, authctxt->user, authctxt->service, - ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
@ -63,7 +63,7 @@ diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
+#endif +#endif
+ micuser = authctxt->user; + micuser = authctxt->user;
+ ssh_gssapi_buildmic(b, micuser, authctxt->service, + ssh_gssapi_buildmic(b, micuser, authctxt->service,
"gssapi-with-mic"); "gssapi-with-mic", ssh->kex->session_id);
if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL) if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
@@ -311,6 +318,8 @@ input_gssapi_mic(int type, u_int32_t ple @@ -311,6 +318,8 @@ input_gssapi_mic(int type, u_int32_t ple
@ -80,7 +80,7 @@ diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c
+++ openssh/auth2-hostbased.c 2018-08-22 11:14:56.816430924 +0200 +++ openssh/auth2-hostbased.c 2018-08-22 11:14:56.816430924 +0200
@@ -123,7 +123,16 @@ userauth_hostbased(struct ssh *ssh) @@ -123,7 +123,16 @@ userauth_hostbased(struct ssh *ssh)
/* reconstruct packet */ /* reconstruct packet */
if ((r = sshbuf_put_string(b, session_id2, session_id2_len)) != 0 || if ((r = sshbuf_put_stringb(b, ssh->kex->session_id)) != 0 ||
(r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 || (r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
+#ifdef WITH_SELINUX +#ifdef WITH_SELINUX
+ (authctxt->role + (authctxt->role
@ -224,8 +224,8 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
+ monitor_permit_authentications(1); + monitor_permit_authentications(1);
+ +
+ if ((r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0) + if ((r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_f("buffer error: %s", ssh_err(r));
+ debug3("%s: role=%s", __func__, authctxt->role); + debug3_f("role=%s", authctxt->role);
+ +
+ if (strlen(authctxt->role) == 0) { + if (strlen(authctxt->role) == 0) {
+ free(authctxt->role); + free(authctxt->role);
@ -251,7 +251,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
@@ -1251,6 +1280,8 @@ monitor_valid_userblob(u_char *data, u_i @@ -1251,6 +1280,8 @@ monitor_valid_userblob(u_char *data, u_i
fail++; fail++;
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0) if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse userstyle");
+ if ((s = strchr(cp, '/')) != NULL) + if ((s = strchr(cp, '/')) != NULL)
+ *s = '\0'; + *s = '\0';
xasprintf(&userstyle, "%s%s%s", authctxt->user, xasprintf(&userstyle, "%s%s%s", authctxt->user,
@ -269,7 +269,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
@@ -1308,6 +1339,8 @@ monitor_valid_hostbasedblob(u_char *data @@ -1308,6 +1339,8 @@ monitor_valid_hostbasedblob(u_char *data
fail++; fail++;
if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0) if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse userstyle");
+ if ((s = strchr(p, '/')) != NULL) + if ((s = strchr(p, '/')) != NULL)
+ *s = '\0'; + *s = '\0';
xasprintf(&userstyle, "%s%s%s", authctxt->user, xasprintf(&userstyle, "%s%s%s", authctxt->user,
@ -305,12 +305,12 @@ diff -up openssh/monitor_wrap.c.role-mls openssh/monitor_wrap.c
+ int r; + int r;
+ struct sshbuf *m; + struct sshbuf *m;
+ +
+ debug3("%s entering", __func__); + debug3_f("entering");
+ +
+ if ((m = sshbuf_new()) == NULL) + if ((m = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__); + fatal_f("sshbuf_new failed");
+ if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0) + if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_f("buffer error: %s", ssh_err(r));
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m);
+ +
+ sshbuf_free(m); + sshbuf_free(m);
@ -357,7 +357,7 @@ diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/por
-void -void
-ssh_selinux_setup_exec_context(char *pwname) -ssh_selinux_setup_exec_context(char *pwname)
-{ -{
- security_context_t user_ctx = NULL; - char *user_ctx = NULL;
- -
- if (!ssh_selinux_enabled()) - if (!ssh_selinux_enabled())
- return; - return;
@ -393,7 +393,7 @@ diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/por
- user_ctx = ssh_selinux_getctxbyname(pwname); - user_ctx = ssh_selinux_getctxbyname(pwname);
+ if (getexeccon(&user_ctx) != 0) { + if (getexeccon(&user_ctx) != 0) {
+ error("%s: getexeccon: %s", __func__, strerror(errno)); + error_f("getexeccon: %s", strerror(errno));
+ goto out; + goto out;
+ } + }
+ +
@ -418,7 +418,7 @@ diff -up openssh/openbsd-compat/port-linux.h.role-mls openssh/openbsd-compat/por
diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compat/port-linux-sshd.c diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compat/port-linux-sshd.c
--- openssh/openbsd-compat/port-linux-sshd.c.role-mls 2018-08-22 11:14:56.819430949 +0200 --- openssh/openbsd-compat/port-linux-sshd.c.role-mls 2018-08-22 11:14:56.819430949 +0200
+++ openssh/openbsd-compat/port-linux-sshd.c 2018-08-22 11:14:56.819430949 +0200 +++ openssh/openbsd-compat/port-linux-sshd.c 2018-08-22 11:14:56.819430949 +0200
@@ -0,0 +1,425 @@ @@ -0,0 +1,421 @@
+/* +/*
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com> + * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
+ * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com> + * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com>
@ -530,7 +530,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
+ access_vector_t bit; + access_vector_t bit;
+ security_class_t class; + security_class_t class;
+ +
+ debug("%s: src:%s dst:%s", __func__, src, dst); + debug_f("src:%s dst:%s", src, dst);
+ class = string_to_security_class("context"); + class = string_to_security_class("context");
+ if (!class) { + if (!class) {
+ error("string_to_security_class failed to translate security class context"); + error("string_to_security_class failed to translate security class context");
@ -692,7 +692,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
+ /* we actually don't change level */ + /* we actually don't change level */
+ reqlvl = ""; + reqlvl = "";
+ +
+ debug("%s: current connection level '%s'", __func__, reqlvl); + debug_f("current connection level '%s'", reqlvl);
+ +
+ } + }
+ +
@ -720,8 +720,8 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
+ } + }
+ } + }
+ if (r != 0) { + if (r != 0) {
+ error("%s: Failed to get default SELinux security " + error_f("Failed to get default SELinux security "
+ "context for %s", __func__, pwname); + "context for %s", pwname);
+ } + }
+ +
+#ifdef HAVE_GETSEUSERBYNAME +#ifdef HAVE_GETSEUSERBYNAME
@ -746,7 +746,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
+ char *use_current; + char *use_current;
+ int rv; + int rv;
+ +
+ debug3("%s: setting execution context", __func__); + debug3_f("setting execution context");
+ +
+ ssh_selinux_get_role_level(&role, &reqlvl); + ssh_selinux_get_role_level(&role, &reqlvl);
+ +
@ -783,32 +783,30 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
+ if (sshd_selinux_setup_pam_variables()) { + if (sshd_selinux_setup_pam_variables()) {
+ switch (security_getenforce()) { + switch (security_getenforce()) {
+ case -1: + case -1:
+ fatal("%s: security_getenforce() failed", __func__); + fatal_f("security_getenforce() failed");
+ case 0: + case 0:
+ error("%s: SELinux PAM variable setup failure. Continuing in permissive mode.", + error_f("SELinux PAM variable setup failure. Continuing in permissive mode.");
+ __func__);
+ break; + break;
+ default: + default:
+ fatal("%s: SELinux PAM variable setup failure. Aborting connection.", + fatal_f("SELinux PAM variable setup failure. Aborting connection.");
+ __func__);
+ } + }
+ } + }
+ return; + return;
+ } + }
+ +
+ debug3("%s: setting execution context", __func__); + debug3_f("setting execution context");
+ +
+ r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx); + r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
+ if (r >= 0) { + if (r >= 0) {
+ r = setexeccon(user_ctx); + r = setexeccon(user_ctx);
+ if (r < 0) { + if (r < 0) {
+ error("%s: Failed to set SELinux execution context %s for %s", + error_f("Failed to set SELinux execution context %s for %s",
+ __func__, user_ctx, pwname); + user_ctx, pwname);
+ } + }
+#ifdef HAVE_SETKEYCREATECON +#ifdef HAVE_SETKEYCREATECON
+ else if (setkeycreatecon(user_ctx) < 0) { + else if (setkeycreatecon(user_ctx) < 0) {
+ error("%s: Failed to set SELinux keyring creation context %s for %s", + error_f("Failed to set SELinux keyring creation context %s for %s",
+ __func__, user_ctx, pwname); + user_ctx, pwname);
+ } + }
+#endif +#endif
+ } + }
@ -823,14 +821,12 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
+ if (r < 0) { + if (r < 0) {
+ switch (security_getenforce()) { + switch (security_getenforce()) {
+ case -1: + case -1:
+ fatal("%s: security_getenforce() failed", __func__); + fatal_f("security_getenforce() failed");
+ case 0: + case 0:
+ error("%s: SELinux failure. Continuing in permissive mode.", + error_f("ELinux failure. Continuing in permissive mode.");
+ __func__);
+ break; + break;
+ default: + default:
+ fatal("%s: SELinux failure. Aborting connection.", + fatal_f("SELinux failure. Aborting connection.");
+ __func__);
+ } + }
+ } + }
+ if (user_ctx != NULL && user_ctx != default_ctx) + if (user_ctx != NULL && user_ctx != default_ctx)
@ -838,7 +834,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
+ if (default_ctx != NULL) + if (default_ctx != NULL)
+ freecon(default_ctx); + freecon(default_ctx);
+ +
+ debug3("%s: done", __func__); + debug3_f("done");
+} +}
+ +
+#endif +#endif

View File

@ -1,27 +0,0 @@
From 22bfdcf060b632b5a6ff603f8f42ff166c211a66 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 29 Sep 2020 10:02:45 +0000
Subject: [PATCH] Fail hard on the first failed attempt to write the
authorized_keys_file
---
ssh-copy-id | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
index 392f64f..e69a23f 100755
--- a/contrib/ssh-copy-id
+++ b/contrib/ssh-copy-id
@@ -251,7 +251,7 @@ installkeys_sh() {
cd;
umask 077;
mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
- { [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || echo >> ${AUTH_KEY_FILE}; } &&
+ { [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || echo >> ${AUTH_KEY_FILE} || exit 1; } &&
cat >> ${AUTH_KEY_FILE} ||
exit 1;
if type restorecon >/dev/null 2>&1; then
--
GitLab

