24525860 upgrade OpenSSH to 7.3p1
24320031 problem in UTILITY/OPENSSH
24461706 problem in UTILITY/OPENSSH
--- a/components/openssh/Makefile Mon Sep 19 14:01:08 2016 -0700
+++ b/components/openssh/Makefile Tue Sep 20 03:54:40 2016 -0700
@@ -27,19 +27,19 @@
include ../../make-rules/shared-macros.mk
COMPONENT_NAME= openssh
-COMPONENT_VERSION= 7.2p2
+COMPONENT_VERSION= 7.3p1
HUMAN_VERSION= $(COMPONENT_VERSION)
# Version for IPS. The encoding rules are:
# OpenSSH <x>.<y>p<n> => IPS <x>.<y>.0.<n>
# OpenSSH <x>.<y>.<z>p<n> => IPS <x>.<y>.<z>.<n>
-IPS_COMPONENT_VERSION= 7.2.0.2
+IPS_COMPONENT_VERSION= 7.3.0.1
COMPONENT_PROJECT_URL= http://www.openssh.org/
-COMPONENT_ARCHIVE_HASH= sha256:a72781d1a043876a224ff1b0032daa4094d87565a68528759c1c2cab5482548c
+COMPONENT_ARCHIVE_HASH= sha256:3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc
COMPONENT_ARCHIVE_URL= http://mirrors.sonic.net/pub/OpenBSD/OpenSSH/portable/$(COMPONENT_ARCHIVE)
-TPNO_OPENSSH= 27414
+TPNO_OPENSSH= 30602
TPNO_GSSKEX= 20377
# Because of set up requirements, test suite is in stc gate.
@@ -64,9 +64,9 @@
CFLAGS += -DPAM_BUGFIX
CFLAGS += -DOPTION_DEFAULT_VALUE
CFLAGS += -DPER_SESSION_XAUTHFILE
-CFLAGS += -DWITHOUT_CAST128
+CFLAGS += -DOPENSSL_NO_CAST
CFLAGS += -DENABLE_OPENSSL_FIPS
-CFLAGS += -DWITHOUT_ARCFOUR
+CFLAGS += -DOPENSSL_NO_RC4
CFLAGS += -DWITHOUT_HMAC_MD5
# We need to disable lazyloading of dynamic dependent libraries. During the
--- a/components/openssh/patches/014-disable_banner.patch Mon Sep 19 14:01:08 2016 -0700
+++ b/components/openssh/patches/014-disable_banner.patch Tue Sep 20 03:54:40 2016 -0700
@@ -6,54 +6,54 @@
# In the future, if this feature is accepted by the upsteam in a later release,
# we will remove this patch when we upgrade to that release.
#
-diff -pur old/readconf.c new/readconf.c
---- old/readconf.c 2015-03-28 21:57:35.551727235 +0100
-+++ new/readconf.c 2015-03-28 22:06:01.694836272 +0100
-@@ -150,6 +150,9 @@ typedef enum {
+--- orig/readconf.c Mon Aug 15 15:45:25 2016
++++ new/readconf.c Mon Aug 15 15:53:23 2016
+@@ -163,6 +163,9 @@
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
+#ifdef DISABLE_BANNER
-+ oDisableBanner,
++ oDisableBanner,
+#endif
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
- oVisualHostKey, oUseRoaming,
+ oVisualHostKey,
oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
-@@ -254,6 +257,9 @@ static struct {
+@@ -271,6 +274,9 @@
{ "controlmaster", oControlMaster },
{ "controlpersist", oControlPersist },
{ "hashknownhosts", oHashKnownHosts },
+#ifdef DISABLE_BANNER
-+ { "disablebanner", oDisableBanner },
++ { "disablebanner", oDisableBanner },
+#endif
+ { "include", oInclude },
{ "tunnel", oTunnel },
{ "tunneldevice", oTunnelDevice },
- { "localcommand", oLocalCommand },
-@@ -754,6 +760,17 @@ static const struct multistate multistat
+@@ -794,6 +800,18 @@
{ NULL, -1 }
};
++
+#ifdef DISABLE_BANNER
+static const struct multistate multistate_disablebanner[] = {
-+ { "true", SSH_DISABLEBANNER_YES },
-+ { "false", SSH_DISABLEBANNER_NO },
-+ { "yes", SSH_DISABLEBANNER_YES },
-+ { "no", SSH_DISABLEBANNER_NO },
-+ { "in-exec-mode", SSH_DISABLEBANNER_INEXECMODE },
-+ { NULL, -1 }
++ { "true", SSH_DISABLEBANNER_YES },
++ { "false", SSH_DISABLEBANNER_NO },
++ { "yes", SSH_DISABLEBANNER_YES },
++ { "no", SSH_DISABLEBANNER_NO },
++ { "in-exec-mode", SSH_DISABLEBANNER_INEXECMODE },
++ { NULL, -1 }
+};
+#endif
+
/*
* Processes a single option line as used in the configuration files. This
* only sets those values that have not already been set.
-@@ -1514,6 +1531,13 @@ parse_int:
- *charptr = xstrdup(arg);
- break;
+@@ -1657,6 +1675,13 @@
+ charptr = &options->identity_agent;
+ goto parse_string;
+#ifdef DISABLE_BANNER
-+ case oDisableBanner:
-+ intptr = &options->disable_banner;
++ case oDisableBanner:
++ intptr = &options->disable_banner;
+ multistate_ptr = multistate_disablebanner;
+ goto parse_multistate;
+#endif
@@ -61,32 +61,31 @@
case oDeprecated:
debug("%s line %d: Deprecated option \"%s\"",
filename, linenum, keyword);
-@@ -1684,6 +1708,9 @@ initialize_options(Options * options)
+@@ -1847,6 +1872,9 @@
options->ip_qos_bulk = -1;
options->request_tty = -1;
options->proxy_use_fdpass = -1;
+#ifdef DISABLE_BANNER
-+ options->disable_banner = -1;
++ options->disable_banner = -1;
+#endif
options->ignored_unknown = NULL;
options->num_canonical_domains = 0;
options->num_permitted_cnames = 0;
-@@ -1871,6 +1898,10 @@ fill_default_options(Options * options)
+@@ -2041,6 +2069,10 @@
options->canonicalize_fallback_local = 1;
if (options->canonicalize_hostname == -1)
options->canonicalize_hostname = SSH_CANONICALISE_NO;
+#ifdef DISABLE_BANNER
-+ if (options->disable_banner == -1)
-+ options->disable_banner = 0;
++ if (options->disable_banner == -1)
++ options->disable_banner = 0;
+#endif
if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
if (options->update_hostkeys == -1)
-diff -pur old/readconf.h new/readconf.h
---- old/readconf.h 2015-03-17 06:49:20.000000000 +0100
-+++ new/readconf.h 2015-03-28 21:57:35.684348892 +0100
-@@ -153,6 +153,9 @@ typedef struct {
- char *hostbased_key_types;
+--- orig/readconf.h Mon Aug 15 15:45:28 2016
++++ new/readconf.h Mon Aug 15 15:55:00 2016
+@@ -169,6 +169,9 @@
+ char *jump_extra;
char *ignored_unknown; /* Pattern list of unknown tokens to ignore */
+#ifdef DISABLE_BANNER
@@ -95,23 +94,22 @@
} Options;
#define SSH_CANONICALISE_NO 0
-@@ -178,6 +181,12 @@ typedef struct {
+@@ -195,6 +198,12 @@
#define SSH_UPDATE_HOSTKEYS_YES 1
#define SSH_UPDATE_HOSTKEYS_ASK 2
+#ifdef DISABLE_BANNER
-+#define SSH_DISABLEBANNER_NO 0
-+#define SSH_DISABLEBANNER_YES 1
-+#define SSH_DISABLEBANNER_INEXECMODE 2
++#define SSH_DISABLEBANNER_NO 0
++#define SSH_DISABLEBANNER_YES 1
++#define SSH_DISABLEBANNER_INEXECMODE 2
+#endif
+
void initialize_options(Options *);
void fill_default_options(Options *);
void fill_default_options_for_canonicalization(Options *);
-diff -pur old/ssh_config.5 new/ssh_config.5
---- old/ssh_config.5 2015-03-28 21:57:35.544033907 +0100
-+++ new/ssh_config.5 2015-03-28 21:57:35.684635985 +0100
-@@ -566,6 +566,14 @@ If set to a time in seconds, or a time i
+--- orig/ssh_config.5 Mon Aug 15 15:45:37 2016
++++ new/ssh_config.5 Mon Aug 15 15:57:36 2016
+@@ -643,6 +643,14 @@
then the backgrounded master connection will automatically terminate
after it has remained idle (with no client connections) for the
specified time.
@@ -122,14 +120,13 @@
+.Pp
+The default value is no, which means that the banner is displayed unless the
+log level is QUIET, FATAL, or ERROR. See also the Banner option in
-+.Xr sshd_config 4 . This option applies to protocol version 2 only.
+++.Xr sshd_config 5 . This option applies to protocol version 2 only.
.It Cm DynamicForward
Specifies that a TCP port on the local machine be forwarded
over the secure channel, and the application
-diff -pur old/sshconnect2.c new/sshconnect2.c
---- old/sshconnect2.c 2015-03-17 06:49:20.000000000 +0100
-+++ new/sshconnect2.c 2015-03-28 21:57:35.684940995 +0100
-@@ -81,6 +81,10 @@ extern char *client_version_string;
+--- orig/sshconnect2.c Mon Aug 15 15:45:44 2016
++++ new/sshconnect2.c Thu Aug 18 18:28:20 2016
+@@ -82,6 +82,10 @@
extern char *server_version_string;
extern Options options;
@@ -140,24 +137,24 @@
/*
* SSH2 key exchange
*/
-@@ -480,7 +484,20 @@ input_userauth_banner(int type, u_int32_
- debug3("input_userauth_banner");
- raw = packet_get_string(&len);
+@@ -502,7 +506,20 @@
+ debug3("%s", __func__);
+ msg = packet_get_string(&len);
lang = packet_get_string(NULL);
+
+#ifdef DISABLE_BANNER
-+ /*
-+ * Banner is a warning message according to RFC 4252. So, never print
-+ * a banner in error log level or lower. If the log level is higher,
-+ * use DisableBanner option to decide whether to display it or not.
-+ */
-+ if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO &&
++ /*
++ * Banner is a warning message according to RFC 4252. So, never print
++ * a banner in error log level or lower. If the log level is higher,
++ * use DisableBanner option to decide whether to display it or not.
++ */
++ if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO &&
+ (options.disable_banner == SSH_DISABLEBANNER_NO ||
+ (options.disable_banner == SSH_DISABLEBANNER_INEXECMODE &&
-+ buffer_len(&command) == 0))) {
++ buffer_len(&command) == 0)))
+#else
- if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO) {
+ if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO)
+#endif
- if (len > 65536)
- len = 65536;
- msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */
+ fmprintf(stderr, "%s", msg);
+ free(msg);
+ free(lang);
--- a/components/openssh/patches/015-pam_conversation_fix.patch Mon Sep 19 14:01:08 2016 -0700
+++ b/components/openssh/patches/015-pam_conversation_fix.patch Tue Sep 20 03:54:40 2016 -0700
@@ -4,9 +4,9 @@
# 2009, but it was not accepted by the upstream. For more information, see
# https://bugzilla.mindrot.org/show_bug.cgi?id=1681.
#
---- orig/auth-pam.c Mon Oct 27 14:40:01 2014
-+++ new/auth-pam.c Tue Oct 28 12:40:59 2014
-@@ -1111,11 +1111,13 @@
+--- orig/auth-pam.c Mon Aug 15 16:16:17 2016
++++ new/auth-pam.c Mon Aug 15 16:26:40 2016
+@@ -1138,11 +1138,13 @@
free(env);
}
@@ -20,25 +20,25 @@
static int
sshpam_passwd_conv(int n, sshpam_const struct pam_message **msg,
struct pam_response **resp, void *data)
-@@ -1137,6 +1139,17 @@
+@@ -1164,6 +1166,17 @@
for (i = 0; i < n; ++i) {
switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
case PAM_PROMPT_ECHO_OFF:
+#ifdef PAM_BUGFIX
+ /*
+ * PAM conversation function for the password userauth
-+ * method (non-interactive) really cannot do any
-+ * prompting. We set the PAM_AUTHTOK item in
++ * method (non-interactive) really cannot do any
++ * prompting. We set the PAM_AUTHTOK item in
+ * sshpam_auth_passwd()to avoid conversation. If some
-+ * modules still try to converse, then the password
-+ * userauth will fail.
