[openssh] 6.7p1-1 + 0.9.3-4
Petr Lautrbach
plautrba at fedoraproject.org
Tue Jan 20 12:29:51 UTC 2015
commit 190035191329fb89efefd8189969117a94fcaeda
Author: Petr Lautrbach <plautrba at redhat.com>
Date: Tue Jan 20 13:18:45 2015 +0100
6.7p1-1 + 0.9.3-4
.gitignore | 1 +
openssh-5.6p1-exit-deadlock.patch | 14 -
openssh-5.9p1-edns.patch | 72 --
openssh-6.2p1-vendor.patch | 135 ++-
openssh-6.6.1p1-audit-pfs.patch | 212 ----
openssh-6.6.1p1-log-in-chroot.patch | 44 +-
openssh-6.6.1p1-selinux-contexts.patch | 14 +-
openssh-6.6p1-GSSAPIEnablek5users.patch | 38 +-
openssh-6.6p1-ctr-cavstest.patch | 14 +-
openssh-6.6p1-entropy.patch | 36 +-
openssh-6.6p1-fingerprint.patch | 415 -------
openssh-6.6p1-force_krb.patch | 25 +-
openssh-6.6p1-gsskex.patch | 257 ++---
openssh-6.6p1-keycat.patch | 36 +-
openssh-6.6p1-keyperm.patch | 13 +-
openssh-6.6p1-kuserok.patch | 50 +-
openssh-6.6p1-role-mls.patch | 75 +-
...-6.6p1-audit.patch => openssh-6.7p1-audit.patch | 450 ++++---
openssh-6.7p1-fingerprint.patch | 1271 ++++++++++++--------
...sh-6.6p1-fips.patch => openssh-6.7p1-fips.patch | 340 ++----
...sh-6.6p1-ldap.patch => openssh-6.7p1-ldap.patch | 30 +-
openssh.spec | 42 +-
pam_ssh_agent_auth-0.9.3-fingerprint-hash.patch | 64 +
sources | 2 +-
24 files changed, 1601 insertions(+), 2049 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index e407e89..b64821a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,3 +13,4 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
/openssh-6.3p1.tar.gz
/openssh-6.4p1.tar.gz
/openssh-6.6p1.tar.gz
+/openssh-6.7p1.tar.gz
diff --git a/openssh-6.2p1-vendor.patch b/openssh-6.2p1-vendor.patch
index ddccd2c..583a486 100644
--- a/openssh-6.2p1-vendor.patch
+++ b/openssh-6.2p1-vendor.patch
@@ -1,7 +1,8 @@
-diff -up openssh-6.2p1/configure.ac.vendor openssh-6.2p1/configure.ac
---- openssh-6.2p1/configure.ac.vendor 2013-03-25 19:34:01.277495179 +0100
-+++ openssh-6.2p1/configure.ac 2013-03-25 19:34:01.377495818 +0100
-@@ -4420,6 +4420,12 @@ AC_ARG_WITH([lastlog],
+diff --git a/configure.ac b/configure.ac
+index 6553074..8dedb95 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -4676,6 +4676,12 @@ AC_ARG_WITH([lastlog],
fi
]
)
@@ -14,7 +15,7 @@ diff -up openssh-6.2p1/configure.ac.vendor openssh-6.2p1/configure.ac
dnl lastlog, [uw]tmpx? detection
dnl NOTE: set the paths in the platform section to avoid the
-@@ -4681,6 +4687,7 @@ echo " Translate v4 in v6 hack
+@@ -4938,6 +4944,7 @@ echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
echo " BSD Auth support: $BSD_AUTH_MSG"
echo " Random number source: $RAND_MSG"
echo " Privsep sandbox style: $SANDBOX_STYLE"
@@ -22,10 +23,11 @@ diff -up openssh-6.2p1/configure.ac.vendor openssh-6.2p1/configure.ac
echo ""
-diff -up openssh-6.2p1/servconf.c.vendor openssh-6.2p1/servconf.c
---- openssh-6.2p1/servconf.c.vendor 2013-03-25 19:34:01.197494668 +0100
-+++ openssh-6.2p1/servconf.c 2013-03-25 19:34:01.379495831 +0100
-@@ -128,6 +128,7 @@ initialize_server_options(ServerOptions
+diff --git a/servconf.c b/servconf.c
+index e3ebaac..c8a3f28 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -141,6 +141,7 @@ initialize_server_options(ServerOptions *options)
options->max_authtries = -1;
options->max_sessions = -1;
options->banner = NULL;
@@ -33,17 +35,16 @@ diff -up openssh-6.2p1/servconf.c.vendor openssh-6.2p1/servconf.c
options->use_dns = -1;
options->client_alive_interval = -1;
options->client_alive_count_max = -1;
-@@ -287,6 +288,9 @@ fill_default_server_options(ServerOption
+@@ -310,6 +311,8 @@ fill_default_server_options(ServerOptions *options)
options->ip_qos_bulk = IPTOS_THROUGHPUT;
if (options->version_addendum == NULL)
options->version_addendum = xstrdup("");
+ if (options->show_patchlevel == -1)
+ options->show_patchlevel = 0;
-+
- /* Turn privilege separation on by default */
- if (use_privsep == -1)
- use_privsep = PRIVSEP_NOSANDBOX;
-@@ -324,7 +328,7 @@ typedef enum {
+ if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
+ options->fwd_opts.streamlocal_bind_mask = 0177;
+ if (options->fwd_opts.streamlocal_bind_unlink == -1)
+@@ -353,7 +356,7 @@ typedef enum {
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
sMaxStartups, sMaxAuthTries, sMaxSessions,
@@ -52,7 +53,7 @@ diff -up openssh-6.2p1/servconf.c.vendor openssh-6.2p1/servconf.c
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
-@@ -439,6 +443,7 @@ static struct {
+@@ -467,6 +470,7 @@ static struct {
{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
{ "maxsessions", sMaxSessions, SSHCFG_ALL },
{ "banner", sBanner, SSHCFG_ALL },
@@ -60,7 +61,7 @@ diff -up openssh-6.2p1/servconf.c.vendor openssh-6.2p1/servconf.c
{ "usedns", sUseDNS, SSHCFG_GLOBAL },
{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
-@@ -1163,6 +1168,10 @@ process_server_config_line(ServerOptions
+@@ -1263,6 +1267,10 @@ process_server_config_line(ServerOptions *options, char *line,
multistate_ptr = multistate_privsep;
goto parse_multistate;
@@ -71,18 +72,19 @@ diff -up openssh-6.2p1/servconf.c.vendor openssh-6.2p1/servconf.c
case sAllowUsers:
while ((arg = strdelim(&cp)) && *arg != '\0') {
if (options->num_allow_users >= MAX_ALLOW_USERS)
-@@ -1950,6 +1959,7 @@ dump_config(ServerOptions *o)
+@@ -2081,6 +2089,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUseLogin, o->use_login);
dump_cfg_fmtint(sCompression, o->compression);
- dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
+ dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
+ dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel);
dump_cfg_fmtint(sUseDNS, o->use_dns);
dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
- dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
-diff -up openssh-6.2p1/servconf.h.vendor openssh-6.2p1/servconf.h
---- openssh-6.2p1/servconf.h.vendor 2013-01-09 05:56:45.000000000 +0100
-+++ openssh-6.2p1/servconf.h 2013-03-25 19:34:01.379495831 +0100
-@@ -147,6 +147,7 @@ typedef struct {
+ dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
+diff --git a/servconf.h b/servconf.h
+index 49b228b..21719e2 100644
+--- a/servconf.h
++++ b/servconf.h
+@@ -149,6 +149,7 @@ typedef struct {
int max_authtries;
int max_sessions;
char *banner; /* SSH-2 banner message */
@@ -90,10 +92,34 @@ diff -up openssh-6.2p1/servconf.h.vendor openssh-6.2p1/servconf.h
int use_dns;
int client_alive_interval; /*
* poke the client this often to
-diff -up openssh-6.2p1/sshd_config.vendor openssh-6.2p1/sshd_config
---- openssh-6.2p1/sshd_config.vendor 2013-03-25 19:34:01.380495837 +0100
-+++ openssh-6.2p1/sshd_config 2013-03-25 19:44:43.471296362 +0100
-@@ -118,6 +118,7 @@ UsePrivilegeSeparation sandbox # Defaul
+diff --git a/sshd.c b/sshd.c
+index afe9afa..193b206 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -432,7 +432,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
+ }
+
+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
+- major, minor, SSH_VERSION,
++ major, minor, (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
+ *options.version_addendum == '\0' ? "" : " ",
+ options.version_addendum, newline);
+
+@@ -1677,7 +1677,8 @@ main(int ac, char **av)
+ exit(1);
+ }
+
+- debug("sshd version %s, %s", SSH_VERSION,
++ debug("sshd version %s, %s",
++ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
+ #ifdef WITH_OPENSSL
+ SSLeay_version(SSLEAY_VERSION)
+ #else
+diff --git a/sshd_config b/sshd_config
+index 3092ac6..da3db5d 100644
+--- a/sshd_config
++++ b/sshd_config
+@@ -119,6 +119,7 @@ UsePrivilegeSeparation sandbox # Default for new installations.
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
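Review bot: The identification string built by the `xasprintf(&server_version_string, ...)` call in `sshd_exchange_identification` is sent to every connecting peer before authentication, and nothing beside the call says so. With `ShowPatchLevel yes`, the expression `(options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION` puts the vendor build level into that string. A comment above the call would record this, for example `/* ShowPatchLevel: banner is sent pre-auth, so the vendor patch level is visible to unauthenticated peers */`. The same ternary is repeated in the `debug("sshd version %s, %s", ...)` call in `main`; one macro or helper that returns the selected version string would keep the two call sites from drifting apart on the next rebase. Both functions start and end outside this hunk.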
@@ -101,10 +127,11 @@ diff -up openssh-6.2p1/sshd_config.vendor openssh-6.2p1/sshd_config
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
-diff -up openssh-6.2p1/sshd_config.0.vendor openssh-6.2p1/sshd_config.0
---- openssh-6.2p1/sshd_config.0.vendor 2013-03-25 19:34:01.361495716 +0100
-+++ openssh-6.2p1/sshd_config.0 2013-03-25 19:34:01.381495844 +0100
-@@ -595,6 +595,11 @@ DESCRIPTION
+diff --git a/sshd_config.0 b/sshd_config.0
+index 43867d3..a3898c3 100644
+--- a/sshd_config.0
++++ b/sshd_config.0
+@@ -700,6 +700,11 @@ DESCRIPTION
Defines the number of bits in the ephemeral protocol version 1
server key. The minimum value is 512, and the default is 1024.
@@ -113,13 +140,14 @@ diff -up openssh-6.2p1/sshd_config.0.vendor openssh-6.2p1/sshd_config.0
+ the binary in the server identification string. The patch level
+ is set at compile-time. The default is M-bM-^@M-^\noM-bM-^@M-^].
+
- StrictModes
- Specifies whether sshd(8) should check file modes and ownership
- of the user's files and home directory before accepting login.
-diff -up openssh-6.2p1/sshd_config.5.vendor openssh-6.2p1/sshd_config.5
---- openssh-6.2p1/sshd_config.5.vendor 2013-03-25 19:34:01.362495722 +0100
-+++ openssh-6.2p1/sshd_config.5 2013-03-25 19:34:01.382495850 +0100
-@@ -1019,6 +1019,14 @@ This option applies to protocol version
+ StreamLocalBindMask
+ Sets the octal file creation mode mask (umask) used when creating
+ a Unix-domain socket file for local or remote port forwarding.
+diff --git a/sshd_config.5 b/sshd_config.5
+index 89a0cf2..cccb310 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -1200,6 +1200,13 @@ This option applies to protocol version 1 only.
.It Cm ServerKeyBits
Defines the number of bits in the ephemeral protocol version 1 server key.
The minimum value is 512, and the default is 1024.
@@ -130,29 +158,6 @@ diff -up openssh-6.2p1/sshd_config.5.vendor openssh-6.2p1/sshd_config.5
+The patch level is set at compile-time.
+The default is
+.Dq no .
-+This option applies to protocol version 1 only.
- .It Cm StrictModes
- Specifies whether
- .Xr sshd 8
-diff -up openssh-6.2p1/sshd.c.vendor openssh-6.2p1/sshd.c
---- openssh-6.2p1/sshd.c.vendor 2013-03-25 19:34:01.332495531 +0100
-+++ openssh-6.2p1/sshd.c 2013-03-25 19:44:11.864112092 +0100
-@@ -442,7 +442,7 @@ sshd_exchange_identification(int sock_in
- }
-
- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
-- major, minor, SSH_VERSION,
-+ major, minor, (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
- *options.version_addendum == '\0' ? "" : " ",
- options.version_addendum, newline);
-
-@@ -1675,7 +1675,8 @@ main(int ac, char **av)
- exit(1);
- }
-
-- debug("sshd version %s, %s", SSH_VERSION,
-+ debug("sshd version %s, %s",
-+ (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION,
- SSLeay_version(SSLEAY_VERSION));
-
- /* Store privilege separation user for later use if required. */
+ .It Cm StreamLocalBindMask
+ Sets the octal file creation mode mask
+ .Pq umask
diff --git a/openssh-6.6.1p1-log-in-chroot.patch b/openssh-6.6.1p1-log-in-chroot.patch
index bccf39b..bca27be 100644
--- a/openssh-6.6.1p1-log-in-chroot.patch
+++ b/openssh-6.6.1p1-log-in-chroot.patch
@@ -40,10 +40,10 @@ index ae7df25..30c3310 100644
int log_is_on_stderr(void);
void log_redirect_stderr_to(const char *);
diff --git a/monitor.c b/monitor.c
-index 7461fae..da2f766 100644
+index 7ebc76e..d97e640 100644
--- a/monitor.c
+++ b/monitor.c
-@@ -364,6 +364,8 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
+@@ -378,6 +378,8 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
close(pmonitor->m_log_sendfd);
pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1;
@@ -52,7 +52,7 @@ index 7461fae..da2f766 100644
authctxt = _authctxt;
memset(authctxt, 0, sizeof(*authctxt));
-@@ -472,6 +474,8 @@ monitor_child_postauth(struct monitor *pmonitor)
+@@ -486,6 +488,8 @@ monitor_child_postauth(struct monitor *pmonitor)
close(pmonitor->m_recvfd);
pmonitor->m_recvfd = -1;
@@ -61,7 +61,7 @@ index 7461fae..da2f766 100644
monitor_set_child_handler(pmonitor->m_pid);
signal(SIGHUP, &monitor_child_handler);
signal(SIGTERM, &monitor_child_handler);
-@@ -552,7 +556,7 @@ monitor_read_log(struct monitor *pmonitor)
+@@ -566,7 +570,7 @@ monitor_read_log(struct monitor *pmonitor)
if (log_level_name(level) == NULL)
fatal("%s: invalid log level %u (corrupted message?)",
__func__, level);
@@ -70,7 +70,7 @@ index 7461fae..da2f766 100644
buffer_free(&logmsg);
free(msg);
-@@ -2083,13 +2087,28 @@ monitor_init(void)
+@@ -2107,13 +2111,28 @@ monitor_init(void)
mm_init_compression(mon->m_zlib);
}
@@ -119,7 +119,7 @@ index ff79fbb..00c2028 100644
struct Authctxt;
diff --git a/session.c b/session.c
-index e4add93..bc4a8dd 100644
+index 9c94d8e..40a681e 100644
--- a/session.c
+++ b/session.c
@@ -160,6 +160,8 @@ login_cap_t *lc;
@@ -131,7 +131,7 @@ index e4add93..bc4a8dd 100644
/* Name and directory of socket for authentication agent forwarding. */
static char *auth_sock_name = NULL;
static char *auth_sock_dir = NULL;
-@@ -523,8 +525,8 @@ do_exec_no_pty(Session *s, const char *command)
+@@ -505,8 +507,8 @@ do_exec_no_pty(Session *s, const char *command)
is_child = 1;
/* Child. Reinitialize the log since the pid has changed. */
@@ -142,7 +142,7 @@ index e4add93..bc4a8dd 100644
/*
* Create a new session and process group since the 4.4BSD
-@@ -692,8 +694,8 @@ do_exec_pty(Session *s, const char *command)
+@@ -674,8 +676,8 @@ do_exec_pty(Session *s, const char *command)
close(ptymaster);
/* Child. Reinitialize the log because the pid has changed. */
@@ -153,7 +153,7 @@ index e4add93..bc4a8dd 100644
/* Close the master side of the pseudo tty. */
close(ptyfd);
-@@ -797,6 +799,7 @@ do_exec(Session *s, const char *command)
+@@ -779,6 +781,7 @@ do_exec(Session *s, const char *command)
int ret;
const char *forced = NULL;
char session_type[1024], *tty = NULL;
@@ -161,7 +161,7 @@ index e4add93..bc4a8dd 100644
if (options.adm_forced_command) {
original_command = command;
-@@ -854,6 +857,10 @@ do_exec(Session *s, const char *command)
+@@ -836,6 +839,10 @@ do_exec(Session *s, const char *command)
tty += 5;
}
@@ -172,7 +172,7 @@ index e4add93..bc4a8dd 100644
verbose("Starting session: %s%s%s for %s from %.200s port %d",
session_type,
tty == NULL ? "" : " on ",
-@@ -1681,14 +1688,6 @@ child_close_fds(void)
+@@ -1677,14 +1684,6 @@ child_close_fds(void)
* descriptors left by system functions. They will be closed later.
*/
endpwent();
@@ -187,7 +187,7 @@ index e4add93..bc4a8dd 100644
}
/*
-@@ -1834,8 +1833,6 @@ do_child(Session *s, const char *command)
+@@ -1830,8 +1829,6 @@ do_child(Session *s, const char *command)
exit(1);
}
@@ -196,7 +196,7 @@ index e4add93..bc4a8dd 100644
if (!options.use_login)
do_rc_files(s, shell);
-@@ -1859,9 +1856,17 @@ do_child(Session *s, const char *command)
+@@ -1855,9 +1852,17 @@ do_child(Session *s, const char *command)
argv[i] = NULL;
optind = optreset = 1;
__progname = argv[0];
@@ -227,10 +227,10 @@ index 7e644ab..e162b7a 100644
+ return (sftp_server_main(argc, argv, user_pw, 0));
}
diff --git a/sftp-server.c b/sftp-server.c
-index b8eb59c..a0e644c 100644
+index 0177130..8fa7fc7 100644
--- a/sftp-server.c
+++ b/sftp-server.c
-@@ -1437,7 +1437,7 @@ sftp_server_usage(void)
+@@ -1440,7 +1440,7 @@ sftp_server_usage(void)
}
int
@@ -239,7 +239,7 @@ index b8eb59c..a0e644c 100644
{
fd_set *rset, *wset;
int i, in, out, max, ch, skipargs = 0, log_stderr = 0;
-@@ -1450,7 +1450,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
+@@ -1453,7 +1453,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
extern char *__progname;
__progname = ssh_get_progname(argv[0]);
@@ -248,15 +248,15 @@ index b8eb59c..a0e644c 100644
pw = pwcopy(user_pw);
-@@ -1521,7 +1521,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
+@@ -1524,7 +1524,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
}
}
- log_init(__progname, log_level, log_facility, log_stderr);
+ log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler);
- if ((cp = getenv("SSH_CONNECTION")) != NULL) {
- client_addr = xstrdup(cp);
+ #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
+ /*
diff --git a/sftp.h b/sftp.h
index 2bde8bb..ddf1a39 100644
--- a/sftp.h
@@ -269,10 +269,10 @@ index 2bde8bb..ddf1a39 100644
+int sftp_server_main(int, char **, struct passwd *, int);
void sftp_server_cleanup_exit(int) __attribute__((noreturn));
diff --git a/sshd.c b/sshd.c
-index 3eee75a..9c00bcb 100644
+index 39b9c08..ca55d7f 100644
--- a/sshd.c
+++ b/sshd.c
-@@ -745,7 +745,7 @@ privsep_postauth(Authctxt *authctxt)
+@@ -737,7 +737,7 @@ privsep_postauth(Authctxt *authctxt)
}
/* New socket pair */
@@ -281,7 +281,7 @@ index 3eee75a..9c00bcb 100644
pmonitor->m_pid = fork();
if (pmonitor->m_pid == -1)
-@@ -763,6 +763,11 @@ privsep_postauth(Authctxt *authctxt)
+@@ -755,6 +755,11 @@ privsep_postauth(Authctxt *authctxt)
close(pmonitor->m_sendfd);
pmonitor->m_sendfd = -1;
diff --git a/openssh-6.6.1p1-selinux-contexts.patch b/openssh-6.6.1p1-selinux-contexts.patch
index a831a15..425ffda 100644
--- a/openssh-6.6.1p1-selinux-contexts.patch
+++ b/openssh-6.6.1p1-selinux-contexts.patch
@@ -1,16 +1,16 @@
diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c
-index 0077dd7..e3f2ced 100644
+index 8f32464..18a2ca4 100644
--- a/openbsd-compat/port-linux-sshd.c
+++ b/openbsd-compat/port-linux-sshd.c
-@@ -31,6 +31,7 @@
- #include "xmalloc.h"
+@@ -32,6 +32,7 @@
+ #include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
#include "servconf.h"
#include "port-linux.h"
+#include "misc.h"
#include "key.h"
#include "hostfile.h"
#include "auth.h"
-@@ -444,7 +445,7 @@ sshd_selinux_setup_exec_context(char *pwname)
+@@ -445,7 +446,7 @@ sshd_selinux_setup_exec_context(char *pwname)
void
sshd_selinux_copy_context(void)
{
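Review bot: The rebased patch still adds `+#include "misc.h"` after `#include "port-linux.h"`, although the 6.7p1 context two lines above it now already contains `#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */`. The duplicate is harmless only if misc.h is protected by include guards, which is not visible here, and it is redundant either way. Dropping the added include line from the patch leaves port-linux-sshd.c with a single include of misc.h and removes one source of conflicts on later rebases.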
@@ -19,7 +19,7 @@ index 0077dd7..e3f2ced 100644
if (!sshd_selinux_enabled())
return;
-@@ -460,6 +461,58 @@ sshd_selinux_copy_context(void)
+@@ -461,6 +462,58 @@ sshd_selinux_copy_context(void)
}
}
@@ -104,10 +104,10 @@ index cb51f99..8b7cda2 100644
#ifdef LINUX_OOM_ADJUST
diff --git a/sshd.c b/sshd.c
-index 512c7ed..3eee75a 100644
+index 2871fe9..39b9c08 100644
--- a/sshd.c
+++ b/sshd.c
-@@ -637,7 +637,7 @@ privsep_preauth_child(void)
+@@ -629,7 +629,7 @@ privsep_preauth_child(void)
demote_sensitive_data();
#ifdef WITH_SELINUX
diff --git a/openssh-6.6p1-GSSAPIEnablek5users.patch b/openssh-6.6p1-GSSAPIEnablek5users.patch
index a60d608..a51e199 100644
--- a/openssh-6.6p1-GSSAPIEnablek5users.patch
+++ b/openssh-6.6p1-GSSAPIEnablek5users.patch
@@ -1,5 +1,5 @@
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
-index 0a4930e..a7c0c5f 100644
+index 961c564..0fcfd7b 100644
--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
@@ -260,7 +260,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name,
@@ -20,27 +20,27 @@ index 0a4930e..a7c0c5f 100644
k5login_exists);
}
diff --git a/servconf.c b/servconf.c
-index d482e79..ad5869b 100644
+index e4164b1..87a311b 100644
--- a/servconf.c
+++ b/servconf.c
-@@ -158,6 +158,7 @@ initialize_server_options(ServerOptions *options)
- options->ip_qos_bulk = -1;
+@@ -164,6 +164,7 @@ initialize_server_options(ServerOptions *options)
options->version_addendum = NULL;
+ options->fingerprint_hash = -1;
options->use_kuserok = -1;
+ options->enable_k5users = -1;
}
void
-@@ -315,6 +316,8 @@ fill_default_server_options(ServerOptions *options)
- options->show_patchlevel = 0;
+@@ -331,6 +332,8 @@ fill_default_server_options(ServerOptions *options)
+ options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
if (options->use_kuserok == -1)
options->use_kuserok = 1;
+ if (options->enable_k5users == -1)
+ options->enable_k5users = 0;
-
/* Turn privilege separation on by default */
if (use_privsep == -1)
-@@ -356,7 +359,7 @@ typedef enum {
+ use_privsep = PRIVSEP_NOSANDBOX;
+@@ -371,7 +374,7 @@ typedef enum {
sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile,
@@ -49,7 +49,7 @@ index d482e79..ad5869b 100644
sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel,
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
-@@ -430,6 +433,7 @@ static struct {
+@@ -447,6 +450,7 @@ static struct {
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
@@ -57,7 +57,7 @@ index d482e79..ad5869b 100644
#else
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
-@@ -437,6 +441,7 @@ static struct {
+@@ -454,6 +458,7 @@ static struct {
{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
@@ -65,7 +65,7 @@ index d482e79..ad5869b 100644
#endif
{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
-@@ -1536,6 +1541,10 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1566,6 +1571,10 @@ process_server_config_line(ServerOptions *options, char *line,
intptr = &options->use_kuserok;
goto parse_flag;
@@ -76,7 +76,7 @@ index d482e79..ad5869b 100644
case sPermitOpen:
arg = strdelim(&cp);
if (!arg || *arg == '\0')
-@@ -1824,6 +1833,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
+@@ -1884,6 +1893,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
M_CP_INTOPT(ip_qos_interactive);
M_CP_INTOPT(ip_qos_bulk);
M_CP_INTOPT(use_kuserok);
@@ -84,19 +84,19 @@ index d482e79..ad5869b 100644
M_CP_INTOPT(rekey_limit);
M_CP_INTOPT(rekey_interval);
-@@ -2076,6 +2086,7 @@ dump_config(ServerOptions *o)
- dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
+@@ -2143,6 +2153,7 @@ dump_config(ServerOptions *o)
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
+ dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
+ dump_cfg_fmtint(sGssEnablek5users, o->enable_k5users);
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
diff --git a/servconf.h b/servconf.h
-index 5117dfa..d63cb71 100644
+index cf2a505..070a8ed 100644
--- a/servconf.h
+++ b/servconf.h
-@@ -173,7 +173,8 @@ typedef struct {
+@@ -175,7 +175,8 @@ typedef struct {
int num_permitted_opens;
@@ -107,7 +107,7 @@ index 5117dfa..d63cb71 100644
char *revoked_keys_file;
char *trusted_user_ca_keys;
diff --git a/sshd_config b/sshd_config
-index 43671f6..6ab00ed 100644
+index 0d9454d..e731de1 100644
--- a/sshd_config
+++ b/sshd_config
@@ -94,6 +94,7 @@ GSSAPIAuthentication yes
@@ -119,10 +119,10 @@ index 43671f6..6ab00ed 100644
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
diff --git a/sshd_config.5 b/sshd_config.5
-index e0e5fff..aa9525d 100644
+index eb4dd9e..ce1229b 100644
--- a/sshd_config.5
+++ b/sshd_config.5
-@@ -505,6 +505,12 @@ on logout.
+@@ -548,6 +548,12 @@ on logout.
The default is
.Dq yes .
Note that this option applies to protocol version 2 only.
diff --git a/openssh-6.6p1-ctr-cavstest.patch b/openssh-6.6p1-ctr-cavstest.patch
index 1997fa6..c752d62 100644
--- a/openssh-6.6p1-ctr-cavstest.patch
+++ b/openssh-6.6p1-ctr-cavstest.patch
@@ -1,5 +1,5 @@
diff --git a/Makefile.in b/Makefile.in
-index 4ab6717..581b121 100644
+index b225217..bbc3034 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
@@ -10,16 +10,16 @@ index 4ab6717..581b121 100644
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
-@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@
+@@ -66,7 +67,7 @@ EXEEXT=@EXEEXT@
MANFMT=@MANFMT@
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
--TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
+-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
- LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
- canohost.o channels.o cipher.o cipher-aes.o \
-@@ -180,6 +181,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o
+ LIBOPENSSH_OBJS=\
+ ssherr.o \
+@@ -190,6 +191,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o
ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o
$(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(SSHLIBS)
@@ -29,7 +29,7 @@ index 4ab6717..581b121 100644
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
-@@ -288,6 +292,7 @@ install-files:
+@@ -310,6 +314,7 @@ install-files:
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
fi
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
diff --git a/openssh-6.6p1-entropy.patch b/openssh-6.6p1-entropy.patch
index 67bd30f..6076165 100644
--- a/openssh-6.6p1-entropy.patch
+++ b/openssh-6.6p1-entropy.patch
@@ -1,8 +1,8 @@
diff --git a/entropy.c b/entropy.c
-index 2d483b3..b361a04 100644
+index 1e9d52a..d24e724 100644
--- a/entropy.c
+++ b/entropy.c
-@@ -234,6 +234,9 @@ seed_rng(void)
+@@ -227,6 +227,9 @@ seed_rng(void)
memset(buf, '\0', sizeof(buf));
#endif /* OPENSSL_PRNG_ONLY */
@@ -13,12 +13,12 @@ index 2d483b3..b361a04 100644
fatal("PRNG is not seeded");
}
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
-index b912dbe..9206337 100644
+index 843225d..041bbab 100644
--- a/openbsd-compat/Makefile.in
+++ b/openbsd-compat/Makefile.in
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o di
- COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
+ COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o
-PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o
+PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o
@@ -27,7 +27,7 @@ index b912dbe..9206337 100644
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
diff --git a/openbsd-compat/port-linux-prng.c b/openbsd-compat/port-linux-prng.c
new file mode 100644
-index 0000000..92a617c
+index 0000000..da84bf2
--- /dev/null
+++ b/openbsd-compat/port-linux-prng.c
@@ -0,0 +1,59 @@
@@ -63,6 +63,7 @@ index 0000000..92a617c
+
+#include "log.h"
+#include "xmalloc.h"
++#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
+#include "servconf.h"
+#include "port-linux.h"
+#include "key.h"
@@ -72,10 +73,9 @@ index 0000000..92a617c
+void
+linux_seed(void)
+{
-+ int len;
+ char *env = getenv("SSH_USE_STRONG_RNG");
+ char *random = "/dev/random";
-+ size_t ienv, randlen = 14;
++ size_t len, ienv, randlen = 14;
+
+ if (!env || !strcmp(env, "0"))
+ random = "/dev/urandom";
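Review bot: `size_t len, ienv, randlen = 14;` makes `len` unsigned, and the statement that assigns it lies outside this hunk. If `len` receives the result of a call that reports failure with a negative int, that value wraps to a large unsigned number, a `< 0` test can never fire, and the error path depends entirely on an inequality comparison. Keeping `int len;` for the return value and casting once at the comparison would state the intent more clearly. Separately, `char *random = "/dev/random";` points at string literals and reuses the name of the libc function `random()`; `const char *rng_path = "/dev/random";` avoids both. The body of linux_seed continues past the end of the hunk.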
@@ -91,7 +91,7 @@ index 0000000..92a617c
+ }
+}
diff --git a/ssh-add.0 b/ssh-add.0
-index ba43fee..0b2629a 100644
+index f16165a..17d22cf 100644
--- a/ssh-add.0
+++ b/ssh-add.0
@@ -82,6 +82,16 @@ ENVIRONMENT
@@ -112,10 +112,10 @@ index ba43fee..0b2629a 100644
~/.ssh/identity
Contains the protocol version 1 RSA authentication identity of
diff --git a/ssh-add.1 b/ssh-add.1
-index 4812448..16305bf 100644
+index 04d1840..db883a4 100644
--- a/ssh-add.1
+++ b/ssh-add.1
-@@ -161,6 +161,20 @@ to make this work.)
+@@ -170,6 +170,20 @@ to make this work.)
Identifies the path of a
.Ux Ns -domain
socket used to communicate with the agent.
@@ -137,10 +137,10 @@ index 4812448..16305bf 100644
.Sh FILES
.Bl -tag -width Ds
diff --git a/ssh-agent.1 b/ssh-agent.1
-index 281ecbd..1a9a635 100644
+index d7e791b..7332f0d 100644
--- a/ssh-agent.1
+++ b/ssh-agent.1
-@@ -201,6 +201,24 @@ sockets used to contain the connection to the authentication agent.
+@@ -189,6 +189,24 @@ sockets used to contain the connection to the authentication agent.
These sockets should only be readable by the owner.
The sockets should get automatically removed when the agent exits.
.El
@@ -166,10 +166,10 @@ index 281ecbd..1a9a635 100644
.Xr ssh 1 ,
.Xr ssh-add 1 ,
diff --git a/ssh-keygen.1 b/ssh-keygen.1
-index 12e00d4..1b51a4a 100644
+index 276dacc..a09d9b1 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
-@@ -832,6 +832,24 @@ Contains Diffie-Hellman groups used for DH-GEX.
+@@ -841,6 +841,24 @@ Contains Diffie-Hellman groups used for DH-GEX.
The file format is described in
.Xr moduli 5 .
.El
@@ -224,10 +224,10 @@ index 69d0829..02d79f8 100644
.Xr ssh 1 ,
.Xr ssh-keygen 1 ,
diff --git a/ssh.1 b/ssh.1
-index 929904b..f65e42f 100644
+index 4a476c2..410a04a 100644
--- a/ssh.1
+++ b/ssh.1
-@@ -1309,6 +1309,23 @@ For more information, see the
+@@ -1299,6 +1299,23 @@ For more information, see the
.Cm PermitUserEnvironment
option in
.Xr sshd_config 5 .
@@ -252,10 +252,10 @@ index 929904b..f65e42f 100644
.Bl -tag -width Ds -compact
.It Pa ~/.rhosts
diff --git a/sshd.8 b/sshd.8
-index c2c237f..058d37a 100644
+index cb866b5..adcaaf9 100644
--- a/sshd.8
+++ b/sshd.8
-@@ -951,6 +951,24 @@ concurrently for different ports, this contains the process ID of the one
+@@ -945,6 +945,24 @@ concurrently for different ports, this contains the process ID of the one
started last).
The content of this file is not sensitive; it can be world-readable.
.El
diff --git a/openssh-6.6p1-force_krb.patch b/openssh-6.6p1-force_krb.patch
index a242394..b7bc826 100644
--- a/openssh-6.6p1-force_krb.patch
+++ b/openssh-6.6p1-force_krb.patch
@@ -1,5 +1,5 @@
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
-index 42de994..60de320 100644
+index 413b845..54dd383 100644
--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
@@ -32,7 +32,9 @@
@@ -12,12 +12,7 @@ index 42de994..60de320 100644
#include "xmalloc.h"
#include "key.h"
-@@ -40,10 +42,12 @@
- #include "auth.h"
- #include "log.h"
- #include "servconf.h"
-+#include "misc.h"
-
+@@ -45,6 +47,7 @@
#include "buffer.h"
#include "ssh-gss.h"
@@ -25,7 +20,7 @@ index 42de994..60de320 100644
extern ServerOptions options;
#ifdef HEIMDAL
-@@ -55,6 +59,13 @@ extern ServerOptions options;
+@@ -56,6 +59,13 @@ extern ServerOptions options;
# include <gssapi/gssapi_krb5.h>
#endif
@@ -39,7 +34,7 @@ index 42de994..60de320 100644
static krb5_context krb_context = NULL;
/* Initialise the krb5 library, for the stuff that GSSAPI won't do */
-@@ -87,6 +98,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
+@@ -88,6 +98,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
krb5_principal princ;
int retval;
const char *errmsg;
@@ -47,7 +42,7 @@ index 42de994..60de320 100644
if (ssh_gssapi_krb5_init() == 0)
return 0;
-@@ -98,10 +110,22 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
+@@ -99,10 +110,22 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
krb5_free_error_message(krb_context, errmsg);
return 0;
}
@@ -71,7 +66,7 @@ index 42de994..60de320 100644
} else
retval = 0;
-@@ -109,6 +133,135 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
+@@ -110,6 +133,135 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
return retval;
}
@@ -208,10 +203,10 @@ index 42de994..60de320 100644
/* This writes out any forwarded credentials from the structure populated
* during userauth. Called after we have setuid to the user */
diff --git a/session.c b/session.c
-index b5dc144..ba4589b 100644
+index 28659ec..9c94d8e 100644
--- a/session.c
+++ b/session.c
-@@ -806,6 +806,29 @@ do_exec(Session *s, const char *command)
+@@ -789,6 +789,29 @@ do_exec(Session *s, const char *command)
command = forced_command;
forced = "(key-option)";
}
@@ -257,10 +252,10 @@ index 0374c88..509109a 100644
/* draft-ietf-secsh-gsskeyex-06 */
diff --git a/sshd.8 b/sshd.8
-index 058d37a..5c4f15b 100644
+index adcaaf9..824163b 100644
--- a/sshd.8
+++ b/sshd.8
-@@ -327,6 +327,7 @@ Finally, the server and the client enter an authentication dialog.
+@@ -324,6 +324,7 @@ Finally, the server and the client enter an authentication dialog.
The client tries to authenticate itself using
host-based authentication,
public key authentication,
diff --git a/openssh-6.6p1-gsskex.patch b/openssh-6.6p1-gsskex.patch
index 826acd4..6efa67d 100644
--- a/openssh-6.6p1-gsskex.patch
+++ b/openssh-6.6p1-gsskex.patch
@@ -1,8 +1,8 @@
diff --git a/Makefile.in b/Makefile.in
-index 581b121..2ad26ff 100644
+index bbc3034..c9891e0 100644
--- a/Makefile.in
+++ b/Makefile.in
-@@ -77,6 +77,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
+@@ -87,6 +87,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
@@ -10,7 +10,7 @@ index 581b121..2ad26ff 100644
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
ssh-pkcs11.o krl.o smult_curve25519_ref.o \
kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
-@@ -96,7 +97,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
+@@ -106,7 +107,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
auth2-none.o auth2-passwd.o auth2-pubkey.o \
monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
kexc25519s.o auth-krb5.o \
@@ -20,10 +20,10 @@ index 581b121..2ad26ff 100644
sftp-server.o sftp-common.o \
roaming_common.o roaming_serv.o \
diff --git a/auth2-gss.c b/auth2-gss.c
-index 4756dd7..ad65059 100644
+index 4803e7e..222e3e0 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
-@@ -52,6 +52,40 @@ static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt);
+@@ -53,6 +53,40 @@ static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt);
static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
static void input_gssapi_errtok(int, u_int32_t, void *);
@@ -64,7 +64,7 @@ index 4756dd7..ad65059 100644
/*
* We only support those mechanisms that we know about (ie ones that we know
* how to check local user kuserok and the like)
-@@ -235,7 +269,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
+@@ -236,7 +270,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
packet_check_eom();
@@ -74,7 +74,7 @@ index 4756dd7..ad65059 100644
authctxt->postponed = 0;
dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-@@ -277,7 +312,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
+@@ -278,7 +313,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
gssbuf.length = buffer_len(&b);
if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
@@ -84,7 +84,7 @@ index 4756dd7..ad65059 100644
else
logit("GSSAPI MIC check failed");
-@@ -294,6 +330,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
+@@ -295,6 +331,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
}
@@ -98,10 +98,10 @@ index 4756dd7..ad65059 100644
"gssapi-with-mic",
userauth_gssapi,
diff --git a/auth2.c b/auth2.c
-index 5f4f26f..0f52b68 100644
+index d6fbc93..124d02b 100644
--- a/auth2.c
+++ b/auth2.c
-@@ -69,6 +69,7 @@ extern Authmethod method_passwd;
+@@ -70,6 +70,7 @@ extern Authmethod method_passwd;
extern Authmethod method_kbdint;
extern Authmethod method_hostbased;
#ifdef GSSAPI
@@ -109,7 +109,7 @@ index 5f4f26f..0f52b68 100644
extern Authmethod method_gssapi;
#endif
-@@ -76,6 +77,7 @@ Authmethod *authmethods[] = {
+@@ -77,6 +78,7 @@ Authmethod *authmethods[] = {
&method_none,
&method_pubkey,
#ifdef GSSAPI
@@ -118,7 +118,7 @@ index 5f4f26f..0f52b68 100644
#endif
&method_passwd,
diff --git a/clientloop.c b/clientloop.c
-index 59ad3a2..9c60108 100644
+index 397c965..20ce0b5 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -111,6 +111,10 @@
@@ -132,7 +132,7 @@ index 59ad3a2..9c60108 100644
/* import options */
extern Options options;
-@@ -1608,6 +1612,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
+@@ -1596,6 +1600,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
/* Do channel operations unless rekeying in progress. */
if (!rekeying) {
channel_after_select(readset, writeset);
@@ -149,7 +149,7 @@ index 59ad3a2..9c60108 100644
debug("need rekeying");
xxx_kex->done = 0;
diff --git a/configure.ac b/configure.ac
-index 74e77db..9bde04e 100644
+index 8dedb95..2c4adac 100644
--- a/configure.ac
+++ b/configure.ac
@@ -584,6 +584,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
@@ -526,10 +526,10 @@ index b39281b..a3a2289 100644
+
#endif /* GSSAPI */
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
-index 759fa10..42de994 100644
+index 795992d..413b845 100644
--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
-@@ -120,7 +120,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
+@@ -121,7 +121,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
krb5_error_code problem;
krb5_principal princ;
OM_uint32 maj_status, min_status;
@@ -538,7 +538,7 @@ index 759fa10..42de994 100644
const char *errmsg;
if (client->creds == NULL) {
-@@ -180,11 +180,26 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
+@@ -181,11 +181,26 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
return;
}
@@ -569,7 +569,7 @@ index 759fa10..42de994 100644
#ifdef USE_PAM
if (options.use_pam)
-@@ -193,9 +208,76 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
+@@ -194,9 +209,76 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
krb5_cc_close(krb_context, ccache);
@@ -646,7 +646,7 @@ index 759fa10..42de994 100644
ssh_gssapi_mech gssapi_kerberos_mech = {
"toWM5Slw5Ew8Mqkay+al2g==",
"Kerberos",
-@@ -203,7 +285,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
+@@ -204,7 +286,8 @@ ssh_gssapi_mech gssapi_kerberos_mech = {
NULL,
&ssh_gssapi_krb5_userok,
NULL,
@@ -657,7 +657,7 @@ index 759fa10..42de994 100644
#endif /* KRB5 */
diff --git a/gss-serv.c b/gss-serv.c
-index e61b37b..14f540e 100644
+index 5c59924..2289e8e 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -45,15 +45,20 @@
@@ -684,7 +684,7 @@ index e61b37b..14f540e 100644
#ifdef KRB5
extern ssh_gssapi_mech gssapi_kerberos_mech;
@@ -100,25 +105,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
- char lname[MAXHOSTNAMELEN];
+ char lname[NI_MAXHOST];
gss_OID_set oidset;
- gss_create_empty_oid_set(&status, &oidset);
@@ -693,40 +693,40 @@ index e61b37b..14f540e 100644
+ gss_create_empty_oid_set(&status, &oidset);
+ gss_add_oid_set_member(&status, ctx->oid, &oidset);
-- if (gethostname(lname, MAXHOSTNAMELEN)) {
+- if (gethostname(lname, sizeof(lname))) {
- gss_release_oid_set(&status, &oidset);
- return (-1);
- }
-+ if (gethostname(lname, MAXHOSTNAMELEN)) {
++ if (gethostname(lname, sizeof(lname))) {
+ gss_release_oid_set(&status, &oidset);
+ return (-1);
+ }
-+
++
+ if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
+ gss_release_oid_set(&status, &oidset);
+ return (ctx->major);
+ }
-+
++
+ if ((ctx->major = gss_acquire_cred(&ctx->minor,
-+ ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds,
-+ NULL, NULL)))
++ ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
+ ssh_gssapi_error(ctx);
- if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
gss_release_oid_set(&status, &oidset);
return (ctx->major);
-+ } else {
-+ ctx->name = GSS_C_NO_NAME;
-+ ctx->creds = GSS_C_NO_CREDENTIAL;
- }
+- }
-
- if ((ctx->major = gss_acquire_cred(&ctx->minor,
- ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
- ssh_gssapi_error(ctx);
--
++ } else {
++ ctx->name = GSS_C_NO_NAME;
++ ctx->creds = GSS_C_NO_CREDENTIAL;
++ return GSS_S_COMPLETE;
++ }
+
- gss_release_oid_set(&status, &oidset);
- return (ctx->major);
-+ return GSS_S_COMPLETE;
}
/* Privileged */
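Review bot: In `ssh_gssapi_acquire_cred`, `lname` is handed to `ssh_gssapi_import_name(ctx, lname)` right after `gethostname(lname, sizeof(lname))`, and nothing guarantees it is NUL-terminated. POSIX leaves termination unspecified when the host name is truncated to the buffer size. The buffer becomes `NI_MAXHOST` bytes in the preceding hunk, so truncation is unlikely in practice, but the acceptor name import should not depend on that. I would add `lname[sizeof(lname) - 1] = '\0';` directly after the successful `gethostname()` call. The condition guarding this branch (the `else` sets `GSS_C_NO_NAME`/`GSS_C_NO_CREDENTIAL`) sits outside the visible hunk lines, so it could not be checked here.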
@@ -796,8 +796,7 @@ index e61b37b..14f540e 100644
+
+ ctx->major = gss_compare_name(&ctx->minor, client->name,
+ new_name, &equal);
-
-- gss_buffer_desc ename;
++
+ if (GSS_ERROR(ctx->major)) {
+ ssh_gssapi_error(ctx);
+ return (ctx->major);
@@ -809,7 +808,8 @@ index e61b37b..14f540e 100644
+ }
+
+ debug("Marking rekeyed credentials for export");
-+
+
+- gss_buffer_desc ename;
+ gss_release_name(&ctx->minor, &client->name);
+ gss_release_cred(&ctx->minor, &client->creds);
+ client->name = new_name;
@@ -991,10 +991,10 @@ index e61b37b..14f540e 100644
#endif
diff --git a/kex.c b/kex.c
-index 74e2b86..bce2ab8 100644
+index a173e70..4563920 100644
--- a/kex.c
+++ b/kex.c
-@@ -51,6 +51,10 @@
+@@ -53,6 +53,10 @@
#include "roaming.h"
#include "digest.h"
@@ -1005,10 +1005,10 @@ index 74e2b86..bce2ab8 100644
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
# if defined(HAVE_EVP_SHA256)
# define evp_ssh_sha256 EVP_sha256
-@@ -90,6 +94,11 @@ static const struct kexalg kexalgs[] = {
+@@ -94,6 +98,11 @@ static const struct kexalg kexalgs[] = {
#ifdef HAVE_EVP_SHA256
{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
- #endif
+ #endif /* HAVE_EVP_SHA256 */
+#ifdef GSSAPI
+ { KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
+ { KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
@@ -1017,7 +1017,7 @@ index 74e2b86..bce2ab8 100644
{ NULL, -1, -1, -1},
};
-@@ -119,6 +128,12 @@ kex_alg_by_name(const char *name)
+@@ -123,6 +132,12 @@ kex_alg_by_name(const char *name)
for (k = kexalgs; k->name != NULL; k++) {
if (strcmp(k->name, name) == 0)
return k;
@@ -1031,7 +1031,7 @@ index 74e2b86..bce2ab8 100644
return NULL;
}
diff --git a/kex.h b/kex.h
-index c85680e..313bb51 100644
+index 4c40ec8..1c76c08 100644
--- a/kex.h
+++ b/kex.h
@@ -76,6 +76,11 @@ enum kex_exchange {
@@ -1412,10 +1412,10 @@ index 0000000..e90b567
+#endif /* GSSAPI */
diff --git a/kexgsss.c b/kexgsss.c
new file mode 100644
-index 0000000..6d7518c
+index 0000000..b880998
--- /dev/null
+++ b/kexgsss.c
-@@ -0,0 +1,288 @@
+@@ -0,0 +1,289 @@
+/*
+ * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
+ *
@@ -1460,6 +1460,7 @@ index 0000000..6d7518c
+#include "dh.h"
+#include "ssh-gss.h"
+#include "monitor_wrap.h"
++#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
+#include "servconf.h"
+
+extern ServerOptions options;
@@ -1704,35 +1705,11 @@ index 0000000..6d7518c
+ ssh_gssapi_rekey_creds();
+}
+#endif /* GSSAPI */
-diff --git a/key.c b/key.c
-index eb98ea8..900b9e3 100644
---- a/key.c
-+++ b/key.c
-@@ -1013,6 +1013,7 @@ static const struct keytype keytypes[] = {
- KEY_DSA_CERT_V00, 0, 1 },
- { "ssh-ed25519-cert-v01 at openssh.com", "ED25519-CERT",
- KEY_ED25519_CERT, 0, 1 },
-+ { "null", "null", KEY_NULL, 0, 0 },
- { NULL, NULL, -1, -1, 0 }
- };
-
-diff --git a/key.h b/key.h
-index 0e3eea5..d51ed81 100644
---- a/key.h
-+++ b/key.h
-@@ -46,6 +46,7 @@ enum types {
- KEY_ED25519_CERT,
- KEY_RSA_CERT_V00,
- KEY_DSA_CERT_V00,
-+ KEY_NULL,
- KEY_UNSPEC
- };
- enum fp_type {
diff --git a/monitor.c b/monitor.c
-index 229fada..aa70945 100644
+index d3f87e1..7ebc76e 100644
--- a/monitor.c
+++ b/monitor.c
-@@ -178,6 +178,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
+@@ -181,6 +181,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
int mm_answer_gss_accept_ctx(int, Buffer *);
int mm_answer_gss_userok(int, Buffer *);
int mm_answer_gss_checkmic(int, Buffer *);
@@ -1741,7 +1718,7 @@ index 229fada..aa70945 100644
#endif
#ifdef SSH_AUDIT_EVENTS
-@@ -253,11 +255,18 @@ struct mon_table mon_dispatch_proto20[] = {
+@@ -261,11 +263,18 @@ struct mon_table mon_dispatch_proto20[] = {
{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
{MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
@@ -1757,10 +1734,10 @@ index 229fada..aa70945 100644
+ {MONITOR_REQ_GSSSIGN, 0, mm_answer_gss_sign},
+ {MONITOR_REQ_GSSUPCREDS, 0, mm_answer_gss_updatecreds},
+#endif
+ #ifdef WITH_OPENSSL
{MONITOR_REQ_MODULI, 0, mm_answer_moduli},
- {MONITOR_REQ_SIGN, 0, mm_answer_sign},
- {MONITOR_REQ_PTY, 0, mm_answer_pty},
-@@ -366,6 +375,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
+ #endif
+@@ -380,6 +389,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
/* Permit requests for moduli and signatures */
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -1771,7 +1748,7 @@ index 229fada..aa70945 100644
} else {
mon_dispatch = mon_dispatch_proto15;
-@@ -471,6 +484,10 @@ monitor_child_postauth(struct monitor *pmonitor)
+@@ -488,6 +501,10 @@ monitor_child_postauth(struct monitor *pmonitor)
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1782,9 +1759,9 @@ index 229fada..aa70945 100644
} else {
mon_dispatch = mon_dispatch_postauth15;
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
-@@ -1866,6 +1883,13 @@ mm_get_kex(Buffer *m)
- kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
+@@ -1893,6 +1910,13 @@ mm_get_kex(Buffer *m)
kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+ #endif
kex->kex[KEX_C25519_SHA256] = kexc25519_server;
+#ifdef GSSAPI
+ if (options.gss_keyex) {
@@ -1796,7 +1773,7 @@ index 229fada..aa70945 100644
kex->server = 1;
kex->hostkey_type = buffer_get_int(m);
kex->kex_type = buffer_get_int(m);
-@@ -2073,6 +2097,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
+@@ -2100,6 +2124,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
OM_uint32 major;
u_int len;
@@ -1806,7 +1783,7 @@ index 229fada..aa70945 100644
goid.elements = buffer_get_string(m, &len);
goid.length = len;
-@@ -2100,6 +2127,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
+@@ -2127,6 +2154,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
OM_uint32 flags = 0; /* GSI needs this */
u_int len;
@@ -1816,7 +1793,7 @@ index 229fada..aa70945 100644
in.value = buffer_get_string(m, &len);
in.length = len;
major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
-@@ -2117,6 +2147,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
+@@ -2144,6 +2174,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -1824,7 +1801,7 @@ index 229fada..aa70945 100644
}
return (0);
}
-@@ -2128,6 +2159,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
+@@ -2155,6 +2186,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
OM_uint32 ret;
u_int len;
@@ -1834,7 +1811,7 @@ index 229fada..aa70945 100644
gssbuf.value = buffer_get_string(m, &len);
gssbuf.length = len;
mic.value = buffer_get_string(m, &len);
-@@ -2154,7 +2188,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
+@@ -2181,7 +2215,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
{
int authenticated;
@@ -1847,7 +1824,7 @@ index 229fada..aa70945 100644
buffer_clear(m);
buffer_put_int(m, authenticated);
-@@ -2167,5 +2205,73 @@ mm_answer_gss_userok(int sock, Buffer *m)
+@@ -2194,5 +2232,73 @@ mm_answer_gss_userok(int sock, Buffer *m)
/* Monitor loop will terminate if authenticated */
return (authenticated);
}
@@ -1935,10 +1912,10 @@ index 20e2b4a..ff79fbb 100644
MONITOR_REQ_PAM_START = 100,
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
diff --git a/monitor_wrap.c b/monitor_wrap.c
-index d1b6d99..d1e1caa 100644
+index 82f114c..7e991e6 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
-@@ -1290,7 +1290,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
+@@ -1300,7 +1300,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
}
int
@@ -1947,7 +1924,7 @@ index d1b6d99..d1e1caa 100644
{
Buffer m;
int authenticated = 0;
-@@ -1307,5 +1307,50 @@ mm_ssh_gssapi_userok(char *user)
+@@ -1317,5 +1317,50 @@ mm_ssh_gssapi_userok(char *user)
debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
return (authenticated);
}
@@ -2015,10 +1992,10 @@ index 9d5e5ba..93929e0 100644
#ifdef USE_PAM
diff --git a/readconf.c b/readconf.c
-index dc884c9..7613ff2 100644
+index 3f5c58b..1c07766 100644
--- a/readconf.c
+++ b/readconf.c
-@@ -141,6 +141,8 @@ typedef enum {
+@@ -143,6 +143,8 @@ typedef enum {
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -2027,7 +2004,7 @@ index dc884c9..7613ff2 100644
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
-@@ -183,10 +185,19 @@ static struct {
+@@ -187,10 +189,19 @@ static struct {
{ "afstokenpassing", oUnsupported },
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
@@ -2047,7 +2024,7 @@ index dc884c9..7613ff2 100644
#endif
{ "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated },
-@@ -841,10 +852,30 @@ parse_time:
+@@ -868,10 +879,30 @@ parse_time:
intptr = &options->gss_authentication;
goto parse_flag;
@@ -2078,7 +2055,7 @@ index dc884c9..7613ff2 100644
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
-@@ -1497,7 +1528,12 @@ initialize_options(Options * options)
+@@ -1553,7 +1584,12 @@ initialize_options(Options * options)
options->pubkey_authentication = -1;
options->challenge_response_authentication = -1;
options->gss_authentication = -1;
@@ -2091,7 +2068,7 @@ index dc884c9..7613ff2 100644
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
-@@ -1616,8 +1652,14 @@ fill_default_options(Options * options)
+@@ -1677,8 +1713,14 @@ fill_default_options(Options * options)
options->challenge_response_authentication = 1;
if (options->gss_authentication == -1)
options->gss_authentication = 0;
@@ -2107,10 +2084,10 @@ index dc884c9..7613ff2 100644
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
diff --git a/readconf.h b/readconf.h
-index 75e3f8f..5cc97f0 100644
+index a028306..1dbe509 100644
--- a/readconf.h
+++ b/readconf.h
-@@ -54,7 +54,12 @@ typedef struct {
+@@ -45,7 +45,12 @@ typedef struct {
int challenge_response_authentication;
/* Try S/Key or TIS, authentication. */
int gss_authentication; /* Try GSS authentication */
@@ -2150,10 +2127,10 @@ index b093a91..4c8da00 100644
type_has_legacy() {
case $1 in
diff --git a/regress/kextype.sh b/regress/kextype.sh
-index 8c2ac09..a2a87ca 100644
+index 6f952f4..bcb609b 100644
--- a/regress/kextype.sh
+++ b/regress/kextype.sh
-@@ -9,6 +9,9 @@ cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
+@@ -14,6 +14,9 @@ echo "KexAlgorithms=$KEXOPT" >> $OBJ/sshd_proxy
tries="1 2 3 4"
for k in `${SSH} -Q kex`; do
@@ -2164,10 +2141,10 @@ index 8c2ac09..a2a87ca 100644
for i in $tries; do
${SSH} -F $OBJ/ssh_proxy -o KexAlgorithms=$k x true
diff --git a/regress/rekey.sh b/regress/rekey.sh
-index cf9401e..31fb0f7 100644
+index fd452b0..1148197 100644
--- a/regress/rekey.sh
+++ b/regress/rekey.sh
-@@ -30,6 +30,9 @@ increase_datafile_size 300
+@@ -38,6 +38,9 @@ increase_datafile_size 300
opts=""
for i in `${SSH} -Q kex`; do
@@ -2177,7 +2154,7 @@ index cf9401e..31fb0f7 100644
opts="$opts KexAlgorithms=$i"
done
for i in `${SSH} -Q cipher`; do
-@@ -48,6 +51,9 @@ done
+@@ -56,6 +59,9 @@ done
if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then
for c in `${SSH} -Q cipher-auth`; do
for kex in `${SSH} -Q kex`; do
@@ -2185,13 +2162,13 @@ index cf9401e..31fb0f7 100644
+ continue
+ fi
verbose "client rekey $c $kex"
- ssh_data_rekeying -oRekeyLimit=256k -oCiphers=$c -oKexAlgorithms=$kex
+ ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c
done
diff --git a/servconf.c b/servconf.c
-index f763317..68fb9ef 100644
+index c8a3f28..179c20d 100644
--- a/servconf.c
+++ b/servconf.c
-@@ -108,7 +108,10 @@ initialize_server_options(ServerOptions *options)
+@@ -110,7 +110,10 @@ initialize_server_options(ServerOptions *options)
options->kerberos_ticket_cleanup = -1;
options->kerberos_get_afs_token = -1;
options->gss_authentication=-1;
@@ -2202,7 +2179,7 @@ index f763317..68fb9ef 100644
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1;
-@@ -245,8 +248,14 @@ fill_default_server_options(ServerOptions *options)
+@@ -253,8 +256,14 @@ fill_default_server_options(ServerOptions *options)
options->kerberos_get_afs_token = 0;
if (options->gss_authentication == -1)
options->gss_authentication = 0;
@@ -2217,7 +2194,7 @@ index f763317..68fb9ef 100644
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
-@@ -344,7 +353,8 @@ typedef enum {
+@@ -359,7 +368,8 @@ typedef enum {
sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
sClientAliveCountMax, sAuthorizedKeysFile,
@@ -2227,7 +2204,7 @@ index f763317..68fb9ef 100644
sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
sHostCertificate,
-@@ -411,10 +421,20 @@ static struct {
+@@ -428,10 +438,20 @@ static struct {
#ifdef GSSAPI
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2248,7 +2225,7 @@ index f763317..68fb9ef 100644
{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
-@@ -1091,10 +1111,22 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1113,10 +1133,22 @@ process_server_config_line(ServerOptions *options, char *line,
intptr = &options->gss_authentication;
goto parse_flag;
@@ -2271,7 +2248,7 @@ index f763317..68fb9ef 100644
case sPasswordAuthentication:
intptr = &options->password_authentication;
goto parse_flag;
-@@ -2005,6 +2037,9 @@ dump_config(ServerOptions *o)
+@@ -2070,6 +2102,9 @@ dump_config(ServerOptions *o)
#ifdef GSSAPI
dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
@@ -2282,10 +2259,10 @@ index f763317..68fb9ef 100644
dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
dump_cfg_fmtint(sKbdInteractiveAuthentication,
diff --git a/servconf.h b/servconf.h
-index 4572066..37cfa9b 100644
+index 21719e2..397698b 100644
--- a/servconf.h
+++ b/servconf.h
-@@ -112,7 +112,10 @@ typedef struct {
+@@ -113,7 +113,10 @@ typedef struct {
int kerberos_get_afs_token; /* If true, try to get AFS token if
* authenticated with Kerberos. */
int gss_authentication; /* If true, permit GSSAPI authentication */
@@ -2398,7 +2375,7 @@ index a99d7f0..0374c88 100644
#endif /* _SSH_GSS_H */
diff --git a/ssh_config b/ssh_config
-index 6d1abaf..b0d343b 100644
+index 3f83c40..4a0fb82 100644
--- a/ssh_config
+++ b/ssh_config
@@ -26,6 +26,8 @@
@@ -2411,10 +2388,10 @@ index 6d1abaf..b0d343b 100644
# CheckHostIP yes
# AddressFamily any
diff --git a/ssh_config.5 b/ssh_config.5
-index b580392..e7accd6 100644
+index f9ede7a..e6649ac 100644
--- a/ssh_config.5
+++ b/ssh_config.5
-@@ -682,11 +682,43 @@ Specifies whether user authentication based on GSSAPI is allowed.
+@@ -701,11 +701,43 @@ Specifies whether user authentication based on GSSAPI is allowed.
The default is
.Dq no .
Note that this option applies to protocol version 2 only.
@@ -2460,11 +2437,11 @@ index b580392..e7accd6 100644
Indicates that
.Xr ssh 1
diff --git a/sshconnect2.c b/sshconnect2.c
-index adbbfc7..cadf234 100644
+index 4724b66..703f8e4 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
-@@ -158,9 +158,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
- {
+@@ -159,9 +159,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+ char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
Kex *kex;
+#ifdef GSSAPI
@@ -2498,9 +2475,9 @@ index adbbfc7..cadf234 100644
if (options.ciphers == (char *)-1) {
logit("No valid ciphers for protocol version 2 given, using defaults.");
options.ciphers = NULL;
-@@ -196,6 +221,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
- if (options.kex_algorithms != NULL)
- myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
+@@ -199,6 +224,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
+ myproposal[PROPOSAL_KEX_ALGS]);
+#ifdef GSSAPI
+ /* If we've got GSSAPI algorithms, then we also support the
@@ -2516,9 +2493,9 @@ index adbbfc7..cadf234 100644
if (options.rekey_limit || options.rekey_interval)
packet_set_rekey_limits((u_int32_t)options.rekey_limit,
(time_t)options.rekey_interval);
-@@ -208,10 +244,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
- kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
+@@ -213,10 +249,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
+ #endif
kex->kex[KEX_C25519_SHA256] = kexc25519_client;
+#ifdef GSSAPI
+ if (options.gss_keyex) {
@@ -2547,7 +2524,7 @@ index adbbfc7..cadf234 100644
xxx_kex = kex;
dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
-@@ -301,6 +357,7 @@ void input_gssapi_token(int type, u_int32_t, void *);
+@@ -306,6 +362,7 @@ void input_gssapi_token(int type, u_int32_t, void *);
void input_gssapi_hash(int type, u_int32_t, void *);
void input_gssapi_error(int, u_int32_t, void *);
void input_gssapi_errtok(int, u_int32_t, void *);
@@ -2555,7 +2532,7 @@ index adbbfc7..cadf234 100644
#endif
void userauth(Authctxt *, char *);
-@@ -316,6 +373,11 @@ static char *authmethods_get(void);
+@@ -321,6 +378,11 @@ static char *authmethods_get(void);
Authmethod authmethods[] = {
#ifdef GSSAPI
@@ -2567,7 +2544,7 @@ index adbbfc7..cadf234 100644
{"gssapi-with-mic",
userauth_gssapi,
NULL,
-@@ -613,19 +675,31 @@ userauth_gssapi(Authctxt *authctxt)
+@@ -617,19 +679,31 @@ userauth_gssapi(Authctxt *authctxt)
static u_int mech = 0;
OM_uint32 min;
int ok = 0;
@@ -2601,7 +2578,7 @@ index adbbfc7..cadf234 100644
ok = 1; /* Mechanism works */
} else {
mech++;
-@@ -722,8 +796,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
+@@ -726,8 +800,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
{
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt;
@@ -2612,7 +2589,7 @@ index adbbfc7..cadf234 100644
if (authctxt == NULL)
fatal("input_gssapi_response: no authentication context");
-@@ -832,6 +906,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
+@@ -836,6 +910,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
free(msg);
free(lang);
}
@@ -2662,21 +2639,10 @@ index adbbfc7..cadf234 100644
int
diff --git a/sshd.c b/sshd.c
-index 24ab272..e4e406e 100644
+index f7b8aba..2871fe9 100644
--- a/sshd.c
+++ b/sshd.c
-@@ -122,6 +122,10 @@
- #include "ssh-sandbox.h"
- #include "version.h"
-
-+#ifdef USE_SECURITY_SESSION_API
-+#include <Security/AuthSession.h>
-+#endif
-+
- #ifdef LIBWRAP
- #include <tcpd.h>
- #include <syslog.h>
-@@ -1744,10 +1748,13 @@ main(int ac, char **av)
+@@ -1761,10 +1761,13 @@ main(int ac, char **av)
logit("Disabling protocol version 1. Could not load host key");
options.protocol &= ~SSH_PROTO_1;
}
@@ -2690,7 +2656,7 @@ index 24ab272..e4e406e 100644
if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
logit("sshd: no hostkeys available -- exiting.");
exit(1);
-@@ -2488,6 +2495,48 @@ do_ssh2_kex(void)
+@@ -2501,6 +2504,49 @@ do_ssh2_kex(void)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
list_hostkey_types());
@@ -2736,12 +2702,13 @@ index 24ab272..e4e406e 100644
+ }
+#endif
+
++
/* start key exchange */
kex = kex_setup(myproposal);
- kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
-@@ -2496,6 +2545,13 @@ do_ssh2_kex(void)
- kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
+ #ifdef WITH_OPENSSL
+@@ -2511,6 +2557,13 @@ do_ssh2_kex(void)
kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+ #endif
kex->kex[KEX_C25519_SHA256] = kexc25519_server;
+#ifdef GSSAPI
+ if (options.gss_keyex) {
@@ -2754,7 +2721,7 @@ index 24ab272..e4e406e 100644
kex->client_version_string=client_version_string;
kex->server_version_string=server_version_string;
diff --git a/sshd_config b/sshd_config
-index c1b7c03..adfd7b1 100644
+index 7061f75..f4796fc 100644
--- a/sshd_config
+++ b/sshd_config
@@ -91,6 +91,8 @@ ChallengeResponseAuthentication no
@@ -2767,10 +2734,10 @@ index c1b7c03..adfd7b1 100644
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
diff --git a/sshd_config.5 b/sshd_config.5
-index 95b5f8c..1fb002d 100644
+index cccb310..8ad79d9 100644
--- a/sshd_config.5
+++ b/sshd_config.5
-@@ -493,12 +493,40 @@ Specifies whether user authentication based on GSSAPI is allowed.
+@@ -536,12 +536,40 @@ Specifies whether user authentication based on GSSAPI is allowed.
The default is
.Dq no .
Note that this option applies to protocol version 2 only.
diff --git a/openssh-6.6p1-keycat.patch b/openssh-6.6p1-keycat.patch
index d30dedb..4cbe95d 100644
--- a/openssh-6.6p1-keycat.patch
+++ b/openssh-6.6p1-keycat.patch
@@ -17,7 +17,7 @@ index 0000000..630ec62
+
+
diff --git a/Makefile.in b/Makefile.in
-index 411eadb..4ab6717 100644
+index f02aa1e..b225217 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
@@ -28,16 +28,16 @@ index 411eadb..4ab6717 100644
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
-@@ -64,7 +65,7 @@ EXEEXT=@EXEEXT@
+@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@
MANFMT=@MANFMT@
INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
-+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
- LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
- canohost.o channels.o cipher.o cipher-aes.o \
-@@ -176,6 +177,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11
+ LIBOPENSSH_OBJS=\
+ ssherr.o \
+@@ -186,6 +187,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11
ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
@@ -47,7 +47,7 @@ index 411eadb..4ab6717 100644
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
-@@ -283,6 +287,7 @@ install-files:
+@@ -305,6 +309,7 @@ install-files:
$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
fi
@@ -56,10 +56,10 @@ index 411eadb..4ab6717 100644
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
-index c0ae0d4..cb0f931 100644
+index 12f5afd..269e642 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
-@@ -600,6 +600,14 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
+@@ -602,6 +602,14 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
_exit(1);
}
@@ -75,10 +75,10 @@ index c0ae0d4..cb0f931 100644
options.authorized_keys_command, user_pw->pw_name, NULL);
diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c
-index d04f4ed..0077dd7 100644
+index 265bd3a..8f32464 100644
--- a/openbsd-compat/port-linux-sshd.c
+++ b/openbsd-compat/port-linux-sshd.c
-@@ -53,6 +53,20 @@ extern Authctxt *the_authctxt;
+@@ -54,6 +54,20 @@ extern Authctxt *the_authctxt;
extern int inetd_flag;
extern int rexeced_flag;
@@ -99,7 +99,7 @@ index d04f4ed..0077dd7 100644
/* Send audit message */
static int
sshd_selinux_send_audit_message(int success, security_context_t default_context,
-@@ -307,7 +321,7 @@ sshd_selinux_getctxbyname(char *pwname,
+@@ -308,7 +322,7 @@ sshd_selinux_getctxbyname(char *pwname,
/* Setup environment variables for pam_selinux */
static int
@@ -108,7 +108,7 @@ index d04f4ed..0077dd7 100644
{
const char *reqlvl;
char *role;
-@@ -318,16 +332,16 @@ sshd_selinux_setup_pam_variables(void)
+@@ -319,16 +333,16 @@ sshd_selinux_setup_pam_variables(void)
ssh_selinux_get_role_level(&role, &reqlvl);
@@ -128,7 +128,7 @@ index d04f4ed..0077dd7 100644
if (role != NULL)
free(role);
-@@ -335,6 +349,24 @@ sshd_selinux_setup_pam_variables(void)
+@@ -336,6 +350,24 @@ sshd_selinux_setup_pam_variables(void)
return rv;
}
@@ -153,7 +153,7 @@ index d04f4ed..0077dd7 100644
/* Set the execution context to the default for the specified user */
void
sshd_selinux_setup_exec_context(char *pwname)
-@@ -343,7 +375,7 @@ sshd_selinux_setup_exec_context(char *pwname)
+@@ -344,7 +376,7 @@ sshd_selinux_setup_exec_context(char *pwname)
int r = 0;
security_context_t default_ctx = NULL;
@@ -162,7 +162,7 @@ index d04f4ed..0077dd7 100644
return;
if (options.use_pam) {
-@@ -414,7 +446,7 @@ sshd_selinux_copy_context(void)
+@@ -415,7 +447,7 @@ sshd_selinux_copy_context(void)
{
security_context_t *ctx;
@@ -187,10 +187,10 @@ index b18893c..cb51f99 100644
#ifdef LINUX_OOM_ADJUST
diff --git a/platform.c b/platform.c
-index 0d39ab2..0dae387 100644
+index 84c47fa..6d876cb 100644
--- a/platform.c
+++ b/platform.c
-@@ -102,7 +102,7 @@ platform_setusercontext(struct passwd *pw)
+@@ -103,7 +103,7 @@ platform_setusercontext(struct passwd *pw)
{
#ifdef WITH_SELINUX
/* Cache selinux status for later use */
diff --git a/openssh-6.6p1-keyperm.patch b/openssh-6.6p1-keyperm.patch
index fccb328..fbe33b0 100644
--- a/openssh-6.6p1-keyperm.patch
+++ b/openssh-6.6p1-keyperm.patch
@@ -1,15 +1,16 @@
-diff -up openssh-6.6p1/authfile.c.keyperm openssh-6.6p1/authfile.c
---- openssh-6.6p1/authfile.c.keyperm 2014-02-04 01:20:15.000000000 +0100
-+++ openssh-6.6p1/authfile.c 2014-05-05 15:20:43.075246776 +0200
-@@ -54,6 +54,7 @@
+diff --git a/authfile.c b/authfile.c
+index e93d867..4fc5b3d 100644
+--- a/authfile.c
++++ b/authfile.c
+@@ -32,6 +32,7 @@
#include <errno.h>
#include <fcntl.h>
+#include <grp.h>
- #include <stdarg.h>
#include <stdio.h>
+ #include <stdarg.h>
#include <stdlib.h>
-@@ -979,6 +980,13 @@ key_perm_ok(int fd, const char *filename
+@@ -207,6 +208,13 @@ sshkey_perm_ok(int fd, const char *filename)
#ifdef HAVE_CYGWIN
if (check_ntsec(filename))
#endif
diff --git a/openssh-6.6p1-kuserok.patch b/openssh-6.6p1-kuserok.patch
index f7c5a1c..b0b12a6 100644
--- a/openssh-6.6p1-kuserok.patch
+++ b/openssh-6.6p1-kuserok.patch
@@ -1,8 +1,8 @@
diff --git a/auth-krb5.c b/auth-krb5.c
-index 6c62bdf..11c8562 100644
+index 0089b18..8480261 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
-@@ -54,6 +54,21 @@
+@@ -55,6 +55,21 @@
extern ServerOptions options;
@@ -24,7 +24,7 @@ index 6c62bdf..11c8562 100644
static int
krb5_init(void *context)
{
-@@ -157,8 +172,9 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
+@@ -158,8 +173,9 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
if (problem)
goto out;
@@ -37,7 +37,7 @@ index 6c62bdf..11c8562 100644
goto out;
}
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
-index 60de320..0a4930e 100644
+index 54dd383..961c564 100644
--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
@@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_principal, const char *, const char *,
@@ -175,27 +175,27 @@ index 60de320..0a4930e 100644
if ((fp = fopen(file, "r")) == NULL) {
int saved_errno = errno;
diff --git a/servconf.c b/servconf.c
-index 68fb9ef..904c869 100644
+index 179c20d..d17ed04 100644
--- a/servconf.c
+++ b/servconf.c
-@@ -157,6 +157,7 @@ initialize_server_options(ServerOptions *options)
- options->ip_qos_interactive = -1;
+@@ -163,6 +163,7 @@ initialize_server_options(ServerOptions *options)
options->ip_qos_bulk = -1;
options->version_addendum = NULL;
+ options->fingerprint_hash = -1;
+ options->use_kuserok = -1;
}
void
-@@ -312,6 +313,8 @@ fill_default_server_options(ServerOptions *options)
- options->version_addendum = xstrdup("");
- if (options->show_patchlevel == -1)
- options->show_patchlevel = 0;
+@@ -328,6 +329,8 @@ fill_default_server_options(ServerOptions *options)
+ options->fwd_opts.streamlocal_bind_unlink = 0;
+ if (options->fingerprint_hash == -1)
+ options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
+ if (options->use_kuserok == -1)
+ options->use_kuserok = 1;
-
/* Turn privilege separation on by default */
if (use_privsep == -1)
-@@ -338,7 +341,7 @@ typedef enum {
+ use_privsep = PRIVSEP_NOSANDBOX;
+@@ -353,7 +356,7 @@ typedef enum {
sPermitRootLogin, sLogFacility, sLogLevel,
sRhostsRSAAuthentication, sRSAAuthentication,
sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
@@ -204,7 +204,7 @@ index 68fb9ef..904c869 100644
sKerberosTgtPassing, sChallengeResponseAuthentication,
sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily,
-@@ -410,11 +413,13 @@ static struct {
+@@ -427,11 +430,13 @@ static struct {
#else
{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
#endif
@@ -218,7 +218,7 @@ index 68fb9ef..904c869 100644
#endif
{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
-@@ -1526,6 +1531,10 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1557,6 +1562,10 @@ process_server_config_line(ServerOptions *options, char *line,
*activep = value;
break;
@@ -229,7 +229,7 @@ index 68fb9ef..904c869 100644
case sPermitOpen:
arg = strdelim(&cp);
if (!arg || *arg == '\0')
-@@ -1811,6 +1820,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
+@@ -1872,6 +1881,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
M_CP_INTOPT(max_authtries);
M_CP_INTOPT(ip_qos_interactive);
M_CP_INTOPT(ip_qos_bulk);
@@ -237,19 +237,19 @@ index 68fb9ef..904c869 100644
M_CP_INTOPT(rekey_limit);
M_CP_INTOPT(rekey_interval);
-@@ -2062,6 +2072,7 @@ dump_config(ServerOptions *o)
- dump_cfg_fmtint(sUseDNS, o->use_dns);
- dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
+@@ -2130,6 +2140,7 @@ dump_config(ServerOptions *o)
+ dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
+ dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
+ dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
diff --git a/servconf.h b/servconf.h
-index 37cfa9b..5117dfa 100644
+index 397698b..cf2a505 100644
--- a/servconf.h
+++ b/servconf.h
-@@ -173,6 +173,7 @@ typedef struct {
+@@ -175,6 +175,7 @@ typedef struct {
int num_permitted_opens;
@@ -258,7 +258,7 @@ index 37cfa9b..5117dfa 100644
char *revoked_keys_file;
char *trusted_user_ca_keys;
diff --git a/sshd_config b/sshd_config
-index adfd7b1..e772ed5 100644
+index f4796fc..0d9454d 100644
--- a/sshd_config
+++ b/sshd_config
@@ -87,6 +87,7 @@ ChallengeResponseAuthentication no
@@ -270,10 +270,10 @@ index adfd7b1..e772ed5 100644
# GSSAPI options
GSSAPIAuthentication yes
diff --git a/sshd_config.5 b/sshd_config.5
-index 1fb002d..e0e5fff 100644
+index 8ad79d9..eb4dd9e 100644
--- a/sshd_config.5
+++ b/sshd_config.5
-@@ -697,6 +697,10 @@ Specifies whether to automatically destroy the user's ticket cache
+@@ -740,6 +740,10 @@ Specifies whether to automatically destroy the user's ticket cache
file on logout.
The default is
.Dq yes .
@@ -284,7 +284,7 @@ index 1fb002d..e0e5fff 100644
.It Cm KexAlgorithms
Specifies the available KEX (Key Exchange) algorithms.
Multiple algorithms must be comma-separated.
-@@ -862,6 +866,7 @@ Available keywords are
+@@ -961,6 +965,7 @@ Available keywords are
.Cm HostbasedUsesNameFromPacketOnly ,
.Cm KbdInteractiveAuthentication ,
.Cm KerberosAuthentication ,
diff --git a/openssh-6.6p1-role-mls.patch b/openssh-6.6p1-role-mls.patch
index 4740c99..02e81e6 100644
--- a/openssh-6.6p1-role-mls.patch
+++ b/openssh-6.6p1-role-mls.patch
@@ -25,7 +25,7 @@ index a1a2b52..b109a5a 100644
char ** fetch_pam_child_environment(void);
void free_pam_environment(char **);
diff --git a/auth.h b/auth.h
-index 124e597..4605588 100644
+index d081c94..847cffd 100644
--- a/auth.h
+++ b/auth.h
@@ -59,6 +59,9 @@ struct Authctxt {
@@ -39,10 +39,10 @@ index 124e597..4605588 100644
char *info; /* Extra info for next auth_log */
#ifdef BSD_AUTH
diff --git a/auth1.c b/auth1.c
-index 0f870b3..df040bb 100644
+index 5038828..f0a98d2 100644
--- a/auth1.c
+++ b/auth1.c
-@@ -381,6 +381,9 @@ do_authentication(Authctxt *authctxt)
+@@ -382,6 +382,9 @@ do_authentication(Authctxt *authctxt)
{
u_int ulen;
char *user, *style = NULL;
@@ -52,7 +52,7 @@ index 0f870b3..df040bb 100644
/* Get the name of the user that we wish to log in as. */
packet_read_expect(SSH_CMSG_USER);
-@@ -389,11 +392,24 @@ do_authentication(Authctxt *authctxt)
+@@ -390,11 +393,24 @@ do_authentication(Authctxt *authctxt)
user = packet_get_cstring(&ulen);
packet_check_eom();
@@ -78,10 +78,10 @@ index 0f870b3..df040bb 100644
/* Verify that the user is a valid user. */
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
diff --git a/auth2-gss.c b/auth2-gss.c
-index c28a705..4756dd7 100644
+index 447f896..4803e7e 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
-@@ -251,6 +251,7 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
+@@ -252,6 +252,7 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt;
int authenticated = 0;
@@ -89,7 +89,7 @@ index c28a705..4756dd7 100644
Buffer b;
gss_buffer_desc mic, gssbuf;
u_int len;
-@@ -263,7 +264,13 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
+@@ -264,7 +265,13 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
mic.value = packet_get_string(&len);
mic.length = len;
@@ -104,7 +104,7 @@ index c28a705..4756dd7 100644
"gssapi-with-mic");
gssbuf.value = buffer_ptr(&b);
-@@ -275,6 +282,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
+@@ -276,6 +283,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
logit("GSSAPI MIC check failed");
buffer_free(&b);
@@ -114,10 +114,10 @@ index c28a705..4756dd7 100644
authctxt->postponed = 0;
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
-index eca0069..95d678e 100644
+index b7ae353..41f1a3f 100644
--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
-@@ -112,7 +112,15 @@ userauth_hostbased(Authctxt *authctxt)
+@@ -113,7 +113,15 @@ userauth_hostbased(Authctxt *authctxt)
buffer_put_string(&b, session_id2, session_id2_len);
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
@@ -135,7 +135,7 @@ index eca0069..95d678e 100644
buffer_put_cstring(&b, "hostbased");
buffer_put_string(&b, pkalg, alen);
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
-index 749b11a..c0ae0d4 100644
+index 3f4f789..12f5afd 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -133,9 +133,11 @@ userauth_pubkey(Authctxt *authctxt)
@@ -153,10 +153,10 @@ index 749b11a..c0ae0d4 100644
free(userstyle);
buffer_put_cstring(&b,
diff --git a/auth2.c b/auth2.c
-index a5490c0..5f4f26f 100644
+index d9b440a..d6fbc93 100644
--- a/auth2.c
+++ b/auth2.c
-@@ -215,6 +215,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
+@@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
Authctxt *authctxt = ctxt;
Authmethod *m = NULL;
char *user, *service, *method, *style = NULL;
@@ -166,7 +166,7 @@ index a5490c0..5f4f26f 100644
int authenticated = 0;
if (authctxt == NULL)
-@@ -226,6 +229,11 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
+@@ -227,6 +230,11 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
debug("userauth-request for user %s service %s method %s", user, service, method);
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
@@ -178,7 +178,7 @@ index a5490c0..5f4f26f 100644
if ((style = strchr(user, ':')) != NULL)
*style++ = 0;
-@@ -251,8 +259,15 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
+@@ -252,8 +260,15 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
use_privsep ? " [net]" : "");
authctxt->service = xstrdup(service);
authctxt->style = style ? xstrdup(style) : NULL;
@@ -196,10 +196,10 @@ index a5490c0..5f4f26f 100644
if (auth2_setup_methods_lists(authctxt) != 0)
packet_disconnect("no authentication methods enabled");
diff --git a/misc.c b/misc.c
-index e4c8c32..f31cd91 100644
+index 94b05b0..651c21b 100644
--- a/misc.c
+++ b/misc.c
-@@ -430,6 +430,7 @@ char *
+@@ -431,6 +431,7 @@ char *
colon(char *cp)
{
int flag = 0;
@@ -207,7 +207,7 @@ index e4c8c32..f31cd91 100644
if (*cp == ':') /* Leading colon is part of file name. */
return NULL;
-@@ -445,6 +446,13 @@ colon(char *cp)
+@@ -446,6 +447,13 @@ colon(char *cp)
return (cp);
if (*cp == '/')
return NULL;
@@ -222,10 +222,10 @@ index e4c8c32..f31cd91 100644
return NULL;
}
diff --git a/monitor.c b/monitor.c
-index 531c4f9..229fada 100644
+index dbe29f1..d3f87e1 100644
--- a/monitor.c
+++ b/monitor.c
-@@ -145,6 +145,9 @@ int mm_answer_sign(int, Buffer *);
+@@ -148,6 +148,9 @@ int mm_answer_sign(int, Buffer *);
int mm_answer_pwnamallow(int, Buffer *);
int mm_answer_auth2_read_banner(int, Buffer *);
int mm_answer_authserv(int, Buffer *);
@@ -235,7 +235,7 @@ index 531c4f9..229fada 100644
int mm_answer_authpassword(int, Buffer *);
int mm_answer_bsdauthquery(int, Buffer *);
int mm_answer_bsdauthrespond(int, Buffer *);
-@@ -219,6 +222,9 @@ struct mon_table mon_dispatch_proto20[] = {
+@@ -227,6 +230,9 @@ struct mon_table mon_dispatch_proto20[] = {
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -245,7 +245,7 @@ index 531c4f9..229fada 100644
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM
-@@ -805,6 +811,9 @@ mm_answer_pwnamallow(int sock, Buffer *m)
+@@ -824,6 +830,9 @@ mm_answer_pwnamallow(int sock, Buffer *m)
else {
/* Allow service/style information on the auth context */
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -255,7 +255,7 @@ index 531c4f9..229fada 100644
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
}
#ifdef USE_PAM
-@@ -846,6 +855,25 @@ mm_answer_authserv(int sock, Buffer *m)
+@@ -865,6 +874,25 @@ mm_answer_authserv(int sock, Buffer *m)
return (0);
}
@@ -281,7 +281,7 @@ index 531c4f9..229fada 100644
int
mm_answer_authpassword(int sock, Buffer *m)
{
-@@ -1220,7 +1248,7 @@ static int
+@@ -1241,7 +1269,7 @@ static int
monitor_valid_userblob(u_char *data, u_int datalen)
{
Buffer b;
@@ -290,7 +290,7 @@ index 531c4f9..229fada 100644
u_int len;
int fail = 0;
-@@ -1246,6 +1274,8 @@ monitor_valid_userblob(u_char *data, u_int datalen)
+@@ -1267,6 +1295,8 @@ monitor_valid_userblob(u_char *data, u_int datalen)
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++;
p = buffer_get_cstring(&b, NULL);
@@ -299,7 +299,7 @@ index 531c4f9..229fada 100644
xasprintf(&userstyle, "%s%s%s", authctxt->user,
authctxt->style ? ":" : "",
authctxt->style ? authctxt->style : "");
-@@ -1281,7 +1311,7 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
+@@ -1302,7 +1332,7 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
char *chost)
{
Buffer b;
@@ -308,7 +308,7 @@ index 531c4f9..229fada 100644
u_int len;
int fail = 0;
-@@ -1298,6 +1328,8 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
+@@ -1319,6 +1349,8 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++;
p = buffer_get_cstring(&b, NULL);
@@ -333,10 +333,10 @@ index 5bc41b5..20e2b4a 100644
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
diff --git a/monitor_wrap.c b/monitor_wrap.c
-index 1a47e41..d1b6d99 100644
+index 45dc169..82f114c 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
-@@ -336,6 +336,25 @@ mm_inform_authserv(char *service, char *style)
+@@ -342,6 +342,25 @@ mm_inform_authserv(char *service, char *style)
buffer_free(&m);
}
@@ -377,12 +377,12 @@ index 18c2501..9d5e5ba 100644
char *mm_auth2_read_banner(void);
int mm_auth_password(struct Authctxt *, char *);
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
-index 6ecfb93..b912dbe 100644
+index ab1a3e3..843225d 100644
--- a/openbsd-compat/Makefile.in
+++ b/openbsd-compat/Makefile.in
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o di
- COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
+ COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o
-PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
+PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o
@@ -391,10 +391,10 @@ index 6ecfb93..b912dbe 100644
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c
new file mode 100644
-index 0000000..c18524e
+index 0000000..6310717
--- /dev/null
+++ b/openbsd-compat/port-linux-sshd.c
-@@ -0,0 +1,414 @@
+@@ -0,0 +1,415 @@
+/*
+ * Copyright (c) 2005 Daniel Walsh <dwalsh at redhat.com>
+ * Copyright (c) 2014 Petr Lautrbach <plautrba at redhat.com>
@@ -426,6 +426,7 @@ index 0000000..c18524e
+
+#include "log.h"
+#include "xmalloc.h"
++#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
+#include "servconf.h"
+#include "port-linux.h"
+#include "key.h"
@@ -868,10 +869,10 @@ index e3d1004..8ef6cc4 100644
#ifdef LINUX_OOM_ADJUST
diff --git a/platform.c b/platform.c
-index 30fc609..0d39ab2 100644
+index ee313da..84c47fa 100644
--- a/platform.c
+++ b/platform.c
-@@ -183,7 +183,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
+@@ -184,7 +184,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
}
#endif /* HAVE_SETPCRED */
#ifdef WITH_SELINUX
@@ -881,10 +882,10 @@ index 30fc609..0d39ab2 100644
}
diff --git a/sshd.c b/sshd.c
-index 7523de9..07f9926 100644
+index 481d001..41b317b 100644
--- a/sshd.c
+++ b/sshd.c
-@@ -2138,6 +2138,9 @@ main(int ac, char **av)
+@@ -2144,6 +2144,9 @@ main(int ac, char **av)
restore_uid();
}
#endif
diff --git a/openssh-6.6p1-audit.patch b/openssh-6.7p1-audit.patch
similarity index 85%
rename from openssh-6.6p1-audit.patch
rename to openssh-6.7p1-audit.patch
index 2ee2012..4ce4b53 100644
--- a/openssh-6.6p1-audit.patch
+++ b/openssh-6.7p1-audit.patch
@@ -1,8 +1,8 @@
diff --git a/Makefile.in b/Makefile.in
-index 0f0d39f..9d8c2eb 100644
+index 8e11217..9311e16 100644
--- a/Makefile.in
+++ b/Makefile.in
-@@ -82,7 +82,8 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
+@@ -92,7 +92,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
ssh-pkcs11.o krl.o smult_curve25519_ref.o \
kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
ssh-ed25519.o digest-openssl.o hmac.o utf8_stringprep.o \
@@ -13,7 +13,7 @@ index 0f0d39f..9d8c2eb 100644
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect1.o sshconnect2.o mux.o \
diff --git a/audit-bsm.c b/audit-bsm.c
-index 6135591..5160869 100644
+index 6135591..c7a1b47 100644
--- a/audit-bsm.c
+++ b/audit-bsm.c
@@ -375,10 +375,23 @@ audit_connection_from(const char *host, int port)
@@ -66,7 +66,7 @@ index 6135591..5160869 100644
+}
+
+void
-+audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid, uid_t uid)
++audit_kex_body(int ctos, char *enc, char *mac, char *compress, char *pfs, pid_t pid, uid_t uid)
+{
+ /* not implemented */
+}
@@ -96,16 +96,17 @@ index 6135591..5160869 100644
+}
#endif /* BSM */
diff --git a/audit-linux.c b/audit-linux.c
-index b3ee2f4..946f7fa 100644
+index b3ee2f4..bff8180 100644
--- a/audit-linux.c
+++ b/audit-linux.c
-@@ -35,13 +35,24 @@
+@@ -35,13 +35,25 @@
#include "log.h"
#include "audit.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
++#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
+#include "servconf.h"
#include "canohost.h"
+#include "packet.h"
@@ -127,7 +128,7 @@ index b3ee2f4..946f7fa 100644
{
int audit_fd, rc, saved_errno;
-@@ -49,11 +60,11 @@ linux_audit_record_event(int uid, const char *username,
+@@ -49,11 +61,11 @@ linux_audit_record_event(int uid, const char *username,
if (audit_fd < 0) {
if (errno == EINVAL || errno == EPROTONOSUPPORT ||
errno == EAFNOSUPPORT)
@@ -142,7 +143,7 @@ index b3ee2f4..946f7fa 100644
NULL, "login", username ? username : "(unknown)",
username == NULL ? uid : -1, hostname, ip, ttyn, success);
saved_errno = errno;
-@@ -65,35 +76,150 @@ linux_audit_record_event(int uid, const char *username,
+@@ -65,35 +77,154 @@ linux_audit_record_event(int uid, const char *username,
if ((rc == -EPERM) && (geteuid() != 0))
rc = 0;
errno = saved_errno;
@@ -224,8 +225,12 @@ index b3ee2f4..946f7fa 100644
+ buf, audit_username(), -1, NULL, get_remote_ipaddr(), NULL, rv);
+ if ((rc < 0) && ((rc != -1) || (getuid() == 0)))
+ goto out;
++ /* is the fingerprint_prefix() still needed?
+ snprintf(buf, sizeof(buf), "key algo=%s size=%d fp=%s%s rport=%d",
+ type, bits, key_fingerprint_prefix(), fp, get_remote_port());
++ */
++ snprintf(buf, sizeof(buf), "key algo=%s size=%d fp=%s rport=%d",
++ type, bits, fp, get_remote_port());
+ rc = audit_log_acct_message(audit_fd, AUDIT_USER_AUTH, NULL,
+ buf, audit_username(), -1, NULL, get_remote_ipaddr(), NULL, rv);
+out:
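Review bot: The rewritten `snprintf` in `audit_keyusage` drops `key_fingerprint_prefix()` from the `fp=` field and leaves the old call in a comment asking whether it is still needed; that question should be settled before the patch ships, not stored in the audit path. Elsewhere in this patch (`audit_key` in audit.c, and auth-rsa.c) the fingerprint is now produced with `options.fingerprint_hash`. Unless the string returned by `key_fingerprint()` already names its hash, the AUDIT_USER_AUTH record no longer tells a log consumer which digest `fp=` holds, and records written under different FingerprintHash settings cannot be compared. I would delete the commented-out call and add a comment stating the decision, for example `/* fp comes from key_fingerprint(key, options.fingerprint_hash, SSH_FP_HEX); no separate prefix is logged */`. The function starts and ends outside this hunk.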
@@ -301,7 +306,7 @@ index b3ee2f4..946f7fa 100644
}
void
-@@ -101,21 +227,43 @@ audit_event(ssh_audit_event_t event)
+@@ -101,21 +232,43 @@ audit_event(ssh_audit_event_t event)
{
switch(event) {
case SSH_AUTH_SUCCESS:
@@ -349,7 +354,7 @@ index b3ee2f4..946f7fa 100644
break;
default:
-@@ -123,4 +271,135 @@ audit_event(ssh_audit_event_t event)
+@@ -123,4 +276,135 @@ audit_event(ssh_audit_event_t event)
}
}
@@ -379,17 +384,17 @@ index b3ee2f4..946f7fa 100644
+const static char *direction[] = { "from-server", "from-client", "both" };
+
+void
-+audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid,
++audit_kex_body(int ctos, char *enc, char *mac, char *compress, char *pfs, pid_t pid,
+ uid_t uid)
+{
+#ifdef AUDIT_CRYPTO_SESSION
+ char buf[AUDIT_LOG_SIZE];
+ int audit_fd, audit_ok;
-+ Cipher *cipher = cipher_by_name(enc);
++ const Cipher *cipher = cipher_by_name(enc);
+ char *s;
+
-+ snprintf(buf, sizeof(buf), "op=start direction=%s cipher=%s ksize=%d mac=%s spid=%jd suid=%jd rport=%d laddr=%s lport=%d ",
-+ direction[ctos], enc, cipher ? 8 * cipher->key_len : 0, mac,
++ snprintf(buf, sizeof(buf), "op=start direction=%s cipher=%s ksize=%d mac=%s pfs=%s spid=%jd suid=%jd rport=%d laddr=%s lport=%d ",
++ direction[ctos], enc, cipher ? 8 * cipher->key_len : 0, mac, pfs,
+ (intmax_t)pid, (intmax_t)uid,
+ get_remote_port(), (s = get_local_ipaddr(packet_get_connection_in())), get_local_port());
+ free(s);
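Review bot: The new `pfs` argument of `audit_kex_body` goes straight into a `%s` conversion in the `snprintf`, and nothing visible in this hunk guarantees it is non-NULL; passing NULL to `%s` is undefined behaviour. Follow the pattern `linux_audit_record_event` already uses for `username` and write `mac, pfs ? pfs : "(unknown)",`, or state at the prototype in audit.h that callers must pass a non-NULL string. The same unguarded `%s` is in the `debug()` call of the null `audit_kex_body` in audit.c. The `snprintf` result is also not checked, so the longer format can silently truncate the record in `buf`. The function body continues outside this hunk.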
@@ -486,7 +491,7 @@ index b3ee2f4..946f7fa 100644
+}
#endif /* USE_LINUX_AUDIT */
diff --git a/audit.c b/audit.c
-index ced57fa..ab9fb82 100644
+index ced57fa..18908b4 100644
--- a/audit.c
+++ b/audit.c
@@ -28,6 +28,7 @@
@@ -497,17 +502,27 @@ index ced57fa..ab9fb82 100644
#ifdef SSH_AUDIT_EVENTS
-@@ -36,6 +37,9 @@
+@@ -36,6 +37,11 @@
#include "key.h"
#include "hostfile.h"
#include "auth.h"
+#include "ssh-gss.h"
+#include "monitor_wrap.h"
+#include "xmalloc.h"
++#include "misc.h"
++#include "servconf.h"
/*
* Care must be taken when using this since it WILL NOT be initialized when
-@@ -71,13 +75,10 @@ audit_classify_auth(const char *method)
+@@ -43,6 +49,7 @@
+ * audit_event(CONNECTION_ABANDON) is called. Test for NULL before using.
+ */
+ extern Authctxt *the_authctxt;
++extern ServerOptions options;
+
+ /* Maybe add the audit class to struct Authmethod? */
+ ssh_audit_event_t
+@@ -71,13 +78,10 @@ audit_classify_auth(const char *method)
const char *
audit_username(void)
{
@@ -523,7 +538,7 @@ index ced57fa..ab9fb82 100644
return (the_authctxt->user);
}
-@@ -111,6 +112,40 @@ audit_event_lookup(ssh_audit_event_t ev)
+@@ -111,6 +115,40 @@ audit_event_lookup(ssh_audit_event_t ev)
return(event_lookup[i].name);
}
@@ -533,7 +548,7 @@ index ced57fa..ab9fb82 100644
+ char *fp;
+ const char *crypto_name;
+
-+ fp = key_selected_fingerprint(key, SSH_FP_HEX);
++ fp = key_fingerprint(key, options.fingerprint_hash, SSH_FP_HEX);
+ if (key->type == KEY_RSA1)
+ crypto_name = "ssh-rsa1";
+ else
@@ -550,9 +565,9 @@ index ced57fa..ab9fb82 100644
+}
+
+void
-+audit_kex(int ctos, char *enc, char *mac, char *comp)
++audit_kex(int ctos, char *enc, char *mac, char *comp, char *pfs)
+{
-+ PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid()));
++ PRIVSEP(audit_kex_body(ctos, enc, mac, comp, pfs, getpid(), getuid()));
+}
+
+void
@@ -564,7 +579,7 @@ index ced57fa..ab9fb82 100644
# ifndef CUSTOM_SSH_AUDIT_EVENTS
/*
* Null implementations of audit functions.
-@@ -140,6 +175,17 @@ audit_event(ssh_audit_event_t event)
+@@ -140,6 +178,17 @@ audit_event(ssh_audit_event_t event)
}
/*
@@ -582,7 +597,7 @@ index ced57fa..ab9fb82 100644
* Called when a user session is started. Argument is the tty allocated to
* the session, or NULL if no tty was allocated.
*
-@@ -174,13 +220,91 @@ audit_session_close(struct logininfo *li)
+@@ -174,13 +223,91 @@ audit_session_close(struct logininfo *li)
/*
* This will be called when a user runs a non-interactive command. Note that
* it may be called multiple times for a single connection since SSH2 allows
@@ -638,11 +653,11 @@ index ced57fa..ab9fb82 100644
+ * This will be called on succesfull protocol negotiation.
+ */
+void
-+audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid,
++audit_kex_body(int ctos, char *enc, char *mac, char *compress, char *pfs, pid_t pid,
+ uid_t uid)
+{
-+ debug("audit protocol negotiation euid %d direction %d cipher %s mac %s compresion %s from pid %ld uid %u",
-+ (unsigned)geteuid(), ctos, enc, mac, compress, (long)pid,
++ debug("audit protocol negotiation euid %d direction %d cipher %s mac %s compresion %s pfs %s from pid %ld uid %u",
++ (unsigned)geteuid(), ctos, enc, mac, compress, pfs, (long)pid,
+ (unsigned)uid);
+}
+
@@ -677,7 +692,7 @@ index ced57fa..ab9fb82 100644
# endif /* !defined CUSTOM_SSH_AUDIT_EVENTS */
#endif /* SSH_AUDIT_EVENTS */
diff --git a/audit.h b/audit.h
-index 92ede5b..a2dc3ff 100644
+index 92ede5b..903df66 100644
--- a/audit.h
+++ b/audit.h
@@ -28,6 +28,7 @@
@@ -706,9 +721,9 @@ index 92ede5b..a2dc3ff 100644
+int audit_keyusage(int, const char *, unsigned, char *, int);
+void audit_key(int, int *, const Key *);
+void audit_unsupported(int);
-+void audit_kex(int, char *, char *, char *);
++void audit_kex(int, char *, char *, char *, char *);
+void audit_unsupported_body(int);
-+void audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
++void audit_kex_body(int, char *, char *, char *, char *, pid_t, uid_t);
+void audit_session_key_free(int ctos);
+void audit_session_key_free_body(int ctos, pid_t, uid_t);
+void audit_destroy_sensitive_data(const char *, pid_t, uid_t);
@@ -717,7 +732,7 @@ index 92ede5b..a2dc3ff 100644
#endif /* _SSH_AUDIT_H */
diff --git a/auditstub.c b/auditstub.c
new file mode 100644
-index 0000000..45817e0
+index 0000000..116f460
--- /dev/null
+++ b/auditstub.c
@@ -0,0 +1,50 @@
@@ -758,7 +773,7 @@ index 0000000..45817e0
+}
+
+void
-+audit_kex(int ctos, char *enc, char *mac, char *comp)
++audit_kex(int ctos, char *enc, char *mac, char *comp, char *pfs)
+{
+}
+
@@ -772,7 +787,7 @@ index 0000000..45817e0
+{
+}
diff --git a/auth-rsa.c b/auth-rsa.c
-index 5dad6c3..f225b0b 100644
+index ff7a132..1e12515 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -93,7 +93,10 @@ auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16])
@@ -797,7 +812,7 @@ index 5dad6c3..f225b0b 100644
+ rv = timingsafe_bcmp(response, mdbuf, 16) == 0;
+
+#ifdef SSH_AUDIT_EVENTS
-+ fp = key_selected_fingerprint(key, SSH_FP_HEX);
++ fp = key_fingerprint(key, options.fingerprint_hash, SSH_FP_HEX);
+ if (audit_keyusage(1, "ssh-rsa1", RSA_size(key->rsa) * 8, fp, rv) == 0) {
+ debug("unsuccessful audit");
+ rv = 0;
@@ -812,10 +827,10 @@ index 5dad6c3..f225b0b 100644
/*
diff --git a/auth.c b/auth.c
-index 420a85b..d613f8c 100644
+index 5a9acd3..7eba5d4 100644
--- a/auth.c
+++ b/auth.c
-@@ -628,9 +628,6 @@ getpwnamallow(const char *user)
+@@ -642,9 +642,6 @@ getpwnamallow(const char *user)
record_failed_login(user,
get_canonical_hostname(options.use_dns), "ssh");
#endif
@@ -826,10 +841,10 @@ index 420a85b..d613f8c 100644
}
if (!allowed_user(pw))
diff --git a/auth.h b/auth.h
-index 4605588..f9d191c 100644
+index 847cffd..19fbcf5 100644
--- a/auth.h
+++ b/auth.h
-@@ -186,6 +186,7 @@ void abandon_challenge_response(Authctxt *);
+@@ -187,6 +187,7 @@ void abandon_challenge_response(Authctxt *);
char *expand_authorized_keys(const char *, struct passwd *pw);
char *authorized_principals_file(struct passwd *);
@@ -837,7 +852,7 @@ index 4605588..f9d191c 100644
FILE *auth_openkeyfile(const char *, struct passwd *, int);
FILE *auth_openprincipals(const char *, struct passwd *, int);
-@@ -203,6 +204,7 @@ Key *get_hostkey_private_by_type(int);
+@@ -204,6 +205,7 @@ Key *get_hostkey_private_by_type(int);
int get_hostkey_index(Key *);
int ssh1_session_key(BIGNUM *);
void sshd_hostkey_sign(Key *, Key *, u_char **, u_int *, u_char *, u_int);
@@ -846,10 +861,10 @@ index 4605588..f9d191c 100644
/* debug messages during authentication */
void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
-index 95d678e..48aede4 100644
+index 41f1a3f..80d9802 100644
--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
-@@ -137,7 +137,7 @@ userauth_hostbased(Authctxt *authctxt)
+@@ -138,7 +138,7 @@ userauth_hostbased(Authctxt *authctxt)
/* test for allowed key and correct signature */
authenticated = 0;
if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
@@ -858,7 +873,7 @@ index 95d678e..48aede4 100644
buffer_len(&b))) == 1)
authenticated = 1;
-@@ -154,6 +154,18 @@ done:
+@@ -155,6 +155,18 @@ done:
return authenticated;
}
@@ -878,7 +893,7 @@ index 95d678e..48aede4 100644
int
hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
-index cb0f931..6d1c872 100644
+index 269e642..110ec48 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -160,7 +160,7 @@ userauth_pubkey(Authctxt *authctxt)
@@ -890,7 +905,7 @@ index cb0f931..6d1c872 100644
buffer_len(&b))) == 1)
authenticated = 1;
buffer_free(&b);
-@@ -231,6 +231,18 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
+@@ -232,6 +232,18 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
free(extra);
}
@@ -907,13 +922,13 @@ index cb0f931..6d1c872 100644
+}
+
static int
- match_principals_option(const char *principal_list, struct KeyCert *cert)
+ match_principals_option(const char *principal_list, struct sshkey_cert *cert)
{
diff --git a/auth2.c b/auth2.c
-index 426dcd6..436cd60 100644
+index ec4ff8a..9e6e815 100644
--- a/auth2.c
+++ b/auth2.c
-@@ -249,9 +249,6 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
+@@ -250,9 +250,6 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
} else {
logit("input_userauth_request: invalid user %s", user);
authctxt->pw = fakepw();
@@ -924,14 +939,14 @@ index 426dcd6..436cd60 100644
#ifdef USE_PAM
if (options.use_pam)
diff --git a/cipher.c b/cipher.c
-index 53d9b4f..226e56d 100644
+index 638ca2d..9cc7cf8 100644
--- a/cipher.c
+++ b/cipher.c
-@@ -57,20 +57,6 @@ extern const EVP_CIPHER *evp_ssh1_bf(void);
- extern const EVP_CIPHER *evp_ssh1_3des(void);
- extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
+@@ -57,26 +57,6 @@ extern const EVP_CIPHER *evp_ssh1_3des(void);
+ extern int ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
+ #endif
--struct Cipher {
+-struct sshcipher {
- char *name;
- int number; /* for ssh1 only */
- u_int block_size;
@@ -942,22 +957,28 @@ index 53d9b4f..226e56d 100644
- u_int flags;
-#define CFLAG_CBC (1<<0)
-#define CFLAG_CHACHAPOLY (1<<1)
+-#define CFLAG_AESCTR (1<<2)
+-#define CFLAG_NONE (1<<3)
+-#ifdef WITH_OPENSSL
- const EVP_CIPHER *(*evptype)(void);
+-#else
+- void *ignored;
+-#endif
-};
-
- static const struct Cipher ciphers[] = {
- { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
+ static const struct sshcipher ciphers[] = {
+ #ifdef WITH_SSH1
{ "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
diff --git a/cipher.h b/cipher.h
-index 133d2e7..d41758e 100644
+index de74c1e..26ed4cb 100644
--- a/cipher.h
+++ b/cipher.h
-@@ -63,7 +63,20 @@
- typedef struct Cipher Cipher;
- typedef struct CipherContext CipherContext;
+@@ -62,7 +62,26 @@
+ #define CIPHER_ENCRYPT 1
+ #define CIPHER_DECRYPT 0
--struct Cipher;
-+struct Cipher {
+-struct sshcipher;
++struct sshcipher {
+ char *name;
+ int number; /* for ssh1 only */
+ u_int block_size;
@@ -968,17 +989,23 @@ index 133d2e7..d41758e 100644
+ u_int flags;
+#define CFLAG_CBC (1<<0)
+#define CFLAG_CHACHAPOLY (1<<1)
++#define CFLAG_AESCTR (1<<2)
++#define CFLAG_NONE (1<<3)
++#ifdef WITH_OPENSSL
+ const EVP_CIPHER *(*evptype)(void);
++#else
++ void *ignored;
++#endif
+};
+
- struct CipherContext {
+ struct sshcipher_ctx {
int plaintext;
int encrypt;
diff --git a/kex.c b/kex.c
-index bce2ab8..bc3e53e 100644
+index 4563920..e0cf3de 100644
--- a/kex.c
+++ b/kex.c
-@@ -50,6 +50,7 @@
+@@ -52,6 +52,7 @@
#include "monitor.h"
#include "roaming.h"
#include "digest.h"
@@ -986,7 +1013,7 @@ index bce2ab8..bc3e53e 100644
#ifdef GSSAPI
#include "ssh-gss.h"
-@@ -366,9 +367,13 @@ static void
+@@ -370,9 +371,13 @@ static void
choose_enc(Enc *enc, char *client, char *server)
{
char *name = match_list(client, server, NULL);
@@ -1001,7 +1028,7 @@ index bce2ab8..bc3e53e 100644
if ((enc->cipher = cipher_by_name(name)) == NULL)
fatal("matching cipher is not supported: %s", name);
enc->name = name;
-@@ -384,9 +389,13 @@ static void
+@@ -388,9 +393,13 @@ static void
choose_mac(Mac *mac, char *client, char *server)
{
char *name = match_list(client, server, NULL);
@@ -1016,7 +1043,7 @@ index bce2ab8..bc3e53e 100644
if (mac_setup(mac, name) < 0)
fatal("unsupported mac %s", name);
/* truncate the key */
-@@ -401,8 +410,12 @@ static void
+@@ -405,8 +414,12 @@ static void
choose_comp(Comp *comp, char *client, char *server)
{
char *name = match_list(client, server, NULL);
@@ -1030,17 +1057,36 @@ index bce2ab8..bc3e53e 100644
if (strcmp(name, "zlib at openssh.com") == 0) {
comp->type = COMP_DELAYED;
} else if (strcmp(name, "zlib") == 0) {
-@@ -517,6 +530,9 @@ kex_choose_conf(Kex *kex)
- newkeys->enc.name,
+@@ -522,9 +535,11 @@ kex_choose_conf(Kex *kex)
authlen == 0 ? newkeys->mac.name : "<implicit>",
newkeys->comp.name);
-+#ifdef SSH_AUDIT_EVENTS
-+ audit_kex(ctos, newkeys->enc.name, newkeys->mac.name, newkeys->comp.name);
-+#endif
}
++
choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
-@@ -702,3 +718,34 @@ dump_digest(char *msg, u_char *digest, int len)
+ sprop[PROPOSAL_SERVER_HOST_KEY_ALGS]);
++
+ need = dh_need = 0;
+ for (mode = 0; mode < MODE_MAX; mode++) {
+ newkeys = kex->newkeys[mode];
+@@ -536,11 +551,16 @@ kex_choose_conf(Kex *kex)
+ dh_need = MAX(dh_need, newkeys->enc.block_size);
+ dh_need = MAX(dh_need, newkeys->enc.iv_len);
+ dh_need = MAX(dh_need, newkeys->mac.key_len);
++ debug("kex: %s need=%d dh_need=%d", kex->name, need, dh_need);
++#ifdef SSH_AUDIT_EVENTS
++ audit_kex(mode, newkeys->enc.name, newkeys->mac.name, newkeys->comp.name, kex->name);
++#endif
+ }
+ /* XXX need runden? */
+ kex->we_need = need;
+ kex->dh_need = dh_need;
+
++
+ /* ignore the next message if the proposals do not match */
+ if (first_kex_follows && !proposals_match(my, peer) &&
+ !(datafellows & SSH_BUG_FIRSTKEX)) {
+@@ -710,3 +730,34 @@ dump_digest(char *msg, u_char *digest, int len)
fprintf(stderr, "\n");
}
#endif
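Review bot: The added `audit_kex(mode, ...)` call inside the second `for (mode = 0; mode < MODE_MAX; mode++)` loop passes the raw `mode` index where the removed call passed `ctos`, yet the wrappers later in this patch (`mm_audit_kex_body`, `mm_answer_audit_kex_body`) still name that parameter `ctos`. If the audit backend still reads the value as a client-to-server flag, the direction written to the audit trail may be wrong on one side of the connection. Either derive the direction from `mode` and the role of this end before the call, or rename the parameter and document the new meaning. The call also passes `newkeys->mac.name` unguarded, while the debug line in the context above substitutes `"<implicit>"` when `authlen != 0`, so a comment such as `/* mac.name may be NULL for AEAD ciphers */` would help. kex_choose_conf starts and ends outside this hunk.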
@@ -1076,7 +1122,7 @@ index bce2ab8..bc3e53e 100644
+}
+
diff --git a/kex.h b/kex.h
-index 313bb51..c643250 100644
+index 1c76c08..e015d27 100644
--- a/kex.h
+++ b/kex.h
@@ -182,6 +182,8 @@ void kexgss_client(Kex *);
@@ -1088,61 +1134,23 @@ index 313bb51..c643250 100644
void
kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
-diff --git a/key.c b/key.c
-index 900b9e3..62f3edb 100644
---- a/key.c
-+++ b/key.c
-@@ -1925,6 +1925,33 @@ key_demote(const Key *k)
- }
-
- int
-+key_is_private(const Key *k)
-+{
-+ switch (k->type) {
-+ case KEY_RSA_CERT_V00:
-+ case KEY_RSA_CERT:
-+ case KEY_RSA1:
-+ case KEY_RSA:
-+ return k->rsa->d != NULL;
-+ case KEY_DSA_CERT_V00:
-+ case KEY_DSA_CERT:
-+ case KEY_DSA:
-+ return k->dsa->priv_key != NULL;
-+#ifdef OPENSSL_HAS_ECC
-+ case KEY_ECDSA_CERT:
-+ case KEY_ECDSA:
-+ return EC_KEY_get0_private_key(k->ecdsa) != NULL;
-+#endif
-+ case KEY_ED25519_CERT:
-+ case KEY_ED25519:
-+ return (k->ed25519_pk != NULL);
-+ default:
-+ fatal("key_is_private: bad key type %d", k->type);
-+ return 1;
-+ }
-+}
-+
-+int
- key_is_cert(const Key *k)
- {
- if (k == NULL)
diff --git a/key.h b/key.h
-index d51ed81..8f61605 100644
+index e1a3625..4a90e1e 100644
--- a/key.h
+++ b/key.h
-@@ -118,6 +118,7 @@ Key *key_generate(int, u_int);
- Key *key_from_private(const Key *);
- int key_type_from_name(char *);
- int key_is_cert(const Key *);
-+int key_is_private(const Key *k);
- int key_type_is_cert(int);
- int key_type_plain(int);
- int key_to_certified(Key *, int);
+@@ -52,6 +52,7 @@ typedef struct sshkey Key;
+ #define key_ecdsa_key_to_nid sshkey_ecdsa_key_to_nid
+ #define key_names_valid2 sshkey_names_valid2
+ #define key_is_cert sshkey_is_cert
++#define key_is_private sshkey_is_private
+ #define key_type_plain sshkey_type_plain
+ #define key_cert_is_legacy sshkey_cert_is_legacy
+ #define key_curve_name_to_nid sshkey_curve_name_to_nid
diff --git a/mac.c b/mac.c
-index 0977572..9388af4 100644
+index 402dc98..fd07bf2 100644
--- a/mac.c
+++ b/mac.c
-@@ -222,6 +222,20 @@ mac_clear(Mac *mac)
+@@ -223,6 +223,20 @@ mac_clear(Mac *mac)
mac->umac_ctx = NULL;
}
@@ -1173,10 +1181,10 @@ index fbe18c4..7dc7f43 100644
void mac_clear(Mac *);
+void mac_destroy(Mac *);
diff --git a/monitor.c b/monitor.c
-index 8b18086..5a65114 100644
+index d97e640..07fa655 100644
--- a/monitor.c
+++ b/monitor.c
-@@ -97,6 +97,7 @@
+@@ -100,6 +100,7 @@
#include "ssh2.h"
#include "roaming.h"
#include "authfd.h"
@@ -1184,7 +1192,7 @@ index 8b18086..5a65114 100644
#ifdef GSSAPI
static Gssctxt *gsscontext = NULL;
-@@ -113,6 +114,8 @@ extern Buffer auth_debug;
+@@ -116,6 +117,8 @@ extern Buffer auth_debug;
extern int auth_debug_init;
extern Buffer loginmsg;
@@ -1193,7 +1201,7 @@ index 8b18086..5a65114 100644
/* State exported from the child */
struct {
-@@ -185,6 +188,11 @@ int mm_answer_gss_updatecreds(int, Buffer *);
+@@ -188,6 +191,11 @@ int mm_answer_gss_updatecreds(int, Buffer *);
#ifdef SSH_AUDIT_EVENTS
int mm_answer_audit_event(int, Buffer *);
int mm_answer_audit_command(int, Buffer *);
@@ -1205,7 +1213,7 @@ index 8b18086..5a65114 100644
#endif
static int monitor_read_log(struct monitor *);
-@@ -239,6 +247,10 @@ struct mon_table mon_dispatch_proto20[] = {
+@@ -247,6 +255,10 @@ struct mon_table mon_dispatch_proto20[] = {
#endif
#ifdef SSH_AUDIT_EVENTS
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
@@ -1216,7 +1224,7 @@ index 8b18086..5a65114 100644
#endif
#ifdef BSD_AUTH
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
-@@ -274,6 +286,11 @@ struct mon_table mon_dispatch_postauth20[] = {
+@@ -285,6 +297,11 @@ struct mon_table mon_dispatch_postauth20[] = {
#ifdef SSH_AUDIT_EVENTS
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
@@ -1228,7 +1236,7 @@ index 8b18086..5a65114 100644
#endif
{0, 0, NULL}
};
-@@ -305,6 +322,10 @@ struct mon_table mon_dispatch_proto15[] = {
+@@ -317,6 +334,10 @@ struct mon_table mon_dispatch_proto15[] = {
#endif
#ifdef SSH_AUDIT_EVENTS
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
@@ -1237,9 +1245,9 @@ index 8b18086..5a65114 100644
+ {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
+ {MONITOR_REQ_AUDIT_SERVER_KEY_FREE, MON_PERMIT, mm_answer_audit_server_key_free},
#endif
+ #endif /* WITH_SSH1 */
{0, 0, NULL}
- };
-@@ -316,6 +337,11 @@ struct mon_table mon_dispatch_postauth15[] = {
+@@ -330,6 +351,11 @@ struct mon_table mon_dispatch_postauth15[] = {
#ifdef SSH_AUDIT_EVENTS
{MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
{MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
@@ -1249,9 +1257,9 @@ index 8b18086..5a65114 100644
+ {MONITOR_REQ_AUDIT_SESSION_KEY_FREE, MON_PERMIT, mm_answer_audit_session_key_free_body},
+ {MONITOR_REQ_AUDIT_SERVER_KEY_FREE, MON_PERMIT, mm_answer_audit_server_key_free},
#endif
+ #endif /* WITH_SSH1 */
{0, 0, NULL}
- };
-@@ -1393,9 +1419,11 @@ mm_answer_keyverify(int sock, Buffer *m)
+@@ -1416,9 +1442,11 @@ mm_answer_keyverify(int sock, Buffer *m)
Key *key;
u_char *signature, *data, *blob;
u_int signaturelen, datalen, bloblen;
@@ -1263,7 +1271,7 @@ index 8b18086..5a65114 100644
blob = buffer_get_string(m, &bloblen);
signature = buffer_get_string(m, &signaturelen);
data = buffer_get_string(m, &datalen);
-@@ -1403,6 +1431,8 @@ mm_answer_keyverify(int sock, Buffer *m)
+@@ -1426,6 +1454,8 @@ mm_answer_keyverify(int sock, Buffer *m)
if (hostbased_cuser == NULL || hostbased_chost == NULL ||
!monitor_allowed_key(blob, bloblen))
fatal("%s: bad key, not previously allowed", __func__);
@@ -1272,7 +1280,7 @@ index 8b18086..5a65114 100644
key = key_from_blob(blob, bloblen);
if (key == NULL)
-@@ -1423,7 +1453,17 @@ mm_answer_keyverify(int sock, Buffer *m)
+@@ -1446,7 +1476,17 @@ mm_answer_keyverify(int sock, Buffer *m)
if (!valid_data)
fatal("%s: bad signature data blob", __func__);
@@ -1291,7 +1299,7 @@ index 8b18086..5a65114 100644
debug3("%s: key %p signature %s",
__func__, key, (verified == 1) ? "verified" : "unverified");
-@@ -1476,6 +1516,12 @@ mm_session_close(Session *s)
+@@ -1499,6 +1539,12 @@ mm_session_close(Session *s)
debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
session_pty_cleanup2(s);
}
@@ -1304,7 +1312,7 @@ index 8b18086..5a65114 100644
session_unused(s->self);
}
-@@ -1756,6 +1802,8 @@ mm_answer_term(int sock, Buffer *req)
+@@ -1781,6 +1827,8 @@ mm_answer_term(int sock, Buffer *req)
sshpam_cleanup();
#endif
@@ -1313,7 +1321,7 @@ index 8b18086..5a65114 100644
while (waitpid(pmonitor->m_pid, &status, 0) == -1)
if (errno != EINTR)
exit(1);
-@@ -1798,11 +1846,43 @@ mm_answer_audit_command(int socket, Buffer *m)
+@@ -1823,11 +1871,43 @@ mm_answer_audit_command(int socket, Buffer *m)
{
u_int len;
char *cmd;
@@ -1358,7 +1366,7 @@ index 8b18086..5a65114 100644
free(cmd);
return (0);
}
-@@ -1946,11 +2026,13 @@ mm_get_keystate(struct monitor *pmonitor)
+@@ -1975,11 +2055,13 @@ mm_get_keystate(struct monitor *pmonitor)
blob = buffer_get_string(&m, &bloblen);
current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen);
@@ -1372,7 +1380,7 @@ index 8b18086..5a65114 100644
free(blob);
/* Now get sequence numbers for the packets */
-@@ -1996,6 +2078,21 @@ mm_get_keystate(struct monitor *pmonitor)
+@@ -2025,6 +2107,21 @@ mm_get_keystate(struct monitor *pmonitor)
}
buffer_free(&m);
@@ -1394,7 +1402,7 @@ index 8b18086..5a65114 100644
}
-@@ -2277,3 +2374,85 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) {
+@@ -2321,3 +2418,87 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) {
#endif /* GSSAPI */
@@ -1418,7 +1426,7 @@ index 8b18086..5a65114 100644
+mm_answer_audit_kex_body(int sock, Buffer *m)
+{
+ int ctos, len;
-+ char *cipher, *mac, *compress;
++ char *cipher, *mac, *compress, *pfs;
+ pid_t pid;
+ uid_t uid;
+
@@ -1426,14 +1434,16 @@ index 8b18086..5a65114 100644
+ cipher = buffer_get_string(m, &len);
+ mac = buffer_get_string(m, &len);
+ compress = buffer_get_string(m, &len);
++ pfs = buffer_get_string(m, &len);
+ pid = buffer_get_int64(m);
+ uid = buffer_get_int64(m);
+
-+ audit_kex_body(ctos, cipher, mac, compress, pid, uid);
++ audit_kex_body(ctos, cipher, mac, compress, pfs, pid, uid);
+
+ free(cipher);
+ free(mac);
+ free(compress);
++ free(pfs);
+ buffer_clear(m);
+
+ mm_request_send(sock, MONITOR_ANS_AUDIT_KEX, m);
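Review bot: `pid` and `uid` are read from the request with `buffer_get_int64(m)` and handed to `audit_kex_body()` unchanged, so the privileged monitor records whatever identity and algorithm strings the unprivileged child sends. The request types are registered as `MON_PERMIT` in the dispatch tables earlier in this patch, so at minimum add a comment above the call: `/* all fields are supplied by the unprivileged child and are not verified here */`. Where the monitor already knows the value (monitor.c uses `pmonitor->m_pid` elsewhere), prefer it to the one in the message. Separately, `len` is declared `int` in the previous hunk but passed to `buffer_get_string()`, which mm_answer_keyverify calls with `u_int` lengths; `u_int len;` removes the signedness mismatch. The function begins in the previous hunk and continues past this one.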
@@ -1481,7 +1491,7 @@ index 8b18086..5a65114 100644
+}
+#endif /* SSH_AUDIT_EVENTS */
diff --git a/monitor.h b/monitor.h
-index ff79fbb..6dfb234 100644
+index 00c2028..cc8da6a 100644
--- a/monitor.h
+++ b/monitor.h
@@ -69,7 +69,13 @@ enum monitor_reqtype {
@@ -1500,10 +1510,10 @@ index ff79fbb..6dfb234 100644
};
diff --git a/monitor_wrap.c b/monitor_wrap.c
-index d1e1caa..6df236a 100644
+index 7e991e6..ba4ecd7 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
-@@ -450,7 +450,7 @@ mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key)
+@@ -456,7 +456,7 @@ mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key)
*/
int
@@ -1512,7 +1522,7 @@ index d1e1caa..6df236a 100644
{
Buffer m;
u_char *blob;
-@@ -464,6 +464,7 @@ mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen)
+@@ -470,6 +470,7 @@ mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen)
return (0);
buffer_init(&m);
@@ -1520,7 +1530,7 @@ index d1e1caa..6df236a 100644
buffer_put_string(&m, blob, len);
buffer_put_string(&m, sig, siglen);
buffer_put_string(&m, data, datalen);
-@@ -481,6 +482,19 @@ mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen)
+@@ -487,6 +488,19 @@ mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen)
return (verified);
}
@@ -1540,7 +1550,7 @@ index d1e1caa..6df236a 100644
/* Export key state after authentication */
Newkeys *
mm_newkeys_from_blob(u_char *blob, int blen)
-@@ -659,12 +673,14 @@ mm_send_keystate(struct monitor *monitor)
+@@ -665,12 +679,14 @@ mm_send_keystate(struct monitor *monitor)
fatal("%s: conversion of newkeys failed", __func__);
buffer_put_string(&m, blob, bloblen);
@@ -1555,7 +1565,7 @@ index d1e1caa..6df236a 100644
free(blob);
packet_get_state(MODE_OUT, &seqnr, &blocks, &packets, &bytes);
-@@ -1208,10 +1224,11 @@ mm_audit_event(ssh_audit_event_t event)
+@@ -1218,10 +1234,11 @@ mm_audit_event(ssh_audit_event_t event)
buffer_free(&m);
}
@@ -1568,7 +1578,7 @@ index d1e1caa..6df236a 100644
debug3("%s entering command %s", __func__, command);
-@@ -1219,6 +1236,26 @@ mm_audit_run_command(const char *command)
+@@ -1229,6 +1246,26 @@ mm_audit_run_command(const char *command)
buffer_put_cstring(&m, command);
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, &m);
@@ -1595,7 +1605,7 @@ index d1e1caa..6df236a 100644
buffer_free(&m);
}
#endif /* SSH_AUDIT_EVENTS */
-@@ -1354,3 +1391,71 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
+@@ -1364,3 +1401,72 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
#endif /* GSSAPI */
@@ -1616,7 +1626,7 @@ index d1e1caa..6df236a 100644
+}
+
+void
-+mm_audit_kex_body(int ctos, char *cipher, char *mac, char *compress, pid_t pid,
++mm_audit_kex_body(int ctos, char *cipher, char *mac, char *compress, char *fps, pid_t pid,
+ uid_t uid)
+{
+ Buffer m;
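Review bot: The new fifth parameter of `mm_audit_kex_body()` is named `fps`, while the monitor side of the same message (`mm_answer_audit_kex_body`) calls it `pfs` and `kex_choose_conf()` passes `kex->name` for it. Using one name on both ends, for example `char *pfs`, keeps the request and its handler readable as a pair. The next hunk serialises it with `buffer_put_cstring(&m, fps)` and no NULL guard, whereas `mac` two lines earlier gets `(mac ? mac : "")`. If a NULL can reach this argument, it needs the same guard: `buffer_put_cstring(&m, (fps ? fps : ""));`. The function body continues past this hunk.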
@@ -1626,6 +1636,7 @@ index d1e1caa..6df236a 100644
+ buffer_put_cstring(&m, cipher);
+ buffer_put_cstring(&m, (mac ? mac : ""));
+ buffer_put_cstring(&m, compress);
++ buffer_put_cstring(&m, fps);
+ buffer_put_int64(&m, pid);
+ buffer_put_int64(&m, uid);
+
@@ -1668,7 +1679,7 @@ index d1e1caa..6df236a 100644
+}
+#endif /* SSH_AUDIT_EVENTS */
diff --git a/monitor_wrap.h b/monitor_wrap.h
-index 93929e0..4cf0c78 100644
+index 93929e0..e43109f 100644
--- a/monitor_wrap.h
+++ b/monitor_wrap.h
@@ -52,7 +52,8 @@ int mm_key_allowed(enum mm_keytype, char *, char *, Key *);
@@ -1689,14 +1700,14 @@ index 93929e0..4cf0c78 100644
+int mm_audit_run_command(const char *);
+void mm_audit_end_command(int, const char *);
+void mm_audit_unsupported_body(int);
-+void mm_audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
++void mm_audit_kex_body(int, char *, char *, char *, char *, pid_t, uid_t);
+void mm_audit_session_key_free_body(int, pid_t, uid_t);
+void mm_audit_destroy_sensitive_data(const char *, pid_t, uid_t);
#endif
struct Session;
diff --git a/packet.c b/packet.c
-index 660a9fc..f5b122b 100644
+index 9b7abd1..f1e00f7 100644
--- a/packet.c
+++ b/packet.c
@@ -61,6 +61,7 @@
@@ -1707,7 +1718,7 @@ index 660a9fc..f5b122b 100644
#include "buffer.h"
#include "packet.h"
#include "crc32.h"
-@@ -476,6 +477,13 @@ packet_get_connection_out(void)
+@@ -483,6 +484,13 @@ packet_get_connection_out(void)
return active_state->connection_out;
}
@@ -1721,7 +1732,7 @@ index 660a9fc..f5b122b 100644
/* Closes the connection and clears and frees internal data structures. */
void
-@@ -484,13 +492,6 @@ packet_close(void)
+@@ -491,13 +499,6 @@ packet_close(void)
if (!active_state->initialized)
return;
active_state->initialized = 0;
@@ -1735,7 +1746,7 @@ index 660a9fc..f5b122b 100644
buffer_free(&active_state->input);
buffer_free(&active_state->output);
buffer_free(&active_state->outgoing_packet);
-@@ -499,8 +500,18 @@ packet_close(void)
+@@ -506,8 +507,18 @@ packet_close(void)
buffer_free(&active_state->compression_buffer);
buffer_compress_uninit();
}
@@ -1756,7 +1767,7 @@ index 660a9fc..f5b122b 100644
}
/* Sets remote side protocol flags. */
-@@ -736,6 +747,25 @@ packet_send1(void)
+@@ -747,6 +758,25 @@ packet_send1(void)
*/
}
@@ -1782,7 +1793,7 @@ index 660a9fc..f5b122b 100644
void
set_newkeys(int mode)
{
-@@ -761,6 +791,7 @@ set_newkeys(int mode)
+@@ -772,6 +802,7 @@ set_newkeys(int mode)
}
if (active_state->newkeys[mode] != NULL) {
debug("set_newkeys: rekeying");
@@ -1790,7 +1801,7 @@ index 660a9fc..f5b122b 100644
cipher_cleanup(cc);
enc = &active_state->newkeys[mode]->enc;
mac = &active_state->newkeys[mode]->mac;
-@@ -2011,6 +2042,47 @@ packet_get_newkeys(int mode)
+@@ -2025,6 +2056,47 @@ packet_get_newkeys(int mode)
return (void *)active_state->newkeys[mode];
}
@@ -1838,7 +1849,7 @@ index 660a9fc..f5b122b 100644
/*
* Save the state for the real connection, and use a separate state when
* resuming a suspended connection.
-@@ -2018,18 +2090,12 @@ packet_get_newkeys(int mode)
+@@ -2032,18 +2104,12 @@ packet_get_newkeys(int mode)
void
packet_backup_state(void)
{
@@ -1858,7 +1869,7 @@ index 660a9fc..f5b122b 100644
}
/*
-@@ -2046,9 +2112,7 @@ packet_restore_state(void)
+@@ -2060,9 +2126,7 @@ packet_restore_state(void)
backup_state = active_state;
active_state = tmp;
active_state->connection_in = backup_state->connection_in;
@@ -1868,7 +1879,7 @@ index 660a9fc..f5b122b 100644
len = buffer_len(&backup_state->input);
if (len > 0) {
buf = buffer_ptr(&backup_state->input);
-@@ -2056,4 +2120,10 @@ packet_restore_state(void)
+@@ -2070,6 +2134,11 @@ packet_restore_state(void)
buffer_clear(&backup_state->input);
add_recv_bytes(len);
}
@@ -1878,19 +1889,20 @@ index 660a9fc..f5b122b 100644
+ free(backup_state);
+ backup_state = NULL;
}
-+
+
+ /* Reset after_authentication and reset compression in post-auth privsep */
diff --git a/packet.h b/packet.h
-index f8edf85..c36c812 100644
+index e7b5fcb..45a6ce6 100644
--- a/packet.h
+++ b/packet.h
-@@ -124,4 +124,5 @@ void packet_restore_state(void);
+@@ -125,4 +125,5 @@ void packet_set_postauth(void);
void *packet_get_input(void);
void *packet_get_output(void);
+void packet_destroy_all(int, int);
#endif /* PACKET_H */
diff --git a/session.c b/session.c
-index df43592..b186ca1 100644
+index 40a681e..acd87d5 100644
--- a/session.c
+++ b/session.c
@@ -138,7 +138,7 @@ extern int log_stderr;
@@ -1902,7 +1914,7 @@ index df43592..b186ca1 100644
extern Buffer loginmsg;
/* original command from peer. */
-@@ -746,6 +746,14 @@ do_exec_pty(Session *s, const char *command)
+@@ -730,6 +730,14 @@ do_exec_pty(Session *s, const char *command)
/* Parent. Close the slave side of the pseudo tty. */
close(ttyfd);
@@ -1917,7 +1929,7 @@ index df43592..b186ca1 100644
/* Enter interactive session. */
s->ptymaster = ptymaster;
packet_set_interactive(1,
-@@ -863,15 +871,19 @@ do_exec(Session *s, const char *command)
+@@ -852,15 +860,19 @@ do_exec(Session *s, const char *command)
get_remote_port());
#ifdef SSH_AUDIT_EVENTS
@@ -1939,7 +1951,7 @@ index df43592..b186ca1 100644
#endif
if (s->ttyfd != -1)
ret = do_exec_pty(s, command);
-@@ -1708,7 +1720,10 @@ do_child(Session *s, const char *command)
+@@ -1703,7 +1715,10 @@ do_child(Session *s, const char *command)
int r = 0;
/* remove hostkey from the child's memory */
@@ -2073,10 +2085,10 @@ index 6a2f35e..e9b312e 100644
void session_close(Session *);
void do_setusercontext(struct passwd *);
diff --git a/sshd.c b/sshd.c
-index 8a0740a..2813aa2 100644
+index ca55d7f..db23ce2 100644
--- a/sshd.c
+++ b/sshd.c
-@@ -119,6 +119,7 @@
+@@ -120,6 +120,7 @@
#endif
#include "monitor_wrap.h"
#include "roaming.h"
@@ -2084,7 +2096,7 @@ index 8a0740a..2813aa2 100644
#include "ssh-sandbox.h"
#include "version.h"
-@@ -264,7 +265,7 @@ Buffer loginmsg;
+@@ -254,7 +255,7 @@ Buffer loginmsg;
struct passwd *privsep_pw = NULL;
/* Prototypes for various functions defined later in this file. */
@@ -2092,8 +2104,8 @@ index 8a0740a..2813aa2 100644
+void destroy_sensitive_data(int);
void demote_sensitive_data(void);
- static void do_ssh1_kex(void);
-@@ -283,6 +284,15 @@ close_listen_socks(void)
+ #ifdef WITH_SSH1
+@@ -275,6 +276,15 @@ close_listen_socks(void)
num_listen_socks = -1;
}
@@ -2109,7 +2121,7 @@ index 8a0740a..2813aa2 100644
static void
close_startup_pipes(void)
{
-@@ -562,22 +572,45 @@ sshd_exchange_identification(int sock_in, int sock_out)
+@@ -554,22 +564,45 @@ sshd_exchange_identification(int sock_in, int sock_out)
}
}
@@ -2137,7 +2149,7 @@ index 8a0740a..2813aa2 100644
+ char *fp;
+
+ if (key_is_private(sensitive_data.host_keys[i]))
-+ fp = key_selected_fingerprint(sensitive_data.host_keys[i], SSH_FP_HEX);
++ fp = key_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX);
+ else
+ fp = NULL;
key_free(sensitive_data.host_keys[i]);
@@ -2158,7 +2170,7 @@ index 8a0740a..2813aa2 100644
key_free(sensitive_data.host_certificates[i]);
sensitive_data.host_certificates[i] = NULL;
}
-@@ -591,6 +624,8 @@ void
+@@ -583,6 +616,8 @@ void
demote_sensitive_data(void)
{
Key *tmp;
@@ -2167,7 +2179,7 @@ index 8a0740a..2813aa2 100644
int i;
if (sensitive_data.server_key) {
-@@ -599,13 +634,25 @@ demote_sensitive_data(void)
+@@ -591,13 +626,25 @@ demote_sensitive_data(void)
sensitive_data.server_key = tmp;
}
@@ -2178,7 +2190,7 @@ index 8a0740a..2813aa2 100644
+ char *fp;
+
+ if (key_is_private(sensitive_data.host_keys[i]))
-+ fp = key_selected_fingerprint(sensitive_data.host_keys[i], SSH_FP_HEX);
++ fp = key_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX);
+ else
+ fp = NULL;
tmp = key_demote(sensitive_data.host_keys[i]);
@@ -2193,7 +2205,7 @@ index 8a0740a..2813aa2 100644
}
/* Certs do not need demotion */
}
-@@ -675,7 +722,7 @@ privsep_preauth(Authctxt *authctxt)
+@@ -667,7 +714,7 @@ privsep_preauth(Authctxt *authctxt)
if (use_privsep == PRIVSEP_ON)
box = ssh_sandbox_init(pmonitor);
@@ -2202,7 +2214,7 @@ index 8a0740a..2813aa2 100644
if (pid == -1) {
fatal("fork of unprivileged child failed");
} else if (pid != 0) {
-@@ -729,6 +776,8 @@ privsep_preauth(Authctxt *authctxt)
+@@ -721,6 +768,8 @@ privsep_preauth(Authctxt *authctxt)
}
}
@@ -2211,7 +2223,7 @@ index 8a0740a..2813aa2 100644
static void
privsep_postauth(Authctxt *authctxt)
{
-@@ -753,6 +802,10 @@ privsep_postauth(Authctxt *authctxt)
+@@ -745,6 +794,10 @@ privsep_postauth(Authctxt *authctxt)
else if (pmonitor->m_pid != 0) {
verbose("User child is on pid %ld", (long)pmonitor->m_pid);
buffer_clear(&loginmsg);
@@ -2222,7 +2234,7 @@ index 8a0740a..2813aa2 100644
monitor_child_postauth(pmonitor);
/* NEVERREACHED */
-@@ -1211,6 +1264,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
+@@ -1222,6 +1275,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
if (received_sigterm) {
logit("Received signal %d; terminating.",
(int) received_sigterm);
@@ -2230,7 +2242,7 @@ index 8a0740a..2813aa2 100644
close_listen_socks();
unlink(options.pid_file);
exit(received_sigterm == SIGTERM ? 0 : 255);
-@@ -2134,6 +2188,7 @@ main(int ac, char **av)
+@@ -2141,6 +2195,7 @@ main(int ac, char **av)
*/
if (use_privsep) {
mm_send_keystate(pmonitor);
@@ -2238,7 +2250,7 @@ index 8a0740a..2813aa2 100644
exit(0);
}
-@@ -2179,7 +2234,7 @@ main(int ac, char **av)
+@@ -2186,7 +2241,7 @@ main(int ac, char **av)
privsep_postauth(authctxt);
/* the monitor process [priv] will not return */
if (!compat20)
@@ -2247,7 +2259,7 @@ index 8a0740a..2813aa2 100644
}
packet_set_timeout(options.client_alive_interval,
-@@ -2189,6 +2244,9 @@ main(int ac, char **av)
+@@ -2196,6 +2251,9 @@ main(int ac, char **av)
do_authenticated(authctxt);
/* The connection has been terminated. */
@@ -2257,18 +2269,18 @@ index 8a0740a..2813aa2 100644
packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);
packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);
verbose("Transferred: sent %llu, received %llu bytes",
-@@ -2346,6 +2404,10 @@ do_ssh1_kex(void)
+@@ -2355,6 +2413,10 @@ do_ssh1_kex(void)
if (cookie[i] != packet_get_char())
packet_disconnect("IP Spoofing check bytes do not match.");
+#ifdef SSH_AUDIT_EVENTS
-+ audit_kex(2, cipher_name(cipher_type), "crc", "none");
++ audit_kex(2, cipher_name(cipher_type), "crc", "none", "none");
+#endif
+
debug("Encryption type: %.200s", cipher_name(cipher_type));
/* Get the encrypted integer. */
-@@ -2418,7 +2480,7 @@ do_ssh1_kex(void)
+@@ -2427,7 +2489,7 @@ do_ssh1_kex(void)
session_id[i] = session_key[i] ^ session_key[i + 16];
}
/* Destroy the private and public keys. No longer. */
@@ -2277,7 +2289,7 @@ index 8a0740a..2813aa2 100644
if (use_privsep)
mm_ssh1_session_id(session_id);
-@@ -2584,6 +2646,16 @@ do_ssh2_kex(void)
+@@ -2598,6 +2660,16 @@ do_ssh2_kex(void)
void
cleanup_exit(int i)
{
@@ -2293,8 +2305,8 @@ index 8a0740a..2813aa2 100644
+
if (the_authctxt) {
do_cleanup(the_authctxt);
- if (use_privsep && privsep_is_preauth && pmonitor->m_pid > 1) {
-@@ -2594,9 +2666,14 @@ cleanup_exit(int i)
+ if (use_privsep && privsep_is_preauth &&
+@@ -2609,9 +2681,14 @@ cleanup_exit(int i)
pmonitor->m_pid, strerror(errno));
}
}
@@ -2310,3 +2322,53 @@ index 8a0740a..2813aa2 100644
audit_event(SSH_CONNECTION_ABANDON);
#endif
_exit(i);
+diff --git a/sshkey.c b/sshkey.c
+index 70df758..f078e11 100644
+--- a/sshkey.c
++++ b/sshkey.c
+@@ -291,6 +291,33 @@ sshkey_type_is_valid_ca(int type)
+ }
+
+ int
++sshkey_is_private(const struct sshkey *k)
++{
++ switch (k->type) {
++ case KEY_RSA_CERT_V00:
++ case KEY_RSA_CERT:
++ case KEY_RSA1:
++ case KEY_RSA:
++ return k->rsa->d != NULL;
++ case KEY_DSA_CERT_V00:
++ case KEY_DSA_CERT:
++ case KEY_DSA:
++ return k->dsa->priv_key != NULL;
++#ifdef OPENSSL_HAS_ECC
++ case KEY_ECDSA_CERT:
++ case KEY_ECDSA:
++ return EC_KEY_get0_private_key(k->ecdsa) != NULL;
++#endif
++ case KEY_ED25519_CERT:
++ case KEY_ED25519:
++ return (k->ed25519_pk != NULL);
++ default:
++ /* fatal("key_is_private: bad key type %d", k->type); */
++ return 0;
++ }
++}
++
++int
+ sshkey_is_cert(const struct sshkey *k)
+ {
+ if (k == NULL)
+diff --git a/sshkey.h b/sshkey.h
+index 4554b09..226a494 100644
+--- a/sshkey.h
++++ b/sshkey.h
+@@ -134,6 +134,7 @@ u_int sshkey_size(const struct sshkey *);
+ int sshkey_generate(int type, u_int bits, struct sshkey **keyp);
+ int sshkey_from_private(const struct sshkey *, struct sshkey **);
+ int sshkey_type_from_name(const char *);
++int sshkey_is_private(const struct sshkey *);
+ int sshkey_is_cert(const struct sshkey *);
+ int sshkey_type_is_cert(int);
+ int sshkey_type_plain(int);
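Review bot: In the added `sshkey_is_private()`, the `KEY_ED25519_CERT`/`KEY_ED25519` case tests `k->ed25519_pk`, the public half, so a public-only Ed25519 key is reported as private; the check should be `return (k->ed25519_sk != NULL);`. The sshd.c hunks in this patch use the result to decide whether to fingerprint a host key before freeing or demoting it, presumably for a key-destruction audit record, so an Ed25519 key that holds no secret would still be treated as private there. The function also dereferences `k`, `k->rsa` and `k->dsa` without a NULL check, unlike `sshkey_is_cert()` just below it, which tests `k == NULL` first. The `default` branch now returns 0 with the `fatal()` commented out, which deserves a comment such as `/* unknown key types are treated as holding no private material */`.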
diff --git a/openssh-6.7p1-fingerprint.patch b/openssh-6.7p1-fingerprint.patch
index da798dd..d29fc9b 100644
--- a/openssh-6.7p1-fingerprint.patch
+++ b/openssh-6.7p1-fingerprint.patch
@@ -1,13 +1,47 @@
-diff -up openssh-6.7p1/auth2-hostbased.c.fingerprint openssh-6.7p1/auth2-hostbased.c
---- openssh-6.7p1/auth2-hostbased.c.fingerprint 2014-07-18 06:11:25.000000000 +0200
-+++ openssh-6.7p1/auth2-hostbased.c 2014-12-22 13:10:57.961878113 +0100
+diff --git a/auth-rsa.c b/auth-rsa.c
+index e9f4ede..ff7a132 100644
+--- a/auth-rsa.c
++++ b/auth-rsa.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: auth-rsa.c,v 1.88 2014/07/15 15:54:14 millert Exp $ */
++/* $OpenBSD: auth-rsa.c,v 1.89 2014/12/21 22:27:56 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo at cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
+@@ -236,7 +236,8 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file,
+ "actual %d vs. announced %d.",
+ file, linenum, BN_num_bits(key->rsa->n), bits);
+
+- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
++ fp = key_fingerprint(key, options.fingerprint_hash,
++ SSH_FP_DEFAULT);
+ debug("matching key found: file %s, line %lu %s %s",
+ file, linenum, key_type(key), fp);
+ free(fp);
+diff --git a/auth.c b/auth.c
+index 5e60682..5a9acd3 100644
+--- a/auth.c
++++ b/auth.c
+@@ -702,7 +702,7 @@ auth_key_is_revoked(Key *key)
+ case 1:
+ revoked:
+ /* Key revoked */
+- key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
++ key_fp = key_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT);
+ error("WARNING: authentication attempt with a revoked "
+ "%s key %s ", key_type(key), key_fp);
+ free(key_fp);
+diff --git a/auth2-hostbased.c b/auth2-hostbased.c
+index 6787e4c..b7ae353 100644
+--- a/auth2-hostbased.c
++++ b/auth2-hostbased.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-hostbased.c,v 1.18 2014/07/15 15:54:14 millert Exp $ */
+/* $OpenBSD: auth2-hostbased.c,v 1.19 2014/12/21 22:27:56 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
-@@ -208,13 +208,14 @@ hostbased_key_allowed(struct passwd *pw,
+@@ -208,13 +208,14 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
if (host_status == HOST_OK) {
if (key_is_cert(key)) {
fp = key_fingerprint(key->cert->signature_key,
@@ -24,10 +58,11 @@ diff -up openssh-6.7p1/auth2-hostbased.c.fingerprint openssh-6.7p1/auth2-hostbas
verbose("Accepted %s public key %s from %s@%s",
key_type(key), fp, cuser, lookup);
}
-diff -up openssh-6.7p1/auth2-pubkey.c.fingerprint openssh-6.7p1/auth2-pubkey.c
---- openssh-6.7p1/auth2-pubkey.c.fingerprint 2014-07-18 06:11:25.000000000 +0200
-+++ openssh-6.7p1/auth2-pubkey.c 2014-12-22 13:13:56.446258343 +0100
-@@ -213,7 +213,7 @@ pubkey_auth_info(Authctxt *authctxt, con
+diff --git a/auth2-pubkey.c b/auth2-pubkey.c
+index f3ca965..3f4f789 100644
+--- a/auth2-pubkey.c
++++ b/auth2-pubkey.c
+@@ -213,7 +213,7 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
if (key_is_cert(key)) {
fp = key_fingerprint(key->cert->signature_key,
@@ -36,7 +71,7 @@ diff -up openssh-6.7p1/auth2-pubkey.c.fingerprint openssh-6.7p1/auth2-pubkey.c
auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s",
key_type(key), key->cert->key_id,
(unsigned long long)key->cert->serial,
-@@ -221,7 +221,8 @@ pubkey_auth_info(Authctxt *authctxt, con
+@@ -221,7 +221,8 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
free(fp);
} else {
@@ -46,7 +81,7 @@ diff -up openssh-6.7p1/auth2-pubkey.c.fingerprint openssh-6.7p1/auth2-pubkey.c
auth_info(authctxt, "%s %s%s%s", key_type(key), fp,
extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
free(fp);
-@@ -365,8 +366,8 @@ check_authkeys_file(FILE *f, char *file,
+@@ -365,8 +366,8 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
continue;
if (!key_is_cert_authority)
continue;
@@ -57,7 +92,7 @@ diff -up openssh-6.7p1/auth2-pubkey.c.fingerprint openssh-6.7p1/auth2-pubkey.c
debug("matching CA found: file %s, line %lu, %s %s",
file, linenum, key_type(found), fp);
/*
-@@ -406,7 +407,8 @@ check_authkeys_file(FILE *f, char *file,
+@@ -406,7 +407,8 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
if (key_is_cert_authority)
continue;
found_key = 1;
@@ -67,7 +102,7 @@ diff -up openssh-6.7p1/auth2-pubkey.c.fingerprint openssh-6.7p1/auth2-pubkey.c
debug("matching key found: file %s, line %lu %s %s",
file, linenum, key_type(found), fp);
free(fp);
-@@ -432,7 +434,7 @@ user_cert_trusted_ca(struct passwd *pw,
+@@ -432,7 +434,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
return 0;
ca_fp = key_fingerprint(key->cert->signature_key,
@@ -76,62 +111,10 @@ diff -up openssh-6.7p1/auth2-pubkey.c.fingerprint openssh-6.7p1/auth2-pubkey.c
if (key_in_file(key->cert->signature_key,
options.trusted_user_ca_keys, 1) != 1) {
-diff -up openssh-6.7p1/auth.c.fingerprint openssh-6.7p1/auth.c
---- openssh-6.7p1/auth.c.fingerprint 2014-12-22 13:10:57.961878113 +0100
-+++ openssh-6.7p1/auth.c 2014-12-22 13:27:18.105463774 +0100
-@@ -702,7 +702,7 @@ auth_key_is_revoked(Key *key)
- case 1:
- revoked:
- /* Key revoked */
-- key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-+ key_fp = key_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT);
- error("WARNING: authentication attempt with a revoked "
- "%s key %s ", key_type(key), key_fp);
- free(key_fp);
-diff -up openssh-6.7p1/auth-rsa.c.fingerprint openssh-6.7p1/auth-rsa.c
---- openssh-6.7p1/auth-rsa.c.fingerprint 2014-07-18 06:11:25.000000000 +0200
-+++ openssh-6.7p1/auth-rsa.c 2014-12-22 13:10:57.960878116 +0100
-@@ -1,4 +1,4 @@
--/* $OpenBSD: auth-rsa.c,v 1.88 2014/07/15 15:54:14 millert Exp $ */
-+/* $OpenBSD: auth-rsa.c,v 1.89 2014/12/21 22:27:56 djm Exp $ */
- /*
- * Author: Tatu Ylonen <ylo at cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
-@@ -236,7 +236,8 @@ rsa_key_allowed_in_file(struct passwd *p
- "actual %d vs. announced %d.",
- file, linenum, BN_num_bits(key->rsa->n), bits);
-
-- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-+ fp = key_fingerprint(key, options.fingerprint_hash,
-+ SSH_FP_DEFAULT);
- debug("matching key found: file %s, line %lu %s %s",
- file, linenum, key_type(key), fp);
- free(fp);
-diff -up openssh-6.7p1/digest.h.fingerprint openssh-6.7p1/digest.h
---- openssh-6.7p1/digest.h.fingerprint 2014-07-03 13:25:04.000000000 +0200
-+++ openssh-6.7p1/digest.h 2014-12-22 13:10:57.961878113 +0100
-@@ -1,4 +1,4 @@
--/* $OpenBSD: digest.h,v 1.6 2014/07/03 04:36:45 djm Exp $ */
-+/* $OpenBSD: digest.h,v 1.7 2014/12/21 22:27:56 djm Exp $ */
- /*
- * Copyright (c) 2013 Damien Miller <djm at mindrot.org>
- *
-@@ -33,6 +33,12 @@
- struct sshbuf;
- struct ssh_digest_ctx;
-
-+/* Looks up a digest algorithm by name */
-+int ssh_digest_alg_by_name(const char *name);
-+
-+/* Returns the algorithm name for a digest identifier */
-+const char *ssh_digest_alg_name(int alg);
-+
- /* Returns the algorithm's digest length in bytes or 0 for invalid algorithm */
- size_t ssh_digest_bytes(int alg);
-
-diff -up openssh-6.7p1/digest-libc.c.fingerprint openssh-6.7p1/digest-libc.c
---- openssh-6.7p1/digest-libc.c.fingerprint 2014-07-02 07:28:03.000000000 +0200
-+++ openssh-6.7p1/digest-libc.c 2014-12-22 13:10:57.961878113 +0100
+diff --git a/digest-libc.c b/digest-libc.c
+index 1b4423a..169ded0 100644
+--- a/digest-libc.c
++++ b/digest-libc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: digest-libc.c,v 1.3 2014/06/24 01:13:21 djm Exp $ */
+/* $OpenBSD: digest-libc.c,v 1.4 2014/12/21 22:27:56 djm Exp $ */
@@ -165,9 +148,10 @@ diff -up openssh-6.7p1/digest-libc.c.fingerprint openssh-6.7p1/digest-libc.c
size_t
ssh_digest_bytes(int alg)
{
-diff -up openssh-6.7p1/digest-openssl.c.fingerprint openssh-6.7p1/digest-openssl.c
---- openssh-6.7p1/digest-openssl.c.fingerprint 2014-07-17 01:01:26.000000000 +0200
-+++ openssh-6.7p1/digest-openssl.c 2014-12-22 13:10:57.961878113 +0100
+diff --git a/digest-openssl.c b/digest-openssl.c
+index 02b1703..bb58ff2 100644
+--- a/digest-openssl.c
++++ b/digest-openssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: digest-openssl.c,v 1.4 2014/07/03 03:26:43 djm Exp $ */
+/* $OpenBSD: digest-openssl.c,v 1.5 2014/12/21 22:27:56 djm Exp $ */
@@ -201,9 +185,33 @@ diff -up openssh-6.7p1/digest-openssl.c.fingerprint openssh-6.7p1/digest-openssl
size_t
ssh_digest_bytes(int alg)
{
-diff -up openssh-6.7p1/dns.c.fingerprint openssh-6.7p1/dns.c
---- openssh-6.7p1/dns.c.fingerprint 2014-07-02 07:28:03.000000000 +0200
-+++ openssh-6.7p1/dns.c 2014-12-22 13:10:57.962878109 +0100
+diff --git a/digest.h b/digest.h
+index 6afb197..3fe0734 100644
+--- a/digest.h
++++ b/digest.h
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: digest.h,v 1.6 2014/07/03 04:36:45 djm Exp $ */
++/* $OpenBSD: digest.h,v 1.7 2014/12/21 22:27:56 djm Exp $ */
+ /*
+ * Copyright (c) 2013 Damien Miller <djm at mindrot.org>
+ *
+@@ -33,6 +33,12 @@
+ struct sshbuf;
+ struct ssh_digest_ctx;
+
++/* Looks up a digest algorithm by name */
++int ssh_digest_alg_by_name(const char *name);
++
++/* Returns the algorithm name for a digest identifier */
++const char *ssh_digest_alg_name(int alg);
++
+ /* Returns the algorithm's digest length in bytes or 0 for invalid algorithm */
+ size_t ssh_digest_bytes(int alg);
+
+diff --git a/dns.c b/dns.c
+index c4d073c..4b8ae44 100644
+--- a/dns.c
++++ b/dns.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dns.c,v 1.31 2014/06/24 01:13:21 djm Exp $ */
+/* $OpenBSD: dns.c,v 1.32 2014/12/21 22:27:56 djm Exp $ */
@@ -218,7 +226,7 @@ diff -up openssh-6.7p1/dns.c.fingerprint openssh-6.7p1/dns.c
static const char *errset_text[] = {
"success", /* 0 ERRSET_SUCCESS */
-@@ -80,7 +81,7 @@ dns_read_key(u_int8_t *algorithm, u_int8
+@@ -80,7 +81,7 @@ dns_read_key(u_int8_t *algorithm, u_int8_t *digest_type,
u_char **digest, u_int *digest_len, Key *key)
{
int success = 0;
@@ -227,7 +235,7 @@ diff -up openssh-6.7p1/dns.c.fingerprint openssh-6.7p1/dns.c
switch (key->type) {
case KEY_RSA:
-@@ -110,17 +111,17 @@ dns_read_key(u_int8_t *algorithm, u_int8
+@@ -110,17 +111,17 @@ dns_read_key(u_int8_t *algorithm, u_int8_t *digest_type,
switch (*digest_type) {
case SSHFP_HASH_SHA1:
@@ -248,9 +256,10 @@ diff -up openssh-6.7p1/dns.c.fingerprint openssh-6.7p1/dns.c
if (*digest == NULL)
fatal("dns_read_key: null from key_fingerprint_raw()");
success = 1;
-diff -up openssh-6.7p1/key.c.fingerprint openssh-6.7p1/key.c
---- openssh-6.7p1/key.c.fingerprint 2014-07-23 01:40:47.000000000 +0200
-+++ openssh-6.7p1/key.c 2014-12-22 13:10:57.962878109 +0100
+diff --git a/key.c b/key.c
+index 2060761..780be1c 100644
+--- a/key.c
++++ b/key.c
@@ -40,8 +40,7 @@ key_new_private(int type)
}
@@ -261,7 +270,7 @@ diff -up openssh-6.7p1/key.c.fingerprint openssh-6.7p1/key.c
{
u_char *ret = NULL;
size_t dlen;
-@@ -49,7 +48,7 @@ key_fingerprint_raw(const Key *k, enum f
+@@ -49,7 +48,7 @@ key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
if (dgst_raw_length != NULL)
*dgst_raw_length = 0;
@@ -270,9 +279,10 @@ diff -up openssh-6.7p1/key.c.fingerprint openssh-6.7p1/key.c
fatal("%s: %s", __func__, ssh_err(r));
if (dlen > INT_MAX)
fatal("%s: giant len %zu", __func__, dlen);
-diff -up openssh-6.7p1/key.h.fingerprint openssh-6.7p1/key.h
---- openssh-6.7p1/key.h.fingerprint 2014-08-21 02:48:41.000000000 +0200
-+++ openssh-6.7p1/key.h 2014-12-22 13:10:57.962878109 +0100
+diff --git a/key.h b/key.h
+index c6401a5..e1a3625 100644
+--- a/key.h
++++ b/key.h
@@ -67,7 +67,7 @@ void key_add_private(Key *);
Key *key_new_private(int);
void key_free(Key *);
@@ -282,9 +292,10 @@ diff -up openssh-6.7p1/key.h.fingerprint openssh-6.7p1/key.h
int key_write(const Key *, FILE *);
int key_read(Key *, char **);
-diff -up openssh-6.7p1/krl.c.fingerprint openssh-6.7p1/krl.c
---- openssh-6.7p1/krl.c.fingerprint 2014-12-22 13:10:57.962878109 +0100
-+++ openssh-6.7p1/krl.c 2014-12-22 13:24:45.969002948 +0100
+diff --git a/krl.c b/krl.c
+index eb31df9..4abed7e 100644
+--- a/krl.c
++++ b/krl.c
@@ -36,6 +36,7 @@
#include "misc.h"
#include "log.h"
@@ -293,7 +304,7 @@ diff -up openssh-6.7p1/krl.c.fingerprint openssh-6.7p1/krl.c
#include "krl.h"
-@@ -406,7 +407,7 @@ ssh_krl_revoke_key_sha1(struct ssh_krl *
+@@ -406,7 +407,7 @@ ssh_krl_revoke_key_sha1(struct ssh_krl *krl, const Key *key)
u_int len;
debug3("%s: revoke type %s by sha1", __func__, key_type(key));
@@ -302,7 +313,7 @@ diff -up openssh-6.7p1/krl.c.fingerprint openssh-6.7p1/krl.c
return -1;
return revoke_blob(&krl->revoked_sha1s, blob, len);
}
-@@ -1119,7 +1120,7 @@ is_key_revoked(struct ssh_krl *krl, cons
+@@ -1119,7 +1120,7 @@ is_key_revoked(struct ssh_krl *krl, const Key *key)
/* Check explicitly revoked hashes first */
memset(&rb, 0, sizeof(rb));
@@ -311,9 +322,10 @@ diff -up openssh-6.7p1/krl.c.fingerprint openssh-6.7p1/krl.c
return -1;
erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb);
free(rb.blob);
-diff -up openssh-6.7p1/readconf.c.fingerprint openssh-6.7p1/readconf.c
---- openssh-6.7p1/readconf.c.fingerprint 2014-07-18 06:11:26.000000000 +0200
-+++ openssh-6.7p1/readconf.c 2014-12-22 13:20:33.488879658 +0100
+diff --git a/readconf.c b/readconf.c
+index 7948ce1..3f5c58b 100644
+--- a/readconf.c
++++ b/readconf.c
@@ -56,6 +56,7 @@
#include "kex.h"
#include "mac.h"
@@ -338,17 +350,7 @@ diff -up openssh-6.7p1/readconf.c.fingerprint openssh-6.7p1/readconf.c
{ "ignoreunknown", oIgnoreUnknown },
{ NULL, oBadOption }
-@@ -1097,6 +1100,9 @@ parse_int:
- options->hostkeyalgorithms = xstrdup(arg);
- break;
-
-+ case oFingerprintHash:
-+ return ssh_digest_alg_name(val);
-+
- case oProtocol:
- intptr = &options->protocol;
- arg = strdelim(&s);
-@@ -1433,6 +1439,18 @@ parse_int:
+@@ -1433,6 +1436,18 @@ parse_int:
intptr = &options->fwd_opts.streamlocal_bind_unlink;
goto parse_flag;
@@ -367,7 +369,7 @@ diff -up openssh-6.7p1/readconf.c.fingerprint openssh-6.7p1/readconf.c
case oDeprecated:
debug("%s line %d: Deprecated option \"%s\"",
filename, linenum, keyword);
-@@ -1609,6 +1627,7 @@ initialize_options(Options * options)
+@@ -1609,6 +1624,7 @@ initialize_options(Options * options)
options->canonicalize_max_dots = -1;
options->canonicalize_fallback_local = -1;
options->canonicalize_hostname = -1;
@@ -375,7 +377,7 @@ diff -up openssh-6.7p1/readconf.c.fingerprint openssh-6.7p1/readconf.c
}
/*
-@@ -1786,6 +1805,9 @@ fill_default_options(Options * options)
+@@ -1786,6 +1802,9 @@ fill_default_options(Options * options)
options->canonicalize_fallback_local = 1;
if (options->canonicalize_hostname == -1)
options->canonicalize_hostname = SSH_CANONICALISE_NO;
@@ -385,9 +387,10 @@ diff -up openssh-6.7p1/readconf.c.fingerprint openssh-6.7p1/readconf.c
#define CLEAR_ON_NONE(v) \
do { \
if (option_clear_or_none(v)) { \
-diff -up openssh-6.7p1/readconf.h.fingerprint openssh-6.7p1/readconf.h
---- openssh-6.7p1/readconf.h.fingerprint 2014-12-22 13:10:57.963878106 +0100
-+++ openssh-6.7p1/readconf.h 2014-12-22 13:14:24.075162395 +0100
+diff --git a/readconf.h b/readconf.h
+index 0b9cb77..a028306 100644
+--- a/readconf.h
++++ b/readconf.h
@@ -144,6 +144,8 @@ typedef struct {
int num_permitted_cnames;
struct allowed_cname permitted_cnames[MAX_CANON_DOMAINS];
@@ -397,9 +400,299 @@ diff -up openssh-6.7p1/readconf.h.fingerprint openssh-6.7p1/readconf.h
char *ignored_unknown; /* Pattern list of unknown tokens to ignore */
} Options;
-diff -up openssh-6.7p1/servconf.c.fingerprint openssh-6.7p1/servconf.c
---- openssh-6.7p1/servconf.c.fingerprint 2014-07-18 06:11:26.000000000 +0200
-+++ openssh-6.7p1/servconf.c 2014-12-22 13:25:22.626875655 +0100
+diff --git a/regress/Makefile b/regress/Makefile
+index 3feb7a9..2905a0d 100644
+--- a/regress/Makefile
++++ b/regress/Makefile
+@@ -1,6 +1,6 @@
+-# $OpenBSD: Makefile,v 1.70 2014/06/24 01:14:17 djm Exp $
++# $OpenBSD: Makefile,v 1.71 2014/12/22 02:15:52 djm Exp $
+
+-REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t-exec
++REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t-exec
+ tests: $(REGRESS_TARGETS)
+
+ # Interop tests are not run by default
+@@ -119,7 +119,7 @@ t3:
+ ${TEST_SSH_SSHKEYGEN} -if $(OBJ)/t3.out | diff - ${.CURDIR}/rsa_openssh.pub
+
+ t4:
+- ${TEST_SSH_SSHKEYGEN} -lf ${.CURDIR}/rsa_openssh.pub |\
++ ${TEST_SSH_SSHKEYGEN} -E md5 -lf ${.CURDIR}/rsa_openssh.pub |\
+ awk '{print $$2}' | diff - ${.CURDIR}/t4.ok
+
+ t5:
+@@ -164,6 +164,10 @@ t10: $(OBJ)/t10.out
+ ${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t10.out > /dev/null
+ ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t10.out > /dev/null
+
++t11:
++ ${TEST_SSH_SSHKEYGEN} -E sha256 -lf ${.CURDIR}/rsa_openssh.pub |\
++ awk '{print $$2}' | diff - ${.CURDIR}/t11.ok
++
+ t-exec: ${LTESTS:=.sh}
+ @if [ "x$?" = "x" ]; then exit 0; fi; \
+ for TEST in ""$?; do \
+diff --git a/regress/t11.ok b/regress/t11.ok
+new file mode 100644
+index 0000000..1925bb4
+--- /dev/null
++++ b/regress/t11.ok
+@@ -0,0 +1 @@
++SHA256:4w1rnrek3klTJOTVhwuCIFd5k+pq9Bfo5KTxxb8BqbY
+diff --git a/regress/t4.ok b/regress/t4.ok
+index 8c4942b..4631ea8 100644
+--- a/regress/t4.ok
++++ b/regress/t4.ok
+@@ -1 +1 @@
+-3b:dd:44:e9:49:18:84:95:f1:e7:33:6b:9d:93:b1:36
++MD5:3b:dd:44:e9:49:18:84:95:f1:e7:33:6b:9d:93:b1:36
+diff --git a/regress/unittests/sshkey/test_file.c b/regress/unittests/sshkey/test_file.c
+index 764f7fb..9c38a7c 100644
+--- a/regress/unittests/sshkey/test_file.c
++++ b/regress/unittests/sshkey/test_file.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: test_file.c,v 1.1 2014/06/24 01:14:18 djm Exp $ */
++/* $OpenBSD: test_file.c,v 1.2 2014/12/22 02:15:52 djm Exp $ */
+ /*
+ * Regress test for sshkey.h key management API
+ *
+@@ -33,6 +33,7 @@
+ #include "authfile.h"
+ #include "sshkey.h"
+ #include "sshbuf.h"
++#include "digest.h"
+
+ #include "common.h"
+
+@@ -81,7 +82,7 @@ sshkey_file_tests(void)
+
+ TEST_START("RSA1 key hex fingerprint");
+ buf = load_text_file("rsa1_1.fp");
+- cp = sshkey_fingerprint(k1, SSH_FP_MD5, SSH_FP_HEX);
++ cp = sshkey_fingerprint(k1, SSH_DIGEST_MD5, SSH_FP_HEX);
+ ASSERT_PTR_NE(cp, NULL);
+ ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
+ sshbuf_free(buf);
+@@ -90,7 +91,7 @@ sshkey_file_tests(void)
+
+ TEST_START("RSA1 key bubblebabble fingerprint");
+ buf = load_text_file("rsa1_1.fp.bb");
+- cp = sshkey_fingerprint(k1, SSH_FP_SHA1, SSH_FP_BUBBLEBABBLE);
++ cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA1, SSH_FP_BUBBLEBABBLE);
+ ASSERT_PTR_NE(cp, NULL);
+ ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
+ sshbuf_free(buf);
+@@ -164,7 +165,7 @@ sshkey_file_tests(void)
+
+ TEST_START("RSA key hex fingerprint");
+ buf = load_text_file("rsa_1.fp");
+- cp = sshkey_fingerprint(k1, SSH_FP_MD5, SSH_FP_HEX);
++ cp = sshkey_fingerprint(k1, SSH_DIGEST_MD5, SSH_FP_HEX);
+ ASSERT_PTR_NE(cp, NULL);
+ ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
+ sshbuf_free(buf);
+@@ -173,7 +174,7 @@ sshkey_file_tests(void)
+
+ TEST_START("RSA cert hex fingerprint");
+ buf = load_text_file("rsa_1-cert.fp");
+- cp = sshkey_fingerprint(k2, SSH_FP_MD5, SSH_FP_HEX);
++ cp = sshkey_fingerprint(k2, SSH_DIGEST_MD5, SSH_FP_HEX);
+ ASSERT_PTR_NE(cp, NULL);
+ ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
+ sshbuf_free(buf);
+@@ -183,7 +184,7 @@ sshkey_file_tests(void)
+
+ TEST_START("RSA key bubblebabble fingerprint");
+ buf = load_text_file("rsa_1.fp.bb");
+- cp = sshkey_fingerprint(k1, SSH_FP_SHA1, SSH_FP_BUBBLEBABBLE);
++ cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA1, SSH_FP_BUBBLEBABBLE);
+ ASSERT_PTR_NE(cp, NULL);
+ ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
+ sshbuf_free(buf);
+@@ -257,7 +258,7 @@ sshkey_file_tests(void)
+
+ TEST_START("DSA key hex fingerprint");
+ buf = load_text_file("dsa_1.fp");
+- cp = sshkey_fingerprint(k1, SSH_FP_MD5, SSH_FP_HEX);
++ cp = sshkey_fingerprint(k1, SSH_DIGEST_MD5, SSH_FP_HEX);
+ ASSERT_PTR_NE(cp, NULL);
+ ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
+ sshbuf_free(buf);
+@@ -266,7 +267,7 @@ sshkey_file_tests(void)
+
+ TEST_START("DSA cert hex fingerprint");
+ buf = load_text_file("dsa_1-cert.fp");
+- cp = sshkey_fingerprint(k2, SSH_FP_MD5, SSH_FP_HEX);
++ cp = sshkey_fingerprint(k2, SSH_DIGEST_MD5, SSH_FP_HEX);
+ ASSERT_PTR_NE(cp, NULL);
+ ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
+ sshbuf_free(buf);
+@@ -276,7 +277,7 @@ sshkey_file_tests(void)
+
+ TEST_START("DSA key bubblebabble fingerprint");
+ buf = load_text_file("dsa_1.fp.bb");
+- cp = sshkey_fingerprint(k1, SSH_FP_SHA1, SSH_FP_BUBBLEBABBLE);
++ cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA1, SSH_FP_BUBBLEBABBLE);
+ ASSERT_PTR_NE(cp, NULL);
+ ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
+ sshbuf_free(buf);
+@@ -357,7 +358,7 @@ sshkey_file_tests(void)
+
+ TEST_START("ECDSA key hex fingerprint");
+ buf = load_text_file("ecdsa_1.fp");
+- cp = sshkey_fingerprint(k1, SSH_FP_MD5, SSH_FP_HEX);
++ cp = sshkey_fingerprint(k1, SSH_DIGEST_MD5, SSH_FP_HEX);
+ ASSERT_PTR_NE(cp, NULL);
+ ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
+ sshbuf_free(buf);
+@@ -366,7 +367,7 @@ sshkey_file_tests(void)
+
+ TEST_START("ECDSA cert hex fingerprint");
+ buf = load_text_file("ecdsa_1-cert.fp");
+- cp = sshkey_fingerprint(k2, SSH_FP_MD5, SSH_FP_HEX);
++ cp = sshkey_fingerprint(k2, SSH_DIGEST_MD5, SSH_FP_HEX);
+ ASSERT_PTR_NE(cp, NULL);
+ ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
+ sshbuf_free(buf);
+@@ -376,7 +377,7 @@ sshkey_file_tests(void)
+
+ TEST_START("ECDSA key bubblebabble fingerprint");
+ buf = load_text_file("ecdsa_1.fp.bb");
+- cp = sshkey_fingerprint(k1, SSH_FP_SHA1, SSH_FP_BUBBLEBABBLE);
++ cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA1, SSH_FP_BUBBLEBABBLE);
+ ASSERT_PTR_NE(cp, NULL);
+ ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
+ sshbuf_free(buf);
+@@ -424,7 +425,7 @@ sshkey_file_tests(void)
+
+ TEST_START("Ed25519 key hex fingerprint");
+ buf = load_text_file("ed25519_1.fp");
+- cp = sshkey_fingerprint(k1, SSH_FP_MD5, SSH_FP_HEX);
++ cp = sshkey_fingerprint(k1, SSH_DIGEST_MD5, SSH_FP_HEX);
+ ASSERT_PTR_NE(cp, NULL);
+ ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
+ sshbuf_free(buf);
+@@ -433,7 +434,7 @@ sshkey_file_tests(void)
+
+ TEST_START("Ed25519 cert hex fingerprint");
+ buf = load_text_file("ed25519_1-cert.fp");
+- cp = sshkey_fingerprint(k2, SSH_FP_MD5, SSH_FP_HEX);
++ cp = sshkey_fingerprint(k2, SSH_DIGEST_MD5, SSH_FP_HEX);
+ ASSERT_PTR_NE(cp, NULL);
+ ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
+ sshbuf_free(buf);
+@@ -443,7 +444,7 @@ sshkey_file_tests(void)
+
+ TEST_START("Ed25519 key bubblebabble fingerprint");
+ buf = load_text_file("ed25519_1.fp.bb");
+- cp = sshkey_fingerprint(k1, SSH_FP_SHA1, SSH_FP_BUBBLEBABBLE);
++ cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA1, SSH_FP_BUBBLEBABBLE);
+ ASSERT_PTR_NE(cp, NULL);
+ ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
+ sshbuf_free(buf);
+diff --git a/regress/unittests/sshkey/testdata/dsa_1-cert.fp b/regress/unittests/sshkey/testdata/dsa_1-cert.fp
+index 56ee1f8..b26145b 100644
+--- a/regress/unittests/sshkey/testdata/dsa_1-cert.fp
++++ b/regress/unittests/sshkey/testdata/dsa_1-cert.fp
+@@ -1 +1 @@
+-5a:4a:41:8c:4e:fa:4c:52:19:f9:39:49:31:fb:fd:74
++MD5:5a:4a:41:8c:4e:fa:4c:52:19:f9:39:49:31:fb:fd:74
+diff --git a/regress/unittests/sshkey/testdata/dsa_1.fp b/regress/unittests/sshkey/testdata/dsa_1.fp
+index 56ee1f8..b26145b 100644
+--- a/regress/unittests/sshkey/testdata/dsa_1.fp
++++ b/regress/unittests/sshkey/testdata/dsa_1.fp
+@@ -1 +1 @@
+-5a:4a:41:8c:4e:fa:4c:52:19:f9:39:49:31:fb:fd:74
++MD5:5a:4a:41:8c:4e:fa:4c:52:19:f9:39:49:31:fb:fd:74
+diff --git a/regress/unittests/sshkey/testdata/dsa_2.fp b/regress/unittests/sshkey/testdata/dsa_2.fp
+index ba9de82..8226574 100644
+--- a/regress/unittests/sshkey/testdata/dsa_2.fp
++++ b/regress/unittests/sshkey/testdata/dsa_2.fp
+@@ -1 +1 @@
+-72:5f:50:6b:e5:64:c5:62:21:92:3f:8b:10:9b:9f:1a
++MD5:72:5f:50:6b:e5:64:c5:62:21:92:3f:8b:10:9b:9f:1a
+diff --git a/regress/unittests/sshkey/testdata/ecdsa_1-cert.fp b/regress/unittests/sshkey/testdata/ecdsa_1-cert.fp
+index a56dbc8..c3d747a 100644
+--- a/regress/unittests/sshkey/testdata/ecdsa_1-cert.fp
++++ b/regress/unittests/sshkey/testdata/ecdsa_1-cert.fp
+@@ -1 +1 @@
+-f7:be:4c:02:65:ed:4c:11:af:ab:a8:dd:0a:92:e7:44
++MD5:f7:be:4c:02:65:ed:4c:11:af:ab:a8:dd:0a:92:e7:44
+diff --git a/regress/unittests/sshkey/testdata/ecdsa_1.fp b/regress/unittests/sshkey/testdata/ecdsa_1.fp
+index a56dbc8..c3d747a 100644
+--- a/regress/unittests/sshkey/testdata/ecdsa_1.fp
++++ b/regress/unittests/sshkey/testdata/ecdsa_1.fp
+@@ -1 +1 @@
+-f7:be:4c:02:65:ed:4c:11:af:ab:a8:dd:0a:92:e7:44
++MD5:f7:be:4c:02:65:ed:4c:11:af:ab:a8:dd:0a:92:e7:44
+diff --git a/regress/unittests/sshkey/testdata/ecdsa_2.fp b/regress/unittests/sshkey/testdata/ecdsa_2.fp
+index eb4bbdf..fe7526b 100644
+--- a/regress/unittests/sshkey/testdata/ecdsa_2.fp
++++ b/regress/unittests/sshkey/testdata/ecdsa_2.fp
+@@ -1 +1 @@
+-51:bd:ff:2b:6d:26:9b:90:f9:e1:4a:ca:a0:29:8e:70
++MD5:51:bd:ff:2b:6d:26:9b:90:f9:e1:4a:ca:a0:29:8e:70
+diff --git a/regress/unittests/sshkey/testdata/ed25519_1-cert.fp b/regress/unittests/sshkey/testdata/ed25519_1-cert.fp
+index e6d23d0..fbde87a 100644
+--- a/regress/unittests/sshkey/testdata/ed25519_1-cert.fp
++++ b/regress/unittests/sshkey/testdata/ed25519_1-cert.fp
+@@ -1 +1 @@
+-19:08:8e:7e:4d:e5:de:86:2a:09:47:65:eb:0a:51:2f
++MD5:19:08:8e:7e:4d:e5:de:86:2a:09:47:65:eb:0a:51:2f
+diff --git a/regress/unittests/sshkey/testdata/ed25519_1.fp b/regress/unittests/sshkey/testdata/ed25519_1.fp
+index e6d23d0..fbde87a 100644
+--- a/regress/unittests/sshkey/testdata/ed25519_1.fp
++++ b/regress/unittests/sshkey/testdata/ed25519_1.fp
+@@ -1 +1 @@
+-19:08:8e:7e:4d:e5:de:86:2a:09:47:65:eb:0a:51:2f
++MD5:19:08:8e:7e:4d:e5:de:86:2a:09:47:65:eb:0a:51:2f
+diff --git a/regress/unittests/sshkey/testdata/ed25519_2.fp b/regress/unittests/sshkey/testdata/ed25519_2.fp
+index 02c684f..ec1cdbb 100644
+--- a/regress/unittests/sshkey/testdata/ed25519_2.fp
++++ b/regress/unittests/sshkey/testdata/ed25519_2.fp
+@@ -1 +1 @@
+-5c:c9:ae:a3:0c:aa:28:29:b8:fc:7c:64:ba:6e:e9:c9
++MD5:5c:c9:ae:a3:0c:aa:28:29:b8:fc:7c:64:ba:6e:e9:c9
+diff --git a/regress/unittests/sshkey/testdata/rsa1_1.fp b/regress/unittests/sshkey/testdata/rsa1_1.fp
+index 782ece0..2e1068c 100644
+--- a/regress/unittests/sshkey/testdata/rsa1_1.fp
++++ b/regress/unittests/sshkey/testdata/rsa1_1.fp
+@@ -1 +1 @@
+-a8:82:9b:98:c5:e6:19:d6:83:39:9f:4d:3a:8f:7c:80
++MD5:a8:82:9b:98:c5:e6:19:d6:83:39:9f:4d:3a:8f:7c:80
+diff --git a/regress/unittests/sshkey/testdata/rsa1_2.fp b/regress/unittests/sshkey/testdata/rsa1_2.fp
+index c332537..cd00393 100644
+--- a/regress/unittests/sshkey/testdata/rsa1_2.fp
++++ b/regress/unittests/sshkey/testdata/rsa1_2.fp
+@@ -1 +1 @@
+-c0:83:1c:97:5f:32:77:7e:e4:e3:e9:29:b9:eb:76:9c
++MD5:c0:83:1c:97:5f:32:77:7e:e4:e3:e9:29:b9:eb:76:9c
+diff --git a/regress/unittests/sshkey/testdata/rsa_1-cert.fp b/regress/unittests/sshkey/testdata/rsa_1-cert.fp
+index bf9c2e3..1cf780d 100644
+--- a/regress/unittests/sshkey/testdata/rsa_1-cert.fp
++++ b/regress/unittests/sshkey/testdata/rsa_1-cert.fp
+@@ -1 +1 @@
+-be:27:4c:16:27:f5:04:03:62:a8:b7:91:df:a5:b1:3b
++MD5:be:27:4c:16:27:f5:04:03:62:a8:b7:91:df:a5:b1:3b
+diff --git a/regress/unittests/sshkey/testdata/rsa_1.fp b/regress/unittests/sshkey/testdata/rsa_1.fp
+index bf9c2e3..1cf780d 100644
+--- a/regress/unittests/sshkey/testdata/rsa_1.fp
++++ b/regress/unittests/sshkey/testdata/rsa_1.fp
+@@ -1 +1 @@
+-be:27:4c:16:27:f5:04:03:62:a8:b7:91:df:a5:b1:3b
++MD5:be:27:4c:16:27:f5:04:03:62:a8:b7:91:df:a5:b1:3b
+diff --git a/regress/unittests/sshkey/testdata/rsa_2.fp b/regress/unittests/sshkey/testdata/rsa_2.fp
+index 53939f4..8d43676 100644
+--- a/regress/unittests/sshkey/testdata/rsa_2.fp
++++ b/regress/unittests/sshkey/testdata/rsa_2.fp
+@@ -1 +1 @@
+-fb:8f:7b:26:3d:42:40:ef:ed:f1:ed:ee:66:9e:ba:b0
++MD5:fb:8f:7b:26:3d:42:40:ef:ed:f1:ed:ee:66:9e:ba:b0
+diff --git a/servconf.c b/servconf.c
+index b7f3294..e3ebaac 100644
+--- a/servconf.c
++++ b/servconf.c
@@ -54,6 +54,7 @@
#include "packet.h"
#include "hostfile.h"
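Review bot: The `regress/unittests/sshkey/test_file.c` part of this hunk only re-pins the existing expectations (`SSH_DIGEST_MD5` with `SSH_FP_HEX`, `SSH_DIGEST_SHA1` with `SSH_FP_BUBBLEBABBLE`), so the unit tests never exercise a SHA-256 fingerprint. The only SHA-256 check added is the `t11` target in `regress/Makefile`, which covers a single RSA public key through `ssh-keygen -E sha256`. The authentication paths touched elsewhere in this patch (for example `auth_key_is_revoked` and `rsa_key_allowed_in_file`) now format fingerprints from `options.fingerprint_hash` with `SSH_FP_DEFAULT`, so that output format deserves a pinned expectation for every key type. Each `TEST_START("... key hex fingerprint")` block could get a sibling that calls `cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA256, SSH_FP_DEFAULT);` and compares the result against a new testdata file generated for that key. `sshkey_file_tests` begins and ends outside the lines shown here, so confirm against the full file that `k1` is still live at each insertion point.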
@@ -408,7 +701,7 @@ diff -up openssh-6.7p1/servconf.c.fingerprint openssh-6.7p1/servconf.c
static void add_listen_addr(ServerOptions *, char *, int);
static void add_one_listen_addr(ServerOptions *, char *, int);
-@@ -157,6 +158,7 @@ initialize_server_options(ServerOptions
+@@ -157,6 +158,7 @@ initialize_server_options(ServerOptions *options)
options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1;
options->version_addendum = NULL;
@@ -416,7 +709,7 @@ diff -up openssh-6.7p1/servconf.c.fingerprint openssh-6.7p1/servconf.c
}
void
-@@ -312,6 +314,8 @@ fill_default_server_options(ServerOption
+@@ -312,6 +314,8 @@ fill_default_server_options(ServerOptions *options)
options->fwd_opts.streamlocal_bind_mask = 0177;
if (options->fwd_opts.streamlocal_bind_unlink == -1)
options->fwd_opts.streamlocal_bind_unlink = 0;
@@ -442,7 +735,7 @@ diff -up openssh-6.7p1/servconf.c.fingerprint openssh-6.7p1/servconf.c
{ NULL, sBadOption, 0 }
};
-@@ -1663,6 +1668,18 @@ process_server_config_line(ServerOptions
+@@ -1663,6 +1668,18 @@ process_server_config_line(ServerOptions *options, char *line,
intptr = &options->fwd_opts.streamlocal_bind_unlink;
goto parse_flag;
@@ -478,9 +771,10 @@ diff -up openssh-6.7p1/servconf.c.fingerprint openssh-6.7p1/servconf.c
/* string arguments */
dump_cfg_string(sPidFile, o->pid_file);
-diff -up openssh-6.7p1/servconf.h.fingerprint openssh-6.7p1/servconf.h
---- openssh-6.7p1/servconf.h.fingerprint 2014-07-18 06:11:26.000000000 +0200
-+++ openssh-6.7p1/servconf.h 2014-12-22 13:10:57.964878102 +0100
+diff --git a/servconf.h b/servconf.h
+index 766db3a..49b228b 100644
+--- a/servconf.h
++++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.114 2014/07/15 15:54:14 millert Exp $ */
+/* $OpenBSD: servconf.h,v 1.115 2014/12/21 22:27:56 djm Exp $ */
@@ -496,21 +790,10 @@ diff -up openssh-6.7p1/servconf.h.fingerprint openssh-6.7p1/servconf.h
} ServerOptions;
/* Information about the incoming connection as used by Match */
-diff -up openssh-6.7p1/ssh.1.fingerprint openssh-6.7p1/ssh.1
---- openssh-6.7p1/ssh.1.fingerprint 2014-07-30 04:32:28.000000000 +0200
-+++ openssh-6.7p1/ssh.1 2014-12-22 13:10:57.967878092 +0100
-@@ -1083,7 +1083,7 @@ Fingerprints can be determined using
- If the fingerprint is already known, it can be matched
- and the key can be accepted or rejected.
- Because of the difficulty of comparing host keys
--just by looking at hex strings,
-+just by looking at fingerprint strings,
- there is also support to compare host keys visually,
- using
- .Em random art .
-diff -up openssh-6.7p1/ssh-add.1.fingerprint openssh-6.7p1/ssh-add.1
---- openssh-6.7p1/ssh-add.1.fingerprint 2013-12-18 07:46:28.000000000 +0100
-+++ openssh-6.7p1/ssh-add.1 2014-12-22 13:10:57.964878102 +0100
+diff --git a/ssh-add.1 b/ssh-add.1
+index 4812448..04d1840 100644
+--- a/ssh-add.1
++++ b/ssh-add.1
@@ -44,6 +44,7 @@
.Sh SYNOPSIS
.Nm ssh-add
@@ -519,7 +802,7 @@ diff -up openssh-6.7p1/ssh-add.1.fingerprint openssh-6.7p1/ssh-add.1
.Op Fl t Ar life
.Op Ar
.Nm ssh-add
-@@ -108,6 +109,14 @@ If no public key is found at a given pat
+@@ -108,6 +109,14 @@ If no public key is found at a given path,
will append
.Pa .pub
and retry.
@@ -534,9 +817,10 @@ diff -up openssh-6.7p1/ssh-add.1.fingerprint openssh-6.7p1/ssh-add.1
.It Fl e Ar pkcs11
Remove keys provided by the PKCS#11 shared library
.Ar pkcs11 .
-diff -up openssh-6.7p1/ssh-add.c.fingerprint openssh-6.7p1/ssh-add.c
---- openssh-6.7p1/ssh-add.c.fingerprint 2014-07-11 01:19:05.000000000 +0200
-+++ openssh-6.7p1/ssh-add.c 2014-12-22 13:10:57.965878099 +0100
+diff --git a/ssh-add.c b/ssh-add.c
+index 78a3359..5d6a5f4 100644
+--- a/ssh-add.c
++++ b/ssh-add.c
@@ -63,6 +63,7 @@
#include "pathnames.h"
#include "misc.h"
@@ -554,7 +838,7 @@ diff -up openssh-6.7p1/ssh-add.c.fingerprint openssh-6.7p1/ssh-add.c
/* Default lifetime (0 == forever) */
static int lifetime = 0;
-@@ -340,8 +343,8 @@ list_identities(AuthenticationConnection
+@@ -340,8 +343,8 @@ list_identities(AuthenticationConnection *ac, int do_fp)
key = ssh_get_next_identity(ac, &comment, version)) {
had_identities = 1;
if (do_fp) {
@@ -653,9 +937,10 @@ diff -up openssh-6.7p1/ssh-add.c.fingerprint openssh-6.7p1/ssh-add.c
argc -= optind;
argv += optind;
if (pkcs11provider != NULL) {
-diff -up openssh-6.7p1/ssh-agent.1.fingerprint openssh-6.7p1/ssh-agent.1
---- openssh-6.7p1/ssh-agent.1.fingerprint 2014-04-20 05:25:09.000000000 +0200
-+++ openssh-6.7p1/ssh-agent.1 2014-12-22 13:10:57.965878099 +0100
+diff --git a/ssh-agent.1 b/ssh-agent.1
+index a1e634f..d7e791b 100644
+--- a/ssh-agent.1
++++ b/ssh-agent.1
@@ -45,6 +45,7 @@
.Op Fl c | s
.Op Fl d
@@ -679,9 +964,10 @@ diff -up openssh-6.7p1/ssh-agent.1.fingerprint openssh-6.7p1/ssh-agent.1
.It Fl k
Kill the current agent (given by the
.Ev SSH_AGENT_PID
-diff -up openssh-6.7p1/ssh-agent.c.fingerprint openssh-6.7p1/ssh-agent.c
---- openssh-6.7p1/ssh-agent.c.fingerprint 2014-07-30 04:32:46.000000000 +0200
-+++ openssh-6.7p1/ssh-agent.c 2014-12-22 13:10:57.965878099 +0100
+diff --git a/ssh-agent.c b/ssh-agent.c
+index 25f10c5..c8036c8 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
@@ -142,6 +142,8 @@ extern char *__progname;
/* Default lifetime in seconds (0 == forever) */
static long lifetime = 0;
@@ -724,141 +1010,359 @@ diff -up openssh-6.7p1/ssh-agent.c.fingerprint openssh-6.7p1/ssh-agent.c
case 'c':
if (s_flag)
usage();
-diff -up openssh-6.7p1/sshconnect2.c.fingerprint openssh-6.7p1/sshconnect2.c
---- openssh-6.7p1/sshconnect2.c.fingerprint 2014-07-18 06:11:27.000000000 +0200
-+++ openssh-6.7p1/sshconnect2.c 2014-12-22 13:10:57.968878088 +0100
-@@ -582,7 +582,7 @@ input_userauth_pk_ok(int type, u_int32_t
- key->type, pktype);
- goto done;
- }
-- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-+ fp = key_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT);
- debug2("input_userauth_pk_ok: fp %s", fp);
- free(fp);
-
-@@ -991,7 +991,7 @@ sign_and_send_pubkey(Authctxt *authctxt,
- int have_sig = 1;
- char *fp;
-
-- fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
-+ fp = key_fingerprint(id->key, options.fingerprint_hash, SSH_FP_DEFAULT);
- debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
- free(fp);
-
-diff -up openssh-6.7p1/sshconnect.c.fingerprint openssh-6.7p1/sshconnect.c
---- openssh-6.7p1/sshconnect.c.fingerprint 2014-07-18 06:11:26.000000000 +0200
-+++ openssh-6.7p1/sshconnect.c 2014-12-22 13:15:28.371939131 +0100
-@@ -915,9 +915,10 @@ check_host_key(char *hostname, struct so
- "key for IP address '%.128s' to the list "
- "of known hosts.", type, ip);
- } else if (options.visual_host_key) {
-- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
-- ra = key_fingerprint(host_key, SSH_FP_MD5,
-- SSH_FP_RANDOMART);
-+ fp = key_fingerprint(host_key,
-+ options.fingerprint_hash, SSH_FP_DEFAULT);
-+ ra = key_fingerprint(host_key,
-+ options.fingerprint_hash, SSH_FP_RANDOMART);
- logit("Host key fingerprint is %s\n%s\n", fp, ra);
- free(ra);
- free(fp);
-@@ -956,9 +957,10 @@ check_host_key(char *hostname, struct so
- else
- snprintf(msg1, sizeof(msg1), ".");
- /* The default */
-- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
-- ra = key_fingerprint(host_key, SSH_FP_MD5,
-- SSH_FP_RANDOMART);
-+ fp = key_fingerprint(host_key,
-+ options.fingerprint_hash, SSH_FP_DEFAULT);
-+ ra = key_fingerprint(host_key,
-+ options.fingerprint_hash, SSH_FP_RANDOMART);
- msg2[0] = '\0';
- if (options.verify_host_key_dns) {
- if (matching_host_key_dns)
-@@ -1222,7 +1224,7 @@ verify_host_key(char *host, struct socka
- char *fp;
- Key *plain = NULL;
-
-- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
-+ fp = key_fingerprint(host_key, options.fingerprint_hash, SSH_FP_DEFAULT);
- debug("Server host key: %s %s", key_type(host_key), fp);
- free(fp);
-
-@@ -1356,8 +1358,10 @@ show_other_keys(struct hostkeys *hostkey
- continue;
- if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
- continue;
-- fp = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_HEX);
-- ra = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_RANDOMART);
-+ fp = key_fingerprint(found->key,
-+ options.fingerprint_hash, SSH_FP_DEFAULT);
-+ ra = key_fingerprint(found->key,
-+ options.fingerprint_hash, SSH_FP_RANDOMART);
- logit("WARNING: %s key found for host %s\n"
- "in %s:%lu\n"
- "%s key fingerprint %s.",
-@@ -1378,7 +1382,8 @@ warn_changed_key(Key *host_key)
- {
- char *fp;
-
-- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
-+ fp = key_fingerprint(host_key, options.fingerprint_hash,
-+ SSH_FP_DEFAULT);
-
- error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
- error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
-diff -up openssh-6.7p1/sshd_config.5.fingerprint openssh-6.7p1/sshd_config.5
---- openssh-6.7p1/sshd_config.5.fingerprint 2014-10-03 01:24:57.000000000 +0200
-+++ openssh-6.7p1/sshd_config.5 2014-12-22 13:10:57.968878088 +0100
-@@ -483,6 +483,15 @@ and finally
- See PATTERNS in
- .Xr ssh_config 5
- for more information on patterns.
-+.It Cm FingerprintHash
-+Specifies the hash algorithm used when logging key fingerprints.
+diff --git a/ssh-keygen.1 b/ssh-keygen.1
+index 723a016..276dacc 100644
+--- a/ssh-keygen.1
++++ b/ssh-keygen.1
+@@ -73,6 +73,7 @@
+ .Op Fl f Ar keyfile
+ .Nm ssh-keygen
+ .Fl l
++.Op Fl E Ar fingerprint_hash
+ .Op Fl f Ar input_keyfile
+ .Nm ssh-keygen
+ .Fl B
+@@ -269,6 +270,14 @@ When used in combination with
+ this option indicates that a CA key resides in a PKCS#11 token (see the
+ .Sx CERTIFICATES
+ section for details).
++.It Fl E Ar fingerprint_hash
++Specifies the hash algorithm used when displaying key fingerprints.
+Valid options are:
+.Dq md5
+and
+.Dq sha256 .
+The default is
+.Dq sha256 .
-+.Pp
- .It Cm ForceCommand
- Forces the execution of the command specified by
- .Cm ForceCommand ,
-diff -up openssh-6.7p1/sshkey.c.fingerprint openssh-6.7p1/sshkey.c
---- openssh-6.7p1/sshkey.c.fingerprint 2014-07-21 17:07:11.000000000 +0200
-+++ openssh-6.7p1/sshkey.c 2014-12-22 13:10:57.969878085 +0100
-@@ -29,6 +29,7 @@
+ .It Fl e
+ This option will read a private or public OpenSSH key file and
+ print to stdout the key in one of the formats specified by the
+diff --git a/ssh-keygen.c b/ssh-keygen.c
+index 23058ee..64fa217 100644
+--- a/ssh-keygen.c
++++ b/ssh-keygen.c
+@@ -53,6 +53,7 @@
+ #include "ssh-pkcs11.h"
+ #include "atomicio.h"
+ #include "krl.h"
++#include "digest.h"
- #include <sys/param.h>
- #include <sys/types.h>
-+#include <netinet/in.h>
+ /* Number of bits in the RSA/DSA key. This value can be set on the command line. */
+ #define DEFAULT_BITS 2048
+@@ -90,6 +91,9 @@ int show_cert = 0;
+ int print_fingerprint = 0;
+ int print_bubblebabble = 0;
- #include <openssl/evp.h>
- #include <openssl/err.h>
-@@ -852,29 +853,18 @@ sshkey_plain_to_blob(const struct sshkey
- }
++/* Hash algorithm to use for fingerprints. */
++int fingerprint_hash = SSH_FP_HASH_DEFAULT;
++
+ /* The identity file name, given on the command line or entered by the user. */
+ char identity_file[1024];
+ int have_identity = 0;
+@@ -749,11 +753,11 @@ do_download(struct passwd *pw)
+ Key **keys = NULL;
+ int i, nkeys;
+ enum fp_rep rep;
+- enum fp_type fptype;
++ int fptype;
+ char *fp, *ra;
- int
--sshkey_fingerprint_raw(const struct sshkey *k, enum sshkey_fp_type dgst_type,
-+sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg,
- u_char **retp, size_t *lenp)
- {
- u_char *blob = NULL, *ret = NULL;
- size_t blob_len = 0;
-- int hash_alg = -1, r = SSH_ERR_INTERNAL_ERROR;
-+ int r = SSH_ERR_INTERNAL_ERROR;
+- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
+- rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
++ fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash;
++ rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT;
- if (retp != NULL)
- *retp = NULL;
- if (lenp != NULL)
- *lenp = 0;
--
-- switch (dgst_type) {
-- case SSH_FP_MD5:
-- hash_alg = SSH_DIGEST_MD5;
+ pkcs11_init(0);
+ nkeys = pkcs11_add_provider(pkcs11provider, NULL, &keys);
+@@ -762,7 +766,7 @@ do_download(struct passwd *pw)
+ for (i = 0; i < nkeys; i++) {
+ if (print_fingerprint) {
+ fp = key_fingerprint(keys[i], fptype, rep);
+- ra = key_fingerprint(keys[i], SSH_FP_MD5,
++ ra = key_fingerprint(keys[i], fingerprint_hash,
+ SSH_FP_RANDOMART);
+ printf("%u %s %s (PKCS11 key)\n", key_size(keys[i]),
+ fp, key_type(keys[i]));
+@@ -792,12 +796,11 @@ do_fingerprint(struct passwd *pw)
+ char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra;
+ int i, skip = 0, num = 0, invalid = 1;
+ enum fp_rep rep;
+- enum fp_type fptype;
++ int fptype;
+ struct stat st;
+
+- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
+- rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
+-
++ fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash;
++ rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT;
+ if (!have_identity)
+ ask_filename(pw, "Enter file in which the key is");
+ if (stat(identity_file, &st) < 0) {
+@@ -807,7 +810,8 @@ do_fingerprint(struct passwd *pw)
+ public = key_load_public(identity_file, &comment);
+ if (public != NULL) {
+ fp = key_fingerprint(public, fptype, rep);
+- ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
++ ra = key_fingerprint(public, fingerprint_hash,
++ SSH_FP_RANDOMART);
+ printf("%u %s %s (%s)\n", key_size(public), fp, comment,
+ key_type(public));
+ if (log_level >= SYSLOG_LEVEL_VERBOSE)
+@@ -873,7 +877,8 @@ do_fingerprint(struct passwd *pw)
+ }
+ comment = *cp ? cp : comment;
+ fp = key_fingerprint(public, fptype, rep);
+- ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
++ ra = key_fingerprint(public, fingerprint_hash,
++ SSH_FP_RANDOMART);
+ printf("%u %s %s (%s)\n", key_size(public), fp,
+ comment ? comment : "no comment", key_type(public));
+ if (log_level >= SYSLOG_LEVEL_VERBOSE)
+@@ -991,13 +996,15 @@ printhost(FILE *f, const char *name, Key *public, int ca, int revoked, int hash)
+ {
+ if (print_fingerprint) {
+ enum fp_rep rep;
+- enum fp_type fptype;
++ int fptype;
+ char *fp, *ra;
+
+- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
+- rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
++ fptype = print_bubblebabble ?
++ SSH_DIGEST_SHA1 : fingerprint_hash;
++ rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT;
+ fp = key_fingerprint(public, fptype, rep);
+- ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
++ ra = key_fingerprint(public, fingerprint_hash,
++ SSH_FP_RANDOMART);
+ printf("%u %s %s (%s)\n", key_size(public), fp, name,
+ key_type(public));
+ if (log_level >= SYSLOG_LEVEL_VERBOSE)
+@@ -1906,9 +1913,9 @@ do_show_cert(struct passwd *pw)
+ fatal("%s is not a certificate", identity_file);
+ v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00;
+
+- key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
++ key_fp = key_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT);
+ ca_fp = key_fingerprint(key->cert->signature_key,
+- SSH_FP_MD5, SSH_FP_HEX);
++ fingerprint_hash, SSH_FP_DEFAULT);
+
+ printf("%s:\n", identity_file);
+ printf(" Type: %s %s certificate\n", key_ssh_name(key),
+@@ -2187,7 +2194,7 @@ usage(void)
+ " ssh-keygen -e [-m key_format] [-f input_keyfile]\n"
+ " ssh-keygen -y [-f input_keyfile]\n"
+ " ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]\n"
+- " ssh-keygen -l [-f input_keyfile]\n"
++ " ssh-keygen -l [-E fingerprint_hash] [-f input_keyfile]\n"
+ " ssh-keygen -B [-f input_keyfile]\n");
+ #ifdef ENABLE_PKCS11
+ fprintf(stderr,
+@@ -2256,9 +2263,10 @@ main(int argc, char **argv)
+ exit(1);
+ }
+
+- /* Remaining characters: EUYdw */
++ /* Remaining characters: UYdw */
+ while ((opt = getopt(argc, argv, "ABHLQXceghiklopquvxy"
+- "C:D:F:G:I:J:K:M:N:O:P:R:S:T:V:W:Z:a:b:f:g:j:m:n:r:s:t:z:")) != -1) {
++ "C:D:E:F:G:I:J:K:M:N:O:P:R:S:T:V:W:Z:"
++ "a:b:f:g:j:m:n:r:s:t:z:")) != -1) {
+ switch (opt) {
+ case 'A':
+ gen_all_hostkeys = 1;
+@@ -2269,6 +2277,11 @@ main(int argc, char **argv)
+ fatal("Bits has bad value %s (%s)",
+ optarg, errstr);
+ break;
++ case 'E':
++ fingerprint_hash = ssh_digest_alg_by_name(optarg);
++ if (fingerprint_hash == -1)
++ fatal("Invalid hash algorithm \"%s\"", optarg);
++ break;
+ case 'F':
+ find_host = 1;
+ rr_hostname = optarg;
+@@ -2700,8 +2713,9 @@ passphrase_again:
+ fclose(f);
+
+ if (!quiet) {
+- char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX);
+- char *ra = key_fingerprint(public, SSH_FP_MD5,
++ char *fp = key_fingerprint(public, fingerprint_hash,
++ SSH_FP_DEFAULT);
++ char *ra = key_fingerprint(public, fingerprint_hash,
+ SSH_FP_RANDOMART);
+ printf("Your public key has been saved in %s.\n",
+ identity_file);
+diff --git a/ssh-keysign.c b/ssh-keysign.c
+index d95bb7d..3526d7d 100644
+--- a/ssh-keysign.c
++++ b/ssh-keysign.c
+@@ -246,7 +246,8 @@ main(int argc, char **argv)
+ }
+ }
+ if (!found) {
+- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
++ fp = key_fingerprint(key, options.fingerprint_hash,
++ SSH_FP_DEFAULT);
+ fatal("no matching hostkey found for key %s %s",
+ key_type(key), fp);
+ }
+diff --git a/ssh.1 b/ssh.1
+index fa5cfb2..d3198a1 100644
+--- a/ssh.1
++++ b/ssh.1
+@@ -1083,7 +1083,7 @@ Fingerprints can be determined using
+ If the fingerprint is already known, it can be matched
+ and the key can be accepted or rejected.
+ Because of the difficulty of comparing host keys
+-just by looking at hex strings,
++just by looking at fingerprint strings,
+ there is also support to compare host keys visually,
+ using
+ .Em random art .
+diff --git a/sshconnect.c b/sshconnect.c
+index ac09eae..7db31e6 100644
+--- a/sshconnect.c
++++ b/sshconnect.c
+@@ -915,9 +915,10 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
+ "key for IP address '%.128s' to the list "
+ "of known hosts.", type, ip);
+ } else if (options.visual_host_key) {
+- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+- ra = key_fingerprint(host_key, SSH_FP_MD5,
+- SSH_FP_RANDOMART);
++ fp = key_fingerprint(host_key,
++ options.fingerprint_hash, SSH_FP_DEFAULT);
++ ra = key_fingerprint(host_key,
++ options.fingerprint_hash, SSH_FP_RANDOMART);
+ logit("Host key fingerprint is %s\n%s\n", fp, ra);
+ free(ra);
+ free(fp);
+@@ -956,9 +957,10 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
+ else
+ snprintf(msg1, sizeof(msg1), ".");
+ /* The default */
+- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+- ra = key_fingerprint(host_key, SSH_FP_MD5,
+- SSH_FP_RANDOMART);
++ fp = key_fingerprint(host_key,
++ options.fingerprint_hash, SSH_FP_DEFAULT);
++ ra = key_fingerprint(host_key,
++ options.fingerprint_hash, SSH_FP_RANDOMART);
+ msg2[0] = '\0';
+ if (options.verify_host_key_dns) {
+ if (matching_host_key_dns)
+@@ -1222,7 +1224,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
+ char *fp;
+ Key *plain = NULL;
+
+- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
++ fp = key_fingerprint(host_key, options.fingerprint_hash, SSH_FP_DEFAULT);
+ debug("Server host key: %s %s", key_type(host_key), fp);
+ free(fp);
+
+@@ -1356,8 +1358,10 @@ show_other_keys(struct hostkeys *hostkeys, Key *key)
+ continue;
+ if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
+ continue;
+- fp = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_HEX);
+- ra = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_RANDOMART);
++ fp = key_fingerprint(found->key,
++ options.fingerprint_hash, SSH_FP_DEFAULT);
++ ra = key_fingerprint(found->key,
++ options.fingerprint_hash, SSH_FP_RANDOMART);
+ logit("WARNING: %s key found for host %s\n"
+ "in %s:%lu\n"
+ "%s key fingerprint %s.",
+@@ -1378,7 +1382,8 @@ warn_changed_key(Key *host_key)
+ {
+ char *fp;
+
+- fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
++ fp = key_fingerprint(host_key, options.fingerprint_hash,
++ SSH_FP_DEFAULT);
+
+ error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
+ error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
+diff --git a/sshconnect2.c b/sshconnect2.c
+index 68f7f4f..4724b66 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -582,7 +582,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
+ key->type, pktype);
+ goto done;
+ }
+- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
++ fp = key_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT);
+ debug2("input_userauth_pk_ok: fp %s", fp);
+ free(fp);
+
+@@ -991,7 +991,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
+ int have_sig = 1;
+ char *fp;
+
+- fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
++ fp = key_fingerprint(id->key, options.fingerprint_hash, SSH_FP_DEFAULT);
+ debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
+ free(fp);
+
+diff --git a/sshd_config.5 b/sshd_config.5
+index fd44abe..0449eeb 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -483,6 +483,15 @@ and finally
+ See PATTERNS in
+ .Xr ssh_config 5
+ for more information on patterns.
++.It Cm FingerprintHash
++Specifies the hash algorithm used when logging key fingerprints.
++Valid options are:
++.Dq md5
++and
++.Dq sha256 .
++The default is
++.Dq sha256 .
++.Pp
+ .It Cm ForceCommand
+ Forces the execution of the command specified by
+ .Cm ForceCommand ,
+diff --git a/sshkey.c b/sshkey.c
+index fdd0c8a..70df758 100644
+--- a/sshkey.c
++++ b/sshkey.c
+@@ -29,6 +29,7 @@
+
+ #include <sys/param.h>
+ #include <sys/types.h>
++#include <netinet/in.h>
+
+ #include <openssl/evp.h>
+ #include <openssl/err.h>
+@@ -852,29 +853,18 @@ sshkey_plain_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp)
+ }
+
+ int
+-sshkey_fingerprint_raw(const struct sshkey *k, enum sshkey_fp_type dgst_type,
++sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg,
+ u_char **retp, size_t *lenp)
+ {
+ u_char *blob = NULL, *ret = NULL;
+ size_t blob_len = 0;
+- int hash_alg = -1, r = SSH_ERR_INTERNAL_ERROR;
++ int r = SSH_ERR_INTERNAL_ERROR;
+
+ if (retp != NULL)
+ *retp = NULL;
+ if (lenp != NULL)
+ *lenp = 0;
+-
+- switch (dgst_type) {
+- case SSH_FP_MD5:
+- hash_alg = SSH_DIGEST_MD5;
- break;
- case SSH_FP_SHA1:
- hash_alg = SSH_DIGEST_SHA1;
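Review bot: The `case 'E':` branch that this patch adds to `main()` in ssh-keygen.c rejects only a `-1` return from `ssh_digest_alg_by_name(optarg)`, while the ssh-keygen.1 text in the same hunk names `md5` and `sha256` as the valid options. The lookup function is not visible here, so this needs confirming, but if it resolves other digest names then `-E` accepts more than the manual states. Either list the full accepted set in the man page or record the gap next to the call, e.g. `/* accepts any digest ssh_digest_alg_by_name() knows; ssh-keygen.1 documents md5 and sha256 */`. Since the same commit also carries a FIPS patch, please confirm that `-E md5` and `FingerprintHash md5` fail with a clear error in FIPS mode, as the new man page text presents `md5` as always valid. `main()` starts and ends outside this hunk.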
@@ -871,7 +1375,7 @@ diff -up openssh-6.7p1/sshkey.c.fingerprint openssh-6.7p1/sshkey.c
r = SSH_ERR_INVALID_ARGUMENT;
goto out;
}
-@@ -899,7 +889,7 @@ sshkey_fingerprint_raw(const struct sshk
+@@ -899,7 +889,7 @@ sshkey_fingerprint_raw(const struct sshkey *k, enum sshkey_fp_type dgst_type,
r = SSH_ERR_ALLOC_FAIL;
goto out;
}
@@ -880,7 +1384,7 @@ diff -up openssh-6.7p1/sshkey.c.fingerprint openssh-6.7p1/sshkey.c
ret, SSH_DIGEST_MAX_LENGTH)) != 0)
goto out;
/* success */
-@@ -908,7 +898,7 @@ sshkey_fingerprint_raw(const struct sshk
+@@ -908,7 +898,7 @@ sshkey_fingerprint_raw(const struct sshkey *k, enum sshkey_fp_type dgst_type,
ret = NULL;
}
if (lenp != NULL)
@@ -889,7 +1393,7 @@ diff -up openssh-6.7p1/sshkey.c.fingerprint openssh-6.7p1/sshkey.c
r = 0;
out:
free(ret);
-@@ -920,21 +910,45 @@ sshkey_fingerprint_raw(const struct sshk
+@@ -920,21 +910,45 @@ sshkey_fingerprint_raw(const struct sshkey *k, enum sshkey_fp_type dgst_type,
}
static char *
@@ -924,15 +1428,15 @@ diff -up openssh-6.7p1/sshkey.c.fingerprint openssh-6.7p1/sshkey.c
+ ret[strcspn(ret, "=")] = '\0';
+ return ret;
+}
-+
+
+- /* Remove the trailing ':' character */
+- retval[(dgst_raw_len * 3) - 1] = '\0';
+static char *
+fingerprint_hex(const char *alg, u_char *dgst_raw, size_t dgst_raw_len)
+{
+ char *retval, hex[5];
+ size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2;
-
-- /* Remove the trailing ':' character */
-- retval[(dgst_raw_len * 3) - 1] = '\0';
++
+ if (dgst_raw_len > 65536 || (retval = calloc(1, rlen)) == NULL)
+ return NULL;
+ strlcpy(retval, alg, rlen);
@@ -945,7 +1449,7 @@ diff -up openssh-6.7p1/sshkey.c.fingerprint openssh-6.7p1/sshkey.c
return retval;
}
-@@ -1020,7 +1034,7 @@ fingerprint_bubblebabble(u_char *dgst_ra
+@@ -1020,7 +1034,7 @@ fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len)
#define FLDSIZE_Y (FLDBASE + 1)
#define FLDSIZE_X (FLDBASE * 2 + 1)
static char *
@@ -954,7 +1458,7 @@ diff -up openssh-6.7p1/sshkey.c.fingerprint openssh-6.7p1/sshkey.c
const struct sshkey *k)
{
/*
-@@ -1028,9 +1042,9 @@ fingerprint_randomart(u_char *dgst_raw,
+@@ -1028,9 +1042,9 @@ fingerprint_randomart(u_char *dgst_raw, size_t dgst_raw_len,
* intersects with itself. Matter of taste.
*/
char *augmentation_string = " .o+=*BOX@%&#/^SE";
@@ -966,7 +1470,7 @@ diff -up openssh-6.7p1/sshkey.c.fingerprint openssh-6.7p1/sshkey.c
u_int b;
int x, y, r;
size_t len = strlen(augmentation_string) - 1;
-@@ -1075,8 +1089,12 @@ fingerprint_randomart(u_char *dgst_raw,
+@@ -1075,8 +1089,12 @@ fingerprint_randomart(u_char *dgst_raw, size_t dgst_raw_len,
sshkey_type(k), sshkey_size(k));
/* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */
if (r < 0 || r > (int)sizeof(title))
@@ -981,7 +1485,7 @@ diff -up openssh-6.7p1/sshkey.c.fingerprint openssh-6.7p1/sshkey.c
/* output upper border */
p = retval;
-@@ -1085,7 +1103,7 @@ fingerprint_randomart(u_char *dgst_raw,
+@@ -1085,7 +1103,7 @@ fingerprint_randomart(u_char *dgst_raw, size_t dgst_raw_len,
*p++ = '-';
memcpy(p, title, tlen);
p += tlen;
@@ -990,7 +1494,7 @@ diff -up openssh-6.7p1/sshkey.c.fingerprint openssh-6.7p1/sshkey.c
*p++ = '-';
*p++ = '+';
*p++ = '\n';
-@@ -1101,7 +1119,11 @@ fingerprint_randomart(u_char *dgst_raw,
+@@ -1101,7 +1119,11 @@ fingerprint_randomart(u_char *dgst_raw, size_t dgst_raw_len,
/* output lower border */
*p++ = '+';
@@ -1003,7 +1507,7 @@ diff -up openssh-6.7p1/sshkey.c.fingerprint openssh-6.7p1/sshkey.c
*p++ = '-';
*p++ = '+';
-@@ -1109,24 +1131,39 @@ fingerprint_randomart(u_char *dgst_raw,
+@@ -1109,24 +1131,39 @@ fingerprint_randomart(u_char *dgst_raw, size_t dgst_raw_len,
}
char *
@@ -1047,194 +1551,10 @@ diff -up openssh-6.7p1/sshkey.c.fingerprint openssh-6.7p1/sshkey.c
break;
default:
explicit_bzero(dgst_raw, dgst_raw_len);
-diff -up openssh-6.7p1/ssh-keygen.1.fingerprint openssh-6.7p1/ssh-keygen.1
---- openssh-6.7p1/ssh-keygen.1.fingerprint 2014-04-20 05:23:04.000000000 +0200
-+++ openssh-6.7p1/ssh-keygen.1 2014-12-22 13:10:57.966878095 +0100
-@@ -73,6 +73,7 @@
- .Op Fl f Ar keyfile
- .Nm ssh-keygen
- .Fl l
-+.Op Fl E Ar fingerprint_hash
- .Op Fl f Ar input_keyfile
- .Nm ssh-keygen
- .Fl B
-@@ -269,6 +270,14 @@ When used in combination with
- this option indicates that a CA key resides in a PKCS#11 token (see the
- .Sx CERTIFICATES
- section for details).
-+.It Fl E Ar fingerprint_hash
-+Specifies the hash algorithm used when displaying key fingerprints.
-+Valid options are:
-+.Dq md5
-+and
-+.Dq sha256 .
-+The default is
-+.Dq sha256 .
- .It Fl e
- This option will read a private or public OpenSSH key file and
- print to stdout the key in one of the formats specified by the
-diff -up openssh-6.7p1/ssh-keygen.c.fingerprint openssh-6.7p1/ssh-keygen.c
---- openssh-6.7p1/ssh-keygen.c.fingerprint 2014-07-03 13:24:41.000000000 +0200
-+++ openssh-6.7p1/ssh-keygen.c 2014-12-22 13:10:57.966878095 +0100
-@@ -53,6 +53,7 @@
- #include "ssh-pkcs11.h"
- #include "atomicio.h"
- #include "krl.h"
-+#include "digest.h"
-
- /* Number of bits in the RSA/DSA key. This value can be set on the command line. */
- #define DEFAULT_BITS 2048
-@@ -90,6 +91,9 @@ int show_cert = 0;
- int print_fingerprint = 0;
- int print_bubblebabble = 0;
-
-+/* Hash algorithm to use for fingerprints. */
-+int fingerprint_hash = SSH_FP_HASH_DEFAULT;
-+
- /* The identity file name, given on the command line or entered by the user. */
- char identity_file[1024];
- int have_identity = 0;
-@@ -749,11 +753,11 @@ do_download(struct passwd *pw)
- Key **keys = NULL;
- int i, nkeys;
- enum fp_rep rep;
-- enum fp_type fptype;
-+ int fptype;
- char *fp, *ra;
-
-- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
-- rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
-+ fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash;
-+ rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT;
-
- pkcs11_init(0);
- nkeys = pkcs11_add_provider(pkcs11provider, NULL, &keys);
-@@ -762,7 +766,7 @@ do_download(struct passwd *pw)
- for (i = 0; i < nkeys; i++) {
- if (print_fingerprint) {
- fp = key_fingerprint(keys[i], fptype, rep);
-- ra = key_fingerprint(keys[i], SSH_FP_MD5,
-+ ra = key_fingerprint(keys[i], fingerprint_hash,
- SSH_FP_RANDOMART);
- printf("%u %s %s (PKCS11 key)\n", key_size(keys[i]),
- fp, key_type(keys[i]));
-@@ -792,12 +796,11 @@ do_fingerprint(struct passwd *pw)
- char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra;
- int i, skip = 0, num = 0, invalid = 1;
- enum fp_rep rep;
-- enum fp_type fptype;
-+ int fptype;
- struct stat st;
-
-- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
-- rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
--
-+ fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash;
-+ rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT;
- if (!have_identity)
- ask_filename(pw, "Enter file in which the key is");
- if (stat(identity_file, &st) < 0) {
-@@ -807,7 +810,8 @@ do_fingerprint(struct passwd *pw)
- public = key_load_public(identity_file, &comment);
- if (public != NULL) {
- fp = key_fingerprint(public, fptype, rep);
-- ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
-+ ra = key_fingerprint(public, fingerprint_hash,
-+ SSH_FP_RANDOMART);
- printf("%u %s %s (%s)\n", key_size(public), fp, comment,
- key_type(public));
- if (log_level >= SYSLOG_LEVEL_VERBOSE)
-@@ -873,7 +877,8 @@ do_fingerprint(struct passwd *pw)
- }
- comment = *cp ? cp : comment;
- fp = key_fingerprint(public, fptype, rep);
-- ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
-+ ra = key_fingerprint(public, fingerprint_hash,
-+ SSH_FP_RANDOMART);
- printf("%u %s %s (%s)\n", key_size(public), fp,
- comment ? comment : "no comment", key_type(public));
- if (log_level >= SYSLOG_LEVEL_VERBOSE)
-@@ -991,13 +996,15 @@ printhost(FILE *f, const char *name, Key
- {
- if (print_fingerprint) {
- enum fp_rep rep;
-- enum fp_type fptype;
-+ int fptype;
- char *fp, *ra;
-
-- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
-- rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
-+ fptype = print_bubblebabble ?
-+ SSH_DIGEST_SHA1 : fingerprint_hash;
-+ rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT;
- fp = key_fingerprint(public, fptype, rep);
-- ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
-+ ra = key_fingerprint(public, fingerprint_hash,
-+ SSH_FP_RANDOMART);
- printf("%u %s %s (%s)\n", key_size(public), fp, name,
- key_type(public));
- if (log_level >= SYSLOG_LEVEL_VERBOSE)
-@@ -1906,9 +1913,9 @@ do_show_cert(struct passwd *pw)
- fatal("%s is not a certificate", identity_file);
- v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00;
-
-- key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-+ key_fp = key_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT);
- ca_fp = key_fingerprint(key->cert->signature_key,
-- SSH_FP_MD5, SSH_FP_HEX);
-+ fingerprint_hash, SSH_FP_DEFAULT);
-
- printf("%s:\n", identity_file);
- printf(" Type: %s %s certificate\n", key_ssh_name(key),
-@@ -2187,7 +2194,7 @@ usage(void)
- " ssh-keygen -e [-m key_format] [-f input_keyfile]\n"
- " ssh-keygen -y [-f input_keyfile]\n"
- " ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]\n"
-- " ssh-keygen -l [-f input_keyfile]\n"
-+ " ssh-keygen -l [-E fingerprint_hash] [-f input_keyfile]\n"
- " ssh-keygen -B [-f input_keyfile]\n");
- #ifdef ENABLE_PKCS11
- fprintf(stderr,
-@@ -2256,9 +2263,10 @@ main(int argc, char **argv)
- exit(1);
- }
-
-- /* Remaining characters: EUYdw */
-+ /* Remaining characters: UYdw */
- while ((opt = getopt(argc, argv, "ABHLQXceghiklopquvxy"
-- "C:D:F:G:I:J:K:M:N:O:P:R:S:T:V:W:Z:a:b:f:g:j:m:n:r:s:t:z:")) != -1) {
-+ "C:D:E:F:G:I:J:K:M:N:O:P:R:S:T:V:W:Z:"
-+ "a:b:f:g:j:m:n:r:s:t:z:")) != -1) {
- switch (opt) {
- case 'A':
- gen_all_hostkeys = 1;
-@@ -2269,6 +2277,11 @@ main(int argc, char **argv)
- fatal("Bits has bad value %s (%s)",
- optarg, errstr);
- break;
-+ case 'E':
-+ fingerprint_hash = ssh_digest_alg_by_name(optarg);
-+ if (fingerprint_hash == -1)
-+ fatal("Invalid hash algorithm \"%s\"", optarg);
-+ break;
- case 'F':
- find_host = 1;
- rr_hostname = optarg;
-@@ -2700,8 +2713,9 @@ passphrase_again:
- fclose(f);
-
- if (!quiet) {
-- char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX);
-- char *ra = key_fingerprint(public, SSH_FP_MD5,
-+ char *fp = key_fingerprint(public, fingerprint_hash,
-+ SSH_FP_DEFAULT);
-+ char *ra = key_fingerprint(public, fingerprint_hash,
- SSH_FP_RANDOMART);
- printf("Your public key has been saved in %s.\n",
- identity_file);
-diff -up openssh-6.7p1/sshkey.h.fingerprint openssh-6.7p1/sshkey.h
---- openssh-6.7p1/sshkey.h.fingerprint 2014-08-20 03:06:51.000000000 +0200
-+++ openssh-6.7p1/sshkey.h 2014-12-22 13:10:57.969878085 +0100
+diff --git a/sshkey.h b/sshkey.h
+index 450b30c..4554b09 100644
+--- a/sshkey.h
++++ b/sshkey.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshkey.h,v 1.1 2014/06/24 01:16:58 djm Exp $ */
+/* $OpenBSD: sshkey.h,v 1.2 2014/12/21 22:27:55 djm Exp $ */
@@ -1262,7 +1582,7 @@ diff -up openssh-6.7p1/sshkey.h.fingerprint openssh-6.7p1/sshkey.h
SSH_FP_BUBBLEBABBLE,
SSH_FP_RANDOMART
};
-@@ -124,9 +122,9 @@ int sshkey_equal_public(const struct s
+@@ -124,9 +122,9 @@ int sshkey_equal_public(const struct sshkey *,
const struct sshkey *);
int sshkey_equal(const struct sshkey *, const struct sshkey *);
char *sshkey_fingerprint(const struct sshkey *,
@@ -1274,16 +1594,3 @@ diff -up openssh-6.7p1/sshkey.h.fingerprint openssh-6.7p1/sshkey.h
const char *sshkey_type(const struct sshkey *);
const char *sshkey_cert_type(const struct sshkey *);
int sshkey_write(const struct sshkey *, FILE *);
-diff -up openssh-6.7p1/ssh-keysign.c.fingerprint openssh-6.7p1/ssh-keysign.c
---- openssh-6.7p1/ssh-keysign.c.fingerprint 2014-05-15 06:24:10.000000000 +0200
-+++ openssh-6.7p1/ssh-keysign.c 2014-12-22 13:10:57.967878092 +0100
-@@ -246,7 +246,8 @@ main(int argc, char **argv)
- }
- }
- if (!found) {
-- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-+ fp = key_fingerprint(key, options.fingerprint_hash,
-+ SSH_FP_DEFAULT);
- fatal("no matching hostkey found for key %s %s",
- key_type(key), fp);
- }
diff --git a/openssh-6.6p1-fips.patch b/openssh-6.7p1-fips.patch
similarity index 71%
rename from openssh-6.6p1-fips.patch
rename to openssh-6.7p1-fips.patch
index f97e2ba..ea82670 100644
--- a/openssh-6.6p1-fips.patch
+++ b/openssh-6.7p1-fips.patch
@@ -1,8 +1,8 @@
diff --git a/Makefile.in b/Makefile.in
-index 3bb7f00..294bef5 100644
+index 9311e16..1eb2b45 100644
--- a/Makefile.in
+++ b/Makefile.in
-@@ -154,25 +154,25 @@ libssh.a: $(LIBSSH_OBJS)
+@@ -164,25 +164,25 @@ libssh.a: $(LIBSSH_OBJS)
$(RANLIB) $@
ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
@@ -34,7 +34,7 @@ index 3bb7f00..294bef5 100644
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
-@@ -187,7 +187,7 @@ ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
+@@ -197,7 +197,7 @@ ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
@@ -43,77 +43,6 @@ index 3bb7f00..294bef5 100644
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-diff --git a/auth-rsa.c b/auth-rsa.c
-index f225b0b..8bafcd6 100644
---- a/auth-rsa.c
-+++ b/auth-rsa.c
-@@ -244,7 +244,7 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file,
- "actual %d vs. announced %d.",
- file, linenum, BN_num_bits(key->rsa->n), bits);
-
-- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-+ fp = key_selected_fingerprint(key, SSH_FP_HEX);
- debug("matching key found: file %s, line %lu %s %s",
- file, linenum, key_type(key), fp);
- free(fp);
-diff --git a/auth2-pubkey.c b/auth2-pubkey.c
-index 6d1c872..3808ec8 100644
---- a/auth2-pubkey.c
-+++ b/auth2-pubkey.c
-@@ -214,8 +214,7 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
- }
-
- if (key_is_cert(key)) {
-- fp = key_fingerprint(key->cert->signature_key,
-- SSH_FP_MD5, SSH_FP_HEX);
-+ fp = key_selected_fingerprint(key->cert->signature_key, SSH_FP_HEX);
- auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s",
- key_type(key), key->cert->key_id,
- (unsigned long long)key->cert->serial,
-@@ -223,7 +222,7 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
- extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
- free(fp);
- } else {
-- fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-+ fp = key_selected_fingerprint(key, SSH_FP_HEX);
- auth_info(authctxt, "%s %s%s%s", key_type(key), fp,
- extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
- free(fp);
-diff --git a/authfile.c b/authfile.c
-index ec4f4ff..2b3d650 100644
---- a/authfile.c
-+++ b/authfile.c
-@@ -46,6 +46,7 @@
- #include <openssl/err.h>
- #include <openssl/evp.h>
- #include <openssl/pem.h>
-+#include <openssl/fips.h>
-
- /* compatibility with old or broken OpenSSL versions */
- #include "openbsd-compat/openssl-compat.h"
-@@ -1068,7 +1069,7 @@ Key *
- key_parse_private(Buffer *buffer, const char *filename,
- const char *passphrase, char **commentp)
- {
-- Key *pub, *prv;
-+ Key *pub, *prv = NULL;
-
- /* it's a SSH v1 key if the public key part is readable */
- pub = key_parse_public_rsa1(buffer, commentp);
-@@ -1080,9 +1081,10 @@ key_parse_private(Buffer *buffer, const char *filename,
- *commentp = xstrdup(filename);
- } else {
- key_free(pub);
-- /* key_parse_public_rsa1() has already loaded the comment */
-- prv = key_parse_private_type(buffer, KEY_RSA1, passphrase,
-- NULL);
-+ if (! FIPS_mode())
-+ /* key_parse_public_rsa1() has already loaded the comment */
-+ prv = key_parse_private_type(buffer, KEY_RSA1, passphrase,
-+ NULL);
- }
- return prv;
- }
diff --git a/cipher-ctr.c b/cipher-ctr.c
index 73e9c7c..40ee395 100644
--- a/cipher-ctr.c
@@ -129,7 +58,7 @@ index 73e9c7c..40ee395 100644
return (&aes_ctr);
}
diff --git a/cipher.c b/cipher.c
-index 226e56d..b19443c 100644
+index 9cc7cf8..5ebfa84 100644
--- a/cipher.c
+++ b/cipher.c
@@ -39,6 +39,8 @@
@@ -141,11 +70,11 @@ index 226e56d..b19443c 100644
#include <string.h>
#include <stdarg.h>
#include <stdio.h>
-@@ -90,6 +92,25 @@ static const struct Cipher ciphers[] = {
+@@ -99,6 +101,26 @@ static const struct sshcipher ciphers[] = {
{ NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
};
-+static const struct Cipher fips_ciphers[] = {
++static const struct sshcipher fips_ciphers[] = {
+ { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
+ { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
+ { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc },
@@ -164,38 +93,39 @@ index 226e56d..b19443c 100644
+#endif
+ { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
+};
++
/*--*/
- /* Returns a list of supported ciphers separated by the specified char. */
-@@ -100,7 +121,7 @@ cipher_alg_list(char sep, int auth_only)
+ /* Returns a comma-separated list of supported ciphers. */
+@@ -109,7 +131,7 @@ cipher_alg_list(char sep, int auth_only)
size_t nlen, rlen = 0;
- const Cipher *c;
+ const struct sshcipher *c;
- for (c = ciphers; c->name != NULL; c++) {
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) {
if (c->number != SSH_CIPHER_SSH2)
continue;
if (auth_only && c->auth_len == 0)
-@@ -180,7 +201,7 @@ const Cipher *
+@@ -193,7 +215,7 @@ const struct sshcipher *
cipher_by_name(const char *name)
{
- const Cipher *c;
+ const struct sshcipher *c;
- for (c = ciphers; c->name != NULL; c++)
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
if (strcmp(c->name, name) == 0)
return c;
return NULL;
-@@ -190,7 +211,7 @@ const Cipher *
+@@ -203,7 +225,7 @@ const struct sshcipher *
cipher_by_number(int id)
{
- const Cipher *c;
+ const struct sshcipher *c;
- for (c = ciphers; c->name != NULL; c++)
+ for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
if (c->number == id)
return c;
return NULL;
-@@ -232,7 +253,7 @@ cipher_number(const char *name)
- const Cipher *c;
+@@ -244,7 +266,7 @@ cipher_number(const char *name)
+ const struct sshcipher *c;
if (name == NULL)
return -1;
- for (c = ciphers; c->name != NULL; c++)
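Review bot: The table choice `FIPS_mode() ? fips_ciphers : ciphers` is written out separately in cipher_alg_list, cipher_by_name and cipher_by_number in this hunk, and again in cipher_number, whose loop starts at the hunk's end. Any lookup added later that walks `ciphers` directly would bypass the FIPS restriction without a compile error. A single accessor, `static const struct sshcipher *cipher_table(void) { return FIPS_mode() ? fips_ciphers : ciphers; }`, used as `for (c = cipher_table(); c->name != NULL; c++)`, keeps the policy in one place. The bodies of these functions continue outside the hunk.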
@@ -216,10 +146,10 @@ index 48f7b68..9ff39f4 100644
/*
diff --git a/entropy.c b/entropy.c
-index b361a04..5616643 100644
+index d24e724..06b0095 100644
--- a/entropy.c
+++ b/entropy.c
-@@ -222,6 +222,9 @@ seed_rng(void)
+@@ -215,6 +215,9 @@ seed_rng(void)
fatal("OpenSSL version mismatch. Built against %lx, you "
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
@@ -230,18 +160,18 @@ index b361a04..5616643 100644
if (RAND_status() == 1) {
debug3("RNG is ready, skipping seeding");
diff --git a/kex.c b/kex.c
-index bc3e53e..ede7b67 100644
+index e0cf3de..e11198f 100644
--- a/kex.c
+++ b/kex.c
-@@ -34,6 +34,7 @@
- #include <string.h>
+@@ -35,6 +35,7 @@
+ #ifdef WITH_OPENSSL
#include <openssl/crypto.h>
+#include <openssl/fips.h>
+ #endif
#include "xmalloc.h"
- #include "ssh2.h"
-@@ -103,6 +104,25 @@ static const struct kexalg kexalgs[] = {
+@@ -107,6 +108,25 @@ static const struct kexalg kexalgs[] = {
{ NULL, -1, -1, -1},
};
@@ -267,7 +197,7 @@ index bc3e53e..ede7b67 100644
char *
kex_alg_list(char sep)
{
-@@ -126,7 +146,7 @@ kex_alg_by_name(const char *name)
+@@ -130,7 +150,7 @@ kex_alg_by_name(const char *name)
{
const struct kexalg *k;
@@ -276,7 +206,7 @@ index bc3e53e..ede7b67 100644
if (strcmp(k->name, name) == 0)
return k;
#ifdef GSSAPI
-@@ -151,7 +171,10 @@ kex_names_valid(const char *names)
+@@ -155,7 +175,10 @@ kex_names_valid(const char *names)
for ((p = strsep(&cp, ",")); p && *p != '\0';
(p = strsep(&cp, ","))) {
if (kex_alg_by_name(p) == NULL) {
@@ -313,7 +243,7 @@ index 2700b72..0820894 100644
}
#else /* OPENSSL_HAS_ECC */
diff --git a/kexgexc.c b/kexgexc.c
-index 355b7ba..427e11f 100644
+index 0a91bdd..b75930b 100644
--- a/kexgexc.c
+++ b/kexgexc.c
@@ -26,6 +26,8 @@
@@ -358,50 +288,8 @@ index 770ad28..9d4fc6d 100644
omax = max = DH_GRP_MAX;
break;
default:
-diff --git a/key.c b/key.c
-index 62f3edb..a2050f6 100644
---- a/key.c
-+++ b/key.c
-@@ -42,6 +42,7 @@
- #include "crypto_api.h"
-
- #include <openssl/evp.h>
-+#include <openssl/fips.h>
- #include <openbsd-compat/openssl-compat.h>
-
- #include <stdarg.h>
-@@ -636,9 +637,13 @@ key_fingerprint_selection(void)
- char *env;
-
- if (!rv_defined) {
-- env = getenv("SSH_FINGERPRINT_TYPE");
-- rv = (env && !strcmp (env, "sha")) ?
-- SSH_FP_SHA1 : SSH_FP_MD5;
-+ if (FIPS_mode())
-+ rv = SSH_FP_SHA1;
-+ else {
-+ env = getenv("SSH_FINGERPRINT_TYPE");
-+ rv = (env && !strcmp (env, "sha")) ?
-+ SSH_FP_SHA1 : SSH_FP_MD5;
-+ }
- rv_defined = 1;
- }
- return rv;
-@@ -1168,8 +1173,11 @@ rsa_generate_private_key(u_int bits)
- fatal("%s: BN_new failed", __func__);
- if (!BN_set_word(f4, RSA_F4))
- fatal("%s: BN_new failed", __func__);
-- if (!RSA_generate_key_ex(private, bits, f4, NULL))
-+ if (!RSA_generate_key_ex(private, bits, f4, NULL)) {
-+ if (FIPS_mode())
-+ logit("%s: the key length might be unsupported by FIPS mode approved key generation method", __func__);
- fatal("%s: key generation failed.", __func__);
-+ }
- BN_free(f4);
- return private;
- }
diff --git a/mac.c b/mac.c
-index 9388af4..cd7b034 100644
+index fd07bf2..fedfbb2 100644
--- a/mac.c
+++ b/mac.c
@@ -27,6 +27,8 @@
@@ -466,26 +354,18 @@ index 9388af4..cd7b034 100644
continue;
if (mac != NULL) {
diff --git a/myproposal.h b/myproposal.h
-index 3a0f5ae..4f35a44 100644
+index b35b2b8..a608d27 100644
--- a/myproposal.h
+++ b/myproposal.h
-@@ -88,6 +88,12 @@
- "diffie-hellman-group14-sha1," \
- "diffie-hellman-group1-sha1"
+@@ -140,6 +140,28 @@
+ "hmac-sha1-96," \
+ "hmac-md5-96"
+#define KEX_DEFAULT_KEX_FIPS \
+ KEX_ECDH_METHODS \
+ KEX_SHA256_METHODS \
+ "diffie-hellman-group-exchange-sha1," \
+ "diffie-hellman-group14-sha1"
-+
- #define KEX_DEFAULT_PK_ALG \
- HOSTKEY_ECDSA_CERT_METHODS \
- "ssh-ed25519-cert-v01 at openssh.com," \
-@@ -133,6 +139,22 @@
- #define KEX_DEFAULT_COMP "none,zlib at openssh.com,zlib"
- #define KEX_DEFAULT_LANG ""
-
+#define KEX_FIPS_ENCRYPT \
+ "aes128-ctr,aes192-ctr,aes256-ctr," \
+ "aes128-cbc,3des-cbc," \
@@ -502,59 +382,24 @@ index 3a0f5ae..4f35a44 100644
+#define KEX_FIPS_MAC \
+ "hmac-sha1"
+#endif
++
+ #else
- static char *myproposal[PROPOSAL_MAX] = {
- KEX_DEFAULT_KEX,
-diff --git a/ssh-keygen.c b/ssh-keygen.c
-index 66198e6..ccf22c8 100644
---- a/ssh-keygen.c
-+++ b/ssh-keygen.c
-@@ -195,6 +195,12 @@ type_bits_valid(int type, u_int32_t *bitsp)
- fprintf(stderr, "key bits exceeds maximum %d\n", maxbits);
- exit(1);
- }
-+ if (FIPS_mode()) {
-+ if (type == KEY_DSA)
-+ fatal("DSA keys are not allowed in FIPS mode");
-+ if (type == KEY_ED25519)
-+ fatal("ED25519 keys are not allowed in FIPS mode");
-+ }
- if (type == KEY_DSA && *bitsp != 1024)
- fatal("DSA keys must be 1024 bits");
- else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768)
-@@ -746,7 +752,7 @@ do_download(struct passwd *pw)
- enum fp_type fptype;
- char *fp, *ra;
-
-- fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
-+ fptype = print_bubblebabble ? SSH_FP_SHA1 : key_fingerprint_selection();
- rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
-
- pkcs11_init(0);
-@@ -756,8 +762,7 @@ do_download(struct passwd *pw)
- for (i = 0; i < nkeys; i++) {
- if (print_fingerprint) {
- fp = key_fingerprint(keys[i], fptype, rep);
-- ra = key_fingerprint(keys[i], SSH_FP_MD5,
-- SSH_FP_RANDOMART);
-+ ra = key_selected_fingerprint(keys[i], SSH_FP_RANDOMART);
- printf("%u %s %s (PKCS11 key)\n", key_size(keys[i]),
- fp, key_type(keys[i]));
- if (log_level >= SYSLOG_LEVEL_VERBOSE)
+ #define KEX_SERVER_KEX \
diff --git a/ssh.c b/ssh.c
-index 1e6cb90..ea9193f 100644
+index 26e9681..a0a7c29 100644
--- a/ssh.c
+++ b/ssh.c
-@@ -73,6 +73,8 @@
-
+@@ -75,6 +75,8 @@
#include <openssl/evp.h>
#include <openssl/err.h>
+ #endif
+#include <openssl/fips.h>
+#include <fipscheck.h>
#include "openbsd-compat/openssl-compat.h"
#include "openbsd-compat/sys-queue.h"
-@@ -427,6 +429,13 @@ main(int ac, char **av)
+@@ -433,6 +435,13 @@ main(int ac, char **av)
sanitise_stdfd();
__progname = ssh_get_progname(av[0]);
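Review bot: The rebased patch no longer carries the ssh-keygen.c section, so the `type_bits_valid` guard that stopped DSA and ED25519 key generation with `fatal("... not allowed in FIPS mode")` is gone, and no visible section re-adds it. Ed25519 key generation may not go through OpenSSL at all, in which case the library's own FIPS checks would not reject it; confirm that ssh-keygen still refuses these types when `FIPS_mode()` is set, and otherwise restore the `if (FIPS_mode())` block in `type_bits_valid`. If the check is now meant to live elsewhere, a comment in the patch saying where would help the next rebase. Part of this patch lies outside the visible lines, so this is inferred from the sections shown here.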
@@ -568,7 +413,7 @@ index 1e6cb90..ea9193f 100644
#ifndef HAVE_SETPROCTITLE
/* Prepare for later setproctitle emulation */
-@@ -504,6 +513,9 @@ main(int ac, char **av)
+@@ -510,6 +519,9 @@ main(int ac, char **av)
"ACD:E:F:I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
switch (opt) {
case '1':
@@ -578,15 +423,15 @@ index 1e6cb90..ea9193f 100644
options.protocol = SSH_PROTO_1;
break;
case '2':
-@@ -828,7 +840,6 @@ main(int ac, char **av)
-
+@@ -841,7 +853,6 @@ main(int ac, char **av)
host_arg = xstrdup(host);
+ #ifdef WITH_OPENSSL
- OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
+ #endif
- /* Initialize the command to execute on remote host. */
-@@ -973,6 +984,10 @@ main(int ac, char **av)
+@@ -997,6 +1008,10 @@ main(int ac, char **av)
seed_rng();
@@ -597,7 +442,7 @@ index 1e6cb90..ea9193f 100644
if (options.user == NULL)
options.user = xstrdup(pw->pw_name);
-@@ -1020,6 +1035,12 @@ main(int ac, char **av)
+@@ -1069,6 +1084,12 @@ main(int ac, char **av)
timeout_ms = options.connection_timeout * 1000;
@@ -611,10 +456,10 @@ index 1e6cb90..ea9193f 100644
if (ssh_connect(host, addrs, &hostaddr, options.port,
options.address_family, options.connection_attempts,
diff --git a/sshconnect2.c b/sshconnect2.c
-index b00658b..6a1562c 100644
+index efe6158..5631f39 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
-@@ -44,6 +44,8 @@
+@@ -46,6 +46,8 @@
#include <vis.h>
#endif
@@ -623,24 +468,13 @@ index b00658b..6a1562c 100644
#include "openbsd-compat/sys-queue.h"
#include "xmalloc.h"
-@@ -168,20 +170,25 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -171,20 +173,25 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
#ifdef GSSAPI
if (options.gss_keyex) {
- /* Add the GSSAPI mechanisms currently supported on this
- * client to the key exchange algorithm proposal */
- orig = myproposal[PROPOSAL_KEX_ALGS];
--
-- if (options.gss_trust_dns)
-- gss_host = (char *)get_canonical_hostname(1);
-- else
-- gss_host = host;
--
-- gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
-- if (gss) {
-- debug("Offering GSSAPI proposal: %s", gss);
-- xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
-- "%s,%s", gss, orig);
+ if (FIPS_mode()) {
+ logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
+ options.gss_keyex = 0;
@@ -648,12 +482,21 @@ index b00658b..6a1562c 100644
+ /* Add the GSSAPI mechanisms currently supported on this
+ * client to the key exchange algorithm proposal */
+ orig = myproposal[PROPOSAL_KEX_ALGS];
-+
+
+- if (options.gss_trust_dns)
+- gss_host = (char *)get_canonical_hostname(1);
+- else
+- gss_host = host;
+ if (options.gss_trust_dns)
+ gss_host = (char *)get_canonical_hostname(1);
+ else
+ gss_host = host;
-+
+
+- gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
+- if (gss) {
+- debug("Offering GSSAPI proposal: %s", gss);
+- xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
+- "%s,%s", gss, orig);
+ gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
+ if (gss) {
+ debug("Offering GSSAPI proposal: %s", gss);
@@ -663,7 +506,7 @@ index b00658b..6a1562c 100644
}
}
#endif
-@@ -193,6 +200,10 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -196,6 +203,10 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
if (options.ciphers != NULL) {
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@@ -674,7 +517,7 @@ index b00658b..6a1562c 100644
}
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
-@@ -208,7 +219,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -211,7 +222,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
if (options.macs != NULL) {
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
@@ -686,7 +529,7 @@ index b00658b..6a1562c 100644
if (options.hostkeyalgorithms != NULL)
myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
compat_pkalg_proposal(options.hostkeyalgorithms);
-@@ -220,9 +235,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -223,9 +238,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
}
if (options.kex_algorithms != NULL)
myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
@@ -700,19 +543,27 @@ index b00658b..6a1562c 100644
/* If we've got GSSAPI algorithms, then we also support the
* 'null' hostkey, as a last resort */
diff --git a/sshd.c b/sshd.c
-index b561ec8..e977de3 100644
+index db23ce2..3ce59f0 100644
--- a/sshd.c
+++ b/sshd.c
-@@ -75,6 +75,8 @@
+@@ -66,6 +66,7 @@
+ #include <grp.h>
+ #include <pwd.h>
+ #include <signal.h>
++#include <syslog.h>
+ #include <stdarg.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+@@ -76,6 +77,8 @@
#include <openssl/dh.h>
#include <openssl/bn.h>
#include <openssl/rand.h>
+#include <openssl/fips.h>
+#include <fipscheck.h>
#include "openbsd-compat/openssl-compat.h"
+ #endif
- #ifdef HAVE_SECUREWARE
-@@ -1468,6 +1470,18 @@ main(int ac, char **av)
+@@ -1479,6 +1482,18 @@ main(int ac, char **av)
#endif
__progname = ssh_get_progname(av[0]);
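Review bot: The FIPS headers are placed inconsistently across the rebased sections: here in sshd.c `#include <openssl/fips.h>` and `#include <fipscheck.h>` sit before the `#endif` that closes the OpenSSL include block, while the ssh.c section adds the same two lines after that `#endif`. With the ssh.c placement, a build configured without OpenSSL would still pull in both headers. Moving the ssh.c lines above its `#endif`, as done here and in kex.c, keeps the three files aligned. The `FIPS_mode()` calls themselves would presumably need the same guard for such a build to work.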
@@ -731,16 +582,16 @@ index b561ec8..e977de3 100644
/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
saved_argc = ac;
rexec_argc = ac;
-@@ -1619,8 +1633,6 @@ main(int ac, char **av)
+@@ -1630,7 +1645,7 @@ main(int ac, char **av)
else
closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
-- OpenSSL_add_all_algorithms();
--
- /* If requested, redirect the logs to the specified logfile. */
- if (logfile != NULL) {
- log_redirect_stderr_to(logfile);
-@@ -1798,6 +1810,10 @@ main(int ac, char **av)
+-#ifdef WITH_OPENSSL
++#if 0 /* FIPS */
+ OpenSSL_add_all_algorithms();
+ #endif
+
+@@ -1816,6 +1831,10 @@ main(int ac, char **av)
debug("private host key: #%d type %d %s", i, keytype,
key_type(key ? key : pubkey));
}
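Review bot: Replacing `#ifdef WITH_OPENSSL` with `#if 0 /* FIPS */` leaves the `OpenSSL_add_all_algorithms()` call in sshd.c as dead code, whereas the ssh.c section of this patch deletes the same call outright. The comment also does not say where algorithm registration happens instead; presumably it is in the block this patch adds near the top of main(), which is not fully visible here. Either delete the call as in ssh.c, or expand the comment, e.g. `#if 0 /* FIPS: algorithms are registered earlier in main() */`, after confirming that is what the earlier block does.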
@@ -751,7 +602,7 @@ index b561ec8..e977de3 100644
if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
logit("Disabling protocol version 1. Could not load host key");
options.protocol &= ~SSH_PROTO_1;
-@@ -1961,6 +1977,10 @@ main(int ac, char **av)
+@@ -1982,6 +2001,10 @@ main(int ac, char **av)
/* Reinitialize the log (because of the fork above). */
log_init(__progname, options.log_level, options.log_facility, log_stderr);
@@ -762,7 +613,7 @@ index b561ec8..e977de3 100644
/* Chdir to the root directory so that the current disk can be
unmounted if desired. */
if (chdir("/") == -1)
-@@ -2530,6 +2550,9 @@ do_ssh2_kex(void)
+@@ -2541,6 +2564,9 @@ do_ssh2_kex(void)
if (options.ciphers != NULL) {
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@@ -772,7 +623,7 @@ index b561ec8..e977de3 100644
}
myproposal[PROPOSAL_ENC_ALGS_CTOS] =
compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
-@@ -2539,6 +2562,9 @@ do_ssh2_kex(void)
+@@ -2550,6 +2576,9 @@ do_ssh2_kex(void)
if (options.macs != NULL) {
myproposal[PROPOSAL_MAC_ALGS_CTOS] =
myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
@@ -782,7 +633,7 @@ index b561ec8..e977de3 100644
}
if (options.compression == COMP_NONE) {
myproposal[PROPOSAL_COMP_ALGS_CTOS] =
-@@ -2549,6 +2575,8 @@ do_ssh2_kex(void)
+@@ -2560,6 +2589,8 @@ do_ssh2_kex(void)
}
if (options.kex_algorithms != NULL)
myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
@@ -791,7 +642,7 @@ index b561ec8..e977de3 100644
myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
myproposal[PROPOSAL_KEX_ALGS]);
-@@ -2575,10 +2603,14 @@ do_ssh2_kex(void)
+@@ -2586,10 +2617,14 @@ do_ssh2_kex(void)
if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
orig = NULL;
@@ -810,3 +661,24 @@ index b561ec8..e977de3 100644
if (gss && orig)
xasprintf(&newstr, "%s,%s", gss, orig);
+diff --git a/sshkey.c b/sshkey.c
+index f078e11..5e3d97f 100644
+--- a/sshkey.c
++++ b/sshkey.c
+@@ -34,6 +34,7 @@
+ #include <openssl/evp.h>
+ #include <openssl/err.h>
+ #include <openssl/pem.h>
++#include <openssl/fips.h>
+
+ #include "crypto_api.h"
+
+@@ -1523,6 +1524,8 @@ rsa_generate_private_key(u_int bits, RSA **rsap)
+ }
+ if (!BN_set_word(f4, RSA_F4) ||
+ !RSA_generate_key_ex(private, bits, f4, NULL)) {
++ if (FIPS_mode())
++ logit("%s: the key length might be unsupported by FIPS mode approved key generation method", __func__);
+ ret = SSH_ERR_LIBCRYPTO_ERROR;
+ goto out;
+ }
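Review bot: The FIPS hint in rsa_generate_private_key is logged on any failure of the combined condition, so a failing `BN_set_word()` also produces a message about key length, and the message does not say which length was requested. Including the value makes the log actionable: `logit("%s: RSA key generation failed for %u bits; the length may not be permitted in FIPS mode", __func__, bits);`. No visible hunk adds a declaration for `logit` to sshkey.c, so check that `log.h` is already in scope there. The function body starts and ends outside the hunk.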
diff --git a/openssh-6.6p1-ldap.patch b/openssh-6.7p1-ldap.patch
similarity index 99%
rename from openssh-6.6p1-ldap.patch
rename to openssh-6.7p1-ldap.patch
index ae3e7cd..51faad6 100644
--- a/openssh-6.6p1-ldap.patch
+++ b/openssh-6.7p1-ldap.patch
@@ -113,7 +113,7 @@ index 0000000..dd5f5cc
+ Jan F. Chadima <jchadima at redhat.com>
+
diff --git a/Makefile.in b/Makefile.in
-index 28a8ec4..411eadb 100644
+index 06be3d5..f02aa1e 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -25,6 +25,8 @@ SSH_PROGRAM=@bindir@/ssh
@@ -125,7 +125,7 @@ index 28a8ec4..411eadb 100644
SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
PRIVSEP_PATH=@PRIVSEP_PATH@
SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
-@@ -60,8 +62,9 @@ XAUTH_PATH=@XAUTH_PATH@
+@@ -61,8 +63,9 @@ XAUTH_PATH=@XAUTH_PATH@
LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
EXEEXT=@EXEEXT@
MANFMT=@MANFMT@
@@ -134,9 +134,9 @@ index 28a8ec4..411eadb 100644
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
- LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
- canohost.o channels.o cipher.o cipher-aes.o \
-@@ -98,8 +101,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
+ LIBOPENSSH_OBJS=\
+ ssherr.o \
+@@ -108,8 +111,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
sandbox-seccomp-filter.o sandbox-capsicum.o
@@ -147,7 +147,7 @@ index 28a8ec4..411eadb 100644
MANTYPE = @MANTYPE@
CONFIGFILES=sshd_config.out ssh_config.out moduli.out
-@@ -170,6 +173,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readco
+@@ -180,6 +183,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readco
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
@@ -157,7 +157,7 @@ index 28a8ec4..411eadb 100644
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
-@@ -273,6 +279,10 @@ install-files:
+@@ -295,6 +301,10 @@ install-files:
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
@@ -168,7 +168,7 @@ index 28a8ec4..411eadb 100644
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-@@ -289,6 +299,10 @@ install-files:
+@@ -311,6 +321,10 @@ install-files:
$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@@ -179,7 +179,7 @@ index 28a8ec4..411eadb 100644
-rm -f $(DESTDIR)$(bindir)/slogin
ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
-@@ -318,6 +332,13 @@ install-sysconf:
+@@ -340,6 +354,13 @@ install-sysconf:
else \
echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
fi
@@ -193,7 +193,7 @@ index 28a8ec4..411eadb 100644
host-key: ssh-keygen$(EXEEXT)
@if [ -z "$(DESTDIR)" ] ; then \
-@@ -381,6 +402,8 @@ uninstall:
+@@ -403,6 +424,8 @@ uninstall:
-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
@@ -202,19 +202,19 @@ index 28a8ec4..411eadb 100644
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-@@ -392,6 +415,7 @@ uninstall:
+@@ -414,6 +437,7 @@ uninstall:
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
- regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c
+ regress-prep:
diff --git a/configure.ac b/configure.ac
-index 7c6ce08..722a19e 100644
+index 67c4486..6553074 100644
--- a/configure.ac
+++ b/configure.ac
-@@ -1625,6 +1625,106 @@ if test "x$use_pie" != "xno"; then
+@@ -1569,6 +1569,106 @@ if test "x$use_pie" != "xno"; then
fi
fi
@@ -1159,7 +1159,7 @@ index 0000000..665dca2
+
diff --git a/ldapconf.c b/ldapconf.c
new file mode 100644
-index 0000000..525060a
+index 0000000..b49cae6
--- /dev/null
+++ b/ldapconf.c
@@ -0,0 +1,722 @@
diff --git a/openssh.spec b/openssh.spec
index 28abea8..86883b1 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -63,10 +63,10 @@
%endif
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
-%define openssh_ver 6.6.1p1
-%define openssh_rel 11.1
+%define openssh_ver 6.7p1
+%define openssh_rel 1
%define pam_ssh_agent_ver 0.9.3
-%define pam_ssh_agent_rel 3
+%define pam_ssh_agent_rel 4
Summary: An open source implementation of SSH protocol versions 1 and 2
Name: openssh
@@ -74,8 +74,7 @@ Version: %{openssh_ver}
Release: %{openssh_rel}%{?dist}%{?rescue_rel}
URL: http://www.openssh.com/portable.html
#URL1: http://pamsshagentauth.sourceforge.net
-# Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
-Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.6p1.tar.gz
+Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
#Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
Source2: sshd.pam
Source3: sshd.init
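Review bot: `Source0` still names a plain `ftp://` URL and the detached-signature line `#Source1: ...tar.gz.asc` stays commented out, so nothing in the spec authenticates the new 6.7p1 tarball. The only integrity check visible in this commit is the 32-hex-digit entry in `sources`, which looks like an MD5 digest. Enabling `Source1` and verifying the signature against a pinned upstream key in `%prep` would tie the build to the upstream release key rather than to whoever uploaded the tarball.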
@@ -103,10 +102,9 @@ Patch102: openssh-5.8p1-getaddrinfo.patch
Patch103: openssh-5.8p1-packet.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1402
-Patch200: openssh-6.6p1-audit.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1171248
# record pfs= field in CRYPTO_SESSION audit event
-Patch201: openssh-6.6.1p1-audit-pfs.patch
+Patch200: openssh-6.7p1-audit.patch
# --- pam_ssh-agent ---
# make it build reusing the openssh sources
@@ -117,13 +115,15 @@ Patch301: pam_ssh_agent_auth-0.9.2-seteuid.patch
Patch302: pam_ssh_agent_auth-0.9.2-visibility.patch
# don't use xfree (#1024965)
Patch303: pam_ssh_agent_auth-0.9.3-no-xfree.patch
+# use SSH_DIGEST_* for fingerprint hashes
+Patch304: pam_ssh_agent_auth-0.9.3-fingerprint-hash.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX)
Patch400: openssh-6.6p1-role-mls.patch
#https://bugzilla.redhat.com/show_bug.cgi?id=781634
Patch404: openssh-6.6p1-privsep-selinux.patch
#?-- unwanted child :(
-Patch501: openssh-6.6p1-ldap.patch
+Patch501: openssh-6.7p1-ldap.patch
#?
Patch502: openssh-6.6p1-keycat.patch
@@ -143,15 +143,11 @@ Patch608: openssh-6.1p1-askpass-ld.patch
Patch609: openssh-5.5p1-x11.patch
#?
-Patch700: openssh-6.6p1-fips.patch
-#?
-# drop? Patch701: openssh-5.6p1-exit-deadlock.patch
+Patch700: openssh-6.7p1-fips.patch
#?
Patch702: openssh-5.1p1-askpass-progress.patch
#?
Patch703: openssh-4.3p2-askpass-grab-info.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=205842
-# drop? Patch704: openssh-5.9p1-edns.patch
#?
Patch705: openssh-5.1p1-scp-manpage.patch
#?
@@ -361,7 +357,7 @@ remote ssh-agent instance.
The module is most useful for su and sudo service stacks.
%prep
-%setup -q -a 4 -n openssh-6.6p1
+%setup -q -a 4
#Do not enable by default
%if 0
%patch0 -p1 -b .wIm
@@ -377,6 +373,7 @@ pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
%patch301 -p1 -b .psaa-seteuid
%patch302 -p1 -b .psaa-visibility
%patch303 -p1 -b .psaa-xfree
+%patch304 -p2 -b .psaa-fingerprint
# Remove duplicate headers
rm -f $(cat %{SOURCE5})
popd
@@ -399,13 +396,8 @@ popd
%patch607 -p1 -b .sigpipe
%patch608 -p1 -b .askpass-ld
%patch609 -p1 -b .x11
-#
-# drop? %patch701 -p1 -b .exit-deadlock
%patch702 -p1 -b .progress
%patch703 -p1 -b .grab-info
-# investigate - https://bugzilla.redhat.com/show_bug.cgi?id=205842
-# probably not needed anymore %patch704 -p1 -b .edns
-# drop it %patch705 -p1 -b .manpage
%patch706 -p1 -b .localdomain
%patch707 -p1 -b .redhat
%patch708 -p1 -b .entropy
@@ -422,15 +414,10 @@ popd
%patch902 -p1 -b .ccache_name
%patch905 -p1 -b .legacy-ssh-copy-id
%patch906 -p1 -b .fromto-remote
-%patch907 -p1 -b .CLOCK_BOOTTIME
-%patch908 -p1 -b .CVE-2014-2653
-%patch909 -p1 -b .6.6.1
-%patch910 -p1 -b .NI_MAXHOST
%patch911 -p1 -b .set_remote_ipaddr
%patch912 -p1 -b .utf8-banner
%patch913 -p1 -b .partial-success
%patch914 -p1 -b .servconf
-%patch915 -p1 -b .SIGXFSZ
%patch916 -p1 -b .contexts
%patch917 -p1 -b .cisco-dh
%patch918 -p1 -b .log-in-chroot
@@ -439,10 +426,10 @@ popd
%patch802 -p1 -b .GSSAPIEnablek5users
%patch200 -p1 -b .audit
-%patch201 -p1 -b .audit-fps
%patch700 -p1 -b .fips
-%patch100 -p1 -b .coverity
+# FIXME rebase 6.7p1
+# %patch100 -p1 -b .coverity
%if 0
# Nothing here yet
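Review bot: `%patch100 -p1 -b .coverity` is commented out with `# FIXME rebase 6.7p1` and no bug reference, so this build ships without whatever that patch fixes and nothing tracks restoring it. Judging by its name, the patch carries static-analysis fixes, some of which may be memory-safety related. Reference a tracking bug in the comment, e.g. `# FIXME rebase to 6.7p1, see rhbz#<BUG-ID placeholder>`, and mention the dropped patch in the %changelog entry, which currently says only `new upstream release openssh-6.7p1`.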
@@ -751,6 +738,9 @@ getent passwd sshd >/dev/null || \
%endif
%changelog
+* Tue Jan 20 2015 Petr Lautrbach <plautrba at redhat.com> 6.7p1-1 + 0.9.3-4
+- new upstream release openssh-6.7p1
+
* Thu Jan 15 2015 Jakub Jelen <jjelen at redhat.com> 6.6.1p1-11.1 + 0.9.3-3
- error message if scp when directory doesn't exist (#1142223)
- parsing configuration file values (#1130733)
diff --git a/pam_ssh_agent_auth-0.9.3-fingerprint-hash.patch b/pam_ssh_agent_auth-0.9.3-fingerprint-hash.patch
new file mode 100644
index 0000000..6b133ee
--- /dev/null
+++ b/pam_ssh_agent_auth-0.9.3-fingerprint-hash.patch
@@ -0,0 +1,64 @@
+diff --git a/pam_ssh_agent_auth-0.9.3/key.c b/pam_ssh_agent_auth-0.9.3/key.c
+index 9555e7e..c17aae6 100644
+--- a/pam_ssh_agent_auth-0.9.3/key.c
++++ b/pam_ssh_agent_auth-0.9.3/key.c
+@@ -55,6 +55,7 @@
+ #include "uuencode.h"
+ #include "buffer.h"
+ #include "log.h"
++#include "digest.h"
+
+ Key *
+ key_new(int type)
+@@ -181,7 +182,7 @@ key_equal(const Key *a, const Key *b)
+ }
+
+ u_char*
+-key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
++key_fingerprint_raw(const Key *k, int dgst_type,
+ u_int *dgst_raw_length)
+ {
+ const EVP_MD *md = NULL;
+@@ -194,10 +195,10 @@ key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
+ *dgst_raw_length = 0;
+
+ switch (dgst_type) {
+- case SSH_FP_MD5:
++ case SSH_DIGEST_MD5:
+ md = EVP_md5();
+ break;
+- case SSH_FP_SHA1:
++ case SSH_DIGEST_SHA1:
+ md = EVP_sha1();
+ break;
+ default:
+@@ -302,7 +303,7 @@ key_fingerprint_bubblebabble(u_char *dgst_raw, u_int dgst_raw_len)
+ }
+
+ char *
+-key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
++key_fingerprint(const Key *k, int dgst_type, enum fp_rep dgst_rep)
+ {
+ char *retval = NULL;
+ u_char *dgst_raw;
+diff --git a/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c b/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c
+index dddcba9..8ba6d87 100644
+--- a/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c
++++ b/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c
+@@ -43,6 +43,7 @@
+ #include "buffer.h"
+ #include "log.h"
+ #include "compat.h"
++#include "digest.h"
+ #include "key.h"
+ #include "pathnames.h"
+ #include "misc.h"
+@@ -118,7 +119,7 @@ pam_user_key_allowed2(struct passwd *pw, Key *key, char *file)
+ found_key = 1;
+ logit("matching key found: file %s, line %lu",
+ file, linenum);
+- fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
++ fp = key_fingerprint(found, SSH_DIGEST_MD5, SSH_FP_HEX);
+ logit("Found matching %s key: %s",
+ key_type(found), fp);
+ free(fp);
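Review bot: Changing `dgst_type` from `enum fp_type` to `int` in key_fingerprint_raw and key_fingerprint removes the compiler's ability to flag callers that still pass `SSH_FP_MD5` or `SSH_FP_SHA1`. Such a call now compiles and, if the two constant sets do not share values, falls into the `default:` case of the switch. Only the call in pam_user_key_allowed2 is converted in this patch, so it is worth grepping pam_ssh_agent_auth for other `key_fingerprint` callers. That converted call also hard-codes `SSH_DIGEST_MD5` for the logged fingerprint, which presumably cannot be computed when OpenSSL is in FIPS mode; `SSH_DIGEST_SHA1` is already handled by the switch.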
diff --git a/sources b/sources
index fbdb5e4..1215c48 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
9872ca1983e566ff5a89c240529e223d pam_ssh_agent_auth-0.9.3.tar.bz2
-3e9800e6bca1fbac0eea4d41baa7f239 openssh-6.6p1.tar.gz
+3246aa79317b1d23cae783a3bf8275d6 openssh-6.7p1.tar.gz