Compare commits
2 Commits
206625f14e
...
2dd5536906
| Author | SHA1 | Date | |
|---|---|---|---|
| 2dd5536906 | |||
| e6f77535ec |
File diff suppressed because it is too large
Load Diff
118
openssh/openssh-9.7p1-negotiate-supported-algs.patch
Normal file
118
openssh/openssh-9.7p1-negotiate-supported-algs.patch
Normal file
@ -0,0 +1,118 @@
|
||||
diff -up openssh-9.3p1/regress/hostkey-agent.sh.xxx openssh-9.3p1/regress/hostkey-agent.sh
|
||||
--- openssh-9.3p1/regress/hostkey-agent.sh.xxx 2023-05-29 18:15:56.311236887 +0200
|
||||
+++ openssh-9.3p1/regress/hostkey-agent.sh 2023-05-29 18:16:07.598503551 +0200
|
||||
@@ -17,8 +17,21 @@ trace "make CA key"
|
||||
|
||||
${SSHKEYGEN} -qt ed25519 -f $OBJ/agent-ca -N '' || fatal "ssh-keygen CA"
|
||||
|
||||
+PUBKEY_ACCEPTED_ALGOS=`$SSH -G "example.com" | \
|
||||
+ grep -i "PubkeyAcceptedAlgorithms" | cut -d ' ' -f2- | tr "," "|"`
|
||||
+SSH_ACCEPTED_KEYTYPES=`echo "$SSH_KEYTYPES" | egrep "$PUBKEY_ACCEPTED_ALGOS"`
|
||||
+echo $PUBKEY_ACCEPTED_ALGOS | grep "rsa"
|
||||
+r=$?
|
||||
+if [ $r == 0 ]; then
|
||||
+echo $SSH_ACCEPTED_KEYTYPES | grep "rsa"
|
||||
+r=$?
|
||||
+if [ $r -ne 0 ]; then
|
||||
+SSH_ACCEPTED_KEYTYPES="$SSH_ACCEPTED_KEYTYPES ssh-rsa"
|
||||
+fi
|
||||
+fi
|
||||
+
|
||||
trace "load hostkeys"
|
||||
-for k in $SSH_KEYTYPES ; do
|
||||
+for k in $SSH_ACCEPTED_KEYTYPES ; do
|
||||
${SSHKEYGEN} -qt $k -f $OBJ/agent-key.$k -N '' || fatal "ssh-keygen $k"
|
||||
${SSHKEYGEN} -s $OBJ/agent-ca -qh -n localhost-with-alias \
|
||||
-I localhost-with-alias $OBJ/agent-key.$k.pub || \
|
||||
@@ -32,12 +48,16 @@ rm $OBJ/agent-ca # Don't need CA private
|
||||
|
||||
unset SSH_AUTH_SOCK
|
||||
|
||||
-for k in $SSH_KEYTYPES ; do
|
||||
+for k in $SSH_ACCEPTED_KEYTYPES ; do
|
||||
verbose "key type $k"
|
||||
+ hka=$k
|
||||
+ if [ $k = "ssh-rsa" ]; then
|
||||
+ hka="rsa-sha2-512"
|
||||
+ fi
|
||||
cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
|
||||
- echo "HostKeyAlgorithms $k" >> $OBJ/sshd_proxy
|
||||
+ echo "HostKeyAlgorithms $hka" >> $OBJ/sshd_proxy
|
||||
echo "Hostkey $OBJ/agent-key.${k}" >> $OBJ/sshd_proxy
|
||||
- opts="-oHostKeyAlgorithms=$k -F $OBJ/ssh_proxy"
|
||||
+ opts="-oHostKeyAlgorithms=$hka -F $OBJ/ssh_proxy"
|
||||
( printf 'localhost-with-alias,127.0.0.1,::1 ' ;