-+ */
-+ goto fail;
++ * modules still try to converse, then the password
++ * userauth will fail.
++ */
++ goto fail;
+#else
if (sshpam_password == NULL)
goto fail;
if ((reply[i].resp = strdup(sshpam_password)) == NULL)
-@@ -1143,6 +1156,7 @@
+@@ -1170,6 +1183,7 @@
goto fail;
reply[i].resp_retcode = PAM_SUCCESS;
break;
@@ -46,7 +46,7 @@
case PAM_ERROR_MSG:
case PAM_TEXT_INFO:
len = strlen(PAM_MSG_MEMBER(msg, i, msg));
-@@ -1178,6 +1192,9 @@
+@@ -1205,6 +1219,9 @@
int
sshpam_auth_passwd(Authctxt *authctxt, const char *password)
{
@@ -55,35 +55,35 @@
+#endif
int flags = (options.permit_empty_passwd == 0 ?
PAM_DISALLOW_NULL_AUTHTOK : 0);
-
-@@ -1197,6 +1214,15 @@
+ char *fake = NULL;
+@@ -1225,6 +1242,15 @@
options.permit_root_login != PERMIT_YES))
- sshpam_password = badpw;
+ sshpam_password = fake = fake_password(password);
+#ifdef PAM_BUGFIX
-+ sshpam_err = pam_set_item(sshpam_handle, PAM_AUTHTOK, password);
-+ if (sshpam_err != PAM_SUCCESS) {
-+ debug("PAM: %s: failed to set PAM_AUTHTOK: %s", __func__,
-+ pam_strerror(sshpam_handle, sshpam_err));
-+ return 0;
-+ }
++ sshpam_err = pam_set_item(sshpam_handle, PAM_AUTHTOK, password);
++ if (sshpam_err != PAM_SUCCESS) {
++ debug("PAM: %s: failed to set PAM_AUTHTOK: %s", __func__,
++ pam_strerror(sshpam_handle, sshpam_err));
++ return 0;
++ }
+#endif
+
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&passwd_conv);
if (sshpam_err != PAM_SUCCESS)
-@@ -1205,6 +1231,16 @@
-
- sshpam_err = pam_authenticate(sshpam_handle, flags);
- sshpam_password = NULL;
+@@ -1236,6 +1262,16 @@
+ free(fake);
+ if (sshpam_err == PAM_MAXTRIES)
+ sshpam_set_maxtries_reached(1);
+
+#ifdef PAM_BUGFIX
+ set_item_rtn = pam_set_item(sshpam_handle, PAM_AUTHTOK, NULL);
-+ if (set_item_rtn != PAM_SUCCESS) {
-+ debug("PAM: %s: failed to set PAM_AUTHTOK: %s", __func__,
-+ pam_strerror(sshpam_handle, set_item_rtn));
-+ return 0;
-+ }
++ if (set_item_rtn != PAM_SUCCESS) {
++ debug("PAM: %s: failed to set PAM_AUTHTOK: %s", __func__,
++ pam_strerror(sshpam_handle, set_item_rtn));
++ return 0;
++ }
+#endif
+
if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
--- a/components/openssh/patches/023-gsskex.patch Mon Sep 19 14:01:08 2016 -0700
+++ b/components/openssh/patches/023-gsskex.patch Tue Sep 20 03:54:40 2016 -0700
@@ -6,6 +6,17 @@
# Default value for GSSAPIKeyExchange changed to yes to match SunSSH behavior.
# New files kexgssc.c and kexgsss.c moved to ../sources/ and made cstyle clean.
#
+# Update Sep 5, 2016:
+# Upstream renamed and moved canohost.c`get_canonical_hostname to sshd-specific
+# auth.c`auth_get_canonical_hostname. In Solaris specific GSS-API key exchange
+# code we need this functionality on the client side too, for canonicalizing
+# server hostbased service principal. We have moved remote_hostname back to
+# canohost.c.
+#
+# TODO:
+# When we upgrade Kerberos in Solaris to future version 1.15, we will use
+# krb5_expand_hostname for hostname canonicalization instead.
+#
# Upstream rejected GSS-API key exchange several times before.
#
diff -pur old/Makefile.in new/Makefile.in
@@ -28,6 +39,109 @@
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
sftp-server.o sftp-common.o sftp_provider.o \
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
+diff -pur old/auth.c new/auth.c
+--- old/auth.c
++++ new/auth.c
+@@ -786,99 +786,6 @@ fakepw(void)
+ }
+
+ /*
+- * Returns the remote DNS hostname as a string. The returned string must not
+- * be freed. NB. this will usually trigger a DNS query the first time it is
+- * called.
+- * This function does additional checks on the hostname to mitigate some
+- * attacks on legacy rhosts-style authentication.
+- * XXX is RhostsRSAAuthentication vulnerable to these?
+- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
+- */
+-
+-static char *
+-remote_hostname(struct ssh *ssh)
+-{
+- struct sockaddr_storage from;
+- socklen_t fromlen;
+- struct addrinfo hints, *ai, *aitop;
+- char name[NI_MAXHOST], ntop2[NI_MAXHOST];
+- const char *ntop = ssh_remote_ipaddr(ssh);
+-
+- /* Get IP address of client. */
+- fromlen = sizeof(from);
+- memset(&from, 0, sizeof(from));
+- if (getpeername(ssh_packet_get_connection_in(ssh),
+- (struct sockaddr *)&from, &fromlen) < 0) {
+- debug("getpeername failed: %.100s", strerror(errno));
+- return strdup(ntop);
+- }
+-
+- ipv64_normalise_mapped(&from, &fromlen);
+- if (from.ss_family == AF_INET6)
+- fromlen = sizeof(struct sockaddr_in6);
+-
+- debug3("Trying to reverse map address %.100s.", ntop);
+- /* Map the IP address to a host name. */
+- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
+- NULL, 0, NI_NAMEREQD) != 0) {
+- /* Host name not found. Use ip address. */
+- return strdup(ntop);
+- }
+-
+- /*
+- * if reverse lookup result looks like a numeric hostname,
+- * someone is trying to trick us by PTR record like following:
+- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
+- */
+- memset(&hints, 0, sizeof(hints));
+- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
+- hints.ai_flags = AI_NUMERICHOST;
+- if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
+- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
+- name, ntop);
+- freeaddrinfo(ai);
+- return strdup(ntop);
+- }
+-
+- /* Names are stored in lowercase. */
+- lowercase(name);
+-
+- /*
+- * Map it back to an IP address and check that the given
+- * address actually is an address of this host. This is
+- * necessary because anyone with access to a name server can
+- * define arbitrary names for an IP address. Mapping from
+- * name to IP address can be trusted better (but can still be
+- * fooled if the intruder has access to the name server of
+- * the domain).
+- */
+- memset(&hints, 0, sizeof(hints));
+- hints.ai_family = from.ss_family;
+- hints.ai_socktype = SOCK_STREAM;
+- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
+- logit("reverse mapping checking getaddrinfo for %.700s "
+- "[%s] failed.", name, ntop);
+- return strdup(ntop);
+- }
+- /* Look for the address from the list of addresses. */
+- for (ai = aitop; ai; ai = ai->ai_next) {
+- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
+- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
+- (strcmp(ntop, ntop2) == 0))
+- break;
+- }
+- freeaddrinfo(aitop);
+- /* If we reached the end of the list, the address was not there. */
+- if (ai == NULL) {
+- /* Address not found for the host name. */
+- logit("Address %.100s maps to %.600s, but this does not "
+- "map back to the address.", ntop, name);
+- return strdup(ntop);
+- }
+- return strdup(name);
+-}
+-
+-/*
+ * Return the canonical name of the host in the other side of the current
+ * connection. The host name is cached, so it is efficient to call this
+ * several times.
diff -pur old/auth2-gss.c new/auth2-gss.c
--- old/auth2-gss.c
+++ new/auth2-gss.c
@@ -112,6 +226,120 @@
&method_gssapi,
#endif
&method_passwd,
+diff -pur old/canohost.c new/canohost.c
+--- old/canohost.c
++++ new/canohost.c
+@@ -202,3 +202,97 @@ get_local_port(int sock)
+ {
+ return get_sock_port(sock, 1);
+ }
++
++/*
++ * Returns the remote DNS hostname as a string. The returned string must not
++ * be freed. NB. this will usually trigger a DNS query the first time it is
++ * called.
++ * This function does additional checks on the hostname to mitigate some
++ * attacks on legacy rhosts-style authentication.
++ * XXX is RhostsRSAAuthentication vulnerable to these?
++ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
++ */
++
++/* Oracle Solaris - moved out of auth.c for use in GSSKEX in sshconnect2.c */
++char *
++remote_hostname(struct ssh *ssh)
++{
++ struct sockaddr_storage from;
++ socklen_t fromlen;
++ struct addrinfo hints, *ai, *aitop;
++ char name[NI_MAXHOST], ntop2[NI_MAXHOST];
++ const char *ntop = ssh_remote_ipaddr(ssh);
++
++ /* Get IP address of client. */
++ fromlen = sizeof(from);
++ memset(&from, 0, sizeof(from));
++ if (getpeername(ssh_packet_get_connection_in(ssh),
++ (struct sockaddr *)&from, &fromlen) < 0) {
++ debug("getpeername failed: %.100s", strerror(errno));
++ return strdup(ntop);
++ }
++
++ ipv64_normalise_mapped(&from, &fromlen);
++ if (from.ss_family == AF_INET6)
++ fromlen = sizeof(struct sockaddr_in6);
++
++ debug3("Trying to reverse map address %.100s.", ntop);
++ /* Map the IP address to a host name. */
++ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
++ NULL, 0, NI_NAMEREQD) != 0) {
++ /* Host name not found. Use ip address. */
++ return strdup(ntop);
++ }
++
++ /*
++ * if reverse lookup result looks like a numeric hostname,
++ * someone is trying to trick us by PTR record like following:
++ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
++ */
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
++ hints.ai_flags = AI_NUMERICHOST;
++ if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
++ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
++ name, ntop);
++ freeaddrinfo(ai);
++ return strdup(ntop);
++ }
++
++ /* Names are stored in lowercase. */
++ lowercase(name);
++
++ /*
++ * Map it back to an IP address and check that the given
++ * address actually is an address of this host. This is
++ * necessary because anyone with access to a name server can
++ * define arbitrary names for an IP address. Mapping from
++ * name to IP address can be trusted better (but can still be
++ * fooled if the intruder has access to the name server of
++ * the domain).