View File

@ -1,7 +1,7 @@
diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5 diff -up openssh-8.6p1/ssh_config.5.crypto-policies openssh-8.6p1/ssh_config.5
--- openssh-8.2p1/ssh_config.5.crypto-policies 2020-03-26 14:40:44.546775605 +0100 --- openssh-8.6p1/ssh_config.5.crypto-policies 2021-04-19 15:18:32.071920379 +0200
+++ openssh-8.2p1/ssh_config.5 2020-03-26 14:52:20.700649727 +0100 +++ openssh-8.6p1/ssh_config.5 2021-04-19 15:21:18.400179265 +0200
@@ -359,17 +359,17 @@ or @@ -368,15 +368,13 @@ or
.Qq *.c.example.com .Qq *.c.example.com
domains. domains.
.It Cm CASignatureAlgorithms .It Cm CASignatureAlgorithms
@ -14,19 +14,16 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
by certificate authorities (CAs). by certificate authorities (CAs).
-The default is: -The default is:
-.Bd -literal -offset indent -.Bd -literal -offset indent
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa -sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256
-.Ed -.Ed
-.Pp -.Pp
.Xr ssh 1 .Xr ssh 1
will not accept host certificates signed using algorithms other than those will not accept host certificates signed using algorithms other than those
specified. specified.
+.Pp @@ -436,20 +434,25 @@ If the option is set to
.It Cm CertificateFile (the default),
Specifies a file from which the user's certificate is read.
A corresponding private key must be provided separately in order
@@ -424,20 +424,25 @@ If the option is set to
.Cm no ,
the check will not be executed. the check will not be executed.
.It Cm Ciphers .It Cm Ciphers
+The default is handled system-wide by +The default is handled system-wide by
@ -55,7 +52,7 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
.Pp .Pp
The supported ciphers are: The supported ciphers are:
.Bd -literal -offset indent .Bd -literal -offset indent
@@ -453,13 +458,6 @@ aes256-gcm@openssh.com @@ -465,13 +468,6 @@ aes256-gcm@openssh.com
chacha20-poly1305@openssh.com chacha20-poly1305@openssh.com
.Ed .Ed
.Pp .Pp
@ -69,7 +66,7 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
The list of available ciphers may also be obtained using The list of available ciphers may also be obtained using
.Qq ssh -Q cipher . .Qq ssh -Q cipher .
.It Cm ClearAllForwardings .It Cm ClearAllForwardings
@@ -812,6 +810,11 @@ command line will be passed untouched to @@ -826,6 +822,11 @@ command line will be passed untouched to
The default is The default is
.Dq no . .Dq no .
.It Cm GSSAPIKexAlgorithms .It Cm GSSAPIKexAlgorithms
@ -81,7 +78,7 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
The list of key exchange algorithms that are offered for GSSAPI The list of key exchange algorithms that are offered for GSSAPI
key exchange. Possible values are key exchange. Possible values are
.Bd -literal -offset 3n .Bd -literal -offset 3n
@@ -824,10 +827,8 @@ gss-nistp256-sha256-, @@ -838,10 +839,8 @@ gss-nistp256-sha256-,
gss-curve25519-sha256- gss-curve25519-sha256-
.Ed .Ed
.Pp .Pp
@ -93,7 +90,7 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
.It Cm HashKnownHosts .It Cm HashKnownHosts
Indicates that Indicates that
.Xr ssh 1 .Xr ssh 1
@@ -1149,29 +1150,25 @@ it may be zero or more of: @@ -1169,29 +1168,25 @@ it may be zero or more of:
and and
.Cm pam . .Cm pam .
.It Cm KexAlgorithms .It Cm KexAlgorithms
@ -132,9 +129,9 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
.Pp .Pp
The list of available key exchange algorithms may also be obtained using The list of available key exchange algorithms may also be obtained using
.Qq ssh -Q kex . .Qq ssh -Q kex .
@@ -1231,37 +1228,33 @@ The default is INFO. @@ -1301,37 +1296,33 @@ function, and all code in the
DEBUG and DEBUG1 are equivalent. file.
DEBUG2 and DEBUG3 each specify higher levels of verbose output. This option is intended for debugging and no overrides are enabled by default.
.It Cm MACs .It Cm MACs
+The default is handled system-wide by +The default is handled system-wide by
+.Xr crypto-policies 7 . +.Xr crypto-policies 7 .
@ -179,56 +176,57 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
The list of available MAC algorithms may also be obtained using The list of available MAC algorithms may also be obtained using
.Qq ssh -Q mac . .Qq ssh -Q mac .
.It Cm NoHostAuthenticationForLocalhost .It Cm NoHostAuthenticationForLocalhost
@@ -1394,36 +1387,25 @@ instead of continuing to execute and pas @@ -1503,37 +1494,25 @@ instead of continuing to execute and pas
The default is The default is
.Cm no . .Cm no .
.It Cm PubkeyAcceptedKeyTypes .It Cm PubkeyAcceptedAlgorithms
+The default is handled system-wide by +The default is handled system-wide by
+.Xr crypto-policies 7 . +.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page +To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 . +.Xr update-crypto-policies 8 .
+.Pp +.Pp
Specifies the key types that will be used for public key authentication Specifies the signature algorithms that will be used for public key
as a comma-separated list of patterns. authentication as a comma-separated list of patterns.
If the specified list begins with a If the specified list begins with a
.Sq + .Sq +
-character, then the key types after it will be appended to the default -character, then the algorithms after it will be appended to the default
-instead of replacing it. -instead of replacing it.
+character, then the key types after it will be appended to the built-in +character, then the algorithms after it will be appended to the built-in
+openssh default instead of replacing it. +openssh default instead of replacing it.
If the specified list begins with a If the specified list begins with a
.Sq - .Sq -
character, then the specified key types (including wildcards) will be removed character, then the specified algorithms (including wildcards) will be removed
-from the default set instead of replacing them. -from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them. +from the built-in openssh default set instead of replacing them.
If the specified list begins with a If the specified list begins with a
.Sq ^ .Sq ^
character, then the specified key types will be placed at the head of the character, then the specified algorithms will be placed at the head of the
-default set. -default set.
-The default for this option is: -The default for this option is:
-.Bd -literal -offset 3n -.Bd -literal -offset 3n
-ssh-ed25519-cert-v01@openssh.com,
-ecdsa-sha2-nistp256-cert-v01@openssh.com, -ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ecdsa-sha2-nistp384-cert-v01@openssh.com, -ecdsa-sha2-nistp384-cert-v01@openssh.com,
-ecdsa-sha2-nistp521-cert-v01@openssh.com, -ecdsa-sha2-nistp521-cert-v01@openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ssh-ed25519-cert-v01@openssh.com,
-sk-ssh-ed25519-cert-v01@openssh.com, -sk-ssh-ed25519-cert-v01@openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com, -rsa-sha2-512-cert-v01@openssh.com,
-rsa-sha2-256-cert-v01@openssh.com, -rsa-sha2-256-cert-v01@openssh.com,
-ssh-rsa-cert-v01@openssh.com, -ssh-rsa-cert-v01@openssh.com,
-ssh-ed25519,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com, -sk-ecdsa-sha2-nistp256@openssh.com,
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
-rsa-sha2-512,rsa-sha2-256,ssh-rsa -rsa-sha2-512,rsa-sha2-256,ssh-rsa
-.Ed -.Ed
+built-in openssh default set. +built-in openssh default set.
.Pp .Pp
The list of available key types may also be obtained using The list of available signature algorithms may also be obtained using
.Qq ssh -Q PubkeyAcceptedKeyTypes . .Qq ssh -Q PubkeyAcceptedAlgorithms .
diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5 diff -up openssh-8.6p1/sshd_config.5.crypto-policies openssh-8.6p1/sshd_config.5
--- openssh-8.2p1/sshd_config.5.crypto-policies 2020-03-26 14:40:44.530775355 +0100 --- openssh-8.6p1/sshd_config.5.crypto-policies 2021-04-19 15:18:32.062920311 +0200
+++ openssh-8.2p1/sshd_config.5 2020-03-26 14:48:56.732468099 +0100 +++ openssh-8.6p1/sshd_config.5 2021-04-19 15:20:42.591908243 +0200
@@ -375,16 +375,16 @@ If the argument is @@ -373,15 +373,13 @@ If the argument is
then no banner is displayed. then no banner is displayed.
By default, no banner is displayed. By default, no banner is displayed.
.It Cm CASignatureAlgorithms .It Cm CASignatureAlgorithms
@ -241,17 +239,15 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
by certificate authorities (CAs). by certificate authorities (CAs).
-The default is: -The default is:
-.Bd -literal -offset indent -.Bd -literal -offset indent
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa -sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,
-rsa-sha2-512,rsa-sha2-256
-.Ed -.Ed
-.Pp -.Pp
Certificates signed using other algorithms will not be accepted for Certificates signed using other algorithms will not be accepted for
public key or host-based authentication. public key or host-based authentication.
+.Pp
.It Cm ChallengeResponseAuthentication .It Cm ChallengeResponseAuthentication
Specifies whether challenge-response authentication is allowed (e.g. via @@ -445,20 +443,25 @@ The default is
PAM or through authentication styles supported in
@@ -446,20 +446,25 @@ The default is
indicating not to indicating not to
.Xr chroot 2 . .Xr chroot 2 .
.It Cm Ciphers .It Cm Ciphers
@ -281,7 +277,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
.Pp .Pp
The supported ciphers are: The supported ciphers are:
.Pp .Pp
@@ -486,13 +491,6 @@ aes256-gcm@openssh.com @@ -485,13 +488,6 @@ aes256-gcm@openssh.com
chacha20-poly1305@openssh.com chacha20-poly1305@openssh.com
.El .El
.Pp .Pp
@ -295,7 +291,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
The list of available ciphers may also be obtained using The list of available ciphers may also be obtained using
.Qq ssh -Q cipher . .Qq ssh -Q cipher .
.It Cm ClientAliveCountMax .It Cm ClientAliveCountMax
@@ -681,22 +679,24 @@ For this to work @@ -680,21 +676,22 @@ For this to work
.Cm GSSAPIKeyExchange .Cm GSSAPIKeyExchange
needs to be enabled in the server and also used by the client. needs to be enabled in the server and also used by the client.
.It Cm GSSAPIKexAlgorithms .It Cm GSSAPIKexAlgorithms
@ -326,11 +322,9 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
-.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-, -.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
-gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- . -gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
This option only applies to connections using GSSAPI. This option only applies to connections using GSSAPI.
+.Pp .It Cm HostbasedAcceptedAlgorithms
.It Cm HostbasedAcceptedKeyTypes Specifies the signature algorithms that will be accepted for hostbased
Specifies the key types that will be accepted for hostbased authentication @@ -794,26 +791,13 @@ is specified, the location of the socket
as a list of comma-separated patterns.
@@ -793,25 +793,13 @@ is specified, the location of the socket
.Ev SSH_AUTH_SOCK .Ev SSH_AUTH_SOCK
environment variable. environment variable.
.It Cm HostKeyAlgorithms .It Cm HostKeyAlgorithms
@ -339,29 +333,30 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
+To see the defaults and how to modify this default, see manual page +To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 . +.Xr update-crypto-policies 8 .
+.Pp +.Pp
Specifies the host key algorithms Specifies the host key signature algorithms
that the server offers. that the server offers.
-The default for this option is: -The default for this option is:
-.Bd -literal -offset 3n -.Bd -literal -offset 3n
-ssh-ed25519-cert-v01@openssh.com,
-ecdsa-sha2-nistp256-cert-v01@openssh.com, -ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ecdsa-sha2-nistp384-cert-v01@openssh.com, -ecdsa-sha2-nistp384-cert-v01@openssh.com,
-ecdsa-sha2-nistp521-cert-v01@openssh.com, -ecdsa-sha2-nistp521-cert-v01@openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ssh-ed25519-cert-v01@openssh.com,
-sk-ssh-ed25519-cert-v01@openssh.com, -sk-ssh-ed25519-cert-v01@openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com, -rsa-sha2-512-cert-v01@openssh.com,
-rsa-sha2-256-cert-v01@openssh.com, -rsa-sha2-256-cert-v01@openssh.com,
-ssh-rsa-cert-v01@openssh.com, -ssh-rsa-cert-v01@openssh.com,
-ssh-ed25519,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com, -sk-ecdsa-sha2-nistp256@openssh.com,
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
-rsa-sha2-512,rsa-sha2-256,ssh-rsa -rsa-sha2-512,rsa-sha2-256,ssh-rsa
-.Ed -.Ed
-.Pp -.Pp
The list of available key types may also be obtained using The list of available signature algorithms may also be obtained using
.Qq ssh -Q HostKeyAlgorithms . .Qq ssh -Q HostKeyAlgorithms .
.It Cm IgnoreRhosts .It Cm IgnoreRhosts
@@ -943,20 +931,25 @@ Specifies whether to look at .k5login fi @@ -958,20 +942,25 @@ Specifies whether to look at .k5login fi
The default is The default is
.Cm yes . .Cm yes .
.It Cm KexAlgorithms .It Cm KexAlgorithms
@ -391,8 +386,8 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
The supported algorithms are: The supported algorithms are:
.Pp .Pp
.Bl -item -compact -offset indent .Bl -item -compact -offset indent
@@ -988,15 +981,6 @@ ecdh-sha2-nistp521 @@ -1003,15 +992,6 @@ ecdh-sha2-nistp521
sntrup4591761x25519-sha512@tinyssh.org sntrup761x25519-sha512@openssh.com
.El .El
.Pp .Pp
-The default is: -The default is:
@ -407,9 +402,9 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
The list of available key exchange algorithms may also be obtained using The list of available key exchange algorithms may also be obtained using
.Qq ssh -Q KexAlgorithms . .Qq ssh -Q KexAlgorithms .
.It Cm ListenAddress .It Cm ListenAddress
@@ -1065,21 +1049,26 @@ DEBUG and DEBUG1 are equivalent. @@ -1097,21 +1077,26 @@ function, and all code in the
DEBUG2 and DEBUG3 each specify higher levels of debugging output. file.
Logging with a DEBUG level violates the privacy of users and is not recommended. This option is intended for debugging and no overrides are enabled by default.
.It Cm MACs .It Cm MACs
+The default is handled system-wide by +The default is handled system-wide by
+.Xr crypto-policies 7 . +.Xr crypto-policies 7 .
@ -438,7 +433,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
.Pp .Pp
The algorithms that contain The algorithms that contain
.Qq -etm .Qq -etm
@@ -1122,15 +1111,6 @@ umac-64-etm@openssh.com @@ -1154,15 +1139,6 @@ umac-64-etm@openssh.com
umac-128-etm@openssh.com umac-128-etm@openssh.com
.El .El
.Pp .Pp
@ -454,49 +449,50 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
The list of available MAC algorithms may also be obtained using The list of available MAC algorithms may also be obtained using
.Qq ssh -Q mac . .Qq ssh -Q mac .
.It Cm Match .It Cm Match
@@ -1480,36 +1460,25 @@ or equivalent.) @@ -1541,37 +1517,25 @@ or equivalent.)
The default is The default is
.Cm yes . .Cm yes .
.It Cm PubkeyAcceptedKeyTypes .It Cm PubkeyAcceptedAlgorithms
+The default is handled system-wide by +The default is handled system-wide by
+.Xr crypto-policies 7 . +.Xr crypto-policies 7 .
+To see the defaults and how to modify this default, see manual page +To see the defaults and how to modify this default, see manual page
+.Xr update-crypto-policies 8 . +.Xr update-crypto-policies 8 .
+.Pp +.Pp
Specifies the key types that will be accepted for public key authentication Specifies the signature algorithms that will be accepted for public key
as a list of comma-separated patterns. authentication as a list of comma-separated patterns.
Alternately if the specified list begins with a Alternately if the specified list begins with a
.Sq + .Sq +
-character, then the specified key types will be appended to the default set -character, then the specified algorithms will be appended to the default set
-instead of replacing them. -instead of replacing them.
+character, then the specified key types will be appended to the built-in +character, then the specified algorithms will be appended to the built-in
+openssh default set instead of replacing them. +openssh default set instead of replacing them.
If the specified list begins with a If the specified list begins with a
.Sq - .Sq -
character, then the specified key types (including wildcards) will be removed character, then the specified algorithms (including wildcards) will be removed
-from the default set instead of replacing them. -from the default set instead of replacing them.
+from the built-in openssh default set instead of replacing them. +from the built-in openssh default set instead of replacing them.
If the specified list begins with a If the specified list begins with a
.Sq ^ .Sq ^
character, then the specified key types will be placed at the head of the character, then the specified algorithms will be placed at the head of the
-default set. -default set.
-The default for this option is: -The default for this option is:
-.Bd -literal -offset 3n -.Bd -literal -offset 3n
-ssh-ed25519-cert-v01@openssh.com,
-ecdsa-sha2-nistp256-cert-v01@openssh.com, -ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ecdsa-sha2-nistp384-cert-v01@openssh.com, -ecdsa-sha2-nistp384-cert-v01@openssh.com,
-ecdsa-sha2-nistp521-cert-v01@openssh.com, -ecdsa-sha2-nistp521-cert-v01@openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-ssh-ed25519-cert-v01@openssh.com,
-sk-ssh-ed25519-cert-v01@openssh.com, -sk-ssh-ed25519-cert-v01@openssh.com,
-sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
-rsa-sha2-512-cert-v01@openssh.com, -rsa-sha2-512-cert-v01@openssh.com,
-rsa-sha2-256-cert-v01@openssh.com, -rsa-sha2-256-cert-v01@openssh.com,
-ssh-rsa-cert-v01@openssh.com, -ssh-rsa-cert-v01@openssh.com,
-ssh-ed25519,
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521, -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
-sk-ssh-ed25519@openssh.com,
-sk-ecdsa-sha2-nistp256@openssh.com, -sk-ecdsa-sha2-nistp256@openssh.com,
-ssh-ed25519,sk-ssh-ed25519@openssh.com,
-rsa-sha2-512,rsa-sha2-256,ssh-rsa -rsa-sha2-512,rsa-sha2-256,ssh-rsa
-.Ed -.Ed
+built-in openssh default set. +built-in openssh default set.
.Pp .Pp
The list of available key types may also be obtained using The list of available signature algorithms may also be obtained using
.Qq ssh -Q PubkeyAcceptedKeyTypes . .Qq ssh -Q PubkeyAcceptedAlgorithms .