|
||||
cat $OBJ/agent-key.$k.pub) > $OBJ/known_hosts
|
||||
SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'`
|
||||
@@ -50,15 +70,16 @@ for k in $SSH_KEYTYPES ; do
|
||||
done
|
||||
|
||||
SSH_CERTTYPES=`ssh -Q key-sig | grep 'cert-v01@openssh.com'`
|
||||
+SSH_ACCEPTED_CERTTYPES=`echo "$SSH_CERTTYPES" | egrep "$PUBKEY_ACCEPTED_ALGOS"`
|
||||
|
||||
# Prepare sshd_proxy for certificates.
|
||||
cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
|
||||
HOSTKEYALGS=""
|
||||
-for k in $SSH_CERTTYPES ; do
|
||||
+for k in $SSH_ACCEPTED_CERTTYPES ; do
|
||||
test -z "$HOSTKEYALGS" || HOSTKEYALGS="${HOSTKEYALGS},"
|
||||
HOSTKEYALGS="${HOSTKEYALGS}${k}"
|
||||
done
|
||||
-for k in $SSH_KEYTYPES ; do
|
||||
+for k in $SSH_ACCEPTED_KEYTYPES ; do
|
||||
echo "Hostkey $OBJ/agent-key.${k}.pub" >> $OBJ/sshd_proxy
|
||||
echo "HostCertificate $OBJ/agent-key.${k}-cert.pub" >> $OBJ/sshd_proxy
|
||||
test -f $OBJ/agent-key.${k}.pub || fatal "no $k key"
|
||||
@@ -70,7 +93,7 @@ echo "HostKeyAlgorithms $HOSTKEYALGS" >>
|
||||
( printf '@cert-authority localhost-with-alias ' ;
|
||||
cat $OBJ/agent-ca.pub) > $OBJ/known_hosts
|
||||
|
||||
-for k in $SSH_CERTTYPES ; do
|
||||
+for k in $SSH_ACCEPTED_CERTTYPES ; do
|
||||
verbose "cert type $k"
|
||||
opts="-oHostKeyAlgorithms=$k -F $OBJ/ssh_proxy"
|
||||
SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'`
|
||||
diff -up openssh-9.3p1/sshconnect2.c.xxx openssh-9.3p1/sshconnect2.c
|
||||
--- openssh-9.3p1/sshconnect2.c.xxx 2023-04-26 17:37:35.100827792 +0200
|
||||
+++ openssh-9.3p1/sshconnect2.c 2023-04-26 17:50:31.860748877 +0200
|
||||
@@ -221,7 +221,7 @@
|
||||
const struct ssh_conn_info *cinfo)
|
||||
{
|
||||
char *myproposal[PROPOSAL_MAX];
|
||||
- char *all_key, *hkalgs = NULL;
|
||||
+ char *s, *all_key, *hkalgs = NULL, *filtered_algs = NULL;
|
||||
int r, use_known_hosts_order = 0;
|
||||
|
||||
#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
||||
@@ -257,10 +257,22 @@
|
||||
if (use_known_hosts_order)
|
||||
hkalgs = order_hostkeyalgs(host, hostaddr, port, cinfo);
|
||||
|
||||
+ filtered_algs = hkalgs ? match_filter_allowlist(hkalgs, options.pubkey_accepted_algos)
|
||||
+ : match_filter_allowlist(options.hostkeyalgorithms,
|
||||
+ options.pubkey_accepted_algos);
|
||||
+ if (filtered_algs == NULL) {
|
||||
+ if (hkalgs)
|
||||
+ fatal_f("No match between algorithms for %s (host %s) and pubkey accepted algorithms %s",
|
||||
+ hkalgs, host, options.pubkey_accepted_algos);
|
||||
+ else
|
||||
+ fatal_f("No match between host key algorithms %s and pubkey accepted algorithms %s",
|
||||
+ options.hostkeyalgorithms, options.pubkey_accepted_algos);
|
||||
+ }
|
||||
+
|
||||
kex_proposal_populate_entries(ssh, myproposal,
|
||||
options.kex_algorithms, options.ciphers, options.macs,
|
||||
compression_alg_list(options.compression),
|
||||
- hkalgs ? hkalgs : options.hostkeyalgorithms);
|
||||
+ filtered_algs);
|
||||
|
||||
#if defined(GSSAPI) && defined(WITH_OPENSSL)
|
||||
if (options.gss_keyex) {
|
||||
@@ -304,6 +316,7 @@
|
||||
#endif
|
||||
|
||||
free(hkalgs);
|
||||
+ free(filtered_algs);
|
||||
|
||||
/* start key exchange */
|
||||
if ((r = kex_setup(ssh, myproposal)) != 0)
|
||||
@ -1,6 +1,6 @@
|
