Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2018-11-28 11:11:24 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new.19453 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "openssh" Wed Nov 28 11:11:24 2018 rev:123 rq:652023 version:7.9p1 Changes: -------- --- /work/SRC/openSUSE:Factory/openssh/openssh-askpass-gnome.changes 2018-10-23 20:34:05.768995508 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.19453/openssh-askpass-gnome.changes 2018-11-28 11:12:35.650966466 +0100 @@ -1,0 +2,7 @@ +Mon Oct 22 08:59:02 UTC 2018 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com> + +- Version update to 7.9p1 + * No actual changes for the askpass + * See main package changelog for details + +------------------------------------------------------------------- --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2018-10-23 20:34:06.312994858 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new.19453/openssh.changes 2018-11-28 11:12:35.750966326 +0100 
@@ -1,0 +2,86 @@ +Mon Nov 26 11:07:42 UTC 2018 - Vítězslav Čížek <vcizek@suse.com> + +- Fix build with openssl < 1.1.0 + * add openssh-openssl-1_0_0-compatibility.patch + +------------------------------------------------------------------- +Wed Oct 31 00:27:41 UTC 2018 - Cristian Rodríguez <crrodriguez@opensuse.org> + +- openssh-7.7p1-audit.patch: fix sshd fatal error in + mm_answer_keyverify: buffer error: incomplete message [bnc#1114008] + +------------------------------------------------------------------- +Mon Oct 22 08:51:30 UTC 2018 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com> + +- Version update to 7.9p1 + * ssh(1), sshd(8): the setting of the new CASignatureAlgorithms + option (see below) bans the use of DSA keys as certificate + authorities. + * sshd(8): the authentication success/failure log message has + changed format slightly. It now includes the certificate + fingerprint (previously it included only key ID and CA key + fingerprint). + * ssh(1), sshd(8): allow most port numbers to be specified using + service names from getservbyname(3) (typically /etc/services). + * sshd(8): support signalling sessions via the SSH protocol. + A limited subset of signals is supported and only for login or + command sessions (i.e. not subsystems) that were not subject to + a forced command via authorized_keys or sshd_config. bz#1424 + * ssh(1): support "ssh -Q sig" to list supported signature options. + Also "ssh -Q help" to show the full set of supported queries. + * ssh(1), sshd(8): add a CASignatureAlgorithms option for the + client and server configs to allow control over which signature + formats are allowed for CAs to sign certificates. For example, + this allows banning CAs that sign certificates using the RSA-SHA1 + signature algorithm. + * sshd(8), ssh-keygen(1): allow key revocation lists (KRLs) to + revoke keys specified by SHA256 hash. + * ssh-keygen(1): allow creation of key revocation lists directly + from base64-encoded SHA256 fingerprints. 
This supports revoking + keys using only the information contained in sshd(8) + authentication log messages. + +- Removed obsolete configuration option --with-tcp-wrappers, and + --with-opensc for s390 and s390x. + +- Removed patch merged upstream + * openssh-7.7p1-openssl_1.1.0.patch + +- Refreshed patches + * openssh-7.7p1-audit.patch + * openssh-7.7p1-disable_short_DH_parameters.patch + * openssh-7.7p1-fips.patch + * openssh-7.7p1-gssapi_key_exchange.patch + * openssh-7.7p1-seccomp_ipc_flock.patch + * openssh-7.7p1-cavstest-ctr.patch + * openssh-7.7p1-ldap.patch + +------------------------------------------------------------------- +Fri Oct 19 13:22:10 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com> + +- Mention upstream bugs on multiple local patches +- Adjust service to not spam restart and reload only on fails + +------------------------------------------------------------------- +Fri Oct 19 13:11:34 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com> + +- Update openssh-7.7p1-sftp_force_permissions.patch from the + upstream bug, and mention the bug in the spec + +------------------------------------------------------------------- +Fri Oct 19 08:36:52 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com> + +- Drop patch openssh-7.7p1-allow_root_password_login.patch + * There is no reason to set less secure default value, if + users need the behaviour they can still set it up themselves +- Drop patch openssh-7.7p1-blocksigalrm.patch + * We had a bug way in past about this but it was never reproduced + or even confirmed in the ticket, thus rather drop the patch + +------------------------------------------------------------------- +Wed Oct 17 09:22:36 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com> + +- Disable ssh1 protocol support as neither RH or Debian enable + this protocol by default anymore either. 
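Review bot: the Oct 19 entry that drops openssh-7.7p1-allow_root_password_login.patch should state the resulting server default, because dropping the patch silently changes behaviour on update (the README.SUSE paragraph removed in this same submission says the patch existed precisely to avoid that). Suggest extending the item with something like `* PermitRootLogin now follows the upstream default; administrators who relied on root password login must set it explicitly in sshd_config`, so the changelog itself explains a root login that stops working after the upgrade.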
+ +------------------------------------------------------------------- Old: ---- openssh-7.7p1-allow_root_password_login.patch openssh-7.7p1-blocksigalrm.patch openssh-7.7p1-openssl_1.1.0.patch openssh-7.8p1.tar.gz openssh-7.8p1.tar.gz.asc New: ---- openssh-7.9p1.tar.gz openssh-7.9p1.tar.gz.asc openssh-openssl-1_0_0-compatibility.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssh-askpass-gnome.spec ++++++ --- /var/tmp/diff_new_pack.tFM0X3/_old 2018-11-28 11:12:36.462965326 +0100 +++ /var/tmp/diff_new_pack.tFM0X3/_new 2018-11-28 11:12:36.462965326 +0100 @@ -18,7 +18,7 @@ %define _name openssh Name: openssh-askpass-gnome -Version: 7.8p1 +Version: 7.9p1 Release: 0 Summary: A GNOME-Based Passphrase Dialog for OpenSSH License: BSD-2-Clause ++++++ openssh.spec ++++++ --- /var/tmp/diff_new_pack.tFM0X3/_old 2018-11-28 11:12:36.478965304 +0100 +++ /var/tmp/diff_new_pack.tFM0X3/_new 2018-11-28 11:12:36.478965304 +0100 @@ -27,8 +27,7 @@ %bcond_without susefirewall %bcond_with tirpc %endif -%define _fwdir %{_sysconfdir}/sysconfig/SuSEfirewall2.d -%define _fwdefdir %{_fwdir}/services +%define _fwdefdir %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services %define _appdefdir %( grep "configdirspec=" $( which xmkmf ) | sed -r 's,^[^=]+=.*-I(.*)/config.*$,\\1/app-defaults,' ) %define CHECKSUM_SUFFIX .hmac %define CHECKSUM_HMAC_KEY "HMAC_KEY:OpenSSH-FIPS@SLE" @@ -37,7 +36,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: openssh -Version: 7.8p1 +Version: 7.9p1 Release: 0 Summary: Secure Shell Client and Server (Remote Login Program) License: BSD-2-Clause AND MIT 
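Review bot: inlining `%define _fwdefdir %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services` removes the `_fwdir` macro entirely; please confirm that nothing else in the spec (for instance the %install or %files sections under the `susefirewall` bcond) still expands `%{_fwdir}`, since rpm leaves an undefined macro as literal text in the path rather than failing the build, which would only show up as a wrong install location at package time.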
@@ -56,37 +55,49 @@ Source10: sshd.service Source11: README.FIPS Source12: cavs_driver-ssh.pl -Patch0: openssh-7.7p1-allow_root_password_login.patch Patch1: openssh-7.7p1-X11_trusted_forwarding.patch Patch3: openssh-7.7p1-enable_PAM_by_default.patch Patch4: openssh-7.7p1-eal3.patch -Patch5: openssh-7.7p1-blocksigalrm.patch Patch6: openssh-7.7p1-send_locale.patch Patch7: openssh-7.7p1-hostname_changes_when_forwarding_X.patch Patch8: openssh-7.7p1-remove_xauth_cookies_on_exit.patch Patch9: openssh-7.7p1-pts_names_formatting.patch Patch10: openssh-7.7p1-pam_check_locks.patch Patch11: openssh-7.7p1-disable_short_DH_parameters.patch +# https://bugzilla.mindrot.org/show_bug.cgi?id=2752 Patch14: openssh-7.7p1-seccomp_stat.patch +# https://bugzilla.mindrot.org/show_bug.cgi?id=2752 Patch15: openssh-7.7p1-seccomp_ipc_flock.patch +# https://bugzilla.mindrot.org/show_bug.cgi?id=2752 Patch16: openssh-7.7p1-seccomp_ioctl_s390_EP11.patch +# Local FIPS patchset Patch17: openssh-7.7p1-fips.patch +# Local cavs patchset Patch18: openssh-7.7p1-cavstest-ctr.patch +# Local cavs patchset Patch19: openssh-7.7p1-cavstest-kdf.patch +# Local FIPS patchset Patch20: openssh-7.7p1-fips_checks.patch Patch21: openssh-7.7p1-seed-prng.patch +# https://bugzilla.mindrot.org/show_bug.cgi?id=2641 Patch22: openssh-7.7p1-systemd-notify.patch Patch23: openssh-7.7p1-gssapi_key_exchange.patch +# https://bugzilla.mindrot.org/show_bug.cgi?id=1402 Patch24: openssh-7.7p1-audit.patch -Patch25: openssh-7.7p1-openssl_1.1.0.patch +# Local patch to disable runtime abi SSL checks, quite pointless for us Patch26: openssh-7.7p1-disable_openssl_abi_check.patch +# https://bugzilla.mindrot.org/show_bug.cgi?id=2641 Patch27: openssh-7.7p1-no_fork-no_pid_file.patch Patch28: openssh-7.7p1-host_ident.patch +# https://bugzilla.mindrot.org/show_bug.cgi?id=1844 Patch29: openssh-7.7p1-sftp_force_permissions.patch +# https://bugzilla.mindrot.org/show_bug.cgi?id=2143 Patch30: openssh-7.7p1-X_forward_with_disabled_ipv6.patch Patch31: 
openssh-7.7p1-ldap.patch +# https://bugzilla.mindrot.org/show_bug.cgi?id=2213 Patch32: openssh-7.7p1-IPv6_X_forwarding.patch Patch33: openssh-7.7p1-sftp_print_diagnostic_messages.patch +Patch34: openssh-openssl-1_0_0-compatibility.patch BuildRequires: audit-devel BuildRequires: autoconf BuildRequires: groff @@ -176,7 +187,6 @@ %configure \ --sysconfdir=%{_sysconfdir}/ssh \ --libexecdir=%{_libexecdir}/ssh \ - --with-tcp-wrappers \ --with-selinux \ --with-pid-dir=/run \ --with-systemd \ @@ -189,18 +199,13 @@ %else --with-sandbox=rlimit \ %endif -%ifnarch s390 s390x - --with-opensc \ -%endif --disable-strip \ --with-audit=linux \ --with-ldap \ --with-xauth=%{_bindir}/xauth \ --with-libedit \ - --with-ssh1 \ - --target=%{_target_cpu}-suse-linux \ + --target=%{_target_cpu}-suse-linux -### configure end make %{?_smp_mflags} %install ++++++ README.SUSE ++++++ --- /var/tmp/diff_new_pack.tFM0X3/_old 2018-11-28 11:12:36.518965247 +0100 +++ /var/tmp/diff_new_pack.tFM0X3/_new 2018-11-28 11:12:36.518965247 +0100 
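Review bot: the changelog wording "Removed obsolete configuration option --with-tcp-wrappers, and --with-opensc for s390 and s390x" does not match the configure hunk `@@ -189,18 +199,13 @@`: the whole `%ifnarch s390 s390x` block around `--with-opensc` is deleted, so the option is dropped on every architecture (previously it was passed everywhere except s390/s390x). Suggest rewording the changelog to say `--with-opensc` is removed for all architectures. Dropping the trailing `\` on `--target=%{_target_cpu}-suse-linux` is correct now that the `### configure end` comment no longer follows it.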
@@ -5,16 +5,6 @@ * PAM authentication is enabled and mostly even required, do not turn it off. -* root authentiation with password is enabled by default (PermitRootLogin yes). - NOTE: this has security implications and is only done in order to not change - behaviour of the server in an update. We strongly suggest setting this option - either "prohibit-password" or even better to "no" (which disables direct - remote root login entirely). - -* SSH protocol version 1 is enabled for maximum compatibility. - NOTE: do not use protocol version 1. It is less secure then v2 and should - generally be phased out. - * DSA authentication is enabled by default for maximum compatibility. NOTE: do not use DSA authentication since it is being phased out for a reason - the size of DSA keys is limited by the standard to 1024 bits which cannot ++++++ openssh-7.7p1-audit.patch ++++++ ++++ 860 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/openssh/openssh-7.7p1-audit.patch ++++ and /work/SRC/openSUSE:Factory/.openssh.new.19453/openssh-7.7p1-audit.patch ++++++ openssh-7.7p1-cavstest-ctr.patch ++++++ --- /var/tmp/diff_new_pack.tFM0X3/_old 2018-11-28 11:12:36.554965197 +0100 +++ /var/tmp/diff_new_pack.tFM0X3/_new 2018-11-28 11:12:36.554965197 +0100 
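Review bot: deleting the PermitRootLogin paragraph outright leaves README.SUSE silent about a default that this update changes; replace it with a short bullet stating that root password login is no longer enabled by default and must be configured explicitly in sshd_config if needed, so an administrator debugging a failed root login after the upgrade finds the reason where the old behaviour used to be documented. The removed SSH protocol version 1 paragraph can go as is, since `--with-ssh1` is dropped from the build in the same submission.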
@@ -2,15 +2,11 @@ # Parent cc1022edba2c5eeb0facba08468f65afc2466b63 CAVS test for OpenSSH's own CTR encryption mode implementation -diff --git a/openssh-7.7p1/Makefile.in b/openssh-7.7p1/Makefile.in ---- openssh-7.7p1/Makefile.in -+++ openssh-7.7p1/Makefile.in -@@ -19,16 +19,17 @@ top_srcdir=@top_srcdir@ - - DESTDIR= - VPATH=@srcdir@ - SSH_PROGRAM=@bindir@/ssh - ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass +Index: openssh-7.9p1/Makefile.in +=================================================================== +--- openssh-7.9p1.orig/Makefile.in ++++ openssh-7.9p1/Makefile.in +@@ -24,6 +24,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas SFTP_SERVER=$(libexecdir)/sftp-server SSH_KEYSIGN=$(libexecdir)/ssh-keysign SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper @@ -18,17 +14,7 @@ PRIVSEP_PATH=@PRIVSEP_PATH@ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ STRIP_OPT=@STRIP_OPT@ - TEST_SHELL=@TEST_SHELL@ - - PATHS= -DSSHDIR=\"$(sysconfdir)\" \ - -D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \ - -D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \ -@@ -57,16 +58,18 @@ ENT=@ENT@ - XAUTH_PATH=@XAUTH_PATH@ - LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@ - EXEEXT=@EXEEXT@ - MANFMT=@MANFMT@ - MKDIR_P=@MKDIR_P@ +@@ -62,6 +63,8 @@ MKDIR_P=@MKDIR_P@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) 
@@ -37,17 +23,7 @@ XMSS_OBJS=\ ssh-xmss.o \ sshkey-xmss.o \ - xmss_commons.o \ - xmss_fast.o \ - xmss_hash.o \ - xmss_hash_address.o \ - xmss_wots.o -@@ -199,16 +202,20 @@ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libss - $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) - - sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o - $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) - +@@ -204,6 +207,10 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libss sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT) @@ -58,17 +34,7 @@ # test driver for the loginrec code - not built by default logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o $(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS) - - $(MANPAGES): $(MANPAGES_IN) - if test "$(MANTYPE)" = "cat"; then \ - manpage=$(srcdir)/`echo $@ | sed 's/\.[1-9]\.out$$/\.0/'`; \ - else \ -@@ -339,16 +346,17 @@ install-files: - $(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) - $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) - $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) - $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT) - $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) +@@ -348,6 +355,7 @@ install-files: $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) 
@@ -76,15 +42,10 @@ $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 - $(INSTALL) -m 644 ssh-agent.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1 - $(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1 - $(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 - $(INSTALL) -m 644 moduli.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/moduli.5 - $(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5 -diff --git a/openssh-7.7p1/cavstest-ctr.c b/openssh-7.7p1/cavstest-ctr.c -new file mode 100644 +Index: openssh-7.9p1/cavstest-ctr.c +=================================================================== --- /dev/null -+++ openssh-7.7p1/cavstest-ctr.c ++++ openssh-7.9p1/cavstest-ctr.c @@ -0,0 +1,214 @@ +/* + * @@ -238,7 +199,7 @@ + usage(); + } + -+ SSLeay_add_all_algorithms(); ++ OpenSSL_add_all_algorithms(); + + c = cipher_by_name(algo); + if (c == NULL) { @@ -300,15 +261,11 @@ + printf("\n"); + return 0; +} -diff --git a/openssh-7.7p1/cipher.c b/openssh-7.7p1/cipher.c ---- openssh-7.7p1/cipher.c -+++ openssh-7.7p1/cipher.c -@@ -49,25 +49,16 @@ - #include "ssherr.h" - #include "digest.h" - - #include "openbsd-compat/openssl-compat.h" - +Index: openssh-7.9p1/cipher.c +=================================================================== +--- openssh-7.9p1.orig/cipher.c ++++ openssh-7.9p1/cipher.c +@@ -54,15 +54,6 @@ #include "fips.h" #include "log.h" 
@@ -324,20 +281,11 @@ struct sshcipher { char *name; u_int block_size; - u_int key_len; - u_int iv_len; /* defaults to block_size */ - u_int auth_len; - u_int flags; - #define CFLAG_CBC (1<<0) -diff --git a/openssh-7.7p1/cipher.h b/openssh-7.7p1/cipher.h ---- openssh-7.7p1/cipher.h -+++ openssh-7.7p1/cipher.h -@@ -41,17 +41,25 @@ - #include <openssl/evp.h> - #include "cipher-chachapoly.h" - #include "cipher-aesctr.h" - - #define CIPHER_ENCRYPT 1 +Index: openssh-7.9p1/cipher.h +=================================================================== +--- openssh-7.9p1.orig/cipher.h ++++ openssh-7.9p1/cipher.h +@@ -46,7 +46,15 @@ #define CIPHER_DECRYPT 0 struct sshcipher; @@ -354,8 +302,3 @@ const struct sshcipher *cipher_by_name(const char *); const char *cipher_warning_message(const struct sshcipher_ctx *); - int ciphers_valid(const char *); - char *cipher_alg_list(char, int); - int cipher_init(struct sshcipher_ctx **, const struct sshcipher *, - const u_char *, u_int, const u_char *, u_int, int); - int cipher_crypt(struct sshcipher_ctx *, u_int, u_char *, const u_char *, ++++++ openssh-7.7p1-disable_short_DH_parameters.patch ++++++ --- /var/tmp/diff_new_pack.tFM0X3/_old 2018-11-28 11:12:36.570965174 +0100 +++ /var/tmp/diff_new_pack.tFM0X3/_new 2018-11-28 11:12:36.570965174 +0100 
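Review bot: the only visible functional change in this refresh of openssh-7.7p1-cavstest-ctr.patch is `SSLeay_add_all_algorithms()` becoming `OpenSSL_add_all_algorithms()` in cavstest-ctr.c (hunk `@@ -238,7 +199,7 @@`); everything else is the header switch from `diff --git` to `Index:` form and regenerated context. Since the package is now also built against OpenSSL < 1.1.0 through the new openssh-openssl-1_0_0-compatibility.patch, this API rename deserves a line in the changelog's "Refreshed patches" item rather than being folded in silently, and the 860-line openssh-7.7p1-audit.patch diff that is skipped above should get the same scrutiny, as it carries the bnc#1114008 mm_answer_keyverify fix.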
@@ -12,23 +12,23 @@ CVE-2015-4000 (LOGJAM) bsc#932483 -Index: openssh-7.8p1/dh.c +Index: openssh-7.9p1/dh.c =================================================================== ---- openssh-7.8p1.orig/dh.c -+++ openssh-7.8p1/dh.c -@@ -43,6 +43,8 @@ - #include "misc.h" - #include "ssherr.h" +--- openssh-7.9p1.orig/dh.c ++++ openssh-7.9p1/dh.c +@@ -45,6 +45,8 @@ + + #include "openbsd-compat/openssl-compat.h" +int dh_grp_min = DH_GRP_MIN; + static int parse_prime(int linenum, char *line, struct dhgroup *dhg) { -Index: openssh-7.8p1/dh.h +Index: openssh-7.9p1/dh.h =================================================================== ---- openssh-7.8p1.orig/dh.h -+++ openssh-7.8p1/dh.h +--- openssh-7.9p1.orig/dh.h ++++ openssh-7.9p1/dh.h @@ -50,6 +50,7 @@ u_int dh_estimate(int); * Max value from RFC4419. * Miniumum increased in light of DH precomputation attacks. @@ -37,11 +37,11 @@ #define DH_GRP_MIN 2048 #define DH_GRP_MAX 8192 -Index: openssh-7.8p1/kexgexc.c +Index: openssh-7.9p1/kexgexc.c =================================================================== ---- openssh-7.8p1.orig/kexgexc.c -+++ openssh-7.8p1/kexgexc.c -@@ -51,6 +51,9 @@ +--- openssh-7.9p1.orig/kexgexc.c ++++ openssh-7.9p1/kexgexc.c +@@ -53,6 +53,9 @@ #include "sshbuf.h" #include "misc.h" @@ -51,7 +51,7 @@ static int input_kex_dh_gex_group(int, u_int32_t, struct ssh *); static int input_kex_dh_gex_reply(int, u_int32_t, struct ssh *); -@@ -63,7 +66,7 @@ kexgex_client(struct ssh *ssh) +@@ -65,7 +68,7 @@ kexgex_client(struct ssh *ssh) nbits = dh_estimate(kex->dh_need * 8); @@ -60,7 +60,7 @@ kex->max = DH_GRP_MAX; kex->nbits = nbits; if (datafellows & SSH_BUG_DHGEX_LARGE) -@@ -108,6 +111,12 @@ input_kex_dh_gex_group(int type, u_int32 +@@ -111,6 +114,12 @@ input_kex_dh_gex_group(int type, u_int32 goto out; if ((bits = BN_num_bits(p)) < 0 || (u_int)bits < kex->min || (u_int)bits > kex->max) { 
@@ -73,11 +73,11 @@ r = SSH_ERR_DH_GEX_OUT_OF_RANGE; goto out; } -Index: openssh-7.8p1/kexgexs.c +Index: openssh-7.9p1/kexgexs.c =================================================================== ---- openssh-7.8p1.orig/kexgexs.c -+++ openssh-7.8p1/kexgexs.c -@@ -54,6 +54,9 @@ +--- openssh-7.9p1.orig/kexgexs.c ++++ openssh-7.9p1/kexgexs.c +@@ -56,6 +56,9 @@ #include "sshbuf.h" #include "misc.h" @@ -87,7 +87,7 @@ static int input_kex_dh_gex_request(int, u_int32_t, struct ssh *); static int input_kex_dh_gex_init(int, u_int32_t, struct ssh *); -@@ -82,13 +85,19 @@ input_kex_dh_gex_request(int type, u_int +@@ -85,13 +88,19 @@ input_kex_dh_gex_request(int type, u_int kex->nbits = nbits; kex->min = min; kex->max = max; @@ -109,10 +109,10 @@ r = SSH_ERR_DH_GEX_OUT_OF_RANGE; goto out; } -Index: openssh-7.8p1/readconf.c +Index: openssh-7.9p1/readconf.c =================================================================== ---- openssh-7.8p1.orig/readconf.c -+++ openssh-7.8p1/readconf.c +--- openssh-7.9p1.orig/readconf.c ++++ openssh-7.9p1/readconf.c @@ -67,6 +67,7 @@ #include "uidswap.h" #include "myproposal.h" @@ -130,7 +130,7 @@ oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs, oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys, -@@ -291,6 +292,7 @@ static struct { +@@ -292,6 +293,7 @@ static struct { { "remotecommand", oRemoteCommand }, { "visualhostkey", oVisualHostKey }, { "kexalgorithms", oKexAlgorithms }, @@ -138,7 +138,7 @@ { "ipqos", oIPQoS }, { "requesttty", oRequestTTY }, { "proxyusefdpass", oProxyUseFdpass }, -@@ -312,6 +314,9 @@ static struct { +@@ -313,6 +315,9 @@ static struct { { NULL, oBadOption } }; @@ -148,7 +148,7 @@ /* * Adds a local TCP/IP port forward to options. Never returns if there is an * error. -@@ -1206,6 +1211,10 @@ parse_int: +@@ -1216,6 +1221,10 @@ parse_int: options->kex_algorithms = xstrdup(arg); break; 
@@ -159,15 +159,15 @@ case oHostKeyAlgorithms: charptr = &options->hostkeyalgorithms; parse_keytypes: -@@ -1835,6 +1844,7 @@ initialize_options(Options * options) +@@ -1860,6 +1869,7 @@ initialize_options(Options * options) options->ciphers = NULL; options->macs = NULL; options->kex_algorithms = NULL; + options->kex_dhmin = -1; options->hostkeyalgorithms = NULL; + options->ca_sign_algorithms = NULL; options->num_identity_files = 0; - options->num_certificate_files = 0; -@@ -1988,6 +1998,13 @@ fill_default_options(Options * options) +@@ -2014,6 +2024,13 @@ fill_default_options(Options * options) options->connection_attempts = 1; if (options->number_of_password_prompts == -1) options->number_of_password_prompts = 3; 
@@ -181,22 +181,22 @@ /* options->hostkeyalgorithms, default set in myproposals.h */ if (options->add_keys_to_agent == -1) options->add_keys_to_agent = 0; -Index: openssh-7.8p1/readconf.h +Index: openssh-7.9p1/readconf.h =================================================================== ---- openssh-7.8p1.orig/readconf.h -+++ openssh-7.8p1/readconf.h -@@ -67,6 +67,7 @@ typedef struct { - char *macs; /* SSH2 macs in order of preference. */ +--- openssh-7.9p1.orig/readconf.h ++++ openssh-7.9p1/readconf.h +@@ -68,6 +68,7 @@ typedef struct { char *hostkeyalgorithms; /* SSH2 server key types in order of preference. */ char *kex_algorithms; /* SSH2 kex methods in order of preference. */ -+ int kex_dhmin; /* minimum bit length of the DH group parameter */ + char *ca_sign_algorithms; /* Allowed CA signature algorithms */ ++ int kex_dhmin; /* minimum bit length of the DH group parameter */ char *hostname; /* Real host to connect. */ char *host_key_alias; /* hostname alias for .ssh/known_hosts */ char *proxy_command; /* Proxy command for connecting the host. */ -Index: openssh-7.8p1/servconf.c +Index: openssh-7.9p1/servconf.c =================================================================== ---- openssh-7.8p1.orig/servconf.c -+++ openssh-7.8p1/servconf.c +--- openssh-7.9p1.orig/servconf.c ++++ openssh-7.9p1/servconf.c @@ -64,6 +64,10 @@ #include "auth.h" #include "myproposal.h" @@ -213,10 +213,10 @@ options->macs = NULL; options->kex_algorithms = NULL; + options->kex_dhmin = -1; + options->ca_sign_algorithms = NULL; options->fwd_opts.gateway_ports = -1; options->fwd_opts.streamlocal_bind_mask = (mode_t)-1; - options->fwd_opts.streamlocal_bind_unlink = -1; -@@ -263,6 +268,14 @@ fill_default_server_options(ServerOption +@@ -267,6 +272,14 @@ fill_default_server_options(ServerOption if (options->use_pam_check_locks == -1) options->use_pam_check_locks = 0; 
@@ -231,16 +231,16 @@ /* Standard Options */ if (options->num_host_key_files == 0) { /* fill default hostkeys for protocols */ -@@ -490,7 +503,7 @@ typedef enum { +@@ -494,7 +507,7 @@ typedef enum { sHostCertificate, sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser, -- sKexAlgorithms, sIPQoS, sVersionAddendum, -+ sKexAlgorithms, sKexDHMin, sIPQoS, sVersionAddendum, +- sKexAlgorithms, sCASignatureAlgorithms, sIPQoS, sVersionAddendum, ++ sKexAlgorithms, sKexDHMin, sCASignatureAlgorithms, sIPQoS, sVersionAddendum, sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, sAuthenticationMethods, sHostKeyAgent, sPermitUserRC, sStreamLocalBindMask, sStreamLocalBindUnlink, -@@ -631,6 +644,7 @@ static struct { +@@ -635,6 +648,7 @@ static struct { { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, @@ -248,7 +248,7 @@ { "ipqos", sIPQoS, SSHCFG_ALL }, { "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL }, { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL }, -@@ -1726,6 +1740,10 @@ process_server_config_line(ServerOptions +@@ -1735,6 +1749,10 @@ process_server_config_line(ServerOptions options->kex_algorithms = xstrdup(arg); break; @@ -259,7 +259,7 @@ case sSubsystem: if (options->num_subsystems >= MAX_SUBSYSTEMS) { fatal("%s line %d: too many subsystems defined.", -@@ -2540,6 +2558,7 @@ dump_config(ServerOptions *o) +@@ -2549,6 +2567,7 @@ dump_config(ServerOptions *o) dump_cfg_int(sClientAliveInterval, o->client_alive_interval); dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max); dump_cfg_oct(sStreamLocalBindMask, o->fwd_opts.streamlocal_bind_mask); 
@@ -267,10 +267,10 @@ /* formatted integer arguments */ dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login); -Index: openssh-7.8p1/servconf.h +Index: openssh-7.9p1/servconf.h =================================================================== ---- openssh-7.8p1.orig/servconf.h -+++ openssh-7.8p1/servconf.h +--- openssh-7.9p1.orig/servconf.h ++++ openssh-7.9p1/servconf.h @@ -103,6 +103,7 @@ typedef struct { char *ciphers; /* Supported SSH2 ciphers. */ char *macs; /* Supported SSH2 macs. */ @@ -279,10 +279,10 @@ struct ForwardOptions fwd_opts; /* forwarding options */ SyslogFacility log_facility; /* Facility for system logging. */ LogLevel log_level; /* Level for system logging. */ -Index: openssh-7.8p1/ssh_config +Index: openssh-7.9p1/ssh_config =================================================================== ---- openssh-7.8p1.orig/ssh_config -+++ openssh-7.8p1/ssh_config +--- openssh-7.9p1.orig/ssh_config ++++ openssh-7.9p1/ssh_config @@ -17,6 +17,11 @@ # list of available options, their meanings and defaults, please see the # ssh_config(5) man page. @@ -295,11 +295,11 @@ Host * # ForwardAgent no # ForwardX11 no -Index: openssh-7.8p1/ssh_config.0 +Index: openssh-7.9p1/ssh_config.0 =================================================================== ---- openssh-7.8p1.orig/ssh_config.0 -+++ openssh-7.8p1/ssh_config.0 -@@ -595,6 +595,23 @@ DESCRIPTION +--- openssh-7.9p1.orig/ssh_config.0 ++++ openssh-7.9p1/ssh_config.0 +@@ -610,6 +610,23 @@ DESCRIPTION The list of available key exchange algorithms may also be obtained using "ssh -Q kex". 
@@ -323,11 +323,11 @@ LocalCommand Specifies a command to execute on the local machine after successfully connecting to the server. The command string -Index: openssh-7.8p1/ssh_config.5 +Index: openssh-7.9p1/ssh_config.5 =================================================================== ---- openssh-7.8p1.orig/ssh_config.5 -+++ openssh-7.8p1/ssh_config.5 -@@ -1025,6 +1025,22 @@ diffie-hellman-group14-sha1 +--- openssh-7.9p1.orig/ssh_config.5 ++++ openssh-7.9p1/ssh_config.5 +@@ -1047,6 +1047,22 @@ diffie-hellman-group14-sha1 .Pp The list of available key exchange algorithms may also be obtained using .Qq ssh -Q kex . @@ -350,10 +350,10 @@ .It Cm LocalCommand Specifies a command to execute on the local machine after successfully connecting to the server. -Index: openssh-7.8p1/sshd_config +Index: openssh-7.9p1/sshd_config =================================================================== ---- openssh-7.8p1.orig/sshd_config -+++ openssh-7.8p1/sshd_config +--- openssh-7.9p1.orig/sshd_config ++++ openssh-7.9p1/sshd_config @@ -19,6 +19,13 @@ #HostKey /etc/ssh/ssh_host_ecdsa_key #HostKey /etc/ssh/ssh_host_ed25519_key @@ -368,11 +368,11 @@ # Ciphers and keying #RekeyLimit default none -Index: openssh-7.8p1/sshd_config.0 +Index: openssh-7.9p1/sshd_config.0 =================================================================== ---- openssh-7.8p1.orig/sshd_config.0 -+++ openssh-7.8p1/sshd_config.0 -@@ -545,6 +545,23 @@ DESCRIPTION +--- openssh-7.9p1.orig/sshd_config.0 ++++ openssh-7.9p1/sshd_config.0 +@@ -555,6 +555,23 @@ DESCRIPTION The list of available key exchange algorithms may also be obtained using "ssh -Q kex". 
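Review bot: the readconf.h hunk reorders the added field so `int kex_dhmin;` now follows upstream's new `char *ca_sign_algorithms;` instead of preceding it, and the servconf.c enum hunk places `sKexDHMin` between `sKexAlgorithms` and `sCASignatureAlgorithms`; both are rebase artefacts with no behavioural effect, since initialize_options and initialize_server_options assign the fields by name (`options->kex_dhmin = -1;`), but the struct reorder is worth noting in the changelog so a later refresh does not mistake it for a lost hunk. Everything else in this refresh is offset movement for 7.9p1.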
@@ -396,11 +396,11 @@ ListenAddress Specifies the local addresses sshd(8) should listen on. The following forms may be used: -Index: openssh-7.8p1/sshd_config.5 +Index: openssh-7.9p1/sshd_config.5 =================================================================== ---- openssh-7.8p1.orig/sshd_config.5 -+++ openssh-7.8p1/sshd_config.5 -@@ -912,6 +912,22 @@ diffie-hellman-group14-sha256,diffie-hel +--- openssh-7.9p1.orig/sshd_config.5 ++++ openssh-7.9p1/sshd_config.5 +@@ -923,6 +923,22 @@ diffie-hellman-group14-sha256,diffie-hel .Pp The list of available key exchange algorithms may also be obtained using .Qq ssh -Q kex . ++++++ openssh-7.7p1-fips.patch ++++++ --- /var/tmp/diff_new_pack.tFM0X3/_old 2018-11-28 11:12:36.582965158 +0100 +++ /var/tmp/diff_new_pack.tFM0X3/_new 2018-11-28 11:12:36.582965158 +0100 @@ -3,10 +3,10 @@ FIPS 140-2 compliance. Perform selftests on start and use only FIPS approved algorithms. -Index: openssh-7.8p1/Makefile.in +Index: openssh-7.9p1/Makefile.in =================================================================== ---- openssh-7.8p1.orig/Makefile.in -+++ openssh-7.8p1/Makefile.in +--- openssh-7.9p1.orig/Makefile.in ++++ openssh-7.9p1/Makefile.in @@ -102,6 +102,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \ platform-pledge.o platform-tracing.o platform-misc.o @@ -16,10 +16,10 @@ SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect2.o mux.o -Index: openssh-7.8p1/cipher-ctr.c +Index: openssh-7.9p1/cipher-ctr.c =================================================================== ---- openssh-7.8p1.orig/cipher-ctr.c -+++ openssh-7.8p1/cipher-ctr.c +--- openssh-7.9p1.orig/cipher-ctr.c ++++ openssh-7.9p1/cipher-ctr.c @@ -27,6 +27,8 @@ #include "xmalloc.h" #include "log.h" 
@@ -38,10 +38,10 @@ #endif return (&aes_ctr); } -Index: openssh-7.8p1/cipher.c +Index: openssh-7.9p1/cipher.c =================================================================== ---- openssh-7.8p1.orig/cipher.c -+++ openssh-7.8p1/cipher.c +--- openssh-7.9p1.orig/cipher.c ++++ openssh-7.9p1/cipher.c @@ -51,6 +51,8 @@ #include "openbsd-compat/openssl-compat.h" @@ -131,10 +131,10 @@ if (strcmp(c->name, name) == 0) return c; return NULL; -Index: openssh-7.8p1/dh.h +Index: openssh-7.9p1/dh.h =================================================================== ---- openssh-7.8p1.orig/dh.h -+++ openssh-7.8p1/dh.h +--- openssh-7.9p1.orig/dh.h ++++ openssh-7.9p1/dh.h @@ -52,6 +52,7 @@ u_int dh_estimate(int); */ #define DH_GRP_MIN_RFC 1024 @@ -143,10 +143,10 @@ #define DH_GRP_MAX 8192 /* -Index: openssh-7.8p1/fips.c +Index: openssh-7.9p1/fips.c =================================================================== --- /dev/null -+++ openssh-7.8p1/fips.c ++++ openssh-7.9p1/fips.c @@ -0,0 +1,237 @@ +/* + * Copyright (c) 2012 Petr Cerny. All rights reserved. @@ -385,10 +385,10 @@ + return dh; +} + -Index: openssh-7.8p1/fips.h +Index: openssh-7.9p1/fips.h =================================================================== --- /dev/null -+++ openssh-7.8p1/fips.h ++++ openssh-7.9p1/fips.h @@ -0,0 +1,45 @@ +/* + * Copyright (c) 2012 Petr Cerny. All rights reserved. @@ -435,10 +435,10 @@ + +#endif + -Index: openssh-7.8p1/hmac.c +Index: openssh-7.9p1/hmac.c =================================================================== ---- openssh-7.8p1.orig/hmac.c -+++ openssh-7.8p1/hmac.c +--- openssh-7.9p1.orig/hmac.c ++++ openssh-7.9p1/hmac.c @@ -144,7 +144,7 @@ hmac_test(void *key, size_t klen, void * size_t i; u_char digest[16]; 
@@ -448,10 +448,10 @@ printf("ssh_hmac_start failed"); if (ssh_hmac_init(ctx, key, klen) < 0 || ssh_hmac_update(ctx, m, mlen) < 0 || -Index: openssh-7.8p1/kex.c +Index: openssh-7.9p1/kex.c =================================================================== ---- openssh-7.8p1.orig/kex.c -+++ openssh-7.8p1/kex.c +--- openssh-7.9p1.orig/kex.c ++++ openssh-7.9p1/kex.c @@ -54,6 +54,8 @@ #include "sshbuf.h" #include "digest.h" @@ -547,11 +547,11 @@ free(s); return 0; } -Index: openssh-7.8p1/kexgexc.c +Index: openssh-7.9p1/kexgexc.c =================================================================== ---- openssh-7.8p1.orig/kexgexc.c -+++ openssh-7.8p1/kexgexc.c -@@ -51,8 +51,7 @@ +--- openssh-7.9p1.orig/kexgexc.c ++++ openssh-7.9p1/kexgexc.c +@@ -53,8 +53,7 @@ #include "sshbuf.h" #include "misc.h" @@ -561,7 +561,7 @@ static int input_kex_dh_gex_group(int, u_int32_t, struct ssh *); static int input_kex_dh_gex_reply(int, u_int32_t, struct ssh *); -@@ -66,7 +65,7 @@ kexgex_client(struct ssh *ssh) +@@ -68,7 +67,7 @@ kexgex_client(struct ssh *ssh) nbits = dh_estimate(kex->dh_need * 8); @@ -570,11 +570,11 @@ kex->max = DH_GRP_MAX; kex->nbits = nbits; if (datafellows & SSH_BUG_DHGEX_LARGE) -Index: openssh-7.8p1/kexgexs.c +Index: openssh-7.9p1/kexgexs.c =================================================================== ---- openssh-7.8p1.orig/kexgexs.c -+++ openssh-7.8p1/kexgexs.c -@@ -54,8 +54,7 @@ +--- openssh-7.9p1.orig/kexgexs.c ++++ openssh-7.9p1/kexgexs.c +@@ -56,8 +56,7 @@ #include "sshbuf.h" #include "misc.h" @@ -584,7 +584,7 @@ static int input_kex_dh_gex_request(int, u_int32_t, struct ssh *); static int input_kex_dh_gex_init(int, u_int32_t, struct ssh *); -@@ -85,9 +84,9 @@ input_kex_dh_gex_request(int type, u_int +@@ -88,9 +87,9 @@ input_kex_dh_gex_request(int type, u_int kex->nbits = nbits; kex->min = min; kex->max = max; 
@@ -596,10 +596,10 @@ nbits = MINIMUM(DH_GRP_MAX, nbits); if (kex->max < kex->min || kex->nbits < kex->min || -Index: openssh-7.8p1/mac.c +Index: openssh-7.9p1/mac.c =================================================================== ---- openssh-7.8p1.orig/mac.c -+++ openssh-7.8p1/mac.c +--- openssh-7.9p1.orig/mac.c ++++ openssh-7.9p1/mac.c @@ -40,6 +40,9 @@ #include "openbsd-compat/openssl-compat.h" @@ -679,11 +679,11 @@ if (strcmp(name, m->name) != 0) continue; if (mac != NULL) -Index: openssh-7.8p1/myproposal.h +Index: openssh-7.9p1/myproposal.h =================================================================== ---- openssh-7.8p1.orig/myproposal.h -+++ openssh-7.8p1/myproposal.h -@@ -141,6 +141,8 @@ +--- openssh-7.9p1.orig/myproposal.h ++++ openssh-7.9p1/myproposal.h +@@ -151,6 +151,8 @@ #else /* WITH_OPENSSL */ @@ -692,10 +692,10 @@ #define KEX_SERVER_KEX \ "curve25519-sha256," \ "curve25519-sha256@libssh.org" -Index: openssh-7.8p1/readconf.c +Index: openssh-7.9p1/readconf.c =================================================================== ---- openssh-7.8p1.orig/readconf.c -+++ openssh-7.8p1/readconf.c +--- openssh-7.9p1.orig/readconf.c ++++ openssh-7.9p1/readconf.c @@ -68,6 +68,7 @@ #include "myproposal.h" #include "digest.h" @@ -704,7 +704,7 @@ /* Format of the configuration file: -@@ -1800,6 +1801,23 @@ option_clear_or_none(const char *o) +@@ -1825,6 +1826,23 @@ option_clear_or_none(const char *o) return o == NULL || strcasecmp(o, "none") == 0; } @@ -728,7 +728,7 @@ /* * Initializes options to special values that indicate that they have not yet * been set. Read_config_file will only set options with this value. Options -@@ -1999,9 +2017,9 @@ fill_default_options(Options * options) +@@ -2025,9 +2043,9 @@ fill_default_options(Options * options) if (options->number_of_password_prompts == -1) options->number_of_password_prompts = 3; if (options->kex_dhmin == -1) 
@@ -740,7 +740,7 @@ options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX); } dh_grp_min = options->kex_dhmin; -@@ -2086,6 +2104,8 @@ fill_default_options(Options * options) +@@ -2112,6 +2130,8 @@ fill_default_options(Options * options) options->canonicalize_hostname = SSH_CANONICALISE_NO; if (options->fingerprint_hash == -1) options->fingerprint_hash = SSH_FP_HASH_DEFAULT; @@ -749,19 +749,19 @@ if (options->update_hostkeys == -1) options->update_hostkeys = 0; -@@ -2110,6 +2130,7 @@ fill_default_options(Options * options) - free(all_mac); - free(all_kex); +@@ -2594,6 +2614,7 @@ dump_client_config(Options *o, const cha + KEX_DEFAULT_PK_ALG, all_key) != 0) + fatal("%s: kex_assemble_names failed", __func__); free(all_key); -+ filter_fips_algorithms(options); ++ filter_fips_algorithms(o); - #define CLEAR_ON_NONE(v) \ - do { \ -Index: openssh-7.8p1/readconf.h -=================================================================== ---- openssh-7.8p1.orig/readconf.h -+++ openssh-7.8p1/readconf.h -@@ -197,6 +197,7 @@ typedef struct { + /* Most interesting options first: user, host, port */ + dump_cfg_string(oUser, o->user); +Index: openssh-7.9p1/readconf.h +=================================================================== +--- openssh-7.9p1.orig/readconf.h ++++ openssh-7.9p1/readconf.h +@@ -198,6 +198,7 @@ typedef struct { #define SSH_STRICT_HOSTKEY_YES 2 #define SSH_STRICT_HOSTKEY_ASK 3 @@ -769,10 +769,10 @@ void initialize_options(Options *); void fill_default_options(Options *); void fill_default_options_for_canonicalization(Options *); -Index: openssh-7.8p1/servconf.c +Index: openssh-7.9p1/servconf.c =================================================================== ---- openssh-7.8p1.orig/servconf.c -+++ openssh-7.8p1/servconf.c +--- openssh-7.9p1.orig/servconf.c ++++ openssh-7.9p1/servconf.c @@ -65,6 +65,7 @@ #include "myproposal.h" #include "digest.h" 
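Review bot: the client-side FIPS filter looks mis-anchored after the rebase. The old hunk added `filter_fips_algorithms(options);` at the end of fill_default_options(), right after the assembled algorithm lists are freed, which is the path every ssh connection takes; the new hunk (`@@ -2594,6 +2614,7 @@ dump_client_config`) adds `filter_fips_algorithms(o);` only inside dump_client_config(), which runs when the effective configuration is printed. If that is not deliberate, the filtering no longer applies on the normal client code path. Compare the server side in servconf.c below, which keeps `filter_fips_algorithms_s(o);` in assemble_algorithms(). Re-anchor the call after the list assembly in fill_default_options() or state in the patch header why filtering only the dump path is sufficient.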
@@ -781,7 +781,7 @@ /* import from dh.c */ extern int dh_grp_min; -@@ -194,6 +195,23 @@ option_clear_or_none(const char *o) +@@ -195,6 +196,23 @@ option_clear_or_none(const char *o) return o == NULL || strcasecmp(o, "none") == 0; } @@ -805,16 +805,16 @@ static void assemble_algorithms(ServerOptions *o) { -@@ -220,6 +238,8 @@ assemble_algorithms(ServerOptions *o) - free(all_mac); +@@ -224,6 +242,8 @@ assemble_algorithms(ServerOptions *o) free(all_kex); free(all_key); + free(all_sig); + + filter_fips_algorithms_s(o); } static void -@@ -269,9 +289,9 @@ fill_default_server_options(ServerOption +@@ -273,9 +293,9 @@ fill_default_server_options(ServerOption options->use_pam_check_locks = 0; if (options->kex_dhmin == -1) @@ -826,7 +826,7 @@ options->kex_dhmin = MINIMUM(options->kex_dhmin, DH_GRP_MAX); } dh_grp_min = options->kex_dhmin; -@@ -419,6 +439,8 @@ fill_default_server_options(ServerOption +@@ -423,6 +443,8 @@ fill_default_server_options(ServerOption options->fwd_opts.streamlocal_bind_unlink = 0; if (options->fingerprint_hash == -1) options->fingerprint_hash = SSH_FP_HASH_DEFAULT; @@ -835,10 +835,10 @@ if (options->disable_forwarding == -1) options->disable_forwarding = 0; if (options->expose_userauth_info == -1) -Index: openssh-7.8p1/ssh-keygen.c +Index: openssh-7.9p1/ssh-keygen.c =================================================================== ---- openssh-7.8p1.orig/ssh-keygen.c -+++ openssh-7.8p1/ssh-keygen.c +--- openssh-7.9p1.orig/ssh-keygen.c ++++ openssh-7.9p1/ssh-keygen.c @@ -61,6 +61,8 @@ #include "utf8.h" #include "authfd.h" @@ -848,7 +848,7 @@ #ifdef WITH_OPENSSL # define DEFAULT_KEY_TYPE_NAME "rsa" #else -@@ -965,11 +967,13 @@ do_fingerprint(struct passwd *pw) +@@ -996,11 +998,13 @@ do_fingerprint(struct passwd *pw) static void do_gen_all_hostkeys(struct passwd *pw) { 
@@ -864,7 +864,7 @@ #ifdef WITH_OPENSSL { "rsa", "RSA" ,_PATH_HOST_RSA_KEY_FILE }, { "dsa", "DSA", _PATH_HOST_DSA_KEY_FILE }, -@@ -984,6 +988,17 @@ do_gen_all_hostkeys(struct passwd *pw) +@@ -1015,6 +1019,17 @@ do_gen_all_hostkeys(struct passwd *pw) { NULL, NULL, NULL } }; @@ -882,7 +882,7 @@ int first = 0; struct stat st; struct sshkey *private, *public; -@@ -991,6 +1006,12 @@ do_gen_all_hostkeys(struct passwd *pw) +@@ -1022,6 +1037,12 @@ do_gen_all_hostkeys(struct passwd *pw) int i, type, fd, r; FILE *f; @@ -895,7 +895,7 @@ for (i = 0; key_types[i].key_type; i++) { public = private = NULL; prv_tmp = pub_tmp = prv_file = pub_file = NULL; -@@ -2727,6 +2748,15 @@ main(int argc, char **argv) +@@ -2817,6 +2838,15 @@ main(int argc, char **argv) key_type_name = DEFAULT_KEY_TYPE_NAME; type = sshkey_type_from_name(key_type_name); @@ -911,11 +911,11 @@ type_bits_valid(type, key_type_name, &bits); if (!quiet) -Index: openssh-7.8p1/ssh_config.0 +Index: openssh-7.9p1/ssh_config.0 =================================================================== ---- openssh-7.8p1.orig/ssh_config.0 -+++ openssh-7.8p1/ssh_config.0 -@@ -343,6 +343,9 @@ DESCRIPTION +--- openssh-7.9p1.orig/ssh_config.0 ++++ openssh-7.9p1/ssh_config.0 +@@ -353,6 +353,9 @@ DESCRIPTION Specifies the hash algorithm used when displaying key fingerprints. Valid options are: md5 and sha256 (the default). @@ -925,7 +925,7 @@ ForwardAgent Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine. The argument must -@@ -612,6 +615,9 @@ DESCRIPTION +@@ -627,6 +630,9 @@ DESCRIPTION resort and all efforts should be made to fix the (broken) counterparty. 
@@ -935,11 +935,11 @@ LocalCommand Specifies a command to execute on the local machine after successfully connecting to the server. The command string -Index: openssh-7.8p1/ssh_config.5 +Index: openssh-7.9p1/ssh_config.5 =================================================================== ---- openssh-7.8p1.orig/ssh_config.5 -+++ openssh-7.8p1/ssh_config.5 -@@ -628,6 +628,8 @@ Valid options are: +--- openssh-7.9p1.orig/ssh_config.5 ++++ openssh-7.9p1/ssh_config.5 +@@ -642,6 +642,8 @@ Valid options are: and .Cm sha256 (the default). @@ -948,7 +948,7 @@ .It Cm ForwardAgent Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine. -@@ -1041,6 +1043,9 @@ maximum backward compatibility, using it +@@ -1063,6 +1065,9 @@ maximum backward compatibility, using it security and thus should be viewed as a temporary fix of last resort and all efforts should be made to fix the (broken) counterparty. @@ -958,10 +958,10 @@ .It Cm LocalCommand Specifies a command to execute on the local machine after successfully connecting to the server. -Index: openssh-7.8p1/sshd.c +Index: openssh-7.9p1/sshd.c =================================================================== ---- openssh-7.8p1.orig/sshd.c -+++ openssh-7.8p1/sshd.c +--- openssh-7.9p1.orig/sshd.c ++++ openssh-7.9p1/sshd.c @@ -123,6 +123,8 @@ #include "version.h" #include "ssherr.h" 
@@ -971,11 +971,11 @@ /* Re-exec fds */ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) -Index: openssh-7.8p1/sshd_config.0 +Index: openssh-7.9p1/sshd_config.0 =================================================================== ---- openssh-7.8p1.orig/sshd_config.0 -+++ openssh-7.8p1/sshd_config.0 -@@ -338,6 +338,9 @@ DESCRIPTION +--- openssh-7.9p1.orig/sshd_config.0 ++++ openssh-7.9p1/sshd_config.0 +@@ -348,6 +348,9 @@ DESCRIPTION Specifies the hash algorithm used when logging key fingerprints. Valid options are: md5 and sha256. The default is sha256. @@ -985,7 +985,7 @@ ForceCommand Forces the execution of the command specified by ForceCommand, ignoring any command supplied by the client and ~/.ssh/rc if -@@ -562,6 +565,9 @@ DESCRIPTION +@@ -572,6 +575,9 @@ DESCRIPTION resort and all efforts should be made to fix the (broken) counterparty. @@ -995,11 +995,11 @@ ListenAddress Specifies the local addresses sshd(8) should listen on. The following forms may be used: -Index: openssh-7.8p1/sshd_config.5 +Index: openssh-7.9p1/sshd_config.5 =================================================================== ---- openssh-7.8p1.orig/sshd_config.5 -+++ openssh-7.8p1/sshd_config.5 -@@ -592,6 +592,8 @@ and +--- openssh-7.9p1.orig/sshd_config.5 ++++ openssh-7.9p1/sshd_config.5 +@@ -603,6 +603,8 @@ and .Cm sha256 . The default is .Cm sha256 . ++++++ openssh-7.7p1-gssapi_key_exchange.patch ++++++ ++++ 1356 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/openssh/openssh-7.7p1-gssapi_key_exchange.patch ++++ and /work/SRC/openSUSE:Factory/.openssh.new.19453/openssh-7.7p1-gssapi_key_exchange.patch ++++++ openssh-7.7p1-ldap.patch ++++++ --- /var/tmp/diff_new_pack.tFM0X3/_old 2018-11-28 11:12:36.602965130 +0100 +++ /var/tmp/diff_new_pack.tFM0X3/_new 2018-11-28 11:12:36.602965130 +0100 
@@ -10,10 +10,10 @@ # internal versions. ssh-keyconverter consequently fails to link as it lacks # the proper flags, and libopenbsd-compat doesn't contain the b64_* functions) -Index: openssh-7.8p1/HOWTO.ldap-keys +Index: openssh-7.9p1/HOWTO.ldap-keys =================================================================== --- /dev/null -+++ openssh-7.8p1/HOWTO.ldap-keys ++++ openssh-7.9p1/HOWTO.ldap-keys @@ -0,0 +1,108 @@ + +HOW TO START @@ -123,10 +123,10 @@ + - frederic peters. + - Finlay dobbie. + - Stefan Fisher. -Index: openssh-7.8p1/Makefile.in +Index: openssh-7.9p1/Makefile.in =================================================================== ---- openssh-7.8p1.orig/Makefile.in -+++ openssh-7.8p1/Makefile.in +--- openssh-7.9p1.orig/Makefile.in ++++ openssh-7.9p1/Makefile.in @@ -24,6 +24,8 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas SFTP_SERVER=$(libexecdir)/sftp-server SSH_KEYSIGN=$(libexecdir)/ssh-keysign @@ -146,7 +146,7 @@ XMSS_OBJS=\ ssh-xmss.o \ sshkey-xmss.o \ -@@ -132,8 +137,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw +@@ -130,8 +135,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \ sandbox-solaris.o uidswap.o @@ -157,7 +157,7 @@ MANTYPE = @MANTYPE@ CONFIGFILES=sshd_config.out ssh_config.out moduli.out -@@ -208,6 +213,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) +@@ -206,6 +211,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) 
@@ -167,7 +167,7 @@ sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o $(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -@@ -363,6 +371,10 @@ install-files: +@@ -361,6 +369,10 @@ install-files: $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT) $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) @@ -178,7 +178,7 @@ $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) cavstest-ctr$(EXEEXT) $(DESTDIR)$(libexecdir)/cavstest-ctr$(EXEEXT) -@@ -381,6 +393,10 @@ install-files: +@@ -379,6 +391,10 @@ install-files: $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 @@ -189,7 +189,7 @@ install-sysconf: $(MKDIR_P) $(DESTDIR)$(sysconfdir) -@@ -404,6 +420,13 @@ install-sysconf: +@@ -402,6 +418,13 @@ install-sysconf: else \ echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \ fi @@ -203,7 +203,7 @@ host-key: ssh-keygen$(EXEEXT) @if [ -z "$(DESTDIR)" ] ; then \ -@@ -441,6 +464,8 @@ uninstall: +@@ -439,6 +462,8 @@ uninstall: -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) -rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) -rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) 
@@ -212,7 +212,7 @@ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 -@@ -452,6 +477,7 @@ uninstall: +@@ -450,6 +475,7 @@ uninstall: -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 @@ -220,11 +220,11 @@ regress-prep: $(MKDIR_P) `pwd`/regress/unittests/test_helper -Index: openssh-7.8p1/configure.ac +Index: openssh-7.9p1/configure.ac =================================================================== ---- openssh-7.8p1.orig/configure.ac -+++ openssh-7.8p1/configure.ac -@@ -1680,6 +1680,106 @@ AC_ARG_WITH([audit], +--- openssh-7.9p1.orig/configure.ac ++++ openssh-7.9p1/configure.ac +@@ -1671,6 +1671,106 @@ AC_ARG_WITH([audit], esac ] ) @@ -331,10 +331,10 @@ AC_ARG_WITH([pie], [ --with-pie Build Position Independent Executables if possible], [ if test "x$withval" = "xno"; then -Index: openssh-7.8p1/ldap-helper.c +Index: openssh-7.9p1/ldap-helper.c =================================================================== --- /dev/null -+++ openssh-7.8p1/ldap-helper.c ++++ openssh-7.9p1/ldap-helper.c @@ -0,0 +1,155 @@ +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -491,10 +491,10 @@ +void *buffer_get_string(struct sshbuf *b, u_int *l) { return NULL; } +void buffer_put_string(struct sshbuf *b, const void *f, u_int l) {} + -Index: openssh-7.8p1/ldap-helper.h +Index: openssh-7.9p1/ldap-helper.h =================================================================== --- /dev/null -+++ openssh-7.8p1/ldap-helper.h ++++ openssh-7.9p1/ldap-helper.h @@ -0,0 +1,32 @@ +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* 
@@ -528,10 +528,10 @@ +extern int config_warning_config_file; + +#endif /* LDAP_HELPER_H */ -Index: openssh-7.8p1/ldap.conf +Index: openssh-7.9p1/ldap.conf =================================================================== --- /dev/null -+++ openssh-7.8p1/ldap.conf ++++ openssh-7.9p1/ldap.conf @@ -0,0 +1,88 @@ +# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $ +# @@ -621,10 +621,10 @@ +#tls_cert +#tls_key + -Index: openssh-7.8p1/ldapbody.c +Index: openssh-7.9p1/ldapbody.c =================================================================== --- /dev/null -+++ openssh-7.8p1/ldapbody.c ++++ openssh-7.9p1/ldapbody.c @@ -0,0 +1,494 @@ +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1120,10 +1120,10 @@ + return; +} + -Index: openssh-7.8p1/ldapbody.h +Index: openssh-7.9p1/ldapbody.h =================================================================== --- /dev/null -+++ openssh-7.8p1/ldapbody.h ++++ openssh-7.9p1/ldapbody.h @@ -0,0 +1,37 @@ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1162,10 +1162,10 @@ + +#endif /* LDAPBODY_H */ + -Index: openssh-7.8p1/ldapconf.c +Index: openssh-7.9p1/ldapconf.c =================================================================== --- /dev/null -+++ openssh-7.8p1/ldapconf.c ++++ openssh-7.9p1/ldapconf.c @@ -0,0 +1,711 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -1878,10 +1878,10 @@ + dump_cfg_string(lSSH_Filter, options.ssh_filter); +} + -Index: openssh-7.8p1/ldapconf.h +Index: openssh-7.9p1/ldapconf.h =================================================================== --- /dev/null -+++ openssh-7.8p1/ldapconf.h ++++ openssh-7.9p1/ldapconf.h @@ -0,0 +1,71 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* 
@@ -1954,10 +1954,10 @@ +void dump_config(void); + +#endif /* LDAPCONF_H */ -Index: openssh-7.8p1/ldapincludes.h +Index: openssh-7.9p1/ldapincludes.h =================================================================== --- /dev/null -+++ openssh-7.8p1/ldapincludes.h ++++ openssh-7.9p1/ldapincludes.h @@ -0,0 +1,41 @@ +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -2000,10 +2000,10 @@ +#endif + +#endif /* LDAPINCLUDES_H */ -Index: openssh-7.8p1/ldapmisc.c +Index: openssh-7.9p1/ldapmisc.c =================================================================== --- /dev/null -+++ openssh-7.8p1/ldapmisc.c ++++ openssh-7.9p1/ldapmisc.c @@ -0,0 +1,79 @@ + +#include "ldapincludes.h" @@ -2084,10 +2084,10 @@ +} +#endif + -Index: openssh-7.8p1/ldapmisc.h +Index: openssh-7.9p1/ldapmisc.h =================================================================== --- /dev/null -+++ openssh-7.8p1/ldapmisc.h ++++ openssh-7.9p1/ldapmisc.h @@ -0,0 +1,35 @@ +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */ +/* @@ -2124,10 +2124,10 @@ + +#endif /* LDAPMISC_H */ + -Index: openssh-7.8p1/openbsd-compat/base64.c +Index: openssh-7.9p1/openbsd-compat/base64.c =================================================================== ---- openssh-7.8p1.orig/openbsd-compat/base64.c -+++ openssh-7.8p1/openbsd-compat/base64.c +--- openssh-7.9p1.orig/openbsd-compat/base64.c ++++ openssh-7.9p1/openbsd-compat/base64.c @@ -46,7 +46,7 @@ #include "includes.h" @@ -2155,10 +2155,10 @@ /* skips all whitespace anywhere. converts characters, four at a time, starting at (or after) -Index: openssh-7.8p1/openbsd-compat/base64.h +Index: openssh-7.9p1/openbsd-compat/base64.h =================================================================== ---- openssh-7.8p1.orig/openbsd-compat/base64.h -+++ openssh-7.8p1/openbsd-compat/base64.h +--- openssh-7.9p1.orig/openbsd-compat/base64.h ++++ openssh-7.9p1/openbsd-compat/base64.h @@ -45,16 +45,16 @@ #include "includes.h" 
@@ -2180,10 +2180,10 @@ int b64_pton(char const *src, u_char *target, size_t targsize); # endif /* !HAVE_B64_PTON */ # define __b64_pton(a,b,c) b64_pton(a,b,c) -Index: openssh-7.8p1/openssh-lpk-openldap.schema +Index: openssh-7.9p1/openssh-lpk-openldap.schema =================================================================== --- /dev/null -+++ openssh-7.8p1/openssh-lpk-openldap.schema ++++ openssh-7.9p1/openssh-lpk-openldap.schema @@ -0,0 +1,21 @@ +# +# LDAP Public Key Patch schema for use with openssh-ldappubkey @@ -2206,10 +2206,10 @@ + DESC 'MANDATORY: OpenSSH LPK objectclass' + MUST ( sshPublicKey $ uid ) + ) -Index: openssh-7.8p1/openssh-lpk-sun.schema +Index: openssh-7.9p1/openssh-lpk-sun.schema =================================================================== --- /dev/null -+++ openssh-7.8p1/openssh-lpk-sun.schema ++++ openssh-7.9p1/openssh-lpk-sun.schema @@ -0,0 +1,23 @@ +# +# LDAP Public Key Patch schema for use with openssh-ldappubkey @@ -2234,10 +2234,10 @@ + DESC 'MANDATORY: OpenSSH LPK objectclass' + MUST ( sshPublicKey $ uid ) + ) -Index: openssh-7.8p1/ssh-ldap-helper.8 +Index: openssh-7.9p1/ssh-ldap-helper.8 =================================================================== --- /dev/null -+++ openssh-7.8p1/ssh-ldap-helper.8 ++++ openssh-7.9p1/ssh-ldap-helper.8 @@ -0,0 +1,79 @@ +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" @@ -2318,19 +2318,19 @@ +OpenSSH 5.5 + PKA-LDAP . +.Sh AUTHORS +.An Jan F. Chadima Aq jchadima@redhat.com -Index: openssh-7.8p1/ssh-ldap-wrapper +Index: openssh-7.9p1/ssh-ldap-wrapper =================================================================== --- /dev/null -+++ openssh-7.8p1/ssh-ldap-wrapper ++++ openssh-7.9p1/ssh-ldap-wrapper @@ -0,0 +1,4 @@ +#!/bin/sh + +exec @LIBEXECDIR@/ssh-ldap-helper -s "$1" + -Index: openssh-7.8p1/ssh-ldap.conf.5 +Index: openssh-7.9p1/ssh-ldap.conf.5 =================================================================== 
--- /dev/null -+++ openssh-7.8p1/ssh-ldap.conf.5 ++++ openssh-7.9p1/ssh-ldap.conf.5 @@ -0,0 +1,376 @@ +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $ +.\" ++++++ openssh-7.7p1-seccomp_ipc_flock.patch ++++++ --- /var/tmp/diff_new_pack.tFM0X3/_old 2018-11-28 11:12:36.618965107 +0100 +++ /var/tmp/diff_new_pack.tFM0X3/_new 2018-11-28 11:12:36.618965107 +0100 @@ -15,15 +15,11 @@ Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> -diff --git a/openssh-7.7p1/sandbox-seccomp-filter.c b/openssh-7.7p1/sandbox-seccomp-filter.c ---- openssh-7.7p1/sandbox-seccomp-filter.c -+++ openssh-7.7p1/sandbox-seccomp-filter.c -@@ -167,16 +167,19 @@ static const struct sock_filter preauth_ - SC_ALLOW(__NR_exit_group), - #endif - #ifdef __NR_geteuid - SC_ALLOW(__NR_geteuid), - #endif +Index: openssh-7.9p1/sandbox-seccomp-filter.c +=================================================================== +--- openssh-7.9p1.orig/sandbox-seccomp-filter.c ++++ openssh-7.9p1/sandbox-seccomp-filter.c +@@ -175,6 +175,9 @@ static const struct sock_filter preauth_ #ifdef __NR_geteuid32 SC_ALLOW(__NR_geteuid32), #endif @@ -33,17 +29,7 @@ #ifdef __NR_getpgid SC_ALLOW(__NR_getpgid), #endif - #ifdef __NR_getpid - SC_ALLOW(__NR_getpid), - #endif - #ifdef __NR_getrandom - SC_ALLOW(__NR_getrandom), -@@ -185,16 +188,19 @@ static const struct sock_filter preauth_ - SC_ALLOW(__NR_gettimeofday), - #endif - #ifdef __NR_getuid - SC_ALLOW(__NR_getuid), - #endif +@@ -193,6 +196,9 @@ static const struct sock_filter preauth_ #ifdef __NR_getuid32 SC_ALLOW(__NR_getuid32), #endif @@ -53,8 +39,3 @@ #ifdef __NR_madvise SC_ALLOW(__NR_madvise), #endif - #ifdef __NR_mmap - SC_ALLOW(__NR_mmap), - #endif - #ifdef __NR_mmap2 - SC_ALLOW(__NR_mmap2), ++++++ openssh-7.7p1-sftp_force_permissions.patch ++++++ --- /var/tmp/diff_new_pack.tFM0X3/_old 2018-11-28 11:12:36.630965090 +0100 +++ /var/tmp/diff_new_pack.tFM0X3/_new 2018-11-28 11:12:36.630965090 +0100 
@@ -1,123 +1,100 @@ -# HG changeset patch -# Parent 37bba3ff816d9ab93ddcf23389a4eb29d7716006 -additional option for sftp-server to force file mode for new files -FATE#312774 -http://lists.mindrot.org/pipermail/openssh-unix-dev/2010-November/029044.htm... -http://marc.info/?l=openssh-unix-dev&m=128896838930893 - -diff --git a/openssh-7.7p1/sftp-server.8 b/openssh-7.7p1/sftp-server.8 ---- openssh-7.7p1/sftp-server.8 -+++ openssh-7.7p1/sftp-server.8 -@@ -33,16 +33,17 @@ - .Bk -words - .Op Fl ehR - .Op Fl d Ar start_directory - .Op Fl f Ar log_facility - .Op Fl l Ar log_level +--- original/sftp-server.8 2016-12-19 04:59:41.000000000 +0000 ++++ original/sftp-server.8 2017-11-23 08:47:01.267239186 +0000 +@@ -38,6 +38,7 @@ .Op Fl P Ar blacklisted_requests .Op Fl p Ar whitelisted_requests .Op Fl u Ar umask -+.Op Fl m Ar force_file_permissions ++.Op Fl m Ar force_file_dir_perms .Ek .Nm .Fl Q Ar protocol_feature - .Sh DESCRIPTION - .Nm - is a program that speaks the server side of SFTP protocol - to stdout and expects client requests from stdin. - .Nm -@@ -133,16 +134,20 @@ Places this instance of - into a read-only mode. - Attempts to open files for writing, as well as other operations that change - the state of the filesystem, will be denied. - .It Fl u Ar umask - Sets an explicit +@@ -138,6 +139,10 @@ .Xr umask 2 to be applied to newly-created files and directories, instead of the user's default mask. -+.It Fl m Ar force_file_permissions -+Sets explicit file permissions to be applied to newly-created files instead -+of the default or client requested mode. Numeric values include: ++.It Fl m Ar force_file_dir_perms ++Sets explicit permissions to be applied to newly-created files and directories ++instead of the default or client requested mode. Numeric values include: +777, 755, 750, 666, 644, 640, etc. Option -u is ineffective if -m is set. 
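Review bot: the rewritten patch drops the descriptive header the previous version carried (the FATE#312774 reference and the two openssh-unix-dev mailing-list links), and the new file headers read `--- original/sftp-server.8` / `+++ original/sftp-server.8` with no version in the path, unlike the `Index: openssh-7.9p1/...` form used by every other patch in this submission. Keep a short header above the first hunk with the purpose and those references, and use the same Index/path convention so the patch's origin and target remain traceable.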
.El .Pp On some systems, - .Nm - must be able to access - .Pa /dev/log - for logging to work, and use of - .Nm -diff --git a/openssh-7.7p1/sftp-server.c b/openssh-7.7p1/sftp-server.c ---- openssh-7.7p1/sftp-server.c -+++ openssh-7.7p1/sftp-server.c -@@ -71,16 +71,20 @@ static u_int version; - static int init_done; - - /* Disable writes */ - static int readonly; - - /* Requests that are allowed/denied */ - static char *request_whitelist, *request_blacklist; +--- original/sftp-server.c 2016-12-19 04:59:41.000000000 +0000 ++++ original/sftp-server.c 2017-11-23 13:07:08.481765581 +0000 +@@ -65,6 +65,10 @@ + /* Version of client */ + static u_int version; -+/* Force file permissions */ ++/* Force file and directory permissions */ +int permforce = 0; +long permforcemode; + - /* portable attributes, etc. */ - typedef struct Stat Stat; + /* SSH2_FXP_INIT received */ + static int init_done; - struct Stat { +@@ -679,6 +683,7 @@ + Attrib a; char *name; - char *long_name; - Attrib attrib; - }; -@@ -685,16 +689,20 @@ process_open(u_int32_t id) + int r, handle, fd, flags, mode, status = SSH2_FX_FAILURE; ++ mode_t old_umask = 0; + if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 || (r = sshbuf_get_u32(iqueue, &pflags)) != 0 || /* portable flags */ - (r = decode_attrib(iqueue, &a)) != 0) - fatal("%s: buffer error: %s", __func__, ssh_err(r)); - +@@ -688,6 +693,10 @@ debug3("request %u: open flags %d", id, pflags); flags = flags_from_portable(pflags); mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? 
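Review bot: `int permforce = 0;` and `long permforcemode;` added in the `@@ -65,6 +65,10 @@` hunk have external linkage while every neighbouring variable in this file (`static u_int version;`, `static int init_done;`) is static; nothing outside sftp-server.c needs them, so declare both `static`. `permforcemode` is later assigned to the `int mode` in the open and mkdir handlers, so declaring it `int` (or `mode_t`) would match its consumers and avoid the implicit narrowing from `long`.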
a.perm : 0666; -+ if (permforce == 1) { ++ if (permforce == 1) { /* Force perm if -m is set */ + mode = permforcemode; -+ (void)umask(0); /* so umask does not interfere */ ++ old_umask = umask(0); /* so umask does not interfere */ + } logit("open \"%s\" flags %s mode 0%o", name, string_from_portable(pflags), mode); if (readonly && - ((flags & O_ACCMODE) != O_RDONLY || - (flags & (O_CREAT|O_TRUNC)) != 0)) { - verbose("Refusing open request in read-only mode"); - status = SSH2_FX_PERMISSION_DENIED; - } else { -@@ -1487,17 +1495,18 @@ sftp_server_cleanup_exit(int i) - static void - sftp_server_usage(void) - { - extern char *__progname; +@@ -709,6 +718,8 @@ + } + } + } ++ if (permforce == 1) ++ (void) umask(old_umask); /* restore umask to something sane */ + if (status != SSH2_FX_OK) + send_status(id, status); + free(name); +@@ -1110,6 +1121,7 @@ + Attrib a; + char *name; + int r, mode, status = SSH2_FX_FAILURE; ++ mode_t old_umask = 0; + + if ((r = sshbuf_get_cstring(iqueue, &name, NULL)) != 0 || + (r = decode_attrib(iqueue, &a)) != 0) +@@ -1117,9 +1129,16 @@ + mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? + a.perm & 07777 : 0777; ++ if (permforce == 1) { /* Force perm if -m is set */ ++ mode = permforcemode; ++ old_umask = umask(0); /* so umask does not interfere */ ++ } ++ + debug3("request %u: mkdir", id); + logit("mkdir name \"%s\" mode 0%o", name, mode); + r = mkdir(name, mode); ++ if (permforce == 1) ++ (void) umask(old_umask); /* restore umask to something sane */ + status = (r == -1) ? 
errno_to_portable(errno) : SSH2_FX_OK; + send_status(id, status); + free(name); +@@ -1490,7 +1509,7 @@ fprintf(stderr, "usage: %s [-ehR] [-d start_directory] [-f log_facility] " "[-l log_level]\n\t[-P blacklisted_requests] " - "[-p whitelisted_requests] [-u umask]\n" -+ "[-p whitelisted_requests] [-u umask]\n\t" -+ "[-m force_file_permissions]\n" ++ "[-p whitelisted_requests] [-u umask] [-m force_file_dir_perms]\n" " %s -Q protocol_feature\n", __progname, __progname); exit(1); - } - - int - sftp_server_main(int argc, char **argv, struct passwd *user_pw) - { -@@ -1516,17 +1525,17 @@ sftp_server_main(int argc, char **argv, - - ssh_malloc_init(); /* must be called before any mallocs */ - __progname = ssh_get_progname(argv[0]); - log_init(__progname, log_level, log_facility, log_stderr); - +@@ -1516,7 +1535,7 @@ pw = pwcopy(user_pw); while (!skipargs && (ch = getopt(argc, argv, 
@@ -126,32 +103,19 @@ switch (ch) { case 'Q': if (strcasecmp(optarg, "requests") != 0) { - fprintf(stderr, "Invalid query type\n"); - exit(1); - } - for (i = 0; handlers[i].handler != NULL; i++) - printf("%s\n", handlers[i].name); -@@ -1576,16 +1585,23 @@ sftp_server_main(int argc, char **argv, - case 'u': - errno = 0; - mask = strtol(optarg, &cp, 8); - if (mask < 0 || mask > 0777 || *cp != '\0' || - cp == optarg || (mask == 0 && errno != 0)) +@@ -1576,6 +1595,15 @@ fatal("Invalid umask \"%s\"", optarg); (void)umask((mode_t)mask); break; + case 'm': ++ /* Force permissions on file and directory received via sftp */ + permforce = 1; + permforcemode = strtol(optarg, &cp, 8); -+ if (permforcemode < 0 || permforcemode > 0777 || *cp != '\0' || -+ cp == optarg || (permforcemode == 0 && errno != 0)) -+ fatal("Invalid umask \"%s\"", optarg); ++ if (permforcemode < 0 || permforcemode > 0777 || ++ *cp != '\0' || (permforcemode == 0 && ++ errno != 0)) ++ fatal("Invalid file mode \"%s\"", optarg); + break; case 'h': default: sftp_server_usage(); - } - } - - log_init(__progname, log_level, log_facility, log_stderr); - ++++++ openssh-7.8p1.tar.gz -> openssh-7.9p1.tar.gz ++++++ ++++ 12283 lines of diff (skipped) ++++++ openssh-openssl-1_0_0-compatibility.patch ++++++ Index: openssh-7.9p1/openbsd-compat/openssl-compat.c =================================================================== --- openssh-7.9p1.orig/openbsd-compat/openssl-compat.c 2018-11-26 11:47:17.417925053 +0100 +++ openssh-7.9p1/openbsd-compat/openssl-compat.c 2018-11-26 11:52:47.127727580 +0100 
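Review bot: the validation in the new `case 'm':` is weaker than in the `case 'u':` it sits next to. The `cp == optarg` test that the previous version of this hunk had is gone, so an empty argument (`-m ""`) parses as mode 0 and is accepted, and `errno` is not reset before `strtol(optarg, &cp, 8)` as the umask case does (`errno = 0;` is visible in its context), so a stale errno can make an otherwise valid `-m 0` fail with "Invalid file mode". Suggest restoring both: `errno = 0;` before the call, and `cp == optarg ||` in the condition alongside `*cp != '\0'`.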
@@ -76,7 +76,7 @@ ssh_OpenSSL_add_all_algorithms(void) ENGINE_load_builtin_engines(); ENGINE_register_all_complete(); -#if OPENSSL_VERSION_NUMBER < 0x10001000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L OPENSSL_config(NULL); #else OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS | Index: openssh-7.9p1/gss-genr.c =================================================================== --- openssh-7.9p1.orig/gss-genr.c 2018-11-26 11:47:17.417925053 +0100 +++ openssh-7.9p1/gss-genr.c 2018-11-26 12:01:40.354642746 +0100 @@ -114,7 +114,11 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup if ((buf = sshbuf_new()) == NULL) fatal("%s: sshbuf_new failed", __func__); +#if OPENSSL_VERSION_NUMBER < 0x10100000L + md = EVP_MD_CTX_create(); +#else md = EVP_MD_CTX_new(); +#endif oidpos = 0; for (i = 0; i < gss_supported->count; i++) { if (gss_supported->elements[i].length < 128 && @@ -156,7 +160,11 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup oidpos++; } } +#if OPENSSL_VERSION_NUMBER < 0x10100000L + EVP_MD_CTX_destroy(md); +#else EVP_MD_CTX_free(md); +#endif gss_enc2oid[oidpos].oid = NULL; gss_enc2oid[oidpos].encoded = NULL; ++++++ sshd.service ++++++ --- /var/tmp/diff_new_pack.tFM0X3/_old 2018-11-28 11:12:37.018964545 +0100 +++ /var/tmp/diff_new_pack.tFM0X3/_new 2018-11-28 11:12:37.022964540 +0100 @@ -10,7 +10,8 @@ ExecStart=/usr/sbin/sshd -D $SSHD_OPTS ExecReload=/bin/kill -HUP $MAINPID KillMode=process -Restart=always +Restart=on-failure +RestartPreventExitStatus=255 TasksMax=infinity [Install]
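Review bot: openssh-openssl-1_0_0-compatibility.patch has no header text: it starts directly at `Index: openssh-7.9p1/openbsd-compat/openssl-compat.c` with no description of what it fixes or which bug it belongs to. Add a couple of lines above the first hunk stating that `OPENSSL_init_crypto()`, `EVP_MD_CTX_new()` and `EVP_MD_CTX_free()` only exist from OpenSSL 1.1.0, which is why the guard moves from `0x10001000L` to `0x10100000L` and why gss-genr.c falls back to `EVP_MD_CTX_create()` / `EVP_MD_CTX_destroy()` below that version.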
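Review bot: the sshd.service change from `Restart=always` to `Restart=on-failure` plus `RestartPreventExitStatus=255` carries no rationale in the unit: nothing says which sshd exit path yields status 255 or why it must not trigger a restart, and a clean exit (status 0) now leaves the service stopped where it was previously restarted. Add a comment line above the two directives (or a matching changelog entry) explaining what 255 stands for, so the next rebase of the unit does not drop it.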