View File

@ -5,7 +5,7 @@ index e7549470..b68c1710 100644
@@ -109,6 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ @@ -109,6 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \ kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
kexgexc.o kexgexs.o \ kexgexc.o kexgexs.o \
sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \ kexsntrup761x25519.o sntrup761.o kexgen.o \
+ kexgssc.o \ + kexgssc.o \
sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \ sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
sshbuf-io.o sshbuf-io.o
@ -17,7 +17,7 @@ index e7549470..b68c1710 100644
- auth2-gss.o gss-serv.o gss-serv-krb5.o \ - auth2-gss.o gss-serv.o gss-serv-krb5.o \
+ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ + auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
sftp-server.o sftp-common.o \ srclimit.o sftp-server.o sftp-common.o \
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
diff --git a/auth.c b/auth.c diff --git a/auth.c b/auth.c
index 086b8ebb..687c57b4 100644 index 086b8ebb..687c57b4 100644
@ -138,7 +138,7 @@ index 9351e042..d6446c0c 100644
--- a/auth2-gss.c --- a/auth2-gss.c
+++ b/auth2-gss.c +++ b/auth2-gss.c
@@ -1,7 +1,7 @@ @@ -1,7 +1,7 @@
/* $OpenBSD: auth2-gss.c,v 1.29 2018/07/31 03:10:27 djm Exp $ */ /* $OpenBSD: auth2-gss.c,v 1.32 2021/01/27 10:15:08 djm Exp $ */
/* /*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@ -165,19 +165,19 @@ index 9351e042..d6446c0c 100644
+ +
+ if ((r = sshpkt_get_string(ssh, &p, &len)) != 0 || + if ((r = sshpkt_get_string(ssh, &p, &len)) != 0 ||
+ (r = sshpkt_get_end(ssh)) != 0) + (r = sshpkt_get_end(ssh)) != 0)
+ fatal("%s: %s", __func__, ssh_err(r)); + fatal_fr(r, "parsing");
+ +
+ if ((b = sshbuf_new()) == NULL) + if ((b = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__); + fatal_f("sshbuf_new failed");
+ +
+ mic.value = p; + mic.value = p;
+ mic.length = len; + mic.length = len;
+ +
+ ssh_gssapi_buildmic(b, authctxt->user, authctxt->service, + ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
+ "gssapi-keyex"); + "gssapi-keyex", ssh->kex->session_id);
+ +
+ if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL) + if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
+ fatal("%s: sshbuf_mutable_ptr failed", __func__); + fatal_f("sshbuf_mutable_ptr failed");
+ gssbuf.length = sshbuf_len(b); + gssbuf.length = sshbuf_len(b);
+ +
+ /* gss_kex_context is NULL with privsep, so we can't check it here */ + /* gss_kex_context is NULL with privsep, so we can't check it here */
@ -197,7 +197,7 @@ index 9351e042..d6446c0c 100644
* how to check local user kuserok and the like) * how to check local user kuserok and the like)
@@ -260,7 +302,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh) @@ -260,7 +302,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
if ((r = sshpkt_get_end(ssh)) != 0) if ((r = sshpkt_get_end(ssh)) != 0)
fatal("%s: %s", __func__, ssh_err(r)); fatal_fr(r, "parse packet");
- authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user)); - authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
+ authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user, + authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
@ -441,7 +441,7 @@ index d56257b4..763a63ff 100644
--- a/gss-genr.c --- a/gss-genr.c
+++ b/gss-genr.c +++ b/gss-genr.c
@@ -1,7 +1,7 @@ @@ -1,7 +1,7 @@
/* $OpenBSD: gss-genr.c,v 1.26 2018/07/10 09:13:30 djm Exp $ */ /* $OpenBSD: gss-genr.c,v 1.28 2021/01/27 10:05:28 djm Exp $ */
/* /*
- * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved. - * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
@ -449,7 +449,7 @@ index d56257b4..763a63ff 100644
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions * modification, are permitted provided that the following conditions
@@ -41,12 +41,36 @@ @@ -41,9 +41,33 @@
#include "sshbuf.h" #include "sshbuf.h"
#include "log.h" #include "log.h"
#include "ssh2.h" #include "ssh2.h"
@ -461,9 +461,6 @@ index d56257b4..763a63ff 100644
#include "ssh-gss.h" #include "ssh-gss.h"
extern u_char *session_id2;
extern u_int session_id2_len;
+typedef struct { +typedef struct {
+ char *encoded; + char *encoded;
+ gss_OID oid; + gss_OID oid;
@ -486,7 +483,7 @@ index d56257b4..763a63ff 100644
/* sshbuf_get for gss_buffer_desc */ /* sshbuf_get for gss_buffer_desc */
int int
ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g) ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
@@ -62,6 +86,162 @@ ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g) @@ -62,6 +86,159 @@ ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
return 0; return 0;
} }
@ -548,7 +545,7 @@ index d56257b4..763a63ff 100644
+ (gss_supported->count + 1)); + (gss_supported->count + 1));
+ +
+ if ((buf = sshbuf_new()) == NULL) + if ((buf = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__); + fatal_f("sshbuf_new failed");
+ +
+ oidpos = 0; + oidpos = 0;
+ s = cp = xstrdup(kex); + s = cp = xstrdup(kex);
@ -565,8 +562,7 @@ index d56257b4..763a63ff 100644
+ gss_supported->elements[i].elements, + gss_supported->elements[i].elements,
+ gss_supported->elements[i].length)) != 0 || + gss_supported->elements[i].length)) != 0 ||
+ (r = ssh_digest_final(md, digest, sizeof(digest))) != 0) + (r = ssh_digest_final(md, digest, sizeof(digest))) != 0)
+ fatal("%s: digest failed: %s", __func__, + fatal_fr(r, "digest failed");
+ ssh_err(r));
+ ssh_digest_free(md); + ssh_digest_free(md);
+ md = NULL; + md = NULL;
+ +
@ -581,12 +577,10 @@ index d56257b4..763a63ff 100644
+ (p = strsep(&cp, ","))) { + (p = strsep(&cp, ","))) {
+ if (sshbuf_len(buf) != 0 && + if (sshbuf_len(buf) != 0 &&
+ (r = sshbuf_put_u8(buf, ',')) != 0) + (r = sshbuf_put_u8(buf, ',')) != 0)
+ fatal("%s: sshbuf_put_u8 error: %s", + fatal_fr(r, "sshbuf_put_u8 error");
+ __func__, ssh_err(r));
+ if ((r = sshbuf_put(buf, p, strlen(p))) != 0 || + if ((r = sshbuf_put(buf, p, strlen(p))) != 0 ||
+ (r = sshbuf_put(buf, encoded, enclen)) != 0) + (r = sshbuf_put(buf, encoded, enclen)) != 0)
+ fatal("%s: sshbuf_put error: %s", + fatal_fr(r, "sshbuf_put error");
+ __func__, ssh_err(r));
+ } + }
+ +
+ gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]); + gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
@ -599,7 +593,7 @@ index d56257b4..763a63ff 100644
+ gss_enc2oid[oidpos].encoded = NULL; + gss_enc2oid[oidpos].encoded = NULL;
+ +
+ if ((mechs = sshbuf_dup_string(buf)) == NULL) + if ((mechs = sshbuf_dup_string(buf)) == NULL)
+ fatal("%s: sshbuf_dup_string failed", __func__); + fatal_f("sshbuf_dup_string failed");
+ +
+ sshbuf_free(buf); + sshbuf_free(buf);
+ +
@ -721,7 +715,7 @@ index d56257b4..763a63ff 100644
+ +
void void
ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service, ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
const char *context) const char *context, const struct sshbuf *session_id)
@@ -273,11 +500,16 @@ ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service, @@ -273,11 +500,16 @@ ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
} }
@ -1123,10 +1117,10 @@ index ab3a15f0..6ce56e92 100644
+ +
+ if (gssapi_client.store.data != NULL) { + if (gssapi_client.store.data != NULL) {
+ if ((problem = krb5_cc_resolve(gssapi_client.store.data, gssapi_client.store.envval, &ccache))) { + if ((problem = krb5_cc_resolve(gssapi_client.store.data, gssapi_client.store.envval, &ccache))) {
+ debug("%s: krb5_cc_resolve(): %.100s", __func__, + debug_f("krb5_cc_resolve(): %.100s",
+ krb5_get_err_text(gssapi_client.store.data, problem)); + krb5_get_err_text(gssapi_client.store.data, problem));
+ } else if ((problem = krb5_cc_destroy(gssapi_client.store.data, ccache))) { + } else if ((problem = krb5_cc_destroy(gssapi_client.store.data, ccache))) {
+ debug("%s: krb5_cc_destroy(): %.100s", __func__, + debug_f("krb5_cc_destroy(): %.100s",
+ krb5_get_err_text(gssapi_client.store.data, problem)); + krb5_get_err_text(gssapi_client.store.data, problem));
+ } else { + } else {
+ krb5_free_context(gssapi_client.store.data); + krb5_free_context(gssapi_client.store.data);
@ -1375,7 +1369,7 @@ index ce85f043..574c7609 100644
@@ -698,6 +755,9 @@ kex_free(struct kex *kex) @@ -698,6 +755,9 @@ kex_free(struct kex *kex)
sshbuf_free(kex->server_version); sshbuf_free(kex->server_version);
sshbuf_free(kex->client_pub); sshbuf_free(kex->client_pub);
free(kex->session_id); sshbuf_free(kex->session_id);
+#ifdef GSSAPI +#ifdef GSSAPI
+ free(kex->gss_host); + free(kex->gss_host);
+#endif /* GSSAPI */ +#endif /* GSSAPI */
@ -1389,7 +1383,7 @@ index a5ae6ac0..fe714141 100644
@@ -102,6 +102,15 @@ enum kex_exchange { @@ -102,6 +102,15 @@ enum kex_exchange {
KEX_ECDH_SHA2, KEX_ECDH_SHA2,
KEX_C25519_SHA256, KEX_C25519_SHA256,
KEX_KEM_SNTRUP4591761X25519_SHA512, KEX_KEM_SNTRUP761X25519_SHA512,
+#ifdef GSSAPI +#ifdef GSSAPI
+ KEX_GSS_GRP1_SHA1, + KEX_GSS_GRP1_SHA1,
+ KEX_GSS_GRP14_SHA1, + KEX_GSS_GRP14_SHA1,
@ -1498,7 +1492,7 @@ new file mode 100644
index 00000000..f6e1405e index 00000000..f6e1405e
--- /dev/null --- /dev/null
+++ b/kexgssc.c +++ b/kexgssc.c
@@ -0,0 +1,606 @@ @@ -0,0 +1,599 @@
+/* +/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
+ * + *
@ -1597,7 +1591,7 @@ index 00000000..f6e1405e
+ r = kex_c25519_keypair(kex); + r = kex_c25519_keypair(kex);
+ break; + break;
+ default: + default:
+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); + fatal_f("Unexpected KEX type %d", kex->kex_type);
+ } + }
+ if (r != 0) + if (r != 0)
+ return r; + return r;
@ -1785,7 +1779,7 @@ index 00000000..f6e1405e
+ server_blob, + server_blob,
+ shared_secret, + shared_secret,
+ hash, &hashlen)) != 0) + hash, &hashlen)) != 0)
+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); + fatal_f("Unexpected KEX type %d", kex->kex_type);
+ +
+ gssbuf.value = hash; + gssbuf.value = hash;
+ gssbuf.length = hashlen; + gssbuf.length = hashlen;
@ -2074,13 +2068,6 @@ index 00000000..f6e1405e
+ +
+ gss_release_buffer(&min_status, &msg_tok); + gss_release_buffer(&min_status, &msg_tok);
+ +
+ /* save session id */
+ if (kex->session_id == NULL) {
+ kex->session_id_len = hashlen;
+ kex->session_id = xmalloc(kex->session_id_len);
+ memcpy(kex->session_id, hash, kex->session_id_len);
+ }
+
+ if (kex->gss_deleg_creds) + if (kex->gss_deleg_creds)
+ ssh_gssapi_credentials_updated(ctxt); + ssh_gssapi_credentials_updated(ctxt);
+ +
@ -2202,12 +2189,12 @@ index 00000000..60bc02de
+ free(mechs); + free(mechs);
+ } + }
+ +