++ */
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = from.ss_family;
++ hints.ai_socktype = SOCK_STREAM;
++ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
++ logit("reverse mapping checking getaddrinfo for %.700s "
++ "[%s] failed.", name, ntop);
++ return strdup(ntop);
++ }
++ /* Look for the address from the list of addresses. */
++ for (ai = aitop; ai; ai = ai->ai_next) {
++ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
++ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
++ (strcmp(ntop, ntop2) == 0))
++ break;
++ }
++ freeaddrinfo(aitop);
++ /* If we reached the end of the list, the address was not there. */
++ if (ai == NULL) {
++ /* Address not found for the host name. */
++ logit("Address %.100s maps to %.600s, but this does not "
++ "map back to the address.", ntop, name);
++ return strdup(ntop);
++ }
++ return strdup(name);
++}
+diff -pur old/canohost.h new/canohost.h
+--- old/canohost.h
++++ new/canohost.h
+@@ -21,6 +21,9 @@ char *get_local_ipaddr(int);
+ char *get_local_name(int);
+ int get_local_port(int);
+
++#include "packet.h"
++char *remote_hostname(struct ssh *);
++
+ #endif /* _CANOHOST_H */
+
+ void ipv64_normalise_mapped(struct sockaddr_storage *, socklen_t *);
diff -pur old/gss-genr.c new/gss-genr.c
--- old/gss-genr.c
+++ new/gss-genr.c
@@ -420,7 +648,7 @@
diff -pur old/kex.c new/kex.c
--- old/kex.c
+++ new/kex.c
-@@ -54,6 +54,10 @@
+@@ -55,6 +55,10 @@
#include "sshbuf.h"
#include "digest.h"
@@ -431,7 +659,7 @@
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
# if defined(HAVE_EVP_SHA256)
# define evp_ssh_sha256 EVP_sha256
-@@ -107,6 +111,11 @@ static const struct kexalg kexalgs[] = {
+@@ -111,6 +115,11 @@ static const struct kexalg kexalgs[] = {
#if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
#endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
@@ -443,7 +671,7 @@
{ NULL, -1, -1, -1},
};
-@@ -138,7 +147,7 @@ kex_alg_by_name(const char *name)
+@@ -142,7 +151,7 @@ kex_alg_by_name(const char *name)
const struct kexalg *k;
for (k = kexalgs; k->name != NULL; k++) {
@@ -455,7 +683,7 @@
diff -pur old/kex.h new/kex.h
--- old/kex.h
+++ new/kex.h
-@@ -92,6 +92,9 @@ enum kex_exchange {
+@@ -98,6 +98,9 @@ enum kex_exchange {
KEX_DH_GEX_SHA256,
KEX_ECDH_SHA2,
KEX_C25519_SHA256,
@@ -465,7 +693,7 @@
KEX_MAX
};
-@@ -140,6 +143,10 @@ struct kex {
+@@ -146,6 +149,10 @@ struct kex {
u_int flags;
int hash_alg;
int ec_nid;
@@ -476,7 +704,7 @@
char *client_version_string;
char *server_version_string;
char *failed_choice;
-@@ -189,6 +196,10 @@ int kexecdh_client(struct ssh *);
+@@ -195,6 +202,10 @@ int kexecdh_client(struct ssh *);
int kexecdh_server(struct ssh *);
int kexc25519_client(struct ssh *);
int kexc25519_server(struct ssh *);
@@ -485,12 +713,12 @@
+int kexgss_server(struct ssh *);
+#endif
- int kex_dh_hash(const char *, const char *,
+ int kex_dh_hash(int, const char *, const char *,
const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
diff -pur old/monitor.c new/monitor.c
--- old/monitor.c
+++ new/monitor.c
-@@ -159,6 +159,7 @@ int mm_answer_gss_setup_ctx(int, Buffer
+@@ -161,6 +161,7 @@ int mm_answer_gss_setup_ctx(int, Buffer
int mm_answer_gss_accept_ctx(int, Buffer *);
int mm_answer_gss_userok(int, Buffer *);
int mm_answer_gss_checkmic(int, Buffer *);
@@ -498,7 +726,7 @@
#endif
#ifdef SSH_AUDIT_EVENTS
-@@ -243,11 +244,17 @@ struct mon_table mon_dispatch_proto20[]
+@@ -245,11 +246,17 @@ struct mon_table mon_dispatch_proto20[]
{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
@@ -516,7 +744,7 @@
#ifdef WITH_OPENSSL
{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
#endif
-@@ -362,6 +369,10 @@ monitor_child_preauth(Authctxt *_authctx
+@@ -364,6 +371,10 @@ monitor_child_preauth(Authctxt *_authctx
/* Permit requests for moduli and signatures */
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -527,7 +755,7 @@
} else {
mon_dispatch = mon_dispatch_proto15;
-@@ -501,6 +512,10 @@ monitor_child_postauth(struct monitor *p
+@@ -503,6 +514,10 @@ monitor_child_postauth(struct monitor *p
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -538,7 +766,7 @@
} else {
mon_dispatch = mon_dispatch_postauth15;
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
-@@ -1924,6 +1939,13 @@ monitor_apply_keystate(struct monitor *p
+@@ -1939,6 +1954,13 @@ monitor_apply_keystate(struct monitor *p
# endif
#endif /* WITH_OPENSSL */
kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -552,7 +780,7 @@
kex->load_host_public_key=&get_hostkey_public_by_type;
kex->load_host_private_key=&get_hostkey_private_by_type;
kex->host_key_index=&get_hostkey_index;
-@@ -2023,6 +2045,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
+@@ -2038,6 +2060,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
OM_uint32 major;
u_int len;
@@ -562,7 +790,7 @@
goid.elements = buffer_get_string(m, &len);
goid.length = len;
-@@ -2050,6 +2075,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
+@@ -2065,6 +2090,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
OM_uint32 flags = 0; /* GSI needs this */
u_int len;
@@ -572,7 +800,7 @@
in.value = buffer_get_string(m, &len);
in.length = len;
major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
-@@ -2067,6 +2095,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
+@@ -2082,6 +2110,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -580,7 +808,7 @@
}
return (0);
}
-@@ -2078,6 +2107,9 @@ mm_answer_gss_checkmic(int sock, Buffer
+@@ -2093,6 +2122,9 @@ mm_answer_gss_checkmic(int sock, Buffer
OM_uint32 ret;
u_int len;
@@ -590,7 +818,7 @@
gssbuf.value = buffer_get_string(m, &len);
gssbuf.length = len;
mic.value = buffer_get_string(m, &len);
-@@ -2104,6 +2136,9 @@ mm_answer_gss_userok(int sock, Buffer *m
+@@ -2119,6 +2151,9 @@ mm_answer_gss_userok(int sock, Buffer *m
{
int authenticated;
@@ -600,7 +828,7 @@
authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
buffer_clear(m);
-@@ -2117,5 +2152,47 @@ mm_answer_gss_userok(int sock, Buffer *m
+@@ -2132,5 +2167,47 @@ mm_answer_gss_userok(int sock, Buffer *m
/* Monitor loop will terminate if authenticated */
return (authenticated);
}
@@ -664,7 +892,7 @@
diff -pur old/monitor_wrap.c new/monitor_wrap.c
--- old/monitor_wrap.c
+++ new/monitor_wrap.c
-@@ -1103,5 +1103,28 @@ mm_ssh_gssapi_userok(char *user)
+@@ -1108,5 +1108,28 @@ mm_ssh_gssapi_userok(char *user)
debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
return (authenticated);
}
@@ -696,7 +924,7 @@
diff -pur old/monitor_wrap.h new/monitor_wrap.h
--- old/monitor_wrap.h
+++ new/monitor_wrap.h
-@@ -60,6 +60,7 @@ OM_uint32 mm_ssh_gssapi_accept_ctx(Gssct
+@@ -62,6 +62,7 @@ OM_uint32 mm_ssh_gssapi_accept_ctx(Gssct
gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
int mm_ssh_gssapi_userok(char *user);
OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
@@ -707,7 +935,7 @@
diff -pur old/readconf.c new/readconf.c
--- old/readconf.c
+++ new/readconf.c
-@@ -148,6 +148,7 @@ typedef enum {
+@@ -160,6 +160,7 @@ typedef enum {
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -715,7 +943,7 @@
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
-@@ -199,11 +200,15 @@ static struct {
+@@ -211,11 +212,15 @@ static struct {
{ "gssauthentication", oGssAuthentication }, /* alias */
{ "gssapidelegatecredentials", oGssDelegateCreds },
{ "gssdelegatecreds", oGssDelegateCreds }, /* alias */
@@ -731,7 +959,7 @@
#endif
{ "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated },
-@@ -965,6 +970,10 @@ parse_time:
+@@ -1002,6 +1007,10 @@ parse_time:
intptr = &options->gss_authentication;
goto parse_flag;
@@ -742,7 +970,7 @@
case oGssDelegateCreds:
intptr = &options->gss_deleg_creds;
goto parse_flag;
-@@ -1694,6 +1703,7 @@ initialize_options(Options * options)
+@@ -1824,6 +1833,7 @@ initialize_options(Options * options)
options->pubkey_authentication = -1;
options->challenge_response_authentication = -1;
options->gss_authentication = -1;
@@ -750,7 +978,7 @@
options->gss_deleg_creds = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
-@@ -1834,6 +1844,12 @@ fill_default_options(Options * options)
+@@ -1979,6 +1989,12 @@ fill_default_options(Options * options)
#else
options->gss_authentication = 0;
#endif
@@ -798,7 +1026,7 @@
if (options->gss_cleanup_creds == -1)
options->gss_cleanup_creds = 1;
if (options->gss_strict_acceptor == -1)
-@@ -449,6 +456,7 @@ typedef enum {
+@@ -457,6 +464,7 @@ typedef enum {
sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
sHostKeyAlgorithms,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
@@ -806,7 +1034,7 @@
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
-@@ -526,6 +534,8 @@ static struct {
+@@ -534,6 +542,8 @@ static struct {
#ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssauthentication", sGssAuthentication, SSHCFG_ALL }, /* alias */
@@ -815,7 +1043,7 @@
#ifdef USE_GSS_STORE_CRED
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
#else /* USE_GSS_STORE_CRED */
-@@ -535,6 +545,8 @@ static struct {
+@@ -543,6 +553,8 @@ static struct {
#else
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
{ "gssauthentication", sUnsupported, SSHCFG_ALL }, /* alias */
@@ -824,7 +1052,7 @@
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
#endif
-@@ -1319,6 +1331,10 @@ process_server_config_line(ServerOptions
+@@ -1328,6 +1340,10 @@ process_server_config_line(ServerOptions
intptr = &options->gss_authentication;
goto parse_flag;
@@ -835,7 +1063,7 @@
case sGssCleanupCreds:
intptr = &options->gss_cleanup_creds;
goto parse_flag;
-@@ -2373,6 +2389,7 @@ dump_config(ServerOptions *o)
+@@ -2416,6 +2432,7 @@ dump_config(ServerOptions *o)
#endif
#ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -923,7 +1151,7 @@
diff -pur old/sshconnect2.c new/sshconnect2.c
--- old/sshconnect2.c
+++ new/sshconnect2.c
-@@ -164,11 +164,35 @@ ssh_kex2(char *host, struct sockaddr *ho
+@@ -165,11 +165,35 @@ ssh_kex2(char *host, struct sockaddr *ho
char *s;
struct kex *kex;
int r;
@@ -945,7 +1173,7 @@
+ * client to the key exchange algorithm proposal */
+ orig = myproposal[PROPOSAL_KEX_ALGS];
+
-+ gss_host = (char *)get_canonical_hostname(1);
++ gss_host = (char *)remote_hostname(active_state);
+
+ gss = ssh_gssapi_client_mechanisms(gss_host);
+ if (gss) {
@@ -960,7 +1188,7 @@
fatal("%s: kex_names_cat", __func__);
myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s);
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
-@@ -199,6 +223,17 @@ ssh_kex2(char *host, struct sockaddr *ho
+@@ -196,6 +220,17 @@ ssh_kex2(char *host, struct sockaddr *ho
order_hostkeyalgs(host, hostaddr, port));
}
@@ -1021,7 +1249,7 @@
{"gssapi-with-mic",
userauth_gssapi,
NULL,
-@@ -678,7 +732,10 @@ userauth_gssapi(Authctxt *authctxt)
+@@ -672,7 +726,10 @@ userauth_gssapi(Authctxt *authctxt)
* once. */
if (gss_supported == NULL)
@@ -1033,7 +1261,7 @@
/* Check to see if the mechanism is usable before we offer it */
while (mech < gss_supported->count && !ok) {
-@@ -782,8 +839,8 @@ input_gssapi_response(int type, u_int32_
+@@ -776,8 +833,8 @@ input_gssapi_response(int type, u_int32_
{
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt;
@@ -1044,7 +1272,7 @@
if (authctxt == NULL)
fatal("input_gssapi_response: no authentication context");
-@@ -896,6 +953,48 @@ input_gssapi_error(int type, u_int32_t p
+@@ -890,6 +947,48 @@ input_gssapi_error(int type, u_int32_t p
free(lang);
return 0;
}
@@ -1096,7 +1324,7 @@
diff -pur old/sshd.c new/sshd.c
--- old/sshd.c
+++ new/sshd.c
-@@ -1833,10 +1833,13 @@ main(int ac, char **av)
+@@ -1892,10 +1892,13 @@ main(int ac, char **av)
logit("Disabling protocol version 1. Could not load host key");
options.protocol &= ~SSH_PROTO_1;
}
@@ -1110,7 +1338,7 @@
if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
logit("sshd: no hostkeys available -- exiting.");
exit(1);
-@@ -2596,6 +2599,48 @@ do_ssh2_kex(void)
+@@ -2656,6 +2659,48 @@ do_ssh2_kex(void)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
list_hostkey_types());
@@ -1159,7 +1387,7 @@
/* start key exchange */
if ((r = kex_setup(active_state, myproposal)) != 0)
fatal("kex_setup: %s", ssh_err(r));
-@@ -2610,6 +2655,13 @@ do_ssh2_kex(void)
+@@ -2673,6 +2718,13 @@ do_ssh2_kex(void)
# endif
#endif
kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -1176,7 +1404,7 @@
diff -pur old/sshd_config.5 new/sshd_config.5
--- old/sshd_config.5
+++ new/sshd_config.5
-@@ -623,6 +623,11 @@ The default is
+@@ -632,6 +632,11 @@ The default is
Specifies whether user authentication based on GSSAPI is allowed.