||||
diff -up openssh-8.7p1/compat.c.sshrsacheck openssh-8.7p1/compat.c
|
||||
--- openssh-8.7p1/compat.c.sshrsacheck 2023-01-12 13:29:06.338710923 +0100
|
||||
+++ openssh-8.7p1/compat.c 2023-01-12 13:29:06.357711165 +0100
|
||||
diff -up openssh-9.7p1/compat.c.sshrsacheck openssh-9.7p1/compat.c
|
||||
--- openssh-9.7p1/compat.c.sshrsacheck 2023-01-12 13:29:06.338710923 +0100
|
||||
+++ openssh-9.7p1/compat.c 2023-01-12 13:29:06.357711165 +0100
|
||||
@@ -43,6 +43,7 @@ void
|
||||
compat_banner(struct ssh *ssh, const char *version)
|
||||
{
|
||||
@ -31,9 +31,9 @@ diff -up openssh-8.7p1/compat.c.sshrsacheck openssh-8.7p1/compat.c
|
||||
}
|
||||
|
||||
/* Always returns pointer to allocated memory, caller must free. */
|
||||
diff -up openssh-8.7p1/compat.h.sshrsacheck openssh-8.7p1/compat.h
|
||||
--- openssh-8.7p1/compat.h.sshrsacheck 2021-08-20 06:03:49.000000000 +0200
|
||||
+++ openssh-8.7p1/compat.h 2023-01-12 13:29:06.358711178 +0100
|
||||
diff -up openssh-9.7p1/compat.h.sshrsacheck openssh-9.7p1/compat.h
|
||||
--- openssh-9.7p1/compat.h.sshrsacheck 2021-08-20 06:03:49.000000000 +0200
|
||||
+++ openssh-9.7p1/compat.h 2023-01-12 13:29:06.358711178 +0100
|
||||
@@ -30,7 +30,7 @@
|
||||
#define SSH_BUG_UTF8TTYMODE 0x00000001
|
||||
#define SSH_BUG_SIGTYPE 0x00000002
|
||||
@ -43,9 +43,9 @@ diff -up openssh-8.7p1/compat.h.sshrsacheck openssh-8.7p1/compat.h
|
||||
#define SSH_OLD_SESSIONID 0x00000010
|
||||
/* #define unused 0x00000020 */
|
||||
#define SSH_BUG_DEBUG 0x00000040
|
||||
diff -up openssh-8.7p1/monitor.c.sshrsacheck openssh-8.7p1/monitor.c
|
||||
--- openssh-8.7p1/monitor.c.sshrsacheck 2023-01-20 13:07:54.279676981 +0100
|
||||
+++ openssh-8.7p1/monitor.c 2023-01-20 15:01:07.007821379 +0100
|
||||
diff -up openssh-9.7p1/monitor.c.sshrsacheck openssh-9.7p1/monitor.c
|
||||
--- openssh-9.7p1/monitor.c.sshrsacheck 2023-01-20 13:07:54.279676981 +0100
|
||||
+++ openssh-9.7p1/monitor.c 2023-01-20 15:01:07.007821379 +0100
|
||||
@@ -660,11 +660,12 @@ mm_answer_sign(struct ssh *ssh, int sock
|
||||
struct sshkey *key;
|
||||
struct sshbuf *sigbuf = NULL;
|
||||
@ -94,9 +94,9 @@ diff -up openssh-8.7p1/monitor.c.sshrsacheck openssh-8.7p1/monitor.c
|
||||
is_proof ? "hostkey proof" : "KEX", siglen);
|
||||
|
||||
sshbuf_reset(m);
|
||||
diff -up openssh-8.7p1/regress/cert-userkey.sh.sshrsacheck openssh-8.7p1/regress/cert-userkey.sh
|
||||
--- openssh-8.7p1/regress/cert-userkey.sh.sshrsacheck 2023-01-25 14:26:52.885963113 +0100
|
||||
+++ openssh-8.7p1/regress/cert-userkey.sh 2023-01-25 14:27:25.757219800 +0100
|
||||
diff -up openssh-9.7p1/regress/cert-userkey.sh.sshrsacheck openssh-9.7p1/regress/cert-userkey.sh
|
||||
--- openssh-9.7p1/regress/cert-userkey.sh.sshrsacheck 2023-01-25 14:26:52.885963113 +0100
|
||||
+++ openssh-9.7p1/regress/cert-userkey.sh 2023-01-25 14:27:25.757219800 +0100
|
||||
@@ -7,7 +7,8 @@ rm -f $OBJ/authorized_keys_$USER $OBJ/us
|
||||
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
|
||||
cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
|
||||
@ -107,9 +107,9 @@ diff -up openssh-8.7p1/regress/cert-userkey.sh.sshrsacheck openssh-8.7p1/regress
|
||||
EXTRA_TYPES=""
|
||||
rsa=""
|
||||
|
||||