+ debug2("%s: Identifying %s", __func__, kex->name); + debug2_f("Identifying %s", kex->name);
+ oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type); + oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type);
+ if (oid == GSS_C_NO_OID) + if (oid == GSS_C_NO_OID)
+ fatal("Unknown gssapi mechanism"); + fatal("Unknown gssapi mechanism");
+ +
+ debug2("%s: Acquiring credentials", __func__); + debug2_f("Acquiring credentials");
+ +
+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid)))) + if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid))))
+ fatal("Unable to acquire credentials for the server"); + fatal("Unable to acquire credentials for the server");
@ -2242,7 +2229,7 @@ index 00000000..60bc02de
+ &shared_secret); + &shared_secret);
+ break; + break;
+ default: + default:
+ fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type); + fatal_f("Unexpected KEX type %d", kex->kex_type);
+ } + }
+ if (r != 0) + if (r != 0)
+ goto out; + goto out;
@ -2398,12 +2385,12 @@ index 00000000..60bc02de
+ if ((mechs = ssh_gssapi_server_mechanisms())) + if ((mechs = ssh_gssapi_server_mechanisms()))
+ free(mechs); + free(mechs);
+ +
+ debug2("%s: Identifying %s", __func__, kex->name); + debug2_f("Identifying %s", kex->name);
+ oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type); + oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type);
+ if (oid == GSS_C_NO_OID) + if (oid == GSS_C_NO_OID)
+ fatal("Unknown gssapi mechanism"); + fatal("Unknown gssapi mechanism");
+ +
+ debug2("%s: Acquiring credentials", __func__); + debug2_f("Acquiring credentials");
+ +
+ if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid)))) + if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid))))
+ fatal("Unable to acquire credentials for the server"); + fatal("Unable to acquire credentials for the server");
@ -2656,29 +2643,29 @@ index 2ce89fe9..ebf76c7f 100644
+# endif +# endif
#endif /* WITH_OPENSSL */ #endif /* WITH_OPENSSL */
kex->kex[KEX_C25519_SHA256] = kex_gen_server; kex->kex[KEX_C25519_SHA256] = kex_gen_server;
kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server; kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
@@ -1806,8 +1834,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m) @@ -1806,8 +1834,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
u_char *p; u_char *p;
int r; int r;
- if (!options.gss_authentication) - if (!options.gss_authentication)
- fatal("%s: GSSAPI authentication not enabled", __func__); - fatal_f("GSSAPI authentication not enabled");
+ if (!options.gss_authentication && !options.gss_keyex) + if (!options.gss_authentication && !options.gss_keyex)
+ fatal("%s: GSSAPI not enabled", __func__); + fatal_f("GSSAPI not enabled");
if ((r = sshbuf_get_string(m, &p, &len)) != 0) if ((r = sshbuf_get_string(m, &p, &len)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "parse");
@@ -1839,8 +1867,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m) @@ -1839,8 +1867,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
OM_uint32 flags = 0; /* GSI needs this */ OM_uint32 flags = 0; /* GSI needs this */
int r; int r;
- if (!options.gss_authentication) - if (!options.gss_authentication)
- fatal("%s: GSSAPI authentication not enabled", __func__); - fatal_f("GSSAPI authentication not enabled");
+ if (!options.gss_authentication && !options.gss_keyex) + if (!options.gss_authentication && !options.gss_keyex)
+ fatal("%s: GSSAPI not enabled", __func__); + fatal_f("GSSAPI not enabled");
if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0) if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r)); fatal_fr(r, "ssh_gssapi_get_buffer_desc");
@@ -1860,6 +1888,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m) @@ -1860,6 +1888,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
@ -2692,9 +2679,9 @@ index 2ce89fe9..ebf76c7f 100644
int r; int r;
- if (!options.gss_authentication) - if (!options.gss_authentication)
- fatal("%s: GSSAPI authentication not enabled", __func__); - fatal_f("GSSAPI authentication not enabled");
+ if (!options.gss_authentication && !options.gss_keyex) + if (!options.gss_authentication && !options.gss_keyex)
+ fatal("%s: GSSAPI not enabled", __func__); + fatal_f("GSSAPI not enabled");
if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 || if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 ||
(r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0) (r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0)
@ -2707,13 +2694,13 @@ index 2ce89fe9..ebf76c7f 100644
const char *displayname; const char *displayname;
- if (!options.gss_authentication) - if (!options.gss_authentication)
- fatal("%s: GSSAPI authentication not enabled", __func__); - fatal_f("GSSAPI authentication not enabled");
+ if (!options.gss_authentication && !options.gss_keyex) + if (!options.gss_authentication && !options.gss_keyex)
+ fatal("%s: GSSAPI not enabled", __func__); + fatal_f("GSSAPI not enabled");
- authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user); - authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
+ if ((r = sshbuf_get_u32(m, &kex)) != 0) + if ((r = sshbuf_get_u32(m, &kex)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "buffer error");
+ +
+ authenticated = authctxt->valid && + authenticated = authctxt->valid &&
+ ssh_gssapi_userok(authctxt->user, authctxt->pw, kex); + ssh_gssapi_userok(authctxt->user, authctxt->pw, kex);
@ -2721,7 +2708,7 @@ index 2ce89fe9..ebf76c7f 100644
sshbuf_reset(m); sshbuf_reset(m);
if ((r = sshbuf_put_u32(m, authenticated)) != 0) if ((r = sshbuf_put_u32(m, authenticated)) != 0)
@@ -1913,7 +1946,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) @@ -1913,7 +1946,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
debug3("%s: sending result %d", __func__, authenticated); debug3_f("sending result %d", authenticated);
mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m); mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
- auth_method = "gssapi-with-mic"; - auth_method = "gssapi-with-mic";
@ -2733,7 +2720,7 @@ index 2ce89fe9..ebf76c7f 100644
if ((displayname = ssh_gssapi_displayname()) != NULL) if ((displayname = ssh_gssapi_displayname()) != NULL)
auth2_record_info(authctxt, "%s", displayname); auth2_record_info(authctxt, "%s", displayname);
@@ -1921,5 +1958,85 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m) @@ -1921,5 +1958,84 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
/* Monitor loop will terminate if authenticated */ /* Monitor loop will terminate if authenticated */
return (authenticated); return (authenticated);
} }
@ -2749,16 +2736,15 @@ index 2ce89fe9..ebf76c7f 100644
+ int r; + int r;
+ +
+ if (!options.gss_authentication && !options.gss_keyex) + if (!options.gss_authentication && !options.gss_keyex)
+ fatal("%s: GSSAPI not enabled", __func__); + fatal_f("GSSAPI not enabled");
+ +
+ if ((r = sshbuf_get_string(m, &p, &len)) != 0) + if ((r = sshbuf_get_string(m, &p, &len)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "buffer error");
+ data.value = p; + data.value = p;
+ data.length = len; + data.length = len;
+ /* Lengths of SHA-1, SHA-256 and SHA-512 hashes that are used */ + /* Lengths of SHA-1, SHA-256 and SHA-512 hashes that are used */
+ if (data.length != 20 && data.length != 32 && data.length != 64) + if (data.length != 20 && data.length != 32 && data.length != 64)
+ fatal("%s: data length incorrect: %d", __func__, + fatal_f("data length incorrect: %d", (int) data.length);
+ (int) data.length);
+ +
+ /* Save the session ID on the first time around */ + /* Save the session ID on the first time around */
+ if (session_id2_len == 0) { + if (session_id2_len == 0) {
@ -2774,7 +2760,7 @@ index 2ce89fe9..ebf76c7f 100644
+ +
+ if ((r = sshbuf_put_u32(m, major)) != 0 || + if ((r = sshbuf_put_u32(m, major)) != 0 ||
+ (r = sshbuf_put_string(m, hash.value, hash.length)) != 0) + (r = sshbuf_put_string(m, hash.value, hash.length)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "buffer error");
+ +
+ mm_request_send(socket, MONITOR_ANS_GSSSIGN, m); + mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
+ +
@ -2795,12 +2781,12 @@ index 2ce89fe9..ebf76c7f 100644
+ int r, ok; + int r, ok;
+ +
+ if (!options.gss_authentication && !options.gss_keyex) + if (!options.gss_authentication && !options.gss_keyex)
+ fatal("%s: GSSAPI not enabled", __func__); + fatal_f("GSSAPI not enabled");
+ +
+ if ((r = sshbuf_get_string(m, (u_char **)&store.filename, NULL)) != 0 || + if ((r = sshbuf_get_string(m, (u_char **)&store.filename, NULL)) != 0 ||
+ (r = sshbuf_get_string(m, (u_char **)&store.envvar, NULL)) != 0 || + (r = sshbuf_get_string(m, (u_char **)&store.envvar, NULL)) != 0 ||
+ (r = sshbuf_get_string(m, (u_char **)&store.envval, NULL)) != 0) + (r = sshbuf_get_string(m, (u_char **)&store.envval, NULL)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "buffer error");
+ +
+ ok = ssh_gssapi_update_creds(&store); + ok = ssh_gssapi_update_creds(&store);
+ +
@ -2810,7 +2796,7 @@ index 2ce89fe9..ebf76c7f 100644
+ +
+ sshbuf_reset(m); + sshbuf_reset(m);
+ if ((r = sshbuf_put_u32(m, ok)) != 0) + if ((r = sshbuf_put_u32(m, ok)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "buffer error");
+ +
+ mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m); + mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
+ +
@ -2847,14 +2833,14 @@ index 001a8fa1..6edb509a 100644
int r, authenticated = 0; int r, authenticated = 0;
if ((m = sshbuf_new()) == NULL) if ((m = sshbuf_new()) == NULL)
fatal("%s: sshbuf_new failed", __func__); fatal_f("sshbuf_new failed");
+ if ((r = sshbuf_put_u32(m, kex)) != 0) + if ((r = sshbuf_put_u32(m, kex)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "buffer error");
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, m); mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, m);
mm_request_receive_expect(pmonitor->m_recvfd, mm_request_receive_expect(pmonitor->m_recvfd,
@@ -1012,4 +1014,57 @@ mm_ssh_gssapi_userok(char *user) @@ -1012,4 +1014,57 @@ mm_ssh_gssapi_userok(char *user)
debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not "); debug3_f("user %sauthenticated", authenticated ? "" : "not ");
return (authenticated); return (authenticated);
} }
+ +
@ -2866,16 +2852,16 @@ index 001a8fa1..6edb509a 100644
+ int r; + int r;
+ +
+ if ((m = sshbuf_new()) == NULL) + if ((m = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__); + fatal_f("sshbuf_new failed");
