From 60b83e28be746cfebac7f67ff0c3e9859a91a789 Mon Sep 17 00:00:00 2001 From: renmingshuai Date: Thu, 11 Jan 2024 08:09:17 +0000 Subject: [PATCH] sync from 22.03-lts-sp1 --- ...port-Allow-writev-is-seccomp-sandbox.patch | 30 ++ ...-ss.patch => backport-CVE-2023-48795.patch | 228 +++++----- ...r-hostnames-with-most-shell-metachar.patch | 2 +- ...-seed_rng-until-after-closefrom-call.patch | 39 ++ ...compat_kex_proposal-test-to-portable.patch | 51 +++ ...-addresses-if-platform-lacks-support.patch | 52 +++ ...m-Add-scp-s-path-to-test-sshd-s-PATH.patch | 37 ++ ...ignal-mask-early-in-main-sshd-may-ha.patch | 53 +++ ...tes-from-the_banana-rather-than-bana.patch | 32 ++ ...that-there-is-a-terminating-newline-.patch | 48 +++ ...dynamic-remote-port-forwarding-in-es.patch | 46 ++ ...-of-skipping-the-all-tokens-test-if-.patch | 44 ++ ...umber-of-entries-in-SSH2_MSG_EXT_INF.patch | 41 -- ...am-Refactor-creation-of-KEX-proposal.patch | 402 ------------------ ...yntax-fix.-From-ren-mingshuai-vi-git.patch | 26 ++ ...omatic-way-of-coping-with-signed-cha.patch | 40 ++ ...enSSL-is-not-available-skip-parts-of.patch | 51 +++ ...eam-avoid-printf-s-NULL-if-using-ssh.patch | 42 ++ ...-in-PermitRemoteOpen-which-caused-it.patch | 109 +++++ ...user-s-umask-if-it-is-more-restricti.patch | 37 ++ ...regression-test-for-PermitRemoteOpen.patch | 138 ++++++ ...-test-compat_kex_proposal-by-dtucker.patch | 125 ++++++ ...-use-correct-type-with-sizeof-ok-djm.patch | 34 ++ openssh.spec | 157 ++++--- ...-if-there-is-no-openssl-on-local-pat.patch | 100 ----- 25 files changed, 1239 insertions(+), 725 deletions(-) create mode 100644 backport-Allow-writev-is-seccomp-sandbox.patch rename backport-CVE-2023-48795-upstream-implement-strict-key-exchange-in-ssh-and-ss.patch => backport-CVE-2023-48795.patch (70%) create mode 100644 backport-Defer-seed_rng-until-after-closefrom-call.patch create mode 100644 backport-adapt-compat_kex_proposal-test-to-portable.patch create mode 100644 backport-don-t-test-IPv6-addresses-if-platform-lacks-support.patch create mode 100644 backport-upstream-Add-scp-s-path-to-test-sshd-s-PATH.patch create mode 100644 backport-upstream-Clear-signal-mask-early-in-main-sshd-may-ha.patch create mode 100644 backport-upstream-Copy-bytes-from-the_banana-rather-than-bana.patch create mode 100644 backport-upstream-Ensure-that-there-is-a-terminating-newline-.patch create mode 100644 backport-upstream-Handle-dynamic-remote-port-forwarding-in-es.patch create mode 100644 backport-upstream-Instead-of-skipping-the-all-tokens-test-if-.patch delete mode 100644 backport-upstream-Limit-number-of-entries-in-SSH2_MSG_EXT_INF.patch delete mode 100644 backport-upstream-Refactor-creation-of-KEX-proposal.patch create mode 100644 backport-upstream-Shell-syntax-fix.-From-ren-mingshuai-vi-git.patch create mode 100644 backport-upstream-The-idiomatic-way-of-coping-with-signed-cha.patch create mode 100644 backport-upstream-When-OpenSSL-is-not-available-skip-parts-of.patch create mode 100644 backport-upstream-avoid-printf-s-NULL-if-using-ssh.patch create mode 100644 backport-upstream-fix-bug-in-PermitRemoteOpen-which-caused-it.patch create mode 100644 backport-upstream-honour-user-s-umask-if-it-is-more-restricti.patch create mode 100644 backport-upstream-regression-test-for-PermitRemoteOpen.patch create mode 100644 backport-upstream-test-compat_kex_proposal-by-dtucker.patch create mode 100644 backport-upstream-use-correct-type-with-sizeof-ok-djm.patch delete mode 100644 skip-tests-for-C-if-there-is-no-openssl-on-local-pat.patch diff --git a/backport-Allow-writev-is-seccomp-sandbox.patch b/backport-Allow-writev-is-seccomp-sandbox.patch new file mode 100644 index 0000000..fe35f7d --- /dev/null +++ b/backport-Allow-writev-is-seccomp-sandbox.patch @@ -0,0 +1,30 @@ +From 6283f4bd83eee714d0f5fc55802eff836b06fea8 Mon Sep 17 00:00:00 2001 +From: Darren Tucker +Date: Sat, 14 Jan 2023 22:02:44 +1100 +Subject: [PATCH] Allow writev is seccomp sandbox. + +This seems to be used by recent glibcs at least in some configurations. +From bz#3512, ok djm@ +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=6283f4bd83eee714d0f5fc55802eff836b06fea8 +--- + sandbox-seccomp-filter.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c +index cec43c46..4ab49eb6 100644 +--- a/sandbox-seccomp-filter.c ++++ b/sandbox-seccomp-filter.c +@@ -312,6 +312,9 @@ static const struct sock_filter preauth_insns[] = { + #ifdef __NR_write + SC_ALLOW(__NR_write), + #endif ++#ifdef __NR_writev ++ SC_ALLOW(__NR_writev), ++#endif + #ifdef __NR_socketcall + SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN), + SC_DENY(__NR_socketcall, EACCES), +-- +2.27.0 + diff --git a/backport-CVE-2023-48795-upstream-implement-strict-key-exchange-in-ssh-and-ss.patch b/backport-CVE-2023-48795.patch similarity index 70% rename from backport-CVE-2023-48795-upstream-implement-strict-key-exchange-in-ssh-and-ss.patch rename to backport-CVE-2023-48795.patch index 7731dcd..689d500 100644 --- a/backport-CVE-2023-48795-upstream-implement-strict-key-exchange-in-ssh-and-ss.patch +++ b/backport-CVE-2023-48795.patch @@ -1,7 +1,7 @@ -From 1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5 Mon Sep 17 00:00:00 2001 +From 802a7af111c9ddb438ca4fd8c5cc35534e199fda Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Mon, 18 Dec 2023 14:45:17 +0000 -Subject: [PATCH] upstream: implement "strict key exchange" in ssh and sshd +Subject: upstream: implement "strict key exchange" in ssh and sshd This adds a protocol extension to improve the integrity of the SSH transport protocol, particular in and around the initial key exchange @@ -13,19 +13,24 @@ with markus@ OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14 -Reference:https://github.com/openssh/openssh-portable/commit/1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5 -Conflict:upstream: Fix signature algorithm selection logic for UpdateHostkeys on the server side +Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5 +Last-Update: 2023-12-21 + +Patch-Name: CVE-2023-48795.patch + +Reference:https://sources.debian.org/src/openssh/1%3A8.4p1-5%2Bdeb11u3/debian/patches/CVE-2023-48795.patch/ +Conflict:NA --- - PROTOCOL | 28 +++++++++++++- - kex.c | 80 +++++++++++++++++++++++++++++---------- - kex.h | 3 +- - packet.c | 103 +++++++++++++++++++++++++++++--------------------- - packet.h | 3 +- - sshconnect2.c | 13 ++----- - 6 files changed, 152 insertions(+), 78 deletions(-) + PROTOCOL | 26 +++++++++++++++++ + kex.c | 68 ++++++++++++++++++++++++++++++++----------- + kex.h | 1 + + packet.c | 80 ++++++++++++++++++++++++++++++++++++++------------- + sshconnect2.c | 14 +++------ + sshd.c | 8 ++++-- + 6 files changed, 149 insertions(+), 48 deletions(-) diff --git a/PROTOCOL b/PROTOCOL -index 3141cda..9f02bb9 100644 +index f75c1c0..89bddfe 100644 --- a/PROTOCOL +++ b/PROTOCOL @@ -102,6 +102,32 @@ OpenSSH supports the use of ECDH in Curve25519 for key exchange as @@ -61,23 +66,11 @@ index 3141cda..9f02bb9 100644 2. Connection protocol changes 2.1. connection: Channel write close extension "eow@openssh.com" -@@ -575,4 +601,4 @@ OpenSSH's connection multiplexing uses messages as described in - PROTOCOL.mux over a Unix domain socket for communications between a - master instance and later clients. - --$OpenBSD: PROTOCOL,v 1.42 2021/08/09 23:47:44 djm Exp $ -+$OpenBSD: PROTOCOL,v 1.50 2023/12/18 14:45:17 djm Exp $ diff --git a/kex.c b/kex.c -index 2afa087..5e437f9 100644 +index 7c5f635..77eb7c0 100644 --- a/kex.c +++ b/kex.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: kex.c,v 1.178 2023/03/12 10:40:39 dtucker Exp $ */ -+/* $OpenBSD: kex.c,v 1.183 2023/12/18 14:45:17 djm Exp $ */ - /* - * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. - * -@@ -73,7 +73,7 @@ +@@ -72,7 +72,7 @@ #endif /* prototype */ @@ -86,7 +79,7 @@ index 2afa087..5e437f9 100644 static int kex_input_newkeys(int, u_int32_t, struct ssh *); static const char *proposal_names[PROPOSAL_MAX] = { -@@ -218,6 +218,18 @@ kex_names_valid(const char *names) +@@ -215,6 +215,18 @@ kex_names_valid(const char *names) return 1; } @@ -105,7 +98,7 @@ index 2afa087..5e437f9 100644 /* * Concatenate algorithm names, avoiding duplicates in the process. * Caller must free returned string. -@@ -225,7 +237,7 @@ kex_names_valid(const char *names) +@@ -222,7 +234,7 @@ kex_names_valid(const char *names) char * kex_names_cat(const char *a, const char *b) { @@ -114,7 +107,7 @@ index 2afa087..5e437f9 100644 size_t len; if (a == NULL || *a == '\0') -@@ -242,10 +254,8 @@ kex_names_cat(const char *a, const char *b) +@@ -239,10 +251,8 @@ kex_names_cat(const char *a, const char *b) } strlcpy(ret, a, len); for ((p = strsep(&cp, ",")); p && *p != '\0'; (p = strsep(&cp, ","))) { @@ -126,41 +119,7 @@ index 2afa087..5e437f9 100644 if (strlcat(ret, ",", len) >= len || strlcat(ret, p, len) >= len) { free(tmp); -@@ -375,15 +385,23 @@ kex_proposal_populate_entries(struct ssh *ssh, char *prop[PROPOSAL_MAX], - const char *defpropclient[PROPOSAL_MAX] = { KEX_CLIENT }; - const char **defprop = ssh->kex->server ? defpropserver : defpropclient; - u_int i; -+ char *cp; - - if (prop == NULL) - fatal_f("proposal missing"); - -+ /* Append EXT_INFO signalling to KexAlgorithms */ -+ if (kexalgos == NULL) -+ kexalgos = defprop[PROPOSAL_KEX_ALGS]; -+ if ((cp = kex_names_cat(kexalgos, ssh->kex->server ? -+ "kex-strict-s-v00@openssh.com" : -+ "ext-info-c,kex-strict-c-v00@openssh.com")) == NULL) -+ fatal_f("kex_names_cat"); -+ - for (i = 0; i < PROPOSAL_MAX; i++) { - switch(i) { - case PROPOSAL_KEX_ALGS: -- prop[i] = compat_kex_proposal(ssh, -- kexalgos ? kexalgos : defprop[i]); -+ prop[i] = compat_kex_proposal(ssh, cp); - break; - case PROPOSAL_ENC_ALGS_CTOS: - case PROPOSAL_ENC_ALGS_STOC: -@@ -404,6 +422,7 @@ kex_proposal_populate_entries(struct ssh *ssh, char *prop[PROPOSAL_MAX], - prop[i] = xstrdup(defprop[i]); - } - } -+ free(cp); - } - - void -@@ -531,7 +550,12 @@ kex_protocol_error(int type, u_int32_t seq, struct ssh *ssh) +@@ -474,7 +484,12 @@ kex_protocol_error(int type, u_int32_t seq, struct ssh *ssh) { int r; @@ -170,20 +129,23 @@ index 2afa087..5e437f9 100644 + ssh_packet_disconnect(ssh, "strict KEX violation: " + "unexpected packet type %u (seqnr %u)", type, seq); + } -+ error_f("type %u seq %u", type, seq); ++ error("%s: type %u seq %u", __func__, type, seq); if ((r = sshpkt_start(ssh, SSH2_MSG_UNIMPLEMENTED)) != 0 || (r = sshpkt_put_u32(ssh, seq)) != 0 || (r = sshpkt_send(ssh)) != 0) -@@ -606,7 +630,7 @@ kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh) - if (ninfo >= 1024) { - error("SSH2_MSG_EXT_INFO with too many entries, expected " - "<=1024, received %u", ninfo); -- return SSH_ERR_INVALID_FORMAT; +@@ -546,6 +561,11 @@ kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh) + ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error); + if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0) + return r; ++ if (ninfo >= 1024) { ++ error("SSH2_MSG_EXT_INFO with too many entries, expected " ++ "<=1024, received %u", ninfo); + return dispatch_protocol_error(type, seq, ssh); - } ++ } for (i = 0; i < ninfo; i++) { if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0) -@@ -708,7 +732,7 @@ kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh) + return r; +@@ -646,7 +666,7 @@ kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh) error_f("no kex"); return SSH_ERR_INTERNAL_ERROR; } @@ -192,7 +154,7 @@ index 2afa087..5e437f9 100644 ptr = sshpkt_ptr(ssh, &dlen); if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0) return r; -@@ -744,7 +768,7 @@ kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh) +@@ -682,7 +702,7 @@ kex_input_kexinit(int type, u_int32_t seq, struct ssh *ssh) if (!