!244 sync from 22.03-lts-sp1

From: @renmingshuai 
Reviewed-by: @robertxw 
Signed-off-by: @robertxw
openeuler-ci-bot 2024-01-11 11:40:21 +00:00 committed by Gitee
commit b8e94bdde6
25 changed files with 1243 additions and 729 deletions


@ -0,0 +1,30 @@
From 6283f4bd83eee714d0f5fc55802eff836b06fea8 Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@dtucker.net>
Date: Sat, 14 Jan 2023 22:02:44 +1100
Subject: [PATCH] Allow writev is seccomp sandbox.
This seems to be used by recent glibcs at least in some configurations.
From bz#3512, ok djm@
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=6283f4bd83eee714d0f5fc55802eff836b06fea8
---
sandbox-seccomp-filter.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index cec43c46..4ab49eb6 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -312,6 +312,9 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR_write
SC_ALLOW(__NR_write),
#endif
+#ifdef __NR_writev
+ SC_ALLOW(__NR_writev),
+#endif
#ifdef __NR_socketcall
SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),
SC_DENY(__NR_socketcall, EACCES),
--
2.27.0
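Review bot: The new `#ifdef __NR_writev` / `SC_ALLOW(__NR_writev)` block in preauth_insns[] records no rationale next to the rule, so the only explanation for widening the preauth sandbox lives in the commit message. A one-line comment above it, `/* recent glibc may issue writev(2) for stdio output (bz#3512) */`, keeps the reason with the policy table where later sandbox audits will look. preauth_insns[] starts and ends outside the hunk.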


@ -1,7 +1,7 @@
From 1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5 Mon Sep 17 00:00:00 2001
From 802a7af111c9ddb438ca4fd8c5cc35534e199fda Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Mon, 18 Dec 2023 14:45:17 +0000
Subject: [PATCH] upstream: implement "strict key exchange" in ssh and sshd
Subject: upstream: implement "strict key exchange" in ssh and sshd
This adds a protocol extension to improve the integrity of the SSH
transport protocol, particular in and around the initial key exchange
@ -13,19 +13,24 @@ with markus@
OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14
Reference:https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5
Conflict:upstream: Fix signature algorithm selection logic for UpdateHostkeys on the server side
Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5
Last-Update: 2023-12-21
Patch-Name: CVE-2023-48795.patch
Reference:https://sources.debian.org/src/openssh/1%3A8.4p1-5%2Bdeb11u3/debian/patches/CVE-2023-48795.patch/
Conflict:NA
---
PROTOCOL | 28 +++++++++++++-
kex.c | 80 +++++++++++++++++++++++++++++----------
kex.h | 3 +-
packet.c | 103 +++++++++++++++++++++++++++++---------------------
packet.h | 3 +-
sshconnect2.c | 13 ++-----
6 files changed, 152 insertions(+), 78 deletions(-)
PROTOCOL | 26 +++++++++++++++++
kex.c | 68 ++++++++++++++++++++++++++++++++-----------
kex.h | 1 +
packet.c | 80 ++++++++++++++++++++++++++++++++++++++-------------
sshconnect2.c | 14 +++------
sshd.c | 8 ++++--
6 files changed, 149 insertions(+), 48 deletions(-)
diff --git a/PROTOCOL b/PROTOCOL
index 3141cda..9f02bb9 100644
index f75c1c0..89bddfe 100644
--- a/PROTOCOL
+++ b/PROTOCOL
@@ -102,6 +102,32 @@ OpenSSH supports the use of ECDH in Curve25519 for key exchange as
@ -61,23 +66,11 @@ index 3141cda..9f02bb9 100644
2. Connection protocol changes
2.1. connection: Channel write close extension "eow@openssh.com"
@@ -575,4 +601,4 @@ OpenSSH's connection multiplexing uses messages as described in
PROTOCOL.mux over a Unix domain socket for communications between a
master instance and later clients.
-$OpenBSD: PROTOCOL,v 1.42 2021/08/09 23:47:44 djm Exp $
+$OpenBSD: PROTOCOL,v 1.50 2023/12/18 14:45:17 djm Exp $
diff --git a/kex.c b/kex.c
index 2afa087..5e437f9 100644
index 7c5f635..77eb7c0 100644
--- a/kex.c
+++ b/kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.178 2023/03/12 10:40:39 dtucker Exp $ */
+/* $OpenBSD: kex.c,v 1.183 2023/12/18 14:45:17 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
*
@@ -73,7 +73,7 @@
@@ -72,7 +72,7 @@
#endif
/* prototype */
@ -86,7 +79,7 @@ index 2afa087..5e437f9 100644
static int kex_input_newkeys(int, u_int32_t, struct ssh *);
static const char *proposal_names[PROPOSAL_MAX] = {
@@ -218,6 +218,18 @@ kex_names_valid(const char *names)
@@ -215,6 +215,18 @@ kex_names_valid(const char *names)
return 1;
}
@ -105,7 +98,7 @@ index 2afa087..5e437f9 100644
/*
* Concatenate algorithm names, avoiding duplicates in the process.
* Caller must free returned string.
@@ -225,7 +237,7 @@ kex_names_valid(const char *names)
@@ -222,7 +234,7 @@ kex_names_valid(const char *names)
char *
kex_names_cat(const char *a, const char *b)
{
@ -114,7 +107,7 @@ index 2afa087..5e437f9 100644
size_t len;
if (a == NULL || *a == '\0')
@@ -242,10 +254,8 @@ kex_names_cat(const char *a, const char *b)
@@ -239,10 +251,8 @@ kex_names_cat(const char *a, const char *b)
}
strlcpy(ret, a, len);
for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) {
@ -126,41 +119,7 @@ index 2afa087..5e437f9 100644
if (strlcat(ret, ",", len) >= len ||
strlcat(ret, p, len) >= len) {
free(tmp);
@@ -375,15 +385,23 @@ kex_proposal_populate_entries(struct ssh *ssh, char *prop[PROPOSAL_MAX],
const char *defpropclient[PROPOSAL_MAX] = { KEX_CLIENT };
const char **defprop = ssh->kex->server ? defpropserver : defpropclient;
u_int i;
+ char *cp;
if (prop == NULL)
fatal_f("proposal missing");
+ /* Append EXT_INFO signalling to KexAlgorithms */
+ if (kexalgos == NULL)
+ kexalgos = defprop[PROPOSAL_KEX_ALGS];
+ if ((cp = kex_names_cat(kexalgos, ssh->kex->server ?
+ "kex-strict-s-v00@openssh.com" :
+ "ext-info-c,kex-strict-c-v00@openssh.com")) == NULL)
+ fatal_f("kex_names_cat");
+
for (i = 0; i < PROPOSAL_MAX; i++) {
switch(i) {
case PROPOSAL_KEX_ALGS:
- prop[i] = compat_kex_proposal(ssh,
- kexalgos ? kexalgos : defprop[i]);
+ prop[i] = compat_kex_proposal(ssh, cp);
break;
case PROPOSAL_ENC_ALGS_CTOS:
case PROPOSAL_ENC_ALGS_STOC:
@@ -404,6 +422,7 @@ kex_proposal_populate_entries(struct ssh *ssh, char *prop[PROPOSAL_MAX],
prop[i] = xstrdup(defprop[i]);
}
}
+ free(cp);
}
void
@@ -531,7 +550,12 @@ kex_protocol_error(int type, u_int32_t seq, struct ssh *ssh)
@@ -474,7 +484,12 @@ kex_protocol_error(int type, u_int32_t seq, struct ssh *ssh)
{
int r;
@ -170,20 +129,23 @@ index 2afa087..5e437f9 100644
+ ssh_packet_disconnect(ssh, "strict KEX violation: "
+ "unexpected packet type %u (seqnr %u)", type, seq);
+ }
+ error_f("type %u seq %u", type, seq);
+ error("%s: type %u seq %u", __func__, type, seq);
if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 ||
(r = sshpkt_put_u32(ssh, seq)) != 0 ||
(r = sshpkt_send(ssh)) != 0)
@@ -606,7 +630,7 @@ kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh)
if (ninfo >= 1024) {
error("SSH2_MSG_EXT_INFO with too many entries, expected "
"<=1024, received %u", ninfo);
- return SSH_ERR_INVALID_FORMAT;
@@ -546,6 +561,11 @@ kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh)
ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error);
if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0)
return r;
+ if (ninfo >= 1024) {
+ error("SSH2_MSG_EXT_INFO with too many entries, expected "
+ "<=1024, received %u", ninfo);
+ return dispatch_protocol_error(type, seq, ssh);
}
+ }
for (i = 0; i < ninfo; i++) {
if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0)
@@ -708,7 +732,7 @@ kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh)
return r;
@@ -646,7 +666,7 @@ kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh)
error_f("no kex");
return SSH_ERR_INTERNAL_ERROR;
}
@ -192,7 +154,7 @@ index 2afa087..5e437f9 100644
ptr = sshpkt_ptr(ssh, &dlen);
if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
return r;
@@ -744,7 +768,7 @@ kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh)
@@ -682,7 +702,7 @@ kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh)
if (!(kex->flags & KEX_INIT_SENT))
if ((r = kex_send_kexinit(ssh)) != 0)
return r;
@ -201,7 +163,7 @@ index 2afa087..5e437f9 100644
return r;
if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL)
@@ -1022,7 +1046,13 @@ proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX])
@@ -960,7 +980,13 @@ proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX])
}
static int
@ -216,7 +178,7 @@ index 2afa087..5e437f9 100644
{
struct kex *kex = ssh->kex;
struct newkeys *newkeys;
@@ -1047,13 +1077,23 @@ kex_choose_conf(struct ssh *ssh)
@@ -985,13 +1011,23 @@ kex_choose_conf(struct ssh *ssh)
sprop=peer;
}
@ -238,7 +200,7 @@ index 2afa087..5e437f9 100644
+ "kex-strict-s-v00@openssh.com");
+ }
+ if (kex->kex_strict) {
+ debug3_f("will use strict KEX ordering");
+ debug3("%s: will use strict KEX ordering", __func__);
+ if (seq != 0)
+ ssh_packet_disconnect(ssh,
+ "strict KEX violation: "
@ -248,16 +210,10 @@ index 2afa087..5e437f9 100644
/* Algorithm Negotiation */
diff --git a/kex.h b/kex.h
index 87ba7c8..1374a8c 100644
index eabae1d..5d3895c 100644
--- a/kex.h
+++ b/kex.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.h,v 1.118 2023/03/06 12:14:48 dtucker Exp $ */
+/* $OpenBSD: kex.h,v 1.120 2023/12/18 14:45:17 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -153,6 +153,7 @@ struct kex {
@@ -155,6 +155,7 @@ struct kex {
u_int kex_type;
char *server_sig_algs;
int ext_info_c;
@ -266,16 +222,10 @@ index 87ba7c8..1374a8c 100644
struct sshbuf *peer;
struct sshbuf *client_version;
diff --git a/packet.c b/packet.c
index 96ff2ac..95c1dd1 100644
index f3231e1..16b87f5 100644
--- a/packet.c
+++ b/packet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.c,v 1.301 2021/07/16 09:00:23 djm Exp $ */
+/* $OpenBSD: packet.c,v 1.313 2023/12/18 14:45:17 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1221,8 +1221,13 @@ ssh_packet_send2_wrapped(struct ssh *ssh)
@@ -1228,8 +1228,13 @@ ssh_packet_send2_wrapped(struct ssh *ssh)
sshbuf_dump(state->output, stderr);
#endif
/* increment sequence number for outgoing packets */
@ -290,19 +240,20 @@ index 96ff2ac..95c1dd1 100644
if (++state->p_send.packets == 0)
if (!(ssh->compat & SSH_BUG_NOREKEY))
return SSH_ERR_NEED_REKEY;
@@ -1230,6 +1235,11 @@ ssh_packet_send2_wrapped(struct ssh *ssh)
@@ -1237,6 +1242,12 @@ ssh_packet_send2_wrapped(struct ssh *ssh)
state->p_send.bytes += len;
sshbuf_reset(state->outgoing_packet);
+ if (type == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) {
+ debug_f("resetting send seqnr %u", state->p_send.seqnr);
+ debug("%s: resetting send seqnr %u", __func__,
+ state->p_send.seqnr);
+ state->p_send.seqnr = 0;
+ }
+
if (type == SSH2_MSG_NEWKEYS)
r = ssh_set_newkeys(ssh, MODE_OUT);
else if (type == SSH2_MSG_USERAUTH_SUCCESS && state->server_side)
@@ -1362,8 +1372,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
@@ -1370,8 +1381,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
/* Stay in the loop until we have received a complete packet. */
for (;;) {
/* Try to read a packet from the buffer. */
@ -312,7 +263,7 @@ index 96ff2ac..95c1dd1 100644
break;
/* If we got a packet, return it. */
if (*typep != SSH_MSG_NONE)
@@ -1650,10 +1636,16 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
@@ -1658,10 +1668,16 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
if ((r = sshbuf_consume(state->input, mac->mac_len)) != 0)
goto out;
}
@ -330,18 +281,19 @@ index 96ff2ac..95c1dd1 100644
if (++state->p_read.packets == 0)
if (!(ssh->compat & SSH_BUG_NOREKEY))
return SSH_ERR_NEED_REKEY;
@@ -1719,6 +1711,10 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
@@ -1727,6 +1743,11 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
#endif
/* reset for next packet */
state->packlen = 0;
+ if (*typep == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) {
+ debug_f("resetting read seqnr %u", state->p_read.seqnr);
+ debug("%s: resetting read seqnr %u", __func__,
+ state->p_read.seqnr);
+ state->p_read.seqnr = 0;
+ }
if ((r = ssh_packet_check_rekey(ssh)) != 0)
return r;
@@ -1739,10 +1735,39 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
@@ -1747,10 +1768,39 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
r = ssh_packet_read_poll2(ssh, typep, seqnr_p);
if (r != 0)
return r;
@ -351,7 +303,7 @@ index 96ff2ac..95c1dd1 100644
+ if (*typep == 0) {
+ /* no message ready */
+ return 0;
}
+ }
+ state->keep_alive_timeouts = 0;
+ DBG(debug("received packet type %d", *typep));
+
@ -369,7 +321,7 @@ index 96ff2ac..95c1dd1 100644
+ ssh_remote_port(ssh), reason, msg);
+ free(msg);
+ return SSH_ERR_DISCONNECTED;
+ }
}
+
+ /*
+ * Do not implicitly handle any messages here during initial
@ -384,7 +336,7 @@ index 96ff2ac..95c1dd1 100644
switch (*typep) {
case SSH2_MSG_IGNORE:
debug3("Received SSH2_MSG_IGNORE");
@@ -1757,19 +1782,6 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
@@ -1765,19 +1815,6 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
debug("Remote: %.900s", msg);
free(msg);
break;
@ -404,7 +356,7 @@ index 96ff2ac..95c1dd1 100644
case SSH2_MSG_UNIMPLEMENTED:
if ((r = sshpkt_get_u32(ssh, &seqnr)) != 0)
return r;
@@ -2288,6 +2300,7 @@ kex_to_blob(struct sshbuf *m, struct kex *kex)
@@ -2321,6 +2358,7 @@ kex_to_blob(struct sshbuf *m, struct kex *kex)
(r = sshbuf_put_u32(m, kex->hostkey_type)) != 0 ||
(r = sshbuf_put_u32(m, kex->hostkey_nid)) != 0 ||
(r = sshbuf_put_u32(m, kex->kex_type)) != 0 ||
@ -412,7 +364,7 @@ index 96ff2ac..95c1dd1 100644
(r = sshbuf_put_stringb(m, kex->my)) != 0 ||
(r = sshbuf_put_stringb(m, kex->peer)) != 0 ||
(r = sshbuf_put_stringb(m, kex->client_version)) != 0 ||
@@ -2450,6 +2463,7 @@ kex_from_blob(struct sshbuf *m, struct kex **kexp)
@@ -2483,6 +2521,7 @@ kex_from_blob(struct sshbuf *m, struct kex **kexp)
(r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_type)) != 0 ||
(r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_nid)) != 0 ||
(r = sshbuf_get_u32(m, &kex->kex_type)) != 0 ||
@ -420,35 +372,29 @@ index 96ff2ac..95c1dd1 100644
(r = sshbuf_get_stringb(m, kex->my)) != 0 ||
(r = sshbuf_get_stringb(m, kex->peer)) != 0 ||
(r = sshbuf_get_stringb(m, kex->client_version)) != 0 ||
@@ -2778,6 +2792,7 @@ sshpkt_disconnect(struct ssh *ssh, const char *fmt,...)
@@ -2810,6 +2849,7 @@ sshpkt_disconnect(struct ssh *ssh, const char *fmt,...)
vsnprintf(buf, sizeof(buf), fmt, args);
va_end(args);
+ debug2_f("sending SSH2_MSG_DISCONNECT: %s", buf);
+ debug2("%s: sending SSH2_MSG_DISCONNECT: %s", __func__, buf);
if ((r = sshpkt_start(ssh, SSH2_MSG_DISCONNECT)) != 0 ||
(r = sshpkt_put_u32(ssh, SSH2_DISCONNECT_PROTOCOL_ERROR)) != 0 ||
(r = sshpkt_put_cstring(ssh, buf)) != 0 ||
diff --git a/packet.h b/packet.h
index b3d4280..047c111 100644
--- a/packet.h
+++ b/packet.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.h,v 1.93 2021/07/16 09:00:23 djm Exp $ */
+/* $OpenBSD: packet.h,v 1.96 2023/12/18 14:45:17 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
diff --git a/sshconnect2.c b/sshconnect2.c
index 9267534..701e02d 100644
index 82846b5..1827f65 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.364 2023/03/06 12:14:48 dtucker Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.370 2023/12/18 14:45:17 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -427,7 +427,6 @@ struct cauthmethod {
@@ -236,7 +236,8 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
fatal_fr(r, "kex_assemble_namelist");
free(all_key);
- if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
+ if ((s = kex_names_cat(options.kex_algorithms,
+ "ext-info-c,kex-strict-c-v00@openssh.com")) == NULL)
fatal_f("kex_names_cat");
myproposal[PROPOSAL_KEX_ALGS] = prop_kex = compat_kex_proposal(ssh, s);
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
@@ -430,7 +431,6 @@ struct cauthmethod {
};
static int input_userauth_service_accept(int, u_int32_t, struct ssh *);
@ -456,7 +402,7 @@ index 9267534..701e02d 100644
static int input_userauth_success(int, u_int32_t, struct ssh *);
static int input_userauth_failure(int, u_int32_t, struct ssh *);
static int input_userauth_banner(int, u_int32_t, struct ssh *);
@@ -548,7 +547,7 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
@@ -554,7 +554,7 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
ssh->authctxt = &authctxt;
ssh_dispatch_init(ssh, &input_userauth_error);
@ -465,7 +411,7 @@ index 9267534..701e02d 100644
ssh_dispatch_set(ssh, SSH2_MSG_SERVICE_ACCEPT, &input_userauth_service_accept);
ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &authctxt.success); /* loop until success */
pubkey_cleanup(ssh);
@@ -604,13 +603,6 @@ input_userauth_service_accept(int type, u_int32_t seq, struct ssh *ssh)
@@ -602,13 +602,6 @@ input_userauth_service_accept(int type, u_int32_t seq, struct ssh *ssh)
return r;
}
@ -479,7 +425,7 @@ index 9267534..701e02d 100644
void
userauth(struct ssh *ssh, char *authlist)
{
@@ -692,6 +684,7 @@ input_userauth_success(int type, u_int32_t seq, struct ssh *ssh)
@@ -690,6 +683,7 @@ input_userauth_success(int type, u_int32_t seq, struct ssh *ssh)
free(authctxt->methoddata);
authctxt->methoddata = NULL;
authctxt->success = 1; /* break out */
@ -487,6 +433,34 @@ index 9267534..701e02d 100644
return 0;
}
diff --git a/sshd.c b/sshd.c
index ed5f075..e544b0c 100644
--- a/sshd.c
+++ b/sshd.c
@@ -2494,10 +2494,13 @@ do_ssh2_kex(struct ssh *ssh)
char *myproposal[PROPOSAL_MAX] = { KEX_SERVER };
struct kex *kex;
char *prop_kex = NULL, *prop_enc = NULL, *prop_hostkey = NULL;
+ char *s;
int r;
- myproposal[PROPOSAL_KEX_ALGS] = prop_kex = compat_kex_proposal(ssh,
- options.kex_algorithms);
+ if ((s = kex_names_cat(options.kex_algorithms,
+ "kex-strict-s-v00@openssh.com")) == NULL)
+ fatal("%s: kex_names_cat", __func__);
+ myproposal[PROPOSAL_KEX_ALGS] = prop_kex = compat_kex_proposal(ssh, s);
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = prop_enc =
compat_cipher_proposal(ssh, options.ciphers);
@@ -2615,6 +2618,7 @@ do_ssh2_kex(struct ssh *ssh)
free(prop_kex);
free(prop_enc);
free(prop_hostkey);
+ free(s);
debug("KEX done");
}
--
2.33.0
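Review bot: In the sshd.c do_ssh2_kex hunk, the new `kex_names_cat(options.kex_algorithms, "kex-strict-s-v00@openssh.com")` call carries no comment saying what the appended pseudo-algorithm is, and the matching client-side line in ssh_kex2 (`"ext-info-c,kex-strict-c-v00@openssh.com"`) is equally silent; a comment such as `/* advertise strict KEX (kex-strict-s-v00@openssh.com) alongside the configured algorithms */` would keep the backport readable next to the PROTOCOL change. `char *s;` is also the only pointer in that declaration group left uninitialised while `prop_kex = NULL` sits beside it; initialising it to NULL costs nothing and keeps the trailing `free(s)` safe on any future early-exit path. Both do_ssh2_kex and ssh_kex2 extend beyond the hunks shown.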


@ -38,7 +38,7 @@ index 35c48e62d..48d93ddf2 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.575 2022/07/01 00:36:30 djm Exp $ */
-/* $OpenBSD: ssh.c,v 1.578 2022/10/13 09:09:28 jsg Exp $ */
+/* $OpenBSD: ssh.c,v 1.599 2023/12/18 14:47:44 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>


@ -0,0 +1,39 @@
From cf1a9852d7fc93e4abc4168aed09529a57427cdc Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@dtucker.net>
Date: Wed, 9 Nov 2022 09:23:47 +1100
Subject: [PATCH] Defer seed_rng until after closefrom call.
seed_rng will initialize OpenSSL, and some engine providers (eg Intel's
QAT) will open descriptors for their own use. bz#3483, patch from
joel.d.schuetze at intel.com, ok djm@
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=cf1a9852d7fc93e4abc4168aed09529a57427cdc
---
sshd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sshd.c b/sshd.c
index b4bb7d65..808d91ef 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1580,8 +1580,6 @@ main(int ac, char **av)
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
- seed_rng();
-
/* Initialize configuration options to their default values. */
initialize_server_options(&options);
@@ -1703,6 +1701,8 @@ main(int ac, char **av)
else
closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
+ seed_rng();
+
/* If requested, redirect the logs to the specified logfile. */
if (logfile != NULL)
log_redirect_stderr_to(logfile);
--
2.27.0
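Review bot: Moving `seed_rng()` from before `initialize_server_options(&options)` to after `closefrom(REEXEC_DEVCRYPTO_RESERVED_FD)` means everything between those two points in main() now runs before the RNG is seeded; if any code in that stretch (option parsing, key loading, re-exec setup, all outside these hunks) draws randomness, it would now do so unseeded, which is worth confirming against the full function. A short comment at the new call site would also stop a future cleanup from moving it back, e.g. `/* seed after closefrom(): OpenSSL engine providers may open descriptors that closefrom() would otherwise close (bz#3483) */`. main() starts and ends outside the hunks shown.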


@ -0,0 +1,51 @@
From 9fe207565b4ab0fe5d1ac5bb85e39188d96fb214 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Thu, 2 Feb 2023 23:17:49 +1100
Subject: [PATCH] adapt compat_kex_proposal() test to portable
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=9fe207565b4ab0fe5d1ac5bb85e39188d96fb214
---
Makefile.in | 1 +
regress/unittests/kex/test_proposal.c | 6 +++++-
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/Makefile.in b/Makefile.in
index 18f6ac9e..c0ebfa04 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -616,6 +616,7 @@ regress/unittests/conversion/test_conversion$(EXEEXT): \
UNITTESTS_TEST_KEX_OBJS=\
regress/unittests/kex/tests.o \
regress/unittests/kex/test_kex.o \
+ regress/unittests/kex/test_proposal.o \
$(SKOBJS)
regress/unittests/kex/test_kex$(EXEEXT): ${UNITTESTS_TEST_KEX_OBJS} \
diff --git a/regress/unittests/kex/test_proposal.c b/regress/unittests/kex/test_proposal.c
index b89ff59b..d6cf0f5d 100644
--- a/regress/unittests/kex/test_proposal.c
+++ b/regress/unittests/kex/test_proposal.c
@@ -5,14 +5,18 @@
* Placed in the public domain
*/
+#include "includes.h"
+
#include <sys/types.h>
#include <signal.h>
#include <stdio.h>
+#ifdef HAVE_STDINT_H
#include <stdint.h>
+#endif
#include <stdlib.h>
#include <string.h>
-#include "test_helper.h"
+#include "../test_helper/test_helper.h"
#include "compat.h"
#include "ssherr.h"
--
2.27.0


@ -0,0 +1,52 @@
From dd1249bd5c45128a908395c61b26996a70f82205 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Sun, 8 Jan 2023 12:08:59 +1100
Subject: [PATCH] don't test IPv6 addresses if platform lacks support
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=dd1249bd5c45128a908395c61b26996a70f82205
---
regress/dynamic-forward.sh | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh
index f6c2393..1bfe05a 100644
--- a/regress/dynamic-forward.sh
+++ b/regress/dynamic-forward.sh
@@ -17,6 +17,11 @@ else
fi
trace "will use ProxyCommand $proxycmd"
+# This is a reasonable proxy for IPv6 support.
+if ! config_defined HAVE_STRUCT_IN6_ADDR ; then
+ SKIP_IPV6=yes
+fi
+
start_ssh() {
direction="$1"
arg="$2"
@@ -96,14 +101,16 @@ for d in D R; do
stop_ssh
verbose "PermitRemoteOpen=explicit"
- start_ssh $d \
- PermitRemoteOpen="127.0.0.1:$PORT [::1]:$PORT localhost:$PORT"
+ permit="127.0.0.1:$PORT [::1]:$PORT localhost:$PORT"
+ test -z "$SKIP_IPV6" || permit="127.0.0.1:$PORT localhost:$PORT"
+ start_ssh $d PermitRemoteOpen="$permit"
check_socks $d Y
stop_ssh
verbose "PermitRemoteOpen=disallowed"
- start_ssh $d \
- PermitRemoteOpen="127.0.0.1:1 [::1]:1 localhost:1"
+ permit="127.0.0.1:1 [::1]:1 localhost:1"
+ test -z "$SKIP_IPV6" || permit="127.0.0.1:1 localhost:1"
+ start_ssh $d PermitRemoteOpen="$permit"
check_socks $d N
stop_ssh
done
--
2.27.0


@ -0,0 +1,37 @@
From 6e6f88647042b3cde54a628545c2f5fb656a9327 Mon Sep 17 00:00:00 2001
From: "dtucker@openbsd.org" <dtucker@openbsd.org>
Date: Fri, 13 Jan 2023 04:23:00 +0000
Subject: [PATCH] upstream: Add scp's path to test sshd's PATH.
If the scp we're testing is fully qualified (eg it's not in the system
PATH) then add its path to the under-test sshd's PATH so we can find
it. Prompted by bz#3518.
OpenBSD-Regress-ID: 7df4f5a0be3aa135495b7e5a6719d3cbc26cc4c0
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=6e6f88647042b3cde54a628545c2f5fb656a9327
---
regress/test-exec.sh | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index c51f8eac..5a6afac5 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -529,6 +529,13 @@ cat << EOF > $OBJ/sshd_config
Subsystem sftp $SFTPSERVER
EOF
+# If we're testing a non-installed scp, add its directory to sshd's PATH
+# so we can test it.
+case "$SCP" in
+/*) PATH_WITH_SCP="`dirname $SCP`:$PATH"
+ echo " SetEnv PATH='$PATH_WITH_SCP'" >>$OBJ/sshd_config ;;
+esac
+
# This may be necessary if /usr/src and/or /usr/obj are group-writable,
# but if you aren't careful with permissions then the unit tests could
# be abused to locally escalate privileges.
--
2.27.0
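Review bot: In the new `case "$SCP" in /*)` arm, `dirname $SCP` expands `$SCP` unquoted and the result is then embedded in a single-quoted `SetEnv PATH='...'` value, so a build directory containing whitespace (or a quote) would yield a malformed sshd_config line. Quoting the inner expansion as `dirname "$SCP"` covers the whitespace case; the value otherwise comes from the test harness's own configuration, so the quote case is unlikely, but the comment could say that the path is assumed shell-clean.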


@ -0,0 +1,53 @@
From 93f2ce8c050a7a2a628646c00b40b9b53fef93ef Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Fri, 16 Dec 2022 06:56:47 +0000
Subject: [PATCH] upstream: Clear signal mask early in main(); sshd may have
been
started with one or more signals masked (sigprocmask(2) is not cleared
on fork/exec) and this could interfere with various things, e.g. the
login grace timer.
Execution environments that fail to clear the signal mask before running
sshd are clearly broken, but apparently they do exist.
Reported by Sreedhar Balasubramanian; ok dtucker@
OpenBSD-Commit-ID: 77078c0b1c53c780269fc0c416f121d05e3010ae
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=93f2ce8c050a7a2a628646c00b40b9b53fef93ef
---
sshd.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/sshd.c b/sshd.c
index 6bb3a962..72525525 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.589 2022/07/01 03:39:44 dtucker Exp $ */
+/* $OpenBSD: sshd.c,v 1.594 2022/12/16 06:56:47 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1546,13 +1546,17 @@ main(int ac, char **av)
int keytype;
Authctxt *authctxt;
struct connection_info *connection_info = NULL;
+ sigset_t sigmask;
#ifdef HAVE_SECUREWARE
(void)set_auth_parameters(ac, av);
#endif
__progname = ssh_get_progname(av[0]);
+ sigemptyset(&sigmask);
+ sigprocmask(SIG_SETMASK, &sigmask, NULL);
+
OpenSSL_add_all_algorithms();
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
saved_argc = ac;
rexec_argc = ac;
--
2.27.0
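Review bot: The new `sigemptyset(&sigmask); sigprocmask(SIG_SETMASK, &sigmask, NULL);` lines in main() carry no comment, so a reader of sshd.c cannot tell why the mask is cleared this early; the reason lives only in the commit message. Suggested comment above them: `/* Clear any signal mask inherited across fork/exec: a mask left set by the parent can interfere with e.g. the login grace timer. */`. The return value of sigprocmask() is ignored; with a valid set and SIG_SETMASK it cannot fail in practice, so that is acceptable, but a `(void)` cast would make the intent explicit. main() continues outside the hunk.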


@ -0,0 +1,32 @@
From 018d671d78145f03d6f07ae9d64d51321da70325 Mon Sep 17 00:00:00 2001
From: "tb@openbsd.org" <tb@openbsd.org>
Date: Wed, 4 Jan 2023 22:48:57 +0000
Subject: [PATCH] upstream: Copy bytes from the_banana[] rather than banana()
Fixes test failure due to segfault seen on arm64 with xonly snap.
ok djm
OpenBSD-Regress-ID: 86e2aa4bbd1dff1bc4ebb2969c0d6474485be046
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=018d671d78145f03d6f07ae9d64d51321da70325
---
regress/unittests/sshkey/test_sshkey.c | 2 +-
1 file changed, 1 insertions(+), 1 deletions(-)
diff --git a/regress/unittests/sshkey/test_sshkey.c b/regress/unittests/sshkey/test_sshkey.c
index 982907ce..cc359aea 100644
--- a/regress/unittests/sshkey/test_sshkey.c
+++ b/regress/unittests/sshkey/test_sshkey.c
@@ -144,7 +144,7 @@ banana(u_char *s, size_t l)
memcpy(s + o, "nanananana", l - o);
break;
}
- memcpy(s + o, banana, sizeof(the_banana));
+ memcpy(s + o, the_banana, sizeof(the_banana));
}
}
--
2.27.0


@ -0,0 +1,48 @@
From 3c379c9a849a635cc7f05cbe49fe473ccf469ef9 Mon Sep 17 00:00:00 2001
From: "dtucker@openbsd.org" <dtucker@openbsd.org>
Date: Thu, 9 Feb 2023 09:54:11 +0000
Subject: [PATCH] upstream: Ensure that there is a terminating newline when
adding a new
entry to known_hosts. bz#3529, with git+openssh at limpsquid.nl, ok deraadt@
markus@
OpenBSD-Commit-ID: fa8d90698da1886570512b96f051e266eac105e0
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=3c379c9a849a635cc7f05cbe49fe473ccf469ef9
---
hostfile.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/hostfile.c b/hostfile.c
index bd49e3ac..f5fa8084 100644
--- a/hostfile.c
+++ b/hostfile.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: hostfile.c,v 1.91 2021/07/05 01:16:46 dtucker Exp $ */
+/* $OpenBSD: hostfile.c,v 1.94 2023/02/09 09:54:11 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -520,9 +520,17 @@ add_host_to_hostfile(const char *filename, const char *host,
if (key == NULL)
return 1; /* XXX ? */
hostfile_create_user_ssh_dir(filename, 0);
- f = fopen(filename, "a");
+ f = fopen(filename, "a+");
if (!f)
return 0;
+ /* Make sure we have a terminating newline. */
+ if (fseek(f, -1L, SEEK_END) == 0 && fgetc(f) != '\n')
+ if (fputc('\n', f) != '\n') {
+ error("Failed to add terminating newline to %s: %s",
+ filename, strerror(errno));
+ fclose(f);
+ return 0;
+ }
success = write_host_entry(f, host, NULL, key, store_hash);
fclose(f);
return success;
--
2.27.0
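Review bot: In add_host_to_hostfile, `fputc('\n', f)` directly follows `fgetc(f)` on a stream opened `"a+"` with no positioning call in between; C only permits input followed by output on an update stream when the input hit end-of-file or an fseek/fflush intervenes, and here fgetc reads the last byte successfully. glibc's append semantics make it work in practice, but an explicit `(void)fseek(f, 0L, SEEK_END);` line inside the branch, before the fputc, makes it portable and documents the read-to-write switch. The nested unbraced `if` is also the dangling-else shape; bracing the outer `if` avoids it. An fgetc() read error (EOF) is treated as "no newline" and triggers the write, which is harmless here but worth a word in the comment.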


@ -0,0 +1,46 @@
From 650de7ecd3567b5a5dbf16dd1eb598bd8c20bca8 Mon Sep 17 00:00:00 2001
From: "dtucker@openbsd.org" <dtucker@openbsd.org>
Date: Thu, 10 Nov 2022 23:03:10 +0000
Subject: [PATCH] upstream: Handle dynamic remote port forwarding in escape
commandline's
-R processing. bz#3499, ok djm@
OpenBSD-Commit-ID: 194ee4cfe7ed0e2b8ad0727f493c798a50454208
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=650de7ecd3567b5a5dbf16dd1eb598bd8c20bca8
---
clientloop.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/clientloop.c b/clientloop.c
index 289d0b68..02349ccb 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.370 2021/08/29 23:44:07 djm Exp $ */
+/* $OpenBSD: clientloop.c,v 1.382 2022/11/10 23:03:10 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -846,8 +846,15 @@ process_cmdline(struct ssh *ssh)
}
logit("Canceled forwarding.");
} else {
- if (!parse_forward(&fwd, s, dynamic, remote)) {
- logit("Bad forwarding specification.");
+ /* -R specs can be both dynamic or not, so check both. */
+ if (remote) {
+ if (!parse_forward(&fwd, s, 0, remote) &&
+ !parse_forward(&fwd, s, 1, remote)) {
+ logit("Bad remote forwarding specification.");
+ goto out;
+ }
+ } else if (!parse_forward(&fwd, s, dynamic, remote)) {
+ logit("Bad local forwarding specification.");
goto out;
}
if (local || dynamic) {
--
2.27.0
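Review bot: In the new `remote` branch of process_cmdline, the second `parse_forward(&fwd, s, 1, remote)` call runs against the same `fwd` the first call may have partly filled before failing; that is only safe if parse_forward() reinitialises the struct on entry, which is not visible in this hunk and is worth confirming. The following `if (local || dynamic)` test still keys off the command-line `dynamic` flag rather than which parse succeeded, so for a dynamic -R spec the remote-forwarding path (outside the hunk) must accept a forward with no connect target; presumably it does, since that is what the change sets out to handle, but a comment such as `/* for -R, a spec with no connect target is a dynamic forward */` at the branch would make the contract explicit. process_cmdline extends beyond the hunk on both sides.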


@ -0,0 +1,44 @@
From 4d87a00f704e0365e11c3c38b170c1275ec461fc Mon Sep 17 00:00:00 2001
From: "dtucker@openbsd.org" <dtucker@openbsd.org>
Date: Sat, 14 Jan 2023 09:57:08 +0000
Subject: [PATCH] upstream: Instead of skipping the all-tokens test if we don't
have
OpenSSL (since we use it to compute the hash), put the hash at the end and
just omit it if we don't have it. Prompted by bz#3521.
OpenBSD-Regress-ID: c79ecba64250ed3b6417294b6c965e6b12ca5eea
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=4d87a00f704e0365e11c3c38b170c1275ec461fc
---
diff --git a/regress/percent.sh b/regress/percent.sh
index ed5c604d..3dfa8d2d 100644
--- a/regress/percent.sh
+++ b/regress/percent.sh
@@ -12,6 +12,7 @@ USER=`id -u -n`
USERID=`id -u`
HOST=`hostname | cut -f1 -d.`
HOSTNAME=`hostname`
+HASH=""
# Localcommand is evaluated after connection because %T is not available
# until then. Because of this we use a different method of exercising it,
@@ -98,10 +99,13 @@ for i in matchexec localcommand remotecommand controlpath identityagent \
# containing %d for UserKnownHostsFile
if [ "$i" != "userknownhostsfile" ]; then
trial $i '%d' $HOME
+ in='%%/%i/%h/%d/%L/%l/%n/%p/%r/%u'
+ out="%/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER"
if [ ! -z "${HASH}" ]; then
- trial $i '%%/%C/%i/%h/%d/%L/%l/%n/%p/%r/%u' \
- "%/$HASH/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER"
+ in="$in/%C"
+ out="$out/$HASH"
fi
+ trial $i "$in" "$out"
fi
done
--
2.27.0


@ -1,41 +0,0 @@
From d95af508e78c0cd3dce56b83853baaa59ae295cf Mon Sep 17 00:00:00 2001
From: "dtucker@openbsd.org" <dtucker@openbsd.org>
Date: Sun, 12 Mar 2023 10:40:39 +0000
Subject: [PATCH] upstream: Limit number of entries in SSH2_MSG_EXT_INFO
request. This is already constrained by the maximum SSH packet size but this
makes it explicit. Prompted by Coverity CID 291868, ok djm@ markus@
OpenBSD-Commit-ID: aea023819aa44a2dcb9dd0fbec10561896fc3a09
Conflict:NA
Reference:https://github.com/openssh/openssh-portable/commit/d95af508e78c0cd3dce56b83853baaa59ae295cf
---
kex.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/kex.c b/kex.c
index b681c58..2afa087 100644
--- a/kex.c
+++ b/kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.176 2023/03/06 12:14:48 dtucker Exp $ */
+/* $OpenBSD: kex.c,v 1.178 2023/03/12 10:40:39 dtucker Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
*
@@ -603,6 +603,11 @@ kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh)
ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error);
if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0)
return r;
+ if (ninfo >= 1024) {
+ error("SSH2_MSG_EXT_INFO with too many entries, expected "
+ "<=1024, received %u", ninfo);
+ return SSH_ERR_INVALID_FORMAT;
+ }
for (i = 0; i < ninfo; i++) {
if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0)
return r;
--
2.33.0


@ -1,402 +0,0 @@
From 9641753e0fd146204d57b2a4165f552a81afade4 Mon Sep 17 00:00:00 2001
From: "dtucker@openbsd.org" <dtucker@openbsd.org>
Date: Mon, 6 Mar 2023 12:14:48 +0000
Subject: [PATCH] upstream: Refactor creation of KEX proposal.
This adds kex_proposal_populate_entries (and corresponding free) which
populates the KEX proposal array with dynamically allocated strings.
This replaces the previous mix of static and dynamic that has been the
source of previous leaks and bugs. Remove unused compat functions.
With & ok djm@.
OpenBSD-Commit-ID: f2f99da4aae2233cb18bf9c749320c5e040a9c7b
Reference:https://github.com/openssh/openssh-portable/commit/9641753e0fd146204d57b2a4165f552a81afade4
Conflict:Remove now-unused compat bit SSH_BUG_RSASIGMD5
gssapi-keyex
---
compat.c | 35 ++------------------------
compat.h | 6 ++---
kex.c | 58 ++++++++++++++++++++++++++++++++++++++++++-
kex.h | 5 +++-
sshconnect2.c | 68 +++++++++++++++++++--------------------------------
sshd.c | 37 +++++++++-------------------
6 files changed, 102 insertions(+), 107 deletions(-)
diff --git a/compat.c b/compat.c
index 555a372..4f8a1fb 100644
--- a/compat.c
+++ b/compat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: compat.c,v 1.121 2023/02/02 12:10:05 djm Exp $ */
+/* $OpenBSD: compat.c,v 1.126 2023/03/06 12:14:48 dtucker Exp $ */
/*
* Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
*
@@ -36,7 +36,6 @@
#include "compat.h"
#include "log.h"
#include "match.h"
-#include "kex.h"
/* determine bug flags from SSH protocol banner */
void
@@ -158,37 +157,7 @@ compat_banner(struct ssh *ssh, const char *version)
/* Always returns pointer to allocated memory, caller must free. */
char *
-compat_cipher_proposal(struct ssh *ssh, char *cipher_prop)
-{
- if (!(ssh->compat & SSH_BUG_BIGENDIANAES))
- return xstrdup(cipher_prop);
- debug2_f("original cipher proposal: %s", cipher_prop);
- if ((cipher_prop = match_filter_denylist(cipher_prop, "aes*")) == NULL)
- fatal("match_filter_denylist failed");
- debug2_f("compat cipher proposal: %s", cipher_prop);
- if (*cipher_prop == '\0')
- fatal("No supported ciphers found");
- return cipher_prop;
-}
-
-/* Always returns pointer to allocated memory, caller must free. */
-char *
-compat_pkalg_proposal(struct ssh *ssh, char *pkalg_prop)
-{
- if (!(ssh->compat & SSH_BUG_RSASIGMD5))
- return xstrdup(pkalg_prop);
- debug2_f("original public key proposal: %s", pkalg_prop);
- if ((pkalg_prop = match_filter_denylist(pkalg_prop, "ssh-rsa")) == NULL)
- fatal("match_filter_denylist failed");
- debug2_f("compat public key proposal: %s", pkalg_prop);
- if (*pkalg_prop == '\0')
- fatal("No supported PK algorithms found");
- return pkalg_prop;
-}
-
-/* Always returns pointer to allocated memory, caller must free. */
-char *
-compat_kex_proposal(struct ssh *ssh, char *p)
+compat_kex_proposal(struct ssh *ssh, const char *p)
{
char *cp = NULL, *cp2 = NULL;
diff --git a/compat.h b/compat.h
index 167409b..013c855 100644
--- a/compat.h
+++ b/compat.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: compat.h,v 1.57 2021/06/06 03:40:39 djm Exp $ */
+/* $OpenBSD: compat.h,v 1.62 2023/03/06 12:14:48 dtucker Exp $ */
/*
* Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved.
@@ -61,7 +61,5 @@
struct ssh;
void compat_banner(struct ssh *, const char *);
-char *compat_cipher_proposal(struct ssh *, char *);
-char *compat_pkalg_proposal(struct ssh *, char *);
-char *compat_kex_proposal(struct ssh *, char *);
+char *compat_kex_proposal(struct ssh *, const char *);
#endif
diff --git a/kex.c b/kex.c
index e8c2741..b681c58 100644
--- a/kex.c
+++ b/kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.168 2021/04/03 06:18:40 djm Exp $ */
+/* $OpenBSD: kex.c,v 1.176 2023/03/06 12:14:48 dtucker Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
*
@@ -60,6 +60,7 @@
#include "misc.h"
#include "dispatch.h"
#include "monitor.h"
+#include "myproposal.h"
#include "xmalloc.h"
#include "ssherr.h"
@@ -359,6 +360,61 @@ kex_assemble_names(char **listp, const char *def, const char *all)
return r;
}
+/*
+ * Fill out a proposal array with dynamically allocated values, which may
+ * be modified as required for compatibility reasons.
+ * Any of the options may be NULL, in which case the default is used.
+ * Array contents must be freed by calling kex_proposal_free_entries.
+ */
+void
+kex_proposal_populate_entries(struct ssh *ssh, char *prop[PROPOSAL_MAX],
+ const char *kexalgos, const char *ciphers, const char *macs,
+ const char *comp, const char *hkalgs)
+{
+ const char *defpropserver[PROPOSAL_MAX] = { KEX_SERVER };
+ const char *defpropclient[PROPOSAL_MAX] = { KEX_CLIENT };
+ const char **defprop = ssh->kex->server ? defpropserver : defpropclient;
+ u_int i;
+
+ if (prop == NULL)
+ fatal_f("proposal missing");
+
+ for (i = 0; i < PROPOSAL_MAX; i++) {
+ switch(i) {
+ case PROPOSAL_KEX_ALGS:
+ prop[i] = compat_kex_proposal(ssh,
+ kexalgos ? kexalgos : defprop[i]);
+ break;
+ case PROPOSAL_ENC_ALGS_CTOS:
+ case PROPOSAL_ENC_ALGS_STOC:
+ prop[i] = xstrdup(ciphers ? ciphers : defprop[i]);
+ break;
+ case PROPOSAL_MAC_ALGS_CTOS:
+ case PROPOSAL_MAC_ALGS_STOC:
+ prop[i] = xstrdup(macs ? macs : defprop[i]);
+ break;
+ case PROPOSAL_COMP_ALGS_CTOS:
+ case PROPOSAL_COMP_ALGS_STOC:
+ prop[i] = xstrdup(comp ? comp : defprop[i]);
+ break;
+ case PROPOSAL_SERVER_HOST_KEY_ALGS:
+ prop[i] = xstrdup(hkalgs ? hkalgs : defprop[i]);
+ break;
+ default:
+ prop[i] = xstrdup(defprop[i]);
+ }
+ }
+}
+
+void
+kex_proposal_free_entries(char *prop[PROPOSAL_MAX])
+{
+ u_int i;
+
+ for (i = 0; i < PROPOSAL_MAX; i++)
+ free(prop[i]);
+}
+
/* Validate GSS KEX method name list */
int
kex_gss_names_valid(const char *names)
diff --git a/kex.h b/kex.h
index 8b95227..87ba7c8 100644
--- a/kex.h
+++ b/kex.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.h,v 1.114 2021/01/31 22:55:29 djm Exp $ */
+/* $OpenBSD: kex.h,v 1.118 2023/03/06 12:14:48 dtucker Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
@@ -192,6 +192,9 @@ char *kex_alg_list(char);
char *kex_gss_alg_list(char);
char *kex_names_cat(const char *, const char *);
int kex_assemble_names(char **, const char *, const char *);
+void kex_proposal_populate_entries(struct ssh *, char *prop[PROPOSAL_MAX],
+ const char *, const char *, const char *, const char *, const char *);
+void kex_proposal_free_entries(char *prop[PROPOSAL_MAX]);
int kex_gss_names_valid(const char *);
int kex_exchange_identification(struct ssh *, int, const char *);
diff --git a/sshconnect2.c b/sshconnect2.c
index eb0df92..9267534 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.359 2022/07/01 03:39:44 dtucker Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.364 2023/03/06 12:14:48 dtucker Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2008 Damien Miller. All rights reserved.
@@ -58,7 +58,6 @@
#include "cipher.h"
#include "sshkey.h"
#include "kex.h"
-#include "myproposal.h"
#include "sshconnect.h"
#include "authfile.h"
#include "dh.h"
@@ -216,11 +215,9 @@ void
ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
const struct ssh_conn_info *cinfo)
{
- char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
- char *s, *all_key;
- char *prop_kex = NULL, *prop_enc = NULL, *prop_hostkey = NULL;
- int r, use_known_hosts_order = 0;
-
+ char *myproposal[PROPOSAL_MAX];
+ char *s, *all_key, *hkalgs = NULL;
+ int r;
#if defined(GSSAPI) && defined(WITH_OPENSSL)
char *orig = NULL, *gss = NULL;
char *gss_host = NULL;
@@ -230,15 +227,9 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
xxx_hostaddr = hostaddr;
xxx_conn_info = cinfo;
- /*
- * If the user has not specified HostkeyAlgorithms, or has only
- * appended or removed algorithms from that list then prefer algorithms
- * that are in the list that are supported by known_hosts keys.
- */
- if (options.hostkeyalgorithms == NULL ||
- options.hostkeyalgorithms[0] == '-' ||
- options.hostkeyalgorithms[0] == '+')
- use_known_hosts_order = 1;
+ if (options.rekey_limit || options.rekey_interval)
+ ssh_packet_set_rekey_limits(ssh, options.rekey_limit,
+ options.rekey_interval);
/* Expand or fill in HostkeyAlgorithms */
all_key = sshkey_alg_list(0, 0, 1, ',');
@@ -249,25 +240,22 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
fatal_f("kex_names_cat");
- myproposal[PROPOSAL_KEX_ALGS] = prop_kex = compat_kex_proposal(ssh, s);
- myproposal[PROPOSAL_ENC_ALGS_CTOS] =
- myproposal[PROPOSAL_ENC_ALGS_STOC] = prop_enc =
- compat_cipher_proposal(ssh, options.ciphers);
- myproposal[PROPOSAL_COMP_ALGS_CTOS] =
- myproposal[PROPOSAL_COMP_ALGS_STOC] =
- (char *)compression_alg_list(options.compression);
- myproposal[PROPOSAL_MAC_ALGS_CTOS] =
- myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
- if (use_known_hosts_order) {
- /* Query known_hosts and prefer algorithms that appear there */
- myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey =
- compat_pkalg_proposal(ssh,
- order_hostkeyalgs(host, hostaddr, port, cinfo));
- } else {
- /* Use specified HostkeyAlgorithms exactly */
- myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey =
- compat_pkalg_proposal(ssh, options.hostkeyalgorithms);
- }
+
+ /*
+ * If the user has not specified HostkeyAlgorithms, or has only
+ * appended or removed algorithms from that list then prefer algorithms
+ * that are in the list that are supported by known_hosts keys.
+ */
+ if (options.hostkeyalgorithms == NULL ||
+ options.hostkeyalgorithms[0] == '-' ||
+ options.hostkeyalgorithms[0] == '+')
+ hkalgs = order_hostkeyalgs(host, hostaddr, port, cinfo);
+
+ kex_proposal_populate_entries(ssh, myproposal, s, options.ciphers,
+ options.macs, compression_alg_list(options.compression),
+ hkalgs ? hkalgs : options.hostkeyalgorithms);
+
+ free(hkalgs);
#if defined(GSSAPI) && defined(WITH_OPENSSL)
if (options.gss_keyex) {
@@ -310,10 +298,6 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
}
#endif
- if (options.rekey_limit || options.rekey_interval)
- ssh_packet_set_rekey_limits(ssh, options.rekey_limit,
- options.rekey_interval);
-
/* start key exchange */
if ((r = kex_setup(ssh, myproposal)) != 0)
fatal_r(r, "kex_setup");
@@ -357,6 +341,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &ssh->kex->done);
/* remove ext-info from the KEX proposals for rekeying */
+ free(myproposal[PROPOSAL_KEX_ALGS]);
myproposal[PROPOSAL_KEX_ALGS] =
compat_kex_proposal(ssh, options.kex_algorithms);
#if defined(GSSAPI) && defined(WITH_OPENSSL)
@@ -380,10 +365,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
(r = ssh_packet_write_wait(ssh)) != 0)
fatal_fr(r, "send packet");
#endif
- /* Free only parts of proposal that were dynamically allocated here. */
- free(prop_kex);
- free(prop_enc);
- free(prop_hostkey);
+ kex_proposal_free_entries(myproposal);
}
/*
diff --git a/sshd.c b/sshd.c
index dd7e1d4..aa3c3b7 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.589 2022/07/01 03:39:44 dtucker Exp $ */
+/* $OpenBSD: sshd.c,v 1.599 2023/03/06 12:14:48 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -107,7 +107,6 @@
#include "digest.h"
#include "sshkey.h"
#include "kex.h"
-#include "myproposal.h"
#include "authfile.h"
#include "pathnames.h"
#include "atomicio.h"
@@ -2524,33 +2523,23 @@ sshd_hostkey_sign(struct ssh *ssh, struct sshkey *privkey,
static void
do_ssh2_kex(struct ssh *ssh)
{
- char *myproposal[PROPOSAL_MAX] = { KEX_SERVER };
+ char *hkalgs = NULL, *myproposal[PROPOSAL_MAX];
+ const char *compression = NULL;
struct kex *kex;
- char *prop_kex = NULL, *prop_enc = NULL, *prop_hostkey = NULL;
int r;
- myproposal[PROPOSAL_KEX_ALGS] = prop_kex = compat_kex_proposal(ssh,
- options.kex_algorithms);
- myproposal[PROPOSAL_ENC_ALGS_CTOS] =
- myproposal[PROPOSAL_ENC_ALGS_STOC] = prop_enc =
- compat_cipher_proposal(ssh, options.ciphers);
- myproposal[PROPOSAL_ENC_ALGS_STOC] = compat_cipher_proposal(ssh,
- options.ciphers);
- myproposal[PROPOSAL_MAC_ALGS_CTOS] =
- myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
-
- if (options.compression == COMP_NONE) {
- myproposal[PROPOSAL_COMP_ALGS_CTOS] =
- myproposal[PROPOSAL_COMP_ALGS_STOC] = "none";
- }
-
if (options.rekey_limit || options.rekey_interval)
ssh_packet_set_rekey_limits(ssh, options.rekey_limit,
options.rekey_interval);
- /* coverity[leaked_storage : FALSE]*/
- myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey =
- compat_pkalg_proposal(ssh, list_hostkey_types());
+ if (options.compression == COMP_NONE)
+ compression = "none";
+ hkalgs = list_hostkey_types();
+
+ kex_proposal_populate_entries(ssh, myproposal, options.kex_algorithms,
+ options.ciphers, options.macs, compression, hkalgs);
+
+ free(hkalgs);
#if defined(GSSAPI) && defined(WITH_OPENSSL)
{
char *orig;
@@ -2645,9 +2634,7 @@ do_ssh2_kex(struct ssh *ssh)
(r = ssh_packet_write_wait(ssh)) != 0)
fatal_fr(r, "send test");
#endif
- free(prop_kex);
- free(prop_enc);
- free(prop_hostkey);
+ kex_proposal_free_entries(myproposal);
debug("KEX done");
}
--
2.33.0


@ -0,0 +1,26 @@
From 923c3f437f439cfca238fba37e97a7041782f615 Mon Sep 17 00:00:00 2001
From: "dtucker@openbsd.org" <dtucker@openbsd.org>
Date: Sat, 14 Jan 2023 10:05:54 +0000
Subject: [PATCH] upstream: Shell syntax fix. From ren mingshuai vi github
PR#369.
OpenBSD-Regress-ID: 6696b2eeefe128099fc3d7ea9f23252cc35156f9
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=923c3f437f439cfca238fba37e97a7041782f615
---
diff --git a/regress/yes-head.sh b/regress/yes-head.sh
index 2759eb8c..1bde504f 100644
--- a/regress/yes-head.sh
+++ b/regress/yes-head.sh
@@ -6,7 +6,7 @@ tid="yes pipe head"
lines=`${SSH} -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)`
if [ $? -ne 0 ]; then
fail "yes|head test failed"
- lines = 0;
++ lines=0
fi
if [ $lines -ne 2000 ]; then
fail "yes|head returns $lines lines instead of 2000"
--
2.27.0
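Review bot: The replacement line reads `++ lines=0`, i.e. two plus signs, while every other line of this newly added patch file is shown with its outer marker stripped; if the patch file really contains `++	lines=0` rather than this being a rendering artifact, applying it inserts a literal `+	lines=0` into regress/yes-head.sh and the script would then try to run a command named `+` instead of resetting `lines`. The upstream change carries a single marker on that line, so the patch line should read `+	lines=0`. A `git apply --check` of the patch against the packaged yes-head.sh would settle it before the spec starts applying it.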


@ -0,0 +1,40 @@
From 5a7a7acab2f466dc1d7467b5d05d35268c3137aa Mon Sep 17 00:00:00 2001
From: "deraadt@openbsd.org" <deraadt@openbsd.org>
Date: Thu, 15 Dec 2022 18:20:39 +0000
Subject: [PATCH] upstream: The idiomatic way of coping with signed char vs
unsigned
char (which did not come from stdio read functions) in the presence of
ctype macros, is to always cast to (unsigned char). casting to (int)
for a "macro" which is documented to take int, is weird. And sadly wrong,
because of the sing extension risk.. same diff from florian
OpenBSD-Commit-ID: 65b9a49a68e22ff3a0ebd593f363e9f22dd73fea
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=5a7a7acab2f466dc1d7467b5d05d35268c3137aa
---
misc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/misc.c b/misc.c
index 977c097e..41244da9 100644
--- a/misc.c
+++ b/misc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.170 2021/09/26 14:01:03 djm Exp $ */
+/* $OpenBSD: misc.c,v 1.179 2022/12/15 18:20:39 deraadt Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2005-2020 Damien Miller. All rights reserved.
@@ -95,7 +95,7 @@ rtrim(char *s)
if ((i = strlen(s)) == 0)
return;
for (i--; i > 0; i--) {
- if (isspace((int)s[i]))
+ if (isspace((unsigned char)s[i]))
s[i] = '\0';
}
}
--
2.27.0
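Review bot: The `(unsigned char)` cast is the right fix for the ctype contract, but the loop around the changed line never stops at the first non-blank byte: it has no `break`, so every whitespace byte at an index greater than zero is overwritten with `'\0'` and the string is effectively cut at its leftmost internal blank (`"a b "` ends up as `"a"`). If rtrim is meant to strip only trailing whitespace, the body wants `if (isspace((unsigned char)s[i])) s[i] = '\0'; else break;`. This behaviour is pre-existing rather than introduced by the backport, and rtrim's signature sits outside the hunk, so its callers should be checked before changing it.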


@ -0,0 +1,51 @@
From d77fc611a62f2dfee0b654c31a50a814b13310dd Mon Sep 17 00:00:00 2001
From: "dtucker@openbsd.org" <dtucker@openbsd.org>
Date: Fri, 6 Jan 2023 12:33:33 +0000
Subject: [PATCH] upstream: When OpenSSL is not available, skip parts of
percent test
that require it. Based on github pr#368 from ren mingshuai.
OpenBSD-Regress-ID: 49a375b2cf61ccb95b52e75e2e025cd10988ebb2
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=d77fc611a62f2dfee0b654c31a50a814b13310dd
---
regress/percent.sh | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/regress/percent.sh b/regress/percent.sh
index bb81779a..ed5c604d 100644
--- a/regress/percent.sh
+++ b/regress/percent.sh
@@ -79,10 +79,12 @@ for i in matchexec localcommand remotecommand controlpath identityagent \
trial $i '%T' NONE
fi
# Matches implementation in readconf.c:ssh_connection_hash()
- HASH=`printf "${HOSTNAME}127.0.0.1${PORT}$REMUSER" |
- $OPENSSL_BIN sha1 | cut -f2 -d' '`
+ if [ ! -z "${OPENSSL_BIN}" ]; then
+ HASH=`printf "${HOSTNAME}127.0.0.1${PORT}$REMUSER" |
+ $OPENSSL_BIN sha1 | cut -f2 -d' '`
+ trial $i '%C' $HASH
+ fi
trial $i '%%' '%'
- trial $i '%C' $HASH
trial $i '%i' $USERID
trial $i '%h' 127.0.0.1
trial $i '%L' $HOST
@@ -96,8 +98,10 @@ for i in matchexec localcommand remotecommand controlpath identityagent \
# containing %d for UserKnownHostsFile
if [ "$i" != "userknownhostsfile" ]; then
trial $i '%d' $HOME
- trial $i '%%/%C/%i/%h/%d/%L/%l/%n/%p/%r/%u' \
- "%/$HASH/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER"
+ if [ ! -z "${HASH}" ]; then
+ trial $i '%%/%C/%i/%h/%d/%L/%l/%n/%p/%r/%u' \
+ "%/$HASH/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER"
+ fi
fi
done
--
2.27.0
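Review bot: Inside the new `OPENSSL_BIN` guard, `printf "${HOSTNAME}127.0.0.1${PORT}$REMUSER"` passes the expanded variables as printf's format string, so a hostname containing `%` or `\` is interpreted rather than hashed and the computed `%C` value would silently differ from what readconf.c produces; `printf '%s' "${HOSTNAME}127.0.0.1${PORT}$REMUSER"` hashes the bytes literally. The line is moved rather than new here, so this is inherited from upstream, but the re-indent is a convenient moment to fix it.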


@ -0,0 +1,42 @@
From f673b49f3be3eb51074fbb8a405beb6cd0f7d93e Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Fri, 13 Jan 2023 02:44:02 +0000
Subject: [PATCH] upstream: avoid printf("%s", NULL) if using ssh
-oUserKnownHostsFile=none and a hostkey in one of the system known hosts file
changes; ok dtucker@
OpenBSD-Commit-ID: 7ca87614bfc6da491315536a7f2301434a9fe614
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=f673b49f3be3eb51074fbb8a405beb6cd0f7d93e
---
sshconnect.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/sshconnect.c b/sshconnect.c
index 0fca52b2..792bc34b 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.355 2021/07/02 05:11:21 dtucker Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.361 2023/01/13 02:44:02 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1276,8 +1276,11 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo,
}
/* The host key has changed. */
warn_changed_key(host_key);
- error("Add correct host key in %.100s to get rid of this message.",
- user_hostfiles[0]);
+ if (num_user_hostfiles > 0 || num_system_hostfiles > 0) {
+ error("Add correct host key in %.100s to get rid "
+ "of this message.", num_user_hostfiles > 0 ?
+ user_hostfiles[0] : system_hostfiles[0]);
+ }
error("Offending %s key in %s:%lu",
sshkey_type(host_found->key),
host_found->file, host_found->line);
--
2.27.0


@ -0,0 +1,109 @@
From b3daa8dc582348d6ab8150bc1e571b7aa08c5388 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Mon, 2 Jan 2023 07:03:30 +0000
Subject: [PATCH] upstream: fix bug in PermitRemoteOpen which caused it to
ignore its
first argument unless it was one of the special keywords "any" or "none".
Reported by Georges Chaudy in bz3515; ok dtucker@
OpenBSD-Commit-ID: c5678a39f1ff79993d5ae3cfac5746a4ae148ea5
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=b3daa8dc582348d6ab8150bc1e571b7aa08c5388
---
readconf.c | 62 +++++++++++++++++++++++++++++-------------------------
1 file changed, 33 insertions(+), 29 deletions(-)
diff --git a/readconf.c b/readconf.c
index 45c1c22..aa106eb 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.363 2021/09/16 05:36:03 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.371 2023/01/02 07:03:30 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1611,38 +1611,38 @@ parse_pubkey_algos:
case oPermitRemoteOpen:
uintptr = &options->num_permitted_remote_opens;
cppptr = &options->permitted_remote_opens;
- arg = argv_next(&ac, &av);
- if (!arg || *arg == '\0')
- fatal("%s line %d: missing %s specification",
- filename, linenum, lookup_opcode_name(opcode));
uvalue = *uintptr; /* modified later */
- if (strcmp(arg, "any") == 0 || strcmp(arg, "none") == 0) {
- if (*activep && uvalue == 0) {
- *uintptr = 1;
- *cppptr = xcalloc(1, sizeof(**cppptr));
- (*cppptr)[0] = xstrdup(arg);
- }
- break;
- }
+ i = 0;
while ((arg = argv_next(&ac, &av)) != NULL) {
arg2 = xstrdup(arg);
ch = '\0';
- p = hpdelim2(&arg, &ch);
- if (p == NULL || ch == '/') {
- fatal("%s line %d: missing host in %s",
- filename, linenum,
- lookup_opcode_name(opcode));
- }
- p = cleanhostname(p);
- /*
- * don't want to use permitopen_port to avoid
- * dependency on channels.[ch] here.
- */
- if (arg == NULL ||
- (strcmp(arg, "*") != 0 && a2port(arg) <= 0)) {
- fatal("%s line %d: bad port number in %s",
- filename, linenum,
- lookup_opcode_name(opcode));
+ /* Allow any/none only in first position */
+ if (strcasecmp(arg, "none") == 0 ||
+ strcasecmp(arg, "any") == 0) {
+ if (i > 0 || ac > 0) {
+ error("%s line %d: keyword %s \"%s\" "
+ "argument must appear alone.",
+ filename, linenum, keyword, arg);
+ goto out;
+ }
+ } else {
+ p = hpdelim(&arg);
+ if (p == NULL) {
+ fatal("%s line %d: missing host in %s",
+ filename, linenum,
+ lookup_opcode_name(opcode));
+ }
+ p = cleanhostname(p);
+ /*
+ * don't want to use permitopen_port to avoid
+ * dependency on channels.[ch] here.
+ */
+ if (arg == NULL || (strcmp(arg, "*") != 0 &&
+ a2port(arg) <= 0)) {
+ fatal("%s line %d: bad port number "
+ "in %s", filename, linenum,
+ lookup_opcode_name(opcode));
+ }
}
if (*activep && uvalue == 0) {
opt_array_append(filename, linenum,
@@ -1650,7 +1650,11 @@ parse_pubkey_algos:
cppptr, uintptr, arg2);
}
free(arg2);
+ i++;
}
+ if (i == 0)
+ fatal("%s line %d: missing %s specification",
+ filename, linenum, lookup_opcode_name(opcode));
break;
case oClearAllForwardings:
--
2.27.0
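Review bot: `any`/`none` are now recognised case-insensitively via `strcasecmp`, but the value appended to `permitted_remote_opens` is `arg2`, the user's original spelling; unless every consumer of that array also compares case-insensitively, a configuration such as `PermitRemoteOpen Any` passes parsing here yet may be treated as a host pattern later, which is the opposite of what the user asked for. Either keep the previous `strcmp` or append a literal `"any"`/`"none"` in that branch instead of `arg2`. The counter `i` is a function-scoped variable declared outside the hunk (process_config_line continues beyond both hunks); a dedicated local would make the "must appear alone" check easier to follow. The misplaced-keyword path uses `error()` plus `goto out` while the other malformed-argument cases in the same loop `fatal()`; if the softer failure is intentional a one-line comment such as `/* non-fatal: caller reports the bad option */` would save the next reader the question.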


@ -0,0 +1,37 @@
From 5ee2b8ccfcf4b606f450eb0ff2305e311f68b0be Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Thu, 6 Oct 2022 22:42:37 +0000
Subject: [PATCH] upstream: honour user's umask if it is more restrictive then
the ssh
default (022); based on patch from Alex Henrie, ok dtucker@ deraadt@
OpenBSD-Commit-ID: fe1b9e15fc9a4f49fc338e848ce14d8727abe82d
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=5ee2b8ccfcf4b606f450eb0ff2305e311f68b0be
---
ssh.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ssh.c b/ssh.c
index 25be53d5..e711dbd2 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.575 2022/07/01 00:36:30 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.577 2022/10/06 22:42:37 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -679,7 +679,7 @@ main(int ac, char **av)
* writable only by the owner, which is ok for all files for which we
* don't set the modes explicitly.
*/
- umask(022);
+ umask(022 | umask(077));
msetlocale();
--
2.27.0
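Review bot: The comment above the changed line still describes a fixed `022` policy ("writable only by the owner"), while `umask(022 | umask(077))` now unions the inherited process umask with 022, so a user running with 077 keeps that stricter mask. The comment should say so, e.g. `/* At least 022, but honour a stricter inherited umask; the inner umask(077) only serves to read the old value. */`. The inner call does install 077 for an instant before the outer call sets the final mask, which is harmless this early in main, but the idiom should not be copied to points after files or pipes are being created. main's body continues outside the hunk.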


@ -0,0 +1,138 @@
From 845ceecea2ac311b0c267f9ecbd34862e1876fc6 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Mon, 2 Jan 2023 07:03:57 +0000
Subject: [PATCH] upstream: regression test for PermitRemoteOpen
OpenBSD-Regress-ID: 8271aafbf5c21950cd5bf966f08e585cebfe630c
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=845ceecea2ac311b0c267f9ecbd34862e1876fc6
---
regress/dynamic-forward.sh | 84 ++++++++++++++++++++++++++++++--------
1 file changed, 66 insertions(+), 18 deletions(-)
diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh
index 84f8ee19..f6c2393d 100644
--- a/regress/dynamic-forward.sh
+++ b/regress/dynamic-forward.sh
@@ -1,10 +1,12 @@
-# $OpenBSD: dynamic-forward.sh,v 1.13 2017/09/21 19:18:12 markus Exp $
+# $OpenBSD: dynamic-forward.sh,v 1.14 2023/01/02 07:03:57 djm Exp $
# Placed in the Public Domain.
tid="dynamic forwarding"
FWDPORT=`expr $PORT + 1`
+cp $OBJ/ssh_config $OBJ/ssh_config.orig
+
if have_prog nc && nc -h 2>&1 | grep "proxy address" >/dev/null; then
proxycmd="nc -x 127.0.0.1:$FWDPORT -X"
elif have_prog connect; then
@@ -15,16 +17,16 @@ else
fi
trace "will use ProxyCommand $proxycmd"
-start_sshd
-
-for d in D R; do
+start_ssh() {
+ direction="$1"
+ arg="$2"
n=0
error="1"
- trace "start dynamic forwarding, fork to background"
-
+ trace "start dynamic -$direction forwarding, fork to background"
+ (cat $OBJ/ssh_config.orig ; echo "$arg") > $OBJ/ssh_config
while [ "$error" -ne 0 -a "$n" -lt 3 ]; do
n=`expr $n + 1`
- ${SSH} -F $OBJ/ssh_config -f -$d $FWDPORT -q \
+ ${SSH} -F $OBJ/ssh_config -f -$direction $FWDPORT -q \
-oExitOnForwardFailure=yes somehost exec sh -c \
\'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\'
error=$?
@@ -36,18 +38,9 @@ for d in D R; do
if [ "$error" -ne 0 ]; then
fatal "failed to start dynamic forwarding"
fi
+}
- for s in 4 5; do
- for h in 127.0.0.1 localhost; do
- trace "testing ssh socks version $s host $h (-$d)"
- ${SSH} -F $OBJ/ssh_config \
- -o "ProxyCommand ${proxycmd}${s} $h $PORT" \
- somehost cat ${DATA} > ${COPY}
- test -f ${COPY} || fail "failed copy ${DATA}"
- cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
- done
- done
-
+stop_ssh() {
if [ -f $OBJ/remote_pid ]; then
remote=`cat $OBJ/remote_pid`
trace "terminate remote shell, pid $remote"
@@ -57,5 +50,60 @@ for d in D R; do
else
fail "no pid file: $OBJ/remote_pid"
fi
+}
+
+check_socks() {
+ direction=$1
+ expect_success=$2
+ for s in 4 5; do
+ for h in 127.0.0.1 localhost; do
+ trace "testing ssh socks version $s host $h (-$direction)"
+ ${SSH} -F $OBJ/ssh_config \
+ -o "ProxyCommand ${proxycmd}${s} $h $PORT 2>/dev/null" \
+ somehost cat ${DATA} > ${COPY}
+ r=$?
+ if [ "x$expect_success" = "xY" ] ; then
+ if [ $r -ne 0 ] ; then
+ fail "ssh failed with exit status $r"
+ fi
+ test -f ${COPY} || fail "failed copy ${DATA}"
+ cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
+ elif [ $r -eq 0 ] ; then
+ fail "ssh unexpectedly succeeded"
+ fi
+ done
+ done
+}
+
+start_sshd
+
+for d in D R; do
+ verbose "test -$d forwarding"
+ start_ssh $d
+ check_socks $d Y
+ stop_ssh
+ test "x$d" = "xR" || continue
+
+ # Test PermitRemoteOpen
+ verbose "PermitRemoteOpen=any"
+ start_ssh $d PermitRemoteOpen=any
+ check_socks $d Y
+ stop_ssh
+
+ verbose "PermitRemoteOpen=none"
+ start_ssh $d PermitRemoteOpen=none
+ check_socks $d N
+ stop_ssh
+
+ verbose "PermitRemoteOpen=explicit"
+ start_ssh $d \
+ PermitRemoteOpen="127.0.0.1:$PORT [::1]:$PORT localhost:$PORT"
+ check_socks $d Y
+ stop_ssh
+ verbose "PermitRemoteOpen=disallowed"
+ start_ssh $d \
+ PermitRemoteOpen="127.0.0.1:1 [::1]:1 localhost:1"
+ check_socks $d N
+ stop_ssh
done
--
2.27.0
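Review bot: `start_ssh` regenerates `$OBJ/ssh_config` from `ssh_config.orig` plus the PermitRemoteOpen argument on every call, but nothing restores the original after the loop, so the script exits leaving the "disallowed" rule appended; if the harness reuses `$OBJ/ssh_config` for later tests without regenerating it, they would inherit that deny rule. A final `cp $OBJ/ssh_config.orig $OBJ/ssh_config` after `done` makes the script self-contained. In `check_socks` the `N` path judges only ssh's exit status, and `${COPY}` is never removed before an attempt, so it still holds the previous successful round's data; an `rm -f ${COPY}` before the ssh invocation would let the negative case also assert that no data came through.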


@ -0,0 +1,125 @@
From 903c556b938fff2d7bff8da2cc460254430963c5 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Thu, 2 Feb 2023 12:12:52 +0000
Subject: [PATCH] upstream: test compat_kex_proposal(); by dtucker@
OpenBSD-Regress-ID: 0e404ee264db546f9fdbf53390689ab5f8d38bf2
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=903c556b938fff2d7bff8da2cc460254430963c5
---
regress/unittests/kex/test_proposal.c | 79 +++++++++++++++++++++++++++
regress/unittests/kex/tests.c | 4 +-
2 files changed, 82 insertions(+), 1 deletion(-)
create mode 100644 regress/unittests/kex/test_proposal.c
diff --git a/regress/unittests/kex/test_proposal.c b/regress/unittests/kex/test_proposal.c
new file mode 100644
index 0000000..b89ff59
--- /dev/null
+++ b/regress/unittests/kex/test_proposal.c
@@ -0,0 +1,79 @@
+/* $OpenBSD: test_proposal.c,v 1.1 2023/02/02 12:12:52 djm Exp $ */
+/*
+ * Regress test KEX
+ *
+ * Placed in the public domain
+ */
+
+#include <sys/types.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "test_helper.h"
+
+#include "compat.h"
+#include "ssherr.h"
+#include "sshbuf.h"
+#include "kex.h"
+#include "packet.h"
+#include "xmalloc.h"
+
+void kex_proposal(void);
+
+#define CURVE25519 "curve25519-sha256@libssh.org"
+#define DHGEX1 "diffie-hellman-group-exchange-sha1"
+#define DHGEX256 "diffie-hellman-group-exchange-sha256"
+#define KEXALGOS CURVE25519","DHGEX256","DHGEX1
+void
+kex_proposal(void)
+{
+ size_t i;
+ struct ssh ssh;
+ char *result, *out, *in;
+ struct {
+ char *in; /* TODO: make this const */
+ char *out;
+ int compat;
+ } tests[] = {
+ { KEXALGOS, KEXALGOS, 0},
+ { KEXALGOS, DHGEX256","DHGEX1, SSH_BUG_CURVE25519PAD },
+ { KEXALGOS, CURVE25519, SSH_OLD_DHGEX },
+ { "a,"KEXALGOS, "a", SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX },
+ /* TODO: enable once compat_kex_proposal doesn't fatal() */
+ /* { KEXALGOS, "", SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX }, */
+ };
+
+ TEST_START("compat_kex_proposal");
+ for (i = 0; i < sizeof(tests) / sizeof(*tests); i++) {
+ ssh.compat = tests[i].compat;
+ /* match entire string */
+ result = compat_kex_proposal(&ssh, tests[i].in);
+ ASSERT_STRING_EQ(result, tests[i].out);
+ free(result);
+ /* match at end */
+ in = kex_names_cat("a", tests[i].in);
+ out = kex_names_cat("a", tests[i].out);
+ result = compat_kex_proposal(&ssh, in);
+ ASSERT_STRING_EQ(result, out);
+ free(result); free(in); free(out);
+ /* match at start */
+ in = kex_names_cat(tests[i].in, "a");
+ out = kex_names_cat(tests[i].out, "a");
+ result = compat_kex_proposal(&ssh, in);
+ ASSERT_STRING_EQ(result, out);
+ free(result); free(in); free(out);
+ /* match in middle */
+ xasprintf(&in, "a,%s,b", tests[i].in);
+ if (*(tests[i].out) == '\0')
+ out = xstrdup("a,b");
+ else
+ xasprintf(&out, "a,%s,b", tests[i].out);
+ result = compat_kex_proposal(&ssh, in);
+ ASSERT_STRING_EQ(result, out);
+ free(result); free(in); free(out);
+ }
+ TEST_DONE();
+}
diff --git a/regress/unittests/kex/tests.c b/regress/unittests/kex/tests.c
index e7036ec..2a83daf 100644
--- a/regress/unittests/kex/tests.c
+++ b/regress/unittests/kex/tests.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tests.c,v 1.1 2015/01/15 23:41:29 markus Exp $ */
+/* $OpenBSD: tests.c,v 1.2 2023/02/02 12:12:52 djm Exp $ */
/*
* Placed in the public domain
*/
@@ -6,9 +6,11 @@
#include "../test_helper/test_helper.h"
void kex_tests(void);
+void kex_proposal(void);
void
tests(void)
{
kex_tests();
+ kex_proposal();
}
--
2.27.0
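Review bot: `struct ssh ssh;` is declared without an initialiser and only `ssh.compat` is assigned before each `compat_kex_proposal(&ssh, …)` call; that appears sufficient for the current implementation, but any future read of another field in compat.c would be reading indeterminate memory in this test without a diagnostic. `struct ssh ssh = { 0 };` costs nothing and keeps the test deterministic under sanitizers. The commented-out case records that compat_kex_proposal `fatal()`s when filtering leaves an empty list, which is useful information — keep that TODO next to the table so the behaviour is revisited whenever compat.c changes.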


@ -0,0 +1,34 @@
From 18376847b8043ba967eabbe23692ef74c9a3fddc Mon Sep 17 00:00:00 2001
From: "jsg@openbsd.org" <jsg@openbsd.org>
Date: Thu, 13 Oct 2022 09:09:28 +0000
Subject: [PATCH] upstream: use correct type with sizeof ok djm@
OpenBSD-Commit-ID: d6c882c2e8a42ff831a5b3cbc2c961ecb2dd6143
Conflict:NA
Reference:https://anongit.mindrot.org/openssh.git/commit?id=18376847b8043ba967eabbe23692ef74c9a3fddc
---
ssh.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ssh.c b/ssh.c
index e711dbd2..21cbd7c3 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.577 2022/10/06 22:42:37 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.578 2022/10/13 09:09:28 jsg Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1579,7 +1579,7 @@ main(int ac, char **av)
if (options.hostbased_authentication) {
sensitive_data.nkeys = 10;
sensitive_data.keys = xcalloc(sensitive_data.nkeys,
- sizeof(struct sshkey));
+ sizeof(*sensitive_data.keys));
/* XXX check errors? */
#define L_PUBKEY(p,o) do { \
--
2.27.0


@ -6,7 +6,7 @@
%{?no_gtk2:%global gtk2 0}
%global sshd_uid 74
%global openssh_release 23
%global openssh_release 26
Name: openssh
Version: 8.8p1
@ -81,41 +81,56 @@ Patch50: backport-openssh-8.2p1-x11-without-ipv6.patch
Patch51: backport-openssh-8.0p1-keygen-strip-doseol.patch
Patch52: backport-openssh-8.0p1-preserve-pam-errors.patch
Patch53: backport-openssh-8.7p1-scp-kill-switch.patch
Patch54: bugfix-sftp-when-parse_user_host_path-empty-path-should-be-allowed.patch
Patch55: bugfix-openssh-6.6p1-log-usepam-no.patch
Patch56: bugfix-openssh-add-option-check-username-splash.patch
Patch57: feature-openssh-7.4-hima-sftpserver-oom-and-fix.patch
Patch58: bugfix-openssh-fix-sftpserver.patch
Patch59: set-sshd-config.patch
Patch6001: backport-fix-possible-NULL-deref-when-built-without-FIDO.patch
Patch60: feature-add-SMx-support.patch
Patch61: backport-upstream-a-little-extra-debugging.patch
Patch62: backport-upstream-better-debugging-for-connect_next.patch
Patch63: backport-upstream-ssh-keygen-Y-check-novalidate-requires-name.patch
Patch60: backport-fix-possible-NULL-deref-when-built-without-FIDO.patch
Patch61: feature-add-SMx-support.patch
Patch62: backport-upstream-a-little-extra-debugging.patch
Patch63: backport-upstream-better-debugging-for-connect_next.patch
Patch64: openssh-Add-sw64-architecture.patch
Patch65: backport-upstream-if-sshpkt-functions-fail-then-password-is-n.patch
Patch66: backport-upstream-Make-sure-not-to-fclose-the-same-fd-twice-i.patch
Patch67: backport-upstream-Donot-attempt-to-fprintf-a-null-identity-co.patch
Patch68: backport-upstream-ignore-SIGPIPE-earlier-in-main-specifically.patch
Patch69: backport-upstream-Always-return-allocated-strings-from-the-ke.patch
Patch70: backport-Don-t-leak-the-strings-allocated-by-order_h.patch
Patch71: backport-Return-ERANGE-from-getcwd-if-buffer-size-is-1.patch
Patch72: backport-upstream-double-free-in-error-path-from-Eusgor-via-G.patch
Patch73: add-loongarch.patch
Patch65: add-loongarch.patch
Patch66: backport-upstream-if-sshpkt-functions-fail-then-password-is-n.patch
Patch67: backport-upstream-Make-sure-not-to-fclose-the-same-fd-twice-i.patch
Patch68: backport-upstream-Donot-attempt-to-fprintf-a-null-identity-co.patch
Patch69: backport-upstream-ignore-SIGPIPE-earlier-in-main-specifically.patch
Patch70: backport-upstream-Always-return-allocated-strings-from-the-ke.patch
Patch71: backport-Don-t-leak-the-strings-allocated-by-order_h.patch
Patch72: backport-Return-ERANGE-from-getcwd-if-buffer-size-is-1.patch
Patch73: backport-upstream-double-free-in-error-path-from-Eusgor-via-G.patch
Patch74: add-strict-scp-check-for-CVE-2020-15778.patch
Patch75: backport-upstream-avoid-integer-overflow-of-auth-attempts-har.patch
Patch76: backport-Skip-scp3-test-if-there-s-no-scp-on-remote-path.patch
Patch77: skip-scp-test-if-there-is-no-scp-on-remote-path-as-s.patch
Patch78: skip-tests-for-C-if-there-is-no-openssl-on-local-pat.patch
Patch79: set-ssh-config.patch
Patch80: backport-upstream-CVE-2023-25136-fix-double-free-caused.patch
Patch81: backport-fix-CVE-2023-38408-upstream-terminate-process.patch
Patch82: backport-upstream-In-channel_request_remote_forwarding-the-pa.patch
Patch83: backport-upstream-Refactor-creation-of-KEX-proposal.patch
Patch84: backport-upstream-Limit-number-of-entries-in-SSH2_MSG_EXT_INF.patch
Patch85: backport-CVE-2023-48795-upstream-implement-strict-key-exchange-in-ssh-and-ss.patch
Patch86: backport-CVE-2023-51385-upstream-ban-user-hostnames-with-most-shell-metachar.patch
Patch75: backport-upstream-ssh-keygen-Y-check-novalidate-requires-name.patch
Patch76: backport-upstream-avoid-integer-overflow-of-auth-attempts-har.patch
Patch77: backport-Skip-scp3-test-if-there-s-no-scp-on-remote-path.patch
Patch78: skip-scp-test-if-there-is-no-scp-on-remote-path-as-s.patch
Patch79: backport-upstream-CVE-2023-25136-fix-double-free-caused.patch
Patch80: set-ssh-config.patch
Patch81: backport-upstream-honour-user-s-umask-if-it-is-more-restricti.patch
Patch82: backport-upstream-use-correct-type-with-sizeof-ok-djm.patch
Patch83: backport-Defer-seed_rng-until-after-closefrom-call.patch
Patch84: backport-upstream-Handle-dynamic-remote-port-forwarding-in-es.patch
Patch85: backport-upstream-The-idiomatic-way-of-coping-with-signed-cha.patch
Patch86: backport-upstream-Clear-signal-mask-early-in-main-sshd-may-ha.patch
Patch87: backport-upstream-fix-bug-in-PermitRemoteOpen-which-caused-it.patch
Patch88: backport-upstream-regression-test-for-PermitRemoteOpen.patch
Patch89: backport-upstream-Copy-bytes-from-the_banana-rather-than-bana.patch
Patch90: backport-upstream-When-OpenSSL-is-not-available-skip-parts-of.patch
Patch91: backport-don-t-test-IPv6-addresses-if-platform-lacks-support.patch
Patch92: backport-upstream-avoid-printf-s-NULL-if-using-ssh.patch
Patch93: backport-upstream-Add-scp-s-path-to-test-sshd-s-PATH.patch
Patch94: backport-upstream-Instead-of-skipping-the-all-tokens-test-if-.patch
Patch95: backport-upstream-Shell-syntax-fix.-From-ren-mingshuai-vi-git.patch
Patch96: backport-Allow-writev-is-seccomp-sandbox.patch
Patch97: backport-upstream-Ensure-that-there-is-a-terminating-newline-.patch
Patch98: backport-upstream-test-compat_kex_proposal-by-dtucker.patch
Patch99: backport-adapt-compat_kex_proposal-test-to-portable.patch
Patch100: backport-fix-CVE-2023-38408-upstream-terminate-process.patch
Patch101: backport-upstream-In-channel_request_remote_forwarding-the-pa.patch
Patch102: backport-CVE-2023-51385-upstream-ban-user-hostnames-with-most-shell-metachar.patch
Patch103: backport-CVE-2023-48795.patch
Requires: /sbin/nologin
Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8
@ -253,7 +268,6 @@ popd
%patch57 -p1
%patch58 -p1
%patch59 -p1
%patch6001 -p1
%patch60 -p1
%patch61 -p1
%patch62 -p1
@ -281,6 +295,23 @@ popd
%patch84 -p1
%patch85 -p1
%patch86 -p1
%patch87 -p1
%patch88 -p1
%patch89 -p1
%patch90 -p1
%patch91 -p1
%patch92 -p1
%patch93 -p1
%patch94 -p1
%patch95 -p1
%patch96 -p1
%patch97 -p1
%patch98 -p1
%patch99 -p1
%patch100 -p1
%patch101 -p1
%patch102 -p1
%patch103 -p1
autoreconf
pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
@ -477,90 +508,108 @@ getent passwd sshd >/dev/null || \
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
%changelog
* Sat Dec 23 2023 renmingshuai<renmingshuai@huawei.com> - 8.8p1-23
* Wed Jan 10 2024 renmingshuai<renmingshuai@huawei.com> - 8.8p1-26
- Type:CVE
- CVE:CVE-2023-48795
- SUG:NA
- DESC:fix CVE-2023-48795 by using the other patch instead
* Sat Dec 23 2023 renmingshuai<renmingshuai@huawei.com> - 8.8p1-25
- Type:CVE
- CVE:CVE-2023-48795,CVE-2023-51385
- SUG:NA
- DESC:fix CVE-2023-48795 and CVE-2023-51385
* Tue Aug 15 2023 renmingshuai<renmingshuai@huawei.com> - 8.8p1-22
* Tue Aug 15 2023 renmingshuai<renmingshuai@huawei.com> - 8.8p1-24
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:In channel_request_remote_forwarding the parameters
* Thu Jul 27 2023 renmingshuai <renmingshuai@huawei.com> - 8.8p1-21
* Thu Jul 27 2023 renmingshuai<renmingshuai@huawei.com> - 8.8p1-23
- Type:CVE
- CVE:CVE-2023-38408
- SUG:NA
- DESC:fix CVE-2023-38408
* Tue Jun 13 2023 renmingshuai <renmingshuai@huawei.com> - 8.8p1-20
* Wed Jun 7 2023 renmingshuai<renmingshuai@huawei.com> - 8.8p1-22
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:fix misspeling and enable dt tests
- DESC:fix misspelling
* Sat May 27 2023 renmingshuai <renmingshuai@huawei.com> - 8.8p1-19
* Sat May 27 2023 renmingshuai<renmingshuai@huawei.com> - 8.8p1-21
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:fix environment variable
* Wed Mar 8 2023 renmingshuai<renmingshuai@huawei.com> - 8.8p1-18
* Thu Mar 23 2023 renmingshuai<renmingshuai@huawei.com> - 8.8p1-20
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:backport some upstream patches and modify some patches numbers
* Thu Mar 09 2023 renmingshuai<renmingshuai@huawei.com> - 8.8p1-19
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:set default ssh config
* Mon Feb 06 2023 renmingshuai<renmingshuai@huawei.com> - 8.8p1-18
- Type:CVE
- CVE:CVE-2023-25136
- SUG:NA
- DESC:fix CVE-2023-25136
* Tue Feb 28 2023 renmingshuai<renmingshuai@huawei.com> - 8.8p1-17
* Fri Jan 06 2023 renmingshuai<renmingshuai@huawei.com> - 8.8p1-17
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:set default ssh_config
- DESC:fix test failure and enable make tests
* Fri Jan 06 2023 renmingshuai<renmingshuai@huawei.com> - 8.8p1-16
* Tue Jan 03 2023 renmingshuai<renmingshuai@huawei.com> - 8.8p1-16
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:fix tests failure and enable make tests
- DESC:always make tests
* Tue Jan 03 2023 renmingshuai<renmingshuai@huawei.com> - 8.8p1-15
* Thu Dec 29 2022 renmingshuai<renmingshuai@huawei.com> - 8.8p1-15
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:avoid integer overflow of auth attempts
- DESC:avoid integer overflow of auth attempts har
* Thu Dec 29 2022 renmingshuai<renmingshuai@huawei.com> - 8.8p1-14
* Fri Dec 16 2022 renmingshuai<renmingshuai@huawei.com> - 8.8p1-14
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:Fix ssh-keygen -Y check novalidate requires name
* Tue Dec 13 2022 renmingshuai<renmingshuai@huawei.com> - 8.8p1-13
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:add strict scp check for CVE-2020-15778
* Thu Dec 29 2022 renmingshuai<renmingshuai@huawei.com> - 8.8p1-13
- Type:requirement
- CVE:NA
- SUG:NA
- DESC:add loongarch
* Thu Dec 29 2022 renmingshuai<renmingshuai@huawei.com> - 8.8p1-12
* Tue Dec 13 2022 renmingshuai<renmingshuai@huawei.com> - 8.8p1-12
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:backport some upstream patches
* Thu Dec 29 2022 renmingshuai<renmingshuai@huawei.com> - 8.8p1-11
- Type:requirement
* Tue Dec 13 2022 renmingshuai<renmingshuai@huawei.com> - 8.8p1-11
- Type:feature
- CVE:NA
- SUG:NA
- DESC:Add loongarch64 architecture
* Tue Dec 13 2022 renmingshuai<renmingshuai@huawei.com> - 8.8p1-10
- Type:feature
- CVE:NA
- SUG:NA
- DESC:Add sw64 architecture
* Thu Dec 29 2022 renmingshuai<renmingshuai@huawei.com> - 8.8p1-10
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:fix ssh-keygen -Y check novalidate requires name
* Wed Dec 7 2022 duyiwei<duyiwei@kylinos.cn> - 8.8P1-9
- Type:bugfix
- CVE:NA
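Review bot: The 8.8p1-26 changelog entry "fix CVE-2023-48795 by using the other patch instead" does not say which patch was swapped, so an auditor cannot map the CVE to the code that actually landed; the rendered view does not mark old/new sides, but it appears that backport-CVE-2023-48795-upstream-implement-strict-key-exchange-in-ssh-and-ss.patch (Patch85 in one of the two lists) is replaced by Patch103 backport-CVE-2023-48795.patch. I would name both in the entry, e.g. `- DESC:fix CVE-2023-48795 by replacing backport-CVE-2023-48795-upstream-implement-strict-key-exchange-in-ssh-and-ss.patch with backport-CVE-2023-48795.patch`. On the same basis, backport-upstream-Refactor-creation-of-KEX-proposal.patch and backport-upstream-Limit-number-of-entries-in-SSH2_MSG_EXT_INF.patch seem to disappear from the Patch list while Patch98/Patch99 add compat_kex_proposal tests, so it is worth confirming in the description that Patch103 is self-contained and that the kex regress test still passes with the renumbered set. Finally, Patch96 (backport-Allow-writev-is-seccomp-sandbox.patch) widens the sshd pre-auth seccomp allowlist, which is the kind of sandbox change that should be called out explicitly in whichever changelog entry covers patches 81–99 (apparently 8.8p1-20, "backport some upstream patches") rather than folded into a generic description.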


@ -1,100 +0,0 @@
From a0772385f1b4086aacdc6d84a3daea4b2ef26f30 Mon Sep 17 00:00:00 2001
From: chengyechun <chengyechun1@huawei.com>
Date: Thu, 5 Jan 2023 23:43:22 +0800
Subject: [PATCH] skip tests for '%C' if there is no openssl on local path
---
regress/percent.sh | 24 +++++++++++----
...t-if-there-is-no-openssl-on-local-pa.patch | 30 +++++++++++++++++++
2 files changed, 48 insertions(+), 6 deletions(-)
create mode 100644 skip-percent-test-if-there-is-no-openssl-on-local-pa.patch
diff --git a/regress/percent.sh b/regress/percent.sh
index 7ed4184..9c112eb 100644
--- a/regress/percent.sh
+++ b/regress/percent.sh
@@ -13,6 +13,10 @@ USERID=`id -u`
HOST=`hostname | cut -f1 -d.`
HOSTNAME=`hostname`
+# Check if there is openssl in local PATH
+NOOPENSSL=0
+for i in $PATH;do [ -x "$i/openssl" ] && NOOPENSSL=1; done
+
# Localcommand is evaluated after connection because %T is not available
# until then. Because of this we use a different method of exercising it,
# and we can't override the remote user otherwise authentication will fail.
@@ -77,11 +81,14 @@ for i in matchexec localcommand remotecommand controlpath identityagent \
if [ "$i" = "$localcommand" ]; then
trial $i '%T' NONE
fi
- # Matches implementation in readconf.c:ssh_connection_hash()
- HASH=`printf "${HOSTNAME}127.0.0.1${PORT}$REMUSER" |
- $OPENSSL_BIN sha1 | cut -f2 -d' '`
+ # skip tests for '%C' since no openssl in local PATH
+ if [ $NOOPENSSL -eq 1 ]; then
+ # Matches implementation in readconf.c:ssh_connection_hash()
+ HASH=`printf "${HOSTNAME}127.0.0.1${PORT}$REMUSER" |
+ $OPENSSL_BIN sha1 | cut -f2 -d' '`
+ fi
trial $i '%%' '%'
- trial $i '%C' $HASH
+ if [ $NOOPENSSL -eq 1 ]; then trial $i '%C' $HASH; fi
trial $i '%i' $USERID
trial $i '%h' 127.0.0.1
trial $i '%L' $HOST
@@ -95,8 +102,13 @@ for i in matchexec localcommand remotecommand controlpath identityagent \
# containing %d for UserKnownHostsFile
if [ "$i" != "userknownhostsfile" ]; then
trial $i '%d' $HOME
- trial $i '%%/%C/%i/%h/%d/%L/%l/%n/%p/%r/%u' \
- "%/$HASH/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER"
+ if [ $NOOPENSSL -eq 0 ]; then
+ trial $i '%%/%i/%h/%d/%L/%l/%n/%p/%r/%u' \
+ "%/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER"
+ else
+ trial $i '%%/%C/%i/%h/%d/%L/%l/%n/%p/%r/%u' \
+ "%/$HASH/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER"
+ fi
fi
done
diff --git a/skip-percent-test-if-there-is-no-openssl-on-local-pa.patch b/skip-percent-test-if-there-is-no-openssl-on-local-pa.patch
new file mode 100644
index 0000000..c7af5d9
--- /dev/null
+++ b/skip-percent-test-if-there-is-no-openssl-on-local-pa.patch
@@ -0,0 +1,30 @@
+From 1da9e48b41ab6eca157d4fa3b74490510d9006ae Mon Sep 17 00:00:00 2001
+From: chengyechun <chengyechun1@huawei.com>
+Date: Thu, 5 Jan 2023 23:43:22 +0800
+Subject: [PATCH] skip percent test if there is no openssl on local path as
+ scp3 did
+
+---
+ regress/percent.sh | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/regress/percent.sh b/regress/percent.sh
+index 7ed4184..08afbc8 100644
+--- a/regress/percent.sh
++++ b/regress/percent.sh
+@@ -8,6 +8,12 @@ if [ -x "/usr/xpg4/bin/id" ]; then
+ export PATH
+ fi
+
++NOOPENSSL=0
++for i in $PATH;do [ -x "$i/openssl" ] && $OPENSSL=1; done
++if [ $? -eq 0 ]; then
++ skip "No openssl on local path."
++fi
++
+ USER=`id -u -n`
+ USERID=`id -u`
+ HOST=`hostname | cut -f1 -d.`
+--
+2.23.0
+
--
2.23.0