From 78ed5a82583770fa533a26b1717f407cb35418a3 Mon Sep 17 00:00:00 2001
From: Andy Fiddaman
Date: Tue, 19 Dec 2023 08:47:25 +0000
Subject: [PATCH] openssh - update from 9.3p2 to 9.6p1

---
 build/openssh/build.sh | 2 +-
 build/openssh/patches/0002-PAM-Support.patch | 4 +-
 build/openssh/patches/0003-lastlogin.patch | 2 +-
 ...ages-into-illumos-numbering-adjust-t.patch | 62 +++++-----
 .../0006-GSS-store-creds-for-Solaris.patch | 4 +-
 .../0008-Add-DisableBanner-option.patch | 32 ++--
 .../patches/0009-PAM-conversation-fix.patch | 10 +-
 .../0010-PAM-enhancements-for-Solaris.patch | 34 ++--
 .../0013-Solaris-Auditing-support.patch | 8 +-
 ...login-to-a-role-if-PAM-is-ok-with-it.patch | 10 +-
 .../patches/0016-PAM-setcred-failures.patch | 4 +-
 .../patches/0018-Per-session-xauthfile.patch | 4 +-
 .../patches/0019-PubKeyPlugin-support.patch | 18 +-
 ...onfig-to-check-for-GSSAPI-on-illumos.patch | 4 +-
 ...d-options-based-on-etc-default-login.patch | 6 +-
 ...LC_-environment-variables-from-clien.patch | 8 +-
 ...-Restore-tcpwrappers-libwrap-support.patch | 4 +-
 build/openssh/patches/series | 1 -
 build/openssh/patches/sk-dummy-openssl.patch | 117 ------------------
 19 files changed, 108 insertions(+), 226 deletions(-)
 delete mode 100644 build/openssh/patches/sk-dummy-openssl.patch

diff --git a/build/openssh/build.sh b/build/openssh/build.sh
index 4109725241..23146d602a 100755
--- a/build/openssh/build.sh
+++ b/build/openssh/build.sh
@@ -18,7 +18,7 @@
 . ../../lib/functions.sh
 
 PROG=openssh
-VER=9.3p2
+VER=9.6p1
 PKG=network/openssh
 SUMMARY="OpenSSH Client and utilities"
 DESC="OpenSSH Secure Shell protocol Client and associated Utilities"
diff --git a/build/openssh/patches/0002-PAM-Support.patch b/build/openssh/patches/0002-PAM-Support.patch
index c1434ed278..d4afac67db 100644
--- a/build/openssh/patches/0002-PAM-Support.patch
+++ b/build/openssh/patches/0002-PAM-Support.patch
@@ -13,7 +13,7 @@ Subject: [PATCH 02/34] PAM Support diff -wpruN '--exclude=*.orig' a~/servconf.c a/servconf.c --- a~/servconf.c 1970-01-01 00:00:00 +++ a/servconf.c 1970-01-01 00:00:00 -@@ -280,7 +280,12 @@ fill_default_server_options(ServerOption +@@ -279,7 +279,12 @@ fill_default_server_options(ServerOption /* Portable-specific options */ if (options->use_pam == -1) @@ -26,7 +26,7 @@ diff -wpruN '--exclude=*.orig' a~/servconf.c a/servconf.c /* Standard Options */ if (options->num_host_key_files == 0) { -@@ -1398,8 +1403,17 @@ process_server_config_line_depth(ServerO +@@ -1366,8 +1371,17 @@ process_server_config_line_depth(ServerO switch (opcode) { /* Portable-specific options */ case sUsePAM: diff --git a/build/openssh/patches/0003-lastlogin.patch b/build/openssh/patches/0003-lastlogin.patch index cf3d73bb67..68bd551527 100644 --- a/build/openssh/patches/0003-lastlogin.patch +++ b/build/openssh/patches/0003-lastlogin.patch @@ -17,7 +17,7 @@ diff -wpruN '--exclude=*.orig' a~/sshd_config.4 a/sshd_config.4 .It Cm PrintMotd Specifies whether .Xr sshd 8 -@@ -2074,7 +2074,8 @@ This file should be writable by root onl +@@ -2078,7 +2078,8 @@ This file should be writable by root onl .El .Sh SEE ALSO .Xr sftp-server 8 , diff --git a/build/openssh/patches/0004-Reorganise-man-pages-into-illumos-numbering-adjust-t.patch b/build/openssh/patches/0004-Reorganise-man-pages-into-illumos-numbering-adjust-t.patch index 25f51fa11a..842c1f8150 100644 --- a/build/openssh/patches/0004-Reorganise-man-pages-into-illumos-numbering-adjust-t.patch +++ b/build/openssh/patches/0004-Reorganise-man-pages-into-illumos-numbering-adjust-t.patch 
@@ -67,16 +67,16 @@ diff -wpruN '--exclude=*.orig' a~/Makefile.in a/Makefile.in diff -wpruN '--exclude=*.orig' a~/contrib/ssh-copy-id.1 a/contrib/ssh-copy-id.1 --- a~/contrib/ssh-copy-id.1 1970-01-01 00:00:00 +++ a/contrib/ssh-copy-id.1 1970-01-01 00:00:00 -@@ -102,7 +102,7 @@ options, respectively. - Rather than specifying these as command line options, it is often better to use (per-host) settings in +@@ -114,7 +114,7 @@ Rather than specifying these as command + it is often better to use (per-host) settings in .Xr ssh 1 Ns 's configuration file: -.Xr ssh_config 5 . +.Xr ssh_config 4 . - .El - .Pp - Default behaviour without -@@ -195,4 +195,4 @@ option, rather than + .It Fl x + This option is for debugging the + .Nm +@@ -218,4 +218,4 @@ option, rather than .Sh "SEE ALSO" .Xr ssh 1 , .Xr ssh-agent 1 , @@ -170,7 +170,7 @@ diff -wpruN '--exclude=*.orig' a~/sftp.1 a/sftp.1 diff -wpruN '--exclude=*.orig' a~/ssh-add.1 a/ssh-add.1 --- a~/ssh-add.1 1970-01-01 00:00:00 +++ a/ssh-add.1 1970-01-01 00:00:00 -@@ -236,7 +236,7 @@ files are usable by performing sign and +@@ -244,7 +244,7 @@ files are usable by performing sign and Set a maximum lifetime when adding identities to an agent. The lifetime may be specified in seconds or in a time format specified in @@ -179,7 +179,7 @@ diff -wpruN '--exclude=*.orig' a~/ssh-add.1 a/ssh-add.1 .It Fl v Verbose mode. Causes -@@ -330,7 +330,7 @@ is unable to contact the authentication +@@ -338,7 +338,7 @@ is unable to contact the authentication .Xr ssh-agent 1 , .Xr ssh-askpass 1 , .Xr ssh-keygen 1 , @@ -199,7 +199,7 @@ diff -wpruN '--exclude=*.orig' a~/ssh-agent.1 a/ssh-agent.1 +.Xr ssh_config 4 for a description of pattern-list syntax. The default list is - .Dq /usr/lib/*,/usr/local/lib/* . + .Dq usr/lib*/*,/usr/local/lib*/* . @@ -166,7 +166,7 @@ does not look like it's a csh style of s .It Fl t Ar life Set a default value for the maximum lifetime of identities added to the agent. 
@@ -339,7 +339,7 @@ diff -wpruN '--exclude=*.orig' a~/ssh-keyscan.1 a/ssh-keyscan.1 diff -wpruN '--exclude=*.orig' a~/ssh.1 a/ssh.1 --- a~/ssh.1 1970-01-01 00:00:00 +++ a/ssh.1 1970-01-01 00:00:00 -@@ -170,7 +170,7 @@ listed in order of preference. +@@ -172,7 +172,7 @@ listed in order of preference. See the .Cm Ciphers keyword in @@ -348,7 +348,7 @@ diff -wpruN '--exclude=*.orig' a~/ssh.1 a/ssh.1 for more information. .Pp .It Fl D Xo -@@ -427,7 +427,7 @@ before each operation that changes the m +@@ -429,7 +429,7 @@ before each operation that changes the m Refer to the description of .Cm ControlMaster in @@ -357,7 +357,7 @@ diff -wpruN '--exclude=*.orig' a~/ssh.1 a/ssh.1 for details. .Pp .It Fl m Ar mac_spec -@@ -498,7 +498,7 @@ Can be used to give options in the forma +@@ -500,7 +500,7 @@ Can be used to give options in the forma This is useful for specifying options for which there is no separate command-line flag. For full details of the options listed below, and their possible values, see @@ -366,7 +366,7 @@ diff -wpruN '--exclude=*.orig' a~/ssh.1 a/ssh.1 .Pp .Bl -tag -width Ds -offset indent -compact .It AddKeysToAgent -@@ -701,7 +701,7 @@ Specifying a remote +@@ -715,7 +715,7 @@ Specifying a remote will only succeed if the server's .Cm GatewayPorts option is enabled (see @@ -375,7 +375,7 @@ diff -wpruN '--exclude=*.orig' a~/ssh.1 a/ssh.1 .Pp If the .Ar port -@@ -723,7 +723,7 @@ Refer to the description of +@@ -737,7 +737,7 @@ Refer to the description of and .Cm ControlMaster in @@ -384,7 +384,7 @@ diff -wpruN '--exclude=*.orig' a~/ssh.1 a/ssh.1 for details. .Pp .It Fl s -@@ -807,7 +807,7 @@ See also the +@@ -821,7 +821,7 @@ See also the and .Cm TunnelDevice directives in @@ -393,7 +393,7 @@ diff -wpruN '--exclude=*.orig' a~/ssh.1 a/ssh.1 .Pp If the .Cm Tunnel -@@ -836,7 +836,7 @@ Refer to the +@@ -850,7 +850,7 @@ Refer to the option and the .Cm ForwardX11Trusted directive in 
@@ -402,7 +402,7 @@ diff -wpruN '--exclude=*.orig' a~/ssh.1 a/ssh.1 for more information. .Pp .It Fl x -@@ -858,7 +858,7 @@ By default this information is sent to s +@@ -872,7 +872,7 @@ By default this information is sent to s may additionally obtain configuration data from a per-user configuration file and a system-wide configuration file. The file format and configuration options are described in @@ -411,7 +411,7 @@ diff -wpruN '--exclude=*.orig' a~/ssh.1 a/ssh.1 .Sh AUTHENTICATION The OpenSSH SSH client supports SSH protocol 2. .Pp -@@ -1001,7 +1001,7 @@ See +@@ -1015,7 +1015,7 @@ See and (optionally) the .Cm AddKeysToAgent directive in @@ -420,7 +420,7 @@ diff -wpruN '--exclude=*.orig' a~/ssh.1 a/ssh.1 for more information. .Pp Keyboard-interactive authentication works as follows: -@@ -1133,7 +1133,7 @@ for dynamic port-forwardings. +@@ -1147,7 +1147,7 @@ for dynamic port-forwardings. allows the user to execute a local command if the .Ic PermitLocalCommand option is enabled in @@ -429,7 +429,7 @@ diff -wpruN '--exclude=*.orig' a~/ssh.1 a/ssh.1 Basic help is available, using the .Fl h option. -@@ -1321,7 +1321,7 @@ Are you sure you want to continue connec +@@ -1335,7 +1335,7 @@ Are you sure you want to continue connec See the .Cm VerifyHostKeyDNS option in @@ -438,7 +438,7 @@ diff -wpruN '--exclude=*.orig' a~/ssh.1 a/ssh.1 for more information. .Sh SSH-BASED VIRTUAL PRIVATE NETWORKS .Nm -@@ -1331,7 +1331,7 @@ using the +@@ -1345,7 +1345,7 @@ using the network pseudo-device, allowing two networks to be joined securely. The @@ -447,7 +447,7 @@ diff -wpruN '--exclude=*.orig' a~/ssh.1 a/ssh.1 configuration option .Cm PermitTunnel controls whether the server supports this, -@@ -1511,7 +1511,7 @@ change their environment. +@@ -1525,7 +1525,7 @@ change their environment. For more information, see the .Cm PermitUserEnvironment option in 
@@ -456,7 +456,7 @@ diff -wpruN '--exclude=*.orig' a~/ssh.1 a/ssh.1 .Sh FILES .Bl -tag -width Ds -compact .It Pa ~/.rhosts -@@ -1519,7 +1519,7 @@ This file is used for host-based authent +@@ -1533,7 +1533,7 @@ This file is used for host-based authent On some machines this file may need to be world-readable if the user's home directory is on an NFS partition, because @@ -465,7 +465,7 @@ diff -wpruN '--exclude=*.orig' a~/ssh.1 a/ssh.1 reads it as root. Additionally, this file must be owned by the user, and must not have write permissions for anyone else. -@@ -1544,7 +1544,7 @@ and not accessible by others. +@@ -1558,7 +1558,7 @@ and not accessible by others. Lists the public keys (DSA, ECDSA, Ed25519, RSA) that can be used for logging in as this user. The format of this file is described in the @@ -474,7 +474,7 @@ diff -wpruN '--exclude=*.orig' a~/ssh.1 a/ssh.1 manual page. This file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others. -@@ -1552,7 +1552,7 @@ permissions are read/write for the user, +@@ -1566,7 +1566,7 @@ permissions are read/write for the user, .It Pa ~/.ssh/config This is the per-user configuration file. The file format and configuration options are described in @@ -483,7 +483,7 @@ diff -wpruN '--exclude=*.orig' a~/ssh.1 a/ssh.1 Because of the potential for abuse, this file must have strict permissions: read/write for the user, and not writable by others. .Pp -@@ -1591,7 +1591,7 @@ sensitive and can (but need not) be read +@@ -1605,7 +1605,7 @@ sensitive and can (but need not) be read Contains a list of host keys for all hosts the user has logged into that are not already in the systemwide list of known host keys. See 
@@ -492,7 +492,7 @@ diff -wpruN '--exclude=*.orig' a~/ssh.1 a/ssh.1 for further details of the format of this file. .Pp .It Pa ~/.ssh/rc -@@ -1600,7 +1600,7 @@ Commands in this file are executed by +@@ -1614,7 +1614,7 @@ Commands in this file are executed by when the user logs in, just before the user's shell (or command) is started. See the @@ -501,7 +501,7 @@ diff -wpruN '--exclude=*.orig' a~/ssh.1 a/ssh.1 manual page for more information. .Pp .It Pa /etc/hosts.equiv -@@ -1616,7 +1616,7 @@ rlogin/rsh. +@@ -1630,7 +1630,7 @@ rlogin/rsh. .It Pa /etc/ssh/ssh_config Systemwide configuration file. The file format and configuration options are described in @@ -510,7 +510,7 @@ diff -wpruN '--exclude=*.orig' a~/ssh.1 a/ssh.1 .Pp .It Pa /etc/ssh/ssh_host_key .It Pa /etc/ssh/ssh_host_dsa_key -@@ -1633,7 +1633,7 @@ system administrator to contain the publ +@@ -1647,7 +1647,7 @@ system administrator to contain the publ organization. It should be world-readable. See @@ -519,7 +519,7 @@ diff -wpruN '--exclude=*.orig' a~/ssh.1 a/ssh.1 for further details of the format of this file. .Pp .It Pa /etc/ssh/sshrc -@@ -1641,7 +1641,7 @@ Commands in this file are executed by +@@ -1655,7 +1655,7 @@ Commands in this file are executed by .Nm when the user logs in, just before the user's shell (or command) is started. See the @@ -528,7 +528,7 @@ diff -wpruN '--exclude=*.orig' a~/ssh.1 a/ssh.1 manual page for more information. .El .Sh EXIT STATUS -@@ -1656,9 +1656,9 @@ if an error occurred. +@@ -1670,9 +1670,9 @@ if an error occurred. .Xr ssh-keygen 1 , .Xr ssh-keyscan 1 , .Xr tun 4 , diff --git a/build/openssh/patches/0006-GSS-store-creds-for-Solaris.patch b/build/openssh/patches/0006-GSS-store-creds-for-Solaris.patch index bcdddb0999..3791c536be 100644 --- a/build/openssh/patches/0006-GSS-store-creds-for-Solaris.patch +++ b/build/openssh/patches/0006-GSS-store-creds-for-Solaris.patch 
@@ -6,7 +6,7 @@ Subject: [PATCH 06/34] GSS store creds for Solaris diff -wpruN '--exclude=*.orig' a~/configure.ac a/configure.ac --- a~/configure.ac 1970-01-01 00:00:00 +++ a/configure.ac 1970-01-01 00:00:00 -@@ -1151,6 +1151,9 @@ mips-sony-bsd|mips-sony-newsos4) +@@ -1161,6 +1161,9 @@ mips-sony-bsd|mips-sony-newsos4) ], ) TEST_SHELL=$SHELL # let configure find us a capable shell @@ -121,7 +121,7 @@ diff -wpruN '--exclude=*.orig' a~/gss-serv.c a/gss-serv.c diff -wpruN '--exclude=*.orig' a~/servconf.c a/servconf.c --- a~/servconf.c 1970-01-01 00:00:00 +++ a/servconf.c 1970-01-01 00:00:00 -@@ -605,7 +605,11 @@ static struct { +@@ -604,7 +604,11 @@ static struct { { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL }, #ifdef GSSAPI { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL }, diff --git a/build/openssh/patches/0008-Add-DisableBanner-option.patch b/build/openssh/patches/0008-Add-DisableBanner-option.patch index efe4f17290..86bdba6455 100644 --- a/build/openssh/patches/0008-Add-DisableBanner-option.patch +++ b/build/openssh/patches/0008-Add-DisableBanner-option.patch @@ -1,7 +1,7 @@ diff -wpruN '--exclude=*.orig' a~/readconf.c a/readconf.c --- a~/readconf.c 1970-01-01 00:00:00 +++ a/readconf.c 1970-01-01 00:00:00 -@@ -163,6 +163,9 @@ typedef enum { +@@ -167,6 +167,9 @@ typedef enum { oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist, oHashKnownHosts, @@ -11,7 +11,7 @@ diff -wpruN '--exclude=*.orig' a~/readconf.c a/readconf.c oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, oRemoteCommand, oVisualHostKey, -@@ -289,6 +292,9 @@ static struct { +@@ -294,6 +297,9 @@ static struct { { "controlpersist", oControlPersist }, { "hashknownhosts", oHashKnownHosts }, { "include", oInclude }, 
@@ -21,7 +21,7 @@ diff -wpruN '--exclude=*.orig' a~/readconf.c a/readconf.c { "tunnel", oTunnel }, { "tunneldevice", oTunnelDevice }, { "localcommand", oLocalCommand }, -@@ -922,6 +928,17 @@ parse_multistate_value(const char *arg, +@@ -1011,6 +1017,17 @@ parse_multistate_value(const char *arg, return -1; } @@ -39,9 +39,9 @@ diff -wpruN '--exclude=*.orig' a~/readconf.c a/readconf.c /* * Processes a single option line as used in the configuration files. This * only sets those values that have not already been set. -@@ -2188,6 +2205,13 @@ parse_pubkey_algos: - intptr = &options->required_rsa_size; - goto parse_int; +@@ -2353,6 +2370,13 @@ parse_pubkey_algos: + } + break; +#ifdef DISABLE_BANNER + case oDisableBanner: @@ -53,7 +53,7 @@ diff -wpruN '--exclude=*.orig' a~/readconf.c a/readconf.c case oDeprecated: debug("%s line %d: Deprecated option \"%s\"", filename, linenum, keyword); -@@ -2424,6 +2448,9 @@ initialize_options(Options * options) +@@ -2589,6 +2613,9 @@ initialize_options(Options * options) options->stdin_null = -1; options->fork_after_authentication = -1; options->proxy_use_fdpass = -1; @@ -63,7 +63,7 @@ diff -wpruN '--exclude=*.orig' a~/readconf.c a/readconf.c options->ignored_unknown = NULL; options->num_canonical_domains = 0; options->num_permitted_cnames = 0; -@@ -2625,6 +2652,10 @@ fill_default_options(Options * options) +@@ -2794,6 +2821,10 @@ fill_default_options(Options * options) options->canonicalize_fallback_local = 1; if (options->canonicalize_hostname == -1) options->canonicalize_hostname = SSH_CANONICALISE_NO; 
@@ -77,8 +77,8 @@ diff -wpruN '--exclude=*.orig' a~/readconf.c a/readconf.c diff -wpruN '--exclude=*.orig' a~/readconf.h a/readconf.h --- a~/readconf.h 1970-01-01 00:00:00 +++ a/readconf.h 1970-01-01 00:00:00 -@@ -181,6 +181,9 @@ typedef struct { - int enable_escape_commandline; /* ~C commandline */ +@@ -186,6 +186,9 @@ typedef struct { + u_int num_channel_timeouts; char *ignored_unknown; /* Pattern list of unknown tokens to ignore */ +#ifdef DISABLE_BANNER @@ -87,9 +87,9 @@ diff -wpruN '--exclude=*.orig' a~/readconf.h a/readconf.h } Options; #define SSH_PUBKEY_AUTH_NO 0x00 -@@ -221,6 +224,12 @@ typedef struct { - #define SSH_STRICT_HOSTKEY_YES 2 - #define SSH_STRICT_HOSTKEY_ASK 3 +@@ -231,6 +234,12 @@ typedef struct { + #define SSH_KEYSTROKE_CHAFF_MIN_MS 1024 + #define SSH_KEYSTROKE_CHAFF_RNG_MS 2048 +#ifdef DISABLE_BANNER +#define SSH_DISABLEBANNER_NO 0 @@ -99,11 +99,11 @@ diff -wpruN '--exclude=*.orig' a~/readconf.h a/readconf.h + const char *kex_default_pk_alg(void); char *ssh_connection_hash(const char *thishost, const char *host, - const char *portstr, const char *user); + const char *portstr, const char *user, const char *jump_host); diff -wpruN '--exclude=*.orig' a~/ssh_config.4 a/ssh_config.4 --- a~/ssh_config.4 1970-01-01 00:00:00 +++ a/ssh_config.4 1970-01-01 00:00:00 -@@ -611,6 +611,14 @@ If set to a time in seconds, or a time i +@@ -700,6 +700,14 @@ If set to a time in seconds, or a time i then the backgrounded master connection will automatically terminate after it has remained idle (with no client connections) for the specified time. @@ -132,7 +132,7 @@ diff -wpruN '--exclude=*.orig' a~/sshconnect2.c a/sshconnect2.c /* * SSH2 key exchange */ -@@ -585,8 +589,28 @@ input_userauth_banner(int type, u_int32_ +@@ -586,8 +590,28 @@ input_userauth_banner(int type, u_int32_ if ((r = sshpkt_get_cstring(ssh, &msg, &len)) != 0 || (r = sshpkt_get_cstring(ssh, NULL, NULL)) != 0) goto out; 
diff --git a/build/openssh/patches/0009-PAM-conversation-fix.patch b/build/openssh/patches/0009-PAM-conversation-fix.patch index 99909e831e..6ccc2ff510 100644 --- a/build/openssh/patches/0009-PAM-conversation-fix.patch +++ b/build/openssh/patches/0009-PAM-conversation-fix.patch @@ -6,7 +6,7 @@ Subject: [PATCH 09/34] PAM conversation fix diff -wpruN '--exclude=*.orig' a~/auth-pam.c a/auth-pam.c --- a~/auth-pam.c 1970-01-01 00:00:00 +++ a/auth-pam.c 1970-01-01 00:00:00 -@@ -1279,11 +1279,13 @@ free_pam_environment(char **env) +@@ -1281,11 +1281,13 @@ free_pam_environment(char **env) free(env); } @@ -20,7 +20,7 @@ diff -wpruN '--exclude=*.orig' a~/auth-pam.c a/auth-pam.c static int sshpam_passwd_conv(int n, sshpam_const struct pam_message **msg, struct pam_response **resp, void *data) -@@ -1305,12 +1307,24 @@ sshpam_passwd_conv(int n, sshpam_const s +@@ -1307,12 +1309,24 @@ sshpam_passwd_conv(int n, sshpam_const s for (i = 0; i < n; ++i) { switch (PAM_MSG_MEMBER(msg, i, msg_style)) { case PAM_PROMPT_ECHO_OFF: @@ -45,7 +45,7 @@ diff -wpruN '--exclude=*.orig' a~/auth-pam.c a/auth-pam.c case PAM_ERROR_MSG: case PAM_TEXT_INFO: len = strlen(PAM_MSG_MEMBER(msg, i, msg)); -@@ -1347,6 +1361,9 @@ static struct pam_conv passwd_conv = { s +@@ -1349,6 +1363,9 @@ static struct pam_conv passwd_conv = { s int sshpam_auth_passwd(Authctxt *authctxt, const char *password) { @@ -55,7 +55,7 @@ diff -wpruN '--exclude=*.orig' a~/auth-pam.c a/auth-pam.c int flags = (options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0); char *fake = NULL; -@@ -1367,6 +1384,15 @@ sshpam_auth_passwd(Authctxt *authctxt, c +@@ -1369,6 +1386,15 @@ sshpam_auth_passwd(Authctxt *authctxt, c options.permit_root_login != PERMIT_YES)) sshpam_password = fake = fake_password(password); 
@@ -71,7 +71,7 @@ diff -wpruN '--exclude=*.orig' a~/auth-pam.c a/auth-pam.c sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, (const void *)&passwd_conv); if (sshpam_err != PAM_SUCCESS) -@@ -1378,6 +1404,16 @@ sshpam_auth_passwd(Authctxt *authctxt, c +@@ -1380,6 +1406,16 @@ sshpam_auth_passwd(Authctxt *authctxt, c free(fake); if (sshpam_err == PAM_MAXTRIES) sshpam_set_maxtries_reached(1); diff --git a/build/openssh/patches/0010-PAM-enhancements-for-Solaris.patch b/build/openssh/patches/0010-PAM-enhancements-for-Solaris.patch index 67a4f543ae..47a1466757 100644 --- a/build/openssh/patches/0010-PAM-enhancements-for-Solaris.patch +++ b/build/openssh/patches/0010-PAM-enhancements-for-Solaris.patch @@ -161,7 +161,7 @@ diff -wpruN '--exclude=*.orig' a~/auth.h a/auth.h diff -wpruN '--exclude=*.orig' a~/auth2.c a/auth2.c --- a~/auth2.c 1970-01-01 00:00:00 +++ a/auth2.c 1970-01-01 00:00:00 -@@ -294,9 +294,17 @@ input_userauth_request(int type, u_int32 +@@ -305,9 +305,17 @@ input_userauth_request(int type, u_int32 #endif } #ifdef USE_PAM @@ -180,7 +180,7 @@ diff -wpruN '--exclude=*.orig' a~/auth2.c a/auth2.c ssh_packet_set_log_preamble(ssh, "%suser %s", authctxt->valid ? "authenticating " : "invalid ", user); setproctitle("%s%s", authctxt->valid ? user : "unknown", -@@ -331,6 +339,18 @@ input_userauth_request(int type, u_int32 +@@ -344,6 +352,18 @@ input_userauth_request(int type, u_int32 /* try to authenticate user */ m = authmethod_lookup(authctxt, method); if (m != NULL && authctxt->failures < options.max_authtries) { @@ -199,7 +199,7 @@ diff -wpruN '--exclude=*.orig' a~/auth2.c a/auth2.c debug2("input_userauth_request: try method %s", method); authenticated = m->userauth(ssh, method); } -@@ -356,6 +376,10 @@ userauth_finish(struct ssh *ssh, int aut +@@ -369,6 +389,10 @@ userauth_finish(struct ssh *ssh, int aut char *methods; int r, partial = 0; 
@@ -210,7 +210,7 @@ diff -wpruN '--exclude=*.orig' a~/auth2.c a/auth2.c if (authenticated) { if (!authctxt->valid) { fatal("INTERNAL ERROR: authenticated invalid user %s", -@@ -379,6 +403,25 @@ userauth_finish(struct ssh *ssh, int aut +@@ -392,6 +416,25 @@ userauth_finish(struct ssh *ssh, int aut } if (authenticated && options.num_auth_methods != 0) { @@ -236,7 +236,7 @@ diff -wpruN '--exclude=*.orig' a~/auth2.c a/auth2.c if (!auth2_update_methods_lists(authctxt, method, submethod)) { authenticated = 0; partial = 1; -@@ -396,7 +439,19 @@ userauth_finish(struct ssh *ssh, int aut +@@ -409,7 +452,19 @@ userauth_finish(struct ssh *ssh, int aut return; #ifdef USE_PAM @@ -269,7 +269,7 @@ diff -wpruN '--exclude=*.orig' a~/monitor.c a/monitor.c int mm_answer_authpassword(struct ssh *, int, struct sshbuf *); int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *); int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *); -@@ -193,10 +196,17 @@ struct mon_table mon_dispatch_proto20[] +@@ -190,10 +193,17 @@ struct mon_table mon_dispatch_proto20[] {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, @@ -287,7 +287,7 @@ diff -wpruN '--exclude=*.orig' a~/monitor.c a/monitor.c {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account}, {MONITOR_REQ_PAM_INIT_CTX, MON_ONCE, mm_answer_pam_init_ctx}, {MONITOR_REQ_PAM_QUERY, 0, mm_answer_pam_query}, -@@ -303,6 +313,25 @@ monitor_child_preauth(struct ssh *ssh, s +@@ -300,6 +310,25 @@ monitor_child_preauth(struct ssh *ssh, s /* Special handling for multiple required authentications */ if (options.num_auth_methods != 0) { 
@@ -313,7 +313,7 @@ diff -wpruN '--exclude=*.orig' a~/monitor.c a/monitor.c if (authenticated && !auth2_update_methods_lists(authctxt, auth_method, auth_submethod)) { -@@ -320,8 +349,21 @@ monitor_child_preauth(struct ssh *ssh, s +@@ -317,8 +346,21 @@ monitor_child_preauth(struct ssh *ssh, s !auth_root_allowed(ssh, auth_method)) authenticated = 0; #ifdef USE_PAM @@ -335,7 +335,7 @@ diff -wpruN '--exclude=*.orig' a~/monitor.c a/monitor.c struct sshbuf *m; if ((m = sshbuf_new()) == NULL) -@@ -800,6 +842,11 @@ mm_answer_pwnamallow(struct ssh *ssh, in +@@ -802,6 +844,11 @@ mm_answer_pwnamallow(struct ssh *ssh, in monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); @@ -347,7 +347,7 @@ diff -wpruN '--exclude=*.orig' a~/monitor.c a/monitor.c #ifdef USE_PAM if (options.use_pam) monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1); -@@ -823,6 +870,27 @@ int mm_answer_auth2_read_banner(struct s +@@ -825,6 +872,27 @@ int mm_answer_auth2_read_banner(struct s return (0); } @@ -419,7 +419,7 @@ diff -wpruN '--exclude=*.orig' a~/monitor_wrap.c a/monitor_wrap.c diff -wpruN '--exclude=*.orig' a~/servconf.c a/servconf.c --- a~/servconf.c 1970-01-01 00:00:00 +++ a/servconf.c 1970-01-01 00:00:00 -@@ -198,6 +198,18 @@ initialize_server_options(ServerOptions +@@ -197,6 +197,18 @@ initialize_server_options(ServerOptions options->channel_timeouts = NULL; options->num_channel_timeouts = 0; options->unused_connection_timeout = -1; @@ -438,7 +438,7 @@ diff -wpruN '--exclude=*.orig' a~/servconf.c a/servconf.c } /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ -@@ -437,6 +449,12 @@ fill_default_server_options(ServerOption +@@ -436,6 +448,12 @@ fill_default_server_options(ServerOption options->ip_qos_bulk = IPTOS_DSCP_CS1; if (options->version_addendum == NULL) options->version_addendum = xstrdup(""); 
@@ -451,7 +451,7 @@ diff -wpruN '--exclude=*.orig' a~/servconf.c a/servconf.c if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) options->fwd_opts.streamlocal_bind_mask = 0177; if (options->fwd_opts.streamlocal_bind_unlink == -1) -@@ -528,6 +546,9 @@ typedef enum { +@@ -527,6 +545,9 @@ typedef enum { sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory, sUsePrivilegeSeparation, sAllowAgentForwarding, sHostCertificate, sInclude, @@ -461,7 +461,7 @@ diff -wpruN '--exclude=*.orig' a~/servconf.c a/servconf.c sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser, sKexAlgorithms, sCASignatureAlgorithms, sIPQoS, sVersionAddendum, -@@ -679,6 +700,10 @@ static struct { +@@ -678,6 +699,10 @@ static struct { { "forcecommand", sForceCommand, SSHCFG_ALL }, { "chrootdirectory", sChrootDirectory, SSHCFG_ALL }, { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL }, @@ -472,7 +472,7 @@ diff -wpruN '--exclude=*.orig' a~/servconf.c a/servconf.c { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, -@@ -2569,6 +2594,37 @@ process_server_config_line_depth(ServerO +@@ -2558,6 +2583,37 @@ process_server_config_line_depth(ServerO } goto parse_time; @@ -513,7 +513,7 @@ diff -wpruN '--exclude=*.orig' a~/servconf.c a/servconf.c diff -wpruN '--exclude=*.orig' a~/servconf.h a/servconf.h --- a~/servconf.h 1970-01-01 00:00:00 +++ a/servconf.h 1970-01-01 00:00:00 -@@ -73,6 +73,10 @@ struct listenaddr { +@@ -71,6 +71,10 @@ struct listenaddr { struct addrinfo *addrs; }; @@ -524,7 +524,7 @@ diff -wpruN '--exclude=*.orig' a~/servconf.h a/servconf.h typedef struct { u_int num_ports; u_int ports_from_cmdline; -@@ -225,6 +229,12 @@ typedef struct { +@@ -223,6 +227,12 @@ typedef struct { u_int num_auth_methods; char **auth_methods; 
diff --git a/build/openssh/patches/0013-Solaris-Auditing-support.patch b/build/openssh/patches/0013-Solaris-Auditing-support.patch index 5629c7fefa..e6487edee0 100644 --- a/build/openssh/patches/0013-Solaris-Auditing-support.patch +++ b/build/openssh/patches/0013-Solaris-Auditing-support.patch @@ -1,7 +1,7 @@ diff -wpruN '--exclude=*.orig' a~/INSTALL a/INSTALL --- a~/INSTALL 1970-01-01 00:00:00 +++ a/INSTALL 1970-01-01 00:00:00 -@@ -107,9 +107,13 @@ http://www.gnu.org/software/automake/ +@@ -103,9 +103,13 @@ http://www.gnu.org/software/automake/ Basic Security Module (BSM): @@ -18,7 +18,7 @@ diff -wpruN '--exclude=*.orig' a~/INSTALL a/INSTALL makedepend: -@@ -175,8 +179,9 @@ name). +@@ -171,8 +175,9 @@ name). There are a few other options to the configure script: --with-audit=[module] enable additional auditing via the specified module. @@ -699,7 +699,7 @@ diff -wpruN '--exclude=*.orig' a~/audit.h a/audit.h diff -wpruN '--exclude=*.orig' a~/configure.ac a/configure.ac --- a~/configure.ac 1970-01-01 00:00:00 +++ a/configure.ac 1970-01-01 00:00:00 -@@ -1751,7 +1751,7 @@ AC_ARG_WITH([libedit], +@@ -1761,7 +1761,7 @@ AC_ARG_WITH([libedit], AUDIT_MODULE=none AC_ARG_WITH([audit], @@ -708,7 +708,7 @@ diff -wpruN '--exclude=*.orig' a~/configure.ac a/configure.ac [ AC_MSG_CHECKING([for supported audit module]) case "$withval" in -@@ -1788,6 +1788,13 @@ AC_ARG_WITH([audit], +@@ -1798,6 +1798,13 @@ AC_ARG_WITH([audit], SSHDLIBS="$SSHDLIBS -laudit" AC_DEFINE([USE_LINUX_AUDIT], [1], [Use Linux audit module]) ;; diff --git a/build/openssh/patches/0015-Enable-login-to-a-role-if-PAM-is-ok-with-it.patch b/build/openssh/patches/0015-Enable-login-to-a-role-if-PAM-is-ok-with-it.patch index f39bf81814..715dcb47ac 100644 --- a/build/openssh/patches/0015-Enable-login-to-a-role-if-PAM-is-ok-with-it.patch +++ b/build/openssh/patches/0015-Enable-login-to-a-role-if-PAM-is-ok-with-it.patch 
@@ -1,7 +1,7 @@ diff -wpruN '--exclude=*.orig' a~/auth-pam.c a/auth-pam.c --- a~/auth-pam.c 1970-01-01 00:00:00 +++ a/auth-pam.c 1970-01-01 00:00:00 -@@ -1211,6 +1211,20 @@ do_pam_account(void) +@@ -1213,6 +1213,20 @@ do_pam_account(void) return (sshpam_account_status); } @@ -78,7 +78,7 @@ diff -wpruN '--exclude=*.orig' a~/auth2-hostbased.c a/auth2-hostbased.c diff -wpruN '--exclude=*.orig' a~/auth2.c a/auth2.c --- a~/auth2.c 1970-01-01 00:00:00 +++ a/auth2.c 1970-01-01 00:00:00 -@@ -402,6 +402,14 @@ userauth_finish(struct ssh *ssh, int aut +@@ -415,6 +415,14 @@ userauth_finish(struct ssh *ssh, int aut #endif } @@ -96,7 +96,7 @@ diff -wpruN '--exclude=*.orig' a~/auth2.c a/auth2.c diff -wpruN '--exclude=*.orig' a~/monitor.c a/monitor.c --- a~/monitor.c 1970-01-01 00:00:00 +++ a/monitor.c 1970-01-01 00:00:00 -@@ -389,6 +389,12 @@ monitor_child_preauth(struct ssh *ssh, s +@@ -391,6 +391,12 @@ monitor_child_preauth(struct ssh *ssh, s } } @@ -109,7 +109,7 @@ diff -wpruN '--exclude=*.orig' a~/monitor.c a/monitor.c if (!authctxt->valid) fatal_f("authenticated invalid user"); if (strcmp(auth_method, "unknown") == 0) -@@ -592,14 +598,16 @@ monitor_reset_key_state(void) +@@ -594,14 +600,16 @@ monitor_reset_key_state(void) { /* reset state */ free(key_blob); @@ -127,7 +127,7 @@ diff -wpruN '--exclude=*.orig' a~/monitor.c a/monitor.c hostbased_chost = NULL; } -@@ -1072,6 +1080,11 @@ mm_answer_pam_account(struct ssh *ssh, i +@@ -1074,6 +1082,11 @@ mm_answer_pam_account(struct ssh *ssh, i if (!options.use_pam) fatal("%s: PAM not enabled", __func__); diff --git a/build/openssh/patches/0016-PAM-setcred-failures.patch b/build/openssh/patches/0016-PAM-setcred-failures.patch index b25be40969..8f6dc87a11 100644 --- a/build/openssh/patches/0016-PAM-setcred-failures.patch +++ b/build/openssh/patches/0016-PAM-setcred-failures.patch 
@@ -1,7 +1,7 @@ diff -wpruN '--exclude=*.orig' a~/auth-pam.c a/auth-pam.c --- a~/auth-pam.c 1970-01-01 00:00:00 +++ a/auth-pam.c 1970-01-01 00:00:00 -@@ -1244,12 +1244,19 @@ do_pam_setcred(int init) +@@ -1246,12 +1246,19 @@ do_pam_setcred(int init) sshpam_cred_established = 1; return; } @@ -21,7 +21,7 @@ diff -wpruN '--exclude=*.orig' a~/auth-pam.c a/auth-pam.c } static int -@@ -1345,10 +1352,16 @@ do_pam_session(struct ssh *ssh) +@@ -1347,10 +1354,16 @@ do_pam_session(struct ssh *ssh) if (sshpam_err == PAM_SUCCESS) sshpam_session_open = 1; else { diff --git a/build/openssh/patches/0018-Per-session-xauthfile.patch b/build/openssh/patches/0018-Per-session-xauthfile.patch index f8e4617605..20b2ef5c54 100644 --- a/build/openssh/patches/0018-Per-session-xauthfile.patch +++ b/build/openssh/patches/0018-Per-session-xauthfile.patch @@ -196,7 +196,7 @@ diff -wpruN '--exclude=*.orig' a~/session.c a/session.c static char * sig2name(int sig) { -@@ -2446,6 +2569,9 @@ session_close(struct ssh *ssh, Session * +@@ -2453,6 +2576,9 @@ session_close(struct ssh *ssh, Session * free(s->auth_display); free(s->auth_data); free(s->auth_proto); @@ -206,7 +206,7 @@ diff -wpruN '--exclude=*.orig' a~/session.c a/session.c free(s->subsys); if (s->env != NULL) { for (i = 0; i < s->num_env; i++) { -@@ -2701,6 +2827,10 @@ do_cleanup(struct ssh *ssh, Authctxt *au +@@ -2708,6 +2834,10 @@ do_cleanup(struct ssh *ssh, Authctxt *au auth_info_file = NULL; } diff --git a/build/openssh/patches/0019-PubKeyPlugin-support.patch b/build/openssh/patches/0019-PubKeyPlugin-support.patch index 27f6f0f8f2..e36b2de8f0 100644 --- a/build/openssh/patches/0019-PubKeyPlugin-support.patch +++ b/build/openssh/patches/0019-PubKeyPlugin-support.patch 
@@ -52,7 +52,7 @@ diff -wpruN '--exclude=*.orig' a~/auth2-pubkey.c a/auth2-pubkey.c static int userauth_pubkey(struct ssh *ssh, const char *method) { -@@ -741,6 +757,124 @@ user_key_command_allowed2(struct passwd +@@ -745,6 +761,124 @@ user_key_command_allowed2(struct passwd return found_key; } @@ -177,21 +177,21 @@ diff -wpruN '--exclude=*.orig' a~/auth2-pubkey.c a/auth2-pubkey.c /* * Check whether key authenticates and authorises the user. */ -@@ -786,6 +920,10 @@ user_key_allowed(struct ssh *ssh, struct +@@ -796,6 +930,10 @@ user_key_allowed(struct ssh *ssh, struct sshauthopt_free(opts); opts = NULL; + success = user_key_allowed_from_plugin(pw, key); + if (success > 0) -+ return success; ++ goto out; + if ((success = user_key_command_allowed2(pw, key, remote_ip, - remote_host, &opts)) != 0) + remote_host, conn_id, rdomain, &opts)) != 0) goto out; diff -wpruN '--exclude=*.orig' a~/servconf.c a/servconf.c --- a~/servconf.c 1970-01-01 00:00:00 +++ a/servconf.c 1970-01-01 00:00:00 -@@ -210,6 +210,7 @@ initialize_server_options(ServerOptions +@@ -209,6 +209,7 @@ initialize_server_options(ServerOptions */ options->pam_service_per_authmethod = 1; #endif @@ -199,7 +199,7 @@ diff -wpruN '--exclude=*.orig' a~/servconf.c a/servconf.c } /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ -@@ -558,6 +559,7 @@ typedef enum { +@@ -557,6 +558,7 @@ typedef enum { sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider, sRequiredRSASize, sChannelTimeout, sUnusedConnectionTimeout, @@ -207,7 +207,7 @@ diff -wpruN '--exclude=*.orig' a~/servconf.c a/servconf.c sDeprecated, sIgnore, sUnsupported } ServerOpCodes; -@@ -724,6 +726,7 @@ static struct { +@@ -723,6 +725,7 @@ static struct { { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL }, { "rdomain", sRDomain, SSHCFG_ALL }, { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL }, 
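Review bot: The plugin-accepted path now reaches `out:` with `opts == NULL`, because the inner context lines just above (`sshauthopt_free(opts); opts = NULL;`) clear it and `user_key_allowed_from_plugin(pw, key)` takes no options pointer, so a caller gets `success > 0` with `*authoptsp` left unset. Replacing `return success` with `goto out` is the right adjustment for 9.6, where the new `conn_id`/`rdomain` arguments to `user_key_command_allowed2` show the caller now owns state that is presumably released at the label, but it is worth confirming that the 9.6 consumers of the result (the monitor's key-allowed answer and its option serialisation, outside this hunk) tolerate a NULL option set for an accepted key rather than treating it as an error. If they do not, populate defaults before jumping, e.g. `if ((opts = sshauthopt_new_with_keys_defaults()) == NULL) fatal_f("sshauthopt_new_with_keys_defaults failed");` ahead of `goto out;`, so plugin-accepted keys carry the same permission defaults as authorized_keys entries. Either way a comment such as `/* plugin acceptance carries no key options; opts is intentionally NULL here */` would make the choice explicit. The enclosing `user_key_allowed` starts and ends outside this hunk.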
@@ -215,7 +215,7 @@ diff -wpruN '--exclude=*.orig' a~/servconf.c a/servconf.c { "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL }, { "requiredrsasize", sRequiredRSASize, SSHCFG_ALL }, { "channeltimeout", sChannelTimeout, SSHCFG_ALL }, -@@ -2625,6 +2628,18 @@ process_server_config_line_depth(ServerO +@@ -2614,6 +2617,18 @@ process_server_config_line_depth(ServerO } break; @@ -237,7 +237,7 @@ diff -wpruN '--exclude=*.orig' a~/servconf.c a/servconf.c diff -wpruN '--exclude=*.orig' a~/servconf.h a/servconf.h --- a~/servconf.h 1970-01-01 00:00:00 +++ a/servconf.h 1970-01-01 00:00:00 -@@ -237,6 +237,7 @@ typedef struct { +@@ -235,6 +235,7 @@ typedef struct { int fingerprint_hash; int expose_userauth_info; diff --git a/build/openssh/patches/0026-Don-t-use-krb5-config-to-check-for-GSSAPI-on-illumos.patch b/build/openssh/patches/0026-Don-t-use-krb5-config-to-check-for-GSSAPI-on-illumos.patch index e17e4f0137..ce0dc2cb5e 100644 --- a/build/openssh/patches/0026-Don-t-use-krb5-config-to-check-for-GSSAPI-on-illumos.patch +++ b/build/openssh/patches/0026-Don-t-use-krb5-config-to-check-for-GSSAPI-on-illumos.patch @@ -6,7 +6,7 @@ Subject: [PATCH 26/34] Don't use krb5-config to check for GSSAPI on illumos diff -wpruN '--exclude=*.orig' a~/configure.ac a/configure.ac --- a~/configure.ac 1970-01-01 00:00:00 +++ a/configure.ac 1970-01-01 00:00:00 -@@ -4732,6 +4732,11 @@ AC_ARG_WITH([kerberos5], +@@ -4739,6 +4739,11 @@ AC_ARG_WITH([kerberos5], AC_PATH_TOOL([KRB5CONF], [krb5-config], [$KRB5ROOT/bin/krb5-config], [$KRB5ROOT/bin:$PATH]) @@ -18,7 +18,7 @@ diff -wpruN '--exclude=*.orig' a~/configure.ac a/configure.ac if test -x $KRB5CONF ; then K5CFLAGS="`$KRB5CONF --cflags`" K5LIBS="`$KRB5CONF --libs`" -@@ -4773,7 +4778,7 @@ AC_ARG_WITH([kerberos5], +@@ -4780,7 +4785,7 @@ AC_ARG_WITH([kerberos5], AC_CHECK_LIB([des], [des_cbc_encrypt], [K5LIBS="$K5LIBS -ldes"]) ], [ AC_MSG_RESULT([no]) 
diff --git a/build/openssh/patches/0027-Set-default-sshd-options-based-on-etc-default-login.patch b/build/openssh/patches/0027-Set-default-sshd-options-based-on-etc-default-login.patch index 43be547bea..8901bd66cb 100644 --- a/build/openssh/patches/0027-Set-default-sshd-options-based-on-etc-default-login.patch +++ b/build/openssh/patches/0027-Set-default-sshd-options-based-on-etc-default-login.patch @@ -17,7 +17,7 @@ diff -wpruN '--exclude=*.orig' a~/pathnames.h a/pathnames.h diff -wpruN '--exclude=*.orig' a~/servconf.c a/servconf.c --- a~/servconf.c 1970-01-01 00:00:00 +++ a/servconf.c 1970-01-01 00:00:00 -@@ -37,6 +37,7 @@ +@@ -36,6 +36,7 @@ #include #include #include @@ -25,7 +25,7 @@ diff -wpruN '--exclude=*.orig' a~/servconf.c a/servconf.c #include #ifdef HAVE_UTIL_H #include -@@ -220,6 +221,64 @@ option_clear_or_none(const char *o) +@@ -219,6 +220,64 @@ option_clear_or_none(const char *o) return o == NULL || strcasecmp(o, "none") == 0; } @@ -90,7 +90,7 @@ diff -wpruN '--exclude=*.orig' a~/servconf.c a/servconf.c static void assemble_algorithms(ServerOptions *o) { -@@ -300,6 +359,8 @@ fill_default_server_options(ServerOption +@@ -299,6 +358,8 @@ fill_default_server_options(ServerOption options->use_pam = 0; #endif diff --git a/build/openssh/patches/0029-Accept-LANG-and-LC_-environment-variables-from-clien.patch b/build/openssh/patches/0029-Accept-LANG-and-LC_-environment-variables-from-clien.patch index ff5d1c9cb7..592c416e63 100644 --- a/build/openssh/patches/0029-Accept-LANG-and-LC_-environment-variables-from-clien.patch +++ b/build/openssh/patches/0029-Accept-LANG-and-LC_-environment-variables-from-clien.patch 
@@ -10,7 +10,7 @@ behaviour (at least the parts that are most commonly used). diff -wpruN '--exclude=*.orig' a~/servconf.c a/servconf.c --- a~/servconf.c 1970-01-01 00:00:00 +++ a/servconf.c 1970-01-01 00:00:00 -@@ -174,7 +174,7 @@ initialize_server_options(ServerOptions +@@ -173,7 +173,7 @@ initialize_server_options(ServerOptions options->client_alive_interval = -1; options->client_alive_count_max = -1; options->num_authkeys_files = 0; @@ -19,7 +19,7 @@ diff -wpruN '--exclude=*.orig' a~/servconf.c a/servconf.c options->num_setenv = 0; options->permit_tun = -1; options->permitted_opens = NULL; -@@ -489,6 +489,33 @@ fill_default_server_options(ServerOption +@@ -488,6 +488,33 @@ fill_default_server_options(ServerOption options->max_sessions = DEFAULT_SESSIONS_MAX; if (options->use_dns == -1) options->use_dns = 0; @@ -53,7 +53,7 @@ diff -wpruN '--exclude=*.orig' a~/servconf.c a/servconf.c if (options->client_alive_interval == -1) options->client_alive_interval = 0; if (options->client_alive_count_max == -1) -@@ -2198,8 +2225,12 @@ process_server_config_line_depth(ServerO +@@ -2186,8 +2213,12 @@ process_server_config_line_depth(ServerO if (*arg == '\0' || strchr(arg, '=') != NULL) fatal("%s line %d: Invalid environment name.", filename, linenum); @@ -66,7 +66,7 @@ diff -wpruN '--exclude=*.orig' a~/servconf.c a/servconf.c opt_array_append(filename, linenum, keyword, &options->accept_env, &options->num_accept_env, arg); -@@ -2894,7 +2925,7 @@ copy_set_server_options(ServerOptions *d +@@ -2924,7 +2955,7 @@ copy_set_server_options(ServerOptions *d } while(0) #define M_CP_STRARRAYOPT(s, num_s) do {\ u_int i; \ diff --git a/build/openssh/patches/0031-Restore-tcpwrappers-libwrap-support.patch b/build/openssh/patches/0031-Restore-tcpwrappers-libwrap-support.patch index 7acd6666a9..595bc0ad84 100644 --- a/build/openssh/patches/0031-Restore-tcpwrappers-libwrap-support.patch +++ b/build/openssh/patches/0031-Restore-tcpwrappers-libwrap-support.patch 
@@ -1,7 +1,7 @@ diff -wpruN '--exclude=*.orig' a~/configure.ac a/configure.ac --- a~/configure.ac 1970-01-01 00:00:00 +++ a/configure.ac 1970-01-01 00:00:00 -@@ -1646,6 +1646,62 @@ else +@@ -1656,6 +1656,62 @@ else AC_MSG_RESULT([no]) fi @@ -64,7 +64,7 @@ diff -wpruN '--exclude=*.orig' a~/configure.ac a/configure.ac # Check whether user wants to use ldns LDNS_MSG="no" AC_ARG_WITH(ldns, -@@ -5644,6 +5700,7 @@ echo " PAM support +@@ -5660,6 +5716,7 @@ echo " PAM support echo " OSF SIA support: $SIA_MSG" echo " KerberosV support: $KRB5_MSG" echo " SELinux support: $SELINUX_MSG" diff --git a/build/openssh/patches/series b/build/openssh/patches/series index 3625e617b3..a5e7cdffc8 100644 --- a/build/openssh/patches/series +++ b/build/openssh/patches/series @@ -21,4 +21,3 @@ sshd_config.patch 0029-Accept-LANG-and-LC_-environment-variables-from-clien.patch 0031-Restore-tcpwrappers-libwrap-support.patch test.patch -sk-dummy-openssl.patch diff --git a/build/openssh/patches/sk-dummy-openssl.patch b/build/openssh/patches/sk-dummy-openssl.patch deleted file mode 100644 index 5fb319c7be..0000000000 --- a/build/openssh/patches/sk-dummy-openssl.patch +++ /dev/null 
@@ -1,117 +0,0 @@ - -This backs out: - - https://github.com/openssh/openssh-portable/commit/e3e62deb549fde215b777d - use libc SHA256 functions - -Since the way that it works around a conflict between libc and openssl's -SHA256/512 functions only works with openssl 1.0 - -diff -wpruN '--exclude=*.orig' a~/regress/misc/sk-dummy/sk-dummy.c a/regress/misc/sk-dummy/sk-dummy.c ---- a~/regress/misc/sk-dummy/sk-dummy.c 1970-01-01 00:00:00 -+++ a/regress/misc/sk-dummy/sk-dummy.c 1970-01-01 00:00:00 -@@ -24,9 +24,6 @@ - #include - #include - #include --#ifdef HAVE_SHA2_H --#include --#endif - - #include "crypto_api.h" - #include "sk-api.h" -@@ -36,9 +33,6 @@ - #endif - - #ifdef WITH_OPENSSL --/* We don't use sha2 from OpenSSL and they can conflict with system sha2.h */ --#define OPENSSL_NO_SHA --#define USE_LIBC_SHA2 /* NetBSD 9 */ - #include - #include - #include -@@ -326,7 +320,7 @@ sig_ecdsa(const uint8_t *message, size_t - BIO *bio = NULL; - EVP_PKEY *pk = NULL; - EC_KEY *ec = NULL; -- SHA2_CTX ctx; -+ SHA256_CTX ctx; - uint8_t apphash[SHA256_DIGEST_LENGTH]; - uint8_t sighash[SHA256_DIGEST_LENGTH]; - uint8_t countbuf[4]; -@@ -356,9 +350,9 @@ sig_ecdsa(const uint8_t *message, size_t - } - /* Prepare data to be signed */ - dump("message", message, message_len); -- SHA256Init(&ctx); -- SHA256Update(&ctx, (const u_char *)application, strlen(application)); -- SHA256Final(apphash, &ctx); -+ SHA256_Init(&ctx); -+ SHA256_Update(&ctx, (const u_char *)application, strlen(application)); -+ SHA256_Final(apphash, &ctx); - dump("apphash", apphash, sizeof(apphash)); - countbuf[0] = (counter >> 24) & 0xff; - countbuf[1] = (counter >> 16) & 0xff; -@@ -366,12 +360,12 @@ sig_ecdsa(const uint8_t *message, size_t - countbuf[3] = counter & 0xff; - dump("countbuf", countbuf, sizeof(countbuf)); - dump("flags", &flags, sizeof(flags)); -- SHA256Init(&ctx); -- SHA256Update(&ctx, apphash, sizeof(apphash)); -- SHA256Update(&ctx, &flags, sizeof(flags)); -- SHA256Update(&ctx, countbuf, 
sizeof(countbuf)); -- SHA256Update(&ctx, message, message_len); -- SHA256Final(sighash, &ctx); -+ SHA256_Init(&ctx); -+ SHA256_Update(&ctx, apphash, sizeof(apphash)); -+ SHA256_Update(&ctx, &flags, sizeof(flags)); -+ SHA256_Update(&ctx, countbuf, sizeof(countbuf)); -+ SHA256_Update(&ctx, message, message_len); -+ SHA256_Final(sighash, &ctx); - dump("sighash", sighash, sizeof(sighash)); - /* create and encode signature */ - if ((sig = ECDSA_do_sign(sighash, sizeof(sighash), ec)) == NULL) { -@@ -417,7 +411,7 @@ sig_ed25519(const uint8_t *message, size - { - size_t o; - int ret = -1; -- SHA2_CTX ctx; -+ SHA256_CTX ctx; - uint8_t apphash[SHA256_DIGEST_LENGTH]; - uint8_t signbuf[sizeof(apphash) + sizeof(flags) + - sizeof(counter) + SHA256_DIGEST_LENGTH]; -@@ -435,9 +429,9 @@ sig_ed25519(const uint8_t *message, size - } - /* Prepare data to be signed */ - dump("message", message, message_len); -- SHA256Init(&ctx); -- SHA256Update(&ctx, (const u_char *)application, strlen(application)); -- SHA256Final(apphash, &ctx); -+ SHA256_Init(&ctx); -+ SHA256_Update(&ctx, (const u_char *)application, strlen(application)); -+ SHA256_Final(apphash, &ctx); - dump("apphash", apphash, sizeof(apphash)); - - memcpy(signbuf, apphash, sizeof(apphash)); -@@ -495,7 +489,7 @@ sk_sign(uint32_t alg, const uint8_t *dat - { - struct sk_sign_response *response = NULL; - int ret = SSH_SK_ERR_GENERAL; -- SHA2_CTX ctx; -+ SHA256_CTX ctx; - uint8_t message[32]; - - if (sign_response == NULL) { -@@ -509,9 +503,9 @@ sk_sign(uint32_t alg, const uint8_t *dat - skdebug(__func__, "calloc response failed"); - goto out; - } -- SHA256Init(&ctx); -- SHA256Update(&ctx, data, datalen); -- SHA256Final(message, &ctx); -+ SHA256_Init(&ctx); -+ SHA256_Update(&ctx, data, datalen); -+ SHA256_Final(message, &ctx); - response->flags = flags; - response->counter = 0x12345678; - switch(alg) {