The default on Solaris is
.Dq yes .
--- a/components/openssh/patches/033-without_cast128.patch Mon Sep 19 14:01:08 2016 -0700
+++ b/components/openssh/patches/033-without_cast128.patch Tue Sep 20 03:54:40 2016 -0700
@@ -12,26 +12,16 @@
# relevant ssh implementations also provide several more common encryption
# algorithms (aes256-ctr, aes128-cbc, ...) on top of cast128-cbc.
#
+# Update Aug 29, 2016:
+# This used to be implemented by Solaris specific macro WITHOUT_CAST,
+# but now upstream OPENSSL_NO_CAST is used instead. This patch now just
+# removes cast references from manpages.
+#
# This is a Solaris specific patch and it is not likely to be accepted upstream.
#
-diff -pur old/cipher.c new/cipher.c
---- old/cipher.c
-+++ new/cipher.c
-@@ -88,8 +88,10 @@ static const struct sshcipher ciphers[]
- { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
- { "blowfish-cbc",
- SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc },
-+#ifndef WITHOUT_CAST128
- { "cast128-cbc",
- SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_cast5_cbc },
-+#endif
- { "arcfour", SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 0, EVP_rc4 },
- { "arcfour128", SSH_CIPHER_SSH2, 8, 16, 0, 0, 1536, 0, EVP_rc4 },
- { "arcfour256", SSH_CIPHER_SSH2, 8, 32, 0, 0, 1536, 0, EVP_rc4 },
-diff -pur old/ssh_config.5 new/ssh_config.5
---- old/ssh_config.5
-+++ new/ssh_config.5
-@@ -478,8 +478,6 @@ arcfour256
+--- orig/ssh_config.5 Mon Aug 15 17:22:20 2016
++++ new/ssh_config.5 Mon Aug 15 17:25:28 2016
+@@ -478,8 +478,6 @@
.It
blowfish-cbc
.It
@@ -40,10 +30,20 @@
[email protected]
.El
.Pp
-diff -pur old/sshd.8 new/sshd.8
---- old/sshd.8
-+++ new/sshd.8
-@@ -307,7 +307,7 @@ For protocol 2,
+--- orig/sshd_config.5 Mon Aug 15 17:22:29 2016
++++ new/sshd_config.5 Mon Aug 15 17:25:58 2016
+@@ -479,8 +479,6 @@
+ .It
+ blowfish-cbc
+ .It
+-cast128-cbc
+-.It
+ [email protected]
+ .El
+ .Pp
+--- orig/sshd.8 Mon Aug 15 17:22:36 2016
++++ new/sshd.8 Mon Aug 15 17:26:48 2016
+@@ -307,7 +307,7 @@
forward security is provided through a Diffie-Hellman key agreement.
This key agreement results in a shared session key.
The rest of the session is encrypted using a symmetric cipher, currently
@@ -52,15 +52,3 @@
The client selects the encryption algorithm
to use from those offered by the server.
Additionally, session integrity is provided
-diff -pur old/sshd_config.5 new/sshd_config.5
---- old/sshd_config.5
-+++ new/sshd_config.5
-@@ -472,8 +472,6 @@ arcfour256
- .It
- blowfish-cbc
- .It
--cast128-cbc
--.It
- [email protected]
- .El
- .Pp
--- a/components/openssh/patches/034-getaddrinfo_with_ai_addrconfig.patch Mon Sep 19 14:01:08 2016 -0700
+++ b/components/openssh/patches/034-getaddrinfo_with_ai_addrconfig.patch Tue Sep 20 03:54:40 2016 -0700
@@ -8,9 +8,10 @@
# In the future, if this fix is accepted by the upsteam in a later release, we
# will remove this patch when we upgrade to that release.
#
---- a/canohost.c Sun Oct 25 20:11:35 2015
-+++ b/canohost.c Sun Oct 25 20:11:57 2015
-@@ -113,6 +113,10 @@
+diff -pur old/canohost.c new/canohost.c
+--- old/canohost.c
++++ new/canohost.c
+@@ -274,6 +274,10 @@ remote_hostname(struct ssh *ssh)
memset(&hints, 0, sizeof(hints));
hints.ai_family = from.ss_family;
hints.ai_socktype = SOCK_STREAM;
@@ -20,10 +21,11 @@
+#endif /* AI_ADDRCONFIG */
if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
logit("reverse mapping checking getaddrinfo for %.700s "
- "[%s] failed - POSSIBLE BREAK-IN ATTEMPT!", name, ntop);
---- a/channels.c Sun Oct 25 19:30:33 2015
-+++ b/channels.c Sun Oct 25 19:54:36 2015
-@@ -2853,8 +2853,12 @@
+ "[%s] failed.", name, ntop);
+diff -pur old/channels.c new/channels.c
+--- old/channels.c
++++ new/channels.c
+@@ -2856,8 +2856,12 @@ channel_setup_fwd_listener_tcpip(int typ
*/
memset(&hints, 0, sizeof(hints));
hints.ai_family = IPv4or6;
@@ -37,7 +39,7 @@
snprintf(strport, sizeof strport, "%d", fwd->listen_port);
if ((r = getaddrinfo(addr, strport, &hints, &aitop)) != 0) {
if (addr == NULL) {
-@@ -3736,6 +3740,10 @@
+@@ -3740,6 +3744,10 @@ connect_to(const char *name, int port, c
memset(&hints, 0, sizeof(hints));
hints.ai_family = IPv4or6;
hints.ai_socktype = SOCK_STREAM;
@@ -48,7 +50,7 @@
snprintf(strport, sizeof strport, "%d", port);
if ((gaierr = getaddrinfo(name, strport, &hints, &cctx.aitop)) != 0) {
error("connect_to %.100s: unknown host (%s)", name,
-@@ -3908,8 +3916,12 @@
+@@ -3912,8 +3920,12 @@ x11_create_display_inet(int x11_display_
port = 6000 + display_number;
memset(&hints, 0, sizeof(hints));
hints.ai_family = IPv4or6;
@@ -62,7 +64,7 @@
snprintf(strport, sizeof strport, "%d", port);
if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) {
error("getaddrinfo: %.100s", ssh_gai_strerror(gaierr));
-@@ -4090,6 +4102,10 @@
+@@ -4094,6 +4106,10 @@ x11_connect_display(void)
memset(&hints, 0, sizeof(hints));
hints.ai_family = IPv4or6;
hints.ai_socktype = SOCK_STREAM;
@@ -73,72 +75,10 @@
snprintf(strport, sizeof strport, "%u", 6000 + display_number);
if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
error("%.100s: unknown host. (%s)", buf,
---- a/servconf.c Sun Oct 25 19:39:38 2015
-+++ b/servconf.c Sun Oct 25 19:45:16 2015
-@@ -722,6 +722,10 @@
- hints.ai_family = options->address_family;
- hints.ai_socktype = SOCK_STREAM;
- hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
-+#ifdef AI_ADDRCONFIG
-+ if (hints.ai_family == AF_UNSPEC)
-+ hints.ai_flags |= AI_ADDRCONFIG;
-+#endif /* AI_ADDRCONFIG */
- snprintf(strport, sizeof strport, "%d", port);
- if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
- fatal("bad addr or host: %s (%s)",
---- a/ssh-keyscan.c Sun Oct 25 19:46:28 2015
-+++ b/ssh-keyscan.c Sun Oct 25 19:54:55 2015
-@@ -326,6 +326,10 @@
- memset(&hints, 0, sizeof(hints));
- hints.ai_family = IPv4or6;
- hints.ai_socktype = SOCK_STREAM;
-+#ifdef AI_ADDRCONFIG
-+ if (hints.ai_family == AF_UNSPEC)
-+ hints.ai_flags = AI_ADDRCONFIG;
-+#endif /* AI_ADDRCONFIG */
- if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) {
- error("getaddrinfo %s: %s", host, ssh_gai_strerror(gaierr));
- return -1;
---- a/ssh.c Sun Oct 25 19:49:46 2015
-+++ b/ssh.c Sun Oct 25 19:55:15 2015
-@@ -259,6 +259,10 @@
- hints.ai_socktype = SOCK_STREAM;
- if (cname != NULL)
- hints.ai_flags = AI_CANONNAME;
-+#ifdef AI_ADDRCONFIG
-+ if (hints.ai_family == AF_UNSPEC)
-+ hints.ai_flags |= AI_ADDRCONFIG;
-+#endif /* AI_ADDRCONFIG */
- if ((gaierr = getaddrinfo(name, strport, &hints, &res)) != 0) {
- if (logerr || (gaierr != EAI_NONAME && gaierr != EAI_NODATA))
- loglevel = SYSLOG_LEVEL_ERROR;
-@@ -298,6 +302,10 @@
- AF_UNSPEC : options.address_family;
- hints.ai_socktype = SOCK_STREAM;
- hints.ai_flags = AI_NUMERICHOST|AI_NUMERICSERV;
-+#ifdef AI_ADDRCONFIG
-+ if (hints.ai_family == AF_UNSPEC)
-+ hints.ai_flags |= AI_ADDRCONFIG;
-+#endif /* AI_ADDRCONFIG */
- if ((gaierr = getaddrinfo(name, strport, &hints, &res)) != 0) {
- debug2("%s: could not resolve name %.100s as address: %s",
- __func__, name, ssh_gai_strerror(gaierr));
---- a/sshconnect.c Sun Oct 25 19:57:46 2015
-+++ b/sshconnect.c Sun Oct 25 19:58:19 2015
-@@ -292,6 +292,10 @@
- hints.ai_socktype = ai->ai_socktype;
- hints.ai_protocol = ai->ai_protocol;
- hints.ai_flags = AI_PASSIVE;
-+#ifdef AI_ADDRCONFIG
-+ if (hints.ai_family == AF_UNSPEC)
-+ hints.ai_flags |= AI_ADDRCONFIG;
-+#endif /* AI_ADDRCONFIG */
- gaierr = getaddrinfo(options.bind_address, NULL, &hints, &res);
- if (gaierr) {
- error("getaddrinfo: %s: %s", options.bind_address,
---- a/regress/netcat.c Sun Oct 25 19:59:44 2015
-+++ b/regress/netcat.c Sun Oct 25 20:07:05 2015
-@@ -371,6 +371,10 @@
+diff -pur old/regress/netcat.c new/regress/netcat.c
+--- old/regress/netcat.c
++++ new/regress/netcat.c
+@@ -334,6 +334,10 @@ main(int argc, char *argv[])
hints.ai_protocol = uflag ? IPPROTO_UDP : IPPROTO_TCP;
if (nflag)
hints.ai_flags |= AI_NUMERICHOST;
@@ -149,7 +89,7 @@
}
if (xflag) {
-@@ -399,6 +403,10 @@
+@@ -362,6 +366,10 @@ main(int argc, char *argv[])
proxyhints.ai_protocol = IPPROTO_TCP;
if (nflag)
proxyhints.ai_flags |= AI_NUMERICHOST;
@@ -160,7 +100,7 @@
}
if (lflag) {
-@@ -673,6 +681,10 @@
+@@ -636,6 +644,10 @@ remote_connect(const char *host, const c
ahints.ai_socktype = uflag ? SOCK_DGRAM : SOCK_STREAM;
ahints.ai_protocol = uflag ? IPPROTO_UDP : IPPROTO_TCP;
ahints.ai_flags = AI_PASSIVE;
@@ -171,7 +111,7 @@
if ((error = getaddrinfo(sflag, pflag, &ahints, &ares)))
errx(1, "getaddrinfo: %s", gai_strerror(error));
-@@ -1422,8 +1434,12 @@
+@@ -1385,8 +1397,12 @@ decode_addrport(const char *h, const cha
bzero(&hints, sizeof(hints));
hints.ai_family = v4only ? PF_INET : PF_UNSPEC;
@@ -185,3 +125,70 @@
r = getaddrinfo(h, p, &hints, &res);
/* Don't fatal when attempting to convert a numeric address */
if (r != 0) {
+diff -pur old/servconf.c new/servconf.c
+--- old/servconf.c
++++ new/servconf.c
+@@ -735,6 +735,10 @@ add_one_listen_addr(ServerOptions *optio
+ hints.ai_family = options->address_family;
