Changes of Revision 4
_service:tar_scm:openssh.spec
Changed
@@ -6,7 +6,7 @@ %{?no_gtk2:%global gtk2 0} %global sshd_uid 74 -%global openssh_release 3 +%global openssh_release 4 Name: openssh Version: 9.1p1 @@ -44,7 +44,6 @@ Patch10: openssh-6.6p1-privsep-selinux.patch Patch12: openssh-6.6p1-keycat.patch Patch13: openssh-6.6p1-allow-ip-opts.patch -Patch14: openssh-6.6p1-keyperm.patch Patch15: openssh-5.9p1-ipv6man.patch Patch16: openssh-5.8p2-sigpipe.patch Patch17: openssh-7.2p2-x11.patch 
@@ -89,9 +88,29 @@ Patch65: openssh-Add-sw64-architecture.patch Patch74: add-strict-scp-check-for-CVE-2020-15778.patch Patch77: skip-scp-test-if-there-is-no-scp-on-remote-path-as-s.patch -Patch78: skip-tests-for-C-if-there-is-no-openssl-on-local-pat.patch -Patch79: backport-upstream-CVE-2023-25136-fix-double-free-caused.patch -Patch80: set-ssh-config.patch +Patch78: backport-upstream-CVE-2023-25136-fix-double-free-caused.patch +Patch79: set-ssh-config.patch +Patch80: backport-upstream-honour-user-s-umask-if-it-is-more-restricti.patch +Patch81: backport-upstream-use-correct-type-with-sizeof-ok-djm.patch +Patch82: backport-Defer-seed_rng-until-after-closefrom-call.patch +Patch83: backport-upstream-Handle-dynamic-remote-port-forwarding-in-es.patch +Patch84: backport-upstream-The-idiomatic-way-of-coping-with-signed-cha.patch +Patch85: backport-upstream-Clear-signal-mask-early-in-main-sshd-may-ha.patch +Patch86: backport-upstream-fix-bug-in-PermitRemoteOpen-which-caused-it.patch +Patch87: backport-upstream-regression-test-for-PermitRemoteOpen.patch +Patch88: backport-upstream-Copy-bytes-from-the_banana-rather-than-bana.patch +Patch89: backport-upstream-When-OpenSSL-is-not-available-skip-parts-of.patch +Patch90: backport-don-t-test-IPv6-addresses-if-platform-lacks-support.patch +Patch91: backport-upstream-avoid-printf-s-NULL-if-using-ssh.patch +Patch92: backport-upstream-Add-scp-s-path-to-test-sshd-s-PATH.patch +Patch93: backport-upstream-Instead-of-skipping-the-all-tokens-test-if-.patch +Patch94: backport-upstream-Shell-syntax-fix.-From-ren-mingshuai-vi-git.patch +Patch95: backport-Allow-writev-is-seccomp-sandbox.patch +Patch96: backport-upstream-Ensure-that-there-is-a-terminating-newline-.patch +Patch97: backport-upstream-when-restoring-non-blocking-mode-to-stdio-f.patch +Patch98: backport-upstream-test-compat_kex_proposal-by-dtucker.patch +Patch99: backport-adapt-compat_kex_proposal-test-to-portable.patch +Patch100: 
backport-upstream-Move-scp-path-setting-to-a-helper-function.patch Requires: /sbin/nologin Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8 @@ -232,6 +251,26 @@ %patch78 -p1 %patch79 -p1 %patch80 -p1 +%patch81 -p1 +%patch82 -p1 +%patch83 -p1 +%patch84 -p1 +%patch85 -p1 +%patch86 -p1 +%patch87 -p1 +%patch88 -p1 +%patch89 -p1 +%patch90 -p1 +%patch91 -p1 +%patch92 -p1 +%patch93 -p1 +%patch94 -p1 +%patch95 -p1 +%patch96 -p1 +%patch97 -p1 +%patch98 -p1 +%patch99 -p1 +%patch100 -p1 autoreconf pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4 @@ -428,6 +467,12 @@ %attr(0644,root,root) %{_mandir}/man8/sftp-server.8* %changelog +* Sat Mar 18 2023 renmingshuai<renmingshuai@huawei.com> - 9.1p1-4 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:backport some upstreams patches and delete unused patches + * Tue Feb 28 2023 renmingshuai<renmingshuai@huawei.com> - 9.1p1-3 - Type:bugfix - CVE:NA
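Review bot: Dropping `Patch14: openssh-6.6p1-keyperm.patch` from the Patch list is not matched by any visible removal of a `%patch14 -p1` apply line; the %prep hunk shown begins at `%patch78 -p1`, so whether such a line still exists above it is outside the hunk and should be confirmed, because a leftover `%patch14` fails the build on an undefined patch. If the patch really was unused the removal is harmless, but as far as I recall a patch of that name in other distributions relaxes sshd's host-key permission check to accept group-readable keys, so it is also worth confirming that the host keys this package installs do not depend on it. The changelog `DESC` line could name the runtime-affecting backports (seccomp `writev` allow, early signal-mask clearing, `PermitRemoteOpen` parsing, known_hosts newline handling) instead of only `backport some upstreams patches`, since `CVE:NA` alone does not tell an auditor that sshd and ssh behaviour changed in this release.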
_service:tar_scm:backport-Allow-writev-is-seccomp-sandbox.patch
Added
@@ -0,0 +1,30 @@
+From 6283f4bd83eee714d0f5fc55802eff836b06fea8 Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Sat, 14 Jan 2023 22:02:44 +1100
+Subject: PATCH Allow writev is seccomp sandbox.
+
+This seems to be used by recent glibcs at least in some configurations.
+From bz#3512, ok djm@
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=6283f4bd83eee714d0f5fc55802eff836b06fea8
+---
+ sandbox-seccomp-filter.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index cec43c46..4ab49eb6 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -312,6 +312,9 @@ static const struct sock_filter preauth_insns = {
+ #ifdef __NR_write
+ SC_ALLOW(__NR_write),
+ #endif
++#ifdef __NR_writev
++ SC_ALLOW(__NR_writev),
++#endif
+ #ifdef __NR_socketcall
+ SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),
+ SC_DENY(__NR_socketcall, EACCES),
+--
+2.27.0
+
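Review bot: The new `SC_ALLOW(__NR_writev)` widens the pre-auth seccomp allow-list without a comment in the filter table saying why, so a later audit of `preauth_insns` has to dig through commit history to learn the rule exists for glibc's stdio; a one-liner above the `#ifdef`, e.g. `/* glibc stdio may emit writev(2) for buffered output; bz#3512 */`, keeps the rationale next to the rule. The allow is unconditional, which matches the existing `SC_ALLOW(__NR_write)` immediately above and adds no argument surface beyond it. `preauth_insns` starts and ends outside the hunk.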
_service:tar_scm:backport-Defer-seed_rng-until-after-closefrom-call.patch
Added
@@ -0,0 +1,39 @@
+From cf1a9852d7fc93e4abc4168aed09529a57427cdc Mon Sep 17 00:00:00 2001
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Wed, 9 Nov 2022 09:23:47 +1100
+Subject: PATCH Defer seed_rng until after closefrom call.
+
+seed_rng will initialize OpenSSL, and some engine providers (eg Intel's
+QAT) will open descriptors for their own use. bz#3483, patch from
+joel.d.schuetze at intel.com, ok djm@
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=cf1a9852d7fc93e4abc4168aed09529a57427cdc
+---
+ sshd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sshd.c b/sshd.c
+index b4bb7d65..808d91ef 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -1580,8 +1580,6 @@ main(int ac, char **av)
+ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+ sanitise_stdfd();
+
+- seed_rng();
+-
+ /* Initialize configuration options to their default values. */
+ initialize_server_options(&options);
+
+@@ -1703,6 +1701,8 @@ main(int ac, char **av)
+ else
+ closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
+
++ seed_rng();
++
+ /* If requested, redirect the logs to the specified logfile. */
+ if (logfile != NULL)
+ log_redirect_stderr_to(logfile);
+--
+2.27.0
+
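Review bot: Moving `seed_rng()` below `closefrom()` means the whole stretch of `main()` between the two hunks now runs before the RNG has been checked; the visible context shows only `initialize_server_options()` in that window, but the rest of it is outside the hunk and should be confirmed to make no `arc4random`/`RAND_bytes` calls. The reason for the new placement lives only in the commit message, so a comment beside the call, e.g. `/* After closefrom(): OpenSSL engines may open fds that closefrom() would discard (bz#3483). */`, would stop a future cleanup from hoisting it back. Both hunks are inside `main()`, whose start and end are outside the hunk.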
_service:tar_scm:backport-adapt-compat_kex_proposal-test-to-portable.patch
Added
@@ -0,0 +1,51 @@
+From 9fe207565b4ab0fe5d1ac5bb85e39188d96fb214 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Thu, 2 Feb 2023 23:17:49 +1100
+Subject: PATCH adapt compat_kex_proposal() test to portable
+
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=9fe207565b4ab0fe5d1ac5bb85e39188d96fb214
+---
+ Makefile.in | 1 +
+ regress/unittests/kex/test_proposal.c | 6 +++++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index 18f6ac9e..c0ebfa04 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -616,6 +616,7 @@ regress/unittests/conversion/test_conversion$(EXEEXT): \
+ UNITTESTS_TEST_KEX_OBJS=\
+ regress/unittests/kex/tests.o \
+ regress/unittests/kex/test_kex.o \
++ regress/unittests/kex/test_proposal.o \
+ $(SKOBJS)
+
+ regress/unittests/kex/test_kex$(EXEEXT): ${UNITTESTS_TEST_KEX_OBJS} \
+diff --git a/regress/unittests/kex/test_proposal.c b/regress/unittests/kex/test_proposal.c
+index b89ff59b..d6cf0f5d 100644
+--- a/regress/unittests/kex/test_proposal.c
++++ b/regress/unittests/kex/test_proposal.c
+@@ -5,14 +5,18 @@
+ * Placed in the public domain
+ */
+
++#include "includes.h"
++
+ #include <sys/types.h>
+ #include <signal.h>
+ #include <stdio.h>
++#ifdef HAVE_STDINT_H
+ #include <stdint.h>
++#endif
+ #include <stdlib.h>
+ #include <string.h>
+
+-#include "test_helper.h"
++#include "../test_helper/test_helper.h"
+
+ #include "compat.h"
+ #include "ssherr.h"
+--
+2.27.0
+
_service:tar_scm:backport-don-t-test-IPv6-addresses-if-platform-lacks-support.patch
Added
@@ -0,0 +1,52 @@
+From dd1249bd5c45128a908395c61b26996a70f82205 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Sun, 8 Jan 2023 12:08:59 +1100
+Subject: PATCH don't test IPv6 addresses if platform lacks support
+
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=dd1249bd5c45128a908395c61b26996a70f82205
+
+---
+ regress/dynamic-forward.sh | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh
+index f6c2393..1bfe05a 100644
+--- a/regress/dynamic-forward.sh
++++ b/regress/dynamic-forward.sh
+@@ -17,6 +17,11 @@ else
+ fi
+ trace "will use ProxyCommand $proxycmd"
+
++# This is a reasonable proxy for IPv6 support.
++if ! config_defined HAVE_STRUCT_IN6_ADDR ; then
++ SKIP_IPV6=yes
++fi
++
+ start_ssh() {
+ direction="$1"
+ arg="$2"
+@@ -96,14 +101,16 @@ for d in D R; do
+ stop_ssh
+
+ verbose "PermitRemoteOpen=explicit"
+- start_ssh $d \
+- PermitRemoteOpen="127.0.0.1:$PORT ::1:$PORT localhost:$PORT"
++ permit="127.0.0.1:$PORT ::1:$PORT localhost:$PORT"
++ test -z "$SKIP_IPV6" || permit="127.0.0.1:$PORT localhost:$PORT"
++ start_ssh $d PermitRemoteOpen="$permit"
+ check_socks $d Y
+ stop_ssh
+
+ verbose "PermitRemoteOpen=disallowed"
+- start_ssh $d \
+- PermitRemoteOpen="127.0.0.1:1 ::1:1 localhost:1"
++ permit="127.0.0.1:1 ::1:1 localhost:1"
++ test -z "$SKIP_IPV6" || permit="127.0.0.1:1 localhost:1"
++ start_ssh $d PermitRemoteOpen="$permit"
+ check_socks $d N
+ stop_ssh
+ done
+--
+2.27.0
+
_service:tar_scm:backport-upstream-Add-scp-s-path-to-test-sshd-s-PATH.patch
Added
@@ -0,0 +1,37 @@
+From 6e6f88647042b3cde54a628545c2f5fb656a9327 Mon Sep 17 00:00:00 2001
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Fri, 13 Jan 2023 04:23:00 +0000
+Subject: PATCH upstream: Add scp's path to test sshd's PATH.
+
+If the scp we're testing is fully qualified (eg it's not in the system
+PATH) then add its path to the under-test sshd's PATH so we can find
+it. Prompted by bz#3518.
+
+OpenBSD-Regress-ID: 7df4f5a0be3aa135495b7e5a6719d3cbc26cc4c0
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=6e6f88647042b3cde54a628545c2f5fb656a9327
+---
+ regress/test-exec.sh | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/regress/test-exec.sh b/regress/test-exec.sh
+index c51f8eac..5a6afac5 100644
+--- a/regress/test-exec.sh
++++ b/regress/test-exec.sh
+@@ -529,6 +529,13 @@ cat << EOF > $OBJ/sshd_config
+ Subsystem sftp $SFTPSERVER
+ EOF
+
++# If we're testing a non-installed scp, add its directory to sshd's PATH
++# so we can test it.
++case "$SCP" in
++/*) PATH_WITH_SCP="`dirname $SCP`:$PATH"
++ echo " SetEnv PATH='$PATH_WITH_SCP'" >>$OBJ/sshd_config ;;
++esac
++
+ # This may be necessary if /usr/src and/or /usr/obj are group-writable,
+ # but if you aren't careful with permissions then the unit tests could
+ # be abused to locally escalate privileges.
+--
+2.27.0
+
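Review bot: `SetEnv PATH='$PATH_WITH_SCP'` prepends the directory of `$SCP` to the under-test sshd's PATH for every regress run, and the comment directly below the insertion already warns that a group-writable source or object tree lets the unit tests be abused for local privilege escalation; the new entry is one more directory that warning applies to, so extend it, e.g. `# (the scp directory added to PATH above is subject to the same caveat)`. The single-quoted value also breaks if `$SCP` contains a `'`, unlikely for a build path but worth a note. This insertion is superseded later in the same revision by the helper-function version of the change, so the point carries over to that helper.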
_service:tar_scm:backport-upstream-Clear-signal-mask-early-in-main-sshd-may-ha.patch
Added
@@ -0,0 +1,52 @@
+From 93f2ce8c050a7a2a628646c00b40b9b53fef93ef Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 16 Dec 2022 06:56:47 +0000
+Subject: PATCH upstream: Clear signal mask early in main(); sshd may have
+ been
+
+started with one or more signals masked (sigprocmask(2) is not cleared
+on fork/exec) and this could interfere with various things, e.g. the
+login grace timer.
+
+Execution environments that fail to clear the signal mask before running
+sshd are clearly broken, but apparently they do exist.
+
+Reported by Sreedhar Balasubramanian; ok dtucker@
+
+OpenBSD-Commit-ID: 77078c0b1c53c780269fc0c416f121d05e3010ae
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=93f2ce8c050a7a2a628646c00b40b9b53fef93ef
+---
+ sshd.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/sshd.c b/sshd.c
+index cd42bd5..da39226 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sshd.c,v 1.591 2022/09/17 10:34:29 djm Exp $ */
++/* $OpenBSD: sshd.c,v 1.594 2022/12/16 06:56:47 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -1650,12 +1650,16 @@ main(int ac, char **av)
+ int keytype;
+ Authctxt *authctxt;
+ struct connection_info *connection_info = NULL;
++ sigset_t sigmask;
+
+ #ifdef HAVE_SECUREWARE
+ (void)set_auth_parameters(ac, av);
+ #endif
+ __progname = ssh_get_progname(av0);
+
++ sigemptyset(&sigmask);
++ sigprocmask(SIG_SETMASK, &sigmask, NULL);
++
+ /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
+ saved_argc = ac;
+ rexec_argc = ac;
+--
+2.23.0
+
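Review bot: `sigprocmask(SIG_SETMASK, &sigmask, NULL)` is the right call, but nothing in the code says what an inherited mask breaks; the commit message explains that a masked signal can interfere with the login grace timer, which for sshd means an unauthenticated client could hold a pre-auth slot past `LoginGraceTime`, so a comment such as `/* Clear any inherited signal mask (not reset across fork/exec); a masked SIGALRM would defeat the LoginGraceTime timer. */` would keep that rationale with the code. The return values of `sigemptyset` and `sigprocmask` are ignored, which is acceptable for these fixed arguments but could be made explicit with a `(void)` cast as the `set_auth_parameters` line above already does. `main()` continues beyond the hunk; `av0` in `ssh_get_progname(av0)` reads as `av[0]` with the brackets lost in rendering.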
_service:tar_scm:backport-upstream-Copy-bytes-from-the_banana-rather-than-bana.patch
Added
@@ -0,0 +1,32 @@
+From 018d671d78145f03d6f07ae9d64d51321da70325 Mon Sep 17 00:00:00 2001
+From: "tb@openbsd.org" <tb@openbsd.org>
+Date: Wed, 4 Jan 2023 22:48:57 +0000
+Subject: PATCH upstream: Copy bytes from the_banana rather than banana()
+
+Fixes test failure due to segfault seen on arm64 with xonly snap.
+
+ok djm
+
+OpenBSD-Regress-ID: 86e2aa4bbd1dff1bc4ebb2969c0d6474485be046
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=018d671d78145f03d6f07ae9d64d51321da70325
+---
+ regress/unittests/sshkey/test_sshkey.c | 2 +-
+ 1 file changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/regress/unittests/sshkey/test_sshkey.c b/regress/unittests/sshkey/test_sshkey.c
+index 982907ce..cc359aea 100644
+--- a/regress/unittests/sshkey/test_sshkey.c
++++ b/regress/unittests/sshkey/test_sshkey.c
+@@ -144,7 +144,7 @@ banana(u_char *s, size_t l)
+ memcpy(s + o, "nanananana", l - o);
+ break;
+ }
+- memcpy(s + o, banana, sizeof(the_banana));
++ memcpy(s + o, the_banana, sizeof(the_banana));
+ }
+ }
+
+--
+2.27.0
+
_service:tar_scm:backport-upstream-Ensure-that-there-is-a-terminating-newline-.patch
Added
@@ -0,0 +1,48 @@
+From 3c379c9a849a635cc7f05cbe49fe473ccf469ef9 Mon Sep 17 00:00:00 2001
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Thu, 9 Feb 2023 09:54:11 +0000
+Subject: PATCH upstream: Ensure that there is a terminating newline when
+ adding a new
+
+entry to known_hosts. bz#3529, with git+openssh at limpsquid.nl, ok deraadt@
+markus@
+
+OpenBSD-Commit-ID: fa8d90698da1886570512b96f051e266eac105e0
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=3c379c9a849a635cc7f05cbe49fe473ccf469ef9
+---
+ hostfile.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/hostfile.c b/hostfile.c
+index bd49e3ac..f5fa8084 100644
+--- a/hostfile.c
++++ b/hostfile.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: hostfile.c,v 1.93 2022/01/06 22:02:52 djm Exp $ */
++/* $OpenBSD: hostfile.c,v 1.94 2023/02/09 09:54:11 dtucker Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -520,9 +520,17 @@ add_host_to_hostfile(const char *filename, const char *host,
+ if (key == NULL)
+ return 1; /* XXX ? */
+ hostfile_create_user_ssh_dir(filename, 0);
+- f = fopen(filename, "a");
++ f = fopen(filename, "a+");
+ if (!f)
+ return 0;
++ /* Make sure we have a terminating newline. */
++ if (fseek(f, -1L, SEEK_END) == 0 && fgetc(f) != '\n')
++ if (fputc('\n', f) != '\n') {
++ error("Failed to add terminating newline to %s: %s",
++ filename, strerror(errno));
++ fclose(f);
++ return 0;
++ }
+ success = write_host_entry(f, host, NULL, key, store_hash);
+ fclose(f);
+ return success;
+--
+2.27.0
+
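Review bot: `fgetc(f)` on the final byte is followed directly by `fputc('\n', f)` with no intervening positioning call; by the letter of C11 7.21.5.3p7 an update stream must see `fseek`/`fsetpos`/`fflush` between input and output unless the read hit end-of-file, and here it did not, so this is undefined behaviour in the standard even though glibc and OpenBSD libc cope with it in append mode. An explicit `fseek(f, 0L, SEEK_END);` before the `fputc` makes the transition portable and documents that the write goes to the end. On an empty file `fseek(f, -1L, SEEK_END)` fails and the whole check is skipped, which is the wanted outcome but deserves a comment such as `/* fseek() fails on an empty file; nothing to terminate then. */`. `add_host_to_hostfile()` starts outside the hunk.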
_service:tar_scm:backport-upstream-Handle-dynamic-remote-port-forwarding-in-es.patch
Added
@@ -0,0 +1,46 @@
+From 650de7ecd3567b5a5dbf16dd1eb598bd8c20bca8 Mon Sep 17 00:00:00 2001
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Thu, 10 Nov 2022 23:03:10 +0000
+Subject: PATCH upstream: Handle dynamic remote port forwarding in escape
+ commandline's
+
+-R processing. bz#3499, ok djm@
+
+OpenBSD-Commit-ID: 194ee4cfe7ed0e2b8ad0727f493c798a50454208
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=650de7ecd3567b5a5dbf16dd1eb598bd8c20bca8
+---
+ clientloop.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/clientloop.c b/clientloop.c
+index 289d0b68..02349ccb 100644
+--- a/clientloop.c
++++ b/clientloop.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: clientloop.c,v 1.380 2022/06/03 04:30:46 djm Exp $ */
++/* $OpenBSD: clientloop.c,v 1.382 2022/11/10 23:03:10 dtucker Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -846,8 +846,15 @@ process_cmdline(struct ssh *ssh)
+ }
+ logit("Canceled forwarding.");
+ } else {
+- if (!parse_forward(&fwd, s, dynamic, remote)) {
+- logit("Bad forwarding specification.");
++ /* -R specs can be both dynamic or not, so check both. */
++ if (remote) {
++ if (!parse_forward(&fwd, s, 0, remote) &&
++ !parse_forward(&fwd, s, 1, remote)) {
++ logit("Bad remote forwarding specification.");
++ goto out;
++ }
++ } else if (!parse_forward(&fwd, s, dynamic, remote)) {
++ logit("Bad local forwarding specification.");
+ goto out;
+ }
+ if (local || dynamic) {
+--
+2.27.0
+
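Review bot: The retry `!parse_forward(&fwd, s, 0, remote) && !parse_forward(&fwd, s, 1, remote)` depends on `parse_forward()` leaving `fwd` clean after a failed first attempt; as far as I recall it zeroes the struct on entry and frees its fields on failure, but that contract is not visible here, so a comment such as `/* parse_forward() resets fwd on failure, so a second attempt is safe. */` is warranted, or a check of readconf.c before merging. Trying the non-dynamic form first also means a spec that parses both ways is silently taken as a plain remote forward, which is presumably intended to mirror `ssh -R` handling and could say so. `process_cmdline()` begins and ends outside the hunk.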
_service:tar_scm:backport-upstream-Instead-of-skipping-the-all-tokens-test-if-.patch
Added
@@ -0,0 +1,44 @@
+From 4d87a00f704e0365e11c3c38b170c1275ec461fc Mon Sep 17 00:00:00 2001
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Sat, 14 Jan 2023 09:57:08 +0000
+Subject: PATCH upstream: Instead of skipping the all-tokens test if we don't
+ have
+
+OpenSSL (since we use it to compute the hash), put the hash at the end and
+just omit it if we don't have it. Prompted by bz#3521.
+
+OpenBSD-Regress-ID: c79ecba64250ed3b6417294b6c965e6b12ca5eea
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=4d87a00f704e0365e11c3c38b170c1275ec461fc
+---
+diff --git a/regress/percent.sh b/regress/percent.sh
+index ed5c604d..3dfa8d2d 100644
+--- a/regress/percent.sh
++++ b/regress/percent.sh
+@@ -12,6 +12,7 @@ USER=`id -u -n`
+ USERID=`id -u`
+ HOST=`hostname | cut -f1 -d.`
+ HOSTNAME=`hostname`
++HASH=""
+
+ # Localcommand is evaluated after connection because %T is not available
+ # until then. Because of this we use a different method of exercising it,
+@@ -98,10 +99,13 @@ for i in matchexec localcommand remotecommand controlpath identityagent \
+ # containing %d for UserKnownHostsFile
+ if "$i" != "userknownhostsfile" ; then
+ trial $i '%d' $HOME
++ in='%%/%i/%h/%d/%L/%l/%n/%p/%r/%u'
++ out="%/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER"
+ if ! -z "${HASH}" ; then
+- trial $i '%%/%C/%i/%h/%d/%L/%l/%n/%p/%r/%u' \
+- "%/$HASH/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER"
++ in="$in/%C"
++ out="$out/$HASH"
+ fi
++ trial $i "$in" "$out"
+ fi
+ done
+
+--
+2.27.0
+
_service:tar_scm:backport-upstream-Move-scp-path-setting-to-a-helper-function.patch
Added
@@ -0,0 +1,150 @@
+From 625f6bc39840167dafb3bf5b6a3e18503ac986e8 Mon Sep 17 00:00:00 2001
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Fri, 13 Jan 2023 04:47:34 +0000
+Subject: PATCH upstream: Move scp path setting to a helper function.
+The
+ previous
+
+commit to add scp to the test sshd's path causes the t-envpass test to
+fail
+when the test scp is given using a fully qualified path. Put this in a
+helper function and only call it from the scp tests.
+
+OpenBSD-Regress-ID: 7533dc1c4265c1de716abb062957994195b36df4
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=625f6bc39840167dafb3bf5b6a3e18503ac986e8
+---
+ regress/multiplex.sh | 3 ++-
+ regress/scp-uri.sh | 4 +++-
+ regress/scp.sh | 4 +++-
+ regress/scp3.sh | 6 ++++--
+ regress/test-exec.sh | 21 +++++++++++++--------
+ 5 files changed, 25 insertions(+), 13 deletions(-)
+
+diff --git a/regress/multiplex.sh b/regress/multiplex.sh
+index 6317099..046194c 100644
+--- a/regress/multiplex.sh
++++ b/regress/multiplex.sh
+@@ -1,4 +1,4 @@
+-# $OpenBSD: multiplex.sh,v 1.34 2022/06/03 04:31:54 djm Exp $
++# $OpenBSD: multiplex.sh,v 1.35 2023/01/13 04:47:34 dtucker Exp $
+ # Placed in the Public Domain.
+
+ make_tmpdir
+@@ -24,6 +24,7 @@ wait_for_mux_master_ready()
+ fatal "mux master never becomes ready"
+ }
+
++maybe_add_scp_path_to_sshd
+ start_sshd
+
+ start_mux_master()
+diff --git a/regress/scp-uri.sh b/regress/scp-uri.sh
+index 20ac3c8..eacbd45 100644
+--- a/regress/scp-uri.sh
++++ b/regress/scp-uri.sh
+@@ -1,4 +1,4 @@
+-# $OpenBSD: scp-uri.sh,v 1.4 2021/08/10 03:35:45 djm Exp $
++# $OpenBSD: scp-uri.sh,v 1.5 2023/01/13 04:47:34 dtucker Exp $
+ # Placed in the Public Domain.
+
+ tid="scp-uri"
+@@ -9,6 +9,8 @@ COPY2=${OBJ}/copy2
+ DIR=${COPY}.dd
+ DIR2=${COPY}.dd2
+
++maybe_add_scp_path_to_sshd
++
+ SRC=`dirname ${SCRIPT}`
+ cp ${SRC}/scp-ssh-wrapper.sh ${OBJ}/scp-ssh-wrapper.scp
+ chmod 755 ${OBJ}/scp-ssh-wrapper.scp
+diff --git a/regress/scp.sh b/regress/scp.sh
+index f47c594..ef4399e 100644
+--- a/regress/scp.sh
++++ b/regress/scp.sh
+@@ -1,4 +1,4 @@
+-# $OpenBSD: scp.sh,v 1.14 2022/05/15 23:48:07 djm Exp $
++# $OpenBSD: scp.sh,v 1.18 2023/01/13 04:47:34 dtucker Exp $
+ # Placed in the Public Domain.
+
+ tid="scp"
+@@ -16,6 +16,8 @@ COPY2=${OBJ}/copy2
+ DIR=${COPY}.dd
+ DIR2=${COPY}.dd2
+
++maybe_add_scp_path_to_sshd
++
+ SRC=`dirname ${SCRIPT}`
+ cp ${SRC}/scp-ssh-wrapper.sh ${OBJ}/scp-ssh-wrapper.scp
+ chmod 755 ${OBJ}/scp-ssh-wrapper.scp
+diff --git a/regress/scp3.sh b/regress/scp3.sh
+index 47db47c..dfb2d2f 100644
+--- a/regress/scp3.sh
++++ b/regress/scp3.sh
+@@ -1,9 +1,9 @@
+-# $OpenBSD: scp3.sh,v 1.3 2021/08/10 03:35:45 djm Exp $
++# $OpenBSD: scp3.sh,v 1.4 2023/01/13 04:47:34 dtucker Exp $
+ # Placed in the Public Domain.
+
+ tid="scp3"
+
+-#set -x
++set -x
+
+ COPY2=${OBJ}/copy2
+ DIR=${COPY}.dd
+@@ -15,6 +15,8 @@ if $? -eq 1 ; then
+ skip "No scp on remote path."
+ fi
+
++maybe_add_scp_path_to_sshd
++
+ SRC=`dirname ${SCRIPT}`
+ cp ${SRC}/scp-ssh-wrapper.sh ${OBJ}/scp-ssh-wrapper.scp
+ chmod 755 ${OBJ}/scp-ssh-wrapper.scp
+diff --git a/regress/test-exec.sh b/regress/test-exec.sh
+index 7e311e8..df43f02 100644
+--- a/regress/test-exec.sh
++++ b/regress/test-exec.sh
+@@ -1,4 +1,4 @@
+-# $OpenBSD: test-exec.sh,v 1.92 2022/07/25 07:12:45 dtucker Exp $
++# $OpenBSD: test-exec.sh,v 1.94 2023/01/13 04:47:34 dtucker Exp $
+ # Placed in the Public Domain.
+
+ #SUDO=sudo
+@@ -509,6 +509,18 @@ skip ()
+ exit $RESULT
+ }
+
++maybe_add_scp_path_to_sshd ()
++{
++ # If we're testing a non-installed scp, add its directory to sshd's
++ # PATH so we can test it. We don't do this for all tests as it
++ # breaks the SetEnv tests.
++ case "$SCP" in
++/*) PATH_WITH_SCP="`dirname $SCP`:$PATH"
++ echo " SetEnv PATH='$PATH_WITH_SCP'" >>$OBJ/sshd_config
++ echo " SetEnv PATH='$PATH_WITH_SCP'" >>$OBJ/sshd_proxy ;;
++ esac
++}
++
+ RESULT=0
+ PIDFILE=$OBJ/pidfile
+
+@@ -529,13 +541,6 @@ cat << EOF > $OBJ/sshd_config
+ Subsystem sftp $SFTPSERVER
+ EOF
+
+-# If we're testing a non-installed scp, add its directory to sshd's PATH
+-# so we can test it.
+-case "$SCP" in
+-/*) PATH_WITH_SCP="`dirname $SCP`:$PATH"
+- echo " SetEnv PATH='$PATH_WITH_SCP'" >>$OBJ/sshd_config ;;
+-esac
+-
+ # This may be necessary if /usr/src and/or /usr/obj are group-writable,
+ # but if you aren't careful with permissions then the unit tests could
+ # be abused to locally escalate privileges.
+--
+2.23.0
+
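Review bot: The `regress/scp3.sh` hunk flips `#set -x` to `set -x`, enabling command tracing for the whole script; whether that came from upstream or crept in while backporting, it looks like debugging residue, spams every `ssh`/`scp` invocation with resolved paths into the regress log, and should go back to `#set -x`. `maybe_add_scp_path_to_sshd` now writes `SetEnv PATH='$PATH_WITH_SCP'` into both `sshd_config` and `sshd_proxy`, so the existing privilege-escalation caveat about group-writable object trees further down in test-exec.sh applies to the directory of `$SCP` too and could be referenced from the helper's comment. The helper appends on every call, so a test that invokes it twice would add duplicate `SetEnv` lines; harmless, but a one-line note would prevent surprise.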
_service:tar_scm:backport-upstream-Shell-syntax-fix.-From-ren-mingshuai-vi-git.patch
Added
@@ -0,0 +1,26 @@
+From 923c3f437f439cfca238fba37e97a7041782f615 Mon Sep 17 00:00:00 2001
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Sat, 14 Jan 2023 10:05:54 +0000
+Subject: PATCH upstream: Shell syntax fix. From ren mingshuai vi github
+ PR#369.
+
+OpenBSD-Regress-ID: 6696b2eeefe128099fc3d7ea9f23252cc35156f9
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=923c3f437f439cfca238fba37e97a7041782f615
+---
+diff --git a/regress/yes-head.sh b/regress/yes-head.sh
+index 2759eb8c..1bde504f 100644
+--- a/regress/yes-head.sh
++++ b/regress/yes-head.sh
+@@ -6,7 +6,7 @@ tid="yes pipe head"
+ lines=`${SSH} -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)`
+ if $? -ne 0 ; then
+ fail "yes|head test failed"
+- lines = 0;
+++ lines=0
+ fi
+ if $lines -ne 2000 ; then
+ fail "yes|head returns $lines lines instead of 2000"
+--
+2.27.0
+
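Review bot: As rendered, the replacement line reads `+++ lines=0`, which would mean the stored patch file carries `++ lines=0` and the script gains a line beginning with a literal `+`, which the shell would try to run as a command named `+`; the referenced upstream commit has a single `+` marker, so unless this is a rendering artifact the patch line must be `+	lines=0`. It is worth diffing the stored patch against the upstream commit before it is applied, since a syntax error here turns the yes|head test into a permanent failure rather than the fix it claims to be. The `if $? -ne 0 ; then` context appears with its `[ ]` brackets stripped by the page rendering.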
_service:tar_scm:backport-upstream-The-idiomatic-way-of-coping-with-signed-cha.patch
Added
@@ -0,0 +1,40 @@
+From 5a7a7acab2f466dc1d7467b5d05d35268c3137aa Mon Sep 17 00:00:00 2001
+From: "deraadt@openbsd.org" <deraadt@openbsd.org>
+Date: Thu, 15 Dec 2022 18:20:39 +0000
+Subject: PATCH upstream: The idiomatic way of coping with signed char vs
+ unsigned
+
+char (which did not come from stdio read functions) in the presence of
+ctype macros, is to always cast to (unsigned char). casting to (int)
+for a "macro" which is documented to take int, is weird. And sadly wrong,
+because of the sing extension risk.. same diff from florian
+
+OpenBSD-Commit-ID: 65b9a49a68e22ff3a0ebd593f363e9f22dd73fea
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=5a7a7acab2f466dc1d7467b5d05d35268c3137aa
+---
+ misc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/misc.c b/misc.c
+index 977c097e..41244da9 100644
+--- a/misc.c
++++ b/misc.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: misc.c,v 1.177 2022/08/11 01:56:51 djm Exp $ */
++/* $OpenBSD: misc.c,v 1.179 2022/12/15 18:20:39 deraadt Exp $ */
+ /*
+ * Copyright (c) 2000 Markus Friedl. All rights reserved.
+ * Copyright (c) 2005-2020 Damien Miller. All rights reserved.
+@@ -95,7 +95,7 @@ rtrim(char *s)
+ if ((i = strlen(s)) == 0)
+ return;
+ for (i--; i > 0; i--) {
+- if (isspace((int)si))
++ if (isspace((unsigned char)si))
+ si = '\0';
+ }
+ }
+--
+2.27.0
+
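Review bot: The `(unsigned char)` cast is the correct fix, but the loop it sits in never stops at the first non-space character: `for (i--; i > 0; i--)` visits every index down to 1 and NULs any whitespace it meets, so `rtrim("a b ")` would become `"a"` rather than `"a b"`, and index 0 is never examined at all. That is pre-existing rather than introduced here and may be harmless for the strings its callers pass (those callers are outside the hunk), but if the function is meant as a general right-trim it wants `else break;` after the `si = '\0';` assignment, and otherwise a comment stating the single-token assumption. `si` is `s[i]` with the brackets lost in rendering.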
_service:tar_scm:backport-upstream-When-OpenSSL-is-not-available-skip-parts-of.patch
Added
@@ -0,0 +1,51 @@
+From d77fc611a62f2dfee0b654c31a50a814b13310dd Mon Sep 17 00:00:00 2001
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Fri, 6 Jan 2023 12:33:33 +0000
+Subject: PATCH upstream: When OpenSSL is not available, skip parts of
+ percent test
+
+that require it. Based on github pr#368 from ren mingshuai.
+
+OpenBSD-Regress-ID: 49a375b2cf61ccb95b52e75e2e025cd10988ebb2
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=d77fc611a62f2dfee0b654c31a50a814b13310dd
+---
+ regress/percent.sh | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/regress/percent.sh b/regress/percent.sh
+index bb81779a..ed5c604d 100644
+--- a/regress/percent.sh
++++ b/regress/percent.sh
+@@ -79,10 +79,12 @@ for i in matchexec localcommand remotecommand controlpath identityagent \
+ trial $i '%T' NONE
+ fi
+ # Matches implementation in readconf.c:ssh_connection_hash()
+- HASH=`printf "${HOSTNAME}127.0.0.1${PORT}$REMUSER" |
+- $OPENSSL_BIN sha1 | cut -f2 -d' '`
++ if ! -z "${OPENSSL_BIN}" ; then
++ HASH=`printf "${HOSTNAME}127.0.0.1${PORT}$REMUSER" |
++ $OPENSSL_BIN sha1 | cut -f2 -d' '`
++ trial $i '%C' $HASH
++ fi
+ trial $i '%%' '%'
+- trial $i '%C' $HASH
+ trial $i '%i' $USERID
+ trial $i '%h' 127.0.0.1
+ trial $i '%L' $HOST
+@@ -96,8 +98,10 @@ for i in matchexec localcommand remotecommand controlpath identityagent \
+ # containing %d for UserKnownHostsFile
+ if "$i" != "userknownhostsfile" ; then
+ trial $i '%d' $HOME
+- trial $i '%%/%C/%i/%h/%d/%L/%l/%n/%p/%r/%u' \
+- "%/$HASH/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER"
++ if ! -z "${HASH}" ; then
++ trial $i '%%/%C/%i/%h/%d/%L/%l/%n/%p/%r/%u' \
++ "%/$HASH/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER"
++ fi
+ fi
+ done
+
+--
+2.27.0
+
_service:tar_scm:backport-upstream-avoid-printf-s-NULL-if-using-ssh.patch
Added
@@ -0,0 +1,42 @@
+From f673b49f3be3eb51074fbb8a405beb6cd0f7d93e Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 13 Jan 2023 02:44:02 +0000
+Subject: PATCH upstream: avoid printf("%s", NULL) if using ssh
+
+-oUserKnownHostsFile=none and a hostkey in one of the system known hosts file
+changes; ok dtucker@
+
+OpenBSD-Commit-ID: 7ca87614bfc6da491315536a7f2301434a9fe614
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=f673b49f3be3eb51074fbb8a405beb6cd0f7d93e
+---
+ sshconnect.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/sshconnect.c b/sshconnect.c
+index 0fca52b2..792bc34b 100644
+--- a/sshconnect.c
++++ b/sshconnect.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: sshconnect.c,v 1.358 2022/08/26 08:16:27 djm Exp $ */
++/* $OpenBSD: sshconnect.c,v 1.361 2023/01/13 02:44:02 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -1276,8 +1276,11 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo,
+ }
+ /* The host key has changed. */
+ warn_changed_key(host_key);
+- error("Add correct host key in %.100s to get rid of this message.",
+- user_hostfiles0);
++ if (num_user_hostfiles > 0 || num_system_hostfiles > 0) {
++ error("Add correct host key in %.100s to get rid "
++ "of this message.", num_user_hostfiles > 0 ?
++ user_hostfiles0 : system_hostfiles0);
++ }
+ error("Offending %s key in %s:%lu",
+ sshkey_type(host_found->key),
+ host_found->file, host_found->line);
+--
+2.27.0
+
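Review bot: The guard `num_user_hostfiles > 0 || num_system_hostfiles > 0` fixes the NULL `%s`, but the file chosen for the message deserves a comment, since a reader will ask why a mismatch found in a system file is reported against `user_hostfiles[0]` whenever the user has any known_hosts file at all; e.g. `/* Prefer the user's file, which they can edit; fall back to the system file only with UserKnownHostsFile=none. */`. When only system files exist the advice points at a file that is normally root-owned, so the `Offending ... key in %s:%lu` line that follows is the actionable one for the user, and saying so in the comment would avoid confusion. `user_hostfiles0`/`system_hostfiles0` are `[0]` array accesses with the brackets lost in rendering; `check_host_key()` continues outside the hunk.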
_service:tar_scm:backport-upstream-fix-bug-in-PermitRemoteOpen-which-caused-it.patch
Added
@@ -0,0 +1,113 @@ +From b3daa8dc582348d6ab8150bc1e571b7aa08c5388 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Mon, 2 Jan 2023 07:03:30 +0000 +Subject: PATCH upstream: fix bug in PermitRemoteOpen which caused it +to + ignore its + +first argument unless it was one of the special keywords "any" or +"none". + +Reported by Georges Chaudy in bz3515; ok dtucker@ + +OpenBSD-Commit-ID: c5678a39f1ff79993d5ae3cfac5746a4ae148ea5 +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=b3daa8dc582348d6ab8150bc1e571b7aa08c5388 +--- + readconf.c | 67 +++++++++++++++++++++++++++++------------------------- + 1 file changed, 36 insertions(+), 31 deletions(-) + +diff --git a/readconf.c b/readconf.c +index 284da26..ccac632 100644 +--- a/readconf.c ++++ b/readconf.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: readconf.c,v 1.369 2022/09/17 10:33:18 djm Exp $ */ ++/* $OpenBSD: readconf.c,v 1.371 2023/01/02 07:03:30 djm Exp $ */ + /* + * Author: Tatu Ylonen <ylo@cs.hut.fi> + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland +@@ -1613,45 +1613,50 @@ parse_pubkey_algos: + case oPermitRemoteOpen: + uintptr = &options->num_permitted_remote_opens; + cppptr = &options->permitted_remote_opens; +- arg = argv_next(&ac, &av); +- if (!arg || *arg == '\0') +- fatal("%s line %d: missing %s specification", +- filename, linenum, lookup_opcode_name(opcode)); + uvalue = *uintptr; /* modified later */ +- if (strcmp(arg, "any") == 0 || strcmp(arg, "none") == 0) { +- if (*activep && uvalue == 0) { +- *uintptr = 1; +- *cppptr = xcalloc(1, sizeof(**cppptr)); +- (*cppptr)0 = xstrdup(arg); +- } +- break; +- } ++ i = 0; + while ((arg = argv_next(&ac, &av)) != NULL) { + arg2 = xstrdup(arg); +- p = hpdelim(&arg); +- if (p == NULL) { +- fatal("%s line %d: missing host in %s", +- filename, linenum, +- lookup_opcode_name(opcode)); +- } +- p = cleanhostname(p); +- /* +- * don't want to use permitopen_port to avoid +- * dependency on channels.ch here. 
+- */ +- if (arg == NULL || +- (strcmp(arg, "*") != 0 && a2port(arg) <= 0)) { +- fatal("%s line %d: bad port number in %s", +- filename, linenum, +- lookup_opcode_name(opcode)); +- } +- if (*activep && uvalue == 0) { ++ /* Allow any/none only in first position */ ++ if (strcasecmp(arg, "none") == 0 || ++ strcasecmp(arg, "any") == 0) { ++ if (i > 0 || ac > 0) { ++ error("%s line %d: keyword %s \"%s\" " ++ "argument must appear alone.", ++ filename, linenum, keyword, arg); ++ goto out; ++ } ++ } else { ++ p = hpdelim(&arg); ++ if (p == NULL) { ++ fatal("%s line %d: missing host in %s", ++ filename, linenum, ++ lookup_opcode_name(opcode)); ++ } ++ p = cleanhostname(p); ++ /* ++ * don't want to use permitopen_port to avoid ++ * dependency on channels.ch here. ++ */ ++ if (arg == NULL || (strcmp(arg, "*") != 0 && ++ a2port(arg) <= 0)) { ++ fatal("%s line %d: bad port number " ++ "in %s", filename, linenum, ++ lookup_opcode_name(opcode)); ++ } ++ } ++ ++ if (*activep && uvalue == 0) { + opt_array_append(filename, linenum, + lookup_opcode_name(opcode), + cppptr, uintptr, arg2); + } + free(arg2); ++ i++; + } ++ if (i == 0) ++ fatal("%s line %d: missing %s specification", ++ filename, linenum, lookup_opcode_name(opcode)); + break; + + case oClearAllForwardings: +-- +2.23.0 +
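Review bot: `arg2 = xstrdup(arg)` is taken at the top of the loop, but the new any/none-must-appear-alone error path does `goto out` before reaching the `free(arg2)` at the bottom of the loop, so the copy leaks on that path (the fatal() branches exit the process and are fine). Add `free(arg2);` directly before `goto out;`. The `case oPermitRemoteOpen:` body is complete here, but the enclosing switch and process_config_line() begin and end outside the hunk, so I cannot confirm what `out:` releases.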
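--- /dev/null
+++ b/_service:tar_scm:backport-upstream-honour-user-s-umask-if-it-is-more-restricti.patch
@@ -0,0 +1,37 @@
+From 5ee2b8ccfcf4b606f450eb0ff2305e311f68b0be Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Thu, 6 Oct 2022 22:42:37 +0000
+Subject: PATCH upstream: honour user's umask if it is more restrictive then
+ the ssh
+
+default (022); based on patch from Alex Henrie, ok dtucker@ deraadt@
+
+OpenBSD-Commit-ID: fe1b9e15fc9a4f49fc338e848ce14d8727abe82d
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=5ee2b8ccfcf4b606f450eb0ff2305e311f68b0be
+---
+ ssh.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ssh.c b/ssh.c
+index 25be53d5..e711dbd2 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh.c,v 1.576 2022/09/17 10:33:18 djm Exp $ */
++/* $OpenBSD: ssh.c,v 1.577 2022/10/06 22:42:37 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -679,7 +679,7 @@ main(int ac, char **av)
+ * writable only by the owner, which is ok for all files for which we
+ * don't set the modes explicitly.
+ */
+- umask(022);
++ umask(022 | umask(077));
+
+ msetlocale();
+
+-- 
+2.27.0
+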
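Review bot: `umask(022 | umask(077))` reads like a typo unless the reader knows that umask() has no query-only form: the inner call installs 077 just to obtain the inherited mask, and the outer call replaces it with that mask OR'd with 022. A comment on the line would save the next person the detour, e.g. `/* umask() can only be read by setting it: fetch the inherited mask via the inner call, then reinstall it tightened to at least 022 */`. The comment block just above still describes the result as "writable only by the owner", which remains true but is now a lower bound, and could add that a stricter inherited mask is honoured. main() continues outside the hunk.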
_service:tar_scm:backport-upstream-regression-test-for-PermitRemoteOpen.patch
Added
@@ -0,0 +1,138 @@ +From 845ceecea2ac311b0c267f9ecbd34862e1876fc6 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Mon, 2 Jan 2023 07:03:57 +0000 +Subject: PATCH upstream: regression test for PermitRemoteOpen + +OpenBSD-Regress-ID: 8271aafbf5c21950cd5bf966f08e585cebfe630c +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=845ceecea2ac311b0c267f9ecbd34862e1876fc6 +--- + regress/dynamic-forward.sh | 84 ++++++++++++++++++++++++++++++-------- + 1 file changed, 66 insertions(+), 18 deletions(-) + +diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh +index 84f8ee19..f6c2393d 100644 +--- a/regress/dynamic-forward.sh ++++ b/regress/dynamic-forward.sh +@@ -1,10 +1,12 @@ +-# $OpenBSD: dynamic-forward.sh,v 1.13 2017/09/21 19:18:12 markus Exp $ ++# $OpenBSD: dynamic-forward.sh,v 1.14 2023/01/02 07:03:57 djm Exp $ + # Placed in the Public Domain. + + tid="dynamic forwarding" + + FWDPORT=`expr $PORT + 1` + ++cp $OBJ/ssh_config $OBJ/ssh_config.orig ++ + if have_prog nc && nc -h 2>&1 | grep "proxy address" >/dev/null; then + proxycmd="nc -x 127.0.0.1:$FWDPORT -X" + elif have_prog connect; then +@@ -15,16 +17,16 @@ else + fi + trace "will use ProxyCommand $proxycmd" + +-start_sshd +- +-for d in D R; do ++start_ssh() { ++ direction="$1" ++ arg="$2" + n=0 + error="1" +- trace "start dynamic forwarding, fork to background" +- ++ trace "start dynamic -$direction forwarding, fork to background" ++ (cat $OBJ/ssh_config.orig ; echo "$arg") > $OBJ/ssh_config + while "$error" -ne 0 -a "$n" -lt 3 ; do + n=`expr $n + 1` +- ${SSH} -F $OBJ/ssh_config -f -$d $FWDPORT -q \ ++ ${SSH} -F $OBJ/ssh_config -f -$direction $FWDPORT -q \ + -oExitOnForwardFailure=yes somehost exec sh -c \ + \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\' + error=$? 
+@@ -36,18 +38,9 @@ for d in D R; do + if "$error" -ne 0 ; then + fatal "failed to start dynamic forwarding" + fi ++} + +- for s in 4 5; do +- for h in 127.0.0.1 localhost; do +- trace "testing ssh socks version $s host $h (-$d)" +- ${SSH} -F $OBJ/ssh_config \ +- -o "ProxyCommand ${proxycmd}${s} $h $PORT" \ +- somehost cat ${DATA} > ${COPY} +- test -f ${COPY} || fail "failed copy ${DATA}" +- cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" +- done +- done +- ++stop_ssh() { + if -f $OBJ/remote_pid ; then + remote=`cat $OBJ/remote_pid` + trace "terminate remote shell, pid $remote" +@@ -57,5 +50,60 @@ for d in D R; do + else + fail "no pid file: $OBJ/remote_pid" + fi ++} ++ ++check_socks() { ++ direction=$1 ++ expect_success=$2 ++ for s in 4 5; do ++ for h in 127.0.0.1 localhost; do ++ trace "testing ssh socks version $s host $h (-$direction)" ++ ${SSH} -F $OBJ/ssh_config \ ++ -o "ProxyCommand ${proxycmd}${s} $h $PORT 2>/dev/null" \ ++ somehost cat ${DATA} > ${COPY} ++ r=$? ++ if "x$expect_success" = "xY" ; then ++ if $r -ne 0 ; then ++ fail "ssh failed with exit status $r" ++ fi ++ test -f ${COPY} || fail "failed copy ${DATA}" ++ cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" ++ elif $r -eq 0 ; then ++ fail "ssh unexpectedly succeeded" ++ fi ++ done ++ done ++} ++ ++start_sshd ++ ++for d in D R; do ++ verbose "test -$d forwarding" ++ start_ssh $d ++ check_socks $d Y ++ stop_ssh ++ test "x$d" = "xR" || continue ++ ++ # Test PermitRemoteOpen ++ verbose "PermitRemoteOpen=any" ++ start_ssh $d PermitRemoteOpen=any ++ check_socks $d Y ++ stop_ssh ++ ++ verbose "PermitRemoteOpen=none" ++ start_ssh $d PermitRemoteOpen=none ++ check_socks $d N ++ stop_ssh ++ ++ verbose "PermitRemoteOpen=explicit" ++ start_ssh $d \ ++ PermitRemoteOpen="127.0.0.1:$PORT ::1:$PORT localhost:$PORT" ++ check_socks $d Y ++ stop_ssh + ++ verbose "PermitRemoteOpen=disallowed" ++ start_ssh $d \ ++ PermitRemoteOpen="127.0.0.1:1 ::1:1 localhost:1" ++ check_socks $d N ++ stop_ssh + done 
+-- +2.27.0 +
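Review bot: In check_socks the negative case (`expect_success` = N) only asserts that ssh exited non-zero, so an unavailable proxy program or any unrelated connection failure would make the PermitRemoteOpen=none and =disallowed runs pass vacuously rather than proving the forward was refused; consider also checking that `${COPY}` is empty and that the refusal is visible in the sshd log. The `2>/dev/null` moved into the ProxyCommand string also hides the proxy's own diagnostics, which is exactly what you would want to see when the negative case passes for the wrong reason. start_ssh rewrites `$OBJ/ssh_config` from `.orig` on every call and the loop never restores it, which is fine only if test-exec.sh regenerates that file per test. start_ssh, stop_ssh and check_socks are complete within the hunk.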
_service:tar_scm:backport-upstream-test-compat_kex_proposal-by-dtucker.patch
Added
@@ -0,0 +1,125 @@ +From 903c556b938fff2d7bff8da2cc460254430963c5 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Thu, 2 Feb 2023 12:12:52 +0000 +Subject: PATCH upstream: test compat_kex_proposal(); by dtucker@ + +OpenBSD-Regress-ID: 0e404ee264db546f9fdbf53390689ab5f8d38bf2 + +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=903c556b938fff2d7bff8da2cc460254430963c5 +--- + regress/unittests/kex/test_proposal.c | 79 +++++++++++++++++++++++++++ + regress/unittests/kex/tests.c | 4 +- + 2 files changed, 82 insertions(+), 1 deletion(-) + create mode 100644 regress/unittests/kex/test_proposal.c + +diff --git a/regress/unittests/kex/test_proposal.c b/regress/unittests/kex/test_proposal.c +new file mode 100644 +index 0000000..b89ff59 +--- /dev/null ++++ b/regress/unittests/kex/test_proposal.c +@@ -0,0 +1,79 @@ ++/* $OpenBSD: test_proposal.c,v 1.1 2023/02/02 12:12:52 djm Exp $ */ ++/* ++ * Regress test KEX ++ * ++ * Placed in the public domain ++ */ ++ ++#include <sys/types.h> ++#include <signal.h> ++#include <stdio.h> ++#include <stdint.h> ++#include <stdlib.h> ++#include <string.h> ++ ++#include "test_helper.h" ++ ++#include "compat.h" ++#include "ssherr.h" ++#include "sshbuf.h" ++#include "kex.h" ++#include "packet.h" ++#include "xmalloc.h" ++ ++void kex_proposal(void); ++ ++#define CURVE25519 "curve25519-sha256@libssh.org" ++#define DHGEX1 "diffie-hellman-group-exchange-sha1" ++#define DHGEX256 "diffie-hellman-group-exchange-sha256" ++#define KEXALGOS CURVE25519","DHGEX256","DHGEX1 ++void ++kex_proposal(void) ++{ ++ size_t i; ++ struct ssh ssh; ++ char *result, *out, *in; ++ struct { ++ char *in; /* TODO: make this const */ ++ char *out; ++ int compat; ++ } tests = { ++ { KEXALGOS, KEXALGOS, 0}, ++ { KEXALGOS, DHGEX256","DHGEX1, SSH_BUG_CURVE25519PAD }, ++ { KEXALGOS, CURVE25519, SSH_OLD_DHGEX }, ++ { "a,"KEXALGOS, "a", SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX }, ++ /* TODO: enable once compat_kex_proposal doesn't fatal() */ 
++ /* { KEXALGOS, "", SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX }, */ ++ }; ++ ++ TEST_START("compat_kex_proposal"); ++ for (i = 0; i < sizeof(tests) / sizeof(*tests); i++) { ++ ssh.compat = testsi.compat; ++ /* match entire string */ ++ result = compat_kex_proposal(&ssh, testsi.in); ++ ASSERT_STRING_EQ(result, testsi.out); ++ free(result); ++ /* match at end */ ++ in = kex_names_cat("a", testsi.in); ++ out = kex_names_cat("a", testsi.out); ++ result = compat_kex_proposal(&ssh, in); ++ ASSERT_STRING_EQ(result, out); ++ free(result); free(in); free(out); ++ /* match at start */ ++ in = kex_names_cat(testsi.in, "a"); ++ out = kex_names_cat(testsi.out, "a"); ++ result = compat_kex_proposal(&ssh, in); ++ ASSERT_STRING_EQ(result, out); ++ free(result); free(in); free(out); ++ /* match in middle */ ++ xasprintf(&in, "a,%s,b", testsi.in); ++ if (*(testsi.out) == '\0') ++ out = xstrdup("a,b"); ++ else ++ xasprintf(&out, "a,%s,b", testsi.out); ++ result = compat_kex_proposal(&ssh, in); ++ ASSERT_STRING_EQ(result, out); ++ free(result); free(in); free(out); ++ } ++ TEST_DONE(); ++} +diff --git a/regress/unittests/kex/tests.c b/regress/unittests/kex/tests.c +index e7036ec..2a83daf 100644 +--- a/regress/unittests/kex/tests.c ++++ b/regress/unittests/kex/tests.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: tests.c,v 1.1 2015/01/15 23:41:29 markus Exp $ */ ++/* $OpenBSD: tests.c,v 1.2 2023/02/02 12:12:52 djm Exp $ */ + /* + * Placed in the public domain + */ +@@ -6,9 +6,11 @@ + #include "../test_helper/test_helper.h" + + void kex_tests(void); ++void kex_proposal(void); + + void + tests(void) + { + kex_tests(); ++ kex_proposal(); + } +-- +2.27.0 +
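Review bot: `struct ssh ssh;` in kex_proposal() is left uninitialized and only `ssh.compat` is assigned per iteration, so any other field compat_kex_proposal() might consult would be indeterminate; `struct ssh ssh = {0};` makes the fixture deterministic at no cost. The `/* TODO: make this const */` on the table's `in` member could be resolved in the same commit by declaring `in` and `out` as `const char *`, provided compat_kex_proposal() and kex_names_cat() take `const char *` as their signatures suggest. kex_proposal() is complete within the hunk.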
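--- /dev/null
+++ b/_service:tar_scm:backport-upstream-use-correct-type-with-sizeof-ok-djm.patch
@@ -0,0 +1,34 @@
+From 18376847b8043ba967eabbe23692ef74c9a3fddc Mon Sep 17 00:00:00 2001
+From: "jsg@openbsd.org" <jsg@openbsd.org>
+Date: Thu, 13 Oct 2022 09:09:28 +0000
+Subject: PATCH upstream: use correct type with sizeof ok djm@
+
+OpenBSD-Commit-ID: d6c882c2e8a42ff831a5b3cbc2c961ecb2dd6143
+Conflict:NA
+Reference:https://anongit.mindrot.org/openssh.git/commit?id=18376847b8043ba967eabbe23692ef74c9a3fddc
+---
+ ssh.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ssh.c b/ssh.c
+index e711dbd2..21cbd7c3 100644
+--- a/ssh.c
++++ b/ssh.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh.c,v 1.577 2022/10/06 22:42:37 djm Exp $ */
++/* $OpenBSD: ssh.c,v 1.578 2022/10/13 09:09:28 jsg Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -1579,7 +1579,7 @@ main(int ac, char **av)
+ if (options.hostbased_authentication) {
+ sensitive_data.nkeys = 10;
+ sensitive_data.keys = xcalloc(sensitive_data.nkeys,
+- sizeof(struct sshkey));
++ sizeof(*sensitive_data.keys));
+
+ /* XXX check errors? */
+ #define L_PUBKEY(p,o) do { \
+-- 
+2.27.0
+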
_service:tar_scm:backport-upstream-when-restoring-non-blocking-mode-to-stdio-f.patch
Added
@@ -0,0 +1,92 @@ +From 35253af01d8c0ab444c8377402121816e71c71f5 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" <djm@openbsd.org> +Date: Wed, 18 Jan 2023 02:00:10 +0000 +Subject: PATCH upstream: when restoring non-blocking mode to stdio +fds, + restore + +exactly the flags that ssh started with and don't just clobber them with +zero, as this could also remove the append flag from the set; + +bz3523; ok dtucker@ + +OpenBSD-Commit-ID: 1336b03e881db7564a4b66014eb24c5230e9a0c0 +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=35253af01d8c0ab444c8377402121816e71c71f5 +--- + channels.c | 19 ++++++++++++++----- + channels.h | 3 ++- + 2 files changed, 16 insertions(+), 6 deletions(-) + +diff --git a/channels.c b/channels.c +index ea4d8da..cee4d2c 100644 +--- a/channels.c ++++ b/channels.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: channels.c,v 1.420 2022/09/19 08:49:50 djm Exp $ */ ++/* $OpenBSD: channels.c,v 1.427 2023/01/18 02:00:10 djm Exp $ */ + /* + * Author: Tatu Ylonen <ylo@cs.hut.fi> + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland +@@ -337,16 +337,19 @@ channel_register_fds(struct ssh *ssh, Channel *c, int rfd, int wfd, int efd, + */ + if (rfd != -1 && !isatty(rfd) && + (val = fcntl(rfd, F_GETFL)) != -1 && !(val & O_NONBLOCK)) { ++ c->restore_flags0 = val; + c->restore_block |= CHANNEL_RESTORE_RFD; + set_nonblock(rfd); + } + if (wfd != -1 && !isatty(wfd) && + (val = fcntl(wfd, F_GETFL)) != -1 && !(val & O_NONBLOCK)) { ++ c->restore_flags1 = val; + c->restore_block |= CHANNEL_RESTORE_WFD; + set_nonblock(wfd); + } + if (efd != -1 && !isatty(efd) && + (val = fcntl(efd, F_GETFL)) != -1 && !(val & O_NONBLOCK)) { ++ c->restore_flags2 = val; + c->restore_block |= CHANNEL_RESTORE_EFD; + set_nonblock(efd); + } +@@ -428,10 +431,16 @@ channel_close_fd(struct ssh *ssh, Channel *c, int *fdp) + if (fd == -1) + return 0; + +- if ((*fdp == c->rfd && (c->restore_block & CHANNEL_RESTORE_RFD) != 0) || +- (*fdp == c->wfd && (c->restore_block & 
CHANNEL_RESTORE_WFD) != 0) || +- (*fdp == c->efd && (c->restore_block & CHANNEL_RESTORE_EFD) != 0)) +- (void)fcntl(*fdp, F_SETFL, 0); /* restore blocking */ ++ /* restore blocking */ ++ if (*fdp == c->rfd && ++ (c->restore_block & CHANNEL_RESTORE_RFD) != 0) ++ (void)fcntl(*fdp, F_SETFL, c->restore_flags0); ++ else if (*fdp == c->wfd && ++ (c->restore_block & CHANNEL_RESTORE_WFD) != 0) ++ (void)fcntl(*fdp, F_SETFL, c->restore_flags1); ++ else if (*fdp == c->efd && ++ (c->restore_block & CHANNEL_RESTORE_EFD) != 0) ++ (void)fcntl(*fdp, F_SETFL, c->restore_flags2); + + if (*fdp == c->rfd) { + c->io_want &= ~SSH_CHAN_IO_RFD; +diff --git a/channels.h b/channels.h +index 7d8a83e..9b1b11e 100644 +--- a/channels.h ++++ b/channels.h +@@ -1,4 +1,4 @@ +-/* $OpenBSD: channels.h,v 1.143 2022/05/05 00:56:58 djm Exp $ */ ++/* $OpenBSD: channels.h,v 1.148 2023/01/18 02:00:10 djm Exp $ */ + + /* + * Author: Tatu Ylonen <ylo@cs.hut.fi> +@@ -153,6 +153,7 @@ struct Channel { + * this way post-IO handlers are not + * accidentally called if a FD gets reused */ + int restore_block; /* fd mask to restore blocking status */ ++ int restore_flags3; /* flags to restore */ + struct sshbuf *input; /* data read from socket, to be sent over + * encrypted connection */ + struct sshbuf *output; /* data received over encrypted connection for +-- +2.23.0 +
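Review bot: The new `int restore_flags[3]` member in channels.h is described only as "flags to restore", and the meaning of its three slots exists solely in the channels.c hunk where channel_register_fds() fills them for rfd, wfd and efd in that order; the header comment should carry that contract, e.g. `/* F_GETFL flags to reinstate on close: [0] rfd, [1] wfd, [2] efd */`. It would also be worth stating there that a slot is only meaningful when the matching CHANNEL_RESTORE_* bit is set in `restore_block`, since channel_close_fd() relies on exactly that pairing. Both channel_register_fds() and channel_close_fd() start and end outside the hunks shown.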
_service:tar_scm:bugfix-openssh-6.6p1-log-usepam-no.patch
Deleted
@@ -1,42 +0,0 @@ -From 31883f21eff4265b68bb36f67b254adb524db6ae Mon Sep 17 00:00:00 2001 -From: guoxiaoqi <guoxiaoqi2@huawei.com> -Date: Thu, 16 Apr 2020 14:51:44 +0800 -Subject: PATCH bugfix-openssh-6.6p1-log-usepam-no - ---- - sshd.c | 4 ++-- - sshd_config | 2 +- - 2 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/sshd.c b/sshd.c -index c6c03ae..c291a5e 100644 ---- a/sshd.c -+++ b/sshd.c -@@ -1812,9 +1812,9 @@ main(int ac, char **av) - parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name, - cfg, &includes, NULL); - -- /* 'UsePAM no' is not supported in Fedora */ -+ /* 'UsePAM no' is not supported in openEuler */ - if (! options.use_pam) -- logit("WARNING: 'UsePAM no' is not supported in Fedora and may cause several problems."); -+ logit("WARNING: 'UsePAM no' is not supported in openEuler and may cause several problems."); - - #ifdef WITH_OPENSSL - if (options.moduli_file != NULL) -diff --git a/sshd_config b/sshd_config -index e125992..ebc28b3 100644 ---- a/sshd_config -+++ b/sshd_config -@@ -87,7 +87,7 @@ AuthorizedKeysFile .ssh/authorized_keys - # If you just want the PAM account and session checks to run without - # PAM authentication, then enable this but set PasswordAuthentication - # and KbdInteractiveAuthentication to 'no'. --# WARNING: 'UsePAM no' is not supported in Fedora and may cause several -+# WARNING: 'UsePAM no' is not supported in openEuler and may cause several - # problems. - #UsePAM no - --- -2.23.0 -
_service:tar_scm:openssh-6.3p1-ctr-evp-fast.patch
Deleted
@@ -1,101 +0,0 @@ -diff -up openssh-5.9p1/cipher-ctr.c.ctr-evp openssh-5.9p1/cipher-ctr.c ---- openssh-5.9p1/cipher-ctr.c.ctr-evp 2012-01-11 09:24:06.000000000 +0100 -+++ openssh-5.9p1/cipher-ctr.c 2012-01-11 15:54:04.675956600 +0100 -@@ -38,7 +38,7 @@ void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, in - - struct ssh_aes_ctr_ctx - { -- AES_KEY aes_ctx; -+ EVP_CIPHER_CTX ecbctx; - u_char aes_counterAES_BLOCK_SIZE; - }; - -@@ -63,21 +63,42 @@ ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char - { - struct ssh_aes_ctr_ctx *c; - size_t n = 0; -- u_char bufAES_BLOCK_SIZE; -+ u_char ctrbufAES_BLOCK_SIZE*256; -+ u_char bufAES_BLOCK_SIZE*256; - - if (len == 0) - return (1); - if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) - return (0); - -- while ((len--) > 0) { -+ for (; len > 0; len -= sizeof(u_int)) { -+ u_int r,a,b; -+ - if (n == 0) { -- AES_encrypt(c->aes_counter, buf, &c->aes_ctx); -- ssh_ctr_inc(c->aes_counter, AES_BLOCK_SIZE); -+ int outl, i, buflen; -+ -+ buflen = MIN(len, sizeof(ctrbuf)); -+ -+ for(i = 0; i < buflen; i += AES_BLOCK_SIZE) { -+ memcpy(&ctrbufi, c->aes_counter, AES_BLOCK_SIZE); -+ ssh_ctr_inc(c->aes_counter, AES_BLOCK_SIZE); -+ } -+ -+ EVP_EncryptUpdate(&c->ecbctx, buf, &outl, -+ ctrbuf, buflen); - } -- *(dest++) = *(src++) ^ bufn; -- n = (n + 1) % AES_BLOCK_SIZE; -+ -+ memcpy(&a, src, sizeof(a)); -+ memcpy(&b, &bufn, sizeof(b)); -+ r = a ^ b; -+ memcpy(dest, &r, sizeof(r)); -+ src += sizeof(a); -+ dest += sizeof(r); -+ -+ n = (n + sizeof(b)) % sizeof(buf); - } -+ memset(ctrbuf, '\0', sizeof(ctrbuf)); -+ memset(buf, '\0', sizeof(buf)); - return (1); - } - -@@ -91,9 +112,28 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, co - c = xmalloc(sizeof(*c)); - EVP_CIPHER_CTX_set_app_data(ctx, c); - } -- if (key != NULL) -- AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8, -- &c->aes_ctx); -+ -+ EVP_CIPHER_CTX_init(&c->ecbctx); -+ -+ if (key != NULL) { -+ const EVP_CIPHER *cipher; -+ switch(EVP_CIPHER_CTX_key_length(ctx)*8) { -+ case 128: -+ cipher = EVP_aes_128_ecb(); 
-+ break; -+ case 192: -+ cipher = EVP_aes_192_ecb(); -+ break; -+ case 256: -+ cipher = EVP_aes_256_ecb(); -+ break; -+ default: -+ fatal("ssh_aes_ctr_init: wrong aes key length"); -+ } -+ if(!EVP_EncryptInit_ex(&c->ecbctx, cipher, NULL, key, NULL)) -+ fatal("ssh_aes_ctr_init: cannot initialize aes encryption"); -+ EVP_CIPHER_CTX_set_padding(&c->ecbctx, 0); -+ } - if (iv != NULL) - memcpy(c->aes_counter, iv, AES_BLOCK_SIZE); - return (1); -@@ -105,6 +145,7 @@ ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx) - struct ssh_aes_ctr_ctx *c; - - if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) { -+ EVP_CIPHER_CTX_cleanup(&c->ecbctx); - memset(c, 0, sizeof(*c)); - free(c); - EVP_CIPHER_CTX_set_app_data(ctx, NULL);
_service:tar_scm:openssh-6.6p1-keyperm.patch
Deleted
@@ -1,31 +0,0 @@ -diff -up openssh-8.2p1/authfile.c.keyperm openssh-8.2p1/authfile.c ---- openssh-8.2p1/authfile.c.keyperm 2020-02-14 01:40:54.000000000 +0100 -+++ openssh-8.2p1/authfile.c 2020-02-17 11:55:12.841729758 +0100 -@@ -31,6 +31,7 @@ - - #include <errno.h> - #include <fcntl.h> -+#include <grp.h> - #include <stdio.h> - #include <stdarg.h> - #include <stdlib.h> -@@ -101,7 +102,19 @@ sshkey_perm_ok(int fd, const char *filen - #ifdef HAVE_CYGWIN - if (check_ntsec(filename)) - #endif -+ - if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) { -+ if (st.st_mode & 040) { -+ struct group *gr; -+ -+ if ((gr = getgrnam("ssh_keys")) && (st.st_gid == gr->gr_gid)) { -+ /* The only additional bit is read -+ * for ssh_keys group, which is fine */ -+ if ((st.st_mode & 077) == 040 ) { -+ return 0; -+ } -+ } -+ } - error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); - error("@ WARNING: UNPROTECTED PRIVATE KEY FILE! @"); - error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
_service:tar_scm:openssh-7.7p1-fips.patch
Deleted
@@ -1,667 +0,0 @@ -Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.7p1-fips.patch -diff -up openssh-8.6p1/dh.c.fips openssh-8.6p1/dh.c ---- openssh-8.6p1/dh.c.fips 2021-04-16 05:55:25.000000000 +0200 -+++ openssh-8.6p1/dh.c 2021-05-06 12:12:10.107634472 +0200 -@@ -36,6 +36,7 @@ - - #include <openssl/bn.h> - #include <openssl/dh.h> -+#include <openssl/fips.h> - - #include "dh.h" - #include "pathnames.h" -@@ -164,6 +164,12 @@ choose_dh(int min, int wantbits, int max - int best, bestcount, which, linenum; - struct dhgroup dhg; - -+ if (FIPS_mode()) { -+ verbose("Using arbitrary primes is not allowed in FIPS mode." -+ " Falling back to known groups."); -+ return (dh_new_group_fallback(max)); -+ } -+ - if ((f = fopen(get_moduli_filename(), "r")) == NULL) { - logit("WARNING: could not open %s (%s), using fixed modulus", - get_moduli_filename(), strerror(errno)); -@@ -502,4 +508,38 @@ dh_estimate(int bits) - return 8192; - } - -+/* -+ * Compares the received DH parameters with known-good groups, -+ * which might be either from group14, group16 or group18. 
-+ */ -+int -+dh_is_known_group(const DH *dh) -+{ -+ const BIGNUM *p, *g; -+ const BIGNUM *known_p, *known_g; -+ DH *known = NULL; -+ int bits = 0, rv = 0; -+ -+ DH_get0_pqg(dh, &p, NULL, &g); -+ bits = BN_num_bits(p); -+ -+ if (bits <= 3072) { -+ known = dh_new_group14(); -+ } else if (bits <= 6144) { -+ known = dh_new_group16(); -+ } else { -+ known = dh_new_group18(); -+ } -+ -+ DH_get0_pqg(known, &known_p, NULL, &known_g); -+ -+ if (BN_cmp(g, known_g) == 0 && -+ BN_cmp(p, known_p) == 0) { -+ rv = 1; -+ } -+ -+ DH_free(known); -+ return rv; -+} -+ - #endif /* WITH_OPENSSL */ -diff -up openssh-8.6p1/dh.h.fips openssh-8.6p1/dh.h ---- openssh-8.6p1/dh.h.fips 2021-05-06 12:08:36.498926877 +0200 -+++ openssh-8.6p1/dh.h 2021-05-06 12:11:28.393298005 +0200 -@@ -45,6 +45,7 @@ DH *dh_new_group_fallback(int); - - int dh_gen_key(DH *, int); - int dh_pub_is_valid(const DH *, const BIGNUM *); -+int dh_is_known_group(const DH *); - - u_int dh_estimate(int); - void dh_set_moduli_file(const char *); -diff -up openssh-8.6p1/kex.c.fips openssh-8.6p1/kex.c ---- openssh-8.6p1/kex.c.fips 2021-05-06 12:08:36.489926807 +0200 -+++ openssh-8.6p1/kex.c 2021-05-06 12:08:36.498926877 +0200 -@@ -39,6 +39,7 @@ - - #ifdef WITH_OPENSSL - #include <openssl/crypto.h> -+#include <openssl/fips.h> - #include <openssl/dh.h> - # ifdef HAVE_EVP_KDF_CTX_NEW_ID - # include <openssl/kdf.h> -@@ -203,7 +203,10 @@ kex_names_valid(const char *names) - for ((p = strsep(&cp, ",")); p && *p != '\0'; - (p = strsep(&cp, ","))) { - if (kex_alg_by_name(p) == NULL) { -- error("Unsupported KEX algorithm \"%.100s\"", p); -+ if (FIPS_mode()) -+ error("\"%.100s\" is not allowed in FIPS mode", p); -+ else -+ error("Unsupported KEX algorithm \"%.100s\"", p); - free(s); - return 0; - } -diff -up openssh-8.6p1/kexgexc.c.fips openssh-8.6p1/kexgexc.c ---- openssh-8.6p1/kexgexc.c.fips 2021-04-16 05:55:25.000000000 +0200 -+++ openssh-8.6p1/kexgexc.c 2021-05-06 12:08:36.498926877 +0200 -@@ -28,6 +28,7 @@ - - #ifdef WITH_OPENSSL 
- -+#include <openssl/fips.h> - #include <sys/types.h> - - #include <openssl/dh.h> -@@ -115,6 +116,10 @@ input_kex_dh_gex_group(int type, u_int32 - r = SSH_ERR_ALLOC_FAIL; - goto out; - } -+ if (FIPS_mode() && dh_is_known_group(kex->dh) == 0) { -+ r = SSH_ERR_INVALID_ARGUMENT; -+ goto out; -+ } - p = g = NULL; /* belong to kex->dh now */ - - /* generate and send 'e', client DH public key */ -diff -up openssh-8.6p1/myproposal.h.fips openssh-8.6p1/myproposal.h ---- openssh-8.6p1/myproposal.h.fips 2021-04-16 05:55:25.000000000 +0200 -+++ openssh-8.6p1/myproposal.h 2021-05-06 12:08:36.498926877 +0200 -@@ -57,6 +57,18 @@ - "rsa-sha2-512," \ - "rsa-sha2-256" - -+#define KEX_FIPS_PK_ALG \ -+ "ecdsa-sha2-nistp256-cert-v01@openssh.com," \ -+ "ecdsa-sha2-nistp384-cert-v01@openssh.com," \ -+ "ecdsa-sha2-nistp521-cert-v01@openssh.com," \ -+ "rsa-sha2-512-cert-v01@openssh.com," \ -+ "rsa-sha2-256-cert-v01@openssh.com," \ -+ "ecdsa-sha2-nistp256," \ -+ "ecdsa-sha2-nistp384," \ -+ "ecdsa-sha2-nistp521," \ -+ "rsa-sha2-512," \ -+ "rsa-sha2-256" -+ - #define KEX_SERVER_ENCRYPT \ - "chacha20-poly1305@openssh.com," \ - "aes128-ctr,aes192-ctr,aes256-ctr," \ -@@ -78,6 +92,27 @@ - - #define KEX_CLIENT_MAC KEX_SERVER_MAC - -+#define KEX_FIPS_ENCRYPT \ -+ "aes128-ctr,aes192-ctr,aes256-ctr," \ -+ "aes128-cbc,3des-cbc," \ -+ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se," \ -+ "aes128-gcm@openssh.com,aes256-gcm@openssh.com" -+#define KEX_DEFAULT_KEX_FIPS \ -+ "ecdh-sha2-nistp256," \ -+ "ecdh-sha2-nistp384," \ -+ "ecdh-sha2-nistp521," \ -+ "diffie-hellman-group-exchange-sha256," \ -+ "diffie-hellman-group16-sha512," \ -+ "diffie-hellman-group18-sha512," \ -+ "diffie-hellman-group14-sha256" -+#define KEX_FIPS_MAC \ -+ "hmac-sha1," \ -+ "hmac-sha2-256," \ -+ "hmac-sha2-512," \ -+ "hmac-sha1-etm@openssh.com," \ -+ "hmac-sha2-256-etm@openssh.com," \ -+ "hmac-sha2-512-etm@openssh.com" -+ - /* Not a KEX value, but here so all the algorithm defaults are together */ - #define 
SSH_ALLOWED_CA_SIGALGS \ - "ssh-ed25519," \ -diff -up openssh-8.6p1/readconf.c.fips openssh-8.6p1/readconf.c ---- openssh-8.6p1/readconf.c.fips 2021-05-06 12:08:36.428926336 +0200 -+++ openssh-8.6p1/readconf.c 2021-05-06 12:08:36.499926885 +0200 -@@ -39,6 +39,7 @@ - #include <string.h> - #include <stdarg.h> - #include <unistd.h> -+#include <openssl/fips.h> - #ifdef USE_SYSTEM_GLOB - # include <glob.h> - #else -@@ -2538,11 +2538,16 @@ fill_default_options(Options * options) - all_key = sshkey_alg_list(0, 0, 1, ','); - all_sig = sshkey_alg_list(0, 1, 1, ','); - /* remove unsupported algos from default lists */ -- def_cipher = match_filter_allowlist(KEX_CLIENT_ENCRYPT, all_cipher); -- def_mac = match_filter_allowlist(KEX_CLIENT_MAC, all_mac); -- def_kex = match_filter_allowlist(KEX_CLIENT_KEX, all_kex); -- def_key = match_filter_allowlist(KEX_DEFAULT_PK_ALG, all_key); -- def_sig = match_filter_allowlist(SSH_ALLOWED_CA_SIGALGS, all_sig); -+ def_cipher = match_filter_allowlist((FIPS_mode() ? -+ KEX_FIPS_ENCRYPT : KEX_CLIENT_ENCRYPT), all_cipher); -+ def_mac = match_filter_allowlist((FIPS_mode() ? -+ KEX_FIPS_MAC : KEX_CLIENT_MAC), all_mac); -+ def_kex = match_filter_allowlist((FIPS_mode() ? -+ KEX_DEFAULT_KEX_FIPS : KEX_CLIENT_KEX), all_kex); -+ def_key = match_filter_allowlist((FIPS_mode() ? -+ KEX_FIPS_PK_ALG : KEX_DEFAULT_PK_ALG), all_key); -+ def_sig = match_filter_allowlist((FIPS_mode() ?
_service:tar_scm:skip-tests-for-C-if-there-is-no-openssl-on-local-pat.patch
Deleted
@@ -1,100 +0,0 @@ -From a0772385f1b4086aacdc6d84a3daea4b2ef26f30 Mon Sep 17 00:00:00 2001 -From: chengyechun <chengyechun1@huawei.com> -Date: Thu, 5 Jan 2023 23:43:22 +0800 -Subject: PATCH skip tests for '%C' if there is no openssl on local path - ---- - regress/percent.sh | 24 +++++++++++---- - ...t-if-there-is-no-openssl-on-local-pa.patch | 30 +++++++++++++++++++ - 2 files changed, 48 insertions(+), 6 deletions(-) - create mode 100644 skip-percent-test-if-there-is-no-openssl-on-local-pa.patch - -diff --git a/regress/percent.sh b/regress/percent.sh -index 7ed4184..9c112eb 100644 ---- a/regress/percent.sh -+++ b/regress/percent.sh -@@ -13,6 +13,10 @@ USERID=`id -u` - HOST=`hostname | cut -f1 -d.` - HOSTNAME=`hostname` - -+# Check if there is openssl in local PATH -+NOOPENSSL=0 -+for i in $PATH;do -x "$i/openssl" && NOOPENSSL=1; done -+ - # Localcommand is evaluated after connection because %T is not available - # until then. Because of this we use a different method of exercising it, - # and we can't override the remote user otherwise authentication will fail. 
-@@ -77,11 +81,14 @@ for i in matchexec localcommand remotecommand controlpath identityagent \ - if "$i" = "$localcommand" ; then - trial $i '%T' NONE - fi -- # Matches implementation in readconf.c:ssh_connection_hash() -- HASH=`printf "${HOSTNAME}127.0.0.1${PORT}$REMUSER" | -- $OPENSSL_BIN sha1 | cut -f2 -d' '` -+ # skip tests for '%C' since no openssl in local PATH -+ if $NOOPENSSL -eq 1 ; then -+ # Matches implementation in readconf.c:ssh_connection_hash() -+ HASH=`printf "${HOSTNAME}127.0.0.1${PORT}$REMUSER" | -+ $OPENSSL_BIN sha1 | cut -f2 -d' '` -+ fi - trial $i '%%' '%' -- trial $i '%C' $HASH -+ if $NOOPENSSL -eq 1 ; then trial $i '%C' $HASH; fi - trial $i '%i' $USERID - trial $i '%h' 127.0.0.1 - trial $i '%L' $HOST -@@ -95,8 +102,13 @@ for i in matchexec localcommand remotecommand controlpath identityagent \ - # containing %d for UserKnownHostsFile - if "$i" != "userknownhostsfile" ; then - trial $i '%d' $HOME -- trial $i '%%/%C/%i/%h/%d/%L/%l/%n/%p/%r/%u' \ -- "%/$HASH/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER" -+ if $NOOPENSSL -eq 0 ; then -+ trial $i '%%/%i/%h/%d/%L/%l/%n/%p/%r/%u' \ -+ "%/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER" -+ else -+ trial $i '%%/%C/%i/%h/%d/%L/%l/%n/%p/%r/%u' \ -+ "%/$HASH/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER" -+ fi - fi - done - -diff --git a/skip-percent-test-if-there-is-no-openssl-on-local-pa.patch b/skip-percent-test-if-there-is-no-openssl-on-local-pa.patch -new file mode 100644 -index 0000000..c7af5d9 ---- /dev/null -+++ b/skip-percent-test-if-there-is-no-openssl-on-local-pa.patch -@@ -0,0 +1,30 @@ -+From 1da9e48b41ab6eca157d4fa3b74490510d9006ae Mon Sep 17 00:00:00 2001 -+From: chengyechun <chengyechun1@huawei.com> -+Date: Thu, 5 Jan 2023 23:43:22 +0800 -+Subject: PATCH skip percent test if there is no openssl on local path as -+ scp3 did -+ -+--- -+ regress/percent.sh | 6 ++++++ -+ 1 file changed, 6 insertions(+) -+ -+diff --git 
a/regress/percent.sh b/regress/percent.sh -+index 7ed4184..08afbc8 100644 -+--- a/regress/percent.sh -++++ b/regress/percent.sh -+@@ -8,6 +8,12 @@ if -x "/usr/xpg4/bin/id" ; then -+ export PATH -+ fi -+ -++NOOPENSSL=0 -++for i in $PATH;do -x "$i/openssl" && $OPENSSL=1; done -++if $? -eq 0 ; then -++ skip "No openssl on local path." -++fi -++ -+ USER=`id -u -n` -+ USERID=`id -u` -+ HOST=`hostname | cut -f1 -d.` -+-- -+2.23.0 -+ --- -2.23.0 -