PR#63: Draft: Update to OpenSSH 9.6 - rpms/openssh

		`@@ -58,3 +58,5 @@`
		`/openssh-9.0p1.tar.gz.asc`
		`/openssh-9.3p1.tar.gz`
		`/openssh-9.3p1.tar.gz.asc`
		`+ /openssh-9.6p1.tar.gz`
		`+ /openssh-9.6p1.tar.gz.asc`

openssh-6.6.1p1-selinux-contexts.patch

file modified

+10 -12

		`@@ -93,19 +93,17 @@`
		`#endif`

		`diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c`
		`- index 22ea8ef..1fc963d 100644`
		`- --- a/openbsd-compat/port-linux.c`
		`- +++ b/openbsd-compat/port-linux.c`
		`- @@ -179,7 +179,7 @@ ssh_selinux_change_context(const char *newname)`
		`- strlcpy(newctx + len, newname, newlen - len);`
		`- if ((cx = index(cx + 1, ':')))`
		`- strlcat(newctx, cx, newlen);`
		`- - debug3("%s: setting context from '%s' to '%s'", __func__,`
		`- + debug_f("setting context from '%s' to '%s'",`
		`- oldctx, newctx);`
		`+ --- a/openbsd-compat/port-linux.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)`
		`+ +++ b/openbsd-compat/port-linux.c (date 1703108053912)`
		`+ @@ -207,7 +207,7 @@`
		`+ xasprintf(&newctx, "%.*s%s%s", (int)(cx - oldctx + 1), oldctx,`
		`+ newname, cx2 == NULL ? "" : cx2);`
		`+`
		`+ - debug3_f("setting context from '%s' to '%s'", oldctx, newctx);`
		`+ + debug_f("setting context from '%s' to '%s'", oldctx, newctx);`
		`if (setcon(newctx) < 0)`
		`- do_log2(log_level, "%s: setcon %s from %s failed with %s",`
		`- __func__, newctx, oldctx, strerror(errno));`
		`+ do_log2_f(log_level, "setcon %s from %s failed with %s",`
		`+ newctx, oldctx, strerror(errno));`
		`diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h`
		`index cb51f99..8b7cda2 100644`
		`--- a/openbsd-compat/port-linux.h`

openssh-7.2p2-x11.patch

file modified

+13 -11

		`@@ -1,21 +1,23 @@`
		`- diff -up openssh-7.2p2/channels.c.x11 openssh-7.2p2/channels.c`
		`- --- openssh-7.2p2/channels.c.x11 2016-03-09 19:04:48.000000000 +0100`
		`- +++ openssh-7.2p2/channels.c 2016-06-03 10:42:04.775164520 +0200`
		`- @@ -3990,21 +3990,24 @@ x11_create_display_inet(int x11_display_`
		`+ diff --git a/channels.c b/channels.c`
		`+ --- a/channels.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)`
		`+ +++ b/channels.c (date 1703026069921)`
		`+ @@ -5075,11 +5075,13 @@`
		`}`
		`-`
		`+`
		`static int`
		`-connect_local_xsocket_path(const char *pathname)`
		`+connect_local_xsocket_path(const char *pathname, int len)`
		`{`
		`int sock;`
		`struct sockaddr_un addr;`
		`-`
		`- + if (len <= 0)`
		`- + return -1;`
		`+`
		`+ + if (len <= 0)`
		`+ + return -1;`
		`sock = socket(AF_UNIX, SOCK_STREAM, 0);`
		`- if (sock == -1)`
		`+ if (sock == -1) {`
		`error("socket: %.100s", strerror(errno));`
		`+ @@ -5087,11 +5089,12 @@`
		`+ }`
		`memset(&addr, 0, sizeof(addr));`
		`addr.sun_family = AF_UNIX;`
		`- strlcpy(addr.sun_path, pathname, sizeof addr.sun_path);`
		`@@ -29,8 +31,8 @@`
		`- error("connect %.100s: %.100s", addr.sun_path, strerror(errno));`
		`return -1;`
		`}`
		`-`
		`- @@ -4012,8 +4015,18 @@ static int`
		`+`
		`+ @@ -5099,8 +5102,18 @@`
		`connect_local_xsocket(u_int dnr)`
		`{`
		`char buf[1024];`

openssh-7.8p1-role-mls.patch

file modified

+5 -5

		`@@ -23,7 +23,7 @@`
		`if ((style = strchr(user, ':')) != NULL)`
		`*style++ = 0;`

		`- @@ -296,8 +304,15 @@ input_userauth_request(int type, u_int32`
		`+ @@ -314,8 +314,15 @@ input_userauth_request(int type, u_int32`
		`use_privsep ? " [net]" : "");`
		`authctxt->service = xstrdup(service);`
		`authctxt->style = style ? xstrdup(style) : NULL;`
		`@@ -34,12 +34,12 @@`
		`+ if (use_privsep) {`
		`mm_inform_authserv(service, style);`
		`+#ifdef WITH_SELINUX`
		`- + mm_inform_authrole(role);`
		`+ + mm_inform_authrole(role);`
		`+#endif`
		`- + }`
		`+ + }`
		`userauth_banner(ssh);`
		`- if (auth2_setup_methods_lists(authctxt) != 0)`
		`- ssh_packet_disconnect(ssh,`
		`+ if ((r = kex_server_update_ext_info(ssh)) != 0)`
		`+ fatal_fr(r, "kex_server_update_ext_info failed");`
		`diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c`
		`--- openssh/auth2-gss.c.role-mls 2018-08-20 07:57:29.000000000 +0200`
		`+++ openssh/auth2-gss.c 2018-08-22 11:15:42.459799171 +0200`

openssh-8.0p1-gssapi-keyex.patch

file modified

+224 -18

		`@@ -140,12 +140,11 @@`
		`* connection. The host name is cached, so it is efficient to call this`
		`* several times.`
		`diff --git a/auth2-gss.c b/auth2-gss.c`
		`- index 9351e042..d6446c0c 100644`
		`- --- a/auth2-gss.c`
		`- +++ b/auth2-gss.c`
		`+ --- a/auth2-gss.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)`
		`+ +++ b/auth2-gss.c (date 1703107508323)`
		`@@ -1,7 +1,7 @@`
		`- /* $OpenBSD: auth2-gss.c,v 1.33 2021/12/19 22:12:07 djm Exp $ */`
		`-`
		`+ /* $OpenBSD: auth2-gss.c,v 1.34 2023/03/31 04:22:27 djm Exp $ */`
		`+`
		`/*`
		`- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.`
		`+ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.`
		`@@ -1256,19 +1255,18 @@`