+ if ((r = sshbuf_put_string(m, data->value, data->length)) != 0) + if ((r = sshbuf_put_string(m, data->value, data->length)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "buffer error");
+ +
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, m);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, m); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, m);
+ +
+ if ((r = sshbuf_get_u32(m, &major)) != 0 || + if ((r = sshbuf_get_u32(m, &major)) != 0 ||
+ (r = ssh_gssapi_get_buffer_desc(m, hash)) != 0) + (r = ssh_gssapi_get_buffer_desc(m, hash)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "buffer error");
+ +
+ sshbuf_free(m); + sshbuf_free(m);
+ +
@ -2889,7 +2875,7 @@ index 001a8fa1..6edb509a 100644
+ int r, ok; + int r, ok;
+ +
+ if ((m = sshbuf_new()) == NULL) + if ((m = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__); + fatal_f("sshbuf_new failed");
+ +
+ if ((r = sshbuf_put_cstring(m, + if ((r = sshbuf_put_cstring(m,
+ store->filename ? store->filename : "")) != 0 || + store->filename ? store->filename : "")) != 0 ||
@ -2897,13 +2883,13 @@ index 001a8fa1..6edb509a 100644
+ store->envvar ? store->envvar : "")) != 0 || + store->envvar ? store->envvar : "")) != 0 ||
+ (r = sshbuf_put_cstring(m, + (r = sshbuf_put_cstring(m,
+ store->envval ? store->envval : "")) != 0) + store->envval ? store->envval : "")) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "buffer error");
+ +
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, m);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, m); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, m);
+ +
+ if ((r = sshbuf_get_u32(m, &ok)) != 0) + if ((r = sshbuf_get_u32(m, &ok)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r)); + fatal_fr(r, "buffer error");
+ +
+ sshbuf_free(m); + sshbuf_free(m);
+ +
@ -3124,7 +3110,7 @@ index 70f5f73f..191575a1 100644
options->password_authentication = 1; options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1) if (options->kbd_interactive_authentication == -1)
@@ -531,6 +543,7 @@ typedef enum { @@ -531,6 +543,7 @@ typedef enum {
sHostKeyAlgorithms, sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
+ sGssKeyEx, sGssKexAlgorithms, sGssStoreRekey, + sGssKeyEx, sGssKexAlgorithms, sGssStoreRekey,
@ -3246,7 +3232,7 @@ index 36180d07..70dd3665 100644
--- a/ssh-gss.h --- a/ssh-gss.h
+++ b/ssh-gss.h +++ b/ssh-gss.h
@@ -1,6 +1,6 @@ @@ -1,6 +1,6 @@
/* $OpenBSD: ssh-gss.h,v 1.14 2018/07/10 09:13:30 djm Exp $ */ /* $OpenBSD: ssh-gss.h,v 1.15 2021/01/27 10:05:28 djm Exp $ */
/* /*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved. + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -3332,7 +3318,7 @@ index 36180d07..70dd3665 100644
@@ -123,17 +149,33 @@ void ssh_gssapi_delete_ctx(Gssctxt **); @@ -123,17 +149,33 @@ void ssh_gssapi_delete_ctx(Gssctxt **);
OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
void ssh_gssapi_buildmic(struct sshbuf *, const char *, void ssh_gssapi_buildmic(struct sshbuf *, const char *,
const char *, const char *); const char *, const char *, const struct sshbuf *);
-int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *); -int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *);
+int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *, const char *); +int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *, const char *);
+OM_uint32 ssh_gssapi_client_identity(Gssctxt *, const char *); +OM_uint32 ssh_gssapi_client_identity(Gssctxt *, const char *);
@ -3382,7 +3368,7 @@ index 60de6087..db5c65bc 100644
+.It GSSAPITrustDns +.It GSSAPITrustDns
.It HashKnownHosts .It HashKnownHosts
.It Host .It Host
.It HostbasedAuthentication .It HostbasedAcceptedAlgorithms
@@ -579,6 +585,8 @@ flag), @@ -579,6 +585,8 @@ flag),
(supported message integrity codes), (supported message integrity codes),
.Ar kex .Ar kex
@ -3526,9 +3512,9 @@ index af00fb30..03bc87eb 100644
+ +
xxx_host = host; xxx_host = host;
xxx_hostaddr = hostaddr; xxx_hostaddr = hostaddr;
xxx_conn_info = cinfo;
@@ -206,6 +209,42 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) @@ -206,6 +209,42 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
compat_pkalg_proposal(options.hostkeyalgorithms); compat_pkalg_proposal(ssh, options.hostkeyalgorithms);
} }
+#if defined(GSSAPI) && defined(WITH_OPENSSL) +#if defined(GSSAPI) && defined(WITH_OPENSSL)
@ -3588,7 +3574,7 @@ index af00fb30..03bc87eb 100644
+# endif +# endif
+#endif /* WITH_OPENSSL */ +#endif /* WITH_OPENSSL */
ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client; ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client;
ssh->kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_client; ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_client;
ssh->kex->verify_host_key=&verify_host_key_callback; ssh->kex->verify_host_key=&verify_host_key_callback;
+#if defined(GSSAPI) && defined(WITH_OPENSSL) +#if defined(GSSAPI) && defined(WITH_OPENSSL)
@ -3604,7 +3590,7 @@ index af00fb30..03bc87eb 100644
/* remove ext-info from the KEX proposals for rekeying */ /* remove ext-info from the KEX proposals for rekeying */
myproposal[PROPOSAL_KEX_ALGS] = myproposal[PROPOSAL_KEX_ALGS] =
compat_kex_proposal(options.kex_algorithms); compat_kex_proposal(ssh, options.kex_algorithms);
+#if defined(GSSAPI) && defined(WITH_OPENSSL) +#if defined(GSSAPI) && defined(WITH_OPENSSL)
+ /* repair myproposal after it was crumpled by the */ + /* repair myproposal after it was crumpled by the */
+ /* ext-info removal above */ + /* ext-info removal above */
@ -3616,7 +3602,7 @@ index af00fb30..03bc87eb 100644
+ } + }
+#endif +#endif
if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0) if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0)
fatal("kex_prop2buf: %s", ssh_err(r)); fatal_r(r, "kex_prop2buf");
@@ -330,6 +392,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *); @@ -330,6 +392,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *);
static int input_gssapi_token(int type, u_int32_t, struct ssh *); static int input_gssapi_token(int type, u_int32_t, struct ssh *);
@ -3714,13 +3700,13 @@ index af00fb30..03bc87eb 100644
+ } + }
+ +
+ if ((b = sshbuf_new()) == NULL) + if ((b = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__); + fatal_f("sshbuf_new failed");
+ +
+ ssh_gssapi_buildmic(b, authctxt->server_user, authctxt->service, + ssh_gssapi_buildmic(b, authctxt->server_user, authctxt->service,
+ "gssapi-keyex"); + "gssapi-keyex", ssh->kex->session_id);
+ +
+ if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL) + if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
+ fatal("%s: sshbuf_mutable_ptr failed", __func__); + fatal_f("sshbuf_mutable_ptr failed");
+ gssbuf.length = sshbuf_len(b); + gssbuf.length = sshbuf_len(b);
+ +
+ if (GSS_ERROR(ssh_gssapi_sign(gss_kex_context, &gssbuf, &mic))) { + if (GSS_ERROR(ssh_gssapi_sign(gss_kex_context, &gssbuf, &mic))) {
@ -3734,7 +3720,7 @@ index af00fb30..03bc87eb 100644
+ (r = sshpkt_put_cstring(ssh, authctxt->method->name)) != 0 || + (r = sshpkt_put_cstring(ssh, authctxt->method->name)) != 0 ||
+ (r = sshpkt_put_string(ssh, mic.value, mic.length)) != 0 || + (r = sshpkt_put_string(ssh, mic.value, mic.length)) != 0 ||
+ (r = sshpkt_send(ssh)) != 0) + (r = sshpkt_send(ssh)) != 0)
+ fatal("%s: %s", __func__, ssh_err(r)); + fatal_fr(r, "parsing");
+ +
+ sshbuf_free(b); + sshbuf_free(b);
+ gss_release_buffer(&ms, &mic); + gss_release_buffer(&ms, &mic);
@ -3751,11 +3737,11 @@ index 60b2aaf7..d92f03aa 100644
+++ b/sshd.c +++ b/sshd.c
@@ -817,8 +817,8 @@ notify_hostkeys(struct ssh *ssh) @@ -817,8 +817,8 @@ notify_hostkeys(struct ssh *ssh)
} }
debug3("%s: sent %u hostkeys", __func__, nkeys); debug3_f("sent %u hostkeys", nkeys);
if (nkeys == 0) if (nkeys == 0)
- fatal("%s: no hostkeys", __func__); - fatal_f("no hostkeys");
- if ((r = sshpkt_send(ssh)) != 0) - if ((r = sshpkt_send(ssh)) != 0)
+ debug3("%s: no hostkeys", __func__); + debug3_f("no hostkeys");
+ else if ((r = sshpkt_send(ssh)) != 0) + else if ((r = sshpkt_send(ssh)) != 0)
sshpkt_fatal(ssh, r, "%s: send", __func__); sshpkt_fatal(ssh, r, "%s: send", __func__);
sshbuf_free(buf); sshbuf_free(buf);
@ -3772,7 +3758,7 @@ index 60b2aaf7..d92f03aa 100644
} }
@@ -2347,6 +2348,48 @@ do_ssh2_kex(struct ssh *ssh) @@ -2347,6 +2348,48 @@ do_ssh2_kex(struct ssh *ssh)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
list_hostkey_types()); ssh, list_hostkey_types());
+#if defined(GSSAPI) && defined(WITH_OPENSSL) +#if defined(GSSAPI) && defined(WITH_OPENSSL)
+ { + {
@ -3818,7 +3804,7 @@ index 60b2aaf7..d92f03aa 100644
+ +
/* start key exchange */ /* start key exchange */
if ((r = kex_setup(ssh, myproposal)) != 0) if ((r = kex_setup(ssh, myproposal)) != 0)
fatal("kex_setup: %s", ssh_err(r)); fatal_r(r, "kex_setup");
@@ -2362,7 +2405,18 @@ do_ssh2_kex(struct ssh *ssh) @@ -2362,7 +2405,18 @@ do_ssh2_kex(struct ssh *ssh)
# ifdef OPENSSL_HAS_ECC # ifdef OPENSSL_HAS_ECC
kex->kex[KEX_ECDH_SHA2] = kex_gen_server; kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
@ -3837,7 +3823,7 @@ index 60b2aaf7..d92f03aa 100644
+# endif +# endif
+#endif /* WITH_OPENSSL */ +#endif /* WITH_OPENSSL */
kex->kex[KEX_C25519_SHA256] = kex_gen_server; kex->kex[KEX_C25519_SHA256] = kex_gen_server;
kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server; kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
kex->load_host_public_key=&get_hostkey_public_by_type; kex->load_host_public_key=&get_hostkey_public_by_type;
diff --git a/sshd_config b/sshd_config diff --git a/sshd_config b/sshd_config
index 19b7c91a..2c48105f 100644 index 19b7c91a..2c48105f 100644
@ -3898,9 +3884,9 @@ index 70ccea44..f6b41a2f 100644
+.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-, +.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
+gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- . +gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
+This option only applies to connections using GSSAPI. +This option only applies to connections using GSSAPI.
.It Cm HostbasedAcceptedKeyTypes .It Cm HostbasedAcceptedAlgorithms
Specifies the key types that will be accepted for hostbased authentication Specifies the signature algorithms that will be accepted for hostbased
as a list of comma-separated patterns. authentication as a list of comma-separated patterns.
diff --git a/sshkey.c b/sshkey.c diff --git a/sshkey.c b/sshkey.c
index 57995ee6..fd5b7724 100644 index 57995ee6..fd5b7724 100644
--- a/sshkey.c --- a/sshkey.c