(kex->flags & KEX_INIT_SENT)) if ((r = kex_send_kexinit(ssh)) != 0) return r; @@ -201,7 +163,7 @@ index 2afa087..5e437f9 100644 return r; if (kex->kex_type < KEX_MAX && kex->kex[kex->kex_type] != NULL) -@@ -1022,7 +1046,13 @@ proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX]) +@@ -960,7 +980,13 @@ proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX]) } static int @@ -216,7 +178,7 @@ index 2afa087..5e437f9 100644 { struct kex *kex = ssh->kex; struct newkeys *newkeys; -@@ -1047,13 +1077,23 @@ kex_choose_conf(struct ssh *ssh) +@@ -985,13 +1011,23 @@ kex_choose_conf(struct ssh *ssh) sprop=peer; } @@ -238,7 +200,7 @@ index 2afa087..5e437f9 100644 + "kex-strict-s-v00@openssh.com"); + } + if (kex->kex_strict) { -+ debug3_f("will use strict KEX ordering"); ++ debug3("%s: will use strict KEX ordering", __func__); + if (seq != 0) + ssh_packet_disconnect(ssh, + "strict KEX violation: " @@ -248,16 +210,10 @@ index 2afa087..5e437f9 100644 /* Algorithm Negotiation */ diff --git a/kex.h b/kex.h -index 87ba7c8..1374a8c 100644 +index eabae1d..5d3895c 100644 --- a/kex.h +++ b/kex.h -@@ -1,4 +1,4 @@ --/* $OpenBSD: kex.h,v 1.118 2023/03/06 12:14:48 dtucker Exp $ */ -+/* $OpenBSD: kex.h,v 1.120 2023/12/18 14:45:17 djm Exp $ */ - - /* - * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. -@@ -153,6 +153,7 @@ struct kex { +@@ -155,6 +155,7 @@ struct kex { u_int kex_type; char *server_sig_algs; int ext_info_c; @@ -266,16 +222,10 @@ index 87ba7c8..1374a8c 100644 struct sshbuf *peer; struct sshbuf *client_version; diff --git a/packet.c b/packet.c -index 96ff2ac..95c1dd1 100644 +index f3231e1..16b87f5 100644 --- a/packet.c +++ b/packet.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: packet.c,v 1.301 2021/07/16 09:00:23 djm Exp $ */ -+/* $OpenBSD: packet.c,v 1.313 2023/12/18 14:45:17 djm Exp $ */ - /* - * Author: Tatu Ylonen - * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland -@@ -1221,8 +1221,13 @@ ssh_packet_send2_wrapped(struct ssh *ssh) +@@ -1228,8 +1228,13 @@ ssh_packet_send2_wrapped(struct ssh *ssh) sshbuf_dump(state->output, stderr); #endif /* increment sequence number for outgoing packets */ @@ -290,19 +240,20 @@ index 96ff2ac..95c1dd1 100644 if (++state->p_send.packets == 0) if (!(ssh->compat & SSH_BUG_NOREKEY)) return SSH_ERR_NEED_REKEY; -@@ -1230,6 +1235,11 @@ ssh_packet_send2_wrapped(struct ssh *ssh) +@@ -1237,6 +1242,12 @@ ssh_packet_send2_wrapped(struct ssh *ssh) state->p_send.bytes += len; sshbuf_reset(state->outgoing_packet); + if (type == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) { -+ debug_f("resetting send seqnr %u", state->p_send.seqnr); ++ debug("%s: resetting send seqnr %u", __func__, ++ state->p_send.seqnr); + state->p_send.seqnr = 0; + } + if (type == SSH2_MSG_NEWKEYS) r = ssh_set_newkeys(ssh, MODE_OUT); else if (type == SSH2_MSG_USERAUTH_SUCCESS && state->server_side) -@@ -1362,8 +1372,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) +@@ -1370,8 +1381,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) /* Stay in the loop until we have received a complete packet. */ for (;;) { /* Try to read a packet from the buffer. */ @@ -312,7 +263,7 @@ index 96ff2ac..95c1dd1 100644 break; /* If we got a packet, return it. */ if (*typep != SSH_MSG_NONE) -@@ -1650,10 +1636,16 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) +@@ -1658,10 +1668,16 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) if ((r = sshbuf_consume(state->input, mac->mac_len)) != 0) goto out; } @@ -330,18 +281,19 @@ index 96ff2ac..95c1dd1 100644 if (++state->p_read.packets == 0) if (!(ssh->compat & SSH_BUG_NOREKEY)) return SSH_ERR_NEED_REKEY; -@@ -1719,6 +1711,10 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) +@@ -1727,6 +1743,11 @@ ssh_packet_read_poll2(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) #endif /* reset for next packet */ state->packlen = 0; + if (*typep == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) { -+ debug_f("resetting read seqnr %u", state->p_read.seqnr); ++ debug("%s: resetting read seqnr %u", __func__, ++ state->p_read.seqnr); + state->p_read.seqnr = 0; + } if ((r = ssh_packet_check_rekey(ssh)) != 0) return r; -@@ -1739,10 +1735,39 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) +@@ -1747,10 +1768,39 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) r = ssh_packet_read_poll2(ssh, typep, seqnr_p); if (r != 0) return r; @@ -351,7 +303,7 @@ index 96ff2ac..95c1dd1 100644 + if (*typep == 0) { + /* no message ready */ + return 0; - } ++ } + state->keep_alive_timeouts = 0; + DBG(debug("received packet type %d", *typep)); + @@ -369,7 +321,7 @@ index 96ff2ac..95c1dd1 100644 + ssh_remote_port(ssh), reason, msg); + free(msg); + return SSH_ERR_DISCONNECTED; -+ } + } + + /* + * Do not implicitly handle any messages here during initial @@ -384,7 +336,7 @@ index 96ff2ac..95c1dd1 100644 switch (*typep) { case SSH2_MSG_IGNORE: debug3("Received SSH2_MSG_IGNORE"); -@@ -1757,19 +1782,6 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) +@@ -1765,19 +1815,6 @@ ssh_packet_read_poll_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) debug("Remote: %.900s", msg); free(msg); break; @@ -404,7 +356,7 @@ index 96ff2ac..95c1dd1 100644 case SSH2_MSG_UNIMPLEMENTED: if ((r = sshpkt_get_u32(ssh, &seqnr)) != 0) return r; -@@ -2288,6 +2300,7 @@ kex_to_blob(struct sshbuf *m, struct kex *kex) +@@ -2321,6 +2358,7 @@ kex_to_blob(struct sshbuf *m, struct kex *kex) (r = sshbuf_put_u32(m, kex->hostkey_type)) != 0 || (r = sshbuf_put_u32(m, kex->hostkey_nid)) != 0 || (r = sshbuf_put_u32(m, kex->kex_type)) != 0 || @@ -412,7 +364,7 @@ index 96ff2ac..95c1dd1 100644 (r = sshbuf_put_stringb(m, kex->my)) != 0 || (r = sshbuf_put_stringb(m, kex->peer)) != 0 || (r = sshbuf_put_stringb(m, kex->client_version)) != 0 || -@@ -2450,6 +2463,7 @@ kex_from_blob(struct sshbuf *m, struct kex **kexp) +@@ -2483,6 +2521,7 @@ kex_from_blob(struct sshbuf *m, struct kex **kexp) (r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_type)) != 0 || (r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_nid)) != 0 || (r = sshbuf_get_u32(m, &kex->kex_type)) != 0 || @@ -420,35 +372,29 @@ index 96ff2ac..95c1dd1 100644 (r = sshbuf_get_stringb(m, kex->my)) != 0 || (r = sshbuf_get_stringb(m, kex->peer)) != 0 || (r = sshbuf_get_stringb(m, kex->client_version)) != 0 || -@@ -2778,6 +2792,7 @@ sshpkt_disconnect(struct ssh *ssh, const char *fmt,...) +@@ -2810,6 +2849,7 @@ sshpkt_disconnect(struct ssh *ssh, const char *fmt,...) vsnprintf(buf, sizeof(buf), fmt, args); va_end(args); -+ debug2_f("sending SSH2_MSG_DISCONNECT: %s", buf); ++ debug2("%s: sending SSH2_MSG_DISCONNECT: %s", __func__, buf); if ((r = sshpkt_start(ssh, SSH2_MSG_DISCONNECT)) != 0 || (r = sshpkt_put_u32(ssh, SSH2_DISCONNECT_PROTOCOL_ERROR)) != 0 || (r = sshpkt_put_cstring(ssh, buf)) != 0 || -diff --git a/packet.h b/packet.h -index b3d4280..047c111 100644 ---- a/packet.h -+++ b/packet.h -@@ -1,4 +1,4 @@ --/* $OpenBSD: packet.h,v 1.93 2021/07/16 09:00:23 djm Exp $ */ -+/* $OpenBSD: packet.h,v 1.96 2023/12/18 14:45:17 djm Exp $ */ - - /* - * Author: Tatu Ylonen diff --git a/sshconnect2.c b/sshconnect2.c -index 9267534..701e02d 100644 +index 82846b5..1827f65 100644 --- a/sshconnect2.c +++ b/sshconnect2.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: sshconnect2.c,v 1.364 2023/03/06 12:14:48 dtucker Exp $ */ -+/* $OpenBSD: sshconnect2.c,v 1.370 2023/12/18 14:45:17 djm Exp $ */ - /* - * Copyright (c) 2000 Markus Friedl. All rights reserved. - * Copyright (c) 2008 Damien Miller. All rights reserved. -@@ -427,7 +427,6 @@ struct cauthmethod { +@@ -236,7 +236,8 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) + fatal_fr(r, "kex_assemble_namelist"); + free(all_key); + +- if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL) ++ if ((s = kex_names_cat(options.kex_algorithms, ++ "ext-info-c,kex-strict-c-v00@openssh.com")) == NULL) + fatal_f("kex_names_cat"); + myproposal[PROPOSAL_KEX_ALGS] = prop_kex = compat_kex_proposal(ssh, s); + myproposal[PROPOSAL_ENC_ALGS_CTOS] = +@@ -430,7 +431,6 @@ struct cauthmethod { }; static int input_userauth_service_accept(int, u_int32_t, struct ssh *); @@ -456,7 +402,7 @@ index 9267534..701e02d 100644 static int input_userauth_success(int, u_int32_t, struct ssh *); static int input_userauth_failure(int, u_int32_t, struct ssh *); static int input_userauth_banner(int, u_int32_t, struct ssh *); -@@ -548,7 +547,7 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, +@@ -554,7 +554,7 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, ssh->authctxt = &authctxt; ssh_dispatch_init(ssh, &input_userauth_error); @@ -465,7 +411,7 @@ index 9267534..701e02d 100644 ssh_dispatch_set(ssh, SSH2_MSG_SERVICE_ACCEPT, &input_userauth_service_accept); ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &authctxt.success); /* loop until success */ pubkey_cleanup(ssh); -@@ -604,13 +603,6 @@ input_userauth_service_accept(int type, u_int32_t seq, struct ssh *ssh) +@@ -602,13 +602,6 @@ input_userauth_service_accept(int type, u_int32_t seq, struct ssh *ssh) return r; } @@ -479,7 +425,7 @@ index 9267534..701e02d 100644 void userauth(struct ssh *ssh, char *authlist) { -@@ -692,6 +684,7 @@ input_userauth_success(int type, u_int32_t seq, struct ssh *ssh) +@@ -690,6 +683,7 @@ input_userauth_success(int type, u_int32_t seq, struct ssh *ssh) free(authctxt->methoddata); authctxt->methoddata = NULL; authctxt->success = 1; /* break out */ @@ -487,6 +433,34 @@ index 9267534..701e02d 100644 return 0; } +diff --git a/sshd.c b/sshd.c +index ed5f075..e544b0c 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -2494,10 +2494,13 @@ do_ssh2_kex(struct ssh *ssh) + char *myproposal[PROPOSAL_MAX] = { KEX_SERVER }; + struct kex *kex; + char *prop_kex = NULL, *prop_enc = NULL, *prop_hostkey = NULL; ++ char *s; + int r; + +- myproposal[PROPOSAL_KEX_ALGS] = prop_kex = compat_kex_proposal(ssh, +- options.kex_algorithms); ++ if ((s = kex_names_cat(options.kex_algorithms, ++ "kex-strict-s-v00@openssh.com")) == NULL) ++ fatal("%s: kex_names_cat", __func__); ++ myproposal[PROPOSAL_KEX_ALGS] = prop_kex = compat_kex_proposal(ssh, s); + myproposal[PROPOSAL_ENC_ALGS_CTOS] = + myproposal[PROPOSAL_ENC_ALGS_STOC] = prop_enc = + compat_cipher_proposal(ssh, options.ciphers); +@@ -2615,6 +2618,7 @@ do_ssh2_kex(struct ssh *ssh) + free(prop_kex); + free(prop_enc); + free(prop_hostkey); ++ free(s); + debug("KEX done"); + } + -- 2.33.0 diff --git a/backport-CVE-2023-51385-upstream-ban-user-hostnames-with-most-shell-metachar.patch b/backport-CVE-2023-51385-upstream-ban-user-hostnames-with-most-shell-metachar.patch index 223a10b..d1af122 100644 --- a/backport-CVE-2023-51385-upstream-ban-user-hostnames-with-most-shell-metachar.patch +++ b/backport-CVE-2023-51385-upstream-ban-user-hostnames-with-most-shell-metachar.patch @@ -38,7 +38,7 @@ index 35c48e62d..48d93ddf2 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ --/* $OpenBSD: ssh.c,v 1.575 2022/07/01 00:36:30 djm Exp $ */ +-/* $OpenBSD: ssh.c,v 1.578 2022/10/13 09:09:28 jsg Exp $ */ +/* $OpenBSD: ssh.c,v 1.599 2023/12/18 14:47:44 djm Exp $ */ /* * Author: Tatu Ylonen diff --git a/backport-Defer-seed_rng-until-after-closefrom-call.patch b/backport-Defer-seed_rng-until-after-closefrom-call.patch new file mode 100644 index 0000000..fd61de3 --- /dev/null +++ b/backport-Defer-seed_rng-until-after-closefrom-call.patch @@ -0,0 +1,39 @@ +From cf1a9852d7fc93e4abc4168aed09529a57427cdc Mon Sep 17 00:00:00 2001 +From: Darren Tucker +Date: Wed, 9 Nov 2022 09:23:47 +1100 +Subject: [PATCH] Defer seed_rng until after closefrom call. + +seed_rng will initialize OpenSSL, and some engine providers (eg Intel's +QAT) will open descriptors for their own use. bz#3483, patch from +joel.d.schuetze at intel.com, ok djm@ +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=cf1a9852d7fc93e4abc4168aed09529a57427cdc +--- + sshd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sshd.c b/sshd.c +index b4bb7d65..808d91ef 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -1580,8 +1580,6 @@ main(int ac, char **av) + /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ + sanitise_stdfd(); + +- seed_rng(); +- + /* Initialize configuration options to their default values. */ + initialize_server_options(&options); + +@@ -1703,6 +1701,8 @@ main(int ac, char **av) + else + closefrom(REEXEC_DEVCRYPTO_RESERVED_FD); + ++ seed_rng(); ++ + /* If requested, redirect the logs to the specified logfile. */ + if (logfile != NULL) + log_redirect_stderr_to(logfile); +-- +2.27.0 + diff --git a/backport-adapt-compat_kex_proposal-test-to-portable.patch b/backport-adapt-compat_kex_proposal-test-to-portable.patch new file mode 100644 index 0000000..2871639 --- /dev/null +++ b/backport-adapt-compat_kex_proposal-test-to-portable.patch @@ -0,0 +1,51 @@ +From 9fe207565b4ab0fe5d1ac5bb85e39188d96fb214 Mon Sep 17 00:00:00 2001 +From: Damien Miller +Date: Thu, 2 Feb 2023 23:17:49 +1100 +Subject: [PATCH] adapt compat_kex_proposal() test to portable + +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=9fe207565b4ab0fe5d1ac5bb85e39188d96fb214 +--- + Makefile.in | 1 + + regress/unittests/kex/test_proposal.c | 6 +++++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/Makefile.in b/Makefile.in +index 18f6ac9e..c0ebfa04 100644 +--- a/Makefile.in ++++ b/Makefile.in +@@ -616,6 +616,7 @@ regress/unittests/conversion/test_conversion$(EXEEXT): \ + UNITTESTS_TEST_KEX_OBJS=\ + regress/unittests/kex/tests.o \ + regress/unittests/kex/test_kex.o \ ++ regress/unittests/kex/test_proposal.o \ + $(SKOBJS) + + regress/unittests/kex/test_kex$(EXEEXT): ${UNITTESTS_TEST_KEX_OBJS} \ +diff --git a/regress/unittests/kex/test_proposal.c b/regress/unittests/kex/test_proposal.c +index b89ff59b..d6cf0f5d 100644 +--- a/regress/unittests/kex/test_proposal.c ++++ b/regress/unittests/kex/test_proposal.c +@@ -5,14 +5,18 @@ + * Placed in the public domain + */ + ++#include "includes.h" ++ + #include + #include + #include ++#ifdef HAVE_STDINT_H + #include ++#endif + #include + #include + +-#include "test_helper.h" ++#include "../test_helper/test_helper.h" + + #include "compat.h" + #include "ssherr.h" +-- +2.27.0 + diff --git a/backport-don-t-test-IPv6-addresses-if-platform-lacks-support.patch b/backport-don-t-test-IPv6-addresses-if-platform-lacks-support.patch new file mode 100644 index 0000000..4ae1885 --- /dev/null +++ b/backport-don-t-test-IPv6-addresses-if-platform-lacks-support.patch @@ -0,0 +1,52 @@ +From dd1249bd5c45128a908395c61b26996a70f82205 Mon Sep 17 00:00:00 2001 +From: Damien Miller +Date: Sun, 8 Jan 2023 12:08:59 +1100 +Subject: [PATCH] don't test IPv6 addresses if platform lacks support + +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=dd1249bd5c45128a908395c61b26996a70f82205 + +--- + regress/dynamic-forward.sh | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh +index f6c2393..1bfe05a 100644 +--- a/regress/dynamic-forward.sh ++++ b/regress/dynamic-forward.sh +@@ -17,6 +17,11 @@ else + fi + trace "will use ProxyCommand $proxycmd" + ++# This is a reasonable proxy for IPv6 support. ++if ! config_defined HAVE_STRUCT_IN6_ADDR ; then ++ SKIP_IPV6=yes ++fi ++ + start_ssh() { + direction="$1" + arg="$2" +@@ -96,14 +101,16 @@ for d in D R; do + stop_ssh + + verbose "PermitRemoteOpen=explicit" +- start_ssh $d \ +- PermitRemoteOpen="127.0.0.1:$PORT [::1]:$PORT localhost:$PORT" ++ permit="127.0.0.1:$PORT [::1]:$PORT localhost:$PORT" ++ test -z "$SKIP_IPV6" || permit="127.0.0.1:$PORT localhost:$PORT" ++ start_ssh $d PermitRemoteOpen="$permit" + check_socks $d Y + stop_ssh + + verbose "PermitRemoteOpen=disallowed" +- start_ssh $d \ +- PermitRemoteOpen="127.0.0.1:1 [::1]:1 localhost:1" ++ permit="127.0.0.1:1 [::1]:1 localhost:1" ++ test -z "$SKIP_IPV6" || permit="127.0.0.1:1 localhost:1" ++ start_ssh $d PermitRemoteOpen="$permit" + check_socks $d N + stop_ssh + done +-- +2.27.0 + diff --git a/backport-upstream-Add-scp-s-path-to-test-sshd-s-PATH.patch b/backport-upstream-Add-scp-s-path-to-test-sshd-s-PATH.patch new file mode 100644 index 0000000..ff5a0c9 --- /dev/null +++ b/backport-upstream-Add-scp-s-path-to-test-sshd-s-PATH.patch @@ -0,0 +1,37 @@ +From 6e6f88647042b3cde54a628545c2f5fb656a9327 Mon Sep 17 00:00:00 2001 +From: "dtucker@openbsd.org" +Date: Fri, 13 Jan 2023 04:23:00 +0000 +Subject: [PATCH] upstream: Add scp's path to test sshd's PATH. + +If the scp we're testing is fully qualified (eg it's not in the system +PATH) then add its path to the under-test sshd's PATH so we can find +it. Prompted by bz#3518. + +OpenBSD-Regress-ID: 7df4f5a0be3aa135495b7e5a6719d3cbc26cc4c0 +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=6e6f88647042b3cde54a628545c2f5fb656a9327 +--- + regress/test-exec.sh | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/regress/test-exec.sh b/regress/test-exec.sh +index c51f8eac..5a6afac5 100644 +--- a/regress/test-exec.sh ++++ b/regress/test-exec.sh +@@ -529,6 +529,13 @@ cat << EOF > $OBJ/sshd_config + Subsystem sftp $SFTPSERVER + EOF + ++# If we're testing a non-installed scp, add its directory to sshd's PATH ++# so we can test it. ++case "$SCP" in ++/*) PATH_WITH_SCP="`dirname $SCP`:$PATH" ++ echo " SetEnv PATH='$PATH_WITH_SCP'" >>$OBJ/sshd_config ;; ++esac ++ + # This may be necessary if /usr/src and/or /usr/obj are group-writable, + # but if you aren't careful with permissions then the unit tests could + # be abused to locally escalate privileges. +-- +2.27.0 + diff --git a/backport-upstream-Clear-signal-mask-early-in-main-sshd-may-ha.patch b/backport-upstream-Clear-signal-mask-early-in-main-sshd-may-ha.patch new file mode 100644 index 0000000..22db428 --- /dev/null +++ b/backport-upstream-Clear-signal-mask-early-in-main-sshd-may-ha.patch @@ -0,0 +1,53 @@ +From 93f2ce8c050a7a2a628646c00b40b9b53fef93ef Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Fri, 16 Dec 2022 06:56:47 +0000 +Subject: [PATCH] upstream: Clear signal mask early in main(); sshd may have + been + +started with one or more signals masked (sigprocmask(2) is not cleared +on fork/exec) and this could interfere with various things, e.g. the +login grace timer. + +Execution environments that fail to clear the signal mask before running +sshd are clearly broken, but apparently they do exist. + +Reported by Sreedhar Balasubramanian; ok dtucker@ + +OpenBSD-Commit-ID: 77078c0b1c53c780269fc0c416f121d05e3010ae +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=93f2ce8c050a7a2a628646c00b40b9b53fef93ef +--- + sshd.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/sshd.c b/sshd.c +index 6bb3a962..72525525 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: sshd.c,v 1.589 2022/07/01 03:39:44 dtucker Exp $ */ ++/* $OpenBSD: sshd.c,v 1.594 2022/12/16 06:56:47 djm Exp $ */ + /* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland +@@ -1546,13 +1546,17 @@ main(int ac, char **av) + int keytype; + Authctxt *authctxt; + struct connection_info *connection_info = NULL; ++ sigset_t sigmask; + + #ifdef HAVE_SECUREWARE + (void)set_auth_parameters(ac, av); + #endif + __progname = ssh_get_progname(av[0]); + ++ sigemptyset(&sigmask); ++ sigprocmask(SIG_SETMASK, &sigmask, NULL); ++ + OpenSSL_add_all_algorithms(); + /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */ + saved_argc = ac; + rexec_argc = ac; +-- +2.27.0 + diff --git a/backport-upstream-Copy-bytes-from-the_banana-rather-than-bana.patch b/backport-upstream-Copy-bytes-from-the_banana-rather-than-bana.patch new file mode 100644 index 0000000..f1c5b50 --- /dev/null +++ b/backport-upstream-Copy-bytes-from-the_banana-rather-than-bana.patch @@ -0,0 +1,32 @@ +From 018d671d78145f03d6f07ae9d64d51321da70325 Mon Sep 17 00:00:00 2001 +From: "tb@openbsd.org" +Date: Wed, 4 Jan 2023 22:48:57 +0000 +Subject: [PATCH] upstream: Copy bytes from the_banana[] rather than banana() + +Fixes test failure due to segfault seen on arm64 with xonly snap. + +ok djm + +OpenBSD-Regress-ID: 86e2aa4bbd1dff1bc4ebb2969c0d6474485be046 +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=018d671d78145f03d6f07ae9d64d51321da70325 +--- + regress/unittests/sshkey/test_sshkey.c | 2 +- + 1 file changed, 1 insertions(+), 1 deletions(-) + +diff --git a/regress/unittests/sshkey/test_sshkey.c b/regress/unittests/sshkey/test_sshkey.c +index 982907ce..cc359aea 100644 +--- a/regress/unittests/sshkey/test_sshkey.c ++++ b/regress/unittests/sshkey/test_sshkey.c +@@ -144,7 +144,7 @@ banana(u_char *s, size_t l) + memcpy(s + o, "nanananana", l - o); + break; + } +- memcpy(s + o, banana, sizeof(the_banana)); ++ memcpy(s + o, the_banana, sizeof(the_banana)); + } + } + +-- +2.27.0 + diff --git a/backport-upstream-Ensure-that-there-is-a-terminating-newline-.patch b/backport-upstream-Ensure-that-there-is-a-terminating-newline-.patch new file mode 100644 index 0000000..a577b15 --- /dev/null +++ b/backport-upstream-Ensure-that-there-is-a-terminating-newline-.patch @@ -0,0 +1,48 @@ +From 3c379c9a849a635cc7f05cbe49fe473ccf469ef9 Mon Sep 17 00:00:00 2001 +From: "dtucker@openbsd.org" +Date: Thu, 9 Feb 2023 09:54:11 +0000 +Subject: [PATCH] upstream: Ensure that there is a terminating newline when + adding a new + +entry to known_hosts. bz#3529, with git+openssh at limpsquid.nl, ok deraadt@ +markus@ + +OpenBSD-Commit-ID: fa8d90698da1886570512b96f051e266eac105e0 +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=3c379c9a849a635cc7f05cbe49fe473ccf469ef9 +--- + hostfile.