		`/* Privileged */`
		`diff --git a/kex.c b/kex.c`
		`- index ce85f043..574c7609 100644`
		`- --- a/kex.c`
		`- +++ b/kex.c`
		`- @@ -57,6 +57,10 @@`
		`+ --- a/kex.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)`
		`+ +++ b/kex.c (date 1703107711046)`
		`+ @@ -64,6 +64,10 @@`
		`#include "digest.h"`
		`#include "xmalloc.h"`
		`-`
		`+`
		`+#ifdef GSSAPI`
		`+#include "ssh-gss.h"`
		`+#endif`
		`+`
		`/* prototype */`
		`- static int kex_choose_conf(struct ssh *);`
		`+ static int kex_choose_conf(struct ssh *, uint32_t seq);`
		`static int kex_input_newkeys(int, u_int32_t, struct ssh *);`
		`@@ -115,15 +120,28 @@ static const struct kexalg kexalgs[] = {`
		`#endif /* HAVE_EVP_SHA256 \|\| !WITH_OPENSSL */`
		`@@ -3400,7 +3398,7 @@`
		`.It HashKnownHosts`
		`.It Host`
		`.It HostbasedAcceptedAlgorithms`
		`- @@ -579,6 +585,8 @@ flag),`
		`+ @@ -624,6 +624,8 @@`
		`(supported message integrity codes),`
		`.Ar kex`
		`(key exchange algorithms),`
		`@@ -3408,7 +3406,7 @@`
		`+(GSSAPI key exchange algorithms),`
		`.Ar key`
		`(key types),`
		`- .Ar key-cert`
		`+ .Ar key-ca-sign`
		`diff --git a/ssh.c b/ssh.c`
		`index 15aee569..110cf9c1 100644`
		`--- a/ssh.c`
		`@@ -3434,9 +3432,8 @@`
		`if (cp == NULL)`
		`fatal("Unsupported query \"%s\"", optarg);`
		`diff --git a/ssh_config b/ssh_config`
		`- index 5e8ef548..1ff999b6 100644`
		`- --- a/ssh_config`
		`- +++ b/ssh_config`
		`+ --- a/ssh_config (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)`
		`+ +++ b/ssh_config (date 1703107827108)`
		`@@ -24,6 +24,8 @@`
		`# HostbasedAuthentication no`
		`# GSSAPIAuthentication no`
		`@@ -3444,7 +3441,7 @@`
		`+# GSSAPIKeyExchange no`
		`+# GSSAPITrustDNS no`
		`# BatchMode no`
		`- # CheckHostIP yes`
		`+ # CheckHostIP no`
		`# AddressFamily any`
		`diff --git a/ssh_config.5 b/ssh_config.5`
		`index 06a32d31..3f490697 100644`
		`@@ -4027,4 +4024,213 @@`
		`+ KEY_NULL,`
		`KEY_UNSPEC`
		`};`
		`-`
		`+`
		`+ diff --git a/packet.h b/packet.h`
		`+ --- a/packet.h (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)`
		`+ +++ b/packet.h (date 1703172586447)`
		`+ @@ -1,4 +1,4 @@`
		`+ -/* $OpenBSD: packet.h,v 1.96 2023/12/18 14:45:17 djm Exp $ */`
		`+ +/* $OpenBSD: packet.h,v 1.95 2023/08/28 03:31:16 djm Exp $ */`
		`+`
		`+ /*`
		`+ * Author: Tatu Ylonen <ylo@cs.hut.fi>`
		`+ @@ -124,6 +124,7 @@`
		`+ int ssh_packet_send2(struct ssh *);`
		`+`
		`+ int ssh_packet_read(struct ssh *);`
		`+ +int ssh_packet_read_expect(struct ssh *, u_int type);`
		`+ int ssh_packet_read_poll(struct ssh *);`
		`+ int ssh_packet_read_poll2(struct ssh , u_char , u_int32_t *seqnr_p);`
		`+ int ssh_packet_process_incoming(struct ssh , const char buf, u_int len);`
		`+ diff --git a/packet.c b/packet.c`
		`+ --- a/packet.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)`
		`+ +++ b/packet.c (date 1703172586447)`
		`+ @@ -1,4 +1,4 @@`
		`+ -/* $OpenBSD: packet.c,v 1.313 2023/12/18 14:45:17 djm Exp $ */`
		`+ +/* $OpenBSD: packet.c,v 1.312 2023/08/28 03:31:16 djm Exp $ */`
		`+ /*`
		`+ * Author: Tatu Ylonen <ylo@cs.hut.fi>`
		`+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland`
		`+ @@ -1207,13 +1207,8 @@`
		`+ sshbuf_dump(state->output, stderr);`
		`+ #endif`
		`+ /* increment sequence number for outgoing packets */`
		`+ - if (++state->p_send.seqnr == 0) {`
		`+ - if ((ssh->kex->flags & KEX_INITIAL) != 0) {`
		`+ - ssh_packet_disconnect(ssh, "outgoing sequence number "`
		`+ - "wrapped during initial key exchange");`
		`+ - }`
		`+ + if (++state->p_send.seqnr == 0)`
		`+ logit("outgoing seqnr wraps around");`
		`+ - }`
		`+ if (++state->p_send.packets == 0)`
		`+ if (!(ssh->compat & SSH_BUG_NOREKEY))`
		`+ return SSH_ERR_NEED_REKEY;`
		`+ @@ -1221,11 +1216,6 @@`
		`+ state->p_send.bytes += len;`
		`+ sshbuf_reset(state->outgoing_packet);`
		`+`
		`+ - if (type == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) {`
		`+ - debug_f("resetting send seqnr %u", state->p_send.seqnr);`
		`+ - state->p_send.seqnr = 0;`
		`+ - }`
		`+ -`
		`+ if (type == SSH2_MSG_NEWKEYS)`
		`+ r = ssh_set_newkeys(ssh, MODE_OUT);`
		`+ else if (type == SSH2_MSG_USERAUTH_SUCCESS && state->server_side)`
		`+ @@ -1354,7 +1344,8 @@`
		`+ /* Stay in the loop until we have received a complete packet. */`
		`+ for (;;) {`
		`+ /* Try to read a packet from the buffer. */`
		`+ - if ((r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p)) != 0)`
		`+ + r = ssh_packet_read_poll_seqnr(ssh, typep, seqnr_p);`
		`+ + if (r != 0)`
		`+ break;`
		`+ /* If we got a packet, return it. */`
		`+ if (*typep != SSH_MSG_NONE)`
		`+ @@ -1425,6 +1416,29 @@`
		`+ return type;`
		`+ }`
		`+`
		`+ +/*`
		`+ + * Waits until a packet has been received, verifies that its type matches`
		`+ + * that given, and gives a fatal error and exits if there is a mismatch.`
		`+ + */`
		`+ +`
		`+ +int`
		`+ +ssh_packet_read_expect(struct ssh *ssh, u_int expected_type)`
		`+ +{`
		`+ + int r;`
		`+ + u_char type;`
		`+ +`
		`+ + if ((r = ssh_packet_read_seqnr(ssh, &type, NULL)) != 0)`