View File

@ -0,0 +1,12 @@
diff -up openssh-8.0p1/ssh-keygen.c.strip-doseol openssh-8.0p1/ssh-keygen.c
--- openssh-8.0p1/ssh-keygen.c.strip-doseol 2021-03-18 17:41:34.472404994 +0100
+++ openssh-8.0p1/ssh-keygen.c 2021-03-18 17:41:55.255538761 +0100
@@ -901,7 +901,7 @@ do_fingerprint(struct passwd *pw)
while (getline(&line, &linesize, f) != -1) {
lnum++;
cp = line;
- cp[strcspn(cp, "\n")] = '\0';
+ cp[strcspn(cp, "\r\n")] = '\0';
/* Trim leading space and comments */
cp = line + strspn(line, " \t");
if (*cp == '#' || *cp == '\0')

View File

@ -96,7 +96,7 @@ index b6f041f4..1fbce2bb 100644
+ goto out; + goto out;
+ } + }
+ r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID, + r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
+ kex->session_id, kex->session_id_len); + sshbuf_ptr(kex->session_id), sshbuf_len(kex->session_id));
+ if (r != 1) { + if (r != 1) {
+ r = SSH_ERR_LIBCRYPTO_ERROR; + r = SSH_ERR_LIBCRYPTO_ERROR;
+ goto out; + goto out;

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,44 @@
diff -up openssh-8.0p1/auth-pam.c.preserve-pam-errors openssh-8.0p1/auth-pam.c
--- openssh-8.0p1/auth-pam.c.preserve-pam-errors 2021-03-31 17:03:15.618592347 +0200
+++ openssh-8.0p1/auth-pam.c 2021-03-31 17:06:58.115220014 +0200
@@ -511,7 +511,11 @@ sshpam_thread(void *ctxtp)
goto auth_fail;
if (!do_pam_account()) {
- sshpam_err = PAM_ACCT_EXPIRED;
+ /* Preserve PAM_PERM_DENIED and PAM_USER_UNKNOWN.
+ * Backward compatibility for other errors. */
+ if (sshpam_err != PAM_PERM_DENIED
+ && sshpam_err != PAM_USER_UNKNOWN)
+ sshpam_err = PAM_ACCT_EXPIRED;
goto auth_fail;
}
if (sshpam_authctxt->force_pwchange) {
@@ -568,8 +572,10 @@ sshpam_thread(void *ctxtp)
pam_strerror(sshpam_handle, sshpam_err))) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
/* XXX - can't do much about an error here */
- if (sshpam_err == PAM_ACCT_EXPIRED)
- ssh_msg_send(ctxt->pam_csock, PAM_ACCT_EXPIRED, buffer);
+ if (sshpam_err == PAM_PERM_DENIED
+ || sshpam_err == PAM_USER_UNKNOWN
+ || sshpam_err == PAM_ACCT_EXPIRED)
+ ssh_msg_send(ctxt->pam_csock, sshpam_err, buffer);
else if (sshpam_maxtries_reached)
ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, buffer);
else
@@ -856,10 +862,12 @@ sshpam_query(void *ctx, char **name, cha
plen++;
free(msg);
break;
+ case PAM_USER_UNKNOWN:
+ case PAM_PERM_DENIED:
case PAM_ACCT_EXPIRED:
+ sshpam_account_status = 0;
+ /* FALLTHROUGH */
case PAM_MAXTRIES:
- if (type == PAM_ACCT_EXPIRED)
- sshpam_account_status = 0;
if (type == PAM_MAXTRIES)
sshpam_set_maxtries_reached(1);
/* FALLTHROUGH */

View File

@ -7,8 +7,8 @@ diff --git a/channels.c b/channels.c
if (x11_use_localhost) if (x11_use_localhost)
set_reuseaddr(sock); set_reuseaddr(sock);
if (bind(sock, ai->ai_addr, ai->ai_addrlen) == -1) { if (bind(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
debug2("%s: bind port %d: %.100s", __func__, debug2_f("bind port %d: %.100s", port,
port, strerror(errno)); strerror(errno));
close(sock); close(sock);
+ +
+ /* do not remove successfully opened + /* do not remove successfully opened

View File

@ -37,8 +37,8 @@
+ * SHA2 signature types. + * SHA2 signature types.
+ */ + */
+ if (alg == NULL && + if (alg == NULL &&
+ (key->type == KEY_RSA && (datafellows & SSH_BUG_SIGTYPE74))) { + (key->type == KEY_RSA && (ssh->compat & SSH_BUG_SIGTYPE74))) {
+ oallowed = allowed = xstrdup(options.pubkey_key_types); + oallowed = allowed = xstrdup(options.pubkey_accepted_algos);
+ while ((cp = strsep(&allowed, ",")) != NULL) { + while ((cp = strsep(&allowed, ",")) != NULL) {
+ if (sshkey_type_from_name(cp) != key->type) + if (sshkey_type_from_name(cp) != key->type)
+ continue; + continue;

View File

@ -1,14 +0,0 @@
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index e0768c06..5065ae7e 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -267,6 +267,9 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR_pselect6
SC_ALLOW(__NR_pselect6),
#endif
+#ifdef __NR_pselect6_time64
+ SC_ALLOW(__NR_pselect6_time64),
+#endif
#ifdef __NR_read
SC_ALLOW(__NR_read),
#endif