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/hostfile.c b/hostfile.c +index bd49e3ac..f5fa8084 100644 +--- a/hostfile.c ++++ b/hostfile.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: hostfile.c,v 1.91 2021/07/05 01:16:46 dtucker Exp $ */ ++/* $OpenBSD: hostfile.c,v 1.94 2023/02/09 09:54:11 dtucker Exp $ */ + /* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland +@@ -520,9 +520,17 @@ add_host_to_hostfile(const char *filename, const char *host, + if (key == NULL) + return 1; /* XXX ? */ + hostfile_create_user_ssh_dir(filename, 0); +- f = fopen(filename, "a"); ++ f = fopen(filename, "a+"); + if (!f) + return 0; ++ /* Make sure we have a terminating newline. */ ++ if (fseek(f, -1L, SEEK_END) == 0 && fgetc(f) != '\n') ++ if (fputc('\n', f) != '\n') { ++ error("Failed to add terminating newline to %s: %s", ++ filename, strerror(errno)); ++ fclose(f); ++ return 0; ++ } + success = write_host_entry(f, host, NULL, key, store_hash); + fclose(f); + return success; +-- +2.27.0 + diff --git a/backport-upstream-Handle-dynamic-remote-port-forwarding-in-es.patch b/backport-upstream-Handle-dynamic-remote-port-forwarding-in-es.patch new file mode 100644 index 0000000..3abd870 --- /dev/null +++ b/backport-upstream-Handle-dynamic-remote-port-forwarding-in-es.patch @@ -0,0 +1,46 @@ +From 650de7ecd3567b5a5dbf16dd1eb598bd8c20bca8 Mon Sep 17 00:00:00 2001 +From: "dtucker@openbsd.org" +Date: Thu, 10 Nov 2022 23:03:10 +0000 +Subject: [PATCH] upstream: Handle dynamic remote port forwarding in escape + commandline's + +-R processing. bz#3499, ok djm@ + +OpenBSD-Commit-ID: 194ee4cfe7ed0e2b8ad0727f493c798a50454208 +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=650de7ecd3567b5a5dbf16dd1eb598bd8c20bca8 +--- + clientloop.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/clientloop.c b/clientloop.c +index 289d0b68..02349ccb 100644 +--- a/clientloop.c ++++ b/clientloop.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: clientloop.c,v 1.370 2021/08/29 23:44:07 djm Exp $ */ ++/* $OpenBSD: clientloop.c,v 1.382 2022/11/10 23:03:10 dtucker Exp $ */ + /* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland +@@ -846,8 +846,15 @@ process_cmdline(struct ssh *ssh) + } + logit("Canceled forwarding."); + } else { +- if (!parse_forward(&fwd, s, dynamic, remote)) { +- logit("Bad forwarding specification."); ++ /* -R specs can be both dynamic or not, so check both. */ ++ if (remote) { ++ if (!parse_forward(&fwd, s, 0, remote) && ++ !parse_forward(&fwd, s, 1, remote)) { ++ logit("Bad remote forwarding specification."); ++ goto out; ++ } ++ } else if (!parse_forward(&fwd, s, dynamic, remote)) { ++ logit("Bad local forwarding specification."); + goto out; + } + if (local || dynamic) { +-- +2.27.0 + diff --git a/backport-upstream-Instead-of-skipping-the-all-tokens-test-if-.patch b/backport-upstream-Instead-of-skipping-the-all-tokens-test-if-.patch new file mode 100644 index 0000000..6e8d770 --- /dev/null +++ b/backport-upstream-Instead-of-skipping-the-all-tokens-test-if-.patch @@ -0,0 +1,44 @@ +From 4d87a00f704e0365e11c3c38b170c1275ec461fc Mon Sep 17 00:00:00 2001 +From: "dtucker@openbsd.org" +Date: Sat, 14 Jan 2023 09:57:08 +0000 +Subject: [PATCH] upstream: Instead of skipping the all-tokens test if we don't + have + +OpenSSL (since we use it to compute the hash), put the hash at the end and +just omit it if we don't have it. Prompted by bz#3521. + +OpenBSD-Regress-ID: c79ecba64250ed3b6417294b6c965e6b12ca5eea +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=4d87a00f704e0365e11c3c38b170c1275ec461fc +--- +diff --git a/regress/percent.sh b/regress/percent.sh +index ed5c604d..3dfa8d2d 100644 +--- a/regress/percent.sh ++++ b/regress/percent.sh +@@ -12,6 +12,7 @@ USER=`id -u -n` + USERID=`id -u` + HOST=`hostname | cut -f1 -d.` + HOSTNAME=`hostname` ++HASH="" + + # Localcommand is evaluated after connection because %T is not available + # until then. Because of this we use a different method of exercising it, +@@ -98,10 +99,13 @@ for i in matchexec localcommand remotecommand controlpath identityagent \ + # containing %d for UserKnownHostsFile + if [ "$i" != "userknownhostsfile" ]; then + trial $i '%d' $HOME ++ in='%%/%i/%h/%d/%L/%l/%n/%p/%r/%u' ++ out="%/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER" + if [ ! -z "${HASH}" ]; then +- trial $i '%%/%C/%i/%h/%d/%L/%l/%n/%p/%r/%u' \ +- "%/$HASH/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER" ++ in="$in/%C" ++ out="$out/$HASH" + fi ++ trial $i "$in" "$out" + fi + done + +-- +2.27.0 + diff --git a/backport-upstream-Limit-number-of-entries-in-SSH2_MSG_EXT_INF.patch b/backport-upstream-Limit-number-of-entries-in-SSH2_MSG_EXT_INF.patch deleted file mode 100644 index d511e48..0000000 --- a/backport-upstream-Limit-number-of-entries-in-SSH2_MSG_EXT_INF.patch +++ /dev/null @@ -1,41 +0,0 @@ -From d95af508e78c0cd3dce56b83853baaa59ae295cf Mon Sep 17 00:00:00 2001 -From: "dtucker@openbsd.org" -Date: Sun, 12 Mar 2023 10:40:39 +0000 -Subject: [PATCH] upstream: Limit number of entries in SSH2_MSG_EXT_INFO - -request. This is already constrained by the maximum SSH packet size but this -makes it explicit. Prompted by Coverity CID 291868, ok djm@ markus@ - -OpenBSD-Commit-ID: aea023819aa44a2dcb9dd0fbec10561896fc3a09 - -Conflict:NA -Reference:https://github.com/openssh/openssh-portable/commit/d95af508e78c0cd3dce56b83853baaa59ae295cf ---- - kex.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/kex.c b/kex.c -index b681c58..2afa087 100644 ---- a/kex.c -+++ b/kex.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: kex.c,v 1.176 2023/03/06 12:14:48 dtucker Exp $ */ -+/* $OpenBSD: kex.c,v 1.178 2023/03/12 10:40:39 dtucker Exp $ */ - /* - * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. - * -@@ -603,6 +603,11 @@ kex_input_ext_info(int type, u_int32_t seq, struct ssh *ssh) - ssh_dispatch_set(ssh, SSH2_MSG_EXT_INFO, &kex_protocol_error); - if ((r = sshpkt_get_u32(ssh, &ninfo)) != 0) - return r; -+ if (ninfo >= 1024) { -+ error("SSH2_MSG_EXT_INFO with too many entries, expected " -+ "<=1024, received %u", ninfo); -+ return SSH_ERR_INVALID_FORMAT; -+ } - for (i = 0; i < ninfo; i++) { - if ((r = sshpkt_get_cstring(ssh, &name, NULL)) != 0) - return r; --- -2.33.0 - diff --git a/backport-upstream-Refactor-creation-of-KEX-proposal.patch b/backport-upstream-Refactor-creation-of-KEX-proposal.patch deleted file mode 100644 index 29be862..0000000 --- a/backport-upstream-Refactor-creation-of-KEX-proposal.patch +++ /dev/null @@ -1,402 +0,0 @@ -From 9641753e0fd146204d57b2a4165f552a81afade4 Mon Sep 17 00:00:00 2001 -From: "dtucker@openbsd.org" -Date: Mon, 6 Mar 2023 12:14:48 +0000 -Subject: [PATCH] upstream: Refactor creation of KEX proposal. - -This adds kex_proposal_populate_entries (and corresponding free) which -populates the KEX proposal array with dynamically allocated strings. -This replaces the previous mix of static and dynamic that has been the -source of previous leaks and bugs. Remove unused compat functions. -With & ok djm@. - -OpenBSD-Commit-ID: f2f99da4aae2233cb18bf9c749320c5e040a9c7b - -Reference:https://github.com/openssh/openssh-portable/commit/9641753e0fd146204d57b2a4165f552a81afade4 -Conflict:Remove now-unused compat bit SSH_BUG_RSASIGMD5 - gssapi-keyex ---- - compat.c | 35 ++------------------------ - compat.h | 6 ++--- - kex.c | 58 ++++++++++++++++++++++++++++++++++++++++++- - kex.h | 5 +++- - sshconnect2.c | 68 +++++++++++++++++++-------------------------------- - sshd.c | 37 +++++++++------------------- - 6 files changed, 102 insertions(+), 107 deletions(-) - -diff --git a/compat.c b/compat.c -index 555a372..4f8a1fb 100644 ---- a/compat.c -+++ b/compat.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: compat.c,v 1.121 2023/02/02 12:10:05 djm Exp $ */ -+/* $OpenBSD: compat.c,v 1.126 2023/03/06 12:14:48 dtucker Exp $ */ - /* - * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. - * -@@ -36,7 +36,6 @@ - #include "compat.h" - #include "log.h" - #include "match.h" --#include "kex.h" - - /* determine bug flags from SSH protocol banner */ - void -@@ -158,37 +157,7 @@ compat_banner(struct ssh *ssh, const char *version) - - /* Always returns pointer to allocated memory, caller must free. */ - char * --compat_cipher_proposal(struct ssh *ssh, char *cipher_prop) --{ -- if (!(ssh->compat & SSH_BUG_BIGENDIANAES)) -- return xstrdup(cipher_prop); -- debug2_f("original cipher proposal: %s", cipher_prop); -- if ((cipher_prop = match_filter_denylist(cipher_prop, "aes*")) == NULL) -- fatal("match_filter_denylist failed"); -- debug2_f("compat cipher proposal: %s", cipher_prop); -- if (*cipher_prop == '\0') -- fatal("No supported ciphers found"); -- return cipher_prop; --} -- --/* Always returns pointer to allocated memory, caller must free. */ --char * --compat_pkalg_proposal(struct ssh *ssh, char *pkalg_prop) --{ -- if (!(ssh->compat & SSH_BUG_RSASIGMD5)) -- return xstrdup(pkalg_prop); -- debug2_f("original public key proposal: %s", pkalg_prop); -- if ((pkalg_prop = match_filter_denylist(pkalg_prop, "ssh-rsa")) == NULL) -- fatal("match_filter_denylist failed"); -- debug2_f("compat public key proposal: %s", pkalg_prop); -- if (*pkalg_prop == '\0') -- fatal("No supported PK algorithms found"); -- return pkalg_prop; --} -- --/* Always returns pointer to allocated memory, caller must free. */ --char * --compat_kex_proposal(struct ssh *ssh, char *p) -+compat_kex_proposal(struct ssh *ssh, const char *p) - { - char *cp = NULL, *cp2 = NULL; - -diff --git a/compat.h b/compat.h -index 167409b..013c855 100644 ---- a/compat.h -+++ b/compat.h -@@ -1,4 +1,4 @@ --/* $OpenBSD: compat.h,v 1.57 2021/06/06 03:40:39 djm Exp $ */ -+/* $OpenBSD: compat.h,v 1.62 2023/03/06 12:14:48 dtucker Exp $ */ - - /* - * Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved. -@@ -61,7 +61,5 @@ - struct ssh; - - void compat_banner(struct ssh *, const char *); --char *compat_cipher_proposal(struct ssh *, char *); --char *compat_pkalg_proposal(struct ssh *, char *); --char *compat_kex_proposal(struct ssh *, char *); -+char *compat_kex_proposal(struct ssh *, const char *); - #endif -diff --git a/kex.c b/kex.c -index e8c2741..b681c58 100644 ---- a/kex.c -+++ b/kex.