		`+ + return r;`
		`+ + if (type != expected_type) {`
		`+ + if ((r = sshpkt_disconnect(ssh,`
		`+ + "Protocol error: expected packet type %d, got %d",`
		`+ + expected_type, type)) != 0)`
		`+ + return r;`
		`+ + return SSH_ERR_PROTOCOL_ERROR;`
		`+ + }`
		`+ + return 0;`
		`+ +}`
		`+ +`
		`+ static int`
		`+ ssh_packet_read_poll2_mux(struct ssh ssh, u_char typep, u_int32_t *seqnr_p)`
		`+ {`
		`+ @@ -1615,16 +1629,10 @@`
		`+ if ((r = sshbuf_consume(state->input, mac->mac_len)) != 0)`
		`+ goto out;`
		`+ }`
		`+ -`
		`+ if (seqnr_p != NULL)`
		`+ *seqnr_p = state->p_read.seqnr;`
		`+ - if (++state->p_read.seqnr == 0) {`
		`+ - if ((ssh->kex->flags & KEX_INITIAL) != 0) {`
		`+ - ssh_packet_disconnect(ssh, "incoming sequence number "`
		`+ - "wrapped during initial key exchange");`
		`+ - }`
		`+ + if (++state->p_read.seqnr == 0)`
		`+ logit("incoming seqnr wraps around");`
		`+ - }`
		`+ if (++state->p_read.packets == 0)`
		`+ if (!(ssh->compat & SSH_BUG_NOREKEY))`
		`+ return SSH_ERR_NEED_REKEY;`
		`+ @@ -1690,10 +1698,6 @@`
		`+ #endif`
		`+ /* reset for next packet */`
		`+ state->packlen = 0;`
		`+ - if (*typep == SSH2_MSG_NEWKEYS && ssh->kex->kex_strict) {`
		`+ - debug_f("resetting read seqnr %u", state->p_read.seqnr);`
		`+ - state->p_read.seqnr = 0;`
		`+ - }`
		`+`
		`+ if ((r = ssh_packet_check_rekey(ssh)) != 0)`
		`+ return r;`
		`+ @@ -1716,39 +1720,10 @@`
		`+ r = ssh_packet_read_poll2(ssh, typep, seqnr_p);`
		`+ if (r != 0)`
		`+ return r;`
		`+ - if (*typep == 0) {`
		`+ - /* no message ready */`
		`+ - return 0;`
		`+ - }`
		`+ - state->keep_alive_timeouts = 0;`
		`+ - DBG(debug("received packet type %d", *typep));`
		`+ -`
		`+ - /* Always process disconnect messages */`
		`+ - if (*typep == SSH2_MSG_DISCONNECT) {`
		`+ - if ((r = sshpkt_get_u32(ssh, &reason)) != 0 \|\|`
		`+ - (r = sshpkt_get_string(ssh, &msg, NULL)) != 0)`
		`+ - return r;`
		`+ - /* Ignore normal client exit notifications */`
		`+ - do_log2(ssh->state->server_side &&`
		`+ - reason == SSH2_DISCONNECT_BY_APPLICATION ?`
		`+ - SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR,`
		`+ - "Received disconnect from %s port %d:"`
		`+ - "%u: %.400s", ssh_remote_ipaddr(ssh),`
		`+ - ssh_remote_port(ssh), reason, msg);`
		`+ - free(msg);`
		`+ - return SSH_ERR_DISCONNECTED;`
		`+ + if (*typep) {`
		`+ + state->keep_alive_timeouts = 0;`
		`+ + DBG(debug("received packet type %d", *typep));`
		`+ }`
		`+ -`
		`+ - /*`
		`+ - * Do not implicitly handle any messages here during initial`
		`+ - * KEX when in strict mode. They will be need to be allowed`
		`+ - * explicitly by the KEX dispatch table or they will generate`
		`+ - * protocol errors.`
		`+ - */`
		`+ - if (ssh->kex != NULL &&`
		`+ - (ssh->kex->flags & KEX_INITIAL) && ssh->kex->kex_strict)`
		`+ - return 0;`
		`+ - /* Implicitly handle transport-level messages */`
		`+ switch (*typep) {`
		`+ case SSH2_MSG_IGNORE:`
		`+ debug3("Received SSH2_MSG_IGNORE");`
		`+ @@ -1763,6 +1738,19 @@`
		`+ debug("Remote: %.900s", msg);`
		`+ free(msg);`
		`+ break;`
		`+ + case SSH2_MSG_DISCONNECT:`
		`+ + if ((r = sshpkt_get_u32(ssh, &reason)) != 0 \|\|`
		`+ + (r = sshpkt_get_string(ssh, &msg, NULL)) != 0)`
		`+ + return r;`
		`+ + /* Ignore normal client exit notifications */`
		`+ + do_log2(ssh->state->server_side &&`
		`+ + reason == SSH2_DISCONNECT_BY_APPLICATION ?`
		`+ + SYSLOG_LEVEL_INFO : SYSLOG_LEVEL_ERROR,`
		`+ + "Received disconnect from %s port %d:"`
		`+ + "%u: %.400s", ssh_remote_ipaddr(ssh),`
		`+ + ssh_remote_port(ssh), reason, msg);`
		`+ + free(msg);`
		`+ + return SSH_ERR_DISCONNECTED;`
		`+ case SSH2_MSG_UNIMPLEMENTED:`
		`+ if ((r = sshpkt_get_u32(ssh, &seqnr)) != 0)`
		`+ return r;`
		`+ @@ -2254,7 +2242,6 @@`
		`+ (r = sshbuf_put_u32(m, kex->hostkey_type)) != 0 \|\|`
		`+ (r = sshbuf_put_u32(m, kex->hostkey_nid)) != 0 \|\|`
		`+ (r = sshbuf_put_u32(m, kex->kex_type)) != 0 \|\|`
		`+ - (r = sshbuf_put_u32(m, kex->kex_strict)) != 0 \|\|`
		`+ (r = sshbuf_put_stringb(m, kex->my)) != 0 \|\|`
		`+ (r = sshbuf_put_stringb(m, kex->peer)) != 0 \|\|`
		`+ (r = sshbuf_put_stringb(m, kex->client_version)) != 0 \|\|`
		`+ @@ -2417,7 +2404,6 @@`
		`+ (r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_type)) != 0 \|\|`
		`+ (r = sshbuf_get_u32(m, (u_int *)&kex->hostkey_nid)) != 0 \|\|`
		`+ (r = sshbuf_get_u32(m, &kex->kex_type)) != 0 \|\|`
		`+ - (r = sshbuf_get_u32(m, &kex->kex_strict)) != 0 \|\|`
		`+ (r = sshbuf_get_stringb(m, kex->my)) != 0 \|\|`
		`+ (r = sshbuf_get_stringb(m, kex->peer)) != 0 \|\|`
		`+ (r = sshbuf_get_stringb(m, kex->client_version)) != 0 \|\|`
		`+ @@ -2746,7 +2732,6 @@`
		`+ vsnprintf(buf, sizeof(buf), fmt, args);`
		`+ va_end(args);`
		`+`
		`+ - debug2_f("sending SSH2_MSG_DISCONNECT: %s", buf);`
		`+ if ((r = sshpkt_start(ssh, SSH2_MSG_DISCONNECT)) != 0 \|\|`
		`+ (r = sshpkt_put_u32(ssh, SSH2_DISCONNECT_PROTOCOL_ERROR)) != 0 \|\|`
		`+ (r = sshpkt_put_cstring(ssh, buf)) != 0 \|\|`