+ hints.ai_socktype = SOCK_STREAM;
+ hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
++#ifdef AI_ADDRCONFIG
++ if (hints.ai_family == AF_UNSPEC)
++ hints.ai_flags |= AI_ADDRCONFIG;
++#endif /* AI_ADDRCONFIG */
+ snprintf(strport, sizeof strport, "%d", port);
+ if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
+ fatal("bad addr or host: %s (%s)",
+diff -pur old/ssh-keyscan.c new/ssh-keyscan.c
+--- old/ssh-keyscan.c
++++ new/ssh-keyscan.c
+@@ -365,6 +365,10 @@ tcpconnect(char *host)
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = IPv4or6;
+ hints.ai_socktype = SOCK_STREAM;
++#ifdef AI_ADDRCONFIG
++ if (hints.ai_family == AF_UNSPEC)
++ hints.ai_flags = AI_ADDRCONFIG;
++#endif /* AI_ADDRCONFIG */
+ if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) {
+ error("getaddrinfo %s: %s", host, ssh_gai_strerror(gaierr));
+ return -1;
+diff -pur old/ssh.c new/ssh.c
+--- old/ssh.c
++++ new/ssh.c
+@@ -254,6 +254,10 @@ resolve_host(const char *name, int port,
+ hints.ai_socktype = SOCK_STREAM;
+ if (cname != NULL)
+ hints.ai_flags = AI_CANONNAME;
++#ifdef AI_ADDRCONFIG
++ if (hints.ai_family == AF_UNSPEC)
++ hints.ai_flags |= AI_ADDRCONFIG;
++#endif /* AI_ADDRCONFIG */
+ if ((gaierr = getaddrinfo(name, strport, &hints, &res)) != 0) {
+ if (logerr || (gaierr != EAI_NONAME && gaierr != EAI_NODATA))
+ loglevel = SYSLOG_LEVEL_ERROR;
+@@ -293,6 +297,10 @@ resolve_addr(const char *name, int port,
+ AF_UNSPEC : options.address_family;
+ hints.ai_socktype = SOCK_STREAM;
+ hints.ai_flags = AI_NUMERICHOST|AI_NUMERICSERV;
++#ifdef AI_ADDRCONFIG
++ if (hints.ai_family == AF_UNSPEC)
++ hints.ai_flags |= AI_ADDRCONFIG;
++#endif /* AI_ADDRCONFIG */
+ if ((gaierr = getaddrinfo(name, strport, &hints, &res)) != 0) {
+ debug2("%s: could not resolve name %.100s as address: %s",
+ __func__, name, ssh_gai_strerror(gaierr));
+diff -pur old/sshconnect.c new/sshconnect.c
+--- old/sshconnect.c
++++ new/sshconnect.c
+@@ -293,6 +293,10 @@ ssh_create_socket(int privileged, struct
+ hints.ai_socktype = ai->ai_socktype;
+ hints.ai_protocol = ai->ai_protocol;
+ hints.ai_flags = AI_PASSIVE;
++#ifdef AI_ADDRCONFIG
++ if (hints.ai_family == AF_UNSPEC)
++ hints.ai_flags |= AI_ADDRCONFIG;
++#endif /* AI_ADDRCONFIG */
+ gaierr = getaddrinfo(options.bind_address, NULL, &hints, &res);
+ if (gaierr) {
+ error("getaddrinfo: %s: %s", options.bind_address,
--- a/components/openssh/patches/035-fips.patch Mon Sep 19 14:01:08 2016 -0700
+++ b/components/openssh/patches/035-fips.patch Tue Sep 20 03:54:40 2016 -0700
@@ -45,7 +45,15 @@
diff -pur old/digest-openssl.c new/digest-openssl.c
--- old/digest-openssl.c
+++ new/digest-openssl.c
-@@ -53,8 +53,22 @@ struct ssh_digest {
+@@ -31,6 +31,7 @@
+ #include "sshbuf.h"
+ #include "digest.h"
+ #include "ssherr.h"
++#include "misc.h"
+
+ #ifndef HAVE_EVP_RIPEMD160
+ # define EVP_ripemd160 NULL
+@@ -53,8 +54,22 @@ struct ssh_digest {
const EVP_MD *(*mdfunc)(void);
};
@@ -68,7 +76,7 @@
{ SSH_DIGEST_MD5, "MD5", 16, EVP_md5 },
{ SSH_DIGEST_RIPEMD160, "RIPEMD160", 20, EVP_ripemd160 },
{ SSH_DIGEST_SHA1, "SHA1", 20, EVP_sha1 },
-@@ -67,6 +81,9 @@ const struct ssh_digest digests[] = {
+@@ -67,6 +82,9 @@ const struct ssh_digest digests[] = {
static const struct ssh_digest *
ssh_digest_by_alg(int alg)
{
@@ -78,7 +86,7 @@
if (alg < 0 || alg >= SSH_DIGEST_MAX)
return NULL;
if (digests[alg].id != alg) /* sanity */
-@@ -79,6 +96,9 @@ ssh_digest_by_alg(int alg)
+@@ -79,6 +97,9 @@ ssh_digest_by_alg(int alg)
int
ssh_digest_alg_by_name(const char *name)
{
@@ -91,7 +99,15 @@
diff -pur old/gss-genr.c new/gss-genr.c
--- old/gss-genr.c
+++ new/gss-genr.c
-@@ -100,6 +100,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
+@@ -44,6 +44,7 @@
+ #include "cipher.h"
+ #include "key.h"
+ #include "kex.h"
++#include "misc.h"
+ #include <openssl/evp.h>
+
+ #include "ssh-gss.h"
+@@ -100,6 +101,7 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
char deroid[2];
const EVP_MD *evp_md = EVP_md5();
EVP_MD_CTX md;
@@ -99,7 +115,7 @@
if (gss_enc2oid != NULL) {
for (i = 0; gss_enc2oid[i].encoded != NULL; i++)
-@@ -112,6 +113,14 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
+@@ -112,6 +114,14 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
buffer_init(&buf);
@@ -114,7 +130,7 @@
oidpos = 0;
for (i = 0; i < gss_supported->count; i++) {
if (gss_supported->elements[i].length < 128 &&
-@@ -119,7 +128,6 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
+@@ -119,7 +129,6 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
deroid[0] = SSH_GSS_OIDTYPE;
deroid[1] = gss_supported->elements[i].length;
@@ -122,7 +138,7 @@
EVP_DigestInit(&md, evp_md);
EVP_DigestUpdate(&md, deroid, 2);
EVP_DigestUpdate(&md,
-@@ -151,6 +159,12 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
+@@ -151,6 +160,12 @@ ssh_gssapi_kex_mechs(gss_OID_set gss_sup
oidpos++;
}
}
@@ -138,7 +154,7 @@
diff -pur old/kex.c new/kex.c
--- old/kex.c
+++ new/kex.c
-@@ -89,7 +89,40 @@ struct kexalg {
+@@ -90,7 +90,43 @@ struct kexalg {
int ec_nid;
int hash_alg;
};
@@ -149,7 +165,10 @@
+static const struct kexalg kexalgs_fips[] = {
+#ifdef WITH_OPENSSL
+ { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
-+ { KEX_DH14, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
++ { KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
++ { KEX_DH14_SHA256, KEX_DH_GRP14_SHA256, 0, SSH_DIGEST_SHA256 },
++ { KEX_DH16_SHA512, KEX_DH_GRP16_SHA512, 0, SSH_DIGEST_SHA512 },
++ { KEX_DH18_SHA512, KEX_DH_GRP18_SHA512, 0, SSH_DIGEST_SHA512 },
+ { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
+#ifdef HAVE_EVP_SHA256
+ { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
@@ -178,7 +197,7 @@
+#endif
#ifdef WITH_OPENSSL
{ KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
- { KEX_DH14, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
+ { KEX_DH14_SHA1, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
diff -pur old/mac.c new/mac.c
--- old/mac.c
+++ new/mac.c
@@ -219,7 +238,7 @@
diff -pur old/misc.c new/misc.c
--- old/misc.c
+++ new/misc.c
-@@ -39,12 +39,15 @@
+@@ -39,12 +39,16 @@
#include <string.h>
#include <time.h>
#include <unistd.h>
@@ -231,11 +250,12 @@
#include <netinet/tcp.h>
+#include <openssl/crypto.h>
++#include <openssl/err.h>
+
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
-@@ -78,6 +81,60 @@ chop(char *s)
+@@ -78,6 +82,60 @@ chop(char *s)
}
@@ -299,7 +319,7 @@
diff -pur old/misc.h new/misc.h
--- old/misc.h
+++ new/misc.h
-@@ -38,6 +38,11 @@ struct ForwardOptions {
+@@ -40,6 +40,11 @@ struct ForwardOptions {
char *chop(char *);
char *strdelim(char **);
@@ -314,7 +334,7 @@
diff -pur old/myproposal.h new/myproposal.h
--- old/myproposal.h
+++ new/myproposal.h
-@@ -83,19 +83,31 @@
+@@ -88,21 +88,33 @@
# else
# define KEX_CURVE25519_METHODS ""
# endif
@@ -323,21 +343,23 @@
+#define KEX_COMMON_KEX_DFLT \
KEX_CURVE25519_METHODS \
KEX_ECDH_METHODS \
- KEX_SHA256_METHODS
+ KEX_SHA2_METHODS
-#define KEX_SERVER_KEX KEX_COMMON_KEX \
+#define KEX_SERVER_KEX_DFLT KEX_COMMON_KEX_DFLT \
+ KEX_SHA2_GROUP14 \
"diffie-hellman-group14-sha1" \
-#define KEX_CLIENT_KEX KEX_COMMON_KEX \
+#define KEX_CLIENT_KEX_DFLT KEX_COMMON_KEX_DFLT \
"diffie-hellman-group-exchange-sha1," \
+ KEX_SHA2_GROUP14 \
"diffie-hellman-group14-sha1"
-#define KEX_DEFAULT_PK_ALG \
+#define KEX_COMMON_KEX_FIPS \
+ KEX_ECDH_METHODS \
-+ KEX_SHA256_METHODS
++ KEX_SHA2_METHODS
+
+#define KEX_SERVER_KEX_FIPS KEX_COMMON_KEX_FIPS \
+ "diffie-hellman-group14-sha1" \
@@ -350,7 +372,7 @@
HOSTKEY_ECDSA_CERT_METHODS \
"[email protected]," \
"[email protected]," \
-@@ -105,17 +117,32 @@
+@@ -112,17 +124,32 @@
"rsa-sha2-256," \
"ssh-rsa"
@@ -386,7 +408,7 @@
"[email protected]," \
"[email protected]," \
"[email protected]," \
-@@ -127,7 +154,42 @@
+@@ -134,7 +161,42 @@
"hmac-sha2-512," \
"hmac-sha1"
@@ -473,7 +495,7 @@
diff -pur old/ssh-agent.c new/ssh-agent.c
--- old/ssh-agent.c
+++ new/ssh-agent.c
-@@ -1199,6 +1199,7 @@ main(int ac, char **av)
+@@ -1196,6 +1196,7 @@ main(int ac, char **av)
struct timeval *tvp = NULL;
size_t len;
mode_t prev_mask;
@@ -481,9 +503,9 @@
ssh_malloc_init(); /* must be called before any mallocs */
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
-@@ -1213,6 +1214,9 @@ main(int ac, char **av)
- prctl(PR_SET_DUMPABLE, 0);
- #endif
+@@ -1207,6 +1208,9 @@ main(int ac, char **av)
+
+ platform_disable_tracing(0); /* strict=no */
+#ifdef ENABLE_OPENSSL_FIPS
+ fips_err = ssh_FIPS_mode_set_if_capable();
@@ -491,7 +513,7 @@
#ifdef WITH_OPENSSL
OpenSSL_add_all_algorithms();
#endif
-@@ -1343,8 +1347,19 @@ main(int ac, char **av)
+@@ -1337,8 +1341,19 @@ main(int ac, char **av)
printf(format, SSH_AUTHSOCKET_ENV_NAME, socket_name,
SSH_AUTHSOCKET_ENV_NAME);
printf("echo Agent pid %ld;\n", (long)parent_pid);
@@ -514,7 +536,7 @@
diff -pur old/ssh-keygen.1 new/ssh-keygen.1
--- old/ssh-keygen.1
+++ new/ssh-keygen.1
-@@ -283,6 +283,8 @@ and
+@@ -284,6 +284,8 @@ and
.Dq sha256 .