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: kex.c,v 1.168 2021/04/03 06:18:40 djm Exp $ */ -+/* $OpenBSD: kex.c,v 1.176 2023/03/06 12:14:48 dtucker Exp $ */ - /* - * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. - * -@@ -60,6 +60,7 @@ - #include "misc.h" - #include "dispatch.h" - #include "monitor.h" -+#include "myproposal.h" - #include "xmalloc.h" - - #include "ssherr.h" -@@ -359,6 +360,61 @@ kex_assemble_names(char **listp, const char *def, const char *all) - return r; - } - -+/* -+ * Fill out a proposal array with dynamically allocated values, which may -+ * be modified as required for compatibility reasons. -+ * Any of the options may be NULL, in which case the default is used. -+ * Array contents must be freed by calling kex_proposal_free_entries. -+ */ -+void -+kex_proposal_populate_entries(struct ssh *ssh, char *prop[PROPOSAL_MAX], -+ const char *kexalgos, const char *ciphers, const char *macs, -+ const char *comp, const char *hkalgs) -+{ -+ const char *defpropserver[PROPOSAL_MAX] = { KEX_SERVER }; -+ const char *defpropclient[PROPOSAL_MAX] = { KEX_CLIENT }; -+ const char **defprop = ssh->kex->server ? defpropserver : defpropclient; -+ u_int i; -+ -+ if (prop == NULL) -+ fatal_f("proposal missing"); -+ -+ for (i = 0; i < PROPOSAL_MAX; i++) { -+ switch(i) { -+ case PROPOSAL_KEX_ALGS: -+ prop[i] = compat_kex_proposal(ssh, -+ kexalgos ? kexalgos : defprop[i]); -+ break; -+ case PROPOSAL_ENC_ALGS_CTOS: -+ case PROPOSAL_ENC_ALGS_STOC: -+ prop[i] = xstrdup(ciphers ? ciphers : defprop[i]); -+ break; -+ case PROPOSAL_MAC_ALGS_CTOS: -+ case PROPOSAL_MAC_ALGS_STOC: -+ prop[i] = xstrdup(macs ? macs : defprop[i]); -+ break; -+ case PROPOSAL_COMP_ALGS_CTOS: -+ case PROPOSAL_COMP_ALGS_STOC: -+ prop[i] = xstrdup(comp ? comp : defprop[i]); -+ break; -+ case PROPOSAL_SERVER_HOST_KEY_ALGS: -+ prop[i] = xstrdup(hkalgs ? hkalgs : defprop[i]); -+ break; -+ default: -+ prop[i] = xstrdup(defprop[i]); -+ } -+ } -+} -+ -+void -+kex_proposal_free_entries(char *prop[PROPOSAL_MAX]) -+{ -+ u_int i; -+ -+ for (i = 0; i < PROPOSAL_MAX; i++) -+ free(prop[i]); -+} -+ - /* Validate GSS KEX method name list */ - int - kex_gss_names_valid(const char *names) -diff --git a/kex.h b/kex.h -index 8b95227..87ba7c8 100644 ---- a/kex.h -+++ b/kex.h -@@ -1,4 +1,4 @@ --/* $OpenBSD: kex.h,v 1.114 2021/01/31 22:55:29 djm Exp $ */ -+/* $OpenBSD: kex.h,v 1.118 2023/03/06 12:14:48 dtucker Exp $ */ - - /* - * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. -@@ -192,6 +192,9 @@ char *kex_alg_list(char); - char *kex_gss_alg_list(char); - char *kex_names_cat(const char *, const char *); - int kex_assemble_names(char **, const char *, const char *); -+void kex_proposal_populate_entries(struct ssh *, char *prop[PROPOSAL_MAX], -+ const char *, const char *, const char *, const char *, const char *); -+void kex_proposal_free_entries(char *prop[PROPOSAL_MAX]); - int kex_gss_names_valid(const char *); - - int kex_exchange_identification(struct ssh *, int, const char *); -diff --git a/sshconnect2.c b/sshconnect2.c -index eb0df92..9267534 100644 ---- a/sshconnect2.c -+++ b/sshconnect2.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: sshconnect2.c,v 1.359 2022/07/01 03:39:44 dtucker Exp $ */ -+/* $OpenBSD: sshconnect2.c,v 1.364 2023/03/06 12:14:48 dtucker Exp $ */ - /* - * Copyright (c) 2000 Markus Friedl. All rights reserved. - * Copyright (c) 2008 Damien Miller. All rights reserved. -@@ -58,7 +58,6 @@ - #include "cipher.h" - #include "sshkey.h" - #include "kex.h" --#include "myproposal.h" - #include "sshconnect.h" - #include "authfile.h" - #include "dh.h" -@@ -216,11 +215,9 @@ void - ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port, - const struct ssh_conn_info *cinfo) - { -- char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT }; -- char *s, *all_key; -- char *prop_kex = NULL, *prop_enc = NULL, *prop_hostkey = NULL; -- int r, use_known_hosts_order = 0; -- -+ char *myproposal[PROPOSAL_MAX]; -+ char *s, *all_key, *hkalgs = NULL; -+ int r; - #if defined(GSSAPI) && defined(WITH_OPENSSL) - char *orig = NULL, *gss = NULL; - char *gss_host = NULL; -@@ -230,15 +227,9 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port, - xxx_hostaddr = hostaddr; - xxx_conn_info = cinfo; - -- /* -- * If the user has not specified HostkeyAlgorithms, or has only -- * appended or removed algorithms from that list then prefer algorithms -- * that are in the list that are supported by known_hosts keys. -- */ -- if (options.hostkeyalgorithms == NULL || -- options.hostkeyalgorithms[0] == '-' || -- options.hostkeyalgorithms[0] == '+') -- use_known_hosts_order = 1; -+ if (options.rekey_limit || options.rekey_interval) -+ ssh_packet_set_rekey_limits(ssh, options.rekey_limit, -+ options.rekey_interval); - - /* Expand or fill in HostkeyAlgorithms */ - all_key = sshkey_alg_list(0, 0, 1, ','); -@@ -249,25 +240,22 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port, - - if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL) - fatal_f("kex_names_cat"); -- myproposal[PROPOSAL_KEX_ALGS] = prop_kex = compat_kex_proposal(ssh, s); -- myproposal[PROPOSAL_ENC_ALGS_CTOS] = -- myproposal[PROPOSAL_ENC_ALGS_STOC] = prop_enc = -- compat_cipher_proposal(ssh, options.ciphers); -- myproposal[PROPOSAL_COMP_ALGS_CTOS] = -- myproposal[PROPOSAL_COMP_ALGS_STOC] = -- (char *)compression_alg_list(options.compression); -- myproposal[PROPOSAL_MAC_ALGS_CTOS] = -- myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; -- if (use_known_hosts_order) { -- /* Query known_hosts and prefer algorithms that appear there */ -- myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey = -- compat_pkalg_proposal(ssh, -- order_hostkeyalgs(host, hostaddr, port, cinfo)); -- } else { -- /* Use specified HostkeyAlgorithms exactly */ -- myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey = -- compat_pkalg_proposal(ssh, options.hostkeyalgorithms); -- } -+ -+ /* -+ * If the user has not specified HostkeyAlgorithms, or has only -+ * appended or removed algorithms from that list then prefer algorithms -+ * that are in the list that are supported by known_hosts keys. -+ */ -+ if (options.hostkeyalgorithms == NULL || -+ options.hostkeyalgorithms[0] == '-' || -+ options.hostkeyalgorithms[0] == '+') -+ hkalgs = order_hostkeyalgs(host, hostaddr, port, cinfo); -+ -+ kex_proposal_populate_entries(ssh, myproposal, s, options.ciphers, -+ options.macs, compression_alg_list(options.compression), -+ hkalgs ? hkalgs : options.hostkeyalgorithms); -+ -+ free(hkalgs); - - #if defined(GSSAPI) && defined(WITH_OPENSSL) - if (options.gss_keyex) { -@@ -310,10 +298,6 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port, - } - #endif - -- if (options.rekey_limit || options.rekey_interval) -- ssh_packet_set_rekey_limits(ssh, options.rekey_limit, -- options.rekey_interval); -- - /* start key exchange */ - if ((r = kex_setup(ssh, myproposal)) != 0) - fatal_r(r, "kex_setup"); -@@ -357,6 +341,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port, - ssh_dispatch_run_fatal(ssh, DISPATCH_BLOCK, &ssh->kex->done); - - /* remove ext-info from the KEX proposals for rekeying */ -+ free(myproposal[PROPOSAL_KEX_ALGS]); - myproposal[PROPOSAL_KEX_ALGS] = - compat_kex_proposal(ssh, options.kex_algorithms); - #if defined(GSSAPI) && defined(WITH_OPENSSL) -@@ -380,10 +365,7 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port, - (r = ssh_packet_write_wait(ssh)) != 0) - fatal_fr(r, "send packet"); - #endif -- /* Free only parts of proposal that were dynamically allocated here. */ -- free(prop_kex); -- free(prop_enc); -- free(prop_hostkey); -+ kex_proposal_free_entries(myproposal); - } - - /* -diff --git a/sshd.c b/sshd.c -index dd7e1d4..aa3c3b7 100644 ---- a/sshd.c -+++ b/sshd.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: sshd.c,v 1.589 2022/07/01 03:39:44 dtucker Exp $ */ -+/* $OpenBSD: sshd.c,v 1.599 2023/03/06 12:14:48 dtucker Exp $ */ - /* - * Author: Tatu Ylonen - * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland -@@ -107,7 +107,6 @@ - #include "digest.h" - #include "sshkey.h" - #include "kex.h" --#include "myproposal.h" - #include "authfile.h" - #include "pathnames.h" - #include "atomicio.h" -@@ -2524,33 +2523,23 @@ sshd_hostkey_sign(struct ssh *ssh, struct sshkey *privkey, - static void - do_ssh2_kex(struct ssh *ssh) - { -- char *myproposal[PROPOSAL_MAX] = { KEX_SERVER }; -+ char *hkalgs = NULL, *myproposal[PROPOSAL_MAX]; -+ const char *compression = NULL; - struct kex *kex; -- char *prop_kex = NULL, *prop_enc = NULL, *prop_hostkey = NULL; - int r; - -- myproposal[PROPOSAL_KEX_ALGS] = prop_kex = compat_kex_proposal(ssh, -- options.kex_algorithms); -- myproposal[PROPOSAL_ENC_ALGS_CTOS] = -- myproposal[PROPOSAL_ENC_ALGS_STOC] = prop_enc = -- compat_cipher_proposal(ssh, options.ciphers); -- myproposal[PROPOSAL_ENC_ALGS_STOC] = compat_cipher_proposal(ssh, -- options.ciphers); -- myproposal[PROPOSAL_MAC_ALGS_CTOS] = -- myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; -- -- if (options.compression == COMP_NONE) { -- myproposal[PROPOSAL_COMP_ALGS_CTOS] = -- myproposal[PROPOSAL_COMP_ALGS_STOC] = "none"; -- } -- - if (options.rekey_limit || options.rekey_interval) - ssh_packet_set_rekey_limits(ssh, options.rekey_limit, - options.rekey_interval); -- /* coverity[leaked_storage : FALSE]*/ -- myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey = -- compat_pkalg_proposal(ssh, list_hostkey_types()); - -+ if (options.compression == COMP_NONE) -+ compression = "none"; -+ hkalgs = list_hostkey_types(); -+ -+ kex_proposal_populate_entries(ssh, myproposal, options.kex_algorithms, -+ options.ciphers, options.macs, compression, hkalgs); -+ -+ free(hkalgs); - #if defined(GSSAPI) && defined(WITH_OPENSSL) - { - char *orig; -@@ -2645,9 +2634,7 @@ do_ssh2_kex(struct ssh *ssh) - (r = ssh_packet_write_wait(ssh)) != 0) - fatal_fr(r, "send test"); - #endif -- free(prop_kex); -- free(prop_enc); -- free(prop_hostkey); -+ kex_proposal_free_entries(myproposal); - debug("KEX done"); - } - --- -2.33.0 - diff --git a/backport-upstream-Shell-syntax-fix.-From-ren-mingshuai-vi-git.patch b/backport-upstream-Shell-syntax-fix.-From-ren-mingshuai-vi-git.patch new file mode 100644 index 0000000..9262ca5 --- /dev/null +++ b/backport-upstream-Shell-syntax-fix.