openssh-8.7p1-minrsabits.patch

file modified

+10 -12

		`@@ -1,23 +1,21 @@`
		`diff --git a/readconf.c b/readconf.c`
		`- index 7f26c680..42be690b 100644`
		`- --- a/readconf.c`
		`- +++ b/readconf.c`
		`- @@ -320,6 +320,7 @@ static struct {`
		`+ --- a/readconf.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)`
		`+ +++ b/readconf.c (date 1703169891147)`
		`+ @@ -326,6 +326,7 @@`
		`{ "securitykeyprovider", oSecurityKeyProvider },`
		`{ "knownhostscommand", oKnownHostsCommand },`
		`- { "requiredrsasize", oRequiredRSASize },`
		`+ { "requiredrsasize", oRequiredRSASize },`
		`+ { "rsaminsize", oRequiredRSASize }, /* alias */`
		`{ "enableescapecommandline", oEnableEscapeCommandline },`
		`-`
		`- { NULL, oBadOption }`
		`+ { "obscurekeystroketiming", oObscureKeystrokeTiming },`
		`+ { "channeltimeout", oChannelTimeout },`
		`diff --git a/servconf.c b/servconf.c`
		`- index 29df0463..423772b1 100644`
		`- --- a/servconf.c`
		`- +++ b/servconf.c`
		`- @@ -676,6 +680,7 @@ static struct {`
		`+ --- a/servconf.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)`
		`+ +++ b/servconf.c (date 1703169891148)`
		`+ @@ -691,6 +691,7 @@`
		`{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL },`
		`{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL },`
		`- { "requiredrsasize", sRequiredRSASize, SSHCFG_ALL },`
		`+ { "requiredrsasize", sRequiredRSASize, SSHCFG_ALL },`
		`+ { "rsaminsize", sRequiredRSASize, SSHCFG_ALL }, /* alias */`
		`{ "channeltimeout", sChannelTimeout, SSHCFG_ALL },`
		`{ "unusedconnectiontimeout", sUnusedConnectionTimeout, SSHCFG_ALL },`