The default is
.Dq sha256 .
@@ -526,7 +548,7 @@
diff -pur old/ssh-keygen.c new/ssh-keygen.c
--- old/ssh-keygen.c
+++ new/ssh-keygen.c
-@@ -2267,11 +2267,18 @@ main(int argc, char **argv)
+@@ -2273,11 +2273,18 @@ main(int argc, char **argv)
__progname = ssh_get_progname(argv[0]);
@@ -576,7 +598,7 @@
diff -pur old/ssh.1 new/ssh.1
--- old/ssh.1
+++ new/ssh.1
-@@ -91,6 +91,9 @@ If
+@@ -92,6 +92,9 @@ If
is specified,
it is executed on the remote host instead of a login shell.
.Pp
@@ -589,7 +611,7 @@
diff -pur old/ssh.c new/ssh.c
--- old/ssh.c
+++ new/ssh.c
-@@ -606,6 +606,11 @@ main(int ac, char **av)
+@@ -609,6 +609,11 @@ main(int ac, char **av)
*/
initialize_options(&options);
@@ -601,7 +623,7 @@
/* Parse command-line arguments. */
host = NULL;
use_syslog = 0;
-@@ -1016,6 +1021,10 @@ main(int ac, char **av)
+@@ -1028,6 +1033,10 @@ main(int ac, char **av)
#endif
);
@@ -615,7 +637,7 @@
diff -pur old/ssh_api.c new/ssh_api.c
--- old/ssh_api.c
+++ new/ssh_api.c
-@@ -81,6 +81,10 @@ ssh_init(struct ssh **sshp, int is_serve
+@@ -79,6 +79,10 @@ ssh_init(struct ssh **sshp, int is_serve
int r;
if (!called) {
@@ -652,7 +674,7 @@
.It Cm ForwardAgent
Specifies whether the connection to the authentication agent (if any)
will be forwarded to the remote machine.
-@@ -1200,6 +1209,16 @@ [email protected],[email protected]
+@@ -1249,6 +1258,16 @@ [email protected],[email protected]
hmac-sha2-256,hmac-sha2-512,hmac-sha1
.Ed
.Pp
@@ -703,7 +725,7 @@
diff -pur old/sshd.c new/sshd.c
--- old/sshd.c
+++ new/sshd.c
-@@ -430,10 +430,18 @@ sshd_exchange_identification(int sock_in
+@@ -431,10 +431,18 @@ sshd_exchange_identification(struct ssh
minor = PROTOCOL_MINOR_1;
}
@@ -722,7 +744,7 @@
/* Send our protocol version identification. */
if (atomicio(vwrite, sock_out, server_version_string,
-@@ -1503,6 +1511,10 @@ main(int ac, char **av)
+@@ -1562,6 +1570,10 @@ main(int ac, char **av)
/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
sanitise_stdfd();
@@ -733,7 +755,7 @@
/* Initialize configuration options to their default values. */
initialize_server_options(&options);
-@@ -1653,6 +1665,10 @@ main(int ac, char **av)
+@@ -1712,6 +1724,10 @@ main(int ac, char **av)
SYSLOG_FACILITY_AUTH : options.log_facility,
log_stderr || !inetd_flag);
@@ -747,7 +769,7 @@
diff -pur old/sshd_config.5 new/sshd_config.5
--- old/sshd_config.5
+++ new/sshd_config.5
-@@ -482,6 +482,13 @@ aes128-ctr,aes192-ctr,aes256-ctr,
+@@ -489,6 +489,13 @@ aes128-ctr,aes192-ctr,aes256-ctr,
[email protected],[email protected]
.Ed
.Pp
@@ -761,7 +783,7 @@
The list of available ciphers may also be obtained using the
.Fl Q
option of
-@@ -576,6 +583,8 @@ and
+@@ -585,6 +592,8 @@ and
.Dq sha256 .
The default is
.Dq sha256 .
@@ -770,7 +792,7 @@
.It Cm ForceCommand
Forces the execution of the command specified by
.Cm ForceCommand ,
-@@ -1025,6 +1034,16 @@ [email protected],[email protected]
+@@ -1034,6 +1043,16 @@ [email protected],[email protected]
hmac-sha2-256,hmac-sha2-512,hmac-sha1
.Ed
.Pp
--- a/components/openssh/patches/036-fipsrandom.patch Mon Sep 19 14:01:08 2016 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,119 +0,0 @@
-#
-# Replace arc4random* calls with FIPS compliant implementation in FIPS mode.
-#
-# Once libc:arc4random* are FIPS compliant (20816957), this patch will be
-# dropped.
-#
-# This is a temporary patch and is not intented for upstream contribution.
-#
-diff -pur old/misc.c new/misc.c
---- old/misc.c
-+++ new/misc.c
-@@ -1164,3 +1164,87 @@ sock_set_v6only(int s)
- error("setsockopt IPV6_V6ONLY: %s", strerror(errno));
- #endif
- }
-+
-+#ifdef ENABLE_OPENSSL_FIPS
-+/* cancel arc4random* -> fips_arc4random* defines from misc.h */
-+#undef arc4random
-+#undef arc4random_buf
-+#undef arc4random_stir
-+#undef arc4random_uniform
-+
-+/* FIPS compliant alternative for arc4random */
-+static uint32_t
-+fips_arc4random_impl()
-+{
-+ unsigned int r = 0;
-+
-+ if (RAND_bytes((unsigned char *)&r, sizeof (r)) <= 0) {
-+ fatal("RAND_bytes() failed. Aborting the process");
-+ }
-+
-+ return (r);
-+}
-+
-+uint32_t
-+fips_arc4random()
-+{
-+ if (!ssh_FIPS_mode())
-+ return arc4random();
-+ else
-+ return fips_arc4random_impl();
-+}
-+
-+/* implementation taken from openbsd-compat/arc4random.c */
-+void
-+fips_arc4random_buf(void *_buf, size_t n)
-+{
-+ size_t i;
-+ uint32_t r = 0;
-+ char *buf = (char *)_buf;
-+
-+ if (!ssh_FIPS_mode())
-+ return arc4random_buf(_buf, n);
-+
-+ for (i = 0; i < n; i++) {
-+ if (i % 4 == 0)
-+ r = fips_arc4random_impl();
-+ buf[i] = r & 0xff;
-+ r >>= 8;
-+ }
-+ explicit_bzero(&r, sizeof(r));
-+}
-+
-+void
-+fips_arc4random_stir(void)
-+{
-+ if (!ssh_FIPS_mode())
-+ return arc4random_stir();
-+}
-+
-+/* implementation taken from openbsd-compat/arc4random.c */
-+uint32_t
-+fips_arc4random_uniform(uint32_t upper_bound)
-+{
-+ uint32_t r, min;
-+
-+ if (upper_bound < 2)
-+ return 0;
-+
-+ /* 2**32 % x == (2**32 - x) % x */
-+ min = -upper_bound % upper_bound;
-+
-+ /*
-+ * This could theoretically loop forever but each retry has
-+ * p > 0.5 (worst case, usually far better) of selecting a
-+ * number inside the range we need, so it should rarely need
-+ * to re-roll.
-+ */
-+ for (;;) {
-+ r = fips_arc4random_impl();
-+ if (r >= min)
-+ break;
-+ }
-+
-+ return r % upper_bound;
-+}
-+#endif /* ENABLE_OPENSSL_FIPS */
-diff -pur old/misc.h new/misc.h
---- old/misc.h
-+++ new/misc.h
-@@ -140,4 +140,16 @@ char *read_passphrase(const char *, int)
- int ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
- int read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
-
-+#ifdef ENABLE_OPENSSL_FIPS
-+/* arc4random* FIPS alternatives */
-+uint32_t fips_arc4random(void);
-+void fips_arc4random_buf(void *, size_t);
-+void fips_arc4random_stir(void);
-+uint32_t fips_arc4random_uniform(uint32_t upper_bound);
-+#define arc4random fips_arc4random
-+#define arc4random_buf fips_arc4random_buf
-+#define arc4random_stir fips_arc4random_stir
-+#define arc4random_uniform fips_arc4random_uniform
-+#endif /* ENABLE_OPENSSL_FIPS */
-+
- #endif /* _MISC_H */
--- a/components/openssh/patches/040-default_config_files.patch Mon Sep 19 14:01:08 2016 -0700
+++ b/components/openssh/patches/040-default_config_files.patch Tue Sep 20 03:54:40 2016 -0700
@@ -30,9 +30,9 @@
diff -pur old/sshd_config new/sshd_config
--- old/sshd_config
+++ new/sshd_config
-@@ -1,133 +1,96 @@
--# $OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $
-+# $OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $
+@@ -1,132 +1,96 @@
+-# $OpenBSD: sshd_config,v 1.99 2016/07/11 03:19:44 tedu Exp $
++# $OpenBSD: sshd_config,v 1.99 2016/07/11 03:19:44 tedu Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
@@ -79,7 +79,6 @@
-#RekeyLimit default none
-
-# Logging
--# obsoletes QuietMode and FascistLogging
-#SyslogFacility AUTH
-#LogLevel INFO
+# X11 tunneling options
--- a/components/openssh/patches/041-pam_ctx_preserve.patch Mon Sep 19 14:01:08 2016 -0700
+++ b/components/openssh/patches/041-pam_ctx_preserve.patch Tue Sep 20 03:54:40 2016 -0700
@@ -22,11 +22,10 @@
# Reported upstream:
# https://bugzilla.mindrot.org/show_bug.cgi?id=2548
#
-
diff -pur old/auth-pam.c new/auth-pam.c
--- old/auth-pam.c
+++ new/auth-pam.c
-@@ -97,6 +97,7 @@
+@@ -98,6 +98,7 @@
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
@@ -34,7 +33,7 @@
extern ServerOptions options;
extern Buffer loginmsg;
-@@ -109,38 +110,26 @@ extern u_int utmp_len;
+@@ -110,38 +111,26 @@ extern u_int utmp_len;
#endif
/*
@@ -83,7 +82,7 @@
static mysig_t sshpam_oldsig;
static void
-@@ -149,78 +138,22 @@ sshpam_sigchld_handler(int sig)
+@@ -150,85 +139,25 @@ sshpam_sigchld_handler(int sig)
signal(SIGCHLD, SIG_DFL);
if (cleanup_ctxt == NULL)
return; /* handler called after PAM cleanup, shouldn't happen */
@@ -92,12 +91,16 @@
<= 0) {
- /* PAM thread has not exitted, privsep slave must have */
- kill(cleanup_ctxt->pam_thread, SIGTERM);
-- if (waitpid(cleanup_ctxt->pam_thread, &sshpam_thread_status, 0)
+- while (waitpid(cleanup_ctxt->pam_thread,
+- &sshpam_thread_status, 0) == -1) {
+ /* callback child has not exited, privsep slave must have */
+ kill(cleanup_ctxt->pam_child, SIGTERM);
-+ if (waitpid(cleanup_ctxt->pam_child, &sshpam_child_status, 0)
- <= 0)
- return; /* could not wait */
++ while (waitpid(cleanup_ctxt->pam_child,
++ &sshpam_child_status, 0) == -1) {
+ if (errno == EINTR)
+ continue;
+ return;
+ }
}
- if (WIFSIGNALED(sshpam_thread_status) &&
- WTERMSIG(sshpam_thread_status) == SIGTERM)
@@ -158,7 +161,11 @@
- if (sshpam_thread_status != -1)
- return (sshpam_thread_status);
- signal(SIGCHLD, sshpam_oldsig);
-- waitpid(thread, &status, 0);
+- while (waitpid(thread, &status, 0) == -1) {
+- if (errno == EINTR)
+- continue;
+- fatal("%s: waitpid: %s", __func__, strerror(errno));
+- }
- return (status);
+ if (WIFSIGNALED(sshpam_child_status) &&
+ WTERMSIG(sshpam_child_status) == SIGTERM)
@@ -173,7 +180,7 @@
static pam_handle_t *sshpam_handle = NULL;
static int sshpam_err = 0;
-@@ -290,55 +223,11 @@ sshpam_password_change_required(int reqd
+@@ -298,55 +227,11 @@ sshpam_password_change_required(int reqd
}
}
@@ -231,7 +238,7 @@
struct pam_response **resp, void *data)
{
Buffer buffer;
-@@ -420,48 +309,84 @@ sshpam_thread_conv(int n, sshpam_const s
+@@ -411,48 +296,85 @@ sshpam_thread_conv(int n, sshpam_const s
}
/*
@@ -310,15 +317,15 @@
+ close(ctxt->pam_csock);
+ ctxt->pam_csock = -1;
+}
-+
+
+- sshpam_conv.conv = sshpam_thread_conv;
+int
+get_pam_done(void *ctxt)
+{
+ struct pam_ctxt *pctxt = (struct pam_ctxt *)ctxt;
+ return (pctxt->pam_done);
+}
-
-- sshpam_conv.conv = sshpam_thread_conv;
++
+/*
+ * Perform PAM authentication.