diff -up openssh-8.7p1/regress/Makefile.sshrsacheck openssh-8.7p1/regress/Makefile
|
||||
--- openssh-8.7p1/regress/Makefile.sshrsacheck 2023-01-20 13:07:54.169676051 +0100
|
||||
+++ openssh-8.7p1/regress/Makefile 2023-01-20 13:07:54.290677074 +0100
|
||||
diff -up openssh-9.7p1/regress/Makefile.sshrsacheck openssh-9.7p1/regress/Makefile
|
||||
--- openssh-9.7p1/regress/Makefile.sshrsacheck 2023-01-20 13:07:54.169676051 +0100
|
||||
+++ openssh-9.7p1/regress/Makefile 2023-01-20 13:07:54.290677074 +0100
|
||||
@@ -2,7 +2,8 @@
|
||||
|
||||
tests: prep file-tests t-exec unit
|
||||
@ -120,9 +120,9 @@ diff -up openssh-8.7p1/regress/Makefile.sshrsacheck openssh-8.7p1/regress/Makefi
|
||||
|
||||
# File based tests
|
||||
file-tests: $(REGRESS_TARGETS)
|
||||
diff -up openssh-8.7p1/regress/test-exec.sh.sshrsacheck openssh-8.7p1/regress/test-exec.sh
|
||||
--- openssh-8.7p1/regress/test-exec.sh.sshrsacheck 2023-01-25 14:24:54.778040819 +0100
|
||||
+++ openssh-8.7p1/regress/test-exec.sh 2023-01-25 14:26:39.500858590 +0100
|
||||
diff -up openssh-9.7p1/regress/test-exec.sh.sshrsacheck openssh-9.7p1/regress/test-exec.sh
|
||||
--- openssh-9.7p1/regress/test-exec.sh.sshrsacheck 2023-01-25 14:24:54.778040819 +0100
|
||||
+++ openssh-9.7p1/regress/test-exec.sh 2023-01-25 14:26:39.500858590 +0100
|
||||
@@ -581,8 +581,9 @@ maybe_filter_sk() {
|
||||
fi
|
||||
}
|
||||
@ -135,10 +135,10 @@ diff -up openssh-8.7p1/regress/test-exec.sh.sshrsacheck openssh-8.7p1/regress/te
|
||||
|
||||
for t in ${SSH_KEYTYPES}; do
|
||||
# generate user key
|
||||
diff -up openssh-8.7p1/regress/unittests/kex/test_kex.c.sshrsacheck openssh-8.7p1/regress/unittests/kex/test_kex.c
|
||||
--- openssh-8.7p1/regress/unittests/kex/test_kex.c.sshrsacheck 2023-01-26 13:34:52.645743677 +0100
|
||||
+++ openssh-8.7p1/regress/unittests/kex/test_kex.c 2023-01-26 13:36:56.220745823 +0100
|
||||
@@ -97,7 +97,8 @@ do_kex_with_key(char *kex, int keytype,
|
||||
diff -up openssh-9.7p1/regress/unittests/kex/test_kex.c.sshrsacheck openssh-9.7p1/regress/unittests/kex/test_kex.c
|
||||
--- openssh-9.7p1/regress/unittests/kex/test_kex.c.nosha1hostproof 2024-03-11 11:20:49.000000000 +0600
|
||||
+++ openssh-9.7p1/regress/unittests/kex/test_kex.c 2024-03-21 21:26:44.502547206 +0600
|
||||
@@ -96,7 +96,8 @@
|
||||
memcpy(kex_params.proposal, myproposal, sizeof(myproposal));
|
||||
if (kex != NULL)
|
||||
kex_params.proposal[PROPOSAL_KEX_ALGS] = kex;
|
||||
@ -148,18 +148,19 @@ diff -up openssh-8.7p1/regress/unittests/kex/test_kex.c.sshrsacheck openssh-8.7p
|
||||
ASSERT_PTR_NE(keyname, NULL);
|
||||
kex_params.proposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = keyname;
|
||||
ASSERT_INT_EQ(ssh_init(&client, 0, &kex_params), 0);
|
||||
@@ -180,7 +181,7 @@ do_kex(char *kex)
|
||||
{
|
||||
@@ -180,7 +181,7 @@
|
||||
#ifdef WITH_OPENSSL
|
||||
do_kex_with_key(kex, KEY_RSA, 2048);
|
||||
#ifdef WITH_DSA
|
||||
- do_kex_with_key(kex, KEY_DSA, 1024);
|
||||
+ /* do_kex_with_key(kex, KEY_DSA, 1024); */
|
||||
#endif
|
||||
#ifdef OPENSSL_HAS_ECC
|
||||
do_kex_with_key(kex, KEY_ECDSA, 256);
|
||||
#endif /* OPENSSL_HAS_ECC */
|
||||
diff -up openssh-8.7p1/regress/unittests/sshkey/test_file.c.sshrsacheck openssh-8.7p1/regress/unittests/sshkey/test_file.c
|
||||