openssh-8.7p1-recursive-scp.patch

file modified

+84 -83

		`@@ -1,28 +1,28 @@`
		`- diff -up openssh-8.7p1/scp.c.scp-sftpdirs openssh-8.7p1/scp.c`
		`- --- openssh-8.7p1/scp.c.scp-sftpdirs 2022-02-07 12:31:07.407740407 +0100`
		`- +++ openssh-8.7p1/scp.c 2022-02-07 12:31:07.409740424 +0100`
		`- @@ -1324,7 +1324,7 @@ source_sftp(int argc, char src, char t`
		`-`
		`+ diff --git a/scp.c b/scp.c`
		`+ --- a/scp.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)`
		`+ +++ b/scp.c (date 1703111453316)`
		`+ @@ -1372,7 +1372,7 @@`
		`+`
		`if (src_is_dir && iamrecursive) {`
		`- if (upload_dir(conn, src, abs_dst, pflag,`
		`+ if (sftp_upload_dir(conn, src, abs_dst, pflag,`
		`- SFTP_PROGRESS_ONLY, 0, 0, 1, 1) != 0) {`
		`+ SFTP_PROGRESS_ONLY, 0, 0, 1, 1, 1) != 0) {`
		`- error("failed to upload directory %s to %s", src, targ);`
		`- errs = 1;`
		`- }`
		`- diff -up openssh-8.7p1/sftp-client.c.scp-sftpdirs openssh-8.7p1/sftp-client.c`
		`- --- openssh-8.7p1/sftp-client.c.scp-sftpdirs 2021-08-20 06:03:49.000000000 +0200`
		`- +++ openssh-8.7p1/sftp-client.c 2022-02-07 12:47:59.117516131 +0100`
		`- @@ -971,7 +971,7 @@ do_fsetstat(struct sftp_conn *conn, cons`
		`-`
		`+ error("failed to upload directory %s to %s", src, targ);`
		`+ errs = 1;`
		`+ }`
		`+ diff --git a/sftp-client.c b/sftp-client.c`
		`+ --- a/sftp-client.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)`
		`+ +++ b/sftp-client.c (date 1703169614263)`
		`+ @@ -1003,7 +1003,7 @@`
		`+`
		`/* Implements both the realpath and expand-path operations */`
		`static char *`
		`- -do_realpath_expand(struct sftp_conn conn, const char path, int expand)`
		`- +do_realpath_expand(struct sftp_conn conn, const char path, int expand, int create_dir)`
		`+ -sftp_realpath_expand(struct sftp_conn conn, const char path, int expand)`
		`+ +sftp_realpath_expand(struct sftp_conn conn, const char path, int expand, int create_dir)`
		`{`
		`struct sshbuf *msg;`
		`u_int expected_id, count, id;`
		`- @@ -1033,11 +1033,43 @@ do_realpath_expand(struct sftp_conn *con`
		`+ @@ -1049,11 +1049,43 @@`
		`if ((r = sshbuf_get_u32(msg, &status)) != 0 \|\|`
		`(r = sshbuf_get_cstring(msg, &errmsg, NULL)) != 0)`
		`fatal_fr(r, "parse status");`
		`@@ -33,7 +33,7 @@`
		`- return NULL;`
		`+ if ((status == SSH2_FX_NO_SUCH_FILE) && create_dir) {`
		`+ memset(&a, '\0', sizeof(a));`
		`- + if ((r = do_mkdir(conn, path, &a, 0)) != 0) {`
		`+ + if ((r = sftp_mkdir(conn, path, &a, 0)) != 0) {`
		`+ sshbuf_free(msg);`
		`+ return NULL;`
		`+ }`
		`@@ -71,111 +71,112 @@`
		`} else if (type != SSH2_FXP_NAME)`
		`fatal("Expected SSH2_FXP_NAME(%u) packet, got %u",`
		`SSH2_FXP_NAME, type);`
		`- @@ -1039,9 +1067,9 @@ do_realpath_expand(struct sftp_conn *con`
		`+ @@ -1078,9 +1110,9 @@`
		`}`
		`-`
		`+`
		`char *`
		`- -do_realpath(struct sftp_conn conn, const char path)`
		`- +do_realpath(struct sftp_conn conn, const char path, int create_dir)`
		`+ -sftp_realpath(struct sftp_conn conn, const char path)`
		`+ +sftp_realpath(struct sftp_conn conn, const char path, int create_dir)`
		`{`
		`- - return do_realpath_expand(conn, path, 0);`
		`- + return do_realpath_expand(conn, path, 0, create_dir);`
		`+ - return sftp_realpath_expand(conn, path, 0);`
		`+ + return sftp_realpath_expand(conn, path, 0, create_dir);`
		`}`
		`-`
		`+`
		`int`
		`- @@ -1055,9 +1083,9 @@ do_expand_path(struct sftp_conn *conn, c`
		`+ @@ -1094,9 +1126,9 @@`
		`{`
		`- if (!can_expand_path(conn)) {`
		`+ if (!sftp_can_expand_path(conn)) {`
		`debug3_f("no server support, fallback to realpath");`
		`- - return do_realpath_expand(conn, path, 0);`
		`- + return do_realpath_expand(conn, path, 0, 0);`
		`+ - return sftp_realpath_expand(conn, path, 0);`
		`+ + return sftp_realpath_expand(conn, path, 0, 0);`
		`}`
		`- - return do_realpath_expand(conn, path, 1);`
		`- + return do_realpath_expand(conn, path, 1, 0);`
		`+ - return sftp_realpath_expand(conn, path, 1);`
		`+ + return sftp_realpath_expand(conn, path, 1, 0);`
		`}`
		`-`
		`+`
		`int`
		`- @@ -1807,7 +1835,7 @@ download_dir(struct sftp_conn *conn, con`
		`+ @@ -2016,7 +2048,7 @@`
		`char *src_canon;`
		`int ret;`
		`-`
		`- - if ((src_canon = do_realpath(conn, src)) == NULL) {`
		`- + if ((src_canon = do_realpath(conn, src, 0)) == NULL) {`
		`- error("download \"%s\": path canonicalization failed", src);`
		`- return -1;`
		`- }`
		`- @@ -2115,12 +2143,12 @@ upload_dir_internal(struct sftp_conn *co`
		`+`
		`+ - if ((src_canon = sftp_realpath(conn, src)) == NULL) {`
		`+ + if ((src_canon = sftp_realpath(conn, src, 0)) == NULL) {`
		`+ error("download \"%s\": path canonicalization failed", src);`
		`+ return -1;`
		`+ }`
		`+ @@ -2365,12 +2397,12 @@`
		`int`
		`- upload_dir(struct sftp_conn conn, const char src, const char *dst,`
		`+ sftp_upload_dir(struct sftp_conn conn, const char src, const char *dst,`
		`int preserve_flag, int print_flag, int resume, int fsync_flag,`
		`- int follow_link_flag, int inplace_flag)`
		`+ int follow_link_flag, int inplace_flag, int create_dir)`
		`{`
		`char *dst_canon;`
		`int ret;`
		`-`
		`- - if ((dst_canon = do_realpath(conn, dst)) == NULL) {`
		`- + if ((dst_canon = do_realpath(conn, dst, create_dir)) == NULL) {`
		`- error("upload \"%s\": path canonicalization failed", dst);`
		`- return -1;`
		`- }`
		`- @@ -2557,7 +2585,7 @@ crossload_dir(struct sftp_conn *from, st`
		`+`
		`+ - if ((dst_canon = sftp_realpath(conn, dst)) == NULL) {`
		`+ + if ((dst_canon = sftp_realpath(conn, dst, create_dir)) == NULL) {`
		`+ error("upload \"%s\": path canonicalization failed", dst);`
		`+ return -1;`
		`+ }`
		`+ @@ -2825,7 +2857,7 @@`
		`char *from_path_canon;`
		`int ret;`
		`-`
		`- - if ((from_path_canon = do_realpath(from, from_path)) == NULL) {`
		`- + if ((from_path_canon = do_realpath(from, from_path, 0)) == NULL) {`
		`- error("crossload \"%s\": path canonicalization failed",`
		`- from_path);`
		`- return -1;`
		`- diff -up openssh-8.7p1/sftp-client.h.scp-sftpdirs openssh-8.7p1/sftp-client.h`
		`- --- openssh-8.7p1/sftp-client.h.scp-sftpdirs 2021-08-20 06:03:49.000000000 +0200`
		`- +++ openssh-8.7p1/sftp-client.h 2022-02-07 12:31:07.410740433 +0100`
		`- @@ -111,7 +111,7 @@ int do_fsetstat(struct sftp_conn *, cons`
		`- int do_lsetstat(struct sftp_conn conn, const char path, Attrib *a);`
		`-`
		`+`
		`+ - if ((from_path_canon = sftp_realpath(from, from_path)) == NULL) {`
		`+ + if ((from_path_canon = sftp_realpath(from, from_path, 0)) == NULL) {`
		`+ error("crossload \"%s\": path canonicalization failed",`
		`+ from_path);`
		`+ return -1;`
		`+ diff --git a/sftp-client.h b/sftp-client.h`
		`+ --- a/sftp-client.h (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)`
		`+ +++ b/sftp-client.h (date 1703111691284)`
		`+ @@ -111,7 +111,7 @@`
		`+ int sftp_lsetstat(struct sftp_conn conn, const char path, Attrib *a);`
		`+`
		`/* Canonicalise 'path' - caller must free result */`
		`- -char do_realpath(struct sftp_conn , const char *);`
		`- +char do_realpath(struct sftp_conn , const char *, int);`
		`-`
		`+ -char sftp_realpath(struct sftp_conn , const char *);`
		`+ +char sftp_realpath(struct sftp_conn , const char *, int);`
		`+`
		`/* Canonicalisation with tilde expansion (requires server extension) */`
		`- char do_expand_path(struct sftp_conn , const char *);`
		`- @@ -159,7 +159,7 @@ int do_upload(struct sftp_conn *, const`
		`+ char sftp_expand_path(struct sftp_conn , const char *);`
		`+ @@ -163,7 +163,7 @@`
		`* times if 'pflag' is set`
		`*/`
		`- int upload_dir(struct sftp_conn , const char , const char *,`
		`+ int sftp_upload_dir(struct sftp_conn , const char , const char *,`
		`- int, int, int, int, int, int);`
		`+ int, int, int, int, int, int, int);`
		`-`
		`+`
		`/*`
		`* Download a 'from_path' from the 'from' connection and upload it to`
		`- diff -up openssh-8.7p1/sftp.c.scp-sftpdirs openssh-8.7p1/sftp.c`
		`- --- openssh-8.7p1/sftp.c.scp-sftpdirs 2021-08-20 06:03:49.000000000 +0200`
		`- +++ openssh-8.7p1/sftp.c 2022-02-07 12:31:07.411740442 +0100`
		`- @@ -760,7 +760,7 @@ process_put(struct sftp_conn *conn, cons`
		`- if (globpath_is_dir(g.gl_pathv[i]) && (rflag \|\| global_rflag)) {`
		`- if (upload_dir(conn, g.gl_pathv[i], abs_dst,`
		`+`
		`+ diff --git a/sftp.c b/sftp.c`
		`+ --- a/sftp.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)`
		`+ +++ b/sftp.c (date 1703168795365)`
		`+ @@ -807,7 +807,7 @@`
		`+ (rflag \|\| global_rflag)) {`
		`+ if (sftp_upload_dir(conn, g.gl_pathv[i], abs_dst,`
		`pflag \|\| global_pflag, 1, resume,`
		`- fflag \|\| global_fflag, 0, 0) == -1)`
		`+ fflag \|\| global_fflag, 0, 0, 0) == -1)`
		`err = -1;`
		`} else {`
		`- if (do_upload(conn, g.gl_pathv[i], abs_dst,`
		`- @@ -1577,7 +1577,7 @@ parse_dispatch_command(struct sftp_conn`
		`+ if (sftp_upload(conn, g.gl_pathv[i], abs_dst,`
		`+ @@ -1642,7 +1642,7 @@`
		`if (path1 == NULL \|\| *path1 == '\0')`
		`path1 = xstrdup(startdir);`
		`- path1 = make_absolute(path1, *pwd);`
		`- - if ((tmp = do_realpath(conn, path1)) == NULL) {`
		`- + if ((tmp = do_realpath(conn, path1, 0)) == NULL) {`
		`+ path1 = sftp_make_absolute(path1, *pwd);`
		`+ - if ((tmp = sftp_realpath(conn, path1)) == NULL) {`
		`+ + if ((tmp = sftp_realpath(conn, path1, 0)) == NULL) {`
		`err = 1;`
		`break;`
		`}`
		`- @@ -2160,7 +2160,7 @@ interactive_loop(struct sftp_conn *conn,`
		`+ @@ -2247,7 +2247,7 @@`
		`}`
		`#endif /* USE_LIBEDIT */`
		`-`
		`- - remote_path = do_realpath(conn, ".");`
		`- + remote_path = do_realpath(conn, ".", 0);`
		`- if (remote_path == NULL)`
		`+`
		`+ - if ((remote_path = sftp_realpath(conn, ".")) == NULL)`
		`+ + if ((remote_path = sftp_realpath(conn, ".", 0)) == NULL)`
		`fatal("Need cwd");`
		`startdir = xstrdup(remote_path);`
		`+`