+ *
@@ -333,6 +340,7 @@
+ struct pam_conv sshpam_conv;
+ int flags = (options.permit_empty_passwd == 0 ?
+ PAM_DISALLOW_NULL_AUTHTOK : 0);
++ struct ssh *ssh = active_state; /* XXX */
+
+ sshpam_conv.conv = sshpam_child_conv;
sshpam_conv.appdata_ptr = ctxt;
@@ -346,7 +354,7 @@
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&sshpam_conv);
if (sshpam_err != PAM_SUCCESS)
-@@ -484,60 +409,34 @@ sshpam_thread(void *ctxtp)
+@@ -477,63 +399,35 @@ sshpam_thread(void *ctxtp)
}
}
@@ -385,6 +393,8 @@
- /* XXX - can't do much about an error here */
- if (sshpam_err == PAM_ACCT_EXPIRED)
- ssh_msg_send(ctxt->pam_csock, PAM_ACCT_EXPIRED, &buffer);
+- else if (sshpam_maxtries_reached)
+- ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, &buffer);
- else
- ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
- buffer_free(&buffer);
@@ -396,7 +406,7 @@
+ pam_strerror(sshpam_handle, sshpam_err),
+ sshpam_authctxt->valid ? "" : "illegal user ",
+ sshpam_authctxt->user,
-+ get_remote_name_or_ip(utmp_len, options.use_dns));
++ auth_get_canonical_hostname(ssh, options.use_dns));
+ relieve_from_duty(ctxt);
}
@@ -413,6 +423,7 @@
- close(ctxt->pam_psock);
- close(ctxt->pam_csock);
- memset(ctxt, 0, sizeof(*ctxt));
+- cleanup_ctxt = NULL;
+ if (ctxt != NULL && ctxt->pam_child != 0) {
+ signal(SIGCHLD, sshpam_oldsig);
+ /* callback child should have had exited by now */
@@ -423,18 +434,19 @@
+ close(ctxt->pam_csock);
+ if (sshpam_child_status == -1)
+ waitpid(ctxt->pam_child, &sshpam_child_status, 0);
- cleanup_ctxt = NULL;
++ cleanup_ctxt = NULL;
}
}
-@@ -686,7 +585,6 @@ derive_pam_service_name(Authctxt *authct
+
+@@ -681,7 +575,6 @@ derive_pam_service_name(Authctxt *authct
static int
sshpam_init(Authctxt *authctxt)
{
- extern char *__progname;
const char *pam_rhost, *pam_user, *user = authctxt->user;
const char **ptr_pam_user = &pam_user;
-
-@@ -792,6 +690,7 @@ sshpam_init_ctx(Authctxt *authctxt)
+ struct ssh *ssh = active_state; /* XXX */
+@@ -788,6 +681,7 @@ sshpam_init_ctx(Authctxt *authctxt)
{
struct pam_ctxt *ctxt;
int socks[2];
@@ -442,7 +454,7 @@
debug3("PAM: %s entering", __func__);
/*
-@@ -809,7 +708,7 @@ sshpam_init_ctx(Authctxt *authctxt)
+@@ -805,7 +699,7 @@ sshpam_init_ctx(Authctxt *authctxt)
ctxt = xcalloc(1, sizeof *ctxt);
@@ -451,7 +463,7 @@
if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
error("PAM: failed create sockets: %s", strerror(errno));
free(ctxt);
-@@ -817,15 +716,29 @@ sshpam_init_ctx(Authctxt *authctxt)
+@@ -813,15 +707,29 @@ sshpam_init_ctx(Authctxt *authctxt)
}
ctxt->pam_psock = socks[0];
ctxt->pam_csock = socks[1];
@@ -485,11 +497,10 @@
return (ctxt);
}
-@@ -839,8 +752,11 @@ sshpam_query(void *ctx, char **name, cha
+@@ -836,8 +744,10 @@ sshpam_query(void *ctx, char **name, cha
u_char type;
char *msg;
size_t len, mlen;
-+ struct ssh *ssh;
+ int r;
debug3("PAM: %s entering", __func__);
@@ -497,7 +508,7 @@
buffer_init(&buffer);
*name = xstrdup("");
*info = xstrdup("");
-@@ -848,6 +764,17 @@ sshpam_query(void *ctx, char **name, cha
+@@ -845,6 +755,17 @@ sshpam_query(void *ctx, char **name, cha
**prompts = NULL;
plen = 0;
*echo_on = xmalloc(sizeof(u_int));
@@ -515,7 +526,7 @@
while (ssh_msg_recv(ctxt->pam_psock, &buffer) == 0) {
type = buffer_get_char(&buffer);
msg = buffer_get_string(&buffer, NULL);
-@@ -879,15 +806,6 @@ sshpam_query(void *ctx, char **name, cha
+@@ -880,15 +801,6 @@ sshpam_query(void *ctx, char **name, cha
/* FALLTHROUGH */
case PAM_AUTH_ERR:
debug3("PAM: %s", pam_strerror(sshpam_handle, type));
@@ -531,7 +542,7 @@
/* FALLTHROUGH */
case PAM_SUCCESS:
if (**prompts != NULL) {
-@@ -898,25 +816,21 @@ sshpam_query(void *ctx, char **name, cha
+@@ -899,25 +811,20 @@ sshpam_query(void *ctx, char **name, cha
free(**prompts);
**prompts = NULL;
}
@@ -553,16 +564,15 @@
+ buffer_put_cstring(&buffer, buffer_ptr(&loginmsg));
+ if (!use_privsep) {
+ /* sync packet state with parrent */
-+ ssh = active_state;
+ r = ssh_packet_get_state(ssh, &buffer);
+ if (r != 0)
+ fatal("%s: get_state failed: %s",
-+ __func__, ssh_err(r));
++ __func__, ssh_err(r));
}
- error("PAM: %s for %s%.100s from %.100s", msg,
- sshpam_authctxt->valid ? "" : "illegal user ",
- sshpam_authctxt->user,
-- get_remote_name_or_ip(utmp_len, options.use_dns));
+- auth_get_canonical_hostname(ssh, options.use_dns));
- /* FALLTHROUGH */
+ ssh_msg_send(ctxt->pam_psock, type, &buffer);
+ /* callback child ends here */
@@ -571,7 +581,7 @@
default:
*num = 0;
**echo_on = 0;
-@@ -970,7 +884,7 @@ sshpam_free_ctx(void *ctxtp)
+@@ -997,7 +904,7 @@ sshpam_free_ctx(void *ctxtp)
struct pam_ctxt *ctxt = ctxtp;
debug3("PAM: %s entering", __func__);
@@ -583,22 +593,20 @@
diff -pur old/auth-pam.h new/auth-pam.h
--- old/auth-pam.h
+++ new/auth-pam.h
-@@ -45,9 +45,10 @@ int do_pam_putenv(char *, char *);
+@@ -45,7 +45,8 @@ int do_pam_putenv(char *, char *);
char ** fetch_pam_environment(void);
char ** fetch_pam_child_environment(void);
void free_pam_environment(char **);
-void sshpam_thread_cleanup(void);
+void sshpam_child_cleanup(void);
++int get_pam_done(void *);
void sshpam_cleanup(void);
int sshpam_auth_passwd(Authctxt *, const char *);
- int is_pam_session_open(void);
-+int get_pam_done(void *);
-
- #endif /* USE_PAM */
+ int sshpam_get_maxtries_reached(void);
diff -pur old/monitor.c new/monitor.c
--- old/monitor.c
+++ new/monitor.c
-@@ -1179,12 +1179,38 @@ mm_answer_pam_init_ctx(int sock, Buffer
+@@ -1184,12 +1184,39 @@ mm_answer_pam_init_ctx(int sock, Buffer
sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
sshpam_authok = NULL;
buffer_clear(m);
@@ -629,6 +637,7 @@
+ buffer_len(&loginmsg));
+ buffer_clear(&loginmsg);
+ }
++ buffer_put_int(m, sshpam_get_maxtries_reached());
+ buffer_put_int(m, 0); /* num */
+ mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
+ return (0);
@@ -637,7 +646,7 @@
mm_request_send(sock, MONITOR_ANS_PAM_INIT_CTX, m);
return (0);
}
-@@ -1938,7 +1964,8 @@ monitor_apply_keystate(struct monitor *p
+@@ -1947,7 +1974,8 @@ monitor_apply_keystate(struct monitor *p
int r;
debug3("%s: packet_set_state", __func__);
@@ -650,7 +659,7 @@
diff -pur old/packet.c new/packet.c
--- old/packet.c
+++ new/packet.c
-@@ -2345,7 +2345,7 @@ ssh_packet_restore_state(struct ssh *ssh
+@@ -2449,7 +2449,7 @@ ssh_packet_get_output(struct ssh *ssh)
}
/* Reset after_authentication and reset compression in post-auth privsep */
@@ -659,7 +668,7 @@
ssh_packet_set_postauth(struct ssh *ssh)
{
struct sshcomp *comp;
-@@ -2682,8 +2682,7 @@ ssh_packet_set_state(struct ssh *ssh, st
+@@ -2775,8 +2775,7 @@ ssh_packet_set_state(struct ssh *ssh, st
cipher_set_keycontext(&state->send_context, keyout);
cipher_set_keycontext(&state->receive_context, keyin);
@@ -672,18 +681,18 @@
diff -pur old/packet.h new/packet.h
--- old/packet.h
+++ new/packet.h
-@@ -141,6 +141,7 @@ u_int ssh_packet_get_maxsize(struct ssh
+@@ -144,6 +144,7 @@ u_int ssh_packet_get_maxsize(struct ssh
int ssh_packet_get_state(struct ssh *, struct sshbuf *);
int ssh_packet_set_state(struct ssh *, struct sshbuf *);
+int ssh_packet_set_postauth(struct ssh *ssh);
const char *ssh_remote_ipaddr(struct ssh *);
-
+ int ssh_remote_port(struct ssh *);
diff -pur old/servconf.c new/servconf.c
--- old/servconf.c
+++ new/servconf.c
-@@ -433,6 +433,18 @@ fill_default_server_options(ServerOption
+@@ -435,6 +435,18 @@ fill_default_server_options(ServerOption
options->compression = 0;
}
#endif
@@ -705,7 +714,7 @@
diff -pur old/session.c new/session.c
--- old/session.c
+++ new/session.c
-@@ -2850,7 +2850,7 @@ do_cleanup(Authctxt *authctxt)
+@@ -2890,7 +2890,7 @@ do_cleanup(Authctxt *authctxt)
#ifdef USE_PAM
if (options.use_pam) {
sshpam_cleanup();
--- a/components/openssh/patches/043-protect_agent_sftpserver.patch Mon Sep 19 14:01:08 2016 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,96 +0,0 @@
-#
-# This patch is to make ssh-agent and sftp-server untraceable on Solaris
-# without using the sgid bit. The OpenSSH upstream contains code for
-# Linux to disable ptrace on these two programs. This patch provides the
-# equivalent Solaris implementation.