-From-ren-mingshuai-vi-git.patch @@ -0,0 +1,26 @@ +From 923c3f437f439cfca238fba37e97a7041782f615 Mon Sep 17 00:00:00 2001 +From: "dtucker@openbsd.org" +Date: Sat, 14 Jan 2023 10:05:54 +0000 +Subject: [PATCH] upstream: Shell syntax fix. From ren mingshuai vi github + PR#369. + +OpenBSD-Regress-ID: 6696b2eeefe128099fc3d7ea9f23252cc35156f9 +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=923c3f437f439cfca238fba37e97a7041782f615 +--- +diff --git a/regress/yes-head.sh b/regress/yes-head.sh +index 2759eb8c..1bde504f 100644 +--- a/regress/yes-head.sh ++++ b/regress/yes-head.sh +@@ -6,7 +6,7 @@ tid="yes pipe head" + lines=`${SSH} -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)` + if [ $? -ne 0 ]; then + fail "yes|head test failed" +- lines = 0; +++ lines=0 + fi + if [ $lines -ne 2000 ]; then + fail "yes|head returns $lines lines instead of 2000" +-- +2.27.0 + diff --git a/backport-upstream-The-idiomatic-way-of-coping-with-signed-cha.patch b/backport-upstream-The-idiomatic-way-of-coping-with-signed-cha.patch new file mode 100644 index 0000000..e7a24fe --- /dev/null +++ b/backport-upstream-The-idiomatic-way-of-coping-with-signed-cha.patch @@ -0,0 +1,40 @@ +From 5a7a7acab2f466dc1d7467b5d05d35268c3137aa Mon Sep 17 00:00:00 2001 +From: "deraadt@openbsd.org" +Date: Thu, 15 Dec 2022 18:20:39 +0000 +Subject: [PATCH] upstream: The idiomatic way of coping with signed char vs + unsigned + +char (which did not come from stdio read functions) in the presence of +ctype macros, is to always cast to (unsigned char). casting to (int) +for a "macro" which is documented to take int, is weird. And sadly wrong, +because of the sing extension risk.. same diff from florian + +OpenBSD-Commit-ID: 65b9a49a68e22ff3a0ebd593f363e9f22dd73fea +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=5a7a7acab2f466dc1d7467b5d05d35268c3137aa +--- + misc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/misc.c b/misc.c +index 977c097e..41244da9 100644 +--- a/misc.c ++++ b/misc.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: misc.c,v 1.170 2021/09/26 14:01:03 djm Exp $ */ ++/* $OpenBSD: misc.c,v 1.179 2022/12/15 18:20:39 deraadt Exp $ */ + /* + * Copyright (c) 2000 Markus Friedl. All rights reserved. + * Copyright (c) 2005-2020 Damien Miller. All rights reserved. +@@ -95,7 +95,7 @@ rtrim(char *s) + if ((i = strlen(s)) == 0) + return; + for (i--; i > 0; i--) { +- if (isspace((int)s[i])) ++ if (isspace((unsigned char)s[i])) + s[i] = '\0'; + } + } +-- +2.27.0 + diff --git a/backport-upstream-When-OpenSSL-is-not-available-skip-parts-of.patch b/backport-upstream-When-OpenSSL-is-not-available-skip-parts-of.patch new file mode 100644 index 0000000..5d59c1d --- /dev/null +++ b/backport-upstream-When-OpenSSL-is-not-available-skip-parts-of.patch @@ -0,0 +1,51 @@ +From d77fc611a62f2dfee0b654c31a50a814b13310dd Mon Sep 17 00:00:00 2001 +From: "dtucker@openbsd.org" +Date: Fri, 6 Jan 2023 12:33:33 +0000 +Subject: [PATCH] upstream: When OpenSSL is not available, skip parts of + percent test + +that require it. Based on github pr#368 from ren mingshuai. + +OpenBSD-Regress-ID: 49a375b2cf61ccb95b52e75e2e025cd10988ebb2 +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=d77fc611a62f2dfee0b654c31a50a814b13310dd +--- + regress/percent.sh | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/regress/percent.sh b/regress/percent.sh +index bb81779a..ed5c604d 100644 +--- a/regress/percent.sh ++++ b/regress/percent.sh +@@ -79,10 +79,12 @@ for i in matchexec localcommand remotecommand controlpath identityagent \ + trial $i '%T' NONE + fi + # Matches implementation in readconf.c:ssh_connection_hash() +- HASH=`printf "${HOSTNAME}127.0.0.1${PORT}$REMUSER" | +- $OPENSSL_BIN sha1 | cut -f2 -d' '` ++ if [ ! -z "${OPENSSL_BIN}" ]; then ++ HASH=`printf "${HOSTNAME}127.0.0.1${PORT}$REMUSER" | ++ $OPENSSL_BIN sha1 | cut -f2 -d' '` ++ trial $i '%C' $HASH ++ fi + trial $i '%%' '%' +- trial $i '%C' $HASH + trial $i '%i' $USERID + trial $i '%h' 127.0.0.1 + trial $i '%L' $HOST +@@ -96,8 +98,10 @@ for i in matchexec localcommand remotecommand controlpath identityagent \ + # containing %d for UserKnownHostsFile + if [ "$i" != "userknownhostsfile" ]; then + trial $i '%d' $HOME +- trial $i '%%/%C/%i/%h/%d/%L/%l/%n/%p/%r/%u' \ +- "%/$HASH/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER" ++ if [ ! -z "${HASH}" ]; then ++ trial $i '%%/%C/%i/%h/%d/%L/%l/%n/%p/%r/%u' \ ++ "%/$HASH/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER" ++ fi + fi + done + +-- +2.27.0 + diff --git a/backport-upstream-avoid-printf-s-NULL-if-using-ssh.patch b/backport-upstream-avoid-printf-s-NULL-if-using-ssh.patch new file mode 100644 index 0000000..d1c920c --- /dev/null +++ b/backport-upstream-avoid-printf-s-NULL-if-using-ssh.patch @@ -0,0 +1,42 @@ +From f673b49f3be3eb51074fbb8a405beb6cd0f7d93e Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Fri, 13 Jan 2023 02:44:02 +0000 +Subject: [PATCH] upstream: avoid printf("%s", NULL) if using ssh + +-oUserKnownHostsFile=none and a hostkey in one of the system known hosts file +changes; ok dtucker@ + +OpenBSD-Commit-ID: 7ca87614bfc6da491315536a7f2301434a9fe614 +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=f673b49f3be3eb51074fbb8a405beb6cd0f7d93e +--- + sshconnect.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/sshconnect.c b/sshconnect.c +index 0fca52b2..792bc34b 100644 +--- a/sshconnect.c ++++ b/sshconnect.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: sshconnect.c,v 1.355 2021/07/02 05:11:21 dtucker Exp $ */ ++/* $OpenBSD: sshconnect.c,v 1.361 2023/01/13 02:44:02 djm Exp $ */ + /* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland +@@ -1276,8 +1276,11 @@ check_host_key(char *hostname, const struct ssh_conn_info *cinfo, + } + /* The host key has changed. */ + warn_changed_key(host_key); +- error("Add correct host key in %.100s to get rid of this message.", +- user_hostfiles[0]); ++ if (num_user_hostfiles > 0 || num_system_hostfiles > 0) { ++ error("Add correct host key in %.100s to get rid " ++ "of this message.", num_user_hostfiles > 0 ? ++ user_hostfiles[0] : system_hostfiles[0]); ++ } + error("Offending %s key in %s:%lu", + sshkey_type(host_found->key), + host_found->file, host_found->line); +-- +2.27.0 + diff --git a/backport-upstream-fix-bug-in-PermitRemoteOpen-which-caused-it.patch b/backport-upstream-fix-bug-in-PermitRemoteOpen-which-caused-it.patch new file mode 100644 index 0000000..d27f45e --- /dev/null +++ b/backport-upstream-fix-bug-in-PermitRemoteOpen-which-caused-it.patch @@ -0,0 +1,109 @@ +From b3daa8dc582348d6ab8150bc1e571b7aa08c5388 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Mon, 2 Jan 2023 07:03:30 +0000 +Subject: [PATCH] upstream: fix bug in PermitRemoteOpen which caused it to + ignore its + +first argument unless it was one of the special keywords "any" or "none". + +Reported by Georges Chaudy in bz3515; ok dtucker@ + +OpenBSD-Commit-ID: c5678a39f1ff79993d5ae3cfac5746a4ae148ea5 +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=b3daa8dc582348d6ab8150bc1e571b7aa08c5388 +--- + readconf.c | 62 +++++++++++++++++++++++++++++------------------------- + 1 file changed, 33 insertions(+), 29 deletions(-) + +diff --git a/readconf.c b/readconf.c +index 45c1c22..aa106eb 100644 +--- a/readconf.c ++++ b/readconf.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: readconf.c,v 1.363 2021/09/16 05:36:03 djm Exp $ */ ++/* $OpenBSD: readconf.c,v 1.371 2023/01/02 07:03:30 djm Exp $ */ + /* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland +@@ -1611,38 +1611,38 @@ parse_pubkey_algos: + case oPermitRemoteOpen: + uintptr = &options->num_permitted_remote_opens; + cppptr = &options->permitted_remote_opens; +- arg = argv_next(&ac, &av); +- if (!arg || *arg == '\0') +- fatal("%s line %d: missing %s specification", +- filename, linenum, lookup_opcode_name(opcode)); + uvalue = *uintptr; /* modified later */ +- if (strcmp(arg, "any") == 0 || strcmp(arg, "none") == 0) { +- if (*activep && uvalue == 0) { +- *uintptr = 1; +- *cppptr = xcalloc(1, sizeof(**cppptr)); +- (*cppptr)[0] = xstrdup(arg); +- } +- break; +- } ++ i = 0; + while ((arg = argv_next(&ac, &av)) != NULL) { + arg2 = xstrdup(arg); + ch = '\0'; +- p = hpdelim2(&arg, &ch); +- if (p == NULL || ch == '/') { +- fatal("%s line %d: missing host in %s", +- filename, linenum, +- lookup_opcode_name(opcode)); +- } +- p = cleanhostname(p); +- /* +- * don't want to use permitopen_port to avoid +- * dependency on channels.[ch] here. +- */ +- if (arg == NULL || +- (strcmp(arg, "*") != 0 && a2port(arg) <= 0)) { +- fatal("%s line %d: bad port number in %s", +- filename, linenum, +- lookup_opcode_name(opcode)); ++ /* Allow any/none only in first position */ ++ if (strcasecmp(arg, "none") == 0 || ++ strcasecmp(arg, "any") == 0) { ++ if (i > 0 || ac > 0) { ++ error("%s line %d: keyword %s \"%s\" " ++ "argument must appear alone.", ++ filename, linenum, keyword, arg); ++ goto out; ++ } ++ } else { ++ p = hpdelim(&arg); ++ if (p == NULL) { ++ fatal("%s line %d: missing host in %s", ++ filename, linenum, ++ lookup_opcode_name(opcode)); ++ } ++ p = cleanhostname(p); ++ /* ++ * don't want to use permitopen_port to avoid ++ * dependency on channels.[ch] here. ++ */ ++ if (arg == NULL || (strcmp(arg, "*") != 0 && ++ a2port(arg) <= 0)) { ++ fatal("%s line %d: bad port number " ++ "in %s", filename, linenum, ++ lookup_opcode_name(opcode)); ++ } + } + if (*activep && uvalue == 0) { + opt_array_append(filename, linenum, +@@ -1650,7 +1650,11 @@ parse_pubkey_algos: + cppptr, uintptr, arg2); + } + free(arg2); ++ i++; + } ++ if (i == 0) ++ fatal("%s line %d: missing %s specification", ++ filename, linenum, lookup_opcode_name(opcode)); + break; + + case oClearAllForwardings: +-- +2.27.0 + diff --git a/backport-upstream-honour-user-s-umask-if-it-is-more-restricti.patch b/backport-upstream-honour-user-s-umask-if-it-is-more-restricti.patch new file mode 100644 index 0000000..d3ac67e --- /dev/null +++ b/backport-upstream-honour-user-s-umask-if-it-is-more-restricti.patch @@ -0,0 +1,37 @@ +From 5ee2b8ccfcf4b606f450eb0ff2305e311f68b0be Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Thu, 6 Oct 2022 22:42:37 +0000 +Subject: [PATCH] upstream: honour user's umask if it is more restrictive then + the ssh + +default (022); based on patch from Alex Henrie, ok dtucker@ deraadt@ + +OpenBSD-Commit-ID: fe1b9e15fc9a4f49fc338e848ce14d8727abe82d +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=5ee2b8ccfcf4b606f450eb0ff2305e311f68b0be +--- + ssh.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ssh.c b/ssh.c +index 25be53d5..e711dbd2 100644 +--- a/ssh.c ++++ b/ssh.