Factory:RISC-V:Base
openssh
Changes of Revision 4
_service:tar_scm:openssh.spec
Changed
@@ -6,7 +6,7 @@ %{?no_gtk2:%global gtk2 0} %global sshd_uid 74 -%global openssh_release 3 +%global openssh_release 4 Name: openssh Version: 9.1p1 @@ -44,7 +44,6 @@ Patch10: openssh-6.6p1-privsep-selinux.patch Patch12: openssh-6.6p1-keycat.patch Patch13: openssh-6.6p1-allow-ip-opts.patch -Patch14: openssh-6.6p1-keyperm.patch Patch15: openssh-5.9p1-ipv6man.patch Patch16: openssh-5.8p2-sigpipe.patch Patch17: openssh-7.2p2-x11.patch 
@@ -89,9 +88,29 @@ Patch65: openssh-Add-sw64-architecture.patch Patch74: add-strict-scp-check-for-CVE-2020-15778.patch Patch77: skip-scp-test-if-there-is-no-scp-on-remote-path-as-s.patch -Patch78: skip-tests-for-C-if-there-is-no-openssl-on-local-pat.patch -Patch79: backport-upstream-CVE-2023-25136-fix-double-free-caused.patch -Patch80: set-ssh-config.patch +Patch78: backport-upstream-CVE-2023-25136-fix-double-free-caused.patch +Patch79: set-ssh-config.patch +Patch80: backport-upstream-honour-user-s-umask-if-it-is-more-restricti.patch +Patch81: backport-upstream-use-correct-type-with-sizeof-ok-djm.patch +Patch82: backport-Defer-seed_rng-until-after-closefrom-call.patch +Patch83: backport-upstream-Handle-dynamic-remote-port-forwarding-in-es.patch +Patch84: backport-upstream-The-idiomatic-way-of-coping-with-signed-cha.patch +Patch85: backport-upstream-Clear-signal-mask-early-in-main-sshd-may-ha.patch +Patch86: backport-upstream-fix-bug-in-PermitRemoteOpen-which-caused-it.patch +Patch87: backport-upstream-regression-test-for-PermitRemoteOpen.patch +Patch88: backport-upstream-Copy-bytes-from-the_banana-rather-than-bana.patch +Patch89: backport-upstream-When-OpenSSL-is-not-available-skip-parts-of.patch +Patch90: backport-don-t-test-IPv6-addresses-if-platform-lacks-support.patch +Patch91: backport-upstream-avoid-printf-s-NULL-if-using-ssh.patch +Patch92: backport-upstream-Add-scp-s-path-to-test-sshd-s-PATH.patch +Patch93: backport-upstream-Instead-of-skipping-the-all-tokens-test-if-.patch +Patch94: backport-upstream-Shell-syntax-fix.-From-ren-mingshuai-vi-git.patch +Patch95: backport-Allow-writev-is-seccomp-sandbox.patch +Patch96: backport-upstream-Ensure-that-there-is-a-terminating-newline-.patch +Patch97: backport-upstream-when-restoring-non-blocking-mode-to-stdio-f.patch +Patch98: backport-upstream-test-compat_kex_proposal-by-dtucker.patch +Patch99: backport-adapt-compat_kex_proposal-test-to-portable.patch +Patch100: 
backport-upstream-Move-scp-path-setting-to-a-helper-function.patch Requires: /sbin/nologin Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8 @@ -232,6 +251,26 @@ %patch78 -p1 %patch79 -p1 %patch80 -p1 +%patch81 -p1 +%patch82 -p1 +%patch83 -p1 +%patch84 -p1 +%patch85 -p1 +%patch86 -p1 +%patch87 -p1 +%patch88 -p1 +%patch89 -p1 +%patch90 -p1 +%patch91 -p1 +%patch92 -p1 +%patch93 -p1 +%patch94 -p1 +%patch95 -p1 +%patch96 -p1 +%patch97 -p1 +%patch98 -p1 +%patch99 -p1 +%patch100 -p1 autoreconf pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4 @@ -428,6 +467,12 @@ %attr(0644,root,root) %{_mandir}/man8/sftp-server.8* %changelog +* Sat Mar 18 2023 renmingshuai<renmingshuai@huawei.com> - 9.1p1-4 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:backport some upstreams patches and delete unused patches + * Tue Feb 28 2023 renmingshuai<renmingshuai@huawei.com> - 9.1p1-3 - Type:bugfix - CVE:NA
_service:tar_scm:backport-Allow-writev-is-seccomp-sandbox.patch
Added
@@ -0,0 +1,30 @@
+From 6283f4bd83eee714d0f5fc55802eff836b06fea8 Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Sat, 14 Jan 2023 22:02:44 +1100
+Subject: PATCH Allow writev is seccomp sandbox.
+
+This seems to be used by recent glibcs at least in some configurations.
+From bz#3512, ok djm@
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=6283f4bd83eee714d0f5fc55802eff836b06fea8
+---
+ sandbox-seccomp-filter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index cec43c46..4ab49eb6 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -312,6 +312,9 @@ static const struct sock_filter preauth_insns = {
+ #ifdef __NR_write
+ SC_ALLOW(__NR_write),
+ #endif
++#ifdef __NR_writev
++ SC_ALLOW(__NR_writev),
++#endif
+ #ifdef __NR_socketcall
+ SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),
+ SC_DENY(__NR_socketcall, EACCES),
+--
+2.27.0
+
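Review bot: The new `SC_ALLOW(__NR_writev)` entry widens the pre-auth seccomp allowlist without recording the reason in the source; the justification (recent glibc using writev in some configurations, bz#3512) lives only in the commit message. Like the `__NR_write` entry above it, the rule is unconditional, so someone auditing `preauth_insns` later cannot tell whether it is still needed. I would add a comment above the `#ifdef`, e.g. `/* used by recent glibc in some configurations (bz#3512) */`. The `preauth_insns` array starts and ends outside the hunk.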
_service:tar_scm:backport-Defer-seed_rng-until-after-closefrom-call.patch
Added
@@ -0,0 +1,39 @@
+From cf1a9852d7fc93e4abc4168aed09529a57427cdc Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Wed, 9 Nov 2022 09:23:47 +1100
+Subject: PATCH Defer seed_rng until after closefrom call.
+
+seed_rng will initialize OpenSSL, and some engine providers (eg Intel's
+QAT) will open descriptors for their own use. bz#3483, patch from
+joel.d.schuetze at intel.com, ok djm@
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=cf1a9852d7fc93e4abc4168aed09529a57427cdc
+---
+ sshd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sshd.c b/sshd.c
+index b4bb7d65..808d91ef 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -1580,8 +1580,6 @@ main(int ac, char **av)
+ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+ sanitise_stdfd();
+
+- seed_rng();
+-
+ /* Initialize configuration options to their default values. */
+ initialize_server_options(&options);
+
+@@ -1703,6 +1701,8 @@ main(int ac, char **av)
+ else
+ closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
+
++ seed_rng();
++
+ /* If requested, redirect the logs to the specified logfile. */
+ if (logfile != NULL)
+ log_redirect_stderr_to(logfile);
+--
+2.27.0
+
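Review bot: The relocated `seed_rng();` call has an ordering constraint that the code does not state: it has to run after the `closefrom()` calls because, per the commit message, initialising OpenSSL can make engine providers open descriptors of their own. Without a comment a later cleanup could move it back to the top of `main()` and reintroduce bz#3483. I would add `/* Must follow closefrom(): OpenSSL initialisation may open descriptors (bz#3483) */` above the call. The part of `main()` between the old and the new position is outside both hunks, so it is worth confirming that nothing there needs a seeded RNG.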
_service:tar_scm:backport-adapt-compat_kex_proposal-test-to-portable.patch
Added
@@ -0,0 +1,51 @@
+From 9fe207565b4ab0fe5d1ac5bb85e39188d96fb214 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Thu, 2 Feb 2023 23:17:49 +1100
+Subject: PATCH adapt compat_kex_proposal() test to portable
+
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=9fe207565b4ab0fe5d1ac5bb85e39188d96fb214
+---
+ Makefile.in | 1 +
+ regress/unittests/kex/test_proposal.c | 6 +++++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index 18f6ac9e..c0ebfa04 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -616,6 +616,7 @@ regress/unittests/conversion/test_conversion$(EXEEXT): \
+ UNITTESTS_TEST_KEX_OBJS=\
+ regress/unittests/kex/tests.o \
+ regress/unittests/kex/test_kex.o \
++ regress/unittests/kex/test_proposal.o \
+ $(SKOBJS)
+
+ regress/unittests/kex/test_kex$(EXEEXT): ${UNITTESTS_TEST_KEX_OBJS} \
+diff --git a/regress/unittests/kex/test_proposal.c b/regress/unittests/kex/test_proposal.c
+index b89ff59b..d6cf0f5d 100644
+--- a/regress/unittests/kex/test_proposal.c
++++ b/regress/unittests/kex/test_proposal.c
+@@ -5,14 +5,18 @@
+ * Placed in the public domain
+ */
+
++#include "includes.h"
++
+ #include <sys/types.h>
+ #include <signal.h>
+ #include <stdio.h>
++#ifdef HAVE_STDINT_H
+ #include <stdint.h>
++#endif
+ #include <stdlib.h>
+ #include <string.h>
+
+-#include "test_helper.h"
++#include "../test_helper/test_helper.h"
+
+ #include "compat.h"
+ #include "ssherr.h"
+--
+2.27.0
+
_service:tar_scm:backport-don-t-test-IPv6-addresses-if-platform-lacks-support.patch
Added
@@ -0,0 +1,52 @@
+From dd1249bd5c45128a908395c61b26996a70f82205 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Sun, 8 Jan 2023 12:08:59 +1100
+Subject: PATCH don't test IPv6 addresses if platform lacks support
+
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=dd1249bd5c45128a908395c61b26996a70f82205
+
+---
+ regress/dynamic-forward.sh | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh
+index f6c2393..1bfe05a 100644
+--- a/regress/dynamic-forward.sh
++++ b/regress/dynamic-forward.sh
+@@ -17,6 +17,11 @@ else
+ fi
+ trace "will use ProxyCommand $proxycmd"
+
++# This is a reasonable proxy for IPv6 support.
++if ! config_defined HAVE_STRUCT_IN6_ADDR ; then
++ SKIP_IPV6=yes
++fi
++
+ start_ssh() {
+ direction="$1"
+ arg="$2"
+@@ -96,14 +101,16 @@ for d in D R; do
+ stop_ssh
+
+ verbose "PermitRemoteOpen=explicit"
+- start_ssh $d \
+- PermitRemoteOpen="127.0.0.1:$PORT ::1:$PORT localhost:$PORT"
++ permit="127.0.0.1:$PORT ::1:$PORT localhost:$PORT"
++ test -z "$SKIP_IPV6" || permit="127.0.0.1:$PORT localhost:$PORT"
++ start_ssh $d PermitRemoteOpen="$permit"
+ check_socks $d Y
+ stop_ssh
+
+ verbose "PermitRemoteOpen=disallowed"
+- start_ssh $d \
+- PermitRemoteOpen="127.0.0.1:1 ::1:1 localhost:1"
++ permit="127.0.0.1:1 ::1:1 localhost:1"
++ test -z "$SKIP_IPV6" || permit="127.0.0.1:1 localhost:1"
++ start_ssh $d PermitRemoteOpen="$permit"
+ check_socks $d N
+ stop_ssh
+ done
+--
+2.27.0
+
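Review bot: `SKIP_IPV6` is only ever assigned `yes` and is not initialised before the `config_defined` check, so a value inherited from the caller's environment would silently drop the `::1` entries from both PermitRemoteOpen cases. Unless an environment override is intended, setting `SKIP_IPV6=""` before the `if` keeps the decision tied to HAVE_STRUCT_IN6_ADDR. A `verbose` line when IPv6 is skipped would also make the reduced coverage of the forwarding permission checks visible in the test log.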
_service:tar_scm:backport-upstream-Add-scp-s-path-to-test-sshd-s-PATH.patch
Added
@@ -0,0 +1,37 @@
+From 6e6f88647042b3cde54a628545c2f5fb656a9327 Mon Sep 17 00:00:00 2001
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Fri, 13 Jan 2023 04:23:00 +0000
+Subject: PATCH upstream: Add scp's path to test sshd's PATH.
+
+If the scp we're testing is fully qualified (eg it's not in the system
+PATH) then add its path to the under-test sshd's PATH so we can find
+it. Prompted by bz#3518.
+
+OpenBSD-Regress-ID: 7df4f5a0be3aa135495b7e5a6719d3cbc26cc4c0
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=6e6f88647042b3cde54a628545c2f5fb656a9327
+---
+ regress/test-exec.sh | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/regress/test-exec.sh b/regress/test-exec.sh
+index c51f8eac..5a6afac5 100644
+--- a/regress/test-exec.sh
++++ b/regress/test-exec.sh
+@@ -529,6 +529,13 @@ cat << EOF > $OBJ/sshd_config
+ Subsystem sftp $SFTPSERVER
+ EOF
+
++# If we're testing a non-installed scp, add its directory to sshd's PATH
++# so we can test it.
++case "$SCP" in
++/*) PATH_WITH_SCP="`dirname $SCP`:$PATH"
++ echo " SetEnv PATH='$PATH_WITH_SCP'" >>$OBJ/sshd_config ;;
++esac
++
+ # This may be necessary if /usr/src and/or /usr/obj are group-writable,
+ # but if you aren't careful with permissions then the unit tests could
+ # be abused to locally escalate privileges.
+--
+2.27.0
+
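Review bot: `$SCP` and `$OBJ` are expanded unquoted in the added `case` arm, so a build path containing whitespace would split the argument to `dirname` and the redirect target, and a single quote in the path would break the `SetEnv PATH='...'` line written to sshd_config. Quoting the expansions is enough: `dirname "$SCP"` inside the command substitution and `>>"$OBJ/sshd_config"` for the redirect. The same lines are carried over into `maybe_add_scp_path_to_sshd` by the later "Move scp path setting to a helper function" patch in this revision.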
_service:tar_scm:backport-upstream-Clear-signal-mask-early-in-main-sshd-may-ha.patch
Added
@@ -0,0 +1,52 @@
+From 93f2ce8c050a7a2a628646c00b40b9b53fef93ef Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 16 Dec 2022 06:56:47 +0000
+Subject: PATCH upstream: Clear signal mask early in main(); sshd may have
+ been
+
+started with one or more signals masked (sigprocmask(2) is not cleared
+on fork/exec) and this could interfere with various things, e.g. the
+login grace timer.
+
+Execution environments that fail to clear the signal mask before running
+sshd are clearly broken, but apparently they do exist.
+
+Reported by Sreedhar Balasubramanian; ok dtucker@
+
+OpenBSD-Commit-ID: 77078c0b1c53c780269fc0c416f121d05e3010ae
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=93f2ce8c050a7a2a628646c00b40b9b53fef93ef
+---
+ sshd.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/sshd.c b/sshd.c
+index cd42bd5..da39226 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sshd.c,v 1.591 2022/09/17 10:34:29 djm Exp $ */
++/* $OpenBSD: sshd.c,v 1.594 2022/12/16 06:56:47 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -1650,12 +1650,16 @@ main(int ac, char **av)
+ int keytype;
+ Authctxt *authctxt;
+ struct connection_info *connection_info = NULL;
++ sigset_t sigmask;
+
+ #ifdef HAVE_SECUREWARE
+ (void)set_auth_parameters(ac, av);
+ #endif
+ __progname = ssh_get_progname(av0);
+
++ sigemptyset(&sigmask);
++ sigprocmask(SIG_SETMASK, &sigmask, NULL);
++
+ /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
+ saved_argc = ac;
+ rexec_argc = ac;
+--
+2.23.0
+
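Review bot: The added `sigemptyset()`/`sigprocmask()` pair has no comment, so the reason sshd discards an inherited signal mask is not visible at the call site; per the commit message the mask survives fork/exec and can interfere with, among other things, the login grace timer. I would add `/* An inherited signal mask survives fork/exec; clear it so blocked signals cannot interfere with e.g. the login grace timer */` above the two calls. The return value of `sigprocmask()` is also ignored; logging a failure would be cheap, though failure looks unlikely with these arguments. `main()` continues outside the hunk.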
_service:tar_scm:backport-upstream-Copy-bytes-from-the_banana-rather-than-bana.patch
Added
@@ -0,0 +1,32 @@
+From 018d671d78145f03d6f07ae9d64d51321da70325 Mon Sep 17 00:00:00 2001
+From: "tb@openbsd.org" <tb@openbsd.org>
+Date: Wed, 4 Jan 2023 22:48:57 +0000
+Subject: PATCH upstream: Copy bytes from the_banana rather than banana()
+
+Fixes test failure due to segfault seen on arm64 with xonly snap.
+
+ok djm
+
+OpenBSD-Regress-ID: 86e2aa4bbd1dff1bc4ebb2969c0d6474485be046
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=018d671d78145f03d6f07ae9d64d51321da70325
+---
+ regress/unittests/sshkey/test_sshkey.c | 2 +-
+ 1 file changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/regress/unittests/sshkey/test_sshkey.c b/regress/unittests/sshkey/test_sshkey.c
+index 982907ce..cc359aea 100644
+--- a/regress/unittests/sshkey/test_sshkey.c
++++ b/regress/unittests/sshkey/test_sshkey.c
+@@ -144,7 +144,7 @@ banana(u_char *s, size_t l)
+ memcpy(s + o, "nanananana", l - o);
+ break;
+ }
+- memcpy(s + o, banana, sizeof(the_banana));
++ memcpy(s + o, the_banana, sizeof(the_banana));
+ }
+ }
+
+--
+2.27.0
+
_service:tar_scm:backport-upstream-Ensure-that-there-is-a-terminating-newline-.patch
Added
@@ -0,0 +1,48 @@
+From 3c379c9a849a635cc7f05cbe49fe473ccf469ef9 Mon Sep 17 00:00:00 2001
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Thu, 9 Feb 2023 09:54:11 +0000
+Subject: PATCH upstream: Ensure that there is a terminating newline when
+ adding a new
+
+entry to known_hosts. bz#3529, with git+openssh at limpsquid.nl, ok deraadt@
+markus@
+
+OpenBSD-Commit-ID: fa8d90698da1886570512b96f051e266eac105e0
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=3c379c9a849a635cc7f05cbe49fe473ccf469ef9
+---
+ hostfile.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/hostfile.c b/hostfile.c
+index bd49e3ac..f5fa8084 100644
+--- a/hostfile.c
++++ b/hostfile.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: hostfile.c,v 1.93 2022/01/06 22:02:52 djm Exp $ */
++/* $OpenBSD: hostfile.c,v 1.94 2023/02/09 09:54:11 dtucker Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -520,9 +520,17 @@ add_host_to_hostfile(const char *filename, const char *host,
+ if (key == NULL)
+ return 1; /* XXX ? */
+ hostfile_create_user_ssh_dir(filename, 0);
+- f = fopen(filename, "a");
++ f = fopen(filename, "a+");
+ if (!f)
+ return 0;
++ /* Make sure we have a terminating newline. */
++ if (fseek(f, -1L, SEEK_END) == 0 && fgetc(f) != '\n')
++ if (fputc('\n', f) != '\n') {
++ error("Failed to add terminating newline to %s: %s",
++ filename, strerror(errno));
++ fclose(f);
++ return 0;
++ }
+ success = write_host_entry(f, host, NULL, key, store_hash);
+ fclose(f);
+ return success;
+--
+2.27.0
+
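Review bot: In the added newline check, `fputc()` is called directly after `fgetc()` on a stream opened with `"a+"`, and the `write_host_entry()` write that follows also comes after that read with no positioning call in between. ISO C requires a file-positioning call (or `fflush`) when switching from input to output on an update stream unless the read hit end-of-file, and reading the last byte does not; common libcs may tolerate it, but the result is not guaranteed and the file at stake is known_hosts. Seeking back to the end after the read makes the switch well defined, and the nested unbraced `if` can be flattened at the same time. `add_host_to_hostfile()` starts before the hunk.

```c
	/* Make sure we have a terminating newline. */
	if (fseek(f, -1L, SEEK_END) == 0) {
		int last = fgetc(f);

		/* Reposition before writing: required between input and output. */
		if (fseek(f, 0L, SEEK_END) != 0 ||
		    (last != '\n' && fputc('\n', f) != '\n')) {
			error("Failed to add terminating newline to %s: %s",
			    filename, strerror(errno));
			fclose(f);
			return 0;
		}
	}
	/* … unchanged: write_host_entry() call, fclose and return … */
```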
_service:tar_scm:backport-upstream-Handle-dynamic-remote-port-forwarding-in-es.patch
Added
@@ -0,0 +1,46 @@
+From 650de7ecd3567b5a5dbf16dd1eb598bd8c20bca8 Mon Sep 17 00:00:00 2001
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Thu, 10 Nov 2022 23:03:10 +0000
+Subject: PATCH upstream: Handle dynamic remote port forwarding in escape
+ commandline's
+
+-R processing. bz#3499, ok djm@
+
+OpenBSD-Commit-ID: 194ee4cfe7ed0e2b8ad0727f493c798a50454208
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=650de7ecd3567b5a5dbf16dd1eb598bd8c20bca8
+---
+ clientloop.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/clientloop.c b/clientloop.c
+index 289d0b68..02349ccb 100644
+--- a/clientloop.c
++++ b/clientloop.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: clientloop.c,v 1.380 2022/06/03 04:30:46 djm Exp $ */
++/* $OpenBSD: clientloop.c,v 1.382 2022/11/10 23:03:10 dtucker Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -846,8 +846,15 @@ process_cmdline(struct ssh *ssh)
+ }
+ logit("Canceled forwarding.");
+ } else {
+- if (!parse_forward(&fwd, s, dynamic, remote)) {
+- logit("Bad forwarding specification.");
++ /* -R specs can be both dynamic or not, so check both. */
++ if (remote) {
++ if (!parse_forward(&fwd, s, 0, remote) &&
++ !parse_forward(&fwd, s, 1, remote)) {
++ logit("Bad remote forwarding specification.");
++ goto out;
++ }
++ } else if (!parse_forward(&fwd, s, dynamic, remote)) {
++ logit("Bad local forwarding specification.");
+ goto out;
+ }
+ if (local || dynamic) {
+--
+2.27.0
+
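Review bot: The second `parse_forward(&fwd, s, 1, remote)` call reuses `fwd` after the first attempt has already failed, and nothing in the hunk shows what state a failed parse leaves the struct in. If `parse_forward()` resets and frees `fwd` on failure the retry is fine, but its body is not part of this patch, so that should be confirmed. Extending the existing comment to say so would help, e.g. `/* -R specs can be both dynamic or not, so check both; a failed parse_forward() leaves fwd clean */`, once that has been verified. `process_cmdline()` starts and ends outside the hunk.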
_service:tar_scm:backport-upstream-Instead-of-skipping-the-all-tokens-test-if-.patch
Added
@@ -0,0 +1,44 @@
+From 4d87a00f704e0365e11c3c38b170c1275ec461fc Mon Sep 17 00:00:00 2001
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Sat, 14 Jan 2023 09:57:08 +0000
+Subject: PATCH upstream: Instead of skipping the all-tokens test if we don't
+ have
+
+OpenSSL (since we use it to compute the hash), put the hash at the end and
+just omit it if we don't have it. Prompted by bz#3521.
+
+OpenBSD-Regress-ID: c79ecba64250ed3b6417294b6c965e6b12ca5eea
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=4d87a00f704e0365e11c3c38b170c1275ec461fc
+---
+diff --git a/regress/percent.sh b/regress/percent.sh
+index ed5c604d..3dfa8d2d 100644
+--- a/regress/percent.sh
++++ b/regress/percent.sh
+@@ -12,6 +12,7 @@ USER=`id -u -n`
+ USERID=`id -u`
+ HOST=`hostname | cut -f1 -d.`
+ HOSTNAME=`hostname`
++HASH=""
+
+ # Localcommand is evaluated after connection because %T is not available
+ # until then. Because of this we use a different method of exercising it,
+@@ -98,10 +99,13 @@ for i in matchexec localcommand remotecommand controlpath identityagent \
+ # containing %d for UserKnownHostsFile
+ if "$i" != "userknownhostsfile" ; then
+ trial $i '%d' $HOME
++ in='%%/%i/%h/%d/%L/%l/%n/%p/%r/%u'
++ out="%/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER"
+ if ! -z "${HASH}" ; then
+- trial $i '%%/%C/%i/%h/%d/%L/%l/%n/%p/%r/%u' \
+- "%/$HASH/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER"
++ in="$in/%C"
++ out="$out/$HASH"
+ fi
++ trial $i "$in" "$out"
+ fi
+ done
+
+--
+2.27.0
+
_service:tar_scm:backport-upstream-Move-scp-path-setting-to-a-helper-function.patch
Added
@@ -0,0 +1,150 @@
+From 625f6bc39840167dafb3bf5b6a3e18503ac986e8 Mon Sep 17 00:00:00 2001
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Fri, 13 Jan 2023 04:47:34 +0000
+Subject: PATCH upstream: Move scp path setting to a helper function.
+The
+ previous
+
+commit to add scp to the test sshd's path causes the t-envpass test to
+fail
+when the test scp is given using a fully qualified path. Put this in a
+helper function and only call it from the scp tests.
+
+OpenBSD-Regress-ID: 7533dc1c4265c1de716abb062957994195b36df4
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=625f6bc39840167dafb3bf5b6a3e18503ac986e8
+---
+ regress/multiplex.sh | 3 ++-
+ regress/scp-uri.sh | 4 +++-
+ regress/scp.sh | 4 +++-
+ regress/scp3.sh | 6 ++++--
+ regress/test-exec.sh | 21 +++++++++++++--------
+ 5 files changed, 25 insertions(+), 13 deletions(-)
+
+diff --git a/regress/multiplex.sh b/regress/multiplex.sh
+index 6317099..046194c 100644
+--- a/regress/multiplex.sh
++++ b/regress/multiplex.sh
+@@ -1,4 +1,4 @@
+-# $OpenBSD: multiplex.sh,v 1.34 2022/06/03 04:31:54 djm Exp $
++# $OpenBSD: multiplex.sh,v 1.35 2023/01/13 04:47:34 dtucker Exp $
+ # Placed in the Public Domain.
+
+ make_tmpdir
+@@ -24,6 +24,7 @@ wait_for_mux_master_ready()
+ fatal "mux master never becomes ready"
+ }
+
++maybe_add_scp_path_to_sshd
+ start_sshd
+
+ start_mux_master()
+diff --git a/regress/scp-uri.sh b/regress/scp-uri.sh
+index 20ac3c8..eacbd45 100644
+--- a/regress/scp-uri.sh
++++ b/regress/scp-uri.sh
+@@ -1,4 +1,4 @@
+-# $OpenBSD: scp-uri.sh,v 1.4 2021/08/10 03:35:45 djm Exp $
++# $OpenBSD: scp-uri.sh,v 1.5 2023/01/13 04:47:34 dtucker Exp $
+ # Placed in the Public Domain.
+
+ tid="scp-uri"
+@@ -9,6 +9,8 @@ COPY2=${OBJ}/copy2
+ DIR=${COPY}.dd
+ DIR2=${COPY}.dd2
+
++maybe_add_scp_path_to_sshd
++
+ SRC=`dirname ${SCRIPT}`
+ cp ${SRC}/scp-ssh-wrapper.sh ${OBJ}/scp-ssh-wrapper.scp
+ chmod 755 ${OBJ}/scp-ssh-wrapper.scp
+diff --git a/regress/scp.sh b/regress/scp.sh
+index f47c594..ef4399e 100644
+--- a/regress/scp.sh
++++ b/regress/scp.sh
+@@ -1,4 +1,4 @@
+-# $OpenBSD: scp.sh,v 1.14 2022/05/15 23:48:07 djm Exp $
++# $OpenBSD: scp.sh,v 1.18 2023/01/13 04:47:34 dtucker Exp $
+ # Placed in the Public Domain.
+
+ tid="scp"
+@@ -16,6 +16,8 @@ COPY2=${OBJ}/copy2
+ DIR=${COPY}.dd
+ DIR2=${COPY}.dd2
+
++maybe_add_scp_path_to_sshd
++
+ SRC=`dirname ${SCRIPT}`
+ cp ${SRC}/scp-ssh-wrapper.sh ${OBJ}/scp-ssh-wrapper.scp
+ chmod 755 ${OBJ}/scp-ssh-wrapper.scp
+diff --git a/regress/scp3.sh b/regress/scp3.sh
+index 47db47c..dfb2d2f 100644
+--- a/regress/scp3.sh
++++ b/regress/scp3.sh
+@@ -1,9 +1,9 @@
+-# $OpenBSD: scp3.sh,v 1.3 2021/08/10 03:35:45 djm Exp $
++# $OpenBSD: scp3.sh,v 1.4 2023/01/13 04:47:34 dtucker Exp $
+ # Placed in the Public Domain.
+
+ tid="scp3"
+
+-#set -x
++set -x
+
+ COPY2=${OBJ}/copy2
+ DIR=${COPY}.dd
+@@ -15,6 +15,8 @@ if $? -eq 1 ; then
+ skip "No scp on remote path."
+ fi
+
++maybe_add_scp_path_to_sshd
++
+ SRC=`dirname ${SCRIPT}`
+ cp ${SRC}/scp-ssh-wrapper.sh ${OBJ}/scp-ssh-wrapper.scp
+ chmod 755 ${OBJ}/scp-ssh-wrapper.scp
+diff --git a/regress/test-exec.sh b/regress/test-exec.sh
+index 7e311e8..df43f02 100644
+--- a/regress/test-exec.sh
++++ b/regress/test-exec.sh
+@@ -1,4 +1,4 @@
+-# $OpenBSD: test-exec.sh,v 1.92 2022/07/25 07:12:45 dtucker Exp $
++# $OpenBSD: test-exec.sh,v 1.94 2023/01/13 04:47:34 dtucker Exp $
+ # Placed in the Public Domain.
+
+ #SUDO=sudo
+@@ -509,6 +509,18 @@ skip ()
+ exit $RESULT
+ }
+
++maybe_add_scp_path_to_sshd ()
++{
++ # If we're testing a non-installed scp, add its directory to sshd's
++ # PATH so we can test it. We don't do this for all tests as it
++ # breaks the SetEnv tests.
++ case "$SCP" in
++ /*) PATH_WITH_SCP="`dirname $SCP`:$PATH"
++ echo " SetEnv PATH='$PATH_WITH_SCP'" >>$OBJ/sshd_config
++ echo " SetEnv PATH='$PATH_WITH_SCP'" >>$OBJ/sshd_proxy ;;
++ esac
++}
++
+ RESULT=0
+ PIDFILE=$OBJ/pidfile
+
+@@ -529,13 +541,6 @@ cat << EOF > $OBJ/sshd_config
+ Subsystem sftp $SFTPSERVER
+ EOF
+
+-# If we're testing a non-installed scp, add its directory to sshd's PATH
+-# so we can test it.
+-case "$SCP" in
+-/*) PATH_WITH_SCP="`dirname $SCP`:$PATH"
+- echo " SetEnv PATH='$PATH_WITH_SCP'" >>$OBJ/sshd_config ;;
+-esac
+-
+ # This may be necessary if /usr/src and/or /usr/obj are group-writable,
+ # but if you aren't careful with permissions then the unit tests could
+ # be abused to locally escalate privileges.
+--
+2.23.0
+
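Review bot: The scp3.sh hunk turns the commented-out `#set -x` into a live `set -x`, which looks like debugging residue rather than part of moving the PATH setup into a helper. With tracing on, every expanded command in scp3.sh is written to the test output, which buries real failures and puts expanded paths and variable values into build logs. Unless the trace is wanted, the line should stay `#set -x`.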
_service:tar_scm:backport-upstream-Shell-syntax-fix.-From-ren-mingshuai-vi-git.patch
Added
@@ -0,0 +1,26 @@
+From 923c3f437f439cfca238fba37e97a7041782f615 Mon Sep 17 00:00:00 2001
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Sat, 14 Jan 2023 10:05:54 +0000
+Subject: PATCH upstream: Shell syntax fix. From ren mingshuai vi github
+ PR#369.
+
+OpenBSD-Regress-ID: 6696b2eeefe128099fc3d7ea9f23252cc35156f9
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=923c3f437f439cfca238fba37e97a7041782f615
+---
+diff --git a/regress/yes-head.sh b/regress/yes-head.sh
+index 2759eb8c..1bde504f 100644
+--- a/regress/yes-head.sh
++++ b/regress/yes-head.sh
+@@ -6,7 +6,7 @@ tid="yes pipe head"
+ lines=`${SSH} -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)`
+ if $? -ne 0 ; then
+ fail "yes|head test failed"
+- lines = 0;
+++ lines=0
+ fi
+ if $lines -ne 2000 ; then
+ fail "yes|head returns $lines lines instead of 2000"
+--
+2.27.0
+
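Review bot: The replacement line is shown as `+++ lines=0` while the removed line is `+- lines = 0;`, so inside the patch file the added line appears to carry one `+` too many, and applying it would leave `+ lines=0` in yes-head.sh instead of `lines=0`. On the failure path the shell would then try to run a command named `+`, and `lines` would keep whatever the `wc -l` pipeline produced. If this is not a rendering artefact, the patch line should be a single `+` marker followed by the indented `lines=0`.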
_service:tar_scm:backport-upstream-The-idiomatic-way-of-coping-with-signed-cha.patch
Added
@@ -0,0 +1,40 @@
+From 5a7a7acab2f466dc1d7467b5d05d35268c3137aa Mon Sep 17 00:00:00 2001
+From: "deraadt@openbsd.org" <deraadt@openbsd.org>
+Date: Thu, 15 Dec 2022 18:20:39 +0000
+Subject: PATCH upstream: The idiomatic way of coping with signed char vs
+ unsigned
+
+char (which did not come from stdio read functions) in the presence of
+ctype macros, is to always cast to (unsigned char). casting to (int)
+for a "macro" which is documented to take int, is weird. And sadly wrong,
+because of the sing extension risk.. same diff from florian
+
+OpenBSD-Commit-ID: 65b9a49a68e22ff3a0ebd593f363e9f22dd73fea
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=5a7a7acab2f466dc1d7467b5d05d35268c3137aa
+---
+ misc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/misc.c b/misc.c
+index 977c097e..41244da9 100644
+--- a/misc.c
++++ b/misc.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: misc.c,v 1.177 2022/08/11 01:56:51 djm Exp $ */
++/* $OpenBSD: misc.c,v 1.179 2022/12/15 18:20:39 deraadt Exp $ */
+ /*
+ * Copyright (c) 2000 Markus Friedl. All rights reserved.
+ * Copyright (c) 2005-2020 Damien Miller. All rights reserved.
+@@ -95,7 +95,7 @@ rtrim(char *s)
+ if ((i = strlen(s)) == 0)
+ return;
+ for (i--; i > 0; i--) {
+- if (isspace((int)si))
++ if (isspace((unsigned char)si))
+ si = '\0';
+ }
+ }
+--
+2.27.0
+
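Review bot: The `for` loop in `rtrim()` that this hunk touches has no `break`, so it keeps walking towards the start of the string and overwrites every whitespace byte it meets with NUL, not only the trailing run; a string with interior whitespace is therefore cut at its first space or tab after index 0. The loop condition `i > 0` also means index 0 is never examined. If only trailing whitespace is meant to be removed, as the name suggests, add `else break;` after the assignment. The cast change itself is fine; the declaration of `i` is outside the hunk.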
_service:tar_scm:backport-upstream-When-OpenSSL-is-not-available-skip-parts-of.patch
Added
@@ -0,0 +1,51 @@
+From d77fc611a62f2dfee0b654c31a50a814b13310dd Mon Sep 17 00:00:00 2001
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Fri, 6 Jan 2023 12:33:33 +0000
+Subject: PATCH upstream: When OpenSSL is not available, skip parts of
+ percent test
+
+that require it. Based on github pr#368 from ren mingshuai.
+
+OpenBSD-Regress-ID: 49a375b2cf61ccb95b52e75e2e025cd10988ebb2
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=d77fc611a62f2dfee0b654c31a50a814b13310dd
+---
+ regress/percent.sh | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/regress/percent.sh b/regress/percent.sh
+index bb81779a..ed5c604d 100644
+--- a/regress/percent.sh
++++ b/regress/percent.sh
+@@ -79,10 +79,12 @@ for i in matchexec localcommand remotecommand controlpath identityagent \
+ trial $i '%T' NONE
+ fi
+ # Matches implementation in readconf.c:ssh_connection_hash()
+- HASH=`printf "${HOSTNAME}127.0.0.1${PORT}$REMUSER" |
+- $OPENSSL_BIN sha1 | cut -f2 -d' '`
++ if ! -z "${OPENSSL_BIN}" ; then
++ HASH=`printf "${HOSTNAME}127.0.0.1${PORT}$REMUSER" |
++ $OPENSSL_BIN sha1 | cut -f2 -d' '`
++ trial $i '%C' $HASH
++ fi
+ trial $i '%%' '%'
+- trial $i '%C' $HASH
+ trial $i '%i' $USERID
+ trial $i '%h' 127.0.0.1
+ trial $i '%L' $HOST
+@@ -96,8 +98,10 @@ for i in matchexec localcommand remotecommand controlpath identityagent \
+ # containing %d for UserKnownHostsFile
+ if "$i" != "userknownhostsfile" ; then
+ trial $i '%d' $HOME
+- trial $i '%%/%C/%i/%h/%d/%L/%l/%n/%p/%r/%u' \
+- "%/$HASH/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER"
++ if ! -z "${HASH}" ; then
++ trial $i '%%/%C/%i/%h/%d/%L/%l/%n/%p/%r/%u' \
++ "%/$HASH/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER"
++ fi
+ fi
+ done
+
+--
+2.27.0
+
_service:tar_scm:backport-upstream-avoid-printf-s-NULL-if-using-ssh.patch
Added
@@ -0,0 +1,42 @@
+From f673b49f3be3eb51074fbb8a405beb6cd0f7d93e Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 13 Jan 2023 02:44:02 +0000
+Subject: PATCH upstream: avoid printf("%s", NULL) if using ssh
+
+-oUserKnownHostsFile=none and a hostkey in one of the system known hosts file
+changes; ok dtucker@
+
+OpenBSD-Commit-ID: 7ca87614bfc6da491315536a7f2301434a9fe614
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=f673b49f3be3eb51074fbb8a405beb6cd0f7d93e
+---
+ sshconnect.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/sshconnect.c b/sshconnect.c
+index 0fca52b2..792bc34b 100644
+--- a/sshconnect.c
++++ b/sshconnect.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sshconnect.c,v 1.358 2022/08/26 08:16:27 djm Exp $ */
++/* $OpenBSD: sshconnect.c,v 1.361 2023/01/13 02:44:02 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -1276,8 +1276,11 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo,
+ }
+ /* The host key has changed. */
+ warn_changed_key(host_key);
+- error("Add correct host key in %.100s to get rid of this message.",
+- user_hostfiles0);
++ if (num_user_hostfiles > 0 || num_system_hostfiles > 0) {
++ error("Add correct host key in %.100s to get rid "
++ "of this message.", num_user_hostfiles > 0 ?
++ user_hostfiles0 : system_hostfiles0);
++ }
+ error("Offending %s key in %s:%lu",
+ sshkey_type(host_found->key),
+ host_found->file, host_found->line);
+--
+2.27.0
+
_service:tar_scm:backport-upstream-fix-bug-in-PermitRemoteOpen-which-caused-it.patch
Added
@@ -0,0 +1,113 @@ +From b3daa8dc582348d6ab8150bc1e571b7aa08c5388 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Mon, 2 Jan 2023 07:03:30 +0000 +Subject: PATCH upstream: fix bug in PermitRemoteOpen which caused it +to + ignore its + +first argument unless it was one of the special keywords "any" or +"none". + +Reported by Georges Chaudy in bz3515; ok dtucker@ + +OpenBSD-Commit-ID: c5678a39f1ff79993d5ae3cfac5746a4ae148ea5 +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=b3daa8dc582348d6ab8150bc1e571b7aa08c5388 +--- + readconf.c | 67 +++++++++++++++++++++++++++++------------------------- + 1 file changed, 36 insertions(+), 31 deletions(-) + +diff --git a/readconf.c b/readconf.c +index 284da26..ccac632 100644 +--- a/readconf.c ++++ b/readconf.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: readconf.c,v 1.369 2022/09/17 10:33:18 djm Exp $ */ ++/* $OpenBSD: readconf.c,v 1.371 2023/01/02 07:03:30 djm Exp $ */ + /* + * Author: Tatu Ylonen <ylo@cs.hut.fi> + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland +@@ -1613,45 +1613,50 @@ parse_pubkey_algos: + case oPermitRemoteOpen: + uintptr = &options->num_permitted_remote_opens; + cppptr = &options->permitted_remote_opens; +- arg = argv_next(&ac, &av); +- if (!arg || *arg == '\0') +- fatal("%s line %d: missing %s specification", +- filename, linenum, lookup_opcode_name(opcode)); + uvalue = *uintptr; /* modified later */ +- if (strcmp(arg, "any") == 0 || strcmp(arg, "none") == 0) { +- if (*activep && uvalue == 0) { +- *uintptr = 1; +- *cppptr = xcalloc(1, sizeof(**cppptr)); +- (*cppptr)0 = xstrdup(arg); +- } +- break; +- } ++ i = 0; + while ((arg = argv_next(&ac, &av)) != NULL) { + arg2 = xstrdup(arg); +- p = hpdelim(&arg); +- if (p == NULL) { +- fatal("%s line %d: missing host in %s", +- filename, linenum, +- lookup_opcode_name(opcode)); +- } +- p = cleanhostname(p); +- /* +- * don't want to use permitopen_port to avoid +- * dependency on channels.ch here. 
+- */ +- if (arg == NULL || +- (strcmp(arg, "*") != 0 && a2port(arg) <= 0)) { +- fatal("%s line %d: bad port number in %s", +- filename, linenum, +- lookup_opcode_name(opcode)); +- } +- if (*activep && uvalue == 0) { ++ /* Allow any/none only in first position */ ++ if (strcasecmp(arg, "none") == 0 || ++ strcasecmp(arg, "any") == 0) { ++ if (i > 0 || ac > 0) { ++ error("%s line %d: keyword %s \"%s\" " ++ "argument must appear alone.", ++ filename, linenum, keyword, arg); ++ goto out; ++ } ++ } else { ++ p = hpdelim(&arg); ++ if (p == NULL) { ++ fatal("%s line %d: missing host in %s", ++ filename, linenum, ++ lookup_opcode_name(opcode)); ++ } ++ p = cleanhostname(p); ++ /* ++ * don't want to use permitopen_port to avoid ++ * dependency on channels.ch here. ++ */ ++ if (arg == NULL || (strcmp(arg, "*") != 0 && ++ a2port(arg) <= 0)) { ++ fatal("%s line %d: bad port number " ++ "in %s", filename, linenum, ++ lookup_opcode_name(opcode)); ++ } ++ } ++ ++ if (*activep && uvalue == 0) { + opt_array_append(filename, linenum, + lookup_opcode_name(opcode), + cppptr, uintptr, arg2); + } + free(arg2); ++ i++; + } ++ if (i == 0) ++ fatal("%s line %d: missing %s specification", ++ filename, linenum, lookup_opcode_name(opcode)); + break; + + case oClearAllForwardings: +-- +2.23.0 +
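Review bot: The early exit for a misplaced keyword leaks `arg2`: it is allocated with `xstrdup(arg)` at the top of the loop body, and the `goto out` taken when "any" or "none" does not appear alone skips the `free(arg2)` at the bottom of the loop, unless the `out` label (outside the hunk) releases it. Adding `free(arg2);` before `goto out;` closes that path. Separately, the keywords are now matched with `strcasecmp` but stored as typed, so if the code that later consumes `permitted_remote_opens` compares case-sensitively, a mixed-case keyword would pass parsing and then not be treated as the keyword; that consumer is not visible here, so either normalise the stored value or confirm the comparison there. The enclosing function begins and ends outside the hunk.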
_service:tar_scm:backport-upstream-honour-user-s-umask-if-it-is-more-restricti.patch
Added
@@ -0,0 +1,37 @@
+From 5ee2b8ccfcf4b606f450eb0ff2305e311f68b0be Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Thu, 6 Oct 2022 22:42:37 +0000
+Subject: PATCH upstream: honour user's umask if it is more restrictive then
+ the ssh
+
+default (022); based on patch from Alex Henrie, ok dtucker@ deraadt@
+
+OpenBSD-Commit-ID: fe1b9e15fc9a4f49fc338e848ce14d8727abe82d
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=5ee2b8ccfcf4b606f450eb0ff2305e311f68b0be
+---
+ ssh.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ssh.c b/ssh.c
+index 25be53d5..e711dbd2 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh.c,v 1.576 2022/09/17 10:33:18 djm Exp $ */
++/* $OpenBSD: ssh.c,v 1.577 2022/10/06 22:42:37 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -679,7 +679,7 @@ main(int ac, char **av)
+ * writable only by the owner, which is ok for all files for which we
+ * don't set the modes explicitly.
+ */
+- umask(022);
++ umask(022 | umask(077));
+
+ msetlocale();
+
+--
+2.27.0
+
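Review bot: The nested call is easy to misread, and the comment above it still describes only the fixed 022 default: `umask(022 | umask(077))` works because the inner `umask(077)` returns the caller's previous mask, which is then ORed with 022, so a stricter inherited mask is kept and a looser one is tightened. I would extend the existing comment with that, e.g. `* umask() returns the old mask; OR it with 022 so a stricter user umask is kept.` Splitting the statement into `mode_t old = umask(077); umask(old | 022);` would say the same thing without a call nested inside its own argument. main() starts and ends outside the hunk.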
_service:tar_scm:backport-upstream-regression-test-for-PermitRemoteOpen.patch
Added
@@ -0,0 +1,138 @@ +From 845ceecea2ac311b0c267f9ecbd34862e1876fc6 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Mon, 2 Jan 2023 07:03:57 +0000 +Subject: PATCH upstream: regression test for PermitRemoteOpen + +OpenBSD-Regress-ID: 8271aafbf5c21950cd5bf966f08e585cebfe630c +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=845ceecea2ac311b0c267f9ecbd34862e1876fc6 +--- + regress/dynamic-forward.sh | 84 ++++++++++++++++++++++++++++++-------- + 1 file changed, 66 insertions(+), 18 deletions(-) + +diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh +index 84f8ee19..f6c2393d 100644 +--- a/regress/dynamic-forward.sh ++++ b/regress/dynamic-forward.sh +@@ -1,10 +1,12 @@ +-# $OpenBSD: dynamic-forward.sh,v 1.13 2017/09/21 19:18:12 markus Exp $ ++# $OpenBSD: dynamic-forward.sh,v 1.14 2023/01/02 07:03:57 djm Exp $ + # Placed in the Public Domain. + + tid="dynamic forwarding" + + FWDPORT=`expr $PORT + 1` + ++cp $OBJ/ssh_config $OBJ/ssh_config.orig ++ + if have_prog nc && nc -h 2>&1 | grep "proxy address" >/dev/null; then + proxycmd="nc -x 127.0.0.1:$FWDPORT -X" + elif have_prog connect; then +@@ -15,16 +17,16 @@ else + fi + trace "will use ProxyCommand $proxycmd" + +-start_sshd +- +-for d in D R; do ++start_ssh() { ++ direction="$1" ++ arg="$2" + n=0 + error="1" +- trace "start dynamic forwarding, fork to background" +- ++ trace "start dynamic -$direction forwarding, fork to background" ++ (cat $OBJ/ssh_config.orig ; echo "$arg") > $OBJ/ssh_config + while "$error" -ne 0 -a "$n" -lt 3 ; do + n=`expr $n + 1` +- ${SSH} -F $OBJ/ssh_config -f -$d $FWDPORT -q \ ++ ${SSH} -F $OBJ/ssh_config -f -$direction $FWDPORT -q \ + -oExitOnForwardFailure=yes somehost exec sh -c \ + \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\' + error=$? 
+@@ -36,18 +38,9 @@ for d in D R; do + if "$error" -ne 0 ; then + fatal "failed to start dynamic forwarding" + fi ++} + +- for s in 4 5; do +- for h in 127.0.0.1 localhost; do +- trace "testing ssh socks version $s host $h (-$d)" +- ${SSH} -F $OBJ/ssh_config \ +- -o "ProxyCommand ${proxycmd}${s} $h $PORT" \ +- somehost cat ${DATA} > ${COPY} +- test -f ${COPY} || fail "failed copy ${DATA}" +- cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" +- done +- done +- ++stop_ssh() { + if -f $OBJ/remote_pid ; then + remote=`cat $OBJ/remote_pid` + trace "terminate remote shell, pid $remote" +@@ -57,5 +50,60 @@ for d in D R; do + else + fail "no pid file: $OBJ/remote_pid" + fi ++} ++ ++check_socks() { ++ direction=$1 ++ expect_success=$2 ++ for s in 4 5; do ++ for h in 127.0.0.1 localhost; do ++ trace "testing ssh socks version $s host $h (-$direction)" ++ ${SSH} -F $OBJ/ssh_config \ ++ -o "ProxyCommand ${proxycmd}${s} $h $PORT 2>/dev/null" \ ++ somehost cat ${DATA} > ${COPY} ++ r=$? ++ if "x$expect_success" = "xY" ; then ++ if $r -ne 0 ; then ++ fail "ssh failed with exit status $r" ++ fi ++ test -f ${COPY} || fail "failed copy ${DATA}" ++ cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" ++ elif $r -eq 0 ; then ++ fail "ssh unexpectedly succeeded" ++ fi ++ done ++ done ++} ++ ++start_sshd ++ ++for d in D R; do ++ verbose "test -$d forwarding" ++ start_ssh $d ++ check_socks $d Y ++ stop_ssh ++ test "x$d" = "xR" || continue ++ ++ # Test PermitRemoteOpen ++ verbose "PermitRemoteOpen=any" ++ start_ssh $d PermitRemoteOpen=any ++ check_socks $d Y ++ stop_ssh ++ ++ verbose "PermitRemoteOpen=none" ++ start_ssh $d PermitRemoteOpen=none ++ check_socks $d N ++ stop_ssh ++ ++ verbose "PermitRemoteOpen=explicit" ++ start_ssh $d \ ++ PermitRemoteOpen="127.0.0.1:$PORT ::1:$PORT localhost:$PORT" ++ check_socks $d Y ++ stop_ssh + ++ verbose "PermitRemoteOpen=disallowed" ++ start_ssh $d \ ++ PermitRemoteOpen="127.0.0.1:1 ::1:1 localhost:1" ++ check_socks $d N ++ stop_ssh + done 
+-- +2.27.0 +
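Review bot: The deny cases can pass for the wrong reason: in `check_socks` the `N` branch treats any non-zero exit of ssh as a refused forward, and the ProxyCommand's stderr is sent to `/dev/null`, so a proxy helper that fails to start or a forward that never came up looks the same as PermitRemoteOpen doing its job. The `Y` run with the same setup just before each `N` run reduces that risk but does not remove it. Consider also asserting on something specific to the refusal (the client log, if the harness keeps one), or at least keeping stderr in the `N` case so a failure can be diagnosed. Also, `start_ssh` rewrites `$OBJ/ssh_config` from `ssh_config.orig` on every call and the script never copies the original back, so unless the harness regenerates the file per script, a closing `cp $OBJ/ssh_config.orig $OBJ/ssh_config` would keep the last `PermitRemoteOpen` line from leaking into whatever runs next.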
_service:tar_scm:backport-upstream-test-compat_kex_proposal-by-dtucker.patch
Added
@@ -0,0 +1,125 @@ +From 903c556b938fff2d7bff8da2cc460254430963c5 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Thu, 2 Feb 2023 12:12:52 +0000 +Subject: PATCH upstream: test compat_kex_proposal(); by dtucker@ + +OpenBSD-Regress-ID: 0e404ee264db546f9fdbf53390689ab5f8d38bf2 + +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=903c556b938fff2d7bff8da2cc460254430963c5 +--- + regress/unittests/kex/test_proposal.c | 79 +++++++++++++++++++++++++++ + regress/unittests/kex/tests.c | 4 +- + 2 files changed, 82 insertions(+), 1 deletion(-) + create mode 100644 regress/unittests/kex/test_proposal.c + +diff --git a/regress/unittests/kex/test_proposal.c b/regress/unittests/kex/test_proposal.c +new file mode 100644 +index 0000000..b89ff59 +--- /dev/null ++++ b/regress/unittests/kex/test_proposal.c +@@ -0,0 +1,79 @@ ++/* $OpenBSD: test_proposal.c,v 1.1 2023/02/02 12:12:52 djm Exp $ */ ++/* ++ * Regress test KEX ++ * ++ * Placed in the public domain ++ */ ++ ++#include <sys/types.h> ++#include <signal.h> ++#include <stdio.h> ++#include <stdint.h> ++#include <stdlib.h> ++#include <string.h> ++ ++#include "test_helper.h" ++ ++#include "compat.h" ++#include "ssherr.h" ++#include "sshbuf.h" ++#include "kex.h" ++#include "packet.h" ++#include "xmalloc.h" ++ ++void kex_proposal(void); ++ ++#define CURVE25519 "curve25519-sha256@libssh.org" ++#define DHGEX1 "diffie-hellman-group-exchange-sha1" ++#define DHGEX256 "diffie-hellman-group-exchange-sha256" ++#define KEXALGOS CURVE25519","DHGEX256","DHGEX1 ++void ++kex_proposal(void) ++{ ++ size_t i; ++ struct ssh ssh; ++ char *result, *out, *in; ++ struct { ++ char *in; /* TODO: make this const */ ++ char *out; ++ int compat; ++ } tests = { ++ { KEXALGOS, KEXALGOS, 0}, ++ { KEXALGOS, DHGEX256","DHGEX1, SSH_BUG_CURVE25519PAD }, ++ { KEXALGOS, CURVE25519, SSH_OLD_DHGEX }, ++ { "a,"KEXALGOS, "a", SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX }, ++ /* TODO: enable once compat_kex_proposal doesn't fatal() */ 
++ /* { KEXALGOS, "", SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX }, */ ++ }; ++ ++ TEST_START("compat_kex_proposal"); ++ for (i = 0; i < sizeof(tests) / sizeof(*tests); i++) { ++ ssh.compat = testsi.compat; ++ /* match entire string */ ++ result = compat_kex_proposal(&ssh, testsi.in); ++ ASSERT_STRING_EQ(result, testsi.out); ++ free(result); ++ /* match at end */ ++ in = kex_names_cat("a", testsi.in); ++ out = kex_names_cat("a", testsi.out); ++ result = compat_kex_proposal(&ssh, in); ++ ASSERT_STRING_EQ(result, out); ++ free(result); free(in); free(out); ++ /* match at start */ ++ in = kex_names_cat(testsi.in, "a"); ++ out = kex_names_cat(testsi.out, "a"); ++ result = compat_kex_proposal(&ssh, in); ++ ASSERT_STRING_EQ(result, out); ++ free(result); free(in); free(out); ++ /* match in middle */ ++ xasprintf(&in, "a,%s,b", testsi.in); ++ if (*(testsi.out) == '\0') ++ out = xstrdup("a,b"); ++ else ++ xasprintf(&out, "a,%s,b", testsi.out); ++ result = compat_kex_proposal(&ssh, in); ++ ASSERT_STRING_EQ(result, out); ++ free(result); free(in); free(out); ++ } ++ TEST_DONE(); ++} +diff --git a/regress/unittests/kex/tests.c b/regress/unittests/kex/tests.c +index e7036ec..2a83daf 100644 +--- a/regress/unittests/kex/tests.c ++++ b/regress/unittests/kex/tests.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: tests.c,v 1.1 2015/01/15 23:41:29 markus Exp $ */ ++/* $OpenBSD: tests.c,v 1.2 2023/02/02 12:12:52 djm Exp $ */ + /* + * Placed in the public domain + */ +@@ -6,9 +6,11 @@ + #include "../test_helper/test_helper.h" + + void kex_tests(void); ++void kex_proposal(void); + + void + tests(void) + { + kex_tests(); ++ kex_proposal(); + } +-- +2.27.0 +
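Review bot: `struct ssh ssh;` in `kex_proposal()` is an uninitialised stack object and only its `compat` member is assigned before `&ssh` is passed to `compat_kex_proposal()`, so the test is well-defined only as long as that function reads nothing else from the struct. Zeroing it first, `memset(&ssh, 0, sizeof(ssh));` before `TEST_START(...)`, costs nothing (`<string.h>` is already included) and turns a future read of another field into a deterministic NULL or 0 instead of stack garbage. The table's `in` and `out` members also point at string literals through plain `char *`, as the existing TODO notes; `const char *` is worth doing once the callee's prototype allows it.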
_service:tar_scm:backport-upstream-use-correct-type-with-sizeof-ok-djm.patch
Added
@@ -0,0 +1,34 @@
+From 18376847b8043ba967eabbe23692ef74c9a3fddc Mon Sep 17 00:00:00 2001
+From: "jsg@openbsd.org" <jsg@openbsd.org>
+Date: Thu, 13 Oct 2022 09:09:28 +0000
+Subject: PATCH upstream: use correct type with sizeof ok djm@
+
+OpenBSD-Commit-ID: d6c882c2e8a42ff831a5b3cbc2c961ecb2dd6143
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=18376847b8043ba967eabbe23692ef74c9a3fddc
+---
+ ssh.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ssh.c b/ssh.c
+index e711dbd2..21cbd7c3 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh.c,v 1.577 2022/10/06 22:42:37 djm Exp $ */
++/* $OpenBSD: ssh.c,v 1.578 2022/10/13 09:09:28 jsg Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -1579,7 +1579,7 @@ main(int ac, char **av)
+ if (options.hostbased_authentication) {
+ sensitive_data.nkeys = 10;
+ sensitive_data.keys = xcalloc(sensitive_data.nkeys,
+- sizeof(struct sshkey));
++ sizeof(*sensitive_data.keys));
+
+ /* XXX check errors? */
+ #define L_PUBKEY(p,o) do { \
+--
+2.27.0
+
_service:tar_scm:backport-upstream-when-restoring-non-blocking-mode-to-stdio-f.patch
Added
@@ -0,0 +1,92 @@ +From 35253af01d8c0ab444c8377402121816e71c71f5 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Wed, 18 Jan 2023 02:00:10 +0000 +Subject: PATCH upstream: when restoring non-blocking mode to stdio +fds, + restore + +exactly the flags that ssh started with and don't just clobber them with +zero, as this could also remove the append flag from the set; + +bz3523; ok dtucker@ + +OpenBSD-Commit-ID: 1336b03e881db7564a4b66014eb24c5230e9a0c0 +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=35253af01d8c0ab444c8377402121816e71c71f5 +--- + channels.c | 19 ++++++++++++++----- + channels.h | 3 ++- + 2 files changed, 16 insertions(+), 6 deletions(-) + +diff --git a/channels.c b/channels.c +index ea4d8da..cee4d2c 100644 +--- a/channels.c ++++ b/channels.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: channels.c,v 1.420 2022/09/19 08:49:50 djm Exp $ */ ++/* $OpenBSD: channels.c,v 1.427 2023/01/18 02:00:10 djm Exp $ */ + /* + * Author: Tatu Ylonen <ylo@cs.hut.fi> + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland +@@ -337,16 +337,19 @@ channel_register_fds(struct ssh *ssh, Channel *c, int rfd, int wfd, int efd, + */ + if (rfd != -1 && !isatty(rfd) && + (val = fcntl(rfd, F_GETFL)) != -1 && !(val & O_NONBLOCK)) { ++ c->restore_flags0 = val; + c->restore_block |= CHANNEL_RESTORE_RFD; + set_nonblock(rfd); + } + if (wfd != -1 && !isatty(wfd) && + (val = fcntl(wfd, F_GETFL)) != -1 && !(val & O_NONBLOCK)) { ++ c->restore_flags1 = val; + c->restore_block |= CHANNEL_RESTORE_WFD; + set_nonblock(wfd); + } + if (efd != -1 && !isatty(efd) && + (val = fcntl(efd, F_GETFL)) != -1 && !(val & O_NONBLOCK)) { ++ c->restore_flags2 = val; + c->restore_block |= CHANNEL_RESTORE_EFD; + set_nonblock(efd); + } +@@ -428,10 +431,16 @@ channel_close_fd(struct ssh *ssh, Channel *c, int *fdp) + if (fd == -1) + return 0; + +- if ((*fdp == c->rfd && (c->restore_block & CHANNEL_RESTORE_RFD) != 0) || +- (*fdp == c->wfd && (c->restore_block & 
CHANNEL_RESTORE_WFD) != 0) || +- (*fdp == c->efd && (c->restore_block & CHANNEL_RESTORE_EFD) != 0)) +- (void)fcntl(*fdp, F_SETFL, 0); /* restore blocking */ ++ /* restore blocking */ ++ if (*fdp == c->rfd && ++ (c->restore_block & CHANNEL_RESTORE_RFD) != 0) ++ (void)fcntl(*fdp, F_SETFL, c->restore_flags0); ++ else if (*fdp == c->wfd && ++ (c->restore_block & CHANNEL_RESTORE_WFD) != 0) ++ (void)fcntl(*fdp, F_SETFL, c->restore_flags1); ++ else if (*fdp == c->efd && ++ (c->restore_block & CHANNEL_RESTORE_EFD) != 0) ++ (void)fcntl(*fdp, F_SETFL, c->restore_flags2); + + if (*fdp == c->rfd) { + c->io_want &= ~SSH_CHAN_IO_RFD; +diff --git a/channels.h b/channels.h +index 7d8a83e..9b1b11e 100644 +--- a/channels.h ++++ b/channels.h +@@ -1,4 +1,4 @@ +-/* $OpenBSD: channels.h,v 1.143 2022/05/05 00:56:58 djm Exp $ */ ++/* $OpenBSD: channels.h,v 1.148 2023/01/18 02:00:10 djm Exp $ */ + + /* + * Author: Tatu Ylonen <ylo@cs.hut.fi> +@@ -153,6 +153,7 @@ struct Channel { + * this way post-IO handlers are not + * accidentally called if a FD gets reused */ + int restore_block; /* fd mask to restore blocking status */ ++ int restore_flags3; /* flags to restore */ + struct sshbuf *input; /* data read from socket, to be sent over + * encrypted connection */ + struct sshbuf *output; /* data received over encrypted connection for +-- +2.23.0 +
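Review bot: The new `Channel` field is documented only as `/* flags to restore */`, but the code depends on a fixed slot order: channel_register_fds stores the `F_GETFL` result for rfd, wfd and efd in slots 0, 1 and 2, and channel_close_fd reads them back by the same literal indices. That mapping should be written next to the declaration in channels.h, e.g. `/* F_GETFL flags saved per fd: 0 = rfd, 1 = wfd, 2 = efd */`, or better, expressed with named indices so the two functions cannot drift apart. A slot is only meaningful when the matching `CHANNEL_RESTORE_*` bit is set in `restore_block`, and the comment should say so, since the hunks show no other assignment to the slots. Both functions continue outside their hunks.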
_service:tar_scm:bugfix-openssh-6.6p1-log-usepam-no.patch
Deleted
@@ -1,42 +0,0 @@ -From 31883f21eff4265b68bb36f67b254adb524db6ae Mon Sep 17 00:00:00 2001 -From: guoxiaoqi <guoxiaoqi2@huawei.com> -Date: Thu, 16 Apr 2020 14:51:44 +0800 -Subject: PATCH bugfix-openssh-6.6p1-log-usepam-no - ---- - sshd.c | 4 ++-- - sshd_config | 2 +- - 2 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/sshd.c b/sshd.c -index c6c03ae..c291a5e 100644 ---- a/sshd.c -+++ b/sshd.c -@@ -1812,9 +1812,9 @@ main(int ac, char **av) - parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, - cfg, &includes, NULL); - -- /* 'UsePAM no' is not supported in Fedora */ -+ /* 'UsePAM no' is not supported in openEuler */ - if (! options.use_pam) -- logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems."); -+ logit("WARNING: 'UsePAM no' is not supported in openEuler and may cause several problems."); - - #ifdef WITH_OPENSSL - if (options.moduli_file != NULL) -diff --git a/sshd_config b/sshd_config -index e125992..ebc28b3 100644 ---- a/sshd_config -+++ b/sshd_config -@@ -87,7 +87,7 @@ AuthorizedKeysFile .ssh/authorized_keys - # If you just want the PAM account and session checks to run without - # PAM authentication, then enable this but set PasswordAuthentication - # and KbdInteractiveAuthentication to 'no'. --# WARNING: 'UsePAM no' is not supported in Fedora and may cause several -+# WARNING: 'UsePAM no' is not supported in openEuler and may cause several - # problems. - #UsePAM no - --- -2.23.0 -
_service:tar_scm:openssh-6.3p1-ctr-evp-fast.patch
Deleted
@@ -1,101 +0,0 @@ -diff -up openssh-5.9p1/cipher-ctr.c.ctr-evp openssh-5.9p1/cipher-ctr.c ---- openssh-5.9p1/cipher-ctr.c.ctr-evp 2012-01-11 09:24:06.000000000 +0100 -+++ openssh-5.9p1/cipher-ctr.c 2012-01-11 15:54:04.675956600 +0100 -@@ -38,7 +38,7 @@ void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, in - - struct ssh_aes_ctr_ctx - { -- AES_KEY aes_ctx; -+ EVP_CIPHER_CTX ecbctx; - u_char aes_counterAES_BLOCK_SIZE; - }; - -@@ -63,21 +63,42 @@ ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char - { - struct ssh_aes_ctr_ctx *c; - size_t n = 0; -- u_char bufAES_BLOCK_SIZE; -+ u_char ctrbufAES_BLOCK_SIZE*256; -+ u_char bufAES_BLOCK_SIZE*256; - - if (len == 0) - return (1); - if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) - return (0); - -- while ((len--) > 0) { -+ for (; len > 0; len -= sizeof(u_int)) { -+ u_int r,a,b; -+ - if (n == 0) { -- AES_encrypt(c->aes_counter, buf, &c->aes_ctx); -- ssh_ctr_inc(c->aes_counter, AES_BLOCK_SIZE); -+ int outl, i, buflen; -+ -+ buflen = MIN(len, sizeof(ctrbuf)); -+ -+ for(i = 0; i < buflen; i += AES_BLOCK_SIZE) { -+ memcpy(&ctrbufi, c->aes_counter, AES_BLOCK_SIZE); -+ ssh_ctr_inc(c->aes_counter, AES_BLOCK_SIZE); -+ } -+ -+ EVP_EncryptUpdate(&c->ecbctx, buf, &outl, -+ ctrbuf, buflen); - } -- *(dest++) = *(src++) ^ bufn; -- n = (n + 1) % AES_BLOCK_SIZE; -+ -+ memcpy(&a, src, sizeof(a)); -+ memcpy(&b, &bufn, sizeof(b)); -+ r = a ^ b; -+ memcpy(dest, &r, sizeof(r)); -+ src += sizeof(a); -+ dest += sizeof(r); -+ -+ n = (n + sizeof(b)) % sizeof(buf); - } -+ memset(ctrbuf, '\0', sizeof(ctrbuf)); -+ memset(buf, '\0', sizeof(buf)); - return (1); - } - -@@ -91,9 +112,28 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, co - c = xmalloc(sizeof(*c)); - EVP_CIPHER_CTX_set_app_data(ctx, c); - } -- if (key != NULL) -- AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8, -- &c->aes_ctx); -+ -+ EVP_CIPHER_CTX_init(&c->ecbctx); -+ -+ if (key != NULL) { -+ const EVP_CIPHER *cipher; -+ switch(EVP_CIPHER_CTX_key_length(ctx)*8) { -+ case 128: -+ cipher = EVP_aes_128_ecb(); 
-+ break; -+ case 192: -+ cipher = EVP_aes_192_ecb(); -+ break; -+ case 256: -+ cipher = EVP_aes_256_ecb(); -+ break; -+ default: -+ fatal("ssh_aes_ctr_init: wrong aes key length"); -+ } -+ if(!EVP_EncryptInit_ex(&c->ecbctx, cipher, NULL, key, NULL)) -+ fatal("ssh_aes_ctr_init: cannot initialize aes encryption"); -+ EVP_CIPHER_CTX_set_padding(&c->ecbctx, 0); -+ } - if (iv != NULL) - memcpy(c->aes_counter, iv, AES_BLOCK_SIZE); - return (1); -@@ -105,6 +145,7 @@ ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx) - struct ssh_aes_ctr_ctx *c; - - if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) { -+ EVP_CIPHER_CTX_cleanup(&c->ecbctx); - memset(c, 0, sizeof(*c)); - free(c); - EVP_CIPHER_CTX_set_app_data(ctx, NULL);
_service:tar_scm:openssh-6.6p1-keyperm.patch
Deleted
@@ -1,31 +0,0 @@ -diff -up openssh-8.2p1/authfile.c.keyperm openssh-8.2p1/authfile.c ---- openssh-8.2p1/authfile.c.keyperm 2020-02-14 01:40:54.000000000 +0100 -+++ openssh-8.2p1/authfile.c 2020-02-17 11:55:12.841729758 +0100 -@@ -31,6 +31,7 @@ - - #include <errno.h> - #include <fcntl.h> -+#include <grp.h> - #include <stdio.h> - #include <stdarg.h> - #include <stdlib.h> -@@ -101,7 +102,19 @@ sshkey_perm_ok(int fd, const char *filen - #ifdef HAVE_CYGWIN - if (check_ntsec(filename)) - #endif -+ - if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) { -+ if (st.st_mode & 040) { -+ struct group *gr; -+ -+ if ((gr = getgrnam("ssh_keys")) && (st.st_gid == gr->gr_gid)) { -+ /* The only additional bit is read -+ * for ssh_keys group, which is fine */ -+ if ((st.st_mode & 077) == 040 ) { -+ return 0; -+ } -+ } -+ } - error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); - error("@ WARNING: UNPROTECTED PRIVATE KEY FILE! @"); - error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
_service:tar_scm:openssh-7.7p1-fips.patch
Deleted
@@ -1,667 +0,0 @@
-Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.7p1-fips.patch
-diff -up openssh-8.6p1/dh.c.fips openssh-8.6p1/dh.c
---- openssh-8.6p1/dh.c.fips 2021-04-16 05:55:25.000000000 +0200
-+++ openssh-8.6p1/dh.c 2021-05-06 12:12:10.107634472 +0200
-@@ -36,6 +36,7 @@
-
- #include <openssl/bn.h>
- #include <openssl/dh.h>
-+#include <openssl/fips.h>
-
- #include "dh.h"
- #include "pathnames.h"
-@@ -164,6 +164,12 @@ choose_dh(int min, int wantbits, int max
- int best, bestcount, which, linenum;
- struct dhgroup dhg;
-
-+ if (FIPS_mode()) {
-+ verbose("Using arbitrary primes is not allowed in FIPS mode."
-+ " Falling back to known groups.");
-+ return (dh_new_group_fallback(max));
-+ }
-+
- if ((f = fopen(get_moduli_filename(), "r")) == NULL) {
- logit("WARNING: could not open %s (%s), using fixed modulus",
- get_moduli_filename(), strerror(errno));
-@@ -502,4 +508,38 @@ dh_estimate(int bits)
- return 8192;
- }
-
-+/*
-+ * Compares the received DH parameters with known-good groups,
-+ * which might be either from group14, group16 or group18.
-+ */
-+int
-+dh_is_known_group(const DH *dh)
-+{
-+ const BIGNUM *p, *g;
-+ const BIGNUM *known_p, *known_g;
-+ DH *known = NULL;
-+ int bits = 0, rv = 0;
-+
-+ DH_get0_pqg(dh, &p, NULL, &g);
-+ bits = BN_num_bits(p);
-+
-+ if (bits <= 3072) {
-+ known = dh_new_group14();
-+ } else if (bits <= 6144) {
-+ known = dh_new_group16();
-+ } else {
-+ known = dh_new_group18();
-+ }
-+
-+ DH_get0_pqg(known, &known_p, NULL, &known_g);
-+
-+ if (BN_cmp(g, known_g) == 0 &&
-+ BN_cmp(p, known_p) == 0) {
-+ rv = 1;
-+ }
-+
-+ DH_free(known);
-+ return rv;
-+}
-+
- #endif /* WITH_OPENSSL */
-diff -up openssh-8.6p1/dh.h.fips openssh-8.6p1/dh.h
---- openssh-8.6p1/dh.h.fips 2021-05-06 12:08:36.498926877 +0200
-+++ openssh-8.6p1/dh.h 2021-05-06 12:11:28.393298005 +0200
-@@ -45,6 +45,7 @@ DH *dh_new_group_fallback(int);
-
- int dh_gen_key(DH *, int);
- int dh_pub_is_valid(const DH *, const BIGNUM *);
-+int dh_is_known_group(const DH *);
-
- u_int dh_estimate(int);
- void dh_set_moduli_file(const char *);
-diff -up openssh-8.6p1/kex.c.fips openssh-8.6p1/kex.c
---- openssh-8.6p1/kex.c.fips 2021-05-06 12:08:36.489926807 +0200
-+++ openssh-8.6p1/kex.c 2021-05-06 12:08:36.498926877 +0200
-@@ -39,6 +39,7 @@
-
- #ifdef WITH_OPENSSL
- #include <openssl/crypto.h>
-+#include <openssl/fips.h>
- #include <openssl/dh.h>
- # ifdef HAVE_EVP_KDF_CTX_NEW_ID
- # include <openssl/kdf.h>
-@@ -203,7 +203,10 @@ kex_names_valid(const char *names)
- for ((p = strsep(&cp, ",")); p && *p != '\0';
- (p = strsep(&cp, ","))) {
- if (kex_alg_by_name(p) == NULL) {
-- error("Unsupported KEX algorithm \"%.100s\"", p);
-+ if (FIPS_mode())
-+ error("\"%.100s\" is not allowed in FIPS mode", p);
-+ else
-+ error("Unsupported KEX algorithm \"%.100s\"", p);
- free(s);
- return 0;
- }
-diff -up openssh-8.6p1/kexgexc.c.fips openssh-8.6p1/kexgexc.c
---- openssh-8.6p1/kexgexc.c.fips 2021-04-16 05:55:25.000000000 +0200
-+++ openssh-8.6p1/kexgexc.c 2021-05-06 12:08:36.498926877 +0200
-@@ -28,6 +28,7 @@
-
- #ifdef WITH_OPENSSL
-
-+#include <openssl/fips.h>
- #include <sys/types.h>
-
- #include <openssl/dh.h>
-@@ -115,6 +116,10 @@ input_kex_dh_gex_group(int type, u_int32
- r = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
-+ if (FIPS_mode() && dh_is_known_group(kex->dh) == 0) {
-+ r = SSH_ERR_INVALID_ARGUMENT;
-+ goto out;
-+ }
- p = g = NULL; /* belong to kex->dh now */
-
- /* generate and send 'e', client DH public key */
-diff -up openssh-8.6p1/myproposal.h.fips openssh-8.6p1/myproposal.h
---- openssh-8.6p1/myproposal.h.fips 2021-04-16 05:55:25.000000000 +0200
-+++ openssh-8.6p1/myproposal.h 2021-05-06 12:08:36.498926877 +0200
-@@ -57,6 +57,18 @@
- "rsa-sha2-512," \
- "rsa-sha2-256"
-
-+#define KEX_FIPS_PK_ALG \
-+ "ecdsa-sha2-nistp256-cert-v01@openssh.com," \
-+ "ecdsa-sha2-nistp384-cert-v01@openssh.com," \
-+ "ecdsa-sha2-nistp521-cert-v01@openssh.com," \
-+ "rsa-sha2-512-cert-v01@openssh.com," \
-+ "rsa-sha2-256-cert-v01@openssh.com," \
-+ "ecdsa-sha2-nistp256," \
-+ "ecdsa-sha2-nistp384," \
-+ "ecdsa-sha2-nistp521," \
-+ "rsa-sha2-512," \
-+ "rsa-sha2-256"
-+
- #define KEX_SERVER_ENCRYPT \
- "chacha20-poly1305@openssh.com," \
- "aes128-ctr,aes192-ctr,aes256-ctr," \
-@@ -78,6 +92,27 @@
-
- #define KEX_CLIENT_MAC KEX_SERVER_MAC
-
-+#define KEX_FIPS_ENCRYPT \
-+ "aes128-ctr,aes192-ctr,aes256-ctr," \
-+ "aes128-cbc,3des-cbc," \
-+ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se," \
-+ "aes128-gcm@openssh.com,aes256-gcm@openssh.com"
-+#define KEX_DEFAULT_KEX_FIPS \
-+ "ecdh-sha2-nistp256," \
-+ "ecdh-sha2-nistp384," \
-+ "ecdh-sha2-nistp521," \
-+ "diffie-hellman-group-exchange-sha256," \
-+ "diffie-hellman-group16-sha512," \
-+ "diffie-hellman-group18-sha512," \
-+ "diffie-hellman-group14-sha256"
-+#define KEX_FIPS_MAC \
-+ "hmac-sha1," \
-+ "hmac-sha2-256," \
-+ "hmac-sha2-512," \
-+ "hmac-sha1-etm@openssh.com," \
-+ "hmac-sha2-256-etm@openssh.com," \
-+ "hmac-sha2-512-etm@openssh.com"
-+
- /* Not a KEX value, but here so all the algorithm defaults are together */
- #define SSH_ALLOWED_CA_SIGALGS \
- "ssh-ed25519," \
-diff -up openssh-8.6p1/readconf.c.fips openssh-8.6p1/readconf.c
---- openssh-8.6p1/readconf.c.fips 2021-05-06 12:08:36.428926336 +0200
-+++ openssh-8.6p1/readconf.c 2021-05-06 12:08:36.499926885 +0200
-@@ -39,6 +39,7 @@
- #include <string.h>
- #include <stdarg.h>
- #include <unistd.h>
-+#include <openssl/fips.h>
- #ifdef USE_SYSTEM_GLOB
- # include <glob.h>
- #else
-@@ -2538,11 +2538,16 @@ fill_default_options(Options * options)
- all_key = sshkey_alg_list(0, 0, 1, ',');
- all_sig = sshkey_alg_list(0, 1, 1, ',');
- /* remove unsupported algos from default lists */
-- def_cipher = match_filter_allowlist(KEX_CLIENT_ENCRYPT, all_cipher);
-- def_mac = match_filter_allowlist(KEX_CLIENT_MAC, all_mac);
-- def_kex = match_filter_allowlist(KEX_CLIENT_KEX, all_kex);
-- def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key);
-- def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig);
-+ def_cipher = match_filter_allowlist((FIPS_mode() ?
-+ KEX_FIPS_ENCRYPT : KEX_CLIENT_ENCRYPT), all_cipher);
-+ def_mac = match_filter_allowlist((FIPS_mode() ?
-+ KEX_FIPS_MAC : KEX_CLIENT_MAC), all_mac);
-+ def_kex = match_filter_allowlist((FIPS_mode() ?
-+ KEX_DEFAULT_KEX_FIPS : KEX_CLIENT_KEX), all_kex);
-+ def_key = match_filter_allowlist((FIPS_mode() ?
-+ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
-+ def_sig = match_filter_allowlist((FIPS_mode() ?
-+ KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
- #define ASSEMBLE(what, defaults, all) \
- do { \
- if ((r = kex_assemble_names(&options->what, \
-diff -up openssh-8.6p1/sandbox-seccomp-filter.c.fips openssh-8.6p1/sandbox-seccomp-filter.c
---- openssh-8.6p1/sandbox-seccomp-filter.c.fips 2021-05-06 12:08:36.463926606 +0200
-+++ openssh-8.6p1/sandbox-seccomp-filter.c 2021-05-06 12:08:36.499926885 +0200
-@@ -160,6 +160,9 @@ static const struct sock_filter preauth_
- #ifdef __NR_open
- SC_DENY(__NR_open, EACCES),
- #endif
-+#ifdef __NR_socket
-+ SC_DENY(__NR_socket, EACCES),
-+#endif
- #ifdef __NR_openat
- SC_DENY(__NR_openat, EACCES),
- #endif
-diff -up openssh-8.6p1/servconf.c.fips openssh-8.6p1/servconf.c
---- openssh-8.6p1/servconf.c.fips 2021-05-06 12:08:36.455926545 +0200
-+++ openssh-8.6p1/servconf.c 2021-05-06 12:08:36.500926893 +0200
-@@ -38,6 +38,7 @@
- #include <limits.h>
- #include <stdarg.h>
- #include <errno.h>
-+#include <openssl/fips.h>
- #ifdef HAVE_UTIL_H
- #include <util.h>
- #endif
-@@ -226,11 +226,16 @@ assemble_algorithms(ServerOptions *o)
- all_key = sshkey_alg_list(0, 0, 1, ',');
- all_sig = sshkey_alg_list(0, 1, 1, ',');
- /* remove unsupported algos from default lists */
-- def_cipher = match_filter_allowlist(KEX_SERVER_ENCRYPT, all_cipher);
-- def_mac = match_filter_allowlist(KEX_SERVER_MAC, all_mac);
-- def_kex = match_filter_allowlist(KEX_SERVER_KEX, all_kex);
-- def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key);
-- def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig);
-+ def_cipher = match_filter_allowlist((FIPS_mode() ?
-+ KEX_FIPS_ENCRYPT : KEX_SERVER_ENCRYPT), all_cipher);
-+ def_mac = match_filter_allowlist((FIPS_mode() ?
-+ KEX_FIPS_MAC : KEX_SERVER_MAC), all_mac);
-+ def_kex = match_filter_allowlist((FIPS_mode() ?
-+ KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX), all_kex);
-+ def_key = match_filter_allowlist((FIPS_mode() ?
-+ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key);
-+ def_sig = match_filter_allowlist((FIPS_mode() ?
-+ KEX_FIPS_PK_ALG : SSH_ALLOWED_CA_SIGALGS), all_sig);
- #define ASSEMBLE(what, defaults, all) \
- do { \
- if ((r = kex_assemble_names(&o->what, defaults, all)) != 0) \
-diff -up openssh-8.6p1/ssh.c.fips openssh-8.6p1/ssh.c
---- openssh-8.6p1/ssh.c.fips 2021-05-06 12:08:36.467926637 +0200
-+++ openssh-8.6p1/ssh.c 2021-05-06 12:08:36.500926893 +0200
-@@ -77,6 +77,7 @@
- #include <openssl/evp.h>
- #include <openssl/err.h>
- #endif
-+#include <openssl/fips.h>
- #include "openbsd-compat/openssl-compat.h"
- #include "openbsd-compat/sys-queue.h"
-
-@@ -1516,6 +1517,10 @@ main(int ac, char **av)
- exit(0);
- }
-
-+ if (FIPS_mode()) {
-+ debug("FIPS mode initialized");
-+ }
-+
- /* Expand SecurityKeyProvider if it refers to an environment variable */
- if (options.sk_provider != NULL && *options.sk_provider == '$' &&
- strlen(options.sk_provider) > 1) {
-diff -up openssh-8.6p1/sshconnect2.c.fips openssh-8.6p1/sshconnect2.c
---- openssh-8.6p1/sshconnect2.c.fips 2021-05-06 12:08:36.485926777 +0200
-+++ openssh-8.6p1/sshconnect2.c 2021-05-06 12:08:36.501926900 +0200
-@@ -45,6 +45,8 @@
- #include <vis.h>
- #endif
-
-+#include <openssl/fips.h>
-+
- #include "openbsd-compat/sys-queue.h"
-
- #include "xmalloc.h"
-@@ -269,36 +271,41 @@ ssh_kex2(struct ssh *ssh, char *host, st
-
- #if defined(GSSAPI) && defined(WITH_OPENSSL)
- if (options.gss_keyex) {
-- /* Add the GSSAPI mechanisms currently supported on this
-- * client to the key exchange algorithm proposal */
-- orig = myproposalPROPOSAL_KEX_ALGS;
--
-- if (options.gss_server_identity) {
-- gss_host = xstrdup(options.gss_server_identity);
-- } else if (options.gss_trust_dns) {
-- gss_host = remote_hostname(ssh);
-- /* Fall back to specified host if we are using proxy command
-- * and can not use DNS on that socket */
-- if (strcmp(gss_host, "UNKNOWN") == 0) {
-- free(gss_host);
-+ if (FIPS_mode()) {
-+ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
-+ options.gss_keyex = 0;
-+ } else {
-+ /* Add the GSSAPI mechanisms currently supported on this
-+ * client to the key exchange algorithm proposal */
-+ orig = myproposalPROPOSAL_KEX_ALGS;
-+
-+ if (options.gss_server_identity) {
-+ gss_host = xstrdup(options.gss_server_identity);
-+ } else if (options.gss_trust_dns) {
-+ gss_host = remote_hostname(ssh);
-+ /* Fall back to specified host if we are using proxy command
-+ * and can not use DNS on that socket */
-+ if (strcmp(gss_host, "UNKNOWN") == 0) {
-+ free(gss_host);
-+ gss_host = xstrdup(host);
-+ }
-+ } else {
- gss_host = xstrdup(host);
- }
-- } else {
-- gss_host = xstrdup(host);
-- }
-
-- gss = ssh_gssapi_client_mechanisms(gss_host,
-- options.gss_client_identity, options.gss_kex_algorithms);
-- if (gss) {
-- debug("Offering GSSAPI proposal: %s", gss);
-- xasprintf(&myproposalPROPOSAL_KEX_ALGS,
-- "%s,%s", gss, orig);
--
-- /* If we've got GSSAPI algorithms, then we also support the
-- * 'null' hostkey, as a last resort */
-- orig = myproposalPROPOSAL_SERVER_HOST_KEY_ALGS;
-- xasprintf(&myproposalPROPOSAL_SERVER_HOST_KEY_ALGS,
-- "%s,null", orig);
-+ gss = ssh_gssapi_client_mechanisms(gss_host,
-+ options.gss_client_identity, options.gss_kex_algorithms);
-+ if (gss) {
-+ debug("Offering GSSAPI proposal: %s", gss);
-+ xasprintf(&myproposalPROPOSAL_KEX_ALGS,
-+ "%s,%s", gss, orig);
-+
-+ /* If we've got GSSAPI algorithms, then we also support the
-+ * 'null' hostkey, as a last resort */
-+ orig = myproposalPROPOSAL_SERVER_HOST_KEY_ALGS;
-+ xasprintf(&myproposalPROPOSAL_SERVER_HOST_KEY_ALGS,
-+ "%s,null", orig);
-+ }
- }
- }
- #endif
-diff -up openssh-8.6p1/sshd.c.fips openssh-8.6p1/sshd.c
---- openssh-8.6p1/sshd.c.fips 2021-05-06 12:08:36.493926838 +0200
-+++ openssh-8.6p1/sshd.c 2021-05-06 12:13:56.501492639 +0200
-@@ -66,6 +66,7 @@
- #endif
- #include <pwd.h>
- #include <signal.h>
-+#include <syslog.h>
- #include <stdarg.h>
- #include <stdio.h>
- #include <stdlib.h>
-@@ -77,6 +78,7 @@
- #include <openssl/dh.h>
- #include <openssl/bn.h>
- #include <openssl/rand.h>
-+#include <openssl/fips.h>
- #include "openbsd-compat/openssl-compat.h"
- #endif
-
-@@ -1619,6 +1621,7 @@ main(int ac, char **av)
- #endif
- __progname = ssh_get_progname(av0);
-
-+ OpenSSL_add_all_algorithms();
- /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
- saved_argc = ac;
- rexec_argc = ac;
-@@ -1931,6 +1931,13 @@ main(int ac, char **av)
- &key, NULL)) != 0 && r != SSH_ERR_SYSTEM_ERROR)
- do_log2_r(r, ll, "Unable to load host key \"%s\"",
- options.host_key_filesi);
-+ if (FIPS_mode() && key != NULL && (sshkey_type_plain(key->type) == KEY_ED25519_SK
-+ || sshkey_type_plain(key->type) == KEY_ED25519)) {
-+ logit_f("sshd: Ed25519 keys are not allowed in FIPS mode, skipping %s", options.host_key_filesi);
-+ sshkey_free(key);
-+ key = NULL;
-+ continue;
-+ }
- if (sshkey_is_sk(key) &&
- key->sk_flags & SSH_SK_USER_PRESENCE_REQD) {
- debug("host key %s requires user presence, ignoring",
-@@ -2110,6 +2113,10 @@ main(int ac, char **av)
- /* Reinitialize the log (because of the fork above). */
- log_init(__progname, options.log_level, options.log_facility, log_stderr);
-
-+ if (FIPS_mode()) {
-+ debug("FIPS mode initialized");
-+ }
-+
- /*
- * Chdir to the root directory so that the current disk can be
- * unmounted if desired.
-@@ -2494,10 +2501,14 @@ do_ssh2_kex(struct ssh *ssh)
- if (strlen(myproposalPROPOSAL_SERVER_HOST_KEY_ALGS) == 0)
- orig = NULL;
-
-- if (options.gss_keyex)
-- gss = ssh_gssapi_server_mechanisms();
-- else
-- gss = NULL;
-+ if (options.gss_keyex) {
-+ if (FIPS_mode()) {
-+ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
-+ options.gss_keyex = 0;
-+ } else {
-+ gss = ssh_gssapi_server_mechanisms();
-+ }
-+ }
-
- if (gss && orig)
- xasprintf(&newstr, "%s,%s", gss, orig);
-diff -up openssh-8.6p1/sshkey.c.fips openssh-8.6p1/sshkey.c
---- openssh-8.6p1/sshkey.c.fips 2021-05-06 12:08:36.493926838 +0200
-+++ openssh-8.6p1/sshkey.c 2021-05-06 12:08:36.502926908 +0200
-@@ -34,6 +34,7 @@
- #include <openssl/evp.h>
- #include <openssl/err.h>
- #include <openssl/pem.h>
-+#include <openssl/fips.h>
- #endif
-
- #include "crypto_api.h"
-@@ -57,6 +58,7 @@
- #define SSHKEY_INTERNAL
- #include "sshkey.h"
- #include "match.h"
-+#include "log.h"
- #include "ssh-sk.h"
-
- #ifdef WITH_XMSS
-@@ -285,6 +285,18 @@ sshkey_alg_list(int certs_only, int plai
- for (kt = keytypes; kt->type != -1; kt++) {
- if (kt->name == NULL || kt->type == KEY_NULL)
- continue;
-+ if (FIPS_mode()) {
-+ switch (kt->type) {
-+ case KEY_ED25519:
-+ case KEY_ED25519_SK:
-+ case KEY_ED25519_CERT:
-+ case KEY_ED25519_SK_CERT:
-+ continue;
-+ break;
-+ default:
-+ break;
-+ }
-+ }
- if (!include_sigonly && kt->sigonly)
- continue;
- if ((certs_only && !kt->cert) || (plain_only && kt->cert))
-@@ -1503,6 +1503,20 @@ sshkey_read(struct sshkey *ret, char **c
- return SSH_ERR_EC_CURVE_MISMATCH;
- }
-
-+ switch (type) {
-+ case KEY_ED25519:
-+ case KEY_ED25519_SK:
-+ case KEY_ED25519_CERT:
-+ case KEY_ED25519_SK_CERT:
-+ if (FIPS_mode()) {
-+ sshkey_free(k);
-+ logit_f("Ed25519 keys are not allowed in FIPS mode");
-+ return SSH_ERR_INVALID_ARGUMENT;
-+ }
-+ break;
-+ default:
-+ break;
-+ }
- /* Fill in ret from parsed key */
- ret->type = type;
- if (sshkey_is_cert(ret)) {
-@@ -2916,6 +2916,11 @@ sshkey_sign(struct sshkey *key,
- break;
- case KEY_ED25519_SK:
- case KEY_ED25519_SK_CERT:
-+ if (FIPS_mode()) {
-+ logit_f("Ed25519 keys are not allowed in FIPS mode");
-+ return SSH_ERR_INVALID_ARGUMENT;
-+ }
-+ /* Fallthrough */
- case KEY_ECDSA_SK_CERT:
- case KEY_ECDSA_SK:
- r = sshsk_sign(sk_provider, key, sigp, lenp, data,
-@@ -2973,6 +2978,10 @@ sshkey_verify(const struct sshkey *key,
- return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat);
- case KEY_ED25519_SK:
- case KEY_ED25519_SK_CERT:
-+ if (FIPS_mode()) {
-+ logit_f("Ed25519 keys are not allowed in FIPS mode");
-+ return SSH_ERR_INVALID_ARGUMENT;
-+ }
- return ssh_ed25519_sk_verify(key, sig, siglen, data, dlen,
- compat, detailsp);
- #ifdef WITH_XMSS
-diff -up openssh-8.6p1/ssh-keygen.c.fips openssh-8.6p1/ssh-keygen.c
---- openssh-8.6p1/ssh-keygen.c.fips 2021-05-06 12:08:36.467926637 +0200
-+++ openssh-8.6p1/ssh-keygen.c 2021-05-06 12:08:36.503926916 +0200
-@@ -20,6 +20,7 @@
-
- #ifdef WITH_OPENSSL
- #include <openssl/evp.h>
-+#include <openssl/fips.h>
- #include <openssl/pem.h>
- #include "openbsd-compat/openssl-compat.h"
- #endif
-@@ -205,6 +205,12 @@ type_bits_valid(int type, const char *na
- #endif
- }
- #ifdef WITH_OPENSSL
-+ if (FIPS_mode()) {
-+ if (type == KEY_DSA)
-+ fatal("DSA keys are not allowed in FIPS mode");
-+ if (type == KEY_ED25519 || type == KEY_ED25519_SK)
-+ fatal("ED25519 keys are not allowed in FIPS mode");
-+ }
- switch (type) {
- case KEY_DSA:
- if (*bitsp != 1024)
-@@ -1098,9 +1104,17 @@ do_gen_all_hostkeys(struct passwd *pw)
- first = 1;
- printf("%s: generating new host keys: ", __progname);
- }
-+ type = sshkey_type_from_name(key_typesi.key_type);
-+
-+ /* Skip the keys that are not supported in FIPS mode */
-+ if (FIPS_mode() && (type == KEY_DSA || type == KEY_ED25519)) {
-+ logit("Skipping %s key in FIPS mode",
-+ key_typesi.key_type_display);
-+ goto next;
-+ }
-+
- printf("%s ", key_typesi.key_type_display);
- fflush(stdout);
-- type = sshkey_type_from_name(key_typesi.key_type);
- if ((fd = mkstemp(prv_tmp)) == -1) {
- error("Could not save your private key in %s: %s",
- prv_tmp, strerror(errno));
-diff -up openssh-8.7p1/kexgen.c.fips3 openssh-8.7p1/kexgen.c
---- openssh-8.7p1/kexgen.c.fips3 2022-07-11 16:11:21.973519913 +0200
-+++ openssh-8.7p1/kexgen.c 2022-07-11 16:25:31.172187365 +0200
-@@ -31,6 +31,7 @@
- #include <stdio.h>
- #include <string.h>
- #include <signal.h>
-+#include <openssl/fips.h>
-
- #include "sshkey.h"
- #include "kex.h"
-@@ -115,10 +116,20 @@ kex_gen_client(struct ssh *ssh)
- break;
- #endif
- case KEX_C25519_SHA256:
-- r = kex_c25519_keypair(kex);
-+ if (FIPS_mode()) {
-+ logit_f("Key exchange type c25519 is not allowed in FIPS mode");
-+ r = SSH_ERR_INVALID_ARGUMENT;
-+ } else {
-+ r = kex_c25519_keypair(kex);
-+ }
- break;
- case KEX_KEM_SNTRUP761X25519_SHA512:
-- r = kex_kem_sntrup761x25519_keypair(kex);
-+ if (FIPS_mode()) {
-+ logit_f("Key exchange type sntrup761 is not allowed in FIPS mode");
-+ r = SSH_ERR_INVALID_ARGUMENT;
-+ } else {
-+ r = kex_kem_sntrup761x25519_keypair(kex);
-+ }
- break;
- default:
- r = SSH_ERR_INVALID_ARGUMENT;
-@@ -186,11 +197,21 @@ input_kex_gen_reply(int type, u_int32_t
- break;
- #endif
- case KEX_C25519_SHA256:
-- r = kex_c25519_dec(kex, server_blob, &shared_secret);
-+ if (FIPS_mode()) {
-+ logit_f("Key exchange type c25519 is not allowed in FIPS mode");
-+ r = SSH_ERR_INVALID_ARGUMENT;
-+ } else {
-+ r = kex_c25519_dec(kex, server_blob, &shared_secret);
-+ }
- break;
- case KEX_KEM_SNTRUP761X25519_SHA512:
-- r = kex_kem_sntrup761x25519_dec(kex, server_blob,
-- &shared_secret);
-+ if (FIPS_mode()) {
-+ logit_f("Key exchange type sntrup761 is not allowed in FIPS mode");
-+ r = SSH_ERR_INVALID_ARGUMENT;
-+ } else {
-+ r = kex_kem_sntrup761x25519_dec(kex, server_blob,
-+ &shared_secret);
-+ }
- break;
- default:
- r = SSH_ERR_INVALID_ARGUMENT;
-@@ -285,12 +306,22 @@ input_kex_gen_init(int type, u_int32_t s
- break;
- #endif
- case KEX_C25519_SHA256:
-- r = kex_c25519_enc(kex, client_pubkey, &server_pubkey,
-- &shared_secret);
-+ if (FIPS_mode()) {
-+ logit_f("Key exchange type c25519 is not allowed in FIPS mode");
-+ r = SSH_ERR_INVALID_ARGUMENT;
-+ } else {
-+ r = kex_c25519_enc(kex, client_pubkey, &server_pubkey,
-+ &shared_secret);
-+ }
- break;
- case KEX_KEM_SNTRUP761X25519_SHA512:
-- r = kex_kem_sntrup761x25519_enc(kex, client_pubkey,
-- &server_pubkey, &shared_secret);
-+ if (FIPS_mode()) {
-+ logit_f("Key exchange type sntrup761 is not allowed in FIPS mode");
-+ r = SSH_ERR_INVALID_ARGUMENT;
-+ } else {
-+ r = kex_kem_sntrup761x25519_enc(kex, client_pubkey,
-+ &server_pubkey, &shared_secret);
-+ }
- break;
- default:
- r = SSH_ERR_INVALID_ARGUMENT;
-diff -up openssh-8.7p1/ssh-ed25519.c.fips3 openssh-8.7p1/ssh-ed25519.c
---- openssh-8.7p1/ssh-ed25519.c.fips3 2022-07-11 16:53:41.428343304 +0200
-+++ openssh-8.7p1/ssh-ed25519.c 2022-07-11 16:56:09.284663661 +0200
-@@ -24,6 +24,7 @@
-
- #include <string.h>
- #include <stdarg.h>
-+#include <openssl/fips.h>
-
- #include "log.h"
- #include "sshbuf.h"
-@@ -52,6 +53,10 @@ ssh_ed25519_sign(const struct sshkey *ke
- key->ed25519_sk == NULL ||
- datalen >= INT_MAX - crypto_sign_ed25519_BYTES)
- return SSH_ERR_INVALID_ARGUMENT;
-+ if (FIPS_mode()) {
-+ logit_f("Ed25519 keys are not allowed in FIPS mode");
-+ return SSH_ERR_INVALID_ARGUMENT;
-+ }
- smlen = slen = datalen + crypto_sign_ed25519_BYTES;
- if ((sig = malloc(slen)) == NULL)
- return SSH_ERR_ALLOC_FAIL;
-@@ -108,6 +113,10 @@ ssh_ed25519_verify(const struct sshkey *
- datalen >= INT_MAX - crypto_sign_ed25519_BYTES ||
- signature == NULL || signaturelen == 0)
- return SSH_ERR_INVALID_ARGUMENT;
-+ if (FIPS_mode()) {
-+ logit_f("Ed25519 keys are not allowed in FIPS mode");
-+ return SSH_ERR_INVALID_ARGUMENT;
-+ }
-
- if ((b = sshbuf_from(signature, signaturelen)) == NULL)
- return SSH_ERR_ALLOC_FAIL;
_service:tar_scm:skip-tests-for-C-if-there-is-no-openssl-on-local-pat.patch
Deleted
@@ -1,100 +0,0 @@
-From a0772385f1b4086aacdc6d84a3daea4b2ef26f30 Mon Sep 17 00:00:00 2001
-From: chengyechun <chengyechun1@huawei.com>
-Date: Thu, 5 Jan 2023 23:43:22 +0800
-Subject: PATCH skip tests for '%C' if there is no openssl on local path
-
----
- regress/percent.sh | 24 +++++++++++----
- ...t-if-there-is-no-openssl-on-local-pa.patch | 30 +++++++++++++++++++
- 2 files changed, 48 insertions(+), 6 deletions(-)
- create mode 100644 skip-percent-test-if-there-is-no-openssl-on-local-pa.patch
-
-diff --git a/regress/percent.sh b/regress/percent.sh
-index 7ed4184..9c112eb 100644
---- a/regress/percent.sh
-+++ b/regress/percent.sh
-@@ -13,6 +13,10 @@ USERID=`id -u`
- HOST=`hostname | cut -f1 -d.`
- HOSTNAME=`hostname`
-
-+# Check if there is openssl in local PATH
-+NOOPENSSL=0
-+for i in $PATH;do -x "$i/openssl" && NOOPENSSL=1; done
-+
- # Localcommand is evaluated after connection because %T is not available
- # until then. Because of this we use a different method of exercising it,
- # and we can't override the remote user otherwise authentication will fail.
-@@ -77,11 +81,14 @@ for i in matchexec localcommand remotecommand controlpath identityagent \
- if "$i" = "$localcommand" ; then
- trial $i '%T' NONE
- fi
-- # Matches implementation in readconf.c:ssh_connection_hash()
-- HASH=`printf "${HOSTNAME}127.0.0.1${PORT}$REMUSER" |
-- $OPENSSL_BIN sha1 | cut -f2 -d' '`
-+ # skip tests for '%C' since no openssl in local PATH
-+ if $NOOPENSSL -eq 1 ; then
-+ # Matches implementation in readconf.c:ssh_connection_hash()
-+ HASH=`printf "${HOSTNAME}127.0.0.1${PORT}$REMUSER" |
-+ $OPENSSL_BIN sha1 | cut -f2 -d' '`
-+ fi
- trial $i '%%' '%'
-- trial $i '%C' $HASH
-+ if $NOOPENSSL -eq 1 ; then trial $i '%C' $HASH; fi
- trial $i '%i' $USERID
- trial $i '%h' 127.0.0.1
- trial $i '%L' $HOST
-@@ -95,8 +102,13 @@ for i in matchexec localcommand remotecommand controlpath identityagent \
- # containing %d for UserKnownHostsFile
- if "$i" != "userknownhostsfile" ; then
- trial $i '%d' $HOME
-- trial $i '%%/%C/%i/%h/%d/%L/%l/%n/%p/%r/%u' \
-- "%/$HASH/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER"
-+ if $NOOPENSSL -eq 0 ; then
-+ trial $i '%%/%i/%h/%d/%L/%l/%n/%p/%r/%u' \
-+ "%/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER"
-+ else
-+ trial $i '%%/%C/%i/%h/%d/%L/%l/%n/%p/%r/%u' \
-+ "%/$HASH/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER"
-+ fi
- fi
- done
-
-diff --git a/skip-percent-test-if-there-is-no-openssl-on-local-pa.patch b/skip-percent-test-if-there-is-no-openssl-on-local-pa.patch
-new file mode 100644
-index 0000000..c7af5d9
---- /dev/null
-+++ b/skip-percent-test-if-there-is-no-openssl-on-local-pa.patch
-@@ -0,0 +1,30 @@
-+From 1da9e48b41ab6eca157d4fa3b74490510d9006ae Mon Sep 17 00:00:00 2001
-+From: chengyechun <chengyechun1@huawei.com>
-+Date: Thu, 5 Jan 2023 23:43:22 +0800
-+Subject: PATCH skip percent test if there is no openssl on local path as
-+ scp3 did
-+
-+---
-+ regress/percent.sh | 6 ++++++
-+ 1 file changed, 6 insertions(+)
-+
-+diff --git a/regress/percent.sh b/regress/percent.sh
-+index 7ed4184..08afbc8 100644
-+--- a/regress/percent.sh
-++++ b/regress/percent.sh
-+@@ -8,6 +8,12 @@ if -x "/usr/xpg4/bin/id" ; then
-+ export PATH
-+ fi
-+
-++NOOPENSSL=0
-++for i in $PATH;do -x "$i/openssl" && $OPENSSL=1; done
-++if $? -eq 0 ; then
-++ skip "No openssl on local path."
-++fi
-++
-+ USER=`id -u -n`
-+ USERID=`id -u`
-+ HOST=`hostname | cut -f1 -d.`
-+--
-+2.23.0
-+
---
-2.23.0
-