-#
-# This Solaris-specific patch has been contributed back to OpenSSH upstream.
-# For more information, see https://bugzilla.mindrot.org/show_bug.cgi?id=2584.
-# In the future, if this is accepted by the upsteam in a later release, we will
-# remove this patch when we upgrade to that release.
-#
---- orig/config.h.in Mon Jun 6 19:22:23 2016
-+++ new/config.h.in Mon Jun 6 19:25:05 2016
-@@ -962,6 +962,9 @@
- /* Define to 1 if you have the `setpcred' function. */
- #undef HAVE_SETPCRED
-
-+/* Define to 1 if you have the `setpflags' function. */
-+#undef HAVE_SETPFLAGS
-+
- /* Define to 1 if you have the `setppriv' function. */
- #undef HAVE_SETPPRIV
-
---- orig/configure.ac Mon Jun 6 16:03:27 2016
-+++ new/configure.ac Mon Jun 6 19:17:06 2016
-@@ -899,6 +899,8 @@
- else
- AC_MSG_RESULT([no])
- fi
-+
-+ AC_CHECK_FUNCS([setpflags])
- AC_CHECK_FUNCS([setppriv])
- AC_CHECK_FUNCS([priv_basicset])
- AC_CHECK_HEADERS([priv.h])
---- orig/sftp-server.c Tue Jun 7 11:16:34 2016
-+++ new/sftp-server.c Tue Jun 7 16:48:09 2016
-@@ -32,6 +32,9 @@
- #ifdef HAVE_SYS_PRCTL_H
- #include <sys/prctl.h>
- #endif
-+#ifdef HAVE_PRIV_H
-+#include <priv.h> /* For setpflags() and __PROC_PROTECT */
-+#endif
-
- #include <dirent.h>
- #include <errno.h>
-@@ -1588,6 +1591,11 @@
-
- log_init(__progname, log_level, log_facility, log_stderr);
-
-+#if defined(HAVE_SETPFLAGS) && defined(__PROC_PROTECT)
-+ /* On Solaris, we should make this process untraceable */
-+ if (setpflags(__PROC_PROTECT, 1) != 0)
-+ fatal("unable to make the process untraceable");
-+#else
- #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
- /*
- * On Linux, we should try to avoid making /proc/self/{mem,maps}
-@@ -1598,6 +1606,7 @@
- if (prctl(PR_SET_DUMPABLE, 0) != 0)
- fatal("unable to make the process undumpable");
- #endif /* defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) */
-+#endif
-
- /* Drop any fine-grained privileges we don't need */
- platform_pledge_sftp_server();
---- orig/ssh-agent.c Mon Jun 6 19:04:38 2016
-+++ new/ssh-agent.c Tue Jun 7 12:18:11 2016
-@@ -92,6 +92,10 @@
- #include <sys/prctl.h> /* For prctl() and PR_SET_DUMPABLE */
- #endif
-
-+#if defined(HAVE_PRIV_H)
-+#include <priv.h> /* For setpflags() and __PROC_PROTECT */
-+#endif
-+
- typedef enum {
- AUTH_UNUSED,
- AUTH_SOCKET,
-@@ -1209,10 +1213,16 @@
- setegid(getgid());
- setgid(getgid());
-
-+#if defined(HAVE_SETPFLAGS) && defined(__PROC_PROTECT)
-+ /* make it untraceable on Solaris */
-+ (void) setpflags(__PROC_PROTECT, 1);
-+
-+#else
- #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
- /* Disable ptrace on Linux without sgid bit */
- prctl(PR_SET_DUMPABLE, 0);
- #endif
-+#endif
-
- #ifdef ENABLE_OPENSSL_FIPS
- fips_err = ssh_FIPS_mode_set_if_capable();
--- a/components/openssh/patches/045-remove_unacceptable_algs.patch Mon Sep 19 14:01:08 2016 -0700
+++ b/components/openssh/patches/045-remove_unacceptable_algs.patch Tue Sep 20 03:54:40 2016 -0700
@@ -4,23 +4,12 @@
# and hmac-md5 Messages Authentication Codes (MACs). Besides that, disable
# deprecated 3des-cbc by default on client (already disabled on the server).
#
+# Update Aug 29, 2016:
+# Disabling arcfour used to be implemented by Solaris specific macro
+# WITHOUT_ARCFOUR, but now upstream OPENSSL_NO_RC4 is used instead.
+#
# Patch source: in-house
#
-diff -pur old/cipher.c new/cipher.c
---- old/cipher.c
-+++ new/cipher.c
-@@ -119,9 +119,11 @@ static const struct sshcipher ciphers[]
- { "cast128-cbc",
- SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_cast5_cbc },
- #endif
-+#ifndef WITHOUT_ARCFOUR
- { "arcfour", SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 0, EVP_rc4 },
- { "arcfour128", SSH_CIPHER_SSH2, 8, 16, 0, 0, 1536, 0, EVP_rc4 },
- { "arcfour256", SSH_CIPHER_SSH2, 8, 32, 0, 0, 1536, 0, EVP_rc4 },
-+#endif
- { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc },
- { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc },
- { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
diff -pur old/mac.c new/mac.c
--- old/mac.c
+++ new/mac.c
@@ -49,7 +38,7 @@
diff -pur old/myproposal.h new/myproposal.h
--- old/myproposal.h
+++ new/myproposal.h
-@@ -133,14 +133,14 @@
+@@ -140,14 +140,14 @@
AESGCM_CIPHER_MODES
#define KEX_CLIENT_ENCRYPT_DFLT KEX_SERVER_ENCRYPT_DFLT "," \
@@ -91,44 +80,6 @@
.Ed
.Pp
The following ciphers are FIPS-140 approved and are supported in FIPS-140 mode:
-diff -pur old/sshd_config.5 new/sshd_config.5
---- old/sshd_config.5
-+++ new/sshd_config.5
-@@ -464,12 +464,6 @@ [email protected]
- .It
- [email protected]
- .It
--arcfour
--.It
--arcfour128
--.It
--arcfour256
--.It
- blowfish-cbc
- .It
- [email protected]
-@@ -988,10 +982,6 @@ The supported MACs are:
- .Pp
- .Bl -item -compact -offset indent
- .It
--hmac-md5
--.It
--hmac-md5-96
--.It
- hmac-ripemd160
- .It
- hmac-sha1
-@@ -1006,10 +996,6 @@ [email protected]
- .It
- [email protected]
- .It
[email protected]
--.It
[email protected]
--.It
- [email protected]
- .It
- [email protected]
diff -pur old/sshd.8 new/sshd.8
--- old/sshd.8
+++ new/sshd.8
@@ -147,3 +98,41 @@
hmac-sha2-256 or hmac-sha2-512).
.Pp
Finally, the server and the client enter an authentication dialog.
+diff -pur old/sshd_config.5 new/sshd_config.5
+--- old/sshd_config.5
++++ new/sshd_config.5
+@@ -471,12 +471,6 @@ [email protected]
+ .It
+ [email protected]
+ .It
+-arcfour
+-.It
+-arcfour128
+-.It
+-arcfour256
+-.It
+ blowfish-cbc
+ .It
+ [email protected]
+@@ -1009,10 +1003,6 @@ The supported MACs are:
+ .Pp
+ .Bl -item -compact -offset indent
+ .It
+-hmac-md5
+-.It
+-hmac-md5-96
+-.It
+ hmac-ripemd160
+ .It
+ hmac-sha1
+@@ -1027,10 +1017,6 @@ [email protected]
+ .It
+ [email protected]
+ .It
[email protected]
+-.It
[email protected]
+-.It
+ [email protected]
+ .It
+ [email protected]
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/046-73_solaris_build_issue.patch Tue Sep 20 03:54:40 2016 -0700
@@ -0,0 +1,31 @@
+#
+# Unbreak ./configure on Solaris.
+#
+# Patch source: upstream
+# https://marc.info/?l=openssh-unix-dev&m=147011381114561&w=2
+#
+--- orig/configure.ac Thu Aug 18 14:41:57 2016
++++ new/configure.ac Thu Aug 18 14:44:59 2016
+@@ -751,6 +751,9 @@
+ use_pie=auto
+ check_for_libcrypt_later=1
+ check_for_openpty_ctty_bug=1
++ dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
++ dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
++ CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE"
+ AC_DEFINE([PAM_TTY_KLUDGE], [1],
+ [Work around problematic Linux PAM modules handling of PAM_TTY])
+ AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
+@@ -1790,11 +1793,8 @@
+ warn \
+ ])
+
+-dnl Wide character support. Linux man page says it needs _XOPEN_SOURCE.
+-saved_CFLAGS="$CFLAGS"
+-CFLAGS="$CFLAGS -D_XOPEN_SOURCE"
++dnl Wide character support.
+ AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth])
+-CFLAGS="$saved_CFLAGS"
+
+ AC_LINK_IFELSE(
+ [AC_LANG_PROGRAM(
--- a/components/openssh/sources/kexgssc.c Mon Sep 19 14:01:08 2016 -0700
+++ b/components/openssh/sources/kexgssc.c Tue Sep 20 03:54:40 2016 -0700
@@ -63,7 +63,6 @@
Gssctxt *ctxt;
OM_uint32 maj_status, min_status, ret_flags;
uint_t klen, kout, slen = 0, strlen;
- DH *dh;
BIGNUM *dh_server_pub = NULL;
BIGNUM *shared_secret = NULL;
BIGNUM *p = NULL;
@@ -284,7 +283,9 @@
switch (kex->kex_type) {
case KEX_GSS_GRP1_SHA1:
case KEX_GSS_GRP14_SHA1:
- kex_dh_hash(kex->client_version_string,
+ kex_dh_hash(
+ kex->hash_alg,
+ kex->client_version_string,
kex->server_version_string,
buffer_ptr(kex->my), buffer_len(kex->my),
buffer_ptr(kex->peer), buffer_len(kex->peer),
--- a/components/openssh/sources/kexgsss.c Mon Sep 19 14:01:08 2016 -0700
+++ b/components/openssh/sources/kexgsss.c Tue Sep 20 03:54:40 2016 -0700
@@ -76,7 +76,6 @@
Gssctxt *ctxt = NULL;
uint_t slen, klen, kout;
uchar_t *kbuf;
- DH *dh;
int min = -1, max = -1, nbits = -1;
BIGNUM *shared_secret = NULL;
BIGNUM *dh_client_pub = NULL;
@@ -236,6 +235,7 @@
case KEX_GSS_GRP1_SHA1:
case KEX_GSS_GRP14_SHA1:
kex_dh_hash(
+ kex->hash_alg,
kex->client_version_string, kex->server_version_string,
buffer_ptr(kex->peer), buffer_len(kex->peer),
buffer_ptr(kex->my), buffer_len(kex->my),