openssh-9.3p1-merged-openssl-evp.patch

file modified

+30 -29

		`@@ -659,15 +659,15 @@`
		`# ifdef OPENSSL_HAS_ECC`
		`# include <openssl/ec.h>`
		`# include <openssl/ecdsa.h>`
		`- @@ -268,6 +271,10 @@`
		`+ @@ -266,6 +266,10 @@`
		`const char sshkey_ssh_name_plain(const struct sshkey );`
		`- int sshkey_names_valid2(const char *, int);`
		`+ int sshkey_names_valid2(const char *, int, int);`
		`char *sshkey_alg_list(int, int, int, char);`
		`+int sshkey_calculate_signature(EVP_PKEY, int, u_char *,`
		`+ int , const u_char , size_t);`
		`+int sshkey_verify_signature(EVP_PKEY , int, const u_char ,`
		`+ size_t, u_char *, int);`
		`-`
		`+`
		`int sshkey_from_blob(const u_char , size_t, struct sshkey *);`
		`int sshkey_fromb(struct sshbuf , struct sshkey *);`
		`@@ -324,6 +331,13 @@`
		`@@ -695,11 +695,11 @@`
		`#if !defined(WITH_OPENSSL)`
		`# undef RSA`
		`# undef DSA`
		`- diff --color -ru -x regress -x autom4te.cache -x '.o' -x '.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.3p1/ssh-pkcs11.c openssh-9.3p1-patched/ssh-pkcs11.c`
		`- --- openssh-9.3p1/ssh-pkcs11.c 2023-06-06 15:53:36.592443989 +0200`
		`- +++ openssh-9.3p1-patched/ssh-pkcs11.c 2023-06-06 15:52:25.626551768 +0200`
		`- @@ -777,8 +777,24 @@`
		`-`
		`+ diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c`
		`+ --- a/ssh-pkcs11.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)`
		`+ +++ b/ssh-pkcs11.c (date 1703110934679)`
		`+ @@ -620,8 +620,24 @@`
		`+`
		`return (0);`
		`}`
		`+`
		`@@ -711,7 +711,7 @@`
		`+ return 0;`
		`+}`
		`#endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */`
		`-`
		`+`
		`+int`
		`+is_rsa_pkcs11(RSA *rsa)`
		`+{`
		`@@ -720,16 +720,16 @@`
		`+ return 0;`
		`+}`
		`+`
		`- /* remove trailing spaces. Note, that this does NOT guarantee the buffer`
		`- * will be null terminated if there are no trailing spaces! */`
		`- static void`
		`- diff --color -ru -x regress -x autom4te.cache -x '.o' -x '.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.3p1/ssh-pkcs11-client.c openssh-9.3p1-patched/ssh-pkcs11-client.c`
		`- --- openssh-9.3p1/ssh-pkcs11-client.c 2023-06-06 15:53:36.591443976 +0200`
		`- +++ openssh-9.3p1-patched/ssh-pkcs11-client.c 2023-06-06 15:52:25.626551768 +0200`
		`- @@ -225,8 +225,36 @@`
		`- static RSA_METHOD *helper_rsa;`
		`- #if defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW)`
		`- static EC_KEY_METHOD *helper_ecdsa;`
		`+ /* remove trailing spaces */`
		`+ static char *`
		`+ rmspace(u_char *buf, size_t len)`
		`+ diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c`
		`+ --- a/ssh-pkcs11-client.c (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)`
		`+ +++ b/ssh-pkcs11-client.c (date 1703110830967)`
		`+ @@ -402,8 +402,36 @@`
		`+ if (helper->nrsa == 0 && helper->nec == 0)`
		`+ helper_terminate(helper);`
		`+ }`
		`+`
		`+int`
		`+is_ecdsa_pkcs11(EC_KEY *ecdsa)`
		`@@ -744,8 +744,8 @@`
		`+ return 1;`
		`+ return 0;`
		`+}`
		`- #endif /* OPENSSL_HAS_ECC && HAVE_EC_KEY_METHOD_NEW */`
		`-`
		`+ #endif /* defined(OPENSSL_HAS_ECC) && defined(HAVE_EC_KEY_METHOD_NEW) */`
		`+`
		`+int`
		`+is_rsa_pkcs11(RSA *rsa)`
		`+{`
		`@@ -762,14 +762,15 @@`
		`+`
		`/* redirect private key crypto operations to the ssh-pkcs11-helper */`
		`static void`
		`- wrap_key(struct sshkey *k)`
		`- diff --color -ru -x regress -x autom4te.cache -x '.o' -x '.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-9.3p1/ssh-pkcs11.h openssh-9.3p1-patched/ssh-pkcs11.h`
		`- --- openssh-9.3p1/ssh-pkcs11.h 2023-06-06 15:53:36.592443989 +0200`
		`- +++ openssh-9.3p1-patched/ssh-pkcs11.h 2023-06-06 15:52:25.626551768 +0200`
		`- @@ -39,6 +39,11 @@`
		`- u_int32_t *);`
		`- #endif`
		`-`
		`+ wrap_key(struct helper helper, struct sshkey k)`
		`+ diff --git a/ssh-pkcs11.h b/ssh-pkcs11.h`
		`+ --- a/ssh-pkcs11.h (revision 8241b9c0529228b4b86d88b1a6076fb9f97e4a99)`
		`+ +++ b/ssh-pkcs11.h (date 1703111023334)`
		`+ @@ -38,6 +38,12 @@`
		`+ /* Only available in ssh-pkcs11-client.c so far */`
		`+ int pkcs11_make_cert(const struct sshkey *,`
		`+ const struct sshkey , struct sshkey *);`
		`+ +`
		`+#ifdef HAVE_EC_KEY_METHOD_NEW`
		`+int is_ecdsa_pkcs11(EC_KEY *ecdsa);`
		`+#endif`

openssh-9.3p1-openssl-compat.patch

file removed

-40

		`@@ -1,40 +0,0 @@`
		`- --- openssh-9.3p1/openbsd-compat/openssl-compat.c 2023-03-15 22:28:19.000000000 +0100`
		`- +++ /home/dbelyavs/work/upstream/openssh-portable/openbsd-compat/openssl-compat.c 2023-05-25 14:19:42.870841944 +0200`
		`- @@ -33,10 +33,10 @@`
		`-`
		`- /*`
		`- * OpenSSL version numbers: MNNFFPPS: major minor fix patch status`
		`- - * We match major, minor, fix and status (not patch) for <1.0.0.`
		`- - * After that, we acceptable compatible fix versions (so we`
		`- - * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed`
		`- - * within a patch series.`
		`- + * Versions >=3 require only major versions to match.`
		`- + * For versions <3, we accept compatible fix versions (so we allow 1.0.1`
		`- + * to work with 1.0.0). Going backwards is only allowed within a patch series.`
		`- + * See https://www.openssl.org/policies/releasestrat.html`
		`- */`
		`-`
		`- int`
		`- @@ -48,15 +48,17 @@`
		`- if (headerver == libver)`
		`- return 1;`
		`-`
		`- - /* for versions < 1.0.0, major,minor,fix,status must match */`
		`- - if (headerver < 0x1000000f) {`
		`- - mask = 0xfffff00fL; /* major,minor,fix,status */`
		`- + /*`
		`- + * For versions >= 3.0, only the major and status must match.`
		`- + */`
		`- + if (headerver >= 0x3000000f) {`
		`- + mask = 0xf000000fL; /* major,status */`
		`- return (headerver & mask) == (libver & mask);`
		`- }`
		`-`
		`- /*`
		`- - * For versions >= 1.0.0, major,minor,status must match and library`
		`- - * fix version must be equal to or newer than the header.`
		`- + * For versions >= 1.0.0, but <3, major,minor,status must match and`
		`- + * library fix version must be equal to or newer than the header.`
		`- */`
		`- mask = 0xfff0000fL; /* major,minor,status */`
		`- hfix = (headerver & 0x000ff000) >> 12;`