--- openssh-8.7p1/regress/unittests/sshkey/test_file.c.sshrsacheck 2023-01-26 12:04:55.946343408 +0100
|
||||
+++ openssh-8.7p1/regress/unittests/sshkey/test_file.c 2023-01-26 12:06:35.235164432 +0100
|
||||
|
||||
diff -up openssh-9.7p1/regress/unittests/sshkey/test_file.c.sshrsacheck openssh-9.7p1/regress/unittests/sshkey/test_file.c
|
||||
--- openssh-9.7p1/regress/unittests/sshkey/test_file.c.sshrsacheck 2023-01-26 12:04:55.946343408 +0100
|
||||
+++ openssh-9.7p1/regress/unittests/sshkey/test_file.c 2023-01-26 12:06:35.235164432 +0100
|
||||
@@ -110,6 +110,7 @@ sshkey_file_tests(void)
|
||||
sshkey_free(k2);
|
||||
TEST_DONE();
|
||||
@ -177,10 +178,10 @@ diff -up openssh-8.7p1/regress/unittests/sshkey/test_file.c.sshrsacheck openssh-
|
||||
|
||||
TEST_START("load RSA cert with SHA512 signature");
|
||||
ASSERT_INT_EQ(sshkey_load_cert(test_data_file("rsa_1_sha512"), &k2), 0);
|
||||
diff -up openssh-8.7p1/regress/unittests/sshkey/test_fuzz.c.sshrsacheck openssh-8.7p1/regress/unittests/sshkey/test_fuzz.c
|
||||
--- openssh-8.7p1/regress/unittests/sshkey/test_fuzz.c.sshrsacheck 2023-01-26 12:10:37.533168013 +0100
|
||||
+++ openssh-8.7p1/regress/unittests/sshkey/test_fuzz.c 2023-01-26 12:15:35.637631860 +0100
|
||||
@@ -333,13 +333,14 @@ sshkey_fuzz_tests(void)
|
||||
diff -up openssh-9.7p1/regress/unittests/sshkey/test_fuzz.c.sshrsacheck openssh-9.7p1/regress/unittests/sshkey/test_fuzz.c
|
||||
--- openssh-9.7p1/regress/unittests/sshkey/test_fuzz.c.nosha1hostproof 2024-03-11 11:20:49.000000000 +0600
|
||||
+++ openssh-9.7p1/regress/unittests/sshkey/test_fuzz.c 2024-03-21 21:28:07.606026626 +0600
|
||||
@@ -338,13 +338,14 @@
|
||||
TEST_DONE();
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
@ -196,25 +197,25 @@ diff -up openssh-8.7p1/regress/unittests/sshkey/test_fuzz.c.sshrsacheck openssh-
|
||||
|
||||
TEST_START("fuzz RSA SHA256 sig");
|
||||
buf = load_file("rsa_1");
|
||||
@@ -357,6 +358,7 @@ sshkey_fuzz_tests(void)
|
||||
@@ -362,6 +363,7 @@
|
||||
sshkey_free(k1);
|
||||
TEST_DONE();
|
||||
|
||||
+ /* Skip this test, SHA1 signatures are not supported
|
||||
+/* Skip this test, SHA1 signatures are not supported
|
||||
#ifdef WITH_DSA
|
||||
TEST_START("fuzz DSA sig");
|
||||
buf = load_file("dsa_1");
|
||||
ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
|
||||
@@ -364,6 +366,7 @@ sshkey_fuzz_tests(void)
|
||||
sig_fuzz(k1, NULL);
|
||||
@@ -371,6 +373,7 @@
|
||||
sshkey_free(k1);
|
||||
TEST_DONE();
|
||||
+ */
|
||||
#endif
|
||||
+*/
|
||||
|
||||
#ifdef OPENSSL_HAS_ECC
|
||||
TEST_START("fuzz ECDSA sig");
|
||||
diff -up openssh-8.7p1/regress/unittests/sshkey/test_sshkey.c.sshrsacheck openssh-8.7p1/regress/unittests/sshkey/test_sshkey.c
|
||||
--- openssh-8.7p1/regress/unittests/sshkey/test_sshkey.c.sshrsacheck 2023-01-26 11:02:52.339413463 +0100
|
||||
+++ openssh-8.7p1/regress/unittests/sshkey/test_sshkey.c 2023-01-26 11:58:42.324253896 +0100
|
||||
diff -up openssh-9.7p1/regress/unittests/sshkey/test_sshkey.c.sshrsacheck openssh-9.7p1/regress/unittests/sshkey/test_sshkey.c
|
||||
--- openssh-9.7p1/regress/unittests/sshkey/test_sshkey.c.sshrsacheck 2023-01-26 11:02:52.339413463 +0100
|
||||
+++ openssh-9.7p1/regress/unittests/sshkey/test_sshkey.c 2023-01-26 11:58:42.324253896 +0100