View File

@ -1,130 +0,0 @@
From 66f16e5425eb881570e82bfef7baeac2e7accc0a Mon Sep 17 00:00:00 2001
From: Oleg <Fallmay@users.noreply.github.com>
Date: Thu, 1 Oct 2020 12:09:08 +0300
Subject: [PATCH] Fix `EOF: command not found` error in ssh-copy-id
---
contrib/ssh-copy-id | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
index 392f64f94..a76907717 100644
--- a/contrib/ssh-copy-id
+++ b/contrib/ssh-copy-id
@@ -247,7 +247,7 @@ installkeys_sh() {
# the -z `tail ...` checks for a trailing newline. The echo adds one if was missing
# the cat adds the keys we're getting via STDIN
# and if available restorecon is used to restore the SELinux context
- INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF)
+ INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
cd;
umask 077;
mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
@@ -258,6 +258,7 @@ installkeys_sh() {
restorecon -F .ssh ${AUTH_KEY_FILE};
fi
EOF
+ )
# to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
printf "exec sh -c '%s'" "${INSTALLKEYS_SH}"
From de59a431cdec833e3ec15691dd950402b4c052cf Mon Sep 17 00:00:00 2001
From: Philip Hands <phil@hands.com>
Date: Sat, 3 Oct 2020 00:20:07 +0200
Subject: [PATCH] un-nest $() to make ksh cheerful
---
ssh-copy-id | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
From 02ac2c3c3db5478a440dfb1b90d15f686f2cbfc6 Mon Sep 17 00:00:00 2001
From: Philip Hands <phil@hands.com>
Date: Fri, 2 Oct 2020 21:30:10 +0200
Subject: [PATCH] ksh doesn't grok 'local'
and AFAICT it's not actually doing anything useful in the code, so let's
see how things go without it.
---
ssh-copy-id | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
index a769077..11c9463 100755
--- a/contrib/ssh-copy-id
+++ b/contrib/ssh-copy-id
@@ -76,7 +76,7 @@ quote() {
}
use_id_file() {
- local L_ID_FILE="$1"
+ L_ID_FILE="$1"
if [ -z "$L_ID_FILE" ] ; then
printf '%s: ERROR: no ID file found\n' "$0"
@@ -94,7 +94,7 @@ use_id_file() {
# check that the files are readable
for f in "$PUB_ID_FILE" ${PRIV_ID_FILE:+"$PRIV_ID_FILE"} ; do
ErrMSG=$( { : < "$f" ; } 2>&1 ) || {
- local L_PRIVMSG=""
+ L_PRIVMSG=""
[ "$f" = "$PRIV_ID_FILE" ] && L_PRIVMSG=" (to install the contents of '$PUB_ID_FILE' anyway, look at the -f option)"
printf "\\n%s: ERROR: failed to open ID file '%s': %s\\n" "$0" "$f" "$(printf '%s\n%s\n' "$ErrMSG" "$L_PRIVMSG" | sed -e 's/.*: *//')"
exit 1
@@ -169,7 +169,7 @@ fi
# populate_new_ids() uses several global variables ($USER_HOST, $SSH_OPTS ...)
# and has the side effect of setting $NEW_IDS
populate_new_ids() {
- local L_SUCCESS="$1"
+ L_SUCCESS="$1"
# shellcheck disable=SC2086
if [ "$FORCED" ] ; then
@@ -181,13 +181,12 @@ populate_new_ids() {
eval set -- "$SSH_OPTS"
umask 0177
- local L_TMP_ID_FILE
L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX)
if test $? -ne 0 || test "x$L_TMP_ID_FILE" = "x" ; then
printf '%s: ERROR: mktemp failed\n' "$0" >&2
exit 1
fi
- local L_CLEANUP="rm -f \"$L_TMP_ID_FILE\" \"${L_TMP_ID_FILE}.stderr\""
+ L_CLEANUP="rm -f \"$L_TMP_ID_FILE\" \"${L_TMP_ID_FILE}.stderr\""
# shellcheck disable=SC2064
trap "$L_CLEANUP" EXIT TERM INT QUIT
printf '%s: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n' "$0" >&2
@@ -237,7 +236,7 @@ populate_new_ids() {
# produce a one-liner to add the keys to remote authorized_keys file
# optionally takes an alternative path for authorized_keys
installkeys_sh() {
- local AUTH_KEY_FILE=${1:-.ssh/authorized_keys}
+ AUTH_KEY_FILE=${1:-.ssh/authorized_keys}
# In setting INSTALLKEYS_SH:
# the tr puts it all on one line (to placate tcsh)
--
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
index 11c9463..ee3f637 100755
--- a/contrib/ssh-copy-id
+++ b/contrib/ssh-copy-id
@@ -237,6 +237,7 @@ populate_new_ids() {
# optionally takes an alternative path for authorized_keys
installkeys_sh() {
AUTH_KEY_FILE=${1:-.ssh/authorized_keys}
+ AUTH_KEY_DIR=$(dirname "${AUTH_KEY_FILE}")
# In setting INSTALLKEYS_SH:
# the tr puts it all on one line (to placate tcsh)
@@ -249,7 +250,7 @@ installkeys_sh() {
INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
cd;
umask 077;
- mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
+ mkdir -p "${AUTH_KEY_DIR}" &&
{ [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || echo >> ${AUTH_KEY_FILE} || exit 1; } &&
cat >> ${AUTH_KEY_FILE} ||
exit 1;
--

View File

@ -13,9 +13,8 @@ addFilter(r'openssh-(askpass|cavs).x86_64: W: no-documentation')
# sshd config and sysconfig is not supposed to be world readable # sshd config and sysconfig is not supposed to be world readable
addFilter(r'non-readable /etc/(ssh/sshd_config|sysconfig/sshd)') addFilter(r'non-readable /etc/(ssh/sshd_config|sysconfig/sshd)')
# The /var/empty/sshd is supposed to have the given permissions # /usr/share/empty.sshd is required to have the given permissions
addFilter(r'non-standard-dir-perm /var/empty/sshd 711') addFilter(r'non-standard-dir-perm /usr/share/empty.sshd 711')
addFilter(r'non-standard-dir-in-var empty')
# Spelling false-positives # Spelling false-positives
addFilter(r'spelling-error (Summary\(en_US\)|.* en_US) (mls|su|sudo|rlogin|rsh|untrusted) ') addFilter(r'spelling-error (Summary\(en_US\)|.* en_US) (mls|su|sudo|rlogin|rsh|untrusted) ')