openssh-9.3p1-upstream-cve-2023-38408.patch

file removed

-130

		`@@ -1,130 +0,0 @@`
		`- diff --git a/ssh-agent.c b/ssh-agent.c`
		`- index 618bb198..8ea831f4 100644`
		`- diff -up openssh-9.3p1/ssh-agent.c.cve openssh-9.3p1/ssh-agent.c`
		`- --- openssh-9.3p1/ssh-agent.c.cve 2023-07-21 15:38:13.237276580 +0200`
		`- +++ openssh-9.3p1/ssh-agent.c 2023-07-21 15:41:30.269943569 +0200`
		`- @@ -169,6 +169,12 @@ char socket_dir[PATH_MAX];`
		`- /* Pattern-list of allowed PKCS#11/Security key paths */`
		`- static char *allowed_providers;`
		`-`
		`- +/*`
		`- + * Allows PKCS11 providers or SK keys that use non-internal providers to`
		`- + * be added over a remote connection (identified by session-bind@openssh.com).`
		`- + */`
		`- +static int remote_add_provider;`
		`- +`
		`- /* locking */`
		`- #define LOCK_SIZE 32`
		`- #define LOCK_SALT_SIZE 16`
		`- @@ -1228,6 +1234,12 @@ process_add_identity(SocketEntry *e)`
		`- if (strcasecmp(sk_provider, "internal") == 0) {`
		`- debug_f("internal provider");`
		`- } else {`
		`- + if (e->nsession_ids != 0 && !remote_add_provider) {`
		`- + verbose("failed add of SK provider \"%.100s\": "`
		`- + "remote addition of providers is disabled",`
		`- + sk_provider);`
		`- + goto out;`
		`- + }`
		`- if (realpath(sk_provider, canonical_provider) == NULL) {`
		`- verbose("failed provider \"%.100s\": "`
		`- "realpath: %s", sk_provider,`
		`- @@ -1368,7 +1380,7 @@ no_identities(SocketEntry *e)`
		`-`
		`- #ifdef ENABLE_PKCS11`
		`- static char *`
		`- -sanitize_pkcs11_provider(const char *provider)`
		`- +sanitize_pkcs11_provider(SocketEntry e, const char provider)`
		`- {`
		`- struct pkcs11_uri *uri = NULL;`
		`- char sane_uri, module_path = NULL; /* default path */`
		`- @@ -1399,6 +1411,11 @@ sanitize_pkcs11_provider(const char *pro`
		`- module_path = strdup(provider); /* simple path */`
		`-`
		`- if (module_path != NULL) { /* do not validate default NULL path in URI */`
		`- + if (e->nsession_ids != 0 && !remote_add_provider) {`
		`- + verbose("failed PKCS#11 add of \"%.100s\": remote addition of "`
		`- + "providers is disabled", provider);`
		`- + return NULL;`
		`- + }`
		`- if (realpath(module_path, canonical_provider) == NULL) {`
		`- verbose("failed PKCS#11 provider \"%.100s\": realpath: %s",`
		`- module_path, strerror(errno));`
		`- @@ -1455,7 +1472,7 @@ process_add_smartcard_key(SocketEntry *e`
		`- goto send;`
		`- }`
		`-`
		`- - sane_uri = sanitize_pkcs11_provider(provider);`
		`- + sane_uri = sanitize_pkcs11_provider(e, provider);`
		`- if (sane_uri == NULL)`
		`- goto send;`
		`-`
		`- @@ -1516,7 +1533,7 @@ process_remove_smartcard_key(SocketEntry`
		`- }`
		`- free(pin);`
		`-`
		`- - sane_uri = sanitize_pkcs11_provider(provider);`
		`- + sane_uri = sanitize_pkcs11_provider(e, provider);`
		`- if (sane_uri == NULL)`
		`- goto send;`
		`-`
		`- @@ -2108,7 +2125,9 @@ main(int ac, char **av)`
		`- break;`
		`- case 'O':`
		`- if (strcmp(optarg, "no-restrict-websafe") == 0)`
		`- - restrict_websafe = 0;`
		`- + restrict_websafe = 0;`
		`- + else if (strcmp(optarg, "allow-remote-pkcs11") == 0)`
		`- + remote_add_provider = 1;`
		`- else`
		`- fatal("Unknown -O option");`
		`- break;`
		`- diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c`
		`- index 6be647ec..ebddf6c3 100644`
		`- --- a/ssh-pkcs11.c`
		`- +++ b/ssh-pkcs11.c`
		`- @@ -1537,10 +1537,8 @@ pkcs11_register_provider(char provider_id, char pin,`
		`- error("dlopen %s failed: %s", provider_module, dlerror());`
		`- goto fail;`
		`- }`
		`- - if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL) {`
		`- - error("dlsym(C_GetFunctionList) failed: %s", dlerror());`
		`- - goto fail;`
		`- - }`
		`- + if ((getfunctionlist = dlsym(handle, "C_GetFunctionList")) == NULL)`
		`- + fatal("dlsym(C_GetFunctionList) failed: %s", dlerror());`
		`-`
		`- p->module->handle = handle;`
		`- /* setup the pkcs11 callbacks */`
		`- --- a/ssh-agent.1 2023-03-15 22:28:19.000000000 +0100`
		`- +++ b/ssh-agent.1 2023-07-19 21:39:17.981406432 +0200`
		`- @@ -107,9 +107,27 @@`
		`- .It Fl O Ar option`
		`- Specify an option when starting`
		`- .Nm .`
		`- -Currently only one option is supported:`
		`- +Currently two options are supported:`
		`- +.Cm allow-remote-pkcs11`
		`- +and`
		`- .Cm no-restrict-websafe .`
		`- -This instructs`
		`- +.Pp`
		`- +The`
		`- +.Cm allow-remote-pkcs11`
		`- +option allows clients of a forwarded`
		`- +.Nm`
		`- +to load PKCS#11 or FIDO provider libraries.`
		`- +By default only local clients may perform this operation.`
		`- +Note that signalling that a`
		`- +.Nm`
		`- +client remote is performed by`
		`- +.Xr ssh 1 ,`
		`- +and use of other tools to forward access to the agent socket may circumvent`
		`- +this restriction.`
		`- +.Pp`
		`- +The`
		`- +.Cm no-restrict-websafe ,`
		`- +instructs`
		`- .Nm`
		`- to permit signatures using FIDO keys that might be web authentication`
		`- requests.`

openssh.spec

file modified

+9 -9

		`@@ -46,8 +46,8 @@`
		`%{?static_openssl:%global static_libcrypto 1}`

		`# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1`
		`- %global openssh_ver 9.3p1`
		`- %global openssh_rel 13`
		`+ %global openssh_ver 9.6p1`
		`+ %global openssh_rel 1`
		`%global pam_ssh_agent_ver 0.10.4`
		`%global pam_ssh_agent_rel 9`