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: ssh.c,v 1.575 2022/07/01 00:36:30 djm Exp $ */ ++/* $OpenBSD: ssh.c,v 1.577 2022/10/06 22:42:37 djm Exp $ */ + /* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland +@@ -679,7 +679,7 @@ main(int ac, char **av) + * writable only by the owner, which is ok for all files for which we + * don't set the modes explicitly. + */ +- umask(022); ++ umask(022 | umask(077)); + + msetlocale(); + +-- +2.27.0 + diff --git a/backport-upstream-regression-test-for-PermitRemoteOpen.patch b/backport-upstream-regression-test-for-PermitRemoteOpen.patch new file mode 100644 index 0000000..cfe6105 --- /dev/null +++ b/backport-upstream-regression-test-for-PermitRemoteOpen.patch @@ -0,0 +1,138 @@ +From 845ceecea2ac311b0c267f9ecbd34862e1876fc6 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Mon, 2 Jan 2023 07:03:57 +0000 +Subject: [PATCH] upstream: regression test for PermitRemoteOpen + +OpenBSD-Regress-ID: 8271aafbf5c21950cd5bf966f08e585cebfe630c +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=845ceecea2ac311b0c267f9ecbd34862e1876fc6 +--- + regress/dynamic-forward.sh | 84 ++++++++++++++++++++++++++++++-------- + 1 file changed, 66 insertions(+), 18 deletions(-) + +diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh +index 84f8ee19..f6c2393d 100644 +--- a/regress/dynamic-forward.sh ++++ b/regress/dynamic-forward.sh +@@ -1,10 +1,12 @@ +-# $OpenBSD: dynamic-forward.sh,v 1.13 2017/09/21 19:18:12 markus Exp $ ++# $OpenBSD: dynamic-forward.sh,v 1.14 2023/01/02 07:03:57 djm Exp $ + # Placed in the Public Domain. + + tid="dynamic forwarding" + + FWDPORT=`expr $PORT + 1` + ++cp $OBJ/ssh_config $OBJ/ssh_config.orig ++ + if have_prog nc && nc -h 2>&1 | grep "proxy address" >/dev/null; then + proxycmd="nc -x 127.0.0.1:$FWDPORT -X" + elif have_prog connect; then +@@ -15,16 +17,16 @@ else + fi + trace "will use ProxyCommand $proxycmd" + +-start_sshd +- +-for d in D R; do ++start_ssh() { ++ direction="$1" ++ arg="$2" + n=0 + error="1" +- trace "start dynamic forwarding, fork to background" +- ++ trace "start dynamic -$direction forwarding, fork to background" ++ (cat $OBJ/ssh_config.orig ; echo "$arg") > $OBJ/ssh_config + while [ "$error" -ne 0 -a "$n" -lt 3 ]; do + n=`expr $n + 1` +- ${SSH} -F $OBJ/ssh_config -f -$d $FWDPORT -q \ ++ ${SSH} -F $OBJ/ssh_config -f -$direction $FWDPORT -q \ + -oExitOnForwardFailure=yes somehost exec sh -c \ + \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\' + error=$? +@@ -36,18 +38,9 @@ for d in D R; do + if [ "$error" -ne 0 ]; then + fatal "failed to start dynamic forwarding" + fi ++} + +- for s in 4 5; do +- for h in 127.0.0.1 localhost; do +- trace "testing ssh socks version $s host $h (-$d)" +- ${SSH} -F $OBJ/ssh_config \ +- -o "ProxyCommand ${proxycmd}${s} $h $PORT" \ +- somehost cat ${DATA} > ${COPY} +- test -f ${COPY} || fail "failed copy ${DATA}" +- cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" +- done +- done +- ++stop_ssh() { + if [ -f $OBJ/remote_pid ]; then + remote=`cat $OBJ/remote_pid` + trace "terminate remote shell, pid $remote" +@@ -57,5 +50,60 @@ for d in D R; do + else + fail "no pid file: $OBJ/remote_pid" + fi ++} ++ ++check_socks() { ++ direction=$1 ++ expect_success=$2 ++ for s in 4 5; do ++ for h in 127.0.0.1 localhost; do ++ trace "testing ssh socks version $s host $h (-$direction)" ++ ${SSH} -F $OBJ/ssh_config \ ++ -o "ProxyCommand ${proxycmd}${s} $h $PORT 2>/dev/null" \ ++ somehost cat ${DATA} > ${COPY} ++ r=$? ++ if [ "x$expect_success" = "xY" ] ; then ++ if [ $r -ne 0 ] ; then ++ fail "ssh failed with exit status $r" ++ fi ++ test -f ${COPY} || fail "failed copy ${DATA}" ++ cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" ++ elif [ $r -eq 0 ] ; then ++ fail "ssh unexpectedly succeeded" ++ fi ++ done ++ done ++} ++ ++start_sshd ++ ++for d in D R; do ++ verbose "test -$d forwarding" ++ start_ssh $d ++ check_socks $d Y ++ stop_ssh ++ test "x$d" = "xR" || continue ++ ++ # Test PermitRemoteOpen ++ verbose "PermitRemoteOpen=any" ++ start_ssh $d PermitRemoteOpen=any ++ check_socks $d Y ++ stop_ssh ++ ++ verbose "PermitRemoteOpen=none" ++ start_ssh $d PermitRemoteOpen=none ++ check_socks $d N ++ stop_ssh ++ ++ verbose "PermitRemoteOpen=explicit" ++ start_ssh $d \ ++ PermitRemoteOpen="127.0.0.1:$PORT [::1]:$PORT localhost:$PORT" ++ check_socks $d Y ++ stop_ssh + ++ verbose "PermitRemoteOpen=disallowed" ++ start_ssh $d \ ++ PermitRemoteOpen="127.0.0.1:1 [::1]:1 localhost:1" ++ check_socks $d N ++ stop_ssh + done +-- +2.27.0 + diff --git a/backport-upstream-test-compat_kex_proposal-by-dtucker.patch b/backport-upstream-test-compat_kex_proposal-by-dtucker.patch new file mode 100644 index 0000000..a20af60 --- /dev/null +++ b/backport-upstream-test-compat_kex_proposal-by-dtucker.patch @@ -0,0 +1,125 @@ +From 903c556b938fff2d7bff8da2cc460254430963c5 Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Thu, 2 Feb 2023 12:12:52 +0000 +Subject: [PATCH] upstream: test compat_kex_proposal(); by dtucker@ + +OpenBSD-Regress-ID: 0e404ee264db546f9fdbf53390689ab5f8d38bf2 + +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=903c556b938fff2d7bff8da2cc460254430963c5 +--- + regress/unittests/kex/test_proposal.c | 79 +++++++++++++++++++++++++++ + regress/unittests/kex/tests.c | 4 +- + 2 files changed, 82 insertions(+), 1 deletion(-) + create mode 100644 regress/unittests/kex/test_proposal.c + +diff --git a/regress/unittests/kex/test_proposal.c b/regress/unittests/kex/test_proposal.c +new file mode 100644 +index 0000000..b89ff59 +--- /dev/null ++++ b/regress/unittests/kex/test_proposal.c +@@ -0,0 +1,79 @@ ++/* $OpenBSD: test_proposal.c,v 1.1 2023/02/02 12:12:52 djm Exp $ */ ++/* ++ * Regress test KEX ++ * ++ * Placed in the public domain ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include "test_helper.h" ++ ++#include "compat.h" ++#include "ssherr.h" ++#include "sshbuf.h" ++#include "kex.h" ++#include "packet.h" ++#include "xmalloc.h" ++ ++void kex_proposal(void); ++ ++#define CURVE25519 "curve25519-sha256@libssh.org" ++#define DHGEX1 "diffie-hellman-group-exchange-sha1" ++#define DHGEX256 "diffie-hellman-group-exchange-sha256" ++#define KEXALGOS CURVE25519","DHGEX256","DHGEX1 ++void ++kex_proposal(void) ++{ ++ size_t i; ++ struct ssh ssh; ++ char *result, *out, *in; ++ struct { ++ char *in; /* TODO: make this const */ ++ char *out; ++ int compat; ++ } tests[] = { ++ { KEXALGOS, KEXALGOS, 0}, ++ { KEXALGOS, DHGEX256","DHGEX1, SSH_BUG_CURVE25519PAD }, ++ { KEXALGOS, CURVE25519, SSH_OLD_DHGEX }, ++ { "a,"KEXALGOS, "a", SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX }, ++ /* TODO: enable once compat_kex_proposal doesn't fatal() */ ++ /* { KEXALGOS, "", SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX }, */ ++ }; ++ ++ TEST_START("compat_kex_proposal"); ++ for (i = 0; i < sizeof(tests) / sizeof(*tests); i++) { ++ ssh.compat = tests[i].compat; ++ /* match entire string */ ++ result = compat_kex_proposal(&ssh, tests[i].in); ++ ASSERT_STRING_EQ(result, tests[i].out); ++ free(result); ++ /* match at end */ ++ in = kex_names_cat("a", tests[i].in); ++ out = kex_names_cat("a", tests[i].out); ++ result = compat_kex_proposal(&ssh, in); ++ ASSERT_STRING_EQ(result, out); ++ free(result); free(in); free(out); ++ /* match at start */ ++ in = kex_names_cat(tests[i].in, "a"); ++ out = kex_names_cat(tests[i].out, "a"); ++ result = compat_kex_proposal(&ssh, in); ++ ASSERT_STRING_EQ(result, out); ++ free(result); free(in); free(out); ++ /* match in middle */ ++ xasprintf(&in, "a,%s,b", tests[i].in); ++ if (*(tests[i].out) == '\0') ++ out = xstrdup("a,b"); ++ else ++ xasprintf(&out, "a,%s,b", tests[i].out); ++ result = compat_kex_proposal(&ssh, in); ++ ASSERT_STRING_EQ(result, out); ++ free(result); free(in); free(out); ++ } ++ TEST_DONE(); ++} +diff --git a/regress/unittests/kex/tests.c b/regress/unittests/kex/tests.c +index e7036ec..2a83daf 100644 +--- a/regress/unittests/kex/tests.c ++++ b/regress/unittests/kex/tests.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: tests.c,v 1.1 2015/01/15 23:41:29 markus Exp $ */ ++/* $OpenBSD: tests.c,v 1.2 2023/02/02 12:12:52 djm Exp $ */ + /* + * Placed in the public domain + */ +@@ -6,9 +6,11 @@ + #include "../test_helper/test_helper.h" + + void kex_tests(void); ++void kex_proposal(void); + + void + tests(void) + { + kex_tests(); ++ kex_proposal(); + } +-- +2.27.0 + diff --git a/backport-upstream-use-correct-type-with-sizeof-ok-djm.patch b/backport-upstream-use-correct-type-with-sizeof-ok-djm.patch new file mode 100644 index 0000000..bdd6ac7 --- /dev/null +++ b/backport-upstream-use-correct-type-with-sizeof-ok-djm.patch @@ -0,0 +1,34 @@ +From 18376847b8043ba967eabbe23692ef74c9a3fddc Mon Sep 17 00:00:00 2001 +From: "jsg@openbsd.org" +Date: Thu, 13 Oct 2022 09:09:28 +0000 +Subject: [PATCH] upstream: use correct type with sizeof ok djm@ + +OpenBSD-Commit-ID: d6c882c2e8a42ff831a5b3cbc2c961ecb2dd6143 +Conflict:NA +Reference:https://anongit.mindrot.org/openssh.git/commit?id=18376847b8043ba967eabbe23692ef74c9a3fddc +--- + ssh.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ssh.c b/ssh.c +index e711dbd2..21cbd7c3 100644 +--- a/ssh.c ++++ b/ssh.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: ssh.c,v 1.577 2022/10/06 22:42:37 djm Exp $ */ ++/* $OpenBSD: ssh.c,v 1.578 2022/10/13 09:09:28 jsg Exp $ */ + /* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland +@@ -1579,7 +1579,7 @@ main(int ac, char **av) + if (options.hostbased_authentication) { + sensitive_data.nkeys = 10; + sensitive_data.keys = xcalloc(sensitive_data.nkeys, +- sizeof(struct sshkey)); ++ sizeof(*sensitive_data.keys)); + + /* XXX check errors? */ + #define L_PUBKEY(p,o) do { \ +-- +2.27.0 + diff --git a/openssh.spec b/openssh.spec index d62a473..e747362 100644 --- a/openssh.spec +++ b/openssh.spec @@ -6,7 +6,7 @@ %{?no_gtk2:%global gtk2 0} %global sshd_uid 74 -%global openssh_release 23 +%global openssh_release 26 Name: openssh Version: 8.8p1 @@ -81,41 +81,56 @@ Patch50: backport-openssh-8.2p1-x11-without-ipv6.patch Patch51: backport-openssh-8.0p1-keygen-strip-doseol.patch Patch52: backport-openssh-8.0p1-preserve-pam-errors.patch Patch53: backport-openssh-8.7p1-scp-kill-switch.patch - Patch54: bugfix-sftp-when-parse_user_host_path-empty-path-should-be-allowed.patch Patch55: bugfix-openssh-6.6p1-log-usepam-no.patch Patch56: bugfix-openssh-add-option-check-username-splash.patch Patch57: feature-openssh-7.4-hima-sftpserver-oom-and-fix.patch Patch58: bugfix-openssh-fix-sftpserver.patch Patch59: set-sshd-config.patch -Patch6001: backport-fix-possible-NULL-deref-when-built-without-FIDO.patch -Patch60: feature-add-SMx-support.patch -Patch61: backport-upstream-a-little-extra-debugging.patch -Patch62: backport-upstream-better-debugging-for-connect_next.patch -Patch63: backport-upstream-ssh-keygen-Y-check-novalidate-requires-name.patch +Patch60: backport-fix-possible-NULL-deref-when-built-without-FIDO.patch +Patch61: feature-add-SMx-support.patch +Patch62: backport-upstream-a-little-extra-debugging.patch +Patch63: backport-upstream-better-debugging-for-connect_next.patch Patch64: openssh-Add-sw64-architecture.patch -Patch65: backport-upstream-if-sshpkt-functions-fail-then-password-is-n.patch -Patch66: backport-upstream-Make-sure-not-to-fclose-the-same-fd-twice-i.patch -Patch67: backport-upstream-Donot-attempt-to-fprintf-a-null-identity-co.patch -Patch68: backport-upstream-ignore-SIGPIPE-earlier-in-main-specifically.patch -Patch69: backport-upstream-Always-return-allocated-strings-from-the-ke.patch -Patch70: backport-Don-t-leak-the-strings-allocated-by-order_h.patch -Patch71: backport-Return-ERANGE-from-getcwd-if-buffer-size-is-1.patch -Patch72: backport-upstream-double-free-in-error-path-from-Eusgor-via-G.patch -Patch73: add-loongarch.patch +Patch65: add-loongarch.patch +Patch66: backport-upstream-if-sshpkt-functions-fail-then-password-is-n.patch +Patch67: backport-upstream-Make-sure-not-to-fclose-the-same-fd-twice-i.patch +Patch68: backport-upstream-Donot-attempt-to-fprintf-a-null-identity-co.patch +Patch69: