diff --git a/backport-Skip-scp3-test-if-there-s-no-scp-on-remote-path.patch b/backport-Skip-scp3-test-if-there-s-no-scp-on-remote-path.patch
new file mode 100644
index 0000000000000000000000000000000000000000..60f4b9d47db0487ec19267d3015378eef6cd186d
--- /dev/null
+++ b/backport-Skip-scp3-test-if-there-s-no-scp-on-remote-path.patch
@@ -0,0 +1,34 @@
+From ea7ecc2c3ae39fdf5c6ad97b7bc0b47a98847f43 Mon Sep 17 00:00:00 2001
+From: Darren Tucker
+Date: Sat, 23 Jul 2022 14:36:38 +1000
+Subject: [PATCH] Skip scp3 test if there's no scp on remote path.
+
+scp -3 ends up using the scp that's in the remote path and will fail if
+one is not available. Based on a patch from rapier at psc.edu.
+
+Reference:https://github.com/openssh/openssh-portable/commit/ea7ecc2c3ae39fdf5c6ad97b7bc0b47a98847f43
+Conflict:NA
+---
+ regress/scp3.sh | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/regress/scp3.sh b/regress/scp3.sh
+index f71b1567..47db47cd 100644
+--- a/regress/scp3.sh
++++ b/regress/scp3.sh
+@@ -9,6 +9,12 @@ COPY2=${OBJ}/copy2
+ DIR=${COPY}.dd
+ DIR2=${COPY}.dd2
+ 
++$SSH -F $OBJ/ssh_proxy somehost \
++ 'IFS=":"; for i in $PATH;do [ -x "$i/scp" ] && exit 0; done; exit 1'
++if [ $? -eq 1 ]; then
++ skip "No scp on remote path."
++fi
++
+ SRC=`dirname ${SCRIPT}`
+ cp ${SRC}/scp-ssh-wrapper.sh ${OBJ}/scp-ssh-wrapper.scp
+ chmod 755 ${OBJ}/scp-ssh-wrapper.scp
+--
+2.23.0
+
diff --git a/feature-add-SMx-support.patch b/feature-add-SMx-support.patch
index 41a14dbc70edd0d4c492439c14d7618e09e6f98d..d7fe61c8e37cf401cad502fd17ace6eac53a43c1 100644
--- a/feature-add-SMx-support.patch
+++ b/feature-add-SMx-support.patch
@@ -20,23 +20,24 @@ FingerprintHash sm3
 kex.h | 3 +
 kexecdh.c | 23 +-
 kexgen.c | 3 +
- kexsm2.c | 406 ++++++++++++++++++++++++++++++++++
+ kexsm2.c | 406 ++++++++++++++++++++++++++
 mac.c | 1 +
 pathnames.h | 1 +
 regress/agent.sh | 9 +
 regress/keytype.sh | 2 +
+ regress/knownhosts-command.sh | 1 +
 regress/misc/fuzz-harness/sig_fuzz.cc | 4 +
 regress/unittests/kex/test_kex.c | 3 +
 ssh-ecdsa.c | 6 +-
 ssh-keygen.c | 12 +-
 ssh-keyscan.c | 12 +-
- ssh-sm2.c | 230 +++++++++++++++++++
+ ssh-sm2.c | 230 +++++++++
 ssh_api.c | 2 +
 sshconnect2.c | 1 +
 sshd.c | 7 +
- sshkey.c | 62 +++++-
+ sshkey.c | 62 +++-
 sshkey.h | 9 +
- 26 files changed, 793 insertions(+), 16 deletions(-)
+ 27 files changed, 794 insertions(+), 16 deletions(-)
 create mode 100644 kexsm2.c
 create mode 100644 ssh-sm2.c
 
@@ -75,7 +76,7 @@ index 9f092f7..163b4b5 100644
 case KEY_ECDSA_SK_CERT:
 #endif
 diff --git a/authfile.c b/authfile.c
-index d7827ed..8990137 100644
+index 666730b..dce1e84 100644
 --- a/authfile.c
 +++ b/authfile.c
 @@ -343,6 +343,7 @@ sshkey_load_private_cert(int type, const char *filename, const char *passphrase,
@@ -686,7 +687,7 @@ index a094888..0a805ad 100644
 /*
 * Configuration file in user's home directory. This file need not be
 diff --git a/regress/agent.sh b/regress/agent.sh
-index f187b67..38a0e97 100644
+index f187b67..42a5124 100644
 --- a/regress/agent.sh
 +++ b/regress/agent.sh
 @@ -87,9 +87,18 @@ fi
@@ -728,28 +729,40 @@ index f1c0451..2665bd6 100644
 esac
 }
 
+diff --git a/regress/knownhosts-command.sh b/regress/knownhosts-command.sh
+index 8472ec8..7f56fb1 100644
+--- a/regress/knownhosts-command.sh
++++ b/regress/knownhosts-command.sh
+@@ -41,6 +41,7 @@ ${SSH} -F $OBJ/ssh_proxy x true && fail "ssh connect succeeded with bad exit"
+ for keytype in ${SSH_HOSTKEY_TYPES} ; do
+ algs=$keytype
+ test "x$keytype" = "xssh-dss" && continue
++ test "x$keytype" = "xsm2" && continue
+ test "x$keytype" = "xssh-rsa" && algs=ssh-rsa,rsa-sha2-256,rsa-sha2-512
+ verbose "keytype $keytype"
+ cat > $OBJ/knownhosts_command << _EOF
 diff --git a/regress/misc/fuzz-harness/sig_fuzz.cc b/regress/misc/fuzz-harness/sig_fuzz.cc
-index b32502b..8faad6e 100644
+index b32502b..f260692 100644
 --- a/regress/misc/fuzz-harness/sig_fuzz.cc
+++ b/regress/misc/fuzz-harness/sig_fuzz.cc
-@@ -33,6 +33,7 @@ int LLVMFuzzerTestOneInput(const uint8_t* sig, size_t slen)
+@@ -30,6 +30,7 @@ int LLVMFuzzerTestOneInput(const uint8_t* sig, size_t slen)
+ static struct sshkey *ecdsa256 = generate_or_die(KEY_ECDSA, 256);
+ static struct sshkey *ecdsa384 = generate_or_die(KEY_ECDSA, 384);
+ static struct sshkey *ecdsa521 = generate_or_die(KEY_ECDSA, 521);
++ static struct sshkey *sm2 = generate_or_die(KEY_SM2, 256);
 #endif
 struct sshkey_sig_details *details = NULL;
 static struct sshkey *ed25519 = generate_or_die(KEY_ED25519, 0);
-+ static struct sshkey *sm2 = generate_or_die(KEY_SM2, 256);
- static const char *data = "If everyone started announcing his nose had "
- "run away, I don’t know how it would all end";
- static const size_t dlen = strlen(data);
-@@ -56,6 +57,9 @@ int LLVMFuzzerTestOneInput(const uint8_t* sig, size_t slen)
- #endif
- sshkey_verify(ed25519, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
+@@ -53,6 +54,9 @@ int LLVMFuzzerTestOneInput(const uint8_t* sig, size_t slen)
+ sshkey_verify(ecdsa521, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
 sshkey_sig_details_free(details);
-+ details = NULL;
+ details = NULL;
+ sshkey_verify(sm2, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
+ sshkey_sig_details_free(details);
- return 0;
- }
- 
++ details = NULL;
+ #endif
+ sshkey_verify(ed25519, sig, slen, (const u_char *)data, dlen, NULL, 0, &details);
+ sshkey_sig_details_free(details);
 diff --git a/regress/unittests/kex/test_kex.c b/regress/unittests/kex/test_kex.c
 index 3bd71a9..312e8f2 100644
 --- a/regress/unittests/kex/test_kex.c
@@ -803,7 +816,7 @@ index b036796..6697be6 100644
 return SSH_ERR_INVALID_ARGUMENT;
 diff --git a/ssh-keygen.c b/ssh-keygen.c
-index e04bade..7fc616c 100644
+index b9c4dce..bd6ea16 100644
 --- a/ssh-keygen.c
 +++ b/ssh-keygen.c
 @@ -192,6 +192,7 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp)
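Review bot: The `test "x$keytype" = "xsm2" && continue` added to the embedded regress/knownhosts-command.sh hunk removes sm2 host keys from the KnownHostsCommand coverage without recording why, so a later reader cannot tell whether sm2 is unsupported by that code path or simply untested; a comment on that line such as `# TODO(sm2): explain why KnownHostsCommand is not exercised for sm2 host keys` would preserve the intent (the placeholder text is mine). In the sig_fuzz.cc part of the same outer hunk, moving the `sm2` key and its verify/free pair inside the `#ifdef OPENSSL_HAS_ECC` block and resetting `details = NULL` after each `sshkey_sig_details_free` look correct, since the next `sshkey_verify` no longer receives a pointer that was already freed. The inner sig_fuzz.cc hunk continues beyond the lines shown here, so only the visible part was checked.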
@@ -1163,7 +1176,7 @@ index d3c6617..adc2598 100644
 #endif /* WITH_OPENSSL */
 ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client;
 diff --git a/sshconnect2.c b/sshconnect2.c
-index aa32ece..e90eb89 100644
+index fafc0a2..9a01f1a 100644
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
 @@ -327,6 +327,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port,
@@ -1175,7 +1188,7 @@ index aa32ece..e90eb89 100644
 # ifdef GSSAPI
 if (options.gss_keyex) {
 diff --git a/sshd.c b/sshd.c
-index b7b0c18..dd7cdee 100644
+index 8424e33..57d70fe 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -706,6 +706,7 @@ list_hostkey_types(void)
@@ -1221,7 +1234,7 @@ index b7b0c18..dd7cdee 100644
 case KEY_ED25519:
 case KEY_ECDSA_SK:
 case KEY_ED25519_SK:
-@@ -2570,6 +2576,7 @@ do_ssh2_kex(struct ssh *ssh)
+@@ -2572,6 +2578,7 @@ do_ssh2_kex(struct ssh *ssh)
 kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
 # ifdef OPENSSL_HAS_ECC
 kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
@@ -1554,5 +1567,5 @@ index 43eef5e..3b84096 100644
 
 #if !defined(WITH_OPENSSL)
 --
-1.8.3.1
+2.23.0
 
diff --git a/openssh.spec b/openssh.spec
index ba225c54257a0a815408351c52d38c011237fd66..8e74f92c8b48be17ce44bf420ced83c7b0be295e 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -6,7 +6,7 @@
 %{?no_gtk2:%global gtk2 0}
 %global sshd_uid 74
 
-%global openssh_release 16
+%global openssh_release 17
 
 Name: openssh
 Version: 8.8p1
@@ -105,7 +105,9 @@ Patch72: backport-upstream-double-free-in-error-path-from-Eusgor-via-G.pa
 Patch73: add-strict-scp-check-for-CVE-2020-15778.patch
 Patch74: backport-upstream-ssh-keygen-Y-check-novalidate-requires-name.patch
 Patch75: backport-upstream-avoid-integer-overflow-of-auth-attempts-har.patch
-Patch76: skip-some-tests.patch
+Patch76: backport-Skip-scp3-test-if-there-s-no-scp-on-remote-path.patch
+Patch77: skip-scp-test-if-there-is-no-scp-on-remote-path-as-s.patch
+Patch78: skip-tests-for-C-if-there-is-no-openssl-on-local-pat.patch
 
 Requires: /sbin/nologin
 Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8
@@ -261,6 +263,8 @@ popd
 %patch74 -p1
 %patch75 -p1
 %patch76 -p1
+%patch77 -p1
+%patch78 -p1
 
 autoreconf
 pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4
@@ -332,10 +336,7 @@ make
 popd
 
 %check
-#to run tests use "--with check"
-%if %{?_with_check:1}%{!?_with_check:0}
 make tests
-%endif
 
 %install
 mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
@@ -462,6 +463,12 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
 
 %changelog
+* Fri Jan 06 2023 renmingshuai - 8.8p1-17
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:fix test failure and enable make tests
+
 * Tue Jan 03 2023 renmingshuai - 8.8p1-16
 - Type:bugfix
 - CVE:NA
diff --git a/skip-scp-test-if-there-is-no-scp-on-remote-path-as-s.patch b/skip-scp-test-if-there-is-no-scp-on-remote-path-as-s.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ebb9a53023dd2c7f23fa3cd7b11d91b3a8e30d9a
--- /dev/null
+++ b/skip-scp-test-if-there-is-no-scp-on-remote-path-as-s.patch
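Review bot: Removing the `%if %{?_with_check:1}%{!?_with_check:0}` guard around `make tests` in the %check hunk leaves no way to build the package without running the regress suite, which needs a loopback sshd, free ports and tools on PATH; the same commit adds three patches solely to skip tests when scp or openssl is absent, which suggests the build environment is not always complete. Keeping the escape hatch while making tests the default is one macro and one conditional: `%bcond_without check` near the top of the spec and `%if %{with check}` / `%endif` around `make tests`, so `--without check` still disables them. The changelog line "enable make tests" would then read as "run tests by default" rather than unconditionally.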
@@ -0,0 +1,38 @@
+From e32af8efd8d36f8349761615b73cb3174e52134a Mon Sep 17 00:00:00 2001
+From: chengyechun
+Date: Thu, 5 Jan 2023 22:45:10 +0800
+Subject: [PATCH] skip scp test if there is no scp on remote path as scp3.sh
+ did
+
+---
+ regress/multiplex.sh | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/regress/multiplex.sh b/regress/multiplex.sh
+index 4744fa3..8ab0f59 100644
+--- a/regress/multiplex.sh
++++ b/regress/multiplex.sh
+@@ -67,11 +67,15 @@ echo "get ${DATA} ${COPY}" | \
+ test -f ${COPY} || fail "sftp: failed copy ${DATA}"
+ cmp ${DATA} ${COPY} || fail "sftp: corrupted copy of ${DATA}"
+ 
+-rm -f ${COPY}
+-trace "scp transfer over multiplexed connection and check result"
+-${SCP} -S ${SSH} -F $OBJ/ssh_config -oControlPath=$CTL otherhost:${DATA} ${COPY} >>$TEST_REGRESS_LOGFILE 2>&1
+-test -f ${COPY} || fail "scp: failed copy ${DATA}"
+-cmp ${DATA} ${COPY} || fail "scp: corrupted copy of ${DATA}"
++$SSH -F $OBJ/ssh_proxy somehost \
++ 'IFS=":"; for i in $PATH;do [ -x "$i/scp" ] && exit 0; done; exit 1'
++if [ $? -eq 0 ]; then
++ rm -f ${COPY}
++ trace "scp transfer over multiplexed connection and check result"
++ ${SCP} -S ${SSH} -F $OBJ/ssh_config -oControlPath=$CTL otherhost:${DATA} ${COPY} >>$TEST_REGRESS_LOGFILE 2>&1
++ test -f ${COPY} || fail "scp: failed copy ${DATA}"
++ cmp ${DATA} ${COPY} || fail "scp: corrupted copy of ${DATA}"
++fi
+ 
+ rm -f ${COPY}
+ verbose "test $tid: forward"
+--
+2.23.0
+
diff --git a/skip-some-tests.patch b/skip-some-tests.patch
deleted file mode 100644
index 410c99a233a620e19ef358f32cec4c3577dff8fa..0000000000000000000000000000000000000000
--- a/skip-some-tests.patch
+++ /dev/null
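Review bot: In the embedded regress/multiplex.sh hunk the scp sub-test is dropped silently whenever the probe returns non-zero: `if [ $? -eq 0 ]; then` has no `else`, so a missing remote scp and a failed `$SSH` probe (connection error, exit status 255) both leave no trace in the log and the test still reports success. The upstream scp3.sh variant backported in this same commit treats only exit status 1 as "no scp" and calls `skip`, which records the reason; here an `else trace "no scp on remote path, skipping scp transfer"` branch, and a `fail` when the status is neither 0 nor 1, would make the skip visible and keep a broken probe from masking regressions. The probe also runs through `$OBJ/ssh_proxy` rather than the multiplexed `ssh_config`/ControlPath connection under test, so it checks the proxy host's PATH; presumably that is the same host in this harness, but a one-line comment saying so would help.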
@@ -1,39 +0,0 @@
-From 64c8904769459923e0bae2feb51c2fe3619809e3 Mon Sep 17 00:00:00 2001
-From: renmingshuai
-Date: Tue, 3 Jan 2023 10:41:01 +0800
-Subject: [PATCH] skip some tests
-
---
- regress/Makefile | 3 ---
- 1 file changed, 3 deletions(-)
-
-diff --git a/regress/Makefile b/regress/Makefile
-index 99f64a7..105e825 100644
---- a/regress/Makefile
-+++ b/regress/Makefile
-@@ -53,7 +53,6 @@ LTESTS= connect \
- keygen-sshfp \
- key-options \
- scp \
-- scp3 \
- scp-uri \
- sftp \
- sftp-chroot \
-@@ -66,14 +65,12 @@ LTESTS= connect \
- reconfigure \
- dynamic-forward \
- forwarding \
-- multiplex \
- reexec \
- brokenkeys \
- sshcfgparse \
- cfgparse \
- cfgmatch \
- cfgmatchlisten \
-- percent \
- addrmatch \
- localcommand \
- forcecommand \
---
-2.23.0
-
diff --git a/skip-tests-for-C-if-there-is-no-openssl-on-local-pat.patch b/skip-tests-for-C-if-there-is-no-openssl-on-local-pat.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f56ed5b68aaa41b57396af03a98a315929b482af
--- /dev/null
+++ b/skip-tests-for-C-if-there-is-no-openssl-on-local-pat.patch
@@ -0,0 +1,100 @@
+From a0772385f1b4086aacdc6d84a3daea4b2ef26f30 Mon Sep 17 00:00:00 2001
+From: chengyechun
+Date: Thu, 5 Jan 2023 23:43:22 +0800
+Subject: [PATCH] skip tests for '%C' if there is no openssl on local path
+
+---
+ regress/percent.sh | 24 +++++++++++----
+ ...t-if-there-is-no-openssl-on-local-pa.patch | 30 +++++++++++++++++++
+ 2 files changed, 48 insertions(+), 6 deletions(-)
+ create mode 100644 skip-percent-test-if-there-is-no-openssl-on-local-pa.patch
+
+diff --git a/regress/percent.sh b/regress/percent.sh
+index 7ed4184..9c112eb 100644
+--- a/regress/percent.sh
++++ b/regress/percent.sh
+@@ -13,6 +13,10 @@ USERID=`id -u`
+ HOST=`hostname | cut -f1 -d.`
+ HOSTNAME=`hostname`
+ 
++# Check if there is openssl in local PATH
++NOOPENSSL=0
++for i in $PATH;do [ -x "$i/openssl" ] && NOOPENSSL=1; done
++
+ # Localcommand is evaluated after connection because %T is not available
+ # until then. Because of this we use a different method of exercising it,
+ # and we can't override the remote user otherwise authentication will fail.
+@@ -77,11 +81,14 @@ for i in matchexec localcommand remotecommand controlpath identityagent \
+ if [ "$i" = "$localcommand" ]; then
+ trial $i '%T' NONE
+ fi
+- # Matches implementation in readconf.c:ssh_connection_hash()
+- HASH=`printf "${HOSTNAME}127.0.0.1${PORT}$REMUSER" |
+- $OPENSSL_BIN sha1 | cut -f2 -d' '`
++ # skip tests for '%C' since no openssl in local PATH
++ if [ $NOOPENSSL -eq 1 ]; then
++ # Matches implementation in readconf.c:ssh_connection_hash()
++ HASH=`printf "${HOSTNAME}127.0.0.1${PORT}$REMUSER" |
++ $OPENSSL_BIN sha1 | cut -f2 -d' '`
++ fi
+ trial $i '%%' '%'
+- trial $i '%C' $HASH
++ if [ $NOOPENSSL -eq 1 ]; then trial $i '%C' $HASH; fi
+ trial $i '%i' $USERID
+ trial $i '%h' 127.0.0.1
+ trial $i '%L' $HOST
+@@ -95,8 +102,13 @@ for i in matchexec localcommand remotecommand controlpath identityagent \
+ # containing %d for UserKnownHostsFile
+ if [ "$i" != "userknownhostsfile" ]; then
+ trial $i '%d' $HOME
+- trial $i '%%/%C/%i/%h/%d/%L/%l/%n/%p/%r/%u' \
+- "%/$HASH/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER"
++ if [ $NOOPENSSL -eq 0 ]; then
++ trial $i '%%/%i/%h/%d/%L/%l/%n/%p/%r/%u' \
++ "%/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER"
++ else
++ trial $i '%%/%C/%i/%h/%d/%L/%l/%n/%p/%r/%u' \
++ "%/$HASH/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER"
++ fi
+ fi
+ done
+ 
+diff --git a/skip-percent-test-if-there-is-no-openssl-on-local-pa.patch b/skip-percent-test-if-there-is-no-openssl-on-local-pa.patch
+new file mode 100644
+index 0000000..c7af5d9
+--- /dev/null
++++ b/skip-percent-test-if-there-is-no-openssl-on-local-pa.patch
+@@ -0,0 +1,30 @@
++From 1da9e48b41ab6eca157d4fa3b74490510d9006ae Mon Sep 17 00:00:00 2001
++From: chengyechun
++Date: Thu, 5 Jan 2023 23:43:22 +0800
++Subject: [PATCH] skip percent test if there is no openssl on local path as
++ scp3 did
++
++---
++ regress/percent.sh | 6 ++++++
++ 1 file changed, 6 insertions(+)
++
++diff --git a/regress/percent.sh b/regress/percent.sh
++index 7ed4184..08afbc8 100644
++--- a/regress/percent.sh
+++++ b/regress/percent.sh
++@@ -8,6 +8,12 @@ if [ -x "/usr/xpg4/bin/id" ]; then
++ export PATH
++ fi
++ 
+++NOOPENSSL=0
+++for i in $PATH;do [ -x "$i/openssl" ] && $OPENSSL=1; done
+++if [ $? -eq 0 ]; then
+++ skip "No openssl on local path."
+++fi
+++
++ USER=`id -u -n`
++ USERID=`id -u`
++ HOST=`hostname | cut -f1 -d.`
++--
++2.23.0
++
+--
+2.23.0
+
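Review bot: In the embedded regress/percent.sh hunk, `for i in $PATH;do [ -x "$i/openssl" ] && NOOPENSSL=1; done` never splits PATH on `:` (unlike the scp3 probe in this commit, which sets `IFS=":"` first), so with a multi-entry PATH the single iteration tests a path like `/usr/bin:/bin/openssl`, NOOPENSSL stays 0, and every `%C` trial is skipped even when openssl is installed — unless percent.sh sets IFS earlier, which the hunk does not show. Since the hash is computed with `$OPENSSL_BIN` anyway, probing that binary avoids parsing PATH at all: `command -v "${OPENSSL_BIN:-openssl}" >/dev/null 2>&1 && NOOPENSSL=1`; the name is also inverted (1 means openssl is available), so something like `HAVE_OPENSSL` would read better. The second file in this patch, `skip-percent-test-if-there-is-no-openssl-on-local-pa.patch`, looks like an abandoned draft (`$OPENSSL=1` is not an assignment and `[ $? -eq 0 ]` tests the loop's exit status, not the probe's) and gets dropped into the openssh source tree when `%patch78 -p1` applies; it should be removed from the patch together with its diffstat and `create mode` lines.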