|
||||
@@ -60,6 +60,9 @@ build_cert(struct sshbuf *b, struct sshk
|
||||
u_char *sigblob;
|
||||
size_t siglen;
|
||||
@ -277,24 +278,26 @@ diff -up openssh-8.7p1/regress/unittests/sshkey/test_sshkey.c.sshrsacheck openss
|
||||
ASSERT_INT_EQ(sshkey_from_blob(sshbuf_ptr(b), sshbuf_len(b), &k4),
|
||||
SSH_ERR_KEY_CERT_INVALID_SIGN_KEY);
|
||||
ASSERT_PTR_EQ(k4, NULL);
|
||||
diff -up openssh-8.7p1/regress/unittests/sshsig/tests.c.sshrsacheck openssh-8.7p1/regress/unittests/sshsig/tests.c
|
||||
--- openssh-8.7p1/regress/unittests/sshsig/tests.c.sshrsacheck 2023-01-26 12:19:23.659513651 +0100
|
||||
+++ openssh-8.7p1/regress/unittests/sshsig/tests.c 2023-01-26 12:20:28.021044803 +0100
|
||||
@@ -102,9 +102,11 @@ tests(void)
|
||||
diff -up openssh-9.7p1/regress/unittests/sshsig/tests.c.sshrsacheck openssh-9.7p1/regress/unittests/sshsig/tests.c
|
||||
--- openssh-9.7p1/regress/unittests/sshsig/tests.c.nosha1hostproof 2024-03-11 11:20:49.000000000 +0600
|
||||
+++ openssh-9.7p1/regress/unittests/sshsig/tests.c 2024-03-21 21:29:14.951604758 +0600
|
||||
@@ -103,11 +103,13 @@
|
||||
check_sig("rsa.pub", "rsa.sig", msg, namespace);
|
||||
TEST_DONE();
|
||||
|
||||
+ /* Skip this test, SHA1 signatures are not supported
|
||||
+/* Skip this test, SHA1 signatures are not supported
|
||||
#ifdef WITH_DSA
|
||||
TEST_START("check DSA signature");
|
||||
check_sig("dsa.pub", "dsa.sig", msg, namespace);
|
||||
TEST_DONE();
|
||||
+ */
|
||||
#endif
|
||||
+*/
|
||||
|
||||
#ifdef OPENSSL_HAS_ECC
|
||||
TEST_START("check ECDSA signature");
|
||||
diff -up openssh-8.7p1/serverloop.c.sshrsacheck openssh-8.7p1/serverloop.c
|
||||
--- openssh-8.7p1/serverloop.c.sshrsacheck 2023-01-12 14:57:08.118400073 +0100
|
||||
+++ openssh-8.7p1/serverloop.c 2023-01-12 14:59:17.330470518 +0100
|
||||
diff -up openssh-9.7p1/serverloop.c.sshrsacheck openssh-9.7p1/serverloop.c
|
||||
--- openssh-9.7p1/serverloop.c.sshrsacheck 2023-01-12 14:57:08.118400073 +0100
|
||||
+++ openssh-9.7p1/serverloop.c 2023-01-12 14:59:17.330470518 +0100
|
||||
@@ -80,6 +80,7 @@
|
||||
#include "auth-options.h"
|
||||
#include "serverloop.h"
|
||||
@ -314,9 +317,9 @@ diff -up openssh-8.7p1/serverloop.c.sshrsacheck openssh-8.7p1/serverloop.c
|
||||
debug3_f("sign %s key (index %d) using sigalg %s",
|
||||
sshkey_type(key), ndx, sigalg == NULL ? "default" : sigalg);
|
||||
if ((r = sshbuf_put_cstring(sigbuf,
|
||||
diff -up openssh-8.7p1/sshconnect2.c.sshrsacheck openssh-8.7p1/sshconnect2.c
|
||||
--- openssh-8.7p1/sshconnect2.c.sshrsacheck 2023-01-25 15:33:29.140353651 +0100
|
||||
+++ openssh-8.7p1/sshconnect2.c 2023-01-25 15:59:34.225364883 +0100
|
||||
diff -up openssh-9.7p1/sshconnect2.c.sshrsacheck openssh-9.7p1/sshconnect2.c
|
||||
--- openssh-9.7p1/sshconnect2.c.sshrsacheck 2023-01-25 15:33:29.140353651 +0100
|
||||
+++ openssh-9.7p1/sshconnect2.c 2023-01-25 15:59:34.225364883 +0100
|
||||
@@ -1461,6 +1464,14 @@ identity_sign(struct identity *id, u_cha
|
||||
retried = 1;
|
||||
goto retry_pin;
|
||||
@ -332,9 +335,9 @@ diff -up openssh-8.7p1/sshconnect2.c.sshrsacheck openssh-8.7p1/sshconnect2.c
|
||||
goto out;
|
||||
}
|
||||
|
||||
diff -up openssh-8.7p1/sshd.c.sshrsacheck openssh-8.7p1/sshd.c