		`@@ -228,9 +228,6 @@`
		`Patch1012: openssh-9.0p1-evp-fips-dh.patch`
		`Patch1013: openssh-9.0p1-evp-fips-ecdh.patch`
		`Patch1014: openssh-8.7p1-nohostsha1proof.patch`
		`- Patch1015: openssh-9.3p1-upstream-cve-2023-38408.patch`
		`- # upstream b7afd8a4ecaca8afd3179b55e9db79c0ff210237`
		`- Patch1016: openssh-9.3p1-openssl-compat.patch`

		`License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant`
		`Requires: /sbin/nologin`
		`@@ -405,7 +402,8 @@`
		`%patch -P 948 -p1 -b .systemd`
		`%patch -P 949 -p1 -b .refactor`
		`%patch -P 950 -p1 -b .sandbox`
		`- %patch -P 951 -p1 -b .pkcs11-uri`
		`+ #TODO: Uncomment before merging`
		`+ #%patch -P 951 -p1 -b .pkcs11-uri`
		`%patch -P 953 -p1 -b .scp-ipv6`
		`%patch -P 962 -p1 -b .crypto-policies`
		`%patch -P 963 -p1 -b .openssl-evp`
		`@@ -433,10 +431,9 @@`
		`%patch -P 1012 -p1 -b .evp-fips-dh`
		`%patch -P 1013 -p1 -b .evp-fips-ecdh`
		`%patch -P 1014 -p1 -b .nosha1hostproof`
		`- %patch -P 1015 -p1 -b .cve-2023-38408`
		`- %patch -P 1016 -p1 -b .ossl-version`

		`- %patch -P 100 -p1 -b .coverity`
		`+ #TODO: Uncomment before merging`
		`+ #%patch -P 100 -p1 -b .coverity`

		`autoreconf`
		`pushd pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}`
		`@@ -744,6 +741,9 @@`
		`%endif`

		`%changelog`
		`+ * Tue Dec 26 2023 Daniel Milnes <daniel@daniel-milnes.uk> - 9.6p1`
		`+ - Update to OpenSSH 9.6`
		`+`
		`* Fri Dec 22 2023 Florian Weimer <fweimer@redhat.com> - 9.3p1-13.1`
		`- Fix type errors in downstream gssapi-keyex patch`

sources

file modified

+2 -2

		`@@ -1,4 +1,4 @@`
		`- SHA512 (openssh-9.3p1.tar.gz) = 087ff6fe5f6caab4c6c3001d906399e02beffad7277280f11187420c2939fd4befdcb14643862a657ce4cad2f115b82a0a1a2c99df6ee54dcd76b53647637c19`
		`- SHA512 (openssh-9.3p1.tar.gz.asc) = 6222378eb24a445c6c1db255392b405f5369b1af0e92f558d4ba05b0d83ab0d084cb8f4b91d7ae8636f333d970638a6635e2bc7af885135dd34992d87f2ef1f4`
		`+ SHA512 (openssh-9.6p1.tar.gz) = 0ebf81e39914c3a90d7777a001ec7376a94b37e6024baf3e972c58f0982b7ddef942315f5e01d56c00ff95603b4a20ee561ab918ecc55511df007ac138160509`
		`+ SHA512 (openssh-9.6p1.tar.gz.asc) = aec5a5bd6ce480a8e5b5879dc55f8186aec90fe61f085aa92ad7d07f324574aa781be09c83b7443a32848d091fd44fb12c1842d49cee77afc351e550ffcc096d`
		`SHA512 (pam_ssh_agent_auth-0.10.4.tar.gz) = caccf72174d15e43f4c86a459ac6448682e62116557cf1e1e828955f3d1731595b238df42adec57860e7f341e92daf5d8285020bcb5018f3b8a5145aa32ee1c2`
		`SHA512 (gpgkey-736060BA.gpg) = df44f3fdbcd1d596705348c7f5aed3f738c5f626a55955e0642f7c6c082995cf36a1b1891bb41b8715cb2aff34fef1c877e0eff0d3507dd00a055ba695757a21`

thebeanogamer commented 5 months ago

Start the process of updating OpenSSH to 9.6. This is a best attempt, and it's not yet ready for merging.

Whilst I have been able to rebase most of the patches, I'm not confident enough in my rebase of openssh-8.0p1-pkcs11-uri.patch to include it here. This has also required me to disable openssh-6.7p1-coverity.patch as it builds on the first patch. If they've got the time, I'd appreciate @jjelen giving that a go that as the original author please.

Whilst the STI system tests appear to pass with this patchset, upstream's tests fail in the same place they did before (after the main tests, during the regression tests).
- Tests on rawhide: https://koji.fedoraproject.org/koji/taskinfo?taskID=110890575
- Tests on this branch (without the PKCS11 patch): https://koji.fedoraproject.org/koji/taskinfo?taskID=110895918

Scratch build: https://koji.fedoraproject.org/koji/taskinfo?taskID=110896733

Resolves:
- rhbz#2230781
- rhbz#2255851
- rhbz#2255125
- rhbz#2255272
- rhbz#2255273

If it's easier, I'm happy for this branch to be discarded and the package team to begin the 9.6 update from scratch.

1 new commit added

Update sources for 9.6

5 months ago

zuul commented 5 months ago

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci
https://fedora.softwarefactory-project.io/zuul/buildset/b9efe0b2082840d988cf0150d39f1cab

check-for-arches : SUCCESS in 2m 19s
check-for-eln : SUCCESS in 18s
eln-rpm-scratch-build : SUCCESS in 12m 49s
rpm-scratch-build : SUCCESS in 11m 21s
rpm-scratch-build-s390x : SUCCESS in 10m 54s (non-voting)
rpm-scratch-build-ppc64le : SUCCESS in 13m 53s (non-voting)
rpm-scratch-build-i686 : SUCCESS in 11m 32s (non-voting)
rpm-scratch-build-aarch64 : SUCCESS in 14m 52s (non-voting)
rpm-linter : FAILURE in 6m 50s (non-voting)
rpm-rpminspect : FAILURE in 14m 21s (non-voting)
check-for-sti-tests : SUCCESS in 15s
check-for-fmf-tests : SUCCESS in 15s
rpm-install-test : SUCCESS in 2m 40s
rpm-sti-test : FAILURE in 6m 21s
Skipped 1 job

dbelyavs commented 4 months ago

Many thanks for your efforts! I currently start working on rebasing OpenSSH in rawhide and maybe in F39 and will look at your patches

dbelyavs commented 4 months ago

Upstream tests are mostly passing but the interop_tests are failing. I'm going to investigate it

dbelyavs commented 4 months ago

Many thanks for your contribution!
After some tuning and backporting openssh-8.0p1-pkcs11-uri.patch all tests are passing so I merged the PR based on your code changes.