backport-upstream-ignore-SIGPIPE-earlier-in-main-specifically.patch +Patch70: backport-upstream-Always-return-allocated-strings-from-the-ke.patch +Patch71: backport-Don-t-leak-the-strings-allocated-by-order_h.patch +Patch72: backport-Return-ERANGE-from-getcwd-if-buffer-size-is-1.patch +Patch73: backport-upstream-double-free-in-error-path-from-Eusgor-via-G.patch Patch74: add-strict-scp-check-for-CVE-2020-15778.patch -Patch75: backport-upstream-avoid-integer-overflow-of-auth-attempts-har.patch -Patch76: backport-Skip-scp3-test-if-there-s-no-scp-on-remote-path.patch -Patch77: skip-scp-test-if-there-is-no-scp-on-remote-path-as-s.patch -Patch78: skip-tests-for-C-if-there-is-no-openssl-on-local-pat.patch -Patch79: set-ssh-config.patch -Patch80: backport-upstream-CVE-2023-25136-fix-double-free-caused.patch -Patch81: backport-fix-CVE-2023-38408-upstream-terminate-process.patch -Patch82: backport-upstream-In-channel_request_remote_forwarding-the-pa.patch -Patch83: backport-upstream-Refactor-creation-of-KEX-proposal.patch -Patch84: backport-upstream-Limit-number-of-entries-in-SSH2_MSG_EXT_INF.patch -Patch85: backport-CVE-2023-48795-upstream-implement-strict-key-exchange-in-ssh-and-ss.patch -Patch86: backport-CVE-2023-51385-upstream-ban-user-hostnames-with-most-shell-metachar.patch +Patch75: backport-upstream-ssh-keygen-Y-check-novalidate-requires-name.patch +Patch76: backport-upstream-avoid-integer-overflow-of-auth-attempts-har.patch +Patch77: backport-Skip-scp3-test-if-there-s-no-scp-on-remote-path.patch +Patch78: skip-scp-test-if-there-is-no-scp-on-remote-path-as-s.patch +Patch79: backport-upstream-CVE-2023-25136-fix-double-free-caused.patch +Patch80: set-ssh-config.patch +Patch81: backport-upstream-honour-user-s-umask-if-it-is-more-restricti.patch +Patch82: backport-upstream-use-correct-type-with-sizeof-ok-djm.patch +Patch83: backport-Defer-seed_rng-until-after-closefrom-call.patch +Patch84: backport-upstream-Handle-dynamic-remote-port-forwarding-in-es.patch +Patch85: backport-upstream-The-idiomatic-way-of-coping-with-signed-cha.patch +Patch86: backport-upstream-Clear-signal-mask-early-in-main-sshd-may-ha.patch +Patch87: backport-upstream-fix-bug-in-PermitRemoteOpen-which-caused-it.patch +Patch88: backport-upstream-regression-test-for-PermitRemoteOpen.patch +Patch89: backport-upstream-Copy-bytes-from-the_banana-rather-than-bana.patch +Patch90: backport-upstream-When-OpenSSL-is-not-available-skip-parts-of.patch +Patch91: backport-don-t-test-IPv6-addresses-if-platform-lacks-support.patch +Patch92: backport-upstream-avoid-printf-s-NULL-if-using-ssh.patch +Patch93: backport-upstream-Add-scp-s-path-to-test-sshd-s-PATH.patch +Patch94: backport-upstream-Instead-of-skipping-the-all-tokens-test-if-.patch +Patch95: backport-upstream-Shell-syntax-fix.-From-ren-mingshuai-vi-git.patch +Patch96: backport-Allow-writev-is-seccomp-sandbox.patch +Patch97: backport-upstream-Ensure-that-there-is-a-terminating-newline-.patch +Patch98: backport-upstream-test-compat_kex_proposal-by-dtucker.patch +Patch99: backport-adapt-compat_kex_proposal-test-to-portable.patch +Patch100: backport-fix-CVE-2023-38408-upstream-terminate-process.patch +Patch101: backport-upstream-In-channel_request_remote_forwarding-the-pa.patch +Patch102: backport-CVE-2023-51385-upstream-ban-user-hostnames-with-most-shell-metachar.patch +Patch103: backport-CVE-2023-48795.patch Requires: /sbin/nologin Requires: libselinux >= 2.3-5 audit-libs >= 1.0.8 @@ -253,7 +268,6 @@ popd %patch57 -p1 %patch58 -p1 %patch59 -p1 -%patch6001 -p1 %patch60 -p1 %patch61 -p1 %patch62 -p1 @@ -281,6 +295,23 @@ popd %patch84 -p1 %patch85 -p1 %patch86 -p1 +%patch87 -p1 +%patch88 -p1 +%patch89 -p1 +%patch90 -p1 +%patch91 -p1 +%patch92 -p1 +%patch93 -p1 +%patch94 -p1 +%patch95 -p1 +%patch96 -p1 +%patch97 -p1 +%patch98 -p1 +%patch99 -p1 +%patch100 -p1 +%patch101 -p1 +%patch102 -p1 +%patch103 -p1 autoreconf pushd pam_ssh_agent_auth-pam_ssh_agent_auth-0.10.4 @@ -477,89 +508,107 @@ getent passwd sshd >/dev/null || \ %attr(0644,root,root) %{_mandir}/man8/sftp-server.8* %changelog -* Sat Dec 23 2023 renmingshuai - 8.8p1-23 +* Wed Jan 10 2024 renmingshuai - 8.8p1-26 +- Type:CVE +- CVE:CVE-2023-48795 +- SUG:NA +- DESC:fix CVE-2023-48795 by using the other patch instead + +* Sat Dec 23 2023 renmingshuai - 8.8p1-25 - Type:CVE - CVE:CVE-2023-48795,CVE-2023-51385 - SUG:NA - DESC:fix CVE-2023-48795 and CVE-2023-51385 -* Tue Aug 15 2023 renmingshuai - 8.8p1-22 +* Tue Aug 15 2023 renmingshuai - 8.8p1-24 - Type:bugfix - CVE:NA - SUG:NA - DESC:In channel_request_remote_forwarding the parameters -* Thu Jul 27 2023 renmingshuai - 8.8p1-21 +* Thu Jul 27 2023 renmingshuai - 8.8p1-23 - Type:CVE - CVE:CVE-2023-38408 - SUG:NA - DESC:fix CVE-2023-38408 -* Tue Jun 13 2023 renmingshuai - 8.8p1-20 +* Wed Jun 7 2023 renmingshuai - 8.8p1-22 - Type:bugfix - CVE:NA - SUG:NA -- DESC:fix misspeling and enable dt tests +- DESC:fix misspelling -* Sat May 27 2023 renmingshuai - 8.8p1-19 +* Sat May 27 2023 renmingshuai - 8.8p1-21 - Type:bugfix - CVE:NA - SUG:NA - DESC:fix environment variable -* Wed Mar 8 2023 renmingshuai - 8.8p1-18 +* Thu Mar 23 2023 renmingshuai - 8.8p1-20 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:backport some upstream patches and modify some patches numbers + +* Thu Mar 09 2023 renmingshuai - 8.8p1-19 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:set default ssh config + +* Mon Feb 06 2023 renmingshuai - 8.8p1-18 - Type:CVE - CVE:CVE-2023-25136 - SUG:NA - DESC:fix CVE-2023-25136 -* Tue Feb 28 2023 renmingshuai - 8.8p1-17 +* Fri Jan 06 2023 renmingshuai - 8.8p1-17 - Type:bugfix - CVE:NA - SUG:NA -- DESC:set default ssh_config +- DESC:fix test failure and enable make tests -* Fri Jan 06 2023 renmingshuai - 8.8p1-16 +* Tue Jan 03 2023 renmingshuai - 8.8p1-16 - Type:bugfix - CVE:NA - SUG:NA -- DESC:fix tests failure and enable make tests +- DESC:always make tests -* Tue Jan 03 2023 renmingshuai - 8.8p1-15 +* Thu Dec 29 2022 renmingshuai - 8.8p1-15 - Type:bugfix - CVE:NA - SUG:NA -- DESC:avoid integer overflow of auth attempts +- DESC:avoid integer overflow of auth attempts har -* Thu Dec 29 2022 renmingshuai - 8.8p1-14 +* Fri Dec 16 2022 renmingshuai - 8.8p1-14 - Type:bugfix - CVE:NA - SUG:NA -- DESC:add strict scp check for CVE-2020-15778 +- DESC:Fix ssh-keygen -Y check novalidate requires name -* Thu Dec 29 2022 renmingshuai - 8.8p1-13 -- Type:requirement +* Tue Dec 13 2022 renmingshuai - 8.8p1-13 +- Type:bugfix - CVE:NA - SUG:NA -- DESC:add loongarch +- DESC:add strict scp check for CVE-2020-15778 -* Thu Dec 29 2022 renmingshuai - 8.8p1-12 +* Tue Dec 13 2022 renmingshuai - 8.8p1-12 - Type:bugfix - CVE:NA - SUG:NA - DESC:backport some upstream patches -* Thu Dec 29 2022 renmingshuai - 8.8p1-11 -- Type:requirement +* Tue Dec 13 2022 renmingshuai - 8.8p1-11 +- Type:feature - CVE:NA - SUG:NA -- DESC:Add sw64 architecture +- DESC:Add loongarch64 architecture -* Thu Dec 29 2022 renmingshuai - 8.8p1-10 -- Type:bugfix +* Tue Dec 13 2022 renmingshuai - 8.8p1-10 +- Type:feature - CVE:NA - SUG:NA -- DESC:fix ssh-keygen -Y check novalidate requires name +- DESC:Add sw64 architecture * Wed Dec 7 2022 duyiwei - 8.8P1-9 - Type:bugfix diff --git a/skip-tests-for-C-if-there-is-no-openssl-on-local-pat.patch b/skip-tests-for-C-if-there-is-no-openssl-on-local-pat.patch deleted file mode 100644 index f56ed5b..0000000 --- a/skip-tests-for-C-if-there-is-no-openssl-on-local-pat.patch +++ /dev/null @@ -1,100 +0,0 @@ -From a0772385f1b4086aacdc6d84a3daea4b2ef26f30 Mon Sep 17 00:00:00 2001 -From: chengyechun -Date: Thu, 5 Jan 2023 23:43:22 +0800 -Subject: [PATCH] skip tests for '%C' if there is no openssl on local path - ---- - regress/percent.sh | 24 +++++++++++---- - ...t-if-there-is-no-openssl-on-local-pa.patch | 30 +++++++++++++++++++ - 2 files changed, 48 insertions(+), 6 deletions(-) - create mode 100644 skip-percent-test-if-there-is-no-openssl-on-local-pa.patch - -diff --git a/regress/percent.sh b/regress/percent.sh -index 7ed4184..9c112eb 100644 ---- a/regress/percent.sh -+++ b/regress/percent.sh -@@ -13,6 +13,10 @@ USERID=`id -u` - HOST=`hostname | cut -f1 -d.` - HOSTNAME=`hostname` - -+# Check if there is openssl in local PATH -+NOOPENSSL=0 -+for i in $PATH;do [ -x "$i/openssl" ] && NOOPENSSL=1; done -+ - # Localcommand is evaluated after connection because %T is not available - # until then. Because of this we use a different method of exercising it, - # and we can't override the remote user otherwise authentication will fail. -@@ -77,11 +81,14 @@ for i in matchexec localcommand remotecommand controlpath identityagent \ - if [ "$i" = "$localcommand" ]; then - trial $i '%T' NONE - fi -- # Matches implementation in readconf.c:ssh_connection_hash() -- HASH=`printf "${HOSTNAME}127.0.0.1${PORT}$REMUSER" | -- $OPENSSL_BIN sha1 | cut -f2 -d' '` -+ # skip tests for '%C' since no openssl in local PATH -+ if [ $NOOPENSSL -eq 1 ]; then -+ # Matches implementation in readconf.c:ssh_connection_hash() -+ HASH=`printf "${HOSTNAME}127.0.0.1${PORT}$REMUSER" | -+ $OPENSSL_BIN sha1 | cut -f2 -d' '` -+ fi - trial $i '%%' '%' -- trial $i '%C' $HASH -+ if [ $NOOPENSSL -eq 1 ]; then trial $i '%C' $HASH; fi - trial $i '%i' $USERID - trial $i '%h' 127.0.0.1 - trial $i '%L' $HOST -@@ -95,8 +102,13 @@ for i in matchexec localcommand remotecommand controlpath identityagent \ - # containing %d for UserKnownHostsFile - if [ "$i" != "userknownhostsfile" ]; then - trial $i '%d' $HOME -- trial $i '%%/%C/%i/%h/%d/%L/%l/%n/%p/%r/%u' \ -- "%/$HASH/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER" -+ if [ $NOOPENSSL -eq 0 ]; then -+ trial $i '%%/%i/%h/%d/%L/%l/%n/%p/%r/%u' \ -+ "%/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER" -+ else -+ trial $i '%%/%C/%i/%h/%d/%L/%l/%n/%p/%r/%u' \ -+ "%/$HASH/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER" -+ fi - fi - done - -diff --git a/skip-percent-test-if-there-is-no-openssl-on-local-pa.patch b/skip-percent-test-if-there-is-no-openssl-on-local-pa.patch -new file mode 100644 -index 0000000..c7af5d9 ---- /dev/null -+++ b/skip-percent-test-if-there-is-no-openssl-on-local-pa.patch -@@ -0,0 +1,30 @@ -+From 1da9e48b41ab6eca157d4fa3b74490510d9006ae Mon Sep 17 00:00:00 2001 -+From: chengyechun -+Date: Thu, 5 Jan 2023 23:43:22 +0800 -+Subject: [PATCH] skip percent test if there is no openssl on local path as -+ scp3 did -+ -+--- -+ regress/percent.sh | 6 ++++++ -+ 1 file changed, 6 insertions(+) -+ -+diff --git a/regress/percent.sh b/regress/percent.sh -+index 7ed4184..08afbc8 100644 -+--- a/regress/percent.sh -++++ b/regress/percent.sh -+@@ -8,6 +8,12 @@ if [ -x "/usr/xpg4/bin/id" ]; then -+ export PATH -+ fi -+ -++NOOPENSSL=0 -++for i in $PATH;do [ -x "$i/openssl" ] && $OPENSSL=1; done -++if [ $? -eq 0 ]; then -++ skip "No openssl on local path." -++fi -++ -+ USER=`id -u -n` -+ USERID=`id -u` -+ HOST=`hostname | cut -f1 -d.` -+-- -+2.23.0 -+ --- -2.23.0 - -- Gitee