|
||||
--- openssh-8.7p1/sshd.c.sshrsacheck 2023-01-12 13:29:06.355711140 +0100
|
||||
+++ openssh-8.7p1/sshd.c 2023-01-12 13:29:06.358711178 +0100
|
||||
diff -up openssh-9.7p1/sshd.c.sshrsacheck openssh-9.7p1/sshd.c
|
||||
--- openssh-9.7p1/sshd.c.sshrsacheck 2023-01-12 13:29:06.355711140 +0100
|
||||
+++ openssh-9.7p1/sshd.c 2023-01-12 13:29:06.358711178 +0100
|
||||
@@ -1640,6 +1651,7 @@ main(int ac, char **av)
|
||||
Authctxt *authctxt;
|
||||
struct connection_info *connection_info = NULL;
|
||||
@ -387,9 +390,9 @@ diff -up openssh-8.7p1/sshd.c.sshrsacheck openssh-8.7p1/sshd.c
|
||||
/* Prepare the channels layer */
|
||||
channel_init_channels(ssh);
|
||||
channel_set_af(ssh, options.address_family);
|
||||
diff -up openssh-8.7p1/ssh-rsa.c.sshrsacheck openssh-8.7p1/ssh-rsa.c
|
||||
--- openssh-8.7p1/ssh-rsa.c.sshrsacheck 2023-01-20 13:07:54.180676144 +0100
|
||||
+++ openssh-8.7p1/ssh-rsa.c 2023-01-20 13:07:54.290677074 +0100
|
||||
diff -up openssh-9.7p1/ssh-rsa.c.sshrsacheck openssh-9.7p1/ssh-rsa.c
|
||||
--- openssh-9.7p1/ssh-rsa.c.sshrsacheck 2023-01-20 13:07:54.180676144 +0100
|
||||
+++ openssh-9.7p1/ssh-rsa.c 2023-01-20 13:07:54.290677074 +0100
|
||||
@@ -254,7 +254,8 @@ ssh_rsa_verify(const struct sshkey *key,
|
||||
ret = SSH_ERR_INVALID_ARGUMENT;
|
||||
goto out;
|
||||
@ -962,12 +962,12 @@ diff -up openssh-9.6p1/ssh-add.c.pkcs11-uri openssh-9.6p1/ssh-add.c
|
||||
goto done;
|
||||
}
|
||||
diff -up openssh-9.6p1/ssh-agent.c.pkcs11-uri openssh-9.6p1/ssh-agent.c
|
||||
--- openssh-9.6p1/ssh-agent.c.pkcs11-uri 2023-12-18 15:59:50.000000000 +0100
|
||||
+++ openssh-9.6p1/ssh-agent.c 2024-01-12 14:25:25.234942360 +0100
|
||||
@@ -1549,10 +1549,72 @@ add_p11_identity(struct sshkey *key, cha
|
||||
--- openssh-9.7p1/ssh-agent.c.pkcs11-uri 2023-12-18 15:59:50.000000000 +0100
|
||||
+++ openssh-9.7p1/ssh-agent.c 2024-01-12 14:25:25.234942360 +0100
|
||||
@@ -1553,10 +1553,73 @@
|
||||
idtab->nentries++;
|
||||
}
|
||||
|
||||
#ifdef ENABLE_PKCS11
|
||||
+static char *
|
||||
+sanitize_pkcs11_provider(const char *provider)
|
||||
+{
|
||||
@ -1029,6 +1029,7 @@ diff -up openssh-9.6p1/ssh-agent.c.pkcs11-uri openssh-9.6p1/ssh-agent.c
|
||||
+ return xstrdup(canonical_provider); /* simple path */
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+
|
||||
static void
|
||||
process_add_smartcard_key(SocketEntry *e)
|
||||
@ -1038,7 +1039,7 @@ diff -up openssh-9.6p1/ssh-agent.c.pkcs11-uri openssh-9.6p1/ssh-agent.c
|
||||
char **comments = NULL;
|
||||
int r, i, count = 0, success = 0, confirm = 0;
|
||||
u_int seconds = 0;
|
||||
@@ -1581,25 +1643,18 @@ process_add_smartcard_key(SocketEntry *e
|
||||
@@ -1585,25 +1648,18 @@
|
||||
"providers is disabled", provider);
|
||||
goto send;
|
||||
}
|
||||
@ -1069,7 +1070,7 @@ diff -up openssh-9.6p1/ssh-agent.c.pkcs11-uri openssh-9.6p1/ssh-agent.c
|
||||
}
|
||||
for (j = 0; j < ncerts; j++) {
|
||||
if (!sshkey_is_cert(certs[j]))
|
||||
@@ -1609,13 +1664,13 @@ process_add_smartcard_key(SocketEntry *e
|
||||
@@ -1613,13 +1669,13 @@
|
||||
if (pkcs11_make_cert(keys[i], certs[j], &k) != 0)
|
||||
continue;
|
||||
add_p11_identity(k, xstrdup(comments[i]),
|
||||
@ -1085,7 +1086,7 @@ diff -up openssh-9.6p1/ssh-agent.c.pkcs11-uri openssh-9.6p1/ssh-agent.c
