Hello community, here is the log from the commit of package openssh for openSUSE:Factory checked in at 2014-04-26 17:02:02 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openssh (Old) and /work/SRC/openSUSE:Factory/.openssh.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openssh" Changes: -------- --- /work/SRC/openSUSE:Factory/openssh/openssh.changes 2014-04-17 14:43:48.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.openssh.new/openssh.changes 2014-04-26 17:02:04.000000000 +0200 @@ -1,0 +2,7 @@ +Thu Apr 24 01:33:45 UTC 2014 - pce...@suse.com + +- curve25519 key exchange fix (-curve25519-6.6.1p1.patch) +- patch re-ordering (-audit3-key_auth_usage-fips.patch, + -audit4-kex_results-fips.patch) + +------------------------------------------------------------------- Old: ---- openssh-6.6p1-audit3_fips-key_auth_usage.patch openssh-6.6p1-audit4_fips-kex_results.patch New: ---- openssh-6.6p1-audit3-key_auth_usage-fips.patch openssh-6.6p1-audit4-kex_results-fips.patch openssh-6.6p1-curve25519-6.6.1p1.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openssh.spec ++++++ --- /var/tmp/diff_new_pack.5tvv9G/_old 2014-04-26 17:02:05.000000000 +0200 +++ /var/tmp/diff_new_pack.5tvv9G/_new 2014-04-26 17:02:05.000000000 +0200 @@ -108,6 +108,7 @@ Source8: sysconfig.ssh Source9: sshd-gen-keys-start Source10: sshd.service +Patch0: openssh-6.6p1-curve25519-6.6.1p1.patch Patch1: openssh-6.6p1-key-converter.patch Patch2: openssh-6.6p1-X11-forwarding.patch Patch3: openssh-6.6p1-lastlog.patch @@ -128,9 +129,9 @@ Patch18: openssh-6.6p1-audit1-remove_duplicit_audit.patch Patch19: openssh-6.6p1-audit2-better_audit_of_user_actions.patch Patch20: openssh-6.6p1-audit3-key_auth_usage.patch -Patch21: openssh-6.6p1-audit3_fips-key_auth_usage.patch +Patch21: openssh-6.6p1-audit3-key_auth_usage-fips.patch Patch22: openssh-6.6p1-audit4-kex_results.patch -Patch23: openssh-6.6p1-audit4_fips-kex_results.patch +Patch23: openssh-6.6p1-audit4-kex_results-fips.patch Patch24: openssh-6.6p1-audit5-session_key_destruction.patch Patch25: openssh-6.6p1-audit6-server_key_destruction.patch Patch26: openssh-6.6p1-audit7-libaudit_compat.patch 
@@ -180,6 +181,7 @@ %prep %setup -q +%patch0 -p2 #patch1 -p2 %patch2 -p2 %patch3 -p2 ++++++ openssh-6.6p1-X_forward_with_disabled_ipv6.patch ++++++ --- /var/tmp/diff_new_pack.5tvv9G/_old 2014-04-26 17:02:05.000000000 +0200 +++ /var/tmp/diff_new_pack.5tvv9G/_new 2014-04-26 17:02:05.000000000 +0200 @@ -1,5 +1,5 @@ # HG changeset patch -# Parent 73eb63cbbd603bf8c13995c478333c1b5a2a020a +# Parent 1055b218140c3cc19228c47878a68740363d80dd Do not throw away already open sockets for X11 forwarding if another socket family is not available for bind() ++++++ openssh-6.6p1-audit2-better_audit_of_user_actions.patch ++++++ --- /var/tmp/diff_new_pack.5tvv9G/_old 2014-04-26 17:02:05.000000000 +0200 +++ /var/tmp/diff_new_pack.5tvv9G/_new 2014-04-26 17:02:05.000000000 +0200 @@ -849,7 +849,7 @@ diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c --- a/openssh-6.6p1/sshd.c +++ b/openssh-6.6p1/sshd.c -@@ -2529,13 +2529,14 @@ cleanup_exit(int i) +@@ -2532,13 +2532,14 @@ cleanup_exit(int i) if (kill(pmonitor->m_pid, SIGKILL) != 0 && errno != ESRCH) error("%s: kill(%d): %s", __func__, ++++++ openssh-6.6p1-audit3-key_auth_usage-fips.patch ++++++ # HG changeset patch # Parent 5482d21e8bd06309af51dea77a5f3668859fb2a0 diff --git a/openssh-6.6p1/auth-rsa.c b/openssh-6.6p1/auth-rsa.c --- a/openssh-6.6p1/auth-rsa.c +++ b/openssh-6.6p1/auth-rsa.c @@ -94,16 +94,20 @@ int auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[SSH_DIGEST_MAX_LENGTH]) { u_char buf[2 * SSH_DIGEST_MAX_LENGTH], mdbuf[SSH_DIGEST_MAX_LENGTH]; struct ssh_digest_ctx *md; int len; int dgst; size_t dgst_len; + int rv; +#ifdef SSH_AUDIT_EVENTS + char *fp; +#endif /* don't allow short keys */ if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) { error("%s: RSA modulus too small: %d < minimum %d bits", __func__, BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE); return (0); } 
@@ -121,22 +125,28 @@ auth_rsa_verify_response(Key *key, BIGNU if ((md = ssh_digest_start(dgst)) == NULL || ssh_digest_update(md, buf, 2 * dgst_len) < 0 || ssh_digest_update(md, session_id, dgst_len) < 0 || ssh_digest_final(md, mdbuf, sizeof(mdbuf)) < 0) fatal("%s: md5 failed", __func__); ssh_digest_free(md); /* Verify that the response is the original challenge. */ - if (timingsafe_bcmp(response, mdbuf, dgst_len) != 0) { - /* Wrong answer. */ - return (0); + rv = timingsafe_bcmp(response, mdbuf, dgst_len) == 0; + +#ifdef SSH_AUDIT_EVENTS + fp = key_fingerprint(key, key_fp_type_select(), SSH_FP_HEX); + if (audit_keyusage(1, "ssh-rsa1", RSA_size(key->rsa) * 8, fp, rv) == 0) { + debug("unsuccessful audit"); + rv = 0; } - /* Correct answer. */ - return (1); + free(fp); +#endif + + return rv; } /* * Performs the RSA authentication challenge-response dialog with the client, * and returns true (non-zero) if the client gave the correct answer to * our challenge; returns zero if the client gives a wrong answer. */ ++++++ openssh-6.6p1-audit4-kex_results-fips.patch ++++++ # HG changeset patch # Parent 274a545b591567f1378c1086ad3ba40c911a8bd6 diff --git a/openssh-6.6p1/Makefile.in b/openssh-6.6p1/Makefile.in --- a/openssh-6.6p1/Makefile.in +++ b/openssh-6.6p1/Makefile.in 
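Review bot: In the `#ifdef SSH_AUDIT_EVENTS` block of auth_rsa_verify_response(), a failed `audit_keyusage()` call turns a correct response into a rejection but reports it only with `debug("unsuccessful audit")`, so at default log levels an administrator sees RSA1 logins fail with no recorded cause. Failing closed is the right behaviour; the message should be raised and made specific, e.g. `error("%s: audit record for key usage could not be written, rejecting authentication", __func__);`. The context line `fatal("%s: md5 failed", __func__)` also looks stale, since the `dgst`/`dgst_len` variables suggest the digest is now chosen at run time. Whether `key_fingerprint()` can return NULL when called with `key_fp_type_select()` is not visible in this hunk and is worth confirming before `fp` is handed to the audit call.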
@@ -72,17 +72,18 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \ monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \ msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ ssh-pkcs11.o krl.o smult_curve25519_ref.o \ kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \ ssh-ed25519.o digest-openssl.o hmac.o \ sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \ - fips.o + fips.o \ + auditstub.o SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect1.o sshconnect2.o mux.o \ roaming_common.o roaming_client.o SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ audit.o audit-bsm.o audit-linux.o platform.o \ sshpty.o sshlogin.o servconf.o serverloop.o \ diff --git a/openssh-6.6p1/cipher.c b/openssh-6.6p1/cipher.c --- a/openssh-6.6p1/cipher.c +++ b/openssh-6.6p1/cipher.c @@ -54,30 +54,16 @@ /* compatibility with old or broken OpenSSL versions */ #include "openbsd-compat/openssl-compat.h" extern const EVP_CIPHER *evp_ssh1_bf(void); extern const EVP_CIPHER *evp_ssh1_3des(void); extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int); -struct Cipher { - char *name; - int number; /* for ssh1 only */ - u_int block_size; - u_int key_len; - u_int iv_len; /* defaults to block_size */ - u_int auth_len; - u_int discard_len; - u_int flags; -#define CFLAG_CBC (1<<0) -#define CFLAG_CHACHAPOLY (1<<1) - const EVP_CIPHER *(*evptype)(void); -}; - static const struct Cipher ciphers_all[] = { { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null }, { "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc }, { "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des }, { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, 0, 1, evp_ssh1_bf }, { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc }, { "blowfish-cbc", 
diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c --- a/openssh-6.6p1/sshd.c +++ b/openssh-6.6p1/sshd.c @@ -119,16 +119,18 @@ #endif #include "monitor_wrap.h" #include "roaming.h" #include "ssh-sandbox.h" #include "version.h" #include "fips.h" +#include "audit.h" + #ifdef LIBWRAP #include <tcpd.h> #include <syslog.h> int allow_severity; int deny_severity; #endif /* LIBWRAP */ #ifndef O_NOCTTY ++++++ openssh-6.6p1-audit5-session_key_destruction.patch ++++++ --- /var/tmp/diff_new_pack.5tvv9G/_old 2014-04-26 17:02:05.000000000 +0200 +++ /var/tmp/diff_new_pack.5tvv9G/_new 2014-04-26 17:02:05.000000000 +0200 @@ -942,7 +942,7 @@ verbose("Closing connection to %.500s port %d", remote_ip, remote_port); #ifdef USE_PAM -@@ -2523,26 +2532,38 @@ do_ssh2_kex(void) +@@ -2526,26 +2535,38 @@ do_ssh2_kex(void) #endif debug("KEX done"); } ++++++ openssh-6.6p1-audit6-server_key_destruction.patch ++++++ --- /var/tmp/diff_new_pack.5tvv9G/_old 2014-04-26 17:02:05.000000000 +0200 +++ /var/tmp/diff_new_pack.5tvv9G/_new 2014-04-26 17:02:05.000000000 +0200 @@ -721,7 +721,7 @@ BN_clear_free(session_key_int); /* Set the session key. From this on all communications will be encrypted. */ -@@ -2553,16 +2603,18 @@ cleanup_exit(int i) +@@ -2556,16 +2606,18 @@ cleanup_exit(int i) debug("Killing privsep child %d", pmonitor->m_pid); if (kill(pmonitor->m_pid, SIGKILL) != 0 && errno != ESRCH) ++++++ openssh-6.6p1-curve25519-6.6.1p1.patch ++++++ # Date: Sun, 20 Apr 2014 17:14:08 +1000 (EST) # 
From: Damien Miller <d...@mindrot.org> # To: openssh-unix-...@mindrot.org # Subject: bad bignum encoding for curve25519-sha...@libssh.org # Message-ID: <alpine.bso.2.11.1404201713390.26...@natsu.mindrot.org> # # Hi, # # So I screwed up when writing the support for the curve25519 KEX method # that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left # leading zero bytes where they should have been skipped. The impact of # this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a # peer that implements curve25519-sha...@libssh.org properly about 0.2% # of the time (one in every 512ish connections). # # We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256 # key exchange for previous versions, but I'd recommend distributors # of OpenSSH apply this patch so the affected code doesn't become # too entrenched in LTS releases. # # The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as # to distinguish itself from the incorrect versions so the compatibility # code to disable the affected KEX isn't activated. # # I've committed this on the 6.6 branch too. # # Apologies for the hassle. # # -d diff --git a/openssh-6.6p1/bufaux.c b/openssh-6.6p1/bufaux.c --- a/openssh-6.6p1/bufaux.c +++ b/openssh-6.6p1/bufaux.c @@ -1,9 +1,9 @@ -/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */ +/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */ /* * Author: Tatu Ylonen <y...@cs.hut.fi> * Copyright (c) 1995 Tatu Ylonen <y...@cs.hut.fi>, Espoo, Finland * All rights reserved * Auxiliary functions for storing and retrieving various data types to/from * Buffers. * * As far as I am concerned, the code I have written for this software 
@@ -367,16 +367,19 @@ buffer_get_bignum2_as_string(Buffer *buf void buffer_put_bignum2_from_string(Buffer *buffer, const u_char *s, u_int l) { u_char *buf, *p; int pad = 0; if (l > 8 * 1024) fatal("%s: length %u too long", __func__, l); + /* Skip leading zero bytes */ + for (; l > 0 && *s == 0; l--, s++) + ; p = buf = xmalloc(l + 1); /* * If most significant bit is set then prepend a zero byte to * avoid interpretation as a negative number. */ if (l > 0 && (s[0] & 0x80) != 0) { *p++ = '\0'; pad = 1; diff --git a/openssh-6.6p1/compat.c b/openssh-6.6p1/compat.c --- a/openssh-6.6p1/compat.c +++ b/openssh-6.6p1/compat.c @@ -90,16 +90,19 @@ compat_datafellows(const char *version) SSH_OLD_FORWARD_ADDR}, { "OpenSSH_2.*," "OpenSSH_3.0*," "OpenSSH_3.1*", SSH_BUG_EXTEOF|SSH_OLD_FORWARD_ADDR}, { "OpenSSH_3.*", SSH_OLD_FORWARD_ADDR }, { "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF}, { "OpenSSH_4*", 0 }, { "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT}, + { "OpenSSH_6.6.1*", SSH_NEW_OPENSSH}, + { "OpenSSH_6.5*," + "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD}, { "OpenSSH*", SSH_NEW_OPENSSH }, { "*MindTerm*", 0 }, { "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| SSH_OLD_SESSIONID|SSH_BUG_DEBUG| SSH_BUG_RSASIGMD5|SSH_BUG_HBSERVICE| SSH_BUG_FIRSTKEX }, { "2.1 *", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| SSH_OLD_SESSIONID|SSH_BUG_DEBUG| 
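Review bot: The new zero-stripping loop in buffer_put_bignum2_from_string() can end with `l == 0` and `s` pointing one past the input when every byte is zero, and the comment does not say that this case is intended. The visible guard `if (l > 0 && (s[0] & 0x80) != 0)` keeps the next read safe, but the rest of the body lies outside the hunk, so any later use of `s` and `l` should be checked against the empty case. I would expand the comment to give the reason, e.g. `/* Skip leading zero bytes: an SSH mpint must not carry unnecessary leading zeros (RFC 4251, section 5) */`, and state that an all-zero input is encoded as a zero-length mpint.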
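Review bot: The two new rows in the compat_datafellows() table only work in this order, because `OpenSSH_6.6.1*` is also matched by `OpenSSH_6.6*`; the lookup loop is outside the hunk, so first-match-wins is presumed from how the existing rows are ordered (`OpenSSH_3.0*` before `OpenSSH_3.*`, `OpenSSH*` last). A comment on the first row would keep a later edit from re-sorting them, e.g. `/* must stay above "OpenSSH_6.6*": peers with the fixed curve25519 encoding */`. Detection is by banner only, so a build that carries the bufaux.c fix without the 6.6.1 version string loses curve25519 needlessly, and one that announces 6.6.1 without the fix would still fail intermittently; the bufaux.c and version.h changes should always be shipped together.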
@@ -246,22 +249,34 @@ compat_cipher_proposal(char *cipher_prop debug2("%s: original cipher proposal: %s", __func__, cipher_prop); cipher_prop = filter_proposal(cipher_prop, "aes*"); debug2("%s: compat cipher proposal: %s", __func__, cipher_prop); if (*cipher_prop == '\0') fatal("No supported ciphers found"); return cipher_prop; } - char * compat_pkalg_proposal(char *pkalg_prop) { if (!(datafellows & SSH_BUG_RSASIGMD5)) return pkalg_prop; debug2("%s: original public key proposal: %s", __func__, pkalg_prop); pkalg_prop = filter_proposal(pkalg_prop, "ssh-rsa"); debug2("%s: compat public key proposal: %s", __func__, pkalg_prop); if (*pkalg_prop == '\0') fatal("No supported PK algorithms found"); return pkalg_prop; } +char * +compat_kex_proposal(char *kex_prop) +{ + if (!(datafellows & SSH_BUG_CURVE25519PAD)) + return kex_prop; + debug2("%s: original KEX proposal: %s", __func__, kex_prop); + kex_prop = filter_proposal(kex_prop, "curve25519-sha...@libssh.org"); + debug2("%s: compat KEX proposal: %s", __func__, kex_prop); + if (*kex_prop == '\0') + fatal("No supported key exchange algorithms found"); + return kex_prop; +} + diff --git a/openssh-6.6p1/compat.h b/openssh-6.6p1/compat.h --- a/openssh-6.6p1/compat.h +++ b/openssh-6.6p1/compat.h @@ -54,20 +54,22 @@ #define SSH_BUG_DUMMYCHAN 0x00100000 #define SSH_BUG_EXTEOF 0x00200000 #define SSH_BUG_PROBE 0x00400000 #define SSH_BUG_FIRSTKEX 0x00800000 #define SSH_OLD_FORWARD_ADDR 0x01000000 #define SSH_BUG_RFWD_ADDR 0x02000000 #define SSH_NEW_OPENSSH 0x04000000 #define SSH_BUG_DYNAMIC_RPORT 0x08000000 +#define SSH_BUG_CURVE25519PAD 0x10000000 void enable_compat13(void); void enable_compat20(void); void compat_datafellows(const char *); int proto_spec(const char *); char *compat_cipher_proposal(char *); char *compat_pkalg_proposal(char *); +char *compat_kex_proposal(char *); extern int compat13; extern int compat20; extern int datafellows; #endif diff --git a/openssh-6.6p1/sshconnect2.c b/openssh-6.6p1/sshconnect2.c 
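Review bot: compat_kex_proposal() ends in `fatal("No supported key exchange algorithms found")` when filtering empties the list, which is what happens if KexAlgorithms names only the curve25519 method and the peer announces 6.5 or 6.6; the message gives no hint that the peer's version caused it, and the before/after lists are logged only at debug2. I would name the cause in the message, e.g. `fatal("No supported key exchange algorithms left after disabling curve25519 for this peer");`. The function also deserves a short header comment saying that it removes `curve25519-sha256@libssh.org` from the proposal for peers flagged `SSH_BUG_CURVE25519PAD`. The pattern string as rendered on this page appears to have been mangled by the archive's e-mail address obfuscation, so the literal should be taken from the original patch rather than copied from here.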
--- a/openssh-6.6p1/sshconnect2.c +++ b/openssh-6.6p1/sshconnect2.c @@ -190,16 +190,18 @@ ssh_kex2(char *host, struct sockaddr *ho else { /* Prefer algorithms that we already have keys for */ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( order_hostkeyalgs(host, hostaddr, port)); } if (options.kex_algorithms != NULL) myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; + myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( + myproposal[PROPOSAL_KEX_ALGS]); if (options.rekey_limit || options.rekey_interval) packet_set_rekey_limits((u_int32_t)options.rekey_limit, (time_t)options.rekey_interval); /* start key exchange */ kex = kex_setup(myproposal); kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client; diff --git a/openssh-6.6p1/sshd.c b/openssh-6.6p1/sshd.c --- a/openssh-6.6p1/sshd.c +++ b/openssh-6.6p1/sshd.c @@ -2457,16 +2457,19 @@ do_ssh2_kex(void) myproposal[PROPOSAL_COMP_ALGS_STOC] = "none"; } else if (options.compression == COMP_DELAYED) { myproposal[PROPOSAL_COMP_ALGS_CTOS] = myproposal[PROPOSAL_COMP_ALGS_STOC] = "none,z...@openssh.com"; } if (options.kex_algorithms != NULL) myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; + myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( + myproposal[PROPOSAL_KEX_ALGS]); + if (options.rekey_limit || options.rekey_interval) packet_set_rekey_limits((u_int32_t)options.rekey_limit, (time_t)options.rekey_interval); myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( list_hostkey_types()); /* start key exchange */ diff --git a/openssh-6.6p1/version.h b/openssh-6.6p1/version.h --- a/openssh-6.6p1/version.h +++ b/openssh-6.6p1/version.h 
@@ -1,6 +1,6 @@ /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */ -#define SSH_VERSION "OpenSSH_6.6" +#define SSH_VERSION "OpenSSH_6.6.1" #define SSH_PORTABLE "p1" #define SSH_RELEASE SSH_VERSION SSH_PORTABLE ++++++ openssh-6.6p1-fingerprint_hash.patch ++++++ --- /var/tmp/diff_new_pack.5tvv9G/_old 2014-04-26 17:02:05.000000000 +0200 +++ /var/tmp/diff_new_pack.5tvv9G/_new 2014-04-26 17:02:05.000000000 +0200 @@ -1,5 +1,5 @@ # HG changeset patch -# Parent a3a898b117b0f726e6cc923f18463de8e45e74f5 +# Parent 8b2615db484b7061edd15f3bee36958f790f790e # select fingerprint hash algorithms based on the environment variable # SSH_FP_TYPE_ENVVAR and append it to hex and randomart fingerprints @@ -690,7 +690,7 @@ diff --git a/openssh-6.6p1/sshconnect2.c b/openssh-6.6p1/sshconnect2.c --- a/openssh-6.6p1/sshconnect2.c +++ b/openssh-6.6p1/sshconnect2.c -@@ -577,17 +577,17 @@ input_userauth_pk_ok(int type, u_int32_t +@@ -579,17 +579,17 @@ input_userauth_pk_ok(int type, u_int32_t goto done; } if (key->type != pktype) { @@ -709,7 +709,7 @@ * moved to the end of the queue. this also avoids confusion by * duplicate keys */ -@@ -988,17 +988,17 @@ sign_and_send_pubkey(Authctxt *authctxt, +@@ -990,17 +990,17 @@ sign_and_send_pubkey(Authctxt *authctxt, Buffer b; u_char *blob, *signature; u_int bloblen, slen; ++++++ openssh-6.6p1-fips-checks.patch ++++++ --- /var/tmp/diff_new_pack.5tvv9G/_old 2014-04-26 17:02:05.000000000 +0200 +++ /var/tmp/diff_new_pack.5tvv9G/_new 2014-04-26 17:02:05.000000000 +0200 
@@ -1,5 +1,17 @@ # HG changeset patch -# Parent 12ad7b6077ef9c6b3a3a53b4f0084c3eb2f80fe7 +# Parent 717873621cf4991164c61caafd9ac07473231f10 +# Simple implementation of FIPS 140-2 selfchecks. Use OpenSSL to generate and +# verify checksums of binaries. Any hash iused in OpenSSH can be used (MD5 would +# obviously be a poor choice, since OpenSSL would barf and abort immediately in +# FIPS mode). SHA-2 seems to be a reasonable choice. +# +# The logic of the checks is as follows: decide whether FIPS mode is mandated +# (either by checking /proc/sys/crypto/fips_enabled or envoroinment variable +# SSH_FORCE_FIPS. In FIPS mode, checksums are required to match (inability to +# retrieve pre-calculated hash is a fatal error). In non-FIPS mode the checks +# still must be performed, unless the hashes are not installed. Thus if the hash +# file is not found (or the hash matches), proceed in non-FIPS mode and abort +# otherwise. diff --git a/openssh-6.6p1/fips-check.c b/openssh-6.6p1/fips-check.c new file mode 100644 ++++++ openssh-6.6p1-fips.patch ++++++ --- /var/tmp/diff_new_pack.5tvv9G/_old 2014-04-26 17:02:05.000000000 +0200 +++ /var/tmp/diff_new_pack.5tvv9G/_new 2014-04-26 17:02:05.000000000 +0200 @@ -2,7 +2,7 @@ # when OpenSSL is detected to be running in FIPS mode # # HG changeset patch -# Parent ff04a9a96b7c41e99445c68d91911a9a1474ffa2 +# Parent 844066cb9c0ec2b10eb1ace7134f7bced7cc802d diff --git a/openssh-6.6p1/Makefile.in b/openssh-6.6p1/Makefile.in --- a/openssh-6.6p1/Makefile.in @@ -66,7 +66,7 @@ + u_char buf[2 * SSH_DIGEST_MAX_LENGTH], mdbuf[SSH_DIGEST_MAX_LENGTH]; struct ssh_digest_ctx *md; int len; -+ int dgst; ++ int dgst; + size_t dgst_len; /* don't allow short keys */ 
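Review bot: The added description says that in non-FIPS mode a missing hash file lets the self-check pass, which means the check can catch accidental corruption but not a modification by anyone who can also delete or replace the hash file; the comment should say so, so that the check is not mistaken for tamper protection. The implementation in fips-check.c is not shown on this page, so this is read from the description alone. The text also has typos (`iused`, `envoroinment`) and an unclosed parenthesis after `(either by checking`.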
@@ -78,7 +78,7 @@ } - /* The response is MD5 of decrypted challenge plus session id. */ -+ dgst = fips_correct_dgst(SSH_DIGEST_MD5); ++ dgst = fips_correct_dgst(SSH_DIGEST_MD5); + dgst_len = ssh_digest_bytes(dgst); + + /* The response is a hash of decrypted challenge plus session id. ++++++ openssh-6.6p1-gssapi_key_exchange.patch ++++++ --- /var/tmp/diff_new_pack.5tvv9G/_old 2014-04-26 17:02:05.000000000 +0200 +++ /var/tmp/diff_new_pack.5tvv9G/_new 2014-04-26 17:02:05.000000000 +0200 @@ -1,5 +1,5 @@ # HG changeset patch -# Parent b50b01e06558d268ae59e8be8c1a41fde44fc70d +# Parent 0b2761bdc8c2071a11ca24387c3f58be2fdbaa5e diff --git a/openssh-6.6p1/ChangeLog.gssapi b/openssh-6.6p1/ChangeLog.gssapi new file mode 100644 @@ -3239,14 +3239,14 @@ myproposal[PROPOSAL_ENC_ALGS_CTOS] = myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers; } else if (fips_mode()) { -@@ -203,32 +228,63 @@ ssh_kex2(char *host, struct sockaddr *ho - /* Prefer algorithms that we already have keys for */ - myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = +@@ -205,32 +230,63 @@ ssh_kex2(char *host, struct sockaddr *ho compat_pkalg_proposal( order_hostkeyalgs(host, hostaddr, port)); } if (options.kex_algorithms != NULL) myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; + myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( + myproposal[PROPOSAL_KEX_ALGS]); +#ifdef GSSAPI + /* If we've got GSSAPI algorithms, then we also support the @@ -3291,7 +3291,7 @@ + kex->gss_host = options.gss_server_identity; + } else { + kex->gss_host = gss_host; -+ } ++ } + } +#endif + @@ -3303,7 +3303,7 @@ debug("Roaming not allowed by server"); options.use_roaming = 0; } -@@ -308,31 +364,37 @@ int userauth_hostbased(Authctxt *); +@@ -310,31 +366,37 @@ int userauth_hostbased(Authctxt *); #ifdef GSSAPI int userauth_gssapi(Authctxt *authctxt); @@ -3341,7 +3341,7 @@ {"gssapi", userauth_gssapi, NULL, -@@ -624,29 +686,41 @@ done: +@@ -626,29 +688,41 @@ done: int userauth_gssapi(Authctxt *authctxt) { 
@@ -3385,7 +3385,7 @@ if (!ok) return 0; -@@ -735,18 +809,18 @@ process_gssapi_token(void *ctxt, gss_buf +@@ -737,18 +811,18 @@ process_gssapi_token(void *ctxt, gss_buf } /* ARGSUSED */ @@ -3406,7 +3406,7 @@ /* Setup our OID */ oidv = packet_get_string(&oidlen); -@@ -845,16 +919,58 @@ input_gssapi_error(int type, u_int32_t p +@@ -847,16 +921,58 @@ input_gssapi_error(int type, u_int32_t p lang=packet_get_string(NULL); packet_check_eom(); @@ -3655,7 +3655,7 @@ * mode; it is just annoying to have the server exit just when you * are about to discover the bug. */ -@@ -2559,24 +2674,73 @@ do_ssh2_kex(void) +@@ -2562,24 +2677,73 @@ do_ssh2_kex(void) if (options.rekey_limit || options.rekey_interval) packet_set_rekey_limits((u_int32_t)options.rekey_limit, ++++++ openssh-6.6p1-gssapimitm.patch ++++++ --- /var/tmp/diff_new_pack.5tvv9G/_old 2014-04-26 17:02:05.000000000 +0200 +++ /var/tmp/diff_new_pack.5tvv9G/_new 2014-04-26 17:02:05.000000000 +0200 @@ -356,7 +356,7 @@ diff --git a/openssh-6.6p1/sshconnect2.c b/openssh-6.6p1/sshconnect2.c --- a/openssh-6.6p1/sshconnect2.c +++ b/openssh-6.6p1/sshconnect2.c -@@ -316,16 +316,21 @@ static char *authmethods_get(void); +@@ -318,16 +318,21 @@ static char *authmethods_get(void); Authmethod authmethods[] = { #ifdef GSSAPI @@ -378,7 +378,7 @@ NULL}, {"publickey", userauth_pubkey, -@@ -683,17 +688,19 @@ process_gssapi_token(void *ctxt, gss_buf +@@ -685,17 +690,19 @@ process_gssapi_token(void *ctxt, gss_buf packet_put_string(send_tok.value, send_tok.length); packet_send(); ++++++ openssh-6.6p1-seccomp_getuid.patch ++++++ --- /var/tmp/diff_new_pack.5tvv9G/_old 2014-04-26 17:02:05.000000000 +0200 +++ /var/tmp/diff_new_pack.5tvv9G/_new 2014-04-26 17:02:05.000000000 +0200 
@@ -1,5 +1,5 @@ # HG changeset patch -# Parent 47040f4641d43b039f19c8c902b0259729bb88e2 +# Parent bde6f1a808f345e141a976ebc3e37903c81a09cb add 'getuid' syscall to list of allowed ones to prevent the sanboxed thread from being killed by the seccomp filter -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org