View File

@ -50,10 +50,10 @@
%{?static_openssl:%global static_libcrypto 1} %{?static_openssl:%global static_libcrypto 1}
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%global openssh_ver 8.4p1 %global openssh_ver 8.6p1
%global openssh_rel 4 %global openssh_rel 1
%global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_ver 0.10.4
%global pam_ssh_agent_rel 1 %global pam_ssh_agent_rel 3
Summary: An open source implementation of SSH protocol version 2 Summary: An open source implementation of SSH protocol version 2
Name: openssh Name: openssh
@ -64,7 +64,7 @@ URL: http://www.openssh.com/portable.html
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
Source2: sshd.pam Source2: sshd.pam
Source3: DJM-GPG-KEY.gpg Source3: gpgkey-736060BA.gpg
Source4: https://github.com/jbeverly/pam_ssh_agent_auth/archive/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.gz Source4: https://github.com/jbeverly/pam_ssh_agent_auth/archive/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.gz
Source5: pam_ssh_agent-rmheaders Source5: pam_ssh_agent-rmheaders
Source6: ssh-keycat.pam Source6: ssh-keycat.pam
@ -74,8 +74,8 @@ Source10: sshd.socket
Source11: sshd.service Source11: sshd.service
Source12: sshd-keygen@.service Source12: sshd-keygen@.service
Source13: sshd-keygen Source13: sshd-keygen
Source14: sshd.tmpfiles
Source15: sshd-keygen.target Source15: sshd-keygen.target
Source16: ssh-agent.service
#https://bugzilla.mindrot.org/show_bug.cgi?id=2581 #https://bugzilla.mindrot.org/show_bug.cgi?id=2581
Patch100: openssh-6.7p1-coverity.patch Patch100: openssh-6.7p1-coverity.patch
@ -133,10 +133,6 @@ Patch707: openssh-7.7p1-redhat.patch
Patch711: openssh-7.8p1-UsePAM-warning.patch Patch711: openssh-7.8p1-UsePAM-warning.patch
# make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL # make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL
Patch712: openssh-6.3p1-ctr-evp-fast.patch Patch712: openssh-6.3p1-ctr-evp-fast.patch
# add cavs test binary for the aes-ctr
Patch713: openssh-6.6p1-ctr-cavstest.patch
# add SSH KDF CAVS test driver
Patch714: openssh-6.7p1-kdf-cavs.patch
# GSSAPI Key Exchange (RFC 4462 + RFC 8732) # GSSAPI Key Exchange (RFC 4462 + RFC 8732)
# from https://github.com/openssh-gsskex/openssh-gsskex/tree/fedora/master # from https://github.com/openssh-gsskex/openssh-gsskex/tree/fedora/master
@ -183,9 +179,6 @@ Patch950: openssh-7.5p1-sandbox.patch
Patch951: openssh-8.0p1-pkcs11-uri.patch Patch951: openssh-8.0p1-pkcs11-uri.patch
# Unbreak scp between two IPv6 hosts (#1620333) # Unbreak scp between two IPv6 hosts (#1620333)
Patch953: openssh-7.8p1-scp-ipv6.patch Patch953: openssh-7.8p1-scp-ipv6.patch
# ssh-copy-id is unmaintained: Aggreagete patches
# https://gitlab.com/phil_hands/ssh-copy-id/-/merge_requests/2
Patch958: openssh-7.9p1-ssh-copy-id.patch
# Mention crypto-policies in manual pages (#1668325) # Mention crypto-policies in manual pages (#1668325)
Patch962: openssh-8.0p1-crypto-policies.patch Patch962: openssh-8.0p1-crypto-policies.patch
# Use OpenSSL high-level API to produce and verify signatures (#1707485) # Use OpenSSL high-level API to produce and verify signatures (#1707485)
@ -196,11 +189,12 @@ Patch964: openssh-8.0p1-openssl-kdf.patch
Patch965: openssh-8.2p1-visibility.patch Patch965: openssh-8.2p1-visibility.patch
# Do not break X11 without IPv6 # Do not break X11 without IPv6
Patch966: openssh-8.2p1-x11-without-ipv6.patch Patch966: openssh-8.2p1-x11-without-ipv6.patch
Patch967: openssh-8.4p1-ssh-copy-id.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=3232
Patch968: openssh-8.4p1-sandbox-seccomp.patch
# https://bugzilla.mindrot.org/show_bug.cgi?id=3213 # https://bugzilla.mindrot.org/show_bug.cgi?id=3213
Patch969: openssh-8.4p1-debian-compat.patch Patch969: openssh-8.4p1-debian-compat.patch
# ssh-keygen printing fingerprint issue with Windows keys (#1901518)
Patch974: openssh-8.0p1-keygen-strip-doseol.patch
# sshd provides PAM an incorrect error code (#1879503)
Patch975: openssh-8.0p1-preserve-pam-errors.patch
License: BSD License: BSD
Requires: /sbin/nologin Requires: /sbin/nologin
@ -221,11 +215,13 @@ BuildRequires: pam-devel
BuildRequires: openssl-devel >= 0.9.8j BuildRequires: openssl-devel >= 0.9.8j
BuildRequires: perl-podlators BuildRequires: perl-podlators
BuildRequires: systemd-devel BuildRequires: systemd-devel
BuildRequires: systemd-rpm-macros
BuildRequires: gcc make BuildRequires: gcc make
BuildRequires: p11-kit-devel BuildRequires: p11-kit-devel
BuildRequires: libfido2-devel BuildRequires: libfido2-devel
Recommends: p11-kit Recommends: p11-kit
Obsoletes: openssh-ldap < 8.3p1-4 Obsoletes: openssh-ldap < 8.3p1-4
Obsoletes: openssh-cavs < 8.4p1-5
%if %{kerberos5} %if %{kerberos5}
BuildRequires: krb5-devel BuildRequires: krb5-devel
@ -267,14 +263,10 @@ Requires: openssh = %{version}-%{release}
Summary: A passphrase dialog for OpenSSH and X Summary: A passphrase dialog for OpenSSH and X
Requires: openssh = %{version}-%{release} Requires: openssh = %{version}-%{release}
%package cavs
Summary: CAVS tests for FIPS validation
Requires: openssh = %{version}-%{release}
%package -n pam_ssh_agent_auth %package -n pam_ssh_agent_auth
Summary: PAM module for authentication with ssh-agent Summary: PAM module for authentication with ssh-agent
Version: %{pam_ssh_agent_ver} Version: %{pam_ssh_agent_ver}
Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}.2 Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}
License: BSD License: BSD
%description %description
@ -311,10 +303,6 @@ OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains into and executing commands on a remote machine. This package contains
an X11 passphrase dialog for OpenSSH. an X11 passphrase dialog for OpenSSH.
%description cavs
This package contains test binaries and scripts to make FIPS validation
easier. Now contains CTR and KDF CAVS test driver.
%description -n pam_ssh_agent_auth %description -n pam_ssh_agent_auth
This package contains a PAM module which can be used to authenticate This package contains a PAM module which can be used to authenticate
users using ssh keys stored in a ssh-agent. Through the use of the users using ssh keys stored in a ssh-agent. Through the use of the
@ -355,8 +343,6 @@ popd
%patch707 -p1 -b .redhat %patch707 -p1 -b .redhat
%patch711 -p1 -b .log-usepam-no %patch711 -p1 -b .log-usepam-no
%patch712 -p1 -b .evp-ctr %patch712 -p1 -b .evp-ctr
%patch713 -p1 -b .ctr-cavs
%patch714 -p1 -b .kdf-cavs
# #
%patch800 -p1 -b .gsskex %patch800 -p1 -b .gsskex
%patch801 -p1 -b .force_krb %patch801 -p1 -b .force_krb
@ -378,15 +364,14 @@ popd
%patch950 -p1 -b .sandbox %patch950 -p1 -b .sandbox
%patch951 -p1 -b .pkcs11-uri %patch951 -p1 -b .pkcs11-uri
%patch953 -p1 -b .scp-ipv6 %patch953 -p1 -b .scp-ipv6
%patch958 -p1 -b .ssh-copy-id
%patch962 -p1 -b .crypto-policies %patch962 -p1 -b .crypto-policies
%patch963 -p1 -b .openssl-evp %patch963 -p1 -b .openssl-evp
%patch964 -p1 -b .openssl-kdf %patch964 -p1 -b .openssl-kdf
%patch965 -p1 -b .visibility %patch965 -p1 -b .visibility
%patch966 -p1 -b .x11-ipv6 %patch966 -p1 -b .x11-ipv6
%patch967 -p1 -b .ssh-copy-id
%patch968 -p1 -b .seccomp
%patch969 -p0 -b .debian %patch969 -p0 -b .debian
%patch974 -p1 -b .keygen-strip-doseol
%patch975 -p1 -b .preserve-pam-errors
%patch200 -p1 -b .audit %patch200 -p1 -b .audit
%patch201 -p1 -b .audit-race %patch201 -p1 -b .audit-race
@ -438,7 +423,7 @@ fi
--datadir=%{_datadir}/openssh \ --datadir=%{_datadir}/openssh \
--with-default-path=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin \ --with-default-path=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin \
--with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \ --with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
--with-privsep-path=%{_var}/empty/sshd \ --with-privsep-path=%{_datadir}/empty.sshd \
--disable-strip \ --disable-strip \
--without-zlib-version-check \ --without-zlib-version-check \
--with-ssl-engine \ --with-ssl-engine \
@ -515,7 +500,6 @@ mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/sshd_config.d mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/sshd_config.d
mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
%make_install %make_install
install -d $RPM_BUILD_ROOT/etc/pam.d/ install -d $RPM_BUILD_ROOT/etc/pam.d/
@ -532,10 +516,12 @@ install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket
install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service
install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen@.service install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen@.service
install -m644 %{SOURCE15} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.target install -m644 %{SOURCE15} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.target
install -d -m755 $RPM_BUILD_ROOT/%{_userunitdir}
install -m644 %{SOURCE16} $RPM_BUILD_ROOT/%{_userunitdir}/ssh-agent.service
install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen
install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/ install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/ install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
install -m644 -D %{SOURCE14} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf install -d -m711 ${RPM_BUILD_ROOT}/%{_datadir}/empty.sshd
%if ! %{no_gnome_askpass} %if ! %{no_gnome_askpass}
install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
@ -566,7 +552,7 @@ getent group ssh_keys >/dev/null || groupadd -r ssh_keys || :
getent group sshd >/dev/null || groupadd -g %{sshd_uid} -r sshd || : getent group sshd >/dev/null || groupadd -g %{sshd_uid} -r sshd || :
getent passwd sshd >/dev/null || \ getent passwd sshd >/dev/null || \
useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd \ useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd \
-s /sbin/nologin -r -d /var/empty/sshd sshd 2> /dev/null || : -s /sbin/nologin -r -d /usr/share/empty.sshd sshd 2> /dev/null || :
%post server %post server
%systemd_post sshd.service sshd.socket %systemd_post sshd.service sshd.socket
@ -588,6 +574,12 @@ test -f %{sysconfig_anaconda} && \
%postun server %postun server
%systemd_postun_with_restart sshd.service %systemd_postun_with_restart sshd.service
%post clients
%systemd_user_post ssh-agent.service
%preun clients
%systemd_user_preun ssh-agent.service
%files %files
%license LICENCE %license LICENCE
%doc CREDITS ChangeLog OVERVIEW PROTOCOL* README README.platform README.privsep README.tun README.dns TODO %doc CREDITS ChangeLog OVERVIEW PROTOCOL* README README.platform README.privsep README.tun README.dns TODO
@ -622,9 +614,10 @@ test -f %{sysconfig_anaconda} && \
%attr(0644,root,root) %{_mandir}/man1/ssh-copy-id.1* %attr(0644,root,root) %{_mandir}/man1/ssh-copy-id.1*
%attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8* %attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
%attr(0644,root,root) %{_mandir}/man8/ssh-sk-helper.8* %attr(0644,root,root) %{_mandir}/man8/ssh-sk-helper.8*
%attr(0644,root,root) %{_userunitdir}/ssh-agent.service
%files server %files server
%dir %attr(0711,root,root) %{_var}/empty/sshd %dir %attr(0711,root,root) %{_datadir}/empty.sshd
%attr(0755,root,root) %{_sbindir}/sshd %attr(0755,root,root) %{_sbindir}/sshd
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
%attr(0755,root,root) %{_libexecdir}/openssh/sshd-keygen %attr(0755,root,root) %{_libexecdir}/openssh/sshd-keygen
@ -642,7 +635,6 @@ test -f %{sysconfig_anaconda} && \
%attr(0644,root,root) %{_unitdir}/sshd.socket %attr(0644,root,root) %{_unitdir}/sshd.socket
%attr(0644,root,root) %{_unitdir}/sshd-keygen@.service %attr(0644,root,root) %{_unitdir}/sshd-keygen@.service
%attr(0644,root,root) %{_unitdir}/sshd-keygen.target %attr(0644,root,root) %{_unitdir}/sshd-keygen.target
%attr(0644,root,root) %{_tmpfilesdir}/openssh.conf
%files keycat %files keycat
%doc HOWTO.ssh-keycat %doc HOWTO.ssh-keycat
@ -656,11 +648,6 @@ test -f %{sysconfig_anaconda} && \
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass %attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass
%endif %endif
%files cavs
%attr(0755,root,root) %{_libexecdir}/openssh/ctr-cavstest
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-cavs
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-cavs_driver.pl
%if %{pam_ssh_agent} %if %{pam_ssh_agent}
%files -n pam_ssh_agent_auth %files -n pam_ssh_agent_auth
%license pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}/OPENSSH_LICENSE %license pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}/OPENSSH_LICENSE
@ -669,6 +656,29 @@ test -f %{sysconfig_anaconda} && \
%endif %endif
%changelog %changelog
* Mon Apr 19 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.6p1-1 + 0.10.4-3
- New upstream release (#1950819)
- ssh-keygen printing fingerprint issue with Windows keys (#1901518)
- sshd provides PAM an incorrect error code (#1879503)
* Tue Mar 09 2021 Rex Dieter <rdieter@fedoraproject.org> - 8.5p1-2
- ssh-agent.serivce is user unit (#1761817#27)
* Wed Mar 03 2021 Jakub Jelen <jjelen@redhat.com> - 8.5p1-1 + 0.10.4-2
- New upstream release (#1934336)
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 8.4p1-5.2
- Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 8.4p1-5.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Fri Jan 22 2021 Jakub Jelen <jjelen@redhat.com> - 8.4p1-5 + 0.10.4-1
- Use /usr/share/empty.sshd instead of /var/empty/sshd
- Allow emptu labels in PKCS#11 tokens (#1919007)
- Drop openssh-cavs subpackage
* Tue Dec 01 2020 Jakub Jelen <jjelen@redhat.com> - 8.4p1-4 + 0.10.4-1 * Tue Dec 01 2020 Jakub Jelen <jjelen@redhat.com> - 8.4p1-4 + 0.10.4-1
- Remove "PasswordAuthentication yes" from vendor configuration as it is - Remove "PasswordAuthentication yes" from vendor configuration as it is
already default and it might be hard to override. already default and it might be hard to override.

View File

@ -1,4 +1,4 @@
SHA512 (openssh-8.4p1.tar.gz) = d65275b082c46c5efe7cf3264fa6794d6e99a36d4a54b50554fc56979d6c0837381587fd5399195e1db680d2a5ad1ef0b99a180eac2b4de5637906cb7a89e9ce SHA512 (openssh-8.6p1.tar.gz) = 9854eda0b773c64c9f1f74844ce466b2b42ee8845f58ad062b73141d617af944fa4ebafdf72069f400106d2c2bd0a69c92fe805ec1fc26d4f0faadf06c3fbbe6
SHA512 (openssh-8.4p1.tar.gz.asc) = 3d9a026db27729a5a56785db3824230ccf2a3beca4bb48ef465e44d869b944dbc5d443152a1b1be21bc9c213c465d3d7ca1f876a387d0a6b9682a0cfec3e6e32 SHA512 (openssh-8.6p1.tar.gz.asc) = ea75d7fe350fd1761ee5490b222249e9b8915b2a02a1d41979195f15d239def387e4c6467362ab9515d517087750fa66bc368f5baa15c325502f725172631967
SHA512 (pam_ssh_agent_auth-0.10.4.tar.gz) = caccf72174d15e43f4c86a459ac6448682e62116557cf1e1e828955f3d1731595b238df42adec57860e7f341e92daf5d8285020bcb5018f3b8a5145aa32ee1c2 SHA512 (pam_ssh_agent_auth-0.10.4.tar.gz) = caccf72174d15e43f4c86a459ac6448682e62116557cf1e1e828955f3d1731595b238df42adec57860e7f341e92daf5d8285020bcb5018f3b8a5145aa32ee1c2
SHA512 (DJM-GPG-KEY.gpg) = db1191ed9b6495999e05eed2ef863fb5179bdb63e94850f192dad68eed8579836f88fbcfffd9f28524fe1457aff8cd248ee3e0afc112c8f609b99a34b80ecc0d SHA512 (gpgkey-736060BA.gpg) = df44f3fdbcd1d596705348c7f5aed3f738c5f626a55955e0642f7c6c082995cf36a1b1891bb41b8715cb2aff34fef1c877e0eff0d3507dd00a055ba695757a21

14
ssh-agent.service Normal file
View File

@ -0,0 +1,14 @@
# Requires SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent.socket"
# set in environment, handled for example in plasma via
# /etc/xdg/plasma-workspace/env/ssh-agent.sh
[Unit]
ConditionEnvironment=!SSH_AGENT_PID
Description=OpenSSH key agent
Documentation=man:ssh-agent(1) man:ssh-add(1) man:ssh(1)
[Service]
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
ExecStart=/usr/bin/ssh-agent -a $SSH_AUTH_SOCK
PassEnvironment=SSH_AGENT_PID
SuccessExitStatus=2
Type=forking

View File

@ -1 +0,0 @@
d /var/empty/sshd 711 root root -