|
||||
dest_constraints, ndest_constraints);
|
||||
keys[i] = NULL; /* transferred */
|
||||
comments[i] = NULL; /* transferred */
|
||||
@@ -1628,6 +1683,7 @@ process_add_smartcard_key(SocketEntry *e
|
||||
@@ -1632,6 +1688,7 @@
|
||||
send:
|
||||
free(pin);
|
||||
free(provider);
|
||||
@ -1093,7 +1094,7 @@ diff -up openssh-9.6p1/ssh-agent.c.pkcs11-uri openssh-9.6p1/ssh-agent.c
|
||||
free(keys);
|
||||
free(comments);
|
||||
free_dest_constraints(dest_constraints, ndest_constraints);
|
||||
@@ -1640,7 +1696,7 @@ send:
|
||||
@@ -1644,7 +1701,7 @@
|
||||
static void
|
||||
process_remove_smartcard_key(SocketEntry *e)
|
||||
{
|
||||
@ -1102,7 +1103,7 @@ diff -up openssh-9.6p1/ssh-agent.c.pkcs11-uri openssh-9.6p1/ssh-agent.c
|
||||
int r, success = 0;
|
||||
Identity *id, *nxt;
|
||||
|
||||
@@ -1652,30 +1708,29 @@ process_remove_smartcard_key(SocketEntry
|
||||
@@ -1656,30 +1713,29 @@
|
||||
}
|
||||
free(pin);
|
||||
|
||||
@ -56,10 +56,10 @@
|
||||
%{?static_openssl:%global static_libcrypto 1}
|
||||
|
||||
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
|
||||
%global openssh_ver 9.6p1
|
||||
%global openssh_ver 9.7p1
|
||||
%global openssh_rel 1
|
||||
%global pam_ssh_agent_ver 0.10.4
|
||||
%global pam_ssh_agent_rel 12
|
||||
%global pam_ssh_agent_rel 13
|
||||
|
||||
Summary: An open source implementation of SSH protocol version 2
|
||||
Name: openssh
|
||||
@ -164,7 +164,7 @@ Patch711: openssh-7.8p1-UsePAM-warning.patch
|
||||
# Reenable MONITOR_REQ_GSSCHECKMIC after gssapi-with-mic failures
|
||||
# upstream MR:
|
||||
# https://github.com/openssh-gsskex/openssh-gsskex/pull/21
|
||||
Patch800: openssh-9.6p1-gssapi-keyex.patch
|
||||
Patch800: openssh-9.7p1-gssapi-keyex.patch
|
||||
#http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
|
||||
Patch801: openssh-6.6p1-force_krb.patch
|
||||
# add new option GSSAPIEnablek5users and disable using ~/.k5users by default (#1169843)
|
||||
@ -204,7 +204,7 @@ Patch950: openssh-7.5p1-sandbox.patch
|
||||
# PKCS#11 URIs (upstream #2817, 2nd iteration)
|
||||
# https://github.com/Jakuje/openssh-portable/commits/jjelen-pkcs11
|
||||
# git show > ~/devel/fedora/openssh/openssh-8.0p1-pkcs11-uri.patch
|
||||
Patch951: openssh-9.6p1-pkcs11-uri.patch
|
||||
Patch951: openssh-9.7p1-pkcs11-uri.patch
|
||||
# Unbreak scp between two IPv6 hosts (#1620333)
|
||||
Patch953: openssh-7.8p1-scp-ipv6.patch
|
||||
# Mention crypto-policies in manual pages (#1668325)
|
||||
@ -246,11 +246,11 @@ Patch1002: openssh-8.7p1-ssh-manpage.patch
|
||||
# Don't propose disallowed algorithms during hostkey negotiation
|
||||
# upstream MR:
|
||||
# https://github.com/openssh/openssh-portable/pull/323
|
||||
Patch1006: openssh-8.7p1-negotiate-supported-algs.patch
|
||||
Patch1006: openssh-9.7p1-negotiate-supported-algs.patch
|
||||
|
||||
Patch1012: openssh-9.0p1-evp-fips-dh.patch
|
||||
Patch1013: openssh-9.0p1-evp-fips-ecdh.patch
|
||||
Patch1014: openssh-8.7p1-nohostsha1proof.patch
|
||||
Patch1014: openssh-9.7p1-nohostsha1proof.patch
|
||||
|
||||
License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant
|
||||
Requires: /sbin/nologin
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user
