jjelen pushed to openssh (f22). "6.8p1-1 + 0.9.3-5"

notifications at fedoraproject.org notifications at fedoraproject.org
Thu Mar 26 13:53:17 UTC 2015


>From 132f8f868622703219c8924ce8383b5927e9457b Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen at redhat.com>
Date: Fri, 20 Mar 2015 14:56:04 +0100
Subject: 6.8p1-1 + 0.9.3-5


diff --git a/.gitignore b/.gitignore
index b64821a..6c4a714 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,3 +14,4 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
 /openssh-6.4p1.tar.gz
 /openssh-6.6p1.tar.gz
 /openssh-6.7p1.tar.gz
+/openssh-6.8p1.tar.gz
diff --git a/openssh-5.8p1-packet.patch b/openssh-5.8p1-packet.patch
index 4951af6..baccb53 100644
--- a/openssh-5.8p1-packet.patch
+++ b/openssh-5.8p1-packet.patch
@@ -1,12 +1,12 @@
-diff -up openssh-5.8p1/packet.c.packet openssh-5.8p1/packet.c
---- openssh-5.8p1/packet.c.packet	2011-04-05 13:29:06.998648899 +0200
-+++ openssh-5.8p1/packet.c	2011-04-05 13:30:32.967648596 +0200
-@@ -294,6 +294,8 @@ packet_connection_is_on_socket(void)
+diff -up openssh-6.8p1/packet.c.packet openssh-6.8p1/packet.c
+--- openssh-6.8p1/packet.c.packet	2015-03-18 10:56:32.286930601 +0100
++++ openssh-6.8p1/packet.c	2015-03-18 10:58:38.535629739 +0100
+@@ -371,6 +371,8 @@ ssh_packet_connection_is_on_socket(struc
  	struct sockaddr_storage from, to;
  	socklen_t fromlen, tolen;
  
-+	if (!active_state)
++	if (!state)
 +		return 0;
  	/* filedescriptors in and out are the same, so it's a socket */
- 	if (active_state->connection_in == active_state->connection_out)
+ 	if (state->connection_in == state->connection_out)
  		return 1;
diff --git a/openssh-6.1p1-askpass-ld.patch b/openssh-6.1p1-askpass-ld.patch
deleted file mode 100644
index f7a7fac..0000000
--- a/openssh-6.1p1-askpass-ld.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-diff -up openssh-6.1p1/contrib/Makefile.askpass-ld openssh-6.1p1/contrib/Makefile
---- openssh-6.1p1/contrib/Makefile.askpass-ld	2012-05-19 07:24:37.000000000 +0200
-+++ openssh-6.1p1/contrib/Makefile	2012-09-14 20:35:47.565704718 +0200
-@@ -4,12 +4,12 @@ all:
- 	@echo "Valid targets: gnome-ssh-askpass1 gnome-ssh-askpass2"
- 
- gnome-ssh-askpass1: gnome-ssh-askpass1.c
--	$(CC) `gnome-config --cflags gnome gnomeui` \
-+	$(CC) ${CFLAGS} `gnome-config --cflags gnome gnomeui` \
- 		gnome-ssh-askpass1.c -o gnome-ssh-askpass1 \
- 		`gnome-config --libs gnome gnomeui`
- 
- gnome-ssh-askpass2: gnome-ssh-askpass2.c
--	$(CC) `$(PKG_CONFIG) --cflags gtk+-2.0` \
-+	$(CC) ${CFLAGS} `$(PKG_CONFIG) --cflags gtk+-2.0` \
- 		gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \
- 		`$(PKG_CONFIG) --libs gtk+-2.0 x11`
- 
diff --git a/openssh-6.2p1-vendor.patch b/openssh-6.2p1-vendor.patch
index 583a486..67769f0 100644
--- a/openssh-6.2p1-vendor.patch
+++ b/openssh-6.2p1-vendor.patch
@@ -1,8 +1,7 @@
-diff --git a/configure.ac b/configure.ac
-index 6553074..8dedb95 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -4676,6 +4676,12 @@ AC_ARG_WITH([lastlog],
+diff -up openssh-6.8p1/configure.ac.vendor openssh-6.8p1/configure.ac
+--- openssh-6.8p1/configure.ac.vendor	2015-03-18 11:17:56.670880303 +0100
++++ openssh-6.8p1/configure.ac	2015-03-18 11:17:56.695880243 +0100
+@@ -4743,6 +4743,12 @@ AC_ARG_WITH([lastlog],
  		fi
  	]
  )
@@ -15,7 +14,7 @@ index 6553074..8dedb95 100644
  
  dnl lastlog, [uw]tmpx? detection
  dnl  NOTE: set the paths in the platform section to avoid the
-@@ -4938,6 +4944,7 @@ echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
+@@ -5005,6 +5011,7 @@ echo "           Translate v4 in v6 hack
  echo "                  BSD Auth support: $BSD_AUTH_MSG"
  echo "              Random number source: $RAND_MSG"
  echo "             Privsep sandbox style: $SANDBOX_STYLE"
@@ -23,11 +22,10 @@ index 6553074..8dedb95 100644
  
  echo ""
  
-diff --git a/servconf.c b/servconf.c
-index e3ebaac..c8a3f28 100644
---- a/servconf.c
-+++ b/servconf.c
-@@ -141,6 +141,7 @@ initialize_server_options(ServerOptions *options)
+diff -up openssh-6.8p1/servconf.c.vendor openssh-6.8p1/servconf.c
+--- openssh-6.8p1/servconf.c.vendor	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/servconf.c	2015-03-18 11:19:16.279691126 +0100
+@@ -145,6 +145,7 @@ initialize_server_options(ServerOptions
  	options->max_authtries = -1;
  	options->max_sessions = -1;
  	options->banner = NULL;
@@ -35,7 +33,7 @@ index e3ebaac..c8a3f28 100644
  	options->use_dns = -1;
  	options->client_alive_interval = -1;
  	options->client_alive_count_max = -1;
-@@ -310,6 +311,8 @@ fill_default_server_options(ServerOptions *options)
+@@ -327,6 +328,8 @@ fill_default_server_options(ServerOption
  		options->ip_qos_bulk = IPTOS_THROUGHPUT;
  	if (options->version_addendum == NULL)
  		options->version_addendum = xstrdup("");
@@ -44,16 +42,16 @@ index e3ebaac..c8a3f28 100644
  	if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
  		options->fwd_opts.streamlocal_bind_mask = 0177;
  	if (options->fwd_opts.streamlocal_bind_unlink == -1)
-@@ -353,7 +356,7 @@ typedef enum {
+@@ -388,7 +391,7 @@ typedef enum {
  	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
- 	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem,
- 	sMaxStartups, sMaxAuthTries, sMaxSessions,
+ 	sGatewayPorts, sPubkeyAuthentication, sPubkeyAcceptedKeyTypes,
+ 	sXAuthLocation, sSubsystem, sMaxStartups, sMaxAuthTries, sMaxSessions,
 -	sBanner, sUseDNS, sHostbasedAuthentication,
 +	sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
- 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
- 	sClientAliveCountMax, sAuthorizedKeysFile,
+ 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
+ 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
  	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
-@@ -467,6 +470,7 @@ static struct {
+@@ -504,6 +507,7 @@ static struct {
  	{ "maxauthtries", sMaxAuthTries, SSHCFG_ALL },
  	{ "maxsessions", sMaxSessions, SSHCFG_ALL },
  	{ "banner", sBanner, SSHCFG_ALL },
@@ -61,7 +59,7 @@ index e3ebaac..c8a3f28 100644
  	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
  	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
  	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
-@@ -1263,6 +1267,10 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1320,6 +1324,10 @@ process_server_config_line(ServerOptions
  		multistate_ptr = multistate_privsep;
  		goto parse_multistate;
  
@@ -72,7 +70,7 @@ index e3ebaac..c8a3f28 100644
  	case sAllowUsers:
  		while ((arg = strdelim(&cp)) && *arg != '\0') {
  			if (options->num_allow_users >= MAX_ALLOW_USERS)
-@@ -2081,6 +2089,7 @@ dump_config(ServerOptions *o)
+@@ -2145,6 +2153,7 @@ dump_config(ServerOptions *o)
  	dump_cfg_fmtint(sUseLogin, o->use_login);
  	dump_cfg_fmtint(sCompression, o->compression);
  	dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
@@ -80,11 +78,10 @@ index e3ebaac..c8a3f28 100644
  	dump_cfg_fmtint(sUseDNS, o->use_dns);
  	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
  	dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
-diff --git a/servconf.h b/servconf.h
-index 49b228b..21719e2 100644
---- a/servconf.h
-+++ b/servconf.h
-@@ -149,6 +149,7 @@ typedef struct {
+diff -up openssh-6.8p1/servconf.h.vendor openssh-6.8p1/servconf.h
+--- openssh-6.8p1/servconf.h.vendor	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/servconf.h	2015-03-18 11:17:56.696880241 +0100
+@@ -151,6 +151,7 @@ typedef struct {
  	int	max_authtries;
  	int	max_sessions;
  	char   *banner;			/* SSH-2 banner message */
@@ -92,11 +89,10 @@ index 49b228b..21719e2 100644
  	int	use_dns;
  	int	client_alive_interval;	/*
  					 * poke the client this often to
-diff --git a/sshd.c b/sshd.c
-index afe9afa..193b206 100644
---- a/sshd.c
-+++ b/sshd.c
-@@ -432,7 +432,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
+diff -up openssh-6.8p1/sshd.c.vendor openssh-6.8p1/sshd.c
+--- openssh-6.8p1/sshd.c.vendor	2015-03-18 11:17:56.669880305 +0100
++++ openssh-6.8p1/sshd.c	2015-03-18 11:17:56.697880239 +0100
+@@ -431,7 +431,7 @@ sshd_exchange_identification(int sock_in
  	}
  
  	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
@@ -105,7 +101,7 @@ index afe9afa..193b206 100644
  	    *options.version_addendum == '\0' ? "" : " ",
  	    options.version_addendum, newline);
  
-@@ -1677,7 +1677,8 @@ main(int ac, char **av)
+@@ -1737,7 +1737,8 @@ main(int ac, char **av)
  		exit(1);
  	}
  
@@ -115,23 +111,21 @@ index afe9afa..193b206 100644
  #ifdef WITH_OPENSSL
  	    SSLeay_version(SSLEAY_VERSION)
  #else
-diff --git a/sshd_config b/sshd_config
-index 3092ac6..da3db5d 100644
---- a/sshd_config
-+++ b/sshd_config
-@@ -119,6 +119,7 @@ UsePrivilegeSeparation sandbox		# Default for new installations.
+diff -up openssh-6.8p1/sshd_config.vendor openssh-6.8p1/sshd_config
+--- openssh-6.8p1/sshd_config.vendor	2015-03-18 11:17:56.697880239 +0100
++++ openssh-6.8p1/sshd_config	2015-03-18 11:20:15.552550274 +0100
+@@ -119,6 +119,7 @@ UsePrivilegeSeparation sandbox		# Defaul
  #Compression delayed
  #ClientAliveInterval 0
  #ClientAliveCountMax 3
 +#ShowPatchLevel no
- #UseDNS yes
+ #UseDNS no
  #PidFile /var/run/sshd.pid
  #MaxStartups 10:30:100
-diff --git a/sshd_config.0 b/sshd_config.0
-index 43867d3..a3898c3 100644
---- a/sshd_config.0
-+++ b/sshd_config.0
-@@ -700,6 +700,11 @@ DESCRIPTION
+diff -up openssh-6.8p1/sshd_config.0.vendor openssh-6.8p1/sshd_config.0
+--- openssh-6.8p1/sshd_config.0.vendor	2015-03-18 11:17:56.691880253 +0100
++++ openssh-6.8p1/sshd_config.0	2015-03-18 11:17:56.697880239 +0100
+@@ -740,6 +740,11 @@ DESCRIPTION
               Defines the number of bits in the ephemeral protocol version 1
               server key.  The minimum value is 512, and the default is 1024.
  
@@ -143,11 +137,10 @@ index 43867d3..a3898c3 100644
       StreamLocalBindMask
               Sets the octal file creation mode mask (umask) used when creating
               a Unix-domain socket file for local or remote port forwarding.
-diff --git a/sshd_config.5 b/sshd_config.5
-index 89a0cf2..cccb310 100644
---- a/sshd_config.5
-+++ b/sshd_config.5
-@@ -1200,6 +1200,13 @@ This option applies to protocol version 1 only.
+diff -up openssh-6.8p1/sshd_config.5.vendor openssh-6.8p1/sshd_config.5
+--- openssh-6.8p1/sshd_config.5.vendor	2015-03-18 11:17:56.691880253 +0100
++++ openssh-6.8p1/sshd_config.5	2015-03-18 11:17:56.697880239 +0100
+@@ -1276,6 +1276,13 @@ This option applies to protocol version
  .It Cm ServerKeyBits
  Defines the number of bits in the ephemeral protocol version 1 server key.
  The minimum value is 512, and the default is 1024.
diff --git a/openssh-6.6.1p1-cisco-dh-keys.patch b/openssh-6.6.1p1-cisco-dh-keys.patch
index 0763b10..6890c05 100644
--- a/openssh-6.6.1p1-cisco-dh-keys.patch
+++ b/openssh-6.6.1p1-cisco-dh-keys.patch
@@ -1,7 +1,6 @@
-diff --git a/compat.c b/compat.c
-index 2709dc5..7412a54 100644
---- a/compat.c
-+++ b/compat.c
+diff -up openssh-6.8p1/compat.c.cisco-dh openssh-6.8p1/compat.c
+--- openssh-6.8p1/compat.c.cisco-dh	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/compat.c	2015-03-19 12:57:58.862606969 +0100
 @@ -167,6 +167,7 @@ compat_datafellows(const char *version)
  					SSH_BUG_SCANNER },
  		{ "Probe-*",
@@ -10,10 +9,9 @@ index 2709dc5..7412a54 100644
  		{ NULL,			0 }
  	};
  
-diff --git a/compat.h b/compat.h
-index a6c3f3d..d8def7d 100644
---- a/compat.h
-+++ b/compat.h
+diff -up openssh-6.8p1/compat.h.cisco-dh openssh-6.8p1/compat.h
+--- openssh-6.8p1/compat.h.cisco-dh	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/compat.h	2015-03-19 12:57:58.862606969 +0100
 @@ -60,6 +60,7 @@
  #define SSH_NEW_OPENSSH		0x04000000
  #define SSH_BUG_DYNAMIC_RPORT	0x08000000
@@ -22,49 +20,35 @@ index a6c3f3d..d8def7d 100644
  
  void     enable_compat13(void);
  void     enable_compat20(void);
-diff --git a/kexgexc.c b/kexgexc.c
-index 355b7ba..0a91bdd 100644
---- a/kexgexc.c
-+++ b/kexgexc.c
-@@ -58,20 +58,37 @@ kexgex_client(Kex *kex)
- 	int min, max, nbits;
- 	DH *dh;
+diff -up openssh-6.8p1/kexgexc.c.cisco-dh openssh-6.8p1/kexgexc.c
+--- openssh-6.8p1/kexgexc.c.cisco-dh	2015-03-19 12:57:58.862606969 +0100
++++ openssh-6.8p1/kexgexc.c	2015-03-19 13:11:52.320519969 +0100
+@@ -64,8 +64,27 @@ kexgex_client(struct ssh *ssh)
  
-+	min = DH_GRP_MIN;
-+	max = DH_GRP_MAX;
+ 	kex->min = DH_GRP_MIN;
+ 	kex->max = DH_GRP_MAX;
 +
 +	/* Servers with MAX4096DH need a preferred size (nbits) <= 4096.
 + 	 * We need to also ensure that min < nbits < max */
 +
 +	if (datafellows & SSH_BUG_MAX4096DH) {
 +		/* The largest min for these servers is 4096 */
-+		min = MIN(min, 4096);
++		kex->min = MIN(kex->min, 4096);
 +	}
 +
- 	nbits = dh_estimate(kex->dh_need * 8);
-+	nbits = MIN(nbits, max);
-+	nbits = MAX(nbits, min);
+ 	kex->nbits = nbits;
+-	if (ssh->compat & SSH_OLD_DHGEX) {
++	kex->nbits = MIN(nbits, kex->max);
++	kex->nbits = MAX(nbits, kex->min);
 +
-+	if (datafellows & SSH_BUG_MAX4096DH) {
++	if (ssh->compat & SSH_BUG_MAX4096DH) {
 +		/* Cannot have a nbits > 4096 for these servers */
-+		nbits = MIN(nbits, 4096);
++		kex->nbits = MIN(kex->nbits, 4096);
 +		/* nbits has to be powers of two */
-+		if (nbits == 3072)
-+			nbits = 4096;
++		if (kex->nbits == 3072)
++			kex->nbits = 4096;
 +	}
- 
- 	if (datafellows & SSH_OLD_DHGEX) {
++	if (ssh->compat & SSH_OLD_DHGEX) {	/* Old GEX request */
  		/* Old GEX request */
- 		packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST_OLD);
- 		packet_put_int(nbits);
--		min = DH_GRP_MIN;
--		max = DH_GRP_MAX;
- 
- 		debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD(%u) sent", nbits);
- 	} else {
- 		/* New GEX request */
--		min = DH_GRP_MIN;
--		max = DH_GRP_MAX;
- 		packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST);
- 		packet_put_int(min);
- 		packet_put_int(nbits);
+ 		if ((r = sshpkt_start(ssh, SSH2_MSG_KEX_DH_GEX_REQUEST_OLD))
+ 		    != 0 ||
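Review bot: The second clamp, `kex->nbits = MAX(nbits, kex->min);`, reads the local `nbits` instead of `kex->nbits`, so the upper bound applied on the line before it (`MIN(nbits, kex->max)`) is discarded and the preferred group size is never limited to `kex->max`; the 6.6.1p1 version of this patch chained both clamps through the same variable. It should read `kex->nbits = MAX(kex->nbits, kex->min);`. Separately, the first `SSH_BUG_MAX4096DH` test in this hunk still uses the `datafellows` global while the second was converted to `ssh->compat`, and the two should agree (`if (ssh->compat & SSH_BUG_MAX4096DH) {`). The new `if (ssh->compat & SSH_OLD_DHGEX) {	/* Old GEX request */` line now repeats the `/* Old GEX request */` comment that follows it. kexgex_client continues outside the hunk, including where `nbits` is computed, so I cannot see whether anything else depends on the local after the clamps.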
diff --git a/openssh-6.6.1p1-log-in-chroot.patch b/openssh-6.6.1p1-log-in-chroot.patch
index bca27be..7590812 100644
--- a/openssh-6.6.1p1-log-in-chroot.patch
+++ b/openssh-6.6.1p1-log-in-chroot.patch
@@ -1,7 +1,6 @@
-diff --git a/log.c b/log.c
-index 32e1d2e..d4caeb5 100644
---- a/log.c
-+++ b/log.c
+diff -up openssh-6.8p1/log.c.log-in-chroot openssh-6.8p1/log.c
+--- openssh-6.8p1/log.c.log-in-chroot	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/log.c	2015-03-18 12:59:29.694022313 +0100
 @@ -241,6 +241,11 @@ debug3(const char *fmt,...)
  void
  log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr)
@@ -14,7 +13,7 @@ index 32e1d2e..d4caeb5 100644
  #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
  	struct syslog_data sdata = SYSLOG_DATA_INIT;
  #endif
-@@ -264,8 +269,10 @@ log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr)
+@@ -264,8 +269,10 @@ log_init(char *av0, LogLevel level, Sysl
  		exit(1);
  	}
  
@@ -27,10 +26,9 @@ index 32e1d2e..d4caeb5 100644
  
  	log_on_stderr = on_stderr;
  	if (on_stderr)
-diff --git a/log.h b/log.h
-index ae7df25..30c3310 100644
---- a/log.h
-+++ b/log.h
+diff -up openssh-6.8p1/log.h.log-in-chroot openssh-6.8p1/log.h
+--- openssh-6.8p1/log.h.log-in-chroot	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/log.h	2015-03-18 12:59:29.694022313 +0100
 @@ -49,6 +49,7 @@ typedef enum {
  typedef void (log_handler_fn)(LogLevel, const char *, void *);
  
@@ -39,11 +37,10 @@ index ae7df25..30c3310 100644
  void     log_change_level(LogLevel);
  int      log_is_on_stderr(void);
  void     log_redirect_stderr_to(const char *);
-diff --git a/monitor.c b/monitor.c
-index 7ebc76e..d97e640 100644
---- a/monitor.c
-+++ b/monitor.c
-@@ -378,6 +378,8 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
+diff -up openssh-6.8p1/monitor.c.log-in-chroot openssh-6.8p1/monitor.c
+--- openssh-6.8p1/monitor.c.log-in-chroot	2015-03-18 12:59:29.669022374 +0100
++++ openssh-6.8p1/monitor.c	2015-03-18 13:01:52.894671198 +0100
+@@ -357,6 +357,8 @@ monitor_child_preauth(Authctxt *_authctx
  	close(pmonitor->m_log_sendfd);
  	pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1;
  
@@ -52,7 +49,7 @@ index 7ebc76e..d97e640 100644
  	authctxt = _authctxt;
  	memset(authctxt, 0, sizeof(*authctxt));
  
-@@ -486,6 +488,8 @@ monitor_child_postauth(struct monitor *pmonitor)
+@@ -465,6 +467,8 @@ monitor_child_postauth(struct monitor *p
  	close(pmonitor->m_recvfd);
  	pmonitor->m_recvfd = -1;
  
@@ -61,7 +58,7 @@ index 7ebc76e..d97e640 100644
  	monitor_set_child_handler(pmonitor->m_pid);
  	signal(SIGHUP, &monitor_child_handler);
  	signal(SIGTERM, &monitor_child_handler);
-@@ -566,7 +570,7 @@ monitor_read_log(struct monitor *pmonitor)
+@@ -566,7 +570,7 @@ monitor_read_log(struct monitor *pmonito
  	if (log_level_name(level) == NULL)
  		fatal("%s: invalid log level %u (corrupted message?)",
  		    __func__, level);
@@ -70,8 +67,8 @@ index 7ebc76e..d97e640 100644
  
  	buffer_free(&logmsg);
  	free(msg);
-@@ -2107,13 +2111,28 @@ monitor_init(void)
- 		mm_init_compression(mon->m_zlib);
+@@ -1998,13 +2002,28 @@ monitor_init(void)
+ 		    (ssh_packet_comp_free_func *)mm_zfree);
  	}
  
 +	mon->m_state = "";
@@ -101,13 +98,12 @@ index 7ebc76e..d97e640 100644
  }
  
  #ifdef GSSAPI
-diff --git a/monitor.h b/monitor.h
-index ff79fbb..00c2028 100644
---- a/monitor.h
-+++ b/monitor.h
+diff -up openssh-6.8p1/monitor.h.log-in-chroot openssh-6.8p1/monitor.h
+--- openssh-6.8p1/monitor.h.log-in-chroot	2015-03-18 12:59:29.695022310 +0100
++++ openssh-6.8p1/monitor.h	2015-03-18 13:02:56.926514197 +0100
 @@ -83,10 +83,11 @@ struct monitor {
  	struct mm_master	*m_zlib;
- 	struct Kex		**m_pkex;
+ 	struct kex		**m_pkex;
  	pid_t			 m_pid;
 +	char		*m_state;
  };
@@ -118,11 +114,10 @@ index ff79fbb..00c2028 100644
  void monitor_sync(struct monitor *);
  
  struct Authctxt;
-diff --git a/session.c b/session.c
-index 9c94d8e..40a681e 100644
---- a/session.c
-+++ b/session.c
-@@ -160,6 +160,8 @@ login_cap_t *lc;
+diff -up openssh-6.8p1/session.c.log-in-chroot openssh-6.8p1/session.c
+--- openssh-6.8p1/session.c.log-in-chroot	2015-03-18 12:59:29.675022359 +0100
++++ openssh-6.8p1/session.c	2015-03-18 12:59:29.696022308 +0100
+@@ -161,6 +161,8 @@ login_cap_t *lc;
  
  static int is_child = 0;
  
@@ -131,7 +126,7 @@ index 9c94d8e..40a681e 100644
  /* Name and directory of socket for authentication agent forwarding. */
  static char *auth_sock_name = NULL;
  static char *auth_sock_dir = NULL;
-@@ -505,8 +507,8 @@ do_exec_no_pty(Session *s, const char *command)
+@@ -506,8 +508,8 @@ do_exec_no_pty(Session *s, const char *c
  		is_child = 1;
  
  		/* Child.  Reinitialize the log since the pid has changed. */
@@ -142,7 +137,7 @@ index 9c94d8e..40a681e 100644
  
  		/*
  		 * Create a new session and process group since the 4.4BSD
-@@ -674,8 +676,8 @@ do_exec_pty(Session *s, const char *command)
+@@ -675,8 +677,8 @@ do_exec_pty(Session *s, const char *comm
  		close(ptymaster);
  
  		/* Child.  Reinitialize the log because the pid has changed. */
@@ -153,7 +148,7 @@ index 9c94d8e..40a681e 100644
  		/* Close the master side of the pseudo tty. */
  		close(ptyfd);
  
-@@ -779,6 +781,7 @@ do_exec(Session *s, const char *command)
+@@ -780,6 +782,7 @@ do_exec(Session *s, const char *command)
  	int ret;
  	const char *forced = NULL;
  	char session_type[1024], *tty = NULL;
@@ -161,7 +156,7 @@ index 9c94d8e..40a681e 100644
  
  	if (options.adm_forced_command) {
  		original_command = command;
-@@ -836,6 +839,10 @@ do_exec(Session *s, const char *command)
+@@ -837,6 +840,10 @@ do_exec(Session *s, const char *command)
  			tty += 5;
  	}
  
@@ -172,7 +167,7 @@ index 9c94d8e..40a681e 100644
  	verbose("Starting session: %s%s%s for %s from %.200s port %d",
  	    session_type,
  	    tty == NULL ? "" : " on ",
-@@ -1677,14 +1684,6 @@ child_close_fds(void)
+@@ -1678,14 +1685,6 @@ child_close_fds(void)
  	 * descriptors left by system functions.  They will be closed later.
  	 */
  	endpwent();
@@ -187,7 +182,7 @@ index 9c94d8e..40a681e 100644
  }
  
  /*
-@@ -1830,8 +1829,6 @@ do_child(Session *s, const char *command)
+@@ -1831,8 +1830,6 @@ do_child(Session *s, const char *command
  			exit(1);
  	}
  
@@ -196,7 +191,7 @@ index 9c94d8e..40a681e 100644
  	if (!options.use_login)
  		do_rc_files(s, shell);
  
-@@ -1855,9 +1852,17 @@ do_child(Session *s, const char *command)
+@@ -1856,9 +1853,17 @@ do_child(Session *s, const char *command
  		argv[i] = NULL;
  		optind = optreset = 1;
  		__progname = argv[0];
@@ -215,10 +210,9 @@ index 9c94d8e..40a681e 100644
  	fflush(NULL);
  
  	if (options.use_login) {
-diff --git a/sftp-server-main.c b/sftp-server-main.c
-index 7e644ab..e162b7a 100644
---- a/sftp-server-main.c
-+++ b/sftp-server-main.c
+diff -up openssh-6.8p1/sftp-server-main.c.log-in-chroot openssh-6.8p1/sftp-server-main.c
+--- openssh-6.8p1/sftp-server-main.c.log-in-chroot	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/sftp-server-main.c	2015-03-18 12:59:29.696022308 +0100
 @@ -47,5 +47,5 @@ main(int argc, char **argv)
  		return 1;
  	}
@@ -226,11 +220,10 @@ index 7e644ab..e162b7a 100644
 -	return (sftp_server_main(argc, argv, user_pw));
 +	return (sftp_server_main(argc, argv, user_pw, 0));
  }
-diff --git a/sftp-server.c b/sftp-server.c
-index 0177130..8fa7fc7 100644
---- a/sftp-server.c
-+++ b/sftp-server.c
-@@ -1440,7 +1440,7 @@ sftp_server_usage(void)
+diff -up openssh-6.8p1/sftp-server.c.log-in-chroot openssh-6.8p1/sftp-server.c
+--- openssh-6.8p1/sftp-server.c.log-in-chroot	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/sftp-server.c	2015-03-18 13:03:52.510377911 +0100
+@@ -1502,7 +1502,7 @@ sftp_server_usage(void)
  }
  
  int
@@ -238,8 +231,8 @@ index 0177130..8fa7fc7 100644
 +sftp_server_main(int argc, char **argv, struct passwd *user_pw, int reset_handler)
  {
  	fd_set *rset, *wset;
- 	int i, in, out, max, ch, skipargs = 0, log_stderr = 0;
-@@ -1453,7 +1453,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
+ 	int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0;
+@@ -1515,7 +1515,7 @@ sftp_server_main(int argc, char **argv,
  	extern char *__progname;
  
  	__progname = ssh_get_progname(argv[0]);
@@ -248,7 +241,7 @@ index 0177130..8fa7fc7 100644
  
  	pw = pwcopy(user_pw);
  
-@@ -1524,7 +1524,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
+@@ -1586,7 +1586,7 @@ sftp_server_main(int argc, char **argv,
  		}
  	}
  
@@ -257,10 +250,9 @@ index 0177130..8fa7fc7 100644
  
  #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
  	/*
-diff --git a/sftp.h b/sftp.h
-index 2bde8bb..ddf1a39 100644
---- a/sftp.h
-+++ b/sftp.h
+diff -up openssh-6.8p1/sftp.h.log-in-chroot openssh-6.8p1/sftp.h
+--- openssh-6.8p1/sftp.h.log-in-chroot	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/sftp.h	2015-03-18 12:59:29.696022308 +0100
 @@ -97,5 +97,5 @@
  
  struct passwd;
@@ -268,11 +260,10 @@ index 2bde8bb..ddf1a39 100644
 -int	sftp_server_main(int, char **, struct passwd *);
 +int	sftp_server_main(int, char **, struct passwd *, int);
  void	sftp_server_cleanup_exit(int) __attribute__((noreturn));
-diff --git a/sshd.c b/sshd.c
-index 39b9c08..ca55d7f 100644
---- a/sshd.c
-+++ b/sshd.c
-@@ -737,7 +737,7 @@ privsep_postauth(Authctxt *authctxt)
+diff -up openssh-6.8p1/sshd.c.log-in-chroot openssh-6.8p1/sshd.c
+--- openssh-6.8p1/sshd.c.log-in-chroot	2015-03-18 12:59:29.691022320 +0100
++++ openssh-6.8p1/sshd.c	2015-03-18 12:59:29.697022305 +0100
+@@ -744,7 +744,7 @@ privsep_postauth(Authctxt *authctxt)
  	}
  
  	/* New socket pair */
@@ -281,7 +272,7 @@ index 39b9c08..ca55d7f 100644
  
  	pmonitor->m_pid = fork();
  	if (pmonitor->m_pid == -1)
-@@ -755,6 +755,11 @@ privsep_postauth(Authctxt *authctxt)
+@@ -762,6 +762,11 @@ privsep_postauth(Authctxt *authctxt)
  
  	close(pmonitor->m_sendfd);
  	pmonitor->m_sendfd = -1;
diff --git a/openssh-6.6.1p1-partial-success.patch b/openssh-6.6.1p1-partial-success.patch
deleted file mode 100644
index b5c61cf..0000000
--- a/openssh-6.6.1p1-partial-success.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-diff --git a/auth2.c b/auth2.c
-index d9b440a..ec0bf12 100644
---- a/auth2.c
-+++ b/auth2.c
-@@ -355,8 +355,9 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
- 		authctxt->success = 1;
- 	} else {
- 
--		/* Allow initial try of "none" auth without failure penalty */
--		if (!authctxt->server_caused_failure &&
-+		/* Allow initial try of "none" auth without failure penalty
-+		 * Partial succes is not failure */
-+		if (!authctxt->server_caused_failure && !partial &&
- 		    (authctxt->attempt > 1 || strcmp(method, "none") != 0))
- 			authctxt->failures++;
- 		if (authctxt->failures >= options.max_authtries) {
diff --git a/openssh-6.6.1p1-utf8-banner.patch b/openssh-6.6.1p1-utf8-banner.patch
index 1ab8ade..1513b6f 100644
--- a/openssh-6.6.1p1-utf8-banner.patch
+++ b/openssh-6.6.1p1-utf8-banner.patch
@@ -1,21 +1,19 @@
-diff --git a/Makefile.in b/Makefile.in
-index 2ad26ff..0f0d39f 100644
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -81,7 +81,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
+diff -up openssh-6.8p1/Makefile.in.utf8-banner openssh-6.8p1/Makefile.in
+--- openssh-6.8p1/Makefile.in.utf8-banner	2015-03-18 12:41:28.174713188 +0100
++++ openssh-6.8p1/Makefile.in	2015-03-18 12:45:52.723048114 +0100
+@@ -94,7 +94,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
  	msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
- 	ssh-pkcs11.o krl.o smult_curve25519_ref.o \
- 	kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
--	ssh-ed25519.o digest-openssl.o hmac.o \
-+	ssh-ed25519.o digest-openssl.o hmac.o utf8_stringprep.o \
- 	sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o
- 
- SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
-diff --git a/misc.h b/misc.h
-index d4df619..d98b83d 100644
---- a/misc.h
-+++ b/misc.h
-@@ -106,4 +106,7 @@ char	*read_passphrase(const char *, int);
+ 	ssh-pkcs11.o smult_curve25519_ref.o \
+ 	poly1305.o chacha.o cipher-chachapoly.o \
+-	ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \
++	ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o utf8_stringprep.o \
+ 	sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
+ 	kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
+ 	kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
+diff -up openssh-6.8p1/misc.h.utf8-banner openssh-6.8p1/misc.h
+--- openssh-6.8p1/misc.h.utf8-banner	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/misc.h	2015-03-18 12:41:28.175713185 +0100
+@@ -135,4 +135,7 @@ char	*read_passphrase(const char *, int)
  int	 ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
  int	 read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
  
@@ -23,10 +21,9 @@ index d4df619..d98b83d 100644
 +int utf8_stringprep(const char *, char *, size_t);
 +
  #endif /* _MISC_H */
-diff --git a/sshconnect2.c b/sshconnect2.c
-index b00658b..08064f4 100644
---- a/sshconnect2.c
-+++ b/sshconnect2.c
+diff -up openssh-6.8p1/sshconnect2.c.utf8-banner openssh-6.8p1/sshconnect2.c
+--- openssh-6.8p1/sshconnect2.c.utf8-banner	2015-03-18 12:41:28.161713220 +0100
++++ openssh-6.8p1/sshconnect2.c	2015-03-18 12:44:05.483317714 +0100
 @@ -33,6 +33,8 @@
  
  #include <errno.h>
@@ -36,8 +33,8 @@ index b00658b..08064f4 100644
  #include <netdb.h>
  #include <pwd.h>
  #include <signal.h>
-@@ -519,21 +521,51 @@ input_userauth_error(int type, u_int32_t seq, void *ctxt)
- 	    "type %d", type);
+@@ -532,21 +534,51 @@ input_userauth_error(int type, u_int32_t
+ 	return 0;
  }
  
 +/* Check whether we can display UTF-8 safely */
@@ -56,7 +53,7 @@ index b00658b..08064f4 100644
 +}
 +
  /* ARGSUSED */
- void
+ int
  input_userauth_banner(int type, u_int32_t seq, void *ctxt)
  {
  	char *msg, *raw, *lang;
@@ -90,11 +87,9 @@ index b00658b..08064f4 100644
  		fprintf(stderr, "%s", msg);
  		free(msg);
  	}
-diff --git a/stringprep-tables.c b/stringprep-tables.c
-new file mode 100644
-index 0000000..49f4d9d
---- /dev/null
-+++ b/stringprep-tables.c
+diff -up openssh-6.8p1/stringprep-tables.c.utf8-banner openssh-6.8p1/stringprep-tables.c
+--- openssh-6.8p1/stringprep-tables.c.utf8-banner	2015-03-18 12:41:28.175713185 +0100
++++ openssh-6.8p1/stringprep-tables.c	2015-03-18 12:41:28.175713185 +0100
 @@ -0,0 +1,661 @@
 +/* Public domain.  */
 +
@@ -757,11 +752,9 @@ index 0000000..49f4d9d
 +	{ 0xE0020, 0xE007F },
 +};
 +
-diff --git a/utf8_stringprep.c b/utf8_stringprep.c
-new file mode 100644
-index 0000000..bcafae7
---- /dev/null
-+++ b/utf8_stringprep.c
+diff -up openssh-6.8p1/utf8_stringprep.c.utf8-banner openssh-6.8p1/utf8_stringprep.c
+--- openssh-6.8p1/utf8_stringprep.c.utf8-banner	2015-03-18 12:41:28.175713185 +0100
++++ openssh-6.8p1/utf8_stringprep.c	2015-03-18 12:41:28.175713185 +0100
 @@ -0,0 +1,229 @@
 +/*
 + * Copyright (c) 2013 Damien Miller <djm at mindrot.org>
diff --git a/openssh-6.6p1-GSSAPIEnablek5users.patch b/openssh-6.6p1-GSSAPIEnablek5users.patch
index efd7917..cf01dd5 100644
--- a/openssh-6.6p1-GSSAPIEnablek5users.patch
+++ b/openssh-6.6p1-GSSAPIEnablek5users.patch
@@ -1,8 +1,7 @@
-diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
-index 961c564..0fcfd7b 100644
---- a/gss-serv-krb5.c
-+++ b/gss-serv-krb5.c
-@@ -260,7 +260,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name,
+diff -up openssh-6.8p1/gss-serv-krb5.c.GSSAPIEnablek5users openssh-6.8p1/gss-serv-krb5.c
+--- openssh-6.8p1/gss-serv-krb5.c.GSSAPIEnablek5users	2015-03-18 13:04:21.505306818 +0100
++++ openssh-6.8p1/gss-serv-krb5.c	2015-03-18 13:04:21.527306764 +0100
+@@ -260,7 +260,6 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
  	FILE *fp;
  	char file[MAXPATHLEN];
  	char line[BUFSIZ] = "";
@@ -10,7 +9,7 @@ index 961c564..0fcfd7b 100644
  	struct stat st;
  	struct passwd *pw = the_authctxt->pw;
  	int found_principal = 0;
-@@ -269,7 +268,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name,
+@@ -269,7 +268,7 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
  
  	snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
  	/* If both .k5login and .k5users DNE, self-login is ok. */
@@ -19,19 +18,18 @@ index 961c564..0fcfd7b 100644
                  return ssh_krb5_kuserok(krb_context, principal, luser,
                                          k5login_exists);
  	}
-diff --git a/servconf.c b/servconf.c
-index e4164b1..87a311b 100644
---- a/servconf.c
-+++ b/servconf.c
-@@ -164,6 +164,7 @@ initialize_server_options(ServerOptions *options)
+diff -up openssh-6.8p1/servconf.c.GSSAPIEnablek5users openssh-6.8p1/servconf.c
+--- openssh-6.8p1/servconf.c.GSSAPIEnablek5users	2015-03-18 13:04:21.516306791 +0100
++++ openssh-6.8p1/servconf.c	2015-03-18 13:05:26.846146608 +0100
+@@ -168,6 +168,7 @@ initialize_server_options(ServerOptions
  	options->version_addendum = NULL;
  	options->fingerprint_hash = -1;
  	options->use_kuserok = -1;
 +	options->enable_k5users = -1;
  }
  
- void
-@@ -331,6 +332,8 @@ fill_default_server_options(ServerOptions *options)
+ /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
+@@ -348,6 +349,8 @@ fill_default_server_options(ServerOption
  		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
  	if (options->use_kuserok == -1)
  		options->use_kuserok = 1;
@@ -40,16 +38,16 @@ index e4164b1..87a311b 100644
  	/* Turn privilege separation on by default */
  	if (use_privsep == -1)
  		use_privsep = PRIVSEP_NOSANDBOX;
-@@ -371,7 +374,7 @@ typedef enum {
+@@ -406,7 +409,7 @@ typedef enum {
  	sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
- 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
- 	sClientAliveCountMax, sAuthorizedKeysFile,
+ 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
+ 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
 -	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
 +	sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
  	sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel,
  	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
  	sUsePrivilegeSeparation, sAllowAgentForwarding,
-@@ -447,6 +450,7 @@ static struct {
+@@ -484,6 +487,7 @@ static struct {
  	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
  	{ "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
  	{ "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
@@ -57,7 +55,7 @@ index e4164b1..87a311b 100644
  #else
  	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
  	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
-@@ -454,6 +458,7 @@ static struct {
+@@ -491,6 +495,7 @@ static struct {
  	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
  	{ "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
  	{ "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
@@ -65,7 +63,7 @@ index e4164b1..87a311b 100644
  #endif
  	{ "gssusesessionccache", sUnsupported, SSHCFG_GLOBAL },
  	{ "gssapiusesessioncredcache", sUnsupported, SSHCFG_GLOBAL },
-@@ -1566,6 +1571,10 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1623,6 +1628,10 @@ process_server_config_line(ServerOptions
  		intptr = &options->use_kuserok;
  		goto parse_flag;
  
@@ -76,7 +74,7 @@ index e4164b1..87a311b 100644
  	case sPermitOpen:
  		arg = strdelim(&cp);
  		if (!arg || *arg == '\0')
-@@ -1884,6 +1893,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
+@@ -1947,6 +1956,7 @@ copy_set_server_options(ServerOptions *d
  	M_CP_INTOPT(ip_qos_interactive);
  	M_CP_INTOPT(ip_qos_bulk);
  	M_CP_INTOPT(use_kuserok);
@@ -84,7 +82,7 @@ index e4164b1..87a311b 100644
  	M_CP_INTOPT(rekey_limit);
  	M_CP_INTOPT(rekey_interval);
  
-@@ -2143,6 +2153,7 @@ dump_config(ServerOptions *o)
+@@ -2207,6 +2217,7 @@ dump_config(ServerOptions *o)
  	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
  	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
  	dump_cfg_fmtint(sKerberosUseKuserok, o->use_kuserok);
@@ -92,11 +90,10 @@ index e4164b1..87a311b 100644
  
  	/* string arguments */
  	dump_cfg_string(sPidFile, o->pid_file);
-diff --git a/servconf.h b/servconf.h
-index cf2a505..070a8ed 100644
---- a/servconf.h
-+++ b/servconf.h
-@@ -175,7 +175,8 @@ typedef struct {
+diff -up openssh-6.8p1/servconf.h.GSSAPIEnablek5users openssh-6.8p1/servconf.h
+--- openssh-6.8p1/servconf.h.GSSAPIEnablek5users	2015-03-18 13:04:21.506306815 +0100
++++ openssh-6.8p1/servconf.h	2015-03-18 13:04:21.528306762 +0100
+@@ -177,7 +177,8 @@ typedef struct {
  
  	int	num_permitted_opens;
  
@@ -106,10 +103,9 @@ index cf2a505..070a8ed 100644
  	char   *chroot_directory;
  	char   *revoked_keys_file;
  	char   *trusted_user_ca_keys;
-diff --git a/sshd_config b/sshd_config
-index 0d9454d..e731de1 100644
---- a/sshd_config
-+++ b/sshd_config
+diff -up openssh-6.8p1/sshd_config.GSSAPIEnablek5users openssh-6.8p1/sshd_config
+--- openssh-6.8p1/sshd_config.GSSAPIEnablek5users	2015-03-18 13:04:21.506306815 +0100
++++ openssh-6.8p1/sshd_config	2015-03-18 13:04:21.528306762 +0100
 @@ -94,6 +94,7 @@ GSSAPIAuthentication yes
  GSSAPICleanupCredentials no
  #GSSAPIStrictAcceptorCheck yes
@@ -118,11 +114,10 @@ index 0d9454d..e731de1 100644
  
  # Set this to 'yes' to enable PAM authentication, account processing,
  # and session processing. If this is enabled, PAM authentication will
-diff --git a/sshd_config.5 b/sshd_config.5
-index eb4dd9e..ce1229b 100644
---- a/sshd_config.5
-+++ b/sshd_config.5
-@@ -548,6 +548,12 @@ on logout.
+diff -up openssh-6.8p1/sshd_config.5.GSSAPIEnablek5users openssh-6.8p1/sshd_config.5
+--- openssh-6.8p1/sshd_config.5.GSSAPIEnablek5users	2015-03-18 13:04:21.506306815 +0100
++++ openssh-6.8p1/sshd_config.5	2015-03-18 13:04:21.528306762 +0100
+@@ -576,6 +576,12 @@ on logout.
  The default is
  .Dq yes .
  Note that this option applies to protocol version 2 only.
diff --git a/openssh-6.6p1-ctr-cavstest.patch b/openssh-6.6p1-ctr-cavstest.patch
index c752d62..6f4f1e8 100644
--- a/openssh-6.6p1-ctr-cavstest.patch
+++ b/openssh-6.6p1-ctr-cavstest.patch
@@ -1,7 +1,6 @@
-diff --git a/Makefile.in b/Makefile.in
-index b225217..bbc3034 100644
---- a/Makefile.in
-+++ b/Makefile.in
+diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in
+--- openssh-6.8p1/Makefile.in.ctr-cavs	2015-03-18 11:22:05.493289018 +0100
++++ openssh-6.8p1/Makefile.in	2015-03-18 11:22:44.504196316 +0100
 @@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
  SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
  SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
@@ -14,12 +13,12 @@ index b225217..bbc3034 100644
  MANFMT=@MANFMT@
  INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
  
--TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) 
+-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
 +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
  
  LIBOPENSSH_OBJS=\
- 	ssherr.o \
-@@ -190,6 +191,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o
+ 	ssh_api.o \
+@@ -194,6 +195,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
  ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o
  	$(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(SSHLIBS)
  
@@ -29,7 +28,7 @@ index b225217..bbc3034 100644
  ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
  	$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
  
-@@ -310,6 +314,7 @@ install-files:
+@@ -326,6 +330,7 @@ install-files:
  		$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
  	fi
  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
@@ -37,11 +36,9 @@ index b225217..bbc3034 100644
  	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
  	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
  	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-diff --git a/ctr-cavstest.c b/ctr-cavstest.c
-new file mode 100644
-index 0000000..bbcbe8a
---- /dev/null
-+++ b/ctr-cavstest.c
+diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
+--- openssh-6.8p1/ctr-cavstest.c.ctr-cavs	2015-03-18 11:22:05.521288952 +0100
++++ openssh-6.8p1/ctr-cavstest.c	2015-03-18 11:22:05.521288952 +0100
 @@ -0,0 +1,208 @@
 +/*
 + *
diff --git a/openssh-6.6p1-gsskex.patch b/openssh-6.6p1-gsskex.patch
index 82e59ac..42b6a10 100644
--- a/openssh-6.6p1-gsskex.patch
+++ b/openssh-6.6p1-gsskex.patch
@@ -1,28 +1,26 @@
-diff --git a/Makefile.in b/Makefile.in
-index bbc3034..c9891e0 100644
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -87,6 +87,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
- 	atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
+diff -up openssh-6.8p1/Makefile.in.gsskex openssh-6.8p1/Makefile.in
+--- openssh-6.8p1/Makefile.in.gsskex	2015-03-18 11:24:48.875900767 +0100
++++ openssh-6.8p1/Makefile.in	2015-03-18 12:34:36.468748216 +0100
+@@ -90,6 +90,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
+ 	readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
+ 	atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o \
  	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
- 	kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
 +	kexgssc.o \
  	msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
- 	ssh-pkcs11.o krl.o smult_curve25519_ref.o \
- 	kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
-@@ -106,7 +107,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
+ 	ssh-pkcs11.o smult_curve25519_ref.o \
+ 	poly1305.o chacha.o cipher-chachapoly.o \
+@@ -111,7 +112,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
+ 	auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
  	auth2-none.o auth2-passwd.o auth2-pubkey.o \
- 	monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
- 	kexc25519s.o auth-krb5.o \
+ 	monitor_mm.o monitor.o monitor_wrap.o auth-krb5.o \
 -	auth2-gss.o gss-serv.o gss-serv-krb5.o \
 +	auth2-gss.o gss-serv.o gss-serv-krb5.o  kexgsss.o \
  	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
  	sftp-server.o sftp-common.o \
  	roaming_common.o roaming_serv.o \
-diff --git a/auth2-gss.c b/auth2-gss.c
-index 4803e7e..222e3e0 100644
---- a/auth2-gss.c
-+++ b/auth2-gss.c
+diff -up openssh-6.8p1/auth2-gss.c.gsskex openssh-6.8p1/auth2-gss.c
+--- openssh-6.8p1/auth2-gss.c.gsskex	2015-03-18 11:24:48.832900869 +0100
++++ openssh-6.8p1/auth2-gss.c	2015-03-18 12:32:50.584011552 +0100
 @@ -31,6 +31,7 @@
  #include <sys/types.h>
  
@@ -31,9 +29,9 @@ index 4803e7e..222e3e0 100644
  
  #include "xmalloc.h"
  #include "key.h"
-@@ -53,6 +53,40 @@ static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt);
- static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
- static void input_gssapi_errtok(int, u_int32_t, void *);
+@@ -53,6 +54,40 @@ static int input_gssapi_mic(int type, u_
+ static int input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
+ static int input_gssapi_errtok(int, u_int32_t, void *);
  
 +/* 
 + * The 'gssapi_keyex' userauth mechanism.
@@ -72,7 +70,7 @@ index 4803e7e..222e3e0 100644
  /*
   * We only support those mechanisms that we know about (ie ones that we know
   * how to check local user kuserok and the like)
-@@ -236,7 +270,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
+@@ -238,7 +273,8 @@ input_gssapi_exchange_complete(int type,
  
  	packet_check_eom();
  
@@ -82,7 +80,7 @@ index 4803e7e..222e3e0 100644
  
  	authctxt->postponed = 0;
  	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-@@ -278,7 +313,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
+@@ -281,7 +317,8 @@ input_gssapi_mic(int type, u_int32_t ple
  	gssbuf.length = buffer_len(&b);
  
  	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
@@ -92,8 +90,8 @@ index 4803e7e..222e3e0 100644
  	else
  		logit("GSSAPI MIC check failed");
  
-@@ -295,6 +331,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
- 	userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
+@@ -299,6 +336,12 @@ input_gssapi_mic(int type, u_int32_t ple
+ 	return 0;
  }
  
 +Authmethod method_gsskeyex = {
@@ -105,10 +103,9 @@ index 4803e7e..222e3e0 100644
  Authmethod method_gssapi = {
  	"gssapi-with-mic",
  	userauth_gssapi,
-diff --git a/auth2.c b/auth2.c
-index d6fbc93..124d02b 100644
---- a/auth2.c
-+++ b/auth2.c
+diff -up openssh-6.8p1/auth2.c.gsskex openssh-6.8p1/auth2.c
+--- openssh-6.8p1/auth2.c.gsskex	2015-03-18 11:24:48.832900869 +0100
++++ openssh-6.8p1/auth2.c	2015-03-18 11:24:48.875900767 +0100
 @@ -70,6 +70,7 @@ extern Authmethod method_passwd;
  extern Authmethod method_kbdint;
  extern Authmethod method_hostbased;
@@ -125,13 +122,12 @@ index d6fbc93..124d02b 100644
  	&method_gssapi,
  #endif
  	&method_passwd,
-diff --git a/clientloop.c b/clientloop.c
-index 397c965..20ce0b5 100644
---- a/clientloop.c
-+++ b/clientloop.c
-@@ -111,6 +111,10 @@
- #include "msg.h"
- #include "roaming.h"
+diff -up openssh-6.8p1/clientloop.c.gsskex openssh-6.8p1/clientloop.c
+--- openssh-6.8p1/clientloop.c.gsskex	2015-03-18 11:24:48.875900767 +0100
++++ openssh-6.8p1/clientloop.c	2015-03-18 12:30:42.647329654 +0100
+@@ -114,6 +114,10 @@
+ #include "ssherr.h"
+ #include "hostfile.h"
  
 +#ifdef GSSAPI
 +#include "ssh-gss.h"
@@ -140,7 +136,7 @@ index 397c965..20ce0b5 100644
  /* import options */
  extern Options options;
  
-@@ -1596,6 +1600,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
+@@ -1596,6 +1600,15 @@ client_loop(int have_pty, int escape_cha
  		/* Do channel operations unless rekeying in progress. */
  		if (!rekeying) {
  			channel_after_select(readset, writeset);
@@ -155,12 +151,11 @@ index 397c965..20ce0b5 100644
 +
  			if (need_rekeying || packet_need_rekeying()) {
  				debug("need rekeying");
- 				xxx_kex->done = 0;
-diff --git a/configure.ac b/configure.ac
-index 8dedb95..2c4adac 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -584,6 +584,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
+ 				active_state->kex->done = 0;
+diff -up openssh-6.8p1/configure.ac.gsskex openssh-6.8p1/configure.ac
+--- openssh-6.8p1/configure.ac.gsskex	2015-03-18 11:24:48.866900788 +0100
++++ openssh-6.8p1/configure.ac	2015-03-18 11:24:48.876900765 +0100
+@@ -620,6 +620,30 @@ main() { if (NSVersionOfRunTimeLibrary("
  	    [Use tunnel device compatibility to OpenBSD])
  	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
  	    [Prepend the address family to IP tunnel traffic])
@@ -191,11 +186,10 @@ index 8dedb95..2c4adac 100644
  	m4_pattern_allow([AU_IPv])
  	AC_CHECK_DECL([AU_IPv4], [], 
  	    AC_DEFINE([AU_IPv4], [0], [System only supports IPv4 audit records])
-diff --git a/gss-genr.c b/gss-genr.c
-index b39281b..a3a2289 100644
---- a/gss-genr.c
-+++ b/gss-genr.c
-@@ -39,12 +39,167 @@
+diff -up openssh-6.8p1/gss-genr.c.gsskex openssh-6.8p1/gss-genr.c
+--- openssh-6.8p1/gss-genr.c.gsskex	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/gss-genr.c	2015-03-18 11:24:48.876900765 +0100
+@@ -40,12 +40,167 @@
  #include "buffer.h"
  #include "log.h"
  #include "ssh2.h"
@@ -363,7 +357,7 @@ index b39281b..a3a2289 100644
  /* Check that the OID in a data stream matches that in the context */
  int
  ssh_gssapi_check_oid(Gssctxt *ctx, void *data, size_t len)
-@@ -197,7 +352,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int deleg_creds, gss_buffer_desc *recv_tok,
+@@ -198,7 +353,7 @@ ssh_gssapi_init_ctx(Gssctxt *ctx, int de
  	}
  
  	ctx->major = gss_init_sec_context(&ctx->minor,
@@ -372,7 +366,7 @@ index b39281b..a3a2289 100644
  	    GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
  	    0, NULL, recv_tok, NULL, send_tok, flags, NULL);
  
-@@ -227,8 +382,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
+@@ -228,8 +383,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, con
  }
  
  OM_uint32
@@ -415,7 +409,7 @@ index b39281b..a3a2289 100644
  	if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context,
  	    GSS_C_QOP_DEFAULT, buffer, hash)))
  		ssh_gssapi_error(ctx);
-@@ -236,6 +425,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
+@@ -237,6 +426,19 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer
  	return (ctx->major);
  }
  
@@ -435,7 +429,7 @@ index b39281b..a3a2289 100644
  void
  ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
      const char *context)
-@@ -249,11 +451,16 @@ ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
+@@ -250,11 +452,16 @@ ssh_gssapi_buildmic(Buffer *b, const cha
  }
  
  int
@@ -453,7 +447,7 @@ index b39281b..a3a2289 100644
  
  	/* RFC 4462 says we MUST NOT do SPNEGO */
  	if (oid->length == spnego_oid.length && 
-@@ -263,6 +470,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
+@@ -264,6 +471,10 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
  	ssh_gssapi_build_ctx(ctx);
  	ssh_gssapi_set_oid(*ctx, oid);
  	major = ssh_gssapi_import_name(*ctx, host);
@@ -464,7 +458,7 @@ index b39281b..a3a2289 100644
  	if (!GSS_ERROR(major)) {
  		major = ssh_gssapi_init_ctx(*ctx, 0, GSS_C_NO_BUFFER, &token, 
  		    NULL);
-@@ -272,10 +483,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx, gss_OID oid, const char *host)
+@@ -273,10 +484,66 @@ ssh_gssapi_check_mechanism(Gssctxt **ctx
  			    GSS_C_NO_BUFFER);
  	}
  
@@ -532,11 +526,10 @@ index b39281b..a3a2289 100644
 +}
 +
  #endif /* GSSAPI */
-diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
-index 795992d..413b845 100644
---- a/gss-serv-krb5.c
-+++ b/gss-serv-krb5.c
-@@ -121,7 +121,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
+diff -up openssh-6.8p1/gss-serv-krb5.c.gsskex openssh-6.8p1/gss-serv-krb5.c
+--- openssh-6.8p1/gss-serv-krb5.c.gsskex	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/gss-serv-krb5.c	2015-03-18 11:24:48.876900765 +0100
+@@ -121,7 +121,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
  	krb5_error_code problem;
  	krb5_principal princ;
  	OM_uint32 maj_status, min_status;
@@ -545,7 +538,7 @@ index 795992d..413b845 100644
  	const char *errmsg;
  
  	if (client->creds == NULL) {
-@@ -181,11 +181,26 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
+@@ -181,11 +181,26 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
  		return;
  	}
  
@@ -576,7 +569,7 @@ index 795992d..413b845 100644
  
  #ifdef USE_PAM
  	if (options.use_pam)
-@@ -194,9 +209,76 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
+@@ -194,9 +209,76 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_cl
  
  	krb5_cc_close(krb_context, ccache);
  
@@ -663,11 +656,10 @@ index 795992d..413b845 100644
  };
  
  #endif /* KRB5 */
-diff --git a/gss-serv.c b/gss-serv.c
-index 5c59924..2289e8e 100644
---- a/gss-serv.c
-+++ b/gss-serv.c
-@@ -45,15 +45,20 @@
+diff -up openssh-6.8p1/gss-serv.c.gsskex openssh-6.8p1/gss-serv.c
+--- openssh-6.8p1/gss-serv.c.gsskex	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/gss-serv.c	2015-03-18 11:24:48.877900762 +0100
+@@ -44,15 +44,20 @@
  #include "channels.h"
  #include "session.h"
  #include "misc.h"
@@ -690,20 +682,21 @@ index 5c59924..2289e8e 100644
  
  #ifdef KRB5
  extern ssh_gssapi_mech gssapi_kerberos_mech;
-@@ -100,25 +105,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
+@@ -99,25 +104,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
  	char lname[NI_MAXHOST];
  	gss_OID_set oidset;
  
 -	gss_create_empty_oid_set(&status, &oidset);
 -	gss_add_oid_set_member(&status, ctx->oid, &oidset);
-+	if (options.gss_strict_acceptor) {
-+		gss_create_empty_oid_set(&status, &oidset);
-+		gss_add_oid_set_member(&status, ctx->oid, &oidset);
- 
+-
 -	if (gethostname(lname, sizeof(lname))) {
 -		gss_release_oid_set(&status, &oidset);
 -		return (-1);
 -	}
++	if (options.gss_strict_acceptor) {
++		gss_create_empty_oid_set(&status, &oidset);
++		gss_add_oid_set_member(&status, ctx->oid, &oidset);
++
 +		if (gethostname(lname, sizeof(lname))) {
 +			gss_release_oid_set(&status, &oidset);
 +			return (-1);
@@ -722,22 +715,22 @@ index 5c59924..2289e8e 100644
  		gss_release_oid_set(&status, &oidset);
  		return (ctx->major);
 -	}
--
--	if ((ctx->major = gss_acquire_cred(&ctx->minor,
--	    ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
--		ssh_gssapi_error(ctx);
 +	} else {
 +		ctx->name = GSS_C_NO_NAME;
 +		ctx->creds = GSS_C_NO_CREDENTIAL;
 +		return GSS_S_COMPLETE;
 + 	}
  
+-	if ((ctx->major = gss_acquire_cred(&ctx->minor,
+-	    ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
+-		ssh_gssapi_error(ctx);
+-
 -	gss_release_oid_set(&status, &oidset);
 -	return (ctx->major);
  }
  
  /* Privileged */
-@@ -133,6 +145,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
+@@ -132,6 +144,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss
  }
  
  /* Unprivileged */
@@ -767,7 +760,7 @@ index 5c59924..2289e8e 100644
  void
  ssh_gssapi_supported_oids(gss_OID_set *oidset)
  {
-@@ -142,7 +177,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)
+@@ -141,7 +176,9 @@ ssh_gssapi_supported_oids(gss_OID_set *o
  	gss_OID_set supported;
  
  	gss_create_empty_oid_set(&min_status, oidset);
@@ -778,7 +771,7 @@ index 5c59924..2289e8e 100644
  
  	while (supported_mechs[i]->name != NULL) {
  		if (GSS_ERROR(gss_test_oid_set_member(&min_status,
-@@ -268,8 +305,48 @@ OM_uint32
+@@ -267,8 +304,48 @@ OM_uint32
  ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
  {
  	int i = 0;
@@ -800,7 +793,8 @@ index 5c59924..2289e8e 100644
 +			ssh_gssapi_error(ctx);
 +			return (ctx->major);
 +		}
-+
+ 
+-	gss_buffer_desc ename;
 +		ctx->major = gss_compare_name(&ctx->minor, client->name, 
 +		    new_name, &equal);
 +
@@ -815,8 +809,7 @@ index 5c59924..2289e8e 100644
 +		}
 +
 +		debug("Marking rekeyed credentials for export");
- 
--	gss_buffer_desc ename;
++
 +		gss_release_name(&ctx->minor, &client->name);
 +		gss_release_cred(&ctx->minor, &client->creds);
 +		client->name = new_name;
@@ -828,7 +821,7 @@ index 5c59924..2289e8e 100644
  
  	client->mech = NULL;
  
-@@ -284,6 +361,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
+@@ -283,6 +360,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
  	if (client->mech == NULL)
  		return GSS_S_FAILURE;
  
@@ -842,7 +835,7 @@ index 5c59924..2289e8e 100644
  	if ((ctx->major = gss_display_name(&ctx->minor, ctx->client,
  	    &client->displayname, NULL))) {
  		ssh_gssapi_error(ctx);
-@@ -301,6 +385,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
+@@ -300,6 +384,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
  		return (ctx->major);
  	}
  
@@ -851,7 +844,7 @@ index 5c59924..2289e8e 100644
  	/* We can't copy this structure, so we just move the pointer to it */
  	client->creds = ctx->client_creds;
  	ctx->client_creds = GSS_C_NO_CREDENTIAL;
-@@ -311,11 +397,20 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
+@@ -310,11 +396,20 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_g
  void
  ssh_gssapi_cleanup_creds(void)
  {
@@ -877,7 +870,7 @@ index 5c59924..2289e8e 100644
  	}
  }
  
-@@ -348,7 +443,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep)
+@@ -347,7 +442,7 @@ ssh_gssapi_do_child(char ***envp, u_int
  
  /* Privileged */
  int
@@ -886,7 +879,7 @@ index 5c59924..2289e8e 100644
  {
  	OM_uint32 lmin;
  
-@@ -358,9 +453,11 @@ ssh_gssapi_userok(char *user)
+@@ -357,9 +452,11 @@ ssh_gssapi_userok(char *user)
  		return 0;
  	}
  	if (gssapi_client.mech && gssapi_client.mech->userok)
@@ -900,7 +893,7 @@ index 5c59924..2289e8e 100644
  			/* Destroy delegated credentials if userok fails */
  			gss_release_buffer(&lmin, &gssapi_client.displayname);
  			gss_release_buffer(&lmin, &gssapi_client.exportedname);
-@@ -374,14 +471,90 @@ ssh_gssapi_userok(char *user)
+@@ -373,14 +470,90 @@ ssh_gssapi_userok(char *user)
  	return (0);
  }
  
@@ -997,12 +990,11 @@ index 5c59924..2289e8e 100644
  }
  
  #endif
-diff --git a/kex.c b/kex.c
-index a173e70..4563920 100644
---- a/kex.c
-+++ b/kex.c
-@@ -53,6 +53,10 @@
- #include "roaming.h"
+diff -up openssh-6.8p1/kex.c.gsskex openssh-6.8p1/kex.c
+--- openssh-6.8p1/kex.c.gsskex	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/kex.c	2015-03-18 12:29:33.452501699 +0100
+@@ -55,6 +55,10 @@
+ #include "sshbuf.h"
  #include "digest.h"
  
 +#ifdef GSSAPI
@@ -1012,10 +1004,10 @@ index a173e70..4563920 100644
  #if OPENSSL_VERSION_NUMBER >= 0x00907000L
  # if defined(HAVE_EVP_SHA256)
  # define evp_ssh_sha256 EVP_sha256
-@@ -94,6 +98,11 @@ static const struct kexalg kexalgs[] = {
- #ifdef HAVE_EVP_SHA256
+@@ -95,6 +99,11 @@ static const struct kexalg kexalgs[] = {
+ #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
  	{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
- #endif /* HAVE_EVP_SHA256 */
+ #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
 +#ifdef GSSAPI
 +	{ KEX_GSS_GEX_SHA1_ID, KEX_GSS_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
 +	{ KEX_GSS_GRP1_SHA1_ID, KEX_GSS_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
@@ -1024,7 +1016,7 @@ index a173e70..4563920 100644
  	{ NULL, -1, -1, -1},
  };
  
-@@ -123,6 +132,12 @@ kex_alg_by_name(const char *name)
+@@ -128,6 +137,12 @@ kex_alg_by_name(const char *name)
  	for (k = kexalgs; k->name != NULL; k++) {
  		if (strcmp(k->name, name) == 0)
  			return k;
@@ -1037,11 +1029,10 @@ index a173e70..4563920 100644
  	}
  	return NULL;
  }
-diff --git a/kex.h b/kex.h
-index 4c40ec8..1c76c08 100644
---- a/kex.h
-+++ b/kex.h
-@@ -76,6 +76,11 @@ enum kex_exchange {
+diff -up openssh-6.8p1/kex.h.gsskex openssh-6.8p1/kex.h
+--- openssh-6.8p1/kex.h.gsskex	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/kex.h	2015-03-18 12:28:17.600690296 +0100
+@@ -93,6 +93,11 @@ enum kex_exchange {
  	KEX_DH_GEX_SHA256,
  	KEX_ECDH_SHA2,
  	KEX_C25519_SHA256,
@@ -1053,8 +1044,8 @@ index 4c40ec8..1c76c08 100644
  	KEX_MAX
  };
  
-@@ -135,6 +140,12 @@ struct Kex {
- 	int	flags;
+@@ -139,6 +144,12 @@ struct kex {
+ 	u_int	flags;
  	int	hash_alg;
  	int	ec_nid;
 +#ifdef GSSAPI
@@ -1065,24 +1056,22 @@ index 4c40ec8..1c76c08 100644
 +#endif
  	char	*client_version_string;
  	char	*server_version_string;
- 	int	(*verify_host_key)(Key *);
-@@ -166,6 +177,10 @@ void	 kexecdh_client(Kex *);
- void	 kexecdh_server(Kex *);
- void	 kexc25519_client(Kex *);
- void	 kexc25519_server(Kex *);
+ 	int	(*verify_host_key)(struct sshkey *, struct ssh *);
+@@ -183,6 +194,10 @@ int	 kexecdh_client(struct ssh *);
+ int	 kexecdh_server(struct ssh *);
+ int	 kexc25519_client(struct ssh *);
+ int	 kexc25519_server(struct ssh *);
 +#ifdef GSSAPI
-+void	 kexgss_client(Kex *);
-+void	 kexgss_server(Kex *);
++int	 kexgss_client(struct ssh *);
++int	 kexgss_server(struct ssh *);
 +#endif
  
- void
- kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
-diff --git a/kexgssc.c b/kexgssc.c
-new file mode 100644
-index 0000000..e90b567
---- /dev/null
-+++ b/kexgssc.c
-@@ -0,0 +1,334 @@
+ int	 kex_dh_hash(const char *, const char *,
+     const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
+diff -up openssh-6.8p1/kexgssc.c.gsskex openssh-6.8p1/kexgssc.c
+--- openssh-6.8p1/kexgssc.c.gsskex	2015-03-18 11:24:48.877900762 +0100
++++ openssh-6.8p1/kexgssc.c	2015-03-18 11:24:48.877900762 +0100
+@@ -0,0 +1,338 @@
 +/*
 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
 + *
@@ -1127,22 +1116,23 @@ index 0000000..e90b567
 +#include "log.h"
 +#include "packet.h"
 +#include "dh.h"
++#include "digest.h"
 +
 +#include "ssh-gss.h"
 +
-+void
-+kexgss_client(Kex *kex) {
++int
++kexgss_client(struct ssh *ssh) {
 +	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
 +	gss_buffer_desc recv_tok, gssbuf, msg_tok, *token_ptr;
 +	Gssctxt *ctxt;
 +	OM_uint32 maj_status, min_status, ret_flags;
-+	u_int klen, kout, slen = 0, hashlen, strlen;
++	u_int klen, kout, slen = 0, strlen;
 +	DH *dh; 
 +	BIGNUM *dh_server_pub = NULL;
 +	BIGNUM *shared_secret = NULL;
 +	BIGNUM *p = NULL;
 +	BIGNUM *g = NULL;	
-+	u_char *kbuf, *hash;
++	u_char *kbuf;
 +	u_char *serverhostkey = NULL;
 +	u_char *empty = "";
 +	char *msg;
@@ -1150,21 +1140,23 @@ index 0000000..e90b567
 +	int type = 0;
 +	int first = 1;
 +	int nbits = 0, min = DH_GRP_MIN, max = DH_GRP_MAX;
++	u_char hash[SSH_DIGEST_MAX_LENGTH];
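Review bot: The edited declaration `u_int klen, kout, slen = 0, strlen;` still names a local `strlen`, which shadows the C library function for the rest of kexgss_client and trips `-Wshadow`; since the commit rewrites this line anyway, renaming it (e.g. `u_int klen, kout, slen = 0, msglen;`) together with its uses later in the function, which lie outside this hunk, would be cheap. `u_char *empty = "";` on the same side points a non-const `u_char *` at a `char` string literal; `static const u_char empty[] = "";` would avoid both the const and signedness warnings, given that the `kex_dh_hash` prototype in this patch's kex.h hunk takes `const u_char *`. kexgss_client continues past the end of this hunk.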
++	size_t hashlen;
 +
 +	/* Initialise our GSSAPI world */	
 +	ssh_gssapi_build_ctx(&ctxt);
-+	if (ssh_gssapi_id_kex(ctxt, kex->name, kex->kex_type) 
++	if (ssh_gssapi_id_kex(ctxt, ssh->kex->name, ssh->kex->kex_type) 
 +	    == GSS_C_NO_OID)
 +		fatal("Couldn't identify host exchange");
 +
-+	if (ssh_gssapi_import_name(ctxt, kex->gss_host))
++	if (ssh_gssapi_import_name(ctxt, ssh->kex->gss_host))
 +		fatal("Couldn't import hostname");
 +
-+	if (kex->gss_client && 
-+	    ssh_gssapi_client_identity(ctxt, kex->gss_client))
++	if (ssh->kex->gss_client && 
++	    ssh_gssapi_client_identity(ctxt, ssh->kex->gss_client))
 +		fatal("Couldn't acquire client credentials");
 +
-+	switch (kex->kex_type) {
++	switch (ssh->kex->kex_type) {
 +	case KEX_GSS_GRP1_SHA1:
 +		dh = dh_new_group1();
 +		break;
@@ -1173,7 +1165,7 @@ index 0000000..e90b567
 +		break;
 +	case KEX_GSS_GEX_SHA1:
 +		debug("Doing group exchange\n");
-+		nbits = dh_estimate(kex->we_need * 8);
++		nbits = dh_estimate(ssh->kex->we_need * 8);
 +		packet_start(SSH2_MSG_KEXGSS_GROUPREQ);
 +		packet_put_int(min);
 +		packet_put_int(nbits);
@@ -1198,11 +1190,11 @@ index 0000000..e90b567
 +		dh = dh_new_group(g, p);
 +		break;
 +	default:
-+		fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
++		fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type);
 +	}
 +	
 +	/* Step 1 - e is dh->pub_key */
-+	dh_gen_key(dh, kex->we_need * 8);
++	dh_gen_key(dh, ssh->kex->we_need * 8);
 +
 +	/* This is f, we initialise it now to make life easier */
 +	dh_server_pub = BN_new();
@@ -1215,7 +1207,7 @@ index 0000000..e90b567
 +		debug("Calling gss_init_sec_context");
 +		
 +		maj_status = ssh_gssapi_init_ctx(ctxt,
-+		    kex->gss_deleg_creds, token_ptr, &send_tok,
++		    ssh->kex->gss_deleg_creds, token_ptr, &send_tok,
 +		    &ret_flags);
 +
 +		if (GSS_ERROR(maj_status)) {
@@ -1348,38 +1340,39 @@ index 0000000..e90b567
 +	memset(kbuf, 0, klen);
 +	free(kbuf);
 +
-+	switch (kex->kex_type) {
++	hashlen = sizeof(hash);
++	switch (ssh->kex->kex_type) {
 +	case KEX_GSS_GRP1_SHA1:
 +	case KEX_GSS_GRP14_SHA1:
-+		kex_dh_hash( kex->client_version_string, 
-+		    kex->server_version_string,
-+		    buffer_ptr(&kex->my), buffer_len(&kex->my),
-+		    buffer_ptr(&kex->peer), buffer_len(&kex->peer),
++		kex_dh_hash( ssh->kex->client_version_string, 
++		    ssh->kex->server_version_string,
++		    buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my),
++		    buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer),
 +		    (serverhostkey ? serverhostkey : empty), slen,
 +		    dh->pub_key,	/* e */
 +		    dh_server_pub,	/* f */
 +		    shared_secret,	/* K */
-+		    &hash, &hashlen
++		    hash, &hashlen
 +		);
 +		break;
 +	case KEX_GSS_GEX_SHA1:
 +		kexgex_hash(
-+		    kex->hash_alg,
-+		    kex->client_version_string,
-+		    kex->server_version_string,
-+		    buffer_ptr(&kex->my), buffer_len(&kex->my),
-+		    buffer_ptr(&kex->peer), buffer_len(&kex->peer),
++		    ssh->kex->hash_alg,
++		    ssh->kex->client_version_string,
++		    ssh->kex->server_version_string,
++		    buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my),
++		    buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer),
 +		    (serverhostkey ? serverhostkey : empty), slen,
 + 		    min, nbits, max,
 +		    dh->p, dh->g,
 +		    dh->pub_key,
 +		    dh_server_pub,
 +		    shared_secret,
-+		    &hash, &hashlen
++		    hash, &hashlen
 +		);
 +		break;
 +	default:
-+		fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
++		fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type);
 +	}
 +
 +	gssbuf.value = hash;
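Review bot: `memset(kbuf, 0, klen); free(kbuf);` at the top of the hunk zeroes the raw DH shared secret with a plain memset immediately before freeing it, which the compiler may treat as a dead store and drop, leaving the secret in freed heap memory; the in-tree KEX code relies on the openbsd-compat `explicit_bzero` for this, so `explicit_bzero(kbuf, klen);` is the matching form. The same pattern is on the server side in kexgsss.c (the hunk starting `@@ -1636,43 +1630,44 @@`, which runs past the end of the page). kexgss_client starts before and ends after this hunk.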
@@ -1397,13 +1390,13 @@ index 0000000..e90b567
 +	BN_clear_free(dh_server_pub);
 +
 +	/* save session id */
-+	if (kex->session_id == NULL) {
-+		kex->session_id_len = hashlen;
-+		kex->session_id = xmalloc(kex->session_id_len);
-+		memcpy(kex->session_id, hash, kex->session_id_len);
++	if (ssh->kex->session_id == NULL) {
++		ssh->kex->session_id_len = hashlen;
++		ssh->kex->session_id = xmalloc(ssh->kex->session_id_len);
++		memcpy(ssh->kex->session_id, hash, ssh->kex->session_id_len);
 +	}
 +
-+	if (kex->gss_deleg_creds)
++	if (ssh->kex->gss_deleg_creds)
 +		ssh_gssapi_credentials_updated(ctxt);
 +
 +	if (gss_kex_context == NULL)
@@ -1411,18 +1404,16 @@ index 0000000..e90b567
 +	else
 +		ssh_gssapi_delete_ctx(&ctxt);
 +
-+	kex_derive_keys_bn(kex, hash, hashlen, shared_secret);
++	kex_derive_keys_bn(ssh, hash, hashlen, shared_secret);
 +	BN_clear_free(shared_secret);
-+	kex_finish(kex);
++	return kex_send_newkeys(ssh);
 +}
 +
 +#endif /* GSSAPI */
-diff --git a/kexgsss.c b/kexgsss.c
-new file mode 100644
-index 0000000..b880998
---- /dev/null
-+++ b/kexgsss.c
-@@ -0,0 +1,290 @@
+diff -up openssh-6.8p1/kexgsss.c.gsskex openssh-6.8p1/kexgsss.c
+--- openssh-6.8p1/kexgsss.c.gsskex	2015-03-18 11:24:48.878900760 +0100
++++ openssh-6.8p1/kexgsss.c	2015-03-18 11:24:48.878900760 +0100
+@@ -0,0 +1,295 @@
 +/*
 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
 + *
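Review bot: The status returned by `kex_derive_keys_bn(ssh, hash, hashlen, shared_secret);` is discarded before `return kex_send_newkeys(ssh);`, so a key-derivation failure would still lead to NEWKEYS being sent; in 6.8 that function reports an int status (the in-tree kexdhc.c checks it), so the tail should read `if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) == 0) r = kex_send_newkeys(ssh);` followed by `return r;`, with `int r` declared at the top of kexgss_client and `BN_clear_free(shared_secret)` kept before the return. The exchange hash now lives in the stack array `hash` and is copied into `session_id` but never cleared; an `explicit_bzero(hash, sizeof(hash));` before returning would be consistent with the in-tree KEX implementations, if I read 6.8 correctly. kexgss_client begins well before this hunk.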
@@ -1470,11 +1461,12 @@ index 0000000..b880998
 +#include "misc.h"      /* servconf.h needs misc.h for struct ForwardOptions */
 +#include "servconf.h"
 +#include "ssh-gss.h"
++#include "digest.h"
 +
 +extern ServerOptions options;
 +
-+void
-+kexgss_server(Kex *kex)
++int
++kexgss_server(struct ssh *ssh)
 +{
 +	OM_uint32 maj_status, min_status;
 +	
@@ -1489,8 +1481,8 @@ index 0000000..b880998
 +	gss_buffer_desc gssbuf, recv_tok, msg_tok;
 +	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
 +	Gssctxt *ctxt = NULL;
-+	u_int slen, klen, kout, hashlen;
-+	u_char *kbuf, *hash;
++	u_int slen, klen, kout;
++	u_char *kbuf;
 +	DH *dh;
 +	int min = -1, max = -1, nbits = -1;
 +	BIGNUM *shared_secret = NULL;
@@ -1498,6 +1490,8 @@ index 0000000..b880998
 +	int type = 0;
 +	gss_OID oid;
 +	char *mechs;
++	u_char hash[SSH_DIGEST_MAX_LENGTH];
++	size_t hashlen;
 +
 +	/* Initialise GSSAPI */
 +
@@ -1509,8 +1503,8 @@ index 0000000..b880998
 +		if ((mechs = ssh_gssapi_server_mechanisms()))
 +			free(mechs);
 +
-+	debug2("%s: Identifying %s", __func__, kex->name);
-+	oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type);
++	debug2("%s: Identifying %s", __func__, ssh->kex->name);
++	oid = ssh_gssapi_id_kex(NULL, ssh->kex->name, ssh->kex->kex_type);
 +	if (oid == GSS_C_NO_OID)
 +	   fatal("Unknown gssapi mechanism");
 +
@@ -1519,7 +1513,7 @@ index 0000000..b880998
 +	if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid))))
 +		fatal("Unable to acquire credentials for the server");
 +
-+	switch (kex->kex_type) {
++	switch (ssh->kex->kex_type) {
 +	case KEX_GSS_GRP1_SHA1:
 +		dh = dh_new_group1();
 +		break;
@@ -1550,10 +1544,10 @@ index 0000000..b880998
 +		packet_write_wait();
 +		break;
 +	default:
-+		fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
++		fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type);
 +	}
 +
-+	dh_gen_key(dh, kex->we_need * 8);
++	dh_gen_key(dh, ssh->kex->we_need * 8);
 +
 +	do {
 +		debug("Wait SSH2_MSG_GSSAPI_INIT");
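Review bot: The status of `dh_gen_key()` is discarded on the last changed line of the hunk; in the 6.8 tree this helper appears to return an ssh_err code instead of calling fatal() on a bad or invalid key (the stock kexdhs.c checks it), so a failed generation would continue into the exchange with an unusable DH key and `dh->pub_key` would still be sent to the peer. I would write `if ((r = dh_gen_key(dh, ssh->kex->we_need * 8)) != 0)` / `fatal("%s: dh_gen_key: %s", __func__, ssh_err(r));`, matching the fatal() style used a few lines above for the unknown-mechanism and credential cases, with `int r` added to the declarations earlier in the function. The enclosing kexgss_server() starts and ends outside this hunk.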
@@ -1636,43 +1630,44 @@ index 0000000..b880998
 +	memset(kbuf, 0, klen);
 +	free(kbuf);
 +
-+	switch (kex->kex_type) {
++	hashlen = sizeof(hash);
++	switch (ssh->kex->kex_type) {
 +	case KEX_GSS_GRP1_SHA1:
 +	case KEX_GSS_GRP14_SHA1:
 +		kex_dh_hash(
-+		    kex->client_version_string, kex->server_version_string,
-+		    buffer_ptr(&kex->peer), buffer_len(&kex->peer),
-+		    buffer_ptr(&kex->my), buffer_len(&kex->my),
++		    ssh->kex->client_version_string, ssh->kex->server_version_string,
++		    buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer),
++		    buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my),
 +		    NULL, 0, /* Change this if we start sending host keys */
 +		    dh_client_pub, dh->pub_key, shared_secret,
-+		    &hash, &hashlen
++		    hash, &hashlen
 +		);
 +		break;
 +	case KEX_GSS_GEX_SHA1:
 +		kexgex_hash(
-+		    kex->hash_alg,
-+		    kex->client_version_string, kex->server_version_string,
-+		    buffer_ptr(&kex->peer), buffer_len(&kex->peer),
-+		    buffer_ptr(&kex->my), buffer_len(&kex->my),
++		    ssh->kex->hash_alg,
++		    ssh->kex->client_version_string, ssh->kex->server_version_string,
++		    buffer_ptr(ssh->kex->peer), buffer_len(ssh->kex->peer),
++		    buffer_ptr(ssh->kex->my), buffer_len(ssh->kex->my),
 +		    NULL, 0,
 +		    min, nbits, max,
 +		    dh->p, dh->g,
 +		    dh_client_pub,
 +		    dh->pub_key,
 +		    shared_secret,
-+		    &hash, &hashlen
++		    hash, &hashlen
 +		);
 +		break;
 +	default:
-+		fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
++		fatal("%s: Unexpected KEX type %d", __func__, ssh->kex->kex_type);
 +	}
 +
 +	BN_clear_free(dh_client_pub);
 +
-+	if (kex->session_id == NULL) {
-+		kex->session_id_len = hashlen;
-+		kex->session_id = xmalloc(kex->session_id_len);
-+		memcpy(kex->session_id, hash, kex->session_id_len);
++	if (ssh->kex->session_id == NULL) {
++		ssh->kex->session_id_len = hashlen;
++		ssh->kex->session_id = xmalloc(ssh->kex->session_id_len);
++		memcpy(ssh->kex->session_id, hash, ssh->kex->session_id_len);
 +	}
 +
 +	gssbuf.value = hash;
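Review bot: The return values of `kex_dh_hash()` and `kexgex_hash()` are ignored in the rewritten switch, yet `hash` is immediately copied into `session_id` and then handed to the GSS MIC as `gssbuf.value = hash;`. If the 6.8 versions of these helpers return an int status as the stock kexdhs.c/kexgexs.c treat them (allocation failure, or an output buffer shorter than the digest), a failure would leave `hash` and `hashlen` unset and the server would sign and record uninitialised stack bytes. I would check each call: `if ((r = kex_dh_hash(..., hash, &hashlen)) != 0)` / `fatal("%s: kex_dh_hash: %s", __func__, ssh_err(r));`, and the same for `kexgex_hash`, with `int r` declared with the other locals earlier in the function. kexgss_server() starts and ends outside this hunk.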
@@ -1703,21 +1698,21 @@ index 0000000..b880998
 +
 +	DH_free(dh);
 +
-+	kex_derive_keys_bn(kex, hash, hashlen, shared_secret);
++	kex_derive_keys_bn(ssh, hash, hashlen, shared_secret);
 +	BN_clear_free(shared_secret);
-+	kex_finish(kex);
++	kex_send_newkeys(ssh);
 +
 +	/* If this was a rekey, then save out any delegated credentials we
 +	 * just exchanged.  */
 +	if (options.gss_store_rekey)
 +		ssh_gssapi_rekey_creds();
++	return 0;
 +}
 +#endif /* GSSAPI */
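Review bot: `kexgss_server()` now discards the status of both `kex_derive_keys_bn()` and `kex_send_newkeys()` and ends with an unconditional `return 0;`, so a failed key derivation or a failed NEWKEYS send is reported to the kex dispatcher as success; the client side of the same patch at least returns the result of `kex_send_newkeys()`. The exchange hash in `hash` (the session-id material, a stack array declared earlier in the function) is also never cleared before returning, whereas `shared_secret` and `kbuf` are wiped. I would capture the status, derive keys before sending NEWKEYS, wipe `hash` with `explicit_bzero()` as the stock 6.8 kex handlers do, only store rekeyed credentials on success, and return the status; `int r` needs adding to the declarations outside this hunk.

```c
	DH_free(dh);

	r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret);
	BN_clear_free(shared_secret);
	explicit_bzero(hash, sizeof(hash));
	if (r == 0)
		r = kex_send_newkeys(ssh);

	/* If this was a rekey, then save out any delegated credentials we
	 * just exchanged.  */
	if (r == 0 && options.gss_store_rekey)
		ssh_gssapi_rekey_creds();
	return r;
}
```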
-diff --git a/monitor.c b/monitor.c
-index d3f87e1..7ebc76e 100644
---- a/monitor.c
-+++ b/monitor.c
-@@ -181,6 +181,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
+diff -up openssh-6.8p1/monitor.c.gsskex openssh-6.8p1/monitor.c
+--- openssh-6.8p1/monitor.c.gsskex	2015-03-18 11:24:48.834900865 +0100
++++ openssh-6.8p1/monitor.c	2015-03-18 12:24:38.971233895 +0100
+@@ -160,6 +160,8 @@ int mm_answer_gss_setup_ctx(int, Buffer
  int mm_answer_gss_accept_ctx(int, Buffer *);
  int mm_answer_gss_userok(int, Buffer *);
  int mm_answer_gss_checkmic(int, Buffer *);
@@ -1726,7 +1721,7 @@ index d3f87e1..7ebc76e 100644
  #endif
  
  #ifdef SSH_AUDIT_EVENTS
-@@ -261,11 +263,18 @@ struct mon_table mon_dispatch_proto20[] = {
+@@ -240,11 +242,18 @@ struct mon_table mon_dispatch_proto20[]
      {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
      {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
      {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
@@ -1745,7 +1740,7 @@ index d3f87e1..7ebc76e 100644
  #ifdef WITH_OPENSSL
      {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
  #endif
-@@ -380,6 +389,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
+@@ -359,6 +368,10 @@ monitor_child_preauth(Authctxt *_authctx
  		/* Permit requests for moduli and signatures */
  		monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
  		monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -1756,7 +1751,7 @@ index d3f87e1..7ebc76e 100644
  	} else {
  		mon_dispatch = mon_dispatch_proto15;
  
-@@ -488,6 +501,10 @@ monitor_child_postauth(struct monitor *pmonitor)
+@@ -467,6 +480,10 @@ monitor_child_postauth(struct monitor *p
  		monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
  		monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
  		monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1767,10 +1762,10 @@ index d3f87e1..7ebc76e 100644
  	} else {
  		mon_dispatch = mon_dispatch_postauth15;
  		monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
-@@ -1893,6 +1910,13 @@ mm_get_kex(Buffer *m)
- 	kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
- #endif
- 	kex->kex[KEX_C25519_SHA256] = kexc25519_server;
+@@ -1892,6 +1909,13 @@ monitor_apply_keystate(struct monitor *p
+ # endif
+ #endif /* WITH_OPENSSL */
+ 		kex->kex[KEX_C25519_SHA256] = kexc25519_server;
 +#ifdef GSSAPI
 +	if (options.gss_keyex) {
 +		kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
@@ -1778,10 +1773,10 @@ index d3f87e1..7ebc76e 100644
 +		kex->kex[KEX_GSS_GEX_SHA1] = kexgss_server;
 +	}
 +#endif
- 	kex->server = 1;
- 	kex->hostkey_type = buffer_get_int(m);
- 	kex->kex_type = buffer_get_int(m);
-@@ -2100,6 +2124,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
+ 		kex->load_host_public_key=&get_hostkey_public_by_type;
+ 		kex->load_host_private_key=&get_hostkey_private_by_type;
+ 		kex->host_key_index=&get_hostkey_index;
+@@ -1991,6 +2015,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
  	OM_uint32 major;
  	u_int len;
  
@@ -1791,7 +1786,7 @@ index d3f87e1..7ebc76e 100644
  	goid.elements = buffer_get_string(m, &len);
  	goid.length = len;
  
-@@ -2127,6 +2154,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
+@@ -2018,6 +2045,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
  	OM_uint32 flags = 0; /* GSI needs this */
  	u_int len;
  
@@ -1801,7 +1796,7 @@ index d3f87e1..7ebc76e 100644
  	in.value = buffer_get_string(m, &len);
  	in.length = len;
  	major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
-@@ -2144,6 +2174,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
+@@ -2035,6 +2065,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
  		monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
  		monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
  		monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -1809,7 +1804,7 @@ index d3f87e1..7ebc76e 100644
  	}
  	return (0);
  }
-@@ -2155,6 +2186,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
+@@ -2046,6 +2077,9 @@ mm_answer_gss_checkmic(int sock, Buffer
  	OM_uint32 ret;
  	u_int len;
  
@@ -1819,7 +1814,7 @@ index d3f87e1..7ebc76e 100644
  	gssbuf.value = buffer_get_string(m, &len);
  	gssbuf.length = len;
  	mic.value = buffer_get_string(m, &len);
-@@ -2181,7 +2215,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
+@@ -2072,7 +2106,11 @@ mm_answer_gss_userok(int sock, Buffer *m
  {
  	int authenticated;
  
@@ -1832,7 +1827,7 @@ index d3f87e1..7ebc76e 100644
  
  	buffer_clear(m);
  	buffer_put_int(m, authenticated);
-@@ -2194,5 +2232,73 @@ mm_answer_gss_userok(int sock, Buffer *m)
+@@ -2085,5 +2123,73 @@ mm_answer_gss_userok(int sock, Buffer *m
  	/* Monitor loop will terminate if authenticated */
  	return (authenticated);
  }
@@ -1906,10 +1901,9 @@ index d3f87e1..7ebc76e 100644
 +
  #endif /* GSSAPI */
  
-diff --git a/monitor.h b/monitor.h
-index 20e2b4a..ff79fbb 100644
---- a/monitor.h
-+++ b/monitor.h
+diff -up openssh-6.8p1/monitor.h.gsskex openssh-6.8p1/monitor.h
+--- openssh-6.8p1/monitor.h.gsskex	2015-03-18 11:24:48.834900865 +0100
++++ openssh-6.8p1/monitor.h	2015-03-18 11:24:48.878900760 +0100
 @@ -60,6 +60,8 @@ enum monitor_reqtype {
  #ifdef WITH_SELINUX
  	MONITOR_REQ_AUTHROLE = 80,
@@ -1919,11 +1913,10 @@ index 20e2b4a..ff79fbb 100644
  
  	MONITOR_REQ_PAM_START = 100,
  	MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
-diff --git a/monitor_wrap.c b/monitor_wrap.c
-index 82f114c..7e991e6 100644
---- a/monitor_wrap.c
-+++ b/monitor_wrap.c
-@@ -1300,7 +1300,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
+diff -up openssh-6.8p1/monitor_wrap.c.gsskex openssh-6.8p1/monitor_wrap.c
+--- openssh-6.8p1/monitor_wrap.c.gsskex	2015-03-18 11:24:48.834900865 +0100
++++ openssh-6.8p1/monitor_wrap.c	2015-03-18 11:24:48.878900760 +0100
+@@ -1087,7 +1087,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
  }
  
  int
@@ -1932,7 +1925,7 @@ index 82f114c..7e991e6 100644
  {
  	Buffer m;
  	int authenticated = 0;
-@@ -1317,5 +1317,50 @@ mm_ssh_gssapi_userok(char *user)
+@@ -1104,5 +1104,50 @@ mm_ssh_gssapi_userok(char *user)
  	debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
  	return (authenticated);
  }
@@ -1983,11 +1976,10 @@ index 82f114c..7e991e6 100644
 +
  #endif /* GSSAPI */
  
-diff --git a/monitor_wrap.h b/monitor_wrap.h
-index 9d5e5ba..93929e0 100644
---- a/monitor_wrap.h
-+++ b/monitor_wrap.h
-@@ -61,8 +61,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(Key *);
+diff -up openssh-6.8p1/monitor_wrap.h.gsskex openssh-6.8p1/monitor_wrap.h
+--- openssh-6.8p1/monitor_wrap.h.gsskex	2015-03-18 11:24:48.834900865 +0100
++++ openssh-6.8p1/monitor_wrap.h	2015-03-18 11:24:48.878900760 +0100
+@@ -61,8 +61,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K
  OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
  OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
     gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
@@ -1999,11 +1991,10 @@ index 9d5e5ba..93929e0 100644
  #endif
  
  #ifdef USE_PAM
-diff --git a/readconf.c b/readconf.c
-index 3f5c58b..1c07766 100644
---- a/readconf.c
-+++ b/readconf.c
-@@ -143,6 +143,8 @@ typedef enum {
+diff -up openssh-6.8p1/readconf.c.gsskex openssh-6.8p1/readconf.c
+--- openssh-6.8p1/readconf.c.gsskex	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/readconf.c	2015-03-18 11:24:48.879900758 +0100
+@@ -147,6 +147,8 @@ typedef enum {
  	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
  	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
  	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -2012,7 +2003,7 @@ index 3f5c58b..1c07766 100644
  	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
  	oSendEnv, oControlPath, oControlMaster, oControlPersist,
  	oHashKnownHosts,
-@@ -187,10 +189,19 @@ static struct {
+@@ -191,10 +193,19 @@ static struct {
  	{ "afstokenpassing", oUnsupported },
  #if defined(GSSAPI)
  	{ "gssapiauthentication", oGssAuthentication },
@@ -2032,7 +2023,7 @@ index 3f5c58b..1c07766 100644
  #endif
  	{ "fallbacktorsh", oDeprecated },
  	{ "usersh", oDeprecated },
-@@ -868,10 +879,30 @@ parse_time:
+@@ -892,10 +903,30 @@ parse_time:
  		intptr = &options->gss_authentication;
  		goto parse_flag;
  
@@ -2063,7 +2054,7 @@ index 3f5c58b..1c07766 100644
  	case oBatchMode:
  		intptr = &options->batch_mode;
  		goto parse_flag;
-@@ -1553,7 +1584,12 @@ initialize_options(Options * options)
+@@ -1601,7 +1632,12 @@ initialize_options(Options * options)
  	options->pubkey_authentication = -1;
  	options->challenge_response_authentication = -1;
  	options->gss_authentication = -1;
@@ -2076,7 +2067,7 @@ index 3f5c58b..1c07766 100644
  	options->password_authentication = -1;
  	options->kbd_interactive_authentication = -1;
  	options->kbd_interactive_devices = NULL;
-@@ -1677,8 +1713,14 @@ fill_default_options(Options * options)
+@@ -1728,8 +1764,14 @@ fill_default_options(Options * options)
  		options->challenge_response_authentication = 1;
  	if (options->gss_authentication == -1)
  		options->gss_authentication = 0;
@@ -2091,10 +2082,9 @@ index 3f5c58b..1c07766 100644
  	if (options->password_authentication == -1)
  		options->password_authentication = 1;
  	if (options->kbd_interactive_authentication == -1)
-diff --git a/readconf.h b/readconf.h
-index a028306..1dbe509 100644
---- a/readconf.h
-+++ b/readconf.h
+diff -up openssh-6.8p1/readconf.h.gsskex openssh-6.8p1/readconf.h
+--- openssh-6.8p1/readconf.h.gsskex	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/readconf.h	2015-03-18 11:24:48.879900758 +0100
 @@ -45,7 +45,12 @@ typedef struct {
  	int     challenge_response_authentication;
  					/* Try S/Key or TIS, authentication. */
@@ -2108,23 +2098,21 @@ index a028306..1dbe509 100644
  	int     password_authentication;	/* Try password
  						 * authentication. */
  	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
-diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
-index 1d9e0ed..1277409 100644
---- a/regress/cert-hostkey.sh
-+++ b/regress/cert-hostkey.sh
-@@ -17,7 +17,7 @@ ${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/host_ca_key ||\
- 	cat $OBJ/host_ca_key.pub
- ) > $OBJ/known_hosts-cert
+diff -up openssh-6.8p1/regress/cert-hostkey.sh.gsskex openssh-6.8p1/regress/cert-hostkey.sh
+--- openssh-6.8p1/regress/cert-hostkey.sh.gsskex	2015-03-18 11:24:48.879900758 +0100
++++ openssh-6.8p1/regress/cert-hostkey.sh	2015-03-18 12:15:49.556546478 +0100
+@@ -25,7 +25,7 @@ touch $OBJ/host_revoked_plain
+ touch $OBJ/host_revoked_cert
+ cp $OBJ/host_ca_key.pub $OBJ/host_revoked_ca
  
 -PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
 +PLAIN_TYPES=`$SSH -Q key-plain | grep -v null | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
  
  type_has_legacy() {
  	case $1 in
-diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
-index b093a91..4c8da00 100644
---- a/regress/cert-userkey.sh
-+++ b/regress/cert-userkey.sh
+diff -up openssh-6.8p1/regress/cert-userkey.sh.gsskex openssh-6.8p1/regress/cert-userkey.sh
+--- openssh-6.8p1/regress/cert-userkey.sh.gsskex	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/regress/cert-userkey.sh	2015-03-18 11:24:48.879900758 +0100
 @@ -6,7 +6,7 @@ tid="certified user keys"
  rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
  cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
@@ -2134,11 +2122,10 @@ index b093a91..4c8da00 100644
  
  type_has_legacy() {
  	case $1 in
-diff --git a/regress/kextype.sh b/regress/kextype.sh
-index 6f952f4..bcb609b 100644
---- a/regress/kextype.sh
-+++ b/regress/kextype.sh
-@@ -14,6 +14,9 @@ echo "KexAlgorithms=$KEXOPT" >> $OBJ/sshd_proxy
+diff -up openssh-6.8p1/regress/kextype.sh.gsskex openssh-6.8p1/regress/kextype.sh
+--- openssh-6.8p1/regress/kextype.sh.gsskex	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/regress/kextype.sh	2015-03-18 11:24:48.879900758 +0100
+@@ -14,6 +14,9 @@ echo "KexAlgorithms=$KEXOPT" >> $OBJ/ssh
  
  tries="1 2 3 4"
  for k in `${SSH} -Q kex`; do
@@ -2148,10 +2135,9 @@ index 6f952f4..bcb609b 100644
  	verbose "kex $k"
  	for i in $tries; do
  		${SSH} -F $OBJ/ssh_proxy -o KexAlgorithms=$k x true
-diff --git a/regress/rekey.sh b/regress/rekey.sh
-index fd452b0..1148197 100644
---- a/regress/rekey.sh
-+++ b/regress/rekey.sh
+diff -up openssh-6.8p1/regress/rekey.sh.gsskex openssh-6.8p1/regress/rekey.sh
+--- openssh-6.8p1/regress/rekey.sh.gsskex	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/regress/rekey.sh	2015-03-18 11:24:48.879900758 +0100
 @@ -38,6 +38,9 @@ increase_datafile_size 300
  
  opts=""
@@ -2172,11 +2158,10 @@ index fd452b0..1148197 100644
  	verbose "client rekey $c $kex"
  	ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c
      done
-diff --git a/servconf.c b/servconf.c
-index c8a3f28..179c20d 100644
---- a/servconf.c
-+++ b/servconf.c
-@@ -110,7 +110,10 @@ initialize_server_options(ServerOptions *options)
+diff -up openssh-6.8p1/servconf.c.gsskex openssh-6.8p1/servconf.c
+--- openssh-6.8p1/servconf.c.gsskex	2015-03-18 11:24:48.866900788 +0100
++++ openssh-6.8p1/servconf.c	2015-03-18 12:14:37.967721387 +0100
+@@ -114,7 +114,10 @@ initialize_server_options(ServerOptions
  	options->kerberos_ticket_cleanup = -1;
  	options->kerberos_get_afs_token = -1;
  	options->gss_authentication=-1;
@@ -2187,7 +2172,7 @@ index c8a3f28..179c20d 100644
  	options->password_authentication = -1;
  	options->kbd_interactive_authentication = -1;
  	options->challenge_response_authentication = -1;
-@@ -253,8 +256,14 @@ fill_default_server_options(ServerOptions *options)
+@@ -270,8 +273,14 @@ fill_default_server_options(ServerOption
  		options->kerberos_get_afs_token = 0;
  	if (options->gss_authentication == -1)
  		options->gss_authentication = 0;
@@ -2202,17 +2187,17 @@ index c8a3f28..179c20d 100644
  	if (options->password_authentication == -1)
  		options->password_authentication = 1;
  	if (options->kbd_interactive_authentication == -1)
-@@ -359,7 +368,8 @@ typedef enum {
+@@ -394,7 +403,8 @@ typedef enum {
  	sBanner, sShowPatchLevel, sUseDNS, sHostbasedAuthentication,
- 	sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
- 	sClientAliveCountMax, sAuthorizedKeysFile,
+ 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
+ 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
 -	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
 +	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
 +	sGssKeyEx, sGssStoreRekey, sAcceptEnv, sPermitTunnel,
  	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
  	sUsePrivilegeSeparation, sAllowAgentForwarding,
  	sHostCertificate,
-@@ -428,10 +438,20 @@ static struct {
+@@ -465,10 +475,20 @@ static struct {
  #ifdef GSSAPI
  	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
  	{ "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2233,7 +2218,7 @@ index c8a3f28..179c20d 100644
  	{ "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
  	{ "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
  	{ "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
-@@ -1113,10 +1133,22 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1170,10 +1190,22 @@ process_server_config_line(ServerOptions
  		intptr = &options->gss_authentication;
  		goto parse_flag;
  
@@ -2256,7 +2241,7 @@ index c8a3f28..179c20d 100644
  	case sPasswordAuthentication:
  		intptr = &options->password_authentication;
  		goto parse_flag;
-@@ -2070,6 +2102,9 @@ dump_config(ServerOptions *o)
+@@ -2134,6 +2166,9 @@ dump_config(ServerOptions *o)
  #ifdef GSSAPI
  	dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
  	dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
@@ -2266,11 +2251,10 @@ index c8a3f28..179c20d 100644
  #endif
  	dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
  	dump_cfg_fmtint(sKbdInteractiveAuthentication,
-diff --git a/servconf.h b/servconf.h
-index 21719e2..397698b 100644
---- a/servconf.h
-+++ b/servconf.h
-@@ -113,7 +113,10 @@ typedef struct {
+diff -up openssh-6.8p1/servconf.h.gsskex openssh-6.8p1/servconf.h
+--- openssh-6.8p1/servconf.h.gsskex	2015-03-18 11:24:48.866900788 +0100
++++ openssh-6.8p1/servconf.h	2015-03-18 11:24:48.880900755 +0100
+@@ -115,7 +115,10 @@ typedef struct {
  	int     kerberos_get_afs_token;		/* If true, try to get AFS token if
  						 * authenticated with Kerberos. */
  	int     gss_authentication;	/* If true, permit GSSAPI authentication */
@@ -2281,10 +2265,9 @@ index 21719e2..397698b 100644
  	int     password_authentication;	/* If true, permit password
  						 * authentication. */
  	int     kbd_interactive_authentication;	/* If true, permit */
-diff --git a/ssh-gss.h b/ssh-gss.h
-index a99d7f0..0374c88 100644
---- a/ssh-gss.h
-+++ b/ssh-gss.h
+diff -up openssh-6.8p1/ssh-gss.h.gsskex openssh-6.8p1/ssh-gss.h
+--- openssh-6.8p1/ssh-gss.h.gsskex	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/ssh-gss.h	2015-03-18 11:24:48.880900755 +0100
 @@ -1,6 +1,6 @@
  /* $OpenBSD: ssh-gss.h,v 1.11 2014/02/26 20:28:44 djm Exp $ */
  /*
@@ -2384,10 +2367,9 @@ index a99d7f0..0374c88 100644
  #endif /* GSSAPI */
  
  #endif /* _SSH_GSS_H */
-diff --git a/ssh_config b/ssh_config
-index 3f83c40..4a0fb82 100644
---- a/ssh_config
-+++ b/ssh_config
+diff -up openssh-6.8p1/ssh_config.gsskex openssh-6.8p1/ssh_config
+--- openssh-6.8p1/ssh_config.gsskex	2015-03-18 11:24:48.861900800 +0100
++++ openssh-6.8p1/ssh_config	2015-03-18 11:24:48.880900755 +0100
 @@ -26,6 +26,8 @@
  #   HostbasedAuthentication no
  #   GSSAPIAuthentication no
@@ -2397,11 +2379,10 @@ index 3f83c40..4a0fb82 100644
  #   BatchMode no
  #   CheckHostIP yes
  #   AddressFamily any
-diff --git a/ssh_config.5 b/ssh_config.5
-index f9ede7a..e6649ac 100644
---- a/ssh_config.5
-+++ b/ssh_config.5
-@@ -701,11 +701,43 @@ Specifies whether user authentication based on GSSAPI is allowed.
+diff -up openssh-6.8p1/ssh_config.5.gsskex openssh-6.8p1/ssh_config.5
+--- openssh-6.8p1/ssh_config.5.gsskex	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/ssh_config.5	2015-03-18 11:24:48.881900753 +0100
+@@ -743,11 +743,43 @@ Specifies whether user authentication ba
  The default is
  .Dq no .
  Note that this option applies to protocol version 2 only.
@@ -2446,13 +2427,12 @@ index f9ede7a..e6649ac 100644
  .It Cm HashKnownHosts
  Indicates that
  .Xr ssh 1
-diff --git a/sshconnect2.c b/sshconnect2.c
-index 4724b66..703f8e4 100644
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -159,9 +159,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
- 	char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
- 	Kex *kex;
+diff -up openssh-6.8p1/sshconnect2.c.gsskex openssh-6.8p1/sshconnect2.c
+--- openssh-6.8p1/sshconnect2.c.gsskex	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/sshconnect2.c	2015-03-18 11:32:36.879784546 +0100
+@@ -160,9 +160,34 @@ ssh_kex2(char *host, struct sockaddr *ho
+ 	struct kex *kex;
+ 	int r;
  
 +#ifdef GSSAPI
 +	char *orig = NULL, *gss = NULL;
@@ -2485,7 +2465,7 @@ index 4724b66..703f8e4 100644
  	if (options.ciphers == (char *)-1) {
  		logit("No valid ciphers for protocol version 2 given, using defaults.");
  		options.ciphers = NULL;
-@@ -199,6 +224,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -200,6 +225,17 @@ ssh_kex2(char *host, struct sockaddr *ho
  	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
  	    myproposal[PROPOSAL_KEX_ALGS]);
  
@@ -2503,10 +2483,10 @@ index 4724b66..703f8e4 100644
  	if (options.rekey_limit || options.rekey_interval)
  		packet_set_rekey_limits((u_int32_t)options.rekey_limit,
  		    (time_t)options.rekey_interval);
-@@ -213,10 +249,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -217,11 +253,31 @@ ssh_kex2(char *host, struct sockaddr *ho
  	kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
+ # endif
  #endif
- 	kex->kex[KEX_C25519_SHA256] = kexc25519_client;
 +#ifdef GSSAPI
 +	if (options.gss_keyex) {
 +		kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
@@ -2514,6 +2494,7 @@ index 4724b66..703f8e4 100644
 +		kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client;
 +	}
 +#endif
+ 	kex->kex[KEX_C25519_SHA256] = kexc25519_client;
  	kex->client_version_string=client_version_string;
  	kex->server_version_string=server_version_string;
  	kex->verify_host_key=&verify_host_key_callback;
@@ -2531,18 +2512,18 @@ index 4724b66..703f8e4 100644
 +	}
 +#endif
 +
- 	xxx_kex = kex;
+ 	dispatch_run(DISPATCH_BLOCK, &kex->done, active_state);
  
- 	dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
-@@ -306,6 +362,7 @@ void	input_gssapi_token(int type, u_int32_t, void *);
- void	input_gssapi_hash(int type, u_int32_t, void *);
- void	input_gssapi_error(int, u_int32_t, void *);
- void	input_gssapi_errtok(int, u_int32_t, void *);
+ 	if (options.use_roaming && !kex->roaming) {
+@@ -313,6 +369,7 @@ int	input_gssapi_token(int type, u_int32
+ int	input_gssapi_hash(int type, u_int32_t, void *);
+ int	input_gssapi_error(int, u_int32_t, void *);
+ int	input_gssapi_errtok(int, u_int32_t, void *);
 +int	userauth_gsskeyex(Authctxt *authctxt);
  #endif
  
  void	userauth(Authctxt *, char *);
-@@ -321,6 +378,11 @@ static char *authmethods_get(void);
+@@ -328,6 +385,11 @@ static char *authmethods_get(void);
  
  Authmethod authmethods[] = {
  #ifdef GSSAPI
@@ -2554,7 +2535,7 @@ index 4724b66..703f8e4 100644
  	{"gssapi-with-mic",
  		userauth_gssapi,
  		NULL,
-@@ -617,19 +679,31 @@ userauth_gssapi(Authctxt *authctxt)
+@@ -634,19 +696,31 @@ userauth_gssapi(Authctxt *authctxt)
  	static u_int mech = 0;
  	OM_uint32 min;
  	int ok = 0;
@@ -2588,7 +2569,7 @@ index 4724b66..703f8e4 100644
  			ok = 1; /* Mechanism works */
  		} else {
  			mech++;
-@@ -726,8 +800,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
+@@ -743,8 +817,8 @@ input_gssapi_response(int type, u_int32_
  {
  	Authctxt *authctxt = ctxt;
  	Gssctxt *gssctxt;
@@ -2599,9 +2580,9 @@ index 4724b66..703f8e4 100644
  
  	if (authctxt == NULL)
  		fatal("input_gssapi_response: no authentication context");
-@@ -836,6 +910,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
- 	free(msg);
+@@ -857,6 +931,48 @@ input_gssapi_error(int type, u_int32_t p
  	free(lang);
+ 	return 0;
  }
 +
 +int
@@ -2648,11 +2629,10 @@ index 4724b66..703f8e4 100644
  #endif /* GSSAPI */
  
  int
-diff --git a/sshd.c b/sshd.c
-index f7b8aba..2871fe9 100644
---- a/sshd.c
-+++ b/sshd.c
-@@ -1761,10 +1761,13 @@ main(int ac, char **av)
+diff -up openssh-6.8p1/sshd.c.gsskex openssh-6.8p1/sshd.c
+--- openssh-6.8p1/sshd.c.gsskex	2015-03-18 11:24:48.869900781 +0100
++++ openssh-6.8p1/sshd.c	2015-03-18 11:35:53.260315986 +0100
+@@ -1831,10 +1831,13 @@ main(int ac, char **av)
  		logit("Disabling protocol version 1. Could not load host key");
  		options.protocol &= ~SSH_PROTO_1;
  	}
@@ -2666,7 +2646,7 @@ index f7b8aba..2871fe9 100644
  	if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
  		logit("sshd: no hostkeys available -- exiting.");
  		exit(1);
-@@ -2501,6 +2504,49 @@ do_ssh2_kex(void)
+@@ -2580,6 +2583,48 @@ do_ssh2_kex(void)
  	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
  	    list_hostkey_types());
  
@@ -2712,12 +2692,11 @@ index f7b8aba..2871fe9 100644
 +	}
 +#endif
 +
-+
  	/* start key exchange */
- 	kex = kex_setup(myproposal);
- #ifdef WITH_OPENSSL
-@@ -2511,6 +2557,13 @@ do_ssh2_kex(void)
- 	kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+ 	if ((r = kex_setup(active_state, myproposal)) != 0)
+ 		fatal("kex_setup: %s", ssh_err(r));
+@@ -2594,6 +2639,13 @@ do_ssh2_kex(void)
+ # endif
  #endif
  	kex->kex[KEX_C25519_SHA256] = kexc25519_server;
 +#ifdef GSSAPI
@@ -2730,10 +2709,9 @@ index f7b8aba..2871fe9 100644
  	kex->server = 1;
  	kex->client_version_string=client_version_string;
  	kex->server_version_string=server_version_string;
-diff --git a/sshd_config b/sshd_config
-index 7061f75..f4796fc 100644
---- a/sshd_config
-+++ b/sshd_config
+diff -up openssh-6.8p1/sshd_config.gsskex openssh-6.8p1/sshd_config
+--- openssh-6.8p1/sshd_config.gsskex	2015-03-18 11:24:48.869900781 +0100
++++ openssh-6.8p1/sshd_config	2015-03-18 11:24:48.882900750 +0100
 @@ -91,6 +91,8 @@ ChallengeResponseAuthentication no
  # GSSAPI options
  GSSAPIAuthentication yes
@@ -2743,11 +2721,10 @@ index 7061f75..f4796fc 100644
  
  # Set this to 'yes' to enable PAM authentication, account processing,
  # and session processing. If this is enabled, PAM authentication will
-diff --git a/sshd_config.5 b/sshd_config.5
-index cccb310..8ad79d9 100644
---- a/sshd_config.5
-+++ b/sshd_config.5
-@@ -536,12 +536,40 @@ Specifies whether user authentication based on GSSAPI is allowed.
+diff -up openssh-6.8p1/sshd_config.5.gsskex openssh-6.8p1/sshd_config.5
+--- openssh-6.8p1/sshd_config.5.gsskex	2015-03-18 11:24:48.882900750 +0100
++++ openssh-6.8p1/sshd_config.5	2015-03-18 12:12:57.914965842 +0100
+@@ -564,12 +564,40 @@ Specifies whether user authentication ba
  The default is
  .Dq no .
  Note that this option applies to protocol version 2 only.
@@ -2785,6 +2762,6 @@ index cccb310..8ad79d9 100644
 +successful connection rekeying. This option can be used to accepted renewed 
 +or updated credentials from a compatible client. The default is
 +.Dq no .
- .It Cm HostbasedAuthentication
- Specifies whether rhosts or /etc/hosts.equiv authentication together
- with successful public key client host authentication is allowed
+ .It Cm HostbasedAcceptedKeyTypes
+ Specifies the key types that will be accepted for hostbased authentication
+ as a comma-separated pattern list.
diff --git a/openssh-6.6p1-keycat.patch b/openssh-6.6p1-keycat.patch
index 4cbe95d..be79371 100644
--- a/openssh-6.6p1-keycat.patch
+++ b/openssh-6.6p1-keycat.patch
@@ -1,8 +1,6 @@
-diff --git a/HOWTO.ssh-keycat b/HOWTO.ssh-keycat
-new file mode 100644
-index 0000000..630ec62
---- /dev/null
-+++ b/HOWTO.ssh-keycat
+diff -up openssh-6.8p1/HOWTO.ssh-keycat.keycat openssh-6.8p1/HOWTO.ssh-keycat
+--- openssh-6.8p1/HOWTO.ssh-keycat.keycat	2015-03-18 11:13:43.063482958 +0100
++++ openssh-6.8p1/HOWTO.ssh-keycat	2015-03-18 11:13:43.063482958 +0100
 @@ -0,0 +1,12 @@
 +The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys
 +of an user in any environment. This includes environments with
@@ -16,10 +14,9 @@ index 0000000..630ec62
 +        PubkeyAuthentication yes
 +
 +
-diff --git a/Makefile.in b/Makefile.in
-index f02aa1e..b225217 100644
---- a/Makefile.in
-+++ b/Makefile.in
+diff -up openssh-6.8p1/Makefile.in.keycat openssh-6.8p1/Makefile.in
+--- openssh-6.8p1/Makefile.in.keycat	2015-03-18 11:13:43.061482963 +0100
++++ openssh-6.8p1/Makefile.in	2015-03-18 11:14:22.480389291 +0100
 @@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
  SSH_KEYSIGN=$(libexecdir)/ssh-keysign
  SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
@@ -33,13 +30,13 @@ index f02aa1e..b225217 100644
  INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
  
 -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
-+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) 
++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
  
  LIBOPENSSH_OBJS=\
- 	ssherr.o \
-@@ -186,6 +187,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11
- ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
- 	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+ 	ssh_api.o \
+@@ -190,6 +191,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
+ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o sshbuf-getput-basic.o ssherr.o
+ 	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o sshbuf-getput-basic.o ssherr.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
  
 +ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o
 +	$(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(SSHLIBS)
@@ -47,7 +44,7 @@ index f02aa1e..b225217 100644
  ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
  	$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
  
-@@ -305,6 +309,7 @@ install-files:
+@@ -321,6 +325,7 @@ install-files:
  		$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
  		$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
  	fi
@@ -55,11 +52,10 @@ index f02aa1e..b225217 100644
  	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
  	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
  	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-diff --git a/auth2-pubkey.c b/auth2-pubkey.c
-index 12f5afd..269e642 100644
---- a/auth2-pubkey.c
-+++ b/auth2-pubkey.c
-@@ -602,6 +602,14 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
+diff -up openssh-6.8p1/auth2-pubkey.c.keycat openssh-6.8p1/auth2-pubkey.c
+--- openssh-6.8p1/auth2-pubkey.c.keycat	2015-03-18 11:13:43.053482982 +0100
++++ openssh-6.8p1/auth2-pubkey.c	2015-03-18 11:13:43.063482958 +0100
+@@ -623,6 +623,14 @@ user_key_command_allowed2(struct passwd
  			_exit(1);
  		}
  
@@ -74,10 +70,9 @@ index 12f5afd..269e642 100644
  		execl(options.authorized_keys_command,
  		    options.authorized_keys_command, user_pw->pw_name, NULL);
  
-diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c
-index 265bd3a..8f32464 100644
---- a/openbsd-compat/port-linux-sshd.c
-+++ b/openbsd-compat/port-linux-sshd.c
+diff -up openssh-6.8p1/openbsd-compat/port-linux-sshd.c.keycat openssh-6.8p1/openbsd-compat/port-linux-sshd.c
+--- openssh-6.8p1/openbsd-compat/port-linux-sshd.c.keycat	2015-03-18 11:13:43.057482972 +0100
++++ openssh-6.8p1/openbsd-compat/port-linux-sshd.c	2015-03-18 11:13:43.063482958 +0100
 @@ -54,6 +54,20 @@ extern Authctxt *the_authctxt;
  extern int inetd_flag;
  extern int rexeced_flag;
@@ -153,7 +148,7 @@ index 265bd3a..8f32464 100644
  /* Set the execution context to the default for the specified user */
  void
  sshd_selinux_setup_exec_context(char *pwname)
-@@ -344,7 +376,7 @@ sshd_selinux_setup_exec_context(char *pwname)
+@@ -344,7 +376,7 @@ sshd_selinux_setup_exec_context(char *pw
  	int r = 0;
  	security_context_t default_ctx = NULL;
  
@@ -171,11 +166,10 @@ index 265bd3a..8f32464 100644
  		return;
  
  	if (getexeccon((security_context_t *)&ctx) != 0) {
-diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
-index b18893c..cb51f99 100644
---- a/openbsd-compat/port-linux.h
-+++ b/openbsd-compat/port-linux.h
-@@ -25,8 +25,10 @@ void ssh_selinux_setup_pty(char *, const char *);
+diff -up openssh-6.8p1/openbsd-compat/port-linux.h.keycat openssh-6.8p1/openbsd-compat/port-linux.h
+--- openssh-6.8p1/openbsd-compat/port-linux.h.keycat	2015-03-18 11:13:43.057482972 +0100
++++ openssh-6.8p1/openbsd-compat/port-linux.h	2015-03-18 11:13:43.063482958 +0100
+@@ -25,8 +25,10 @@ void ssh_selinux_setup_pty(char *, const
  void ssh_selinux_change_context(const char *);
  void ssh_selinux_setfscreatecon(const char *);
  
@@ -186,11 +180,10 @@ index b18893c..cb51f99 100644
  #endif
  
  #ifdef LINUX_OOM_ADJUST
-diff --git a/platform.c b/platform.c
-index 84c47fa..6d876cb 100644
---- a/platform.c
-+++ b/platform.c
-@@ -103,7 +103,7 @@ platform_setusercontext(struct passwd *pw)
+diff -up openssh-6.8p1/platform.c.keycat openssh-6.8p1/platform.c
+--- openssh-6.8p1/platform.c.keycat	2015-03-18 11:13:43.055482977 +0100
++++ openssh-6.8p1/platform.c	2015-03-18 11:13:43.063482958 +0100
+@@ -103,7 +103,7 @@ platform_setusercontext(struct passwd *p
  {
  #ifdef WITH_SELINUX
  	/* Cache selinux status for later use */
@@ -199,11 +192,9 @@ index 84c47fa..6d876cb 100644
  #endif
  
  #ifdef USE_SOLARIS_PROJECTS
-diff --git a/ssh-keycat.c b/ssh-keycat.c
-new file mode 100644
-index 0000000..f8ed7af
---- /dev/null
-+++ b/ssh-keycat.c
+diff -up openssh-6.8p1/ssh-keycat.c.keycat openssh-6.8p1/ssh-keycat.c
+--- openssh-6.8p1/ssh-keycat.c.keycat	2015-03-18 11:13:43.064482956 +0100
++++ openssh-6.8p1/ssh-keycat.c	2015-03-18 11:13:43.064482956 +0100
 @@ -0,0 +1,238 @@
 +/*
 + * Redistribution and use in source and binary forms, with or without
diff --git a/openssh-6.6p1-kuserok.patch b/openssh-6.6p1-kuserok.patch
index b0b12a6..9e93051 100644
--- a/openssh-6.6p1-kuserok.patch
+++ b/openssh-6.6p1-kuserok.patch
@@ -1,7 +1,6 @@
-diff --git a/auth-krb5.c b/auth-krb5.c
-index 0089b18..8480261 100644
---- a/auth-krb5.c
-+++ b/auth-krb5.c
+diff -up openssh-6.8p1/auth-krb5.c.kuserok openssh-6.8p1/auth-krb5.c
+--- openssh-6.8p1/auth-krb5.c.kuserok	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/auth-krb5.c	2015-03-18 12:37:14.349351304 +0100
 @@ -55,6 +55,21 @@
  
  extern ServerOptions	 options;
@@ -24,7 +23,7 @@ index 0089b18..8480261 100644
  static int
  krb5_init(void *context)
  {
-@@ -158,8 +173,9 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
+@@ -158,8 +173,9 @@ auth_krb5_password(Authctxt *authctxt, c
  	if (problem)
  		goto out;
  
@@ -36,11 +35,10 @@ index 0089b18..8480261 100644
  		problem = -1;
  		goto out;
  	}
-diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
-index 54dd383..961c564 100644
---- a/gss-serv-krb5.c
-+++ b/gss-serv-krb5.c
-@@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_principal, const char *, const char *,
+diff -up openssh-6.8p1/gss-serv-krb5.c.kuserok openssh-6.8p1/gss-serv-krb5.c
+--- openssh-6.8p1/gss-serv-krb5.c.kuserok	2015-03-18 12:37:14.346351312 +0100
++++ openssh-6.8p1/gss-serv-krb5.c	2015-03-18 12:37:14.349351304 +0100
+@@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr
      int);
  
  static krb5_context krb_context = NULL;
@@ -152,7 +150,7 @@ index 54dd383..961c564 100644
  static int
  ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
  {
-@@ -116,7 +214,8 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
+@@ -116,7 +214,8 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
  	/* NOTE: .k5login and .k5users must opened as root, not the user,
  	 * because if they are on a krb5-protected filesystem, user credentials
  	 * to access these files aren't available yet. */
@@ -162,7 +160,7 @@ index 54dd383..961c564 100644
  		retval = 1;
  		logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
  		    name, (char *)client->displayname.value);
-@@ -171,9 +270,8 @@ ssh_gssapi_krb5_cmdok(krb5_principal principal, const char *name,
+@@ -171,9 +270,8 @@ ssh_gssapi_krb5_cmdok(krb5_principal pri
  	snprintf(file, sizeof(file), "%s/.k5users", pw->pw_dir);
  	/* If both .k5login and .k5users DNE, self-login is ok. */
  	if (!k5login_exists && (access(file, F_OK) == -1)) {
@@ -174,19 +172,18 @@ index 54dd383..961c564 100644
  	}
  	if ((fp = fopen(file, "r")) == NULL) {
  		int saved_errno = errno;
-diff --git a/servconf.c b/servconf.c
-index 179c20d..d17ed04 100644
---- a/servconf.c
-+++ b/servconf.c
-@@ -163,6 +163,7 @@ initialize_server_options(ServerOptions *options)
+diff -up openssh-6.8p1/servconf.c.kuserok openssh-6.8p1/servconf.c
+--- openssh-6.8p1/servconf.c.kuserok	2015-03-18 12:37:14.342351322 +0100
++++ openssh-6.8p1/servconf.c	2015-03-18 12:38:36.133145700 +0100
+@@ -167,6 +167,7 @@ initialize_server_options(ServerOptions
  	options->ip_qos_bulk = -1;
  	options->version_addendum = NULL;
  	options->fingerprint_hash = -1;
 +	options->use_kuserok = -1;
  }
  
- void
-@@ -328,6 +329,8 @@ fill_default_server_options(ServerOptions *options)
+ /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
+@@ -345,6 +346,8 @@ fill_default_server_options(ServerOption
  		options->fwd_opts.streamlocal_bind_unlink = 0;
  	if (options->fingerprint_hash == -1)
  		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
@@ -195,8 +192,8 @@ index 179c20d..d17ed04 100644
  	/* Turn privilege separation on by default */
  	if (use_privsep == -1)
  		use_privsep = PRIVSEP_NOSANDBOX;
-@@ -353,7 +356,7 @@ typedef enum {
- 	sPermitRootLogin, sLogFacility, sLogLevel,
+@@ -388,7 +391,7 @@ typedef enum {
+ 	sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel,
  	sRhostsRSAAuthentication, sRSAAuthentication,
  	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
 -	sKerberosGetAFSToken,
@@ -204,7 +201,7 @@ index 179c20d..d17ed04 100644
  	sKerberosTgtPassing, sChallengeResponseAuthentication,
  	sPasswordAuthentication, sKbdInteractiveAuthentication,
  	sListenAddress, sAddressFamily,
-@@ -427,11 +430,13 @@ static struct {
+@@ -464,11 +467,13 @@ static struct {
  #else
  	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
  #endif
@@ -218,7 +215,7 @@ index 179c20d..d17ed04 100644
  #endif
  	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
  	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
-@@ -1557,6 +1562,10 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1614,6 +1619,10 @@ process_server_config_line(ServerOptions
  		*activep = value;
  		break;
  
@@ -229,7 +226,7 @@ index 179c20d..d17ed04 100644
  	case sPermitOpen:
  		arg = strdelim(&cp);
  		if (!arg || *arg == '\0')
-@@ -1872,6 +1881,7 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
+@@ -1935,6 +1944,7 @@ copy_set_server_options(ServerOptions *d
  	M_CP_INTOPT(max_authtries);
  	M_CP_INTOPT(ip_qos_interactive);
  	M_CP_INTOPT(ip_qos_bulk);
@@ -237,7 +234,7 @@ index 179c20d..d17ed04 100644
  	M_CP_INTOPT(rekey_limit);
  	M_CP_INTOPT(rekey_interval);
  
-@@ -2130,6 +2140,7 @@ dump_config(ServerOptions *o)
+@@ -2194,6 +2204,7 @@ dump_config(ServerOptions *o)
  	dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
  	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
  	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
@@ -245,11 +242,10 @@ index 179c20d..d17ed04 100644
  
  	/* string arguments */
  	dump_cfg_string(sPidFile, o->pid_file);
-diff --git a/servconf.h b/servconf.h
-index 397698b..cf2a505 100644
---- a/servconf.h
-+++ b/servconf.h
-@@ -175,6 +175,7 @@ typedef struct {
+diff -up openssh-6.8p1/servconf.h.kuserok openssh-6.8p1/servconf.h
+--- openssh-6.8p1/servconf.h.kuserok	2015-03-18 12:37:14.342351322 +0100
++++ openssh-6.8p1/servconf.h	2015-03-18 12:37:14.350351302 +0100
+@@ -177,6 +177,7 @@ typedef struct {
  
  	int	num_permitted_opens;
  
@@ -257,10 +253,9 @@ index 397698b..cf2a505 100644
  	char   *chroot_directory;
  	char   *revoked_keys_file;
  	char   *trusted_user_ca_keys;
-diff --git a/sshd_config b/sshd_config
-index f4796fc..0d9454d 100644
---- a/sshd_config
-+++ b/sshd_config
+diff -up openssh-6.8p1/sshd_config.kuserok openssh-6.8p1/sshd_config
+--- openssh-6.8p1/sshd_config.kuserok	2015-03-18 12:37:14.344351317 +0100
++++ openssh-6.8p1/sshd_config	2015-03-18 12:37:14.350351302 +0100
 @@ -87,6 +87,7 @@ ChallengeResponseAuthentication no
  #KerberosOrLocalPasswd yes
  #KerberosTicketCleanup yes
@@ -269,11 +264,10 @@ index f4796fc..0d9454d 100644
  
  # GSSAPI options
  GSSAPIAuthentication yes
-diff --git a/sshd_config.5 b/sshd_config.5
-index 8ad79d9..eb4dd9e 100644
---- a/sshd_config.5
-+++ b/sshd_config.5
-@@ -740,6 +740,10 @@ Specifies whether to automatically destroy the user's ticket cache
+diff -up openssh-6.8p1/sshd_config.5.kuserok openssh-6.8p1/sshd_config.5
+--- openssh-6.8p1/sshd_config.5.kuserok	2015-03-18 12:37:14.343351319 +0100
++++ openssh-6.8p1/sshd_config.5	2015-03-18 12:39:23.373026939 +0100
+@@ -779,6 +779,10 @@ Specifies whether to automatically destr
  file on logout.
  The default is
  .Dq yes .
@@ -284,8 +278,8 @@ index 8ad79d9..eb4dd9e 100644
  .It Cm KexAlgorithms
  Specifies the available KEX (Key Exchange) algorithms.
  Multiple algorithms must be comma-separated.
-@@ -961,6 +965,7 @@ Available keywords are
- .Cm HostbasedUsesNameFromPacketOnly ,
+@@ -1017,6 +1021,7 @@ Available keywords are
+ .Cm IPQoS ,
  .Cm KbdInteractiveAuthentication ,
  .Cm KerberosAuthentication ,
 +.Cm KerberosUseKuserok ,
diff --git a/openssh-6.6p1-role-mls.patch b/openssh-6.6p1-role-mls.patch
index 02e81e6..e058f1e 100644
--- a/openssh-6.6p1-role-mls.patch
+++ b/openssh-6.6p1-role-mls.patch
@@ -1,7 +1,6 @@
-diff --git a/auth-pam.c b/auth-pam.c
-index d789bad..cd1a775 100644
---- a/auth-pam.c
-+++ b/auth-pam.c
+diff -up openssh-6.8p1/auth-pam.c.role-mls openssh-6.8p1/auth-pam.c
+--- openssh-6.8p1/auth-pam.c.role-mls	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/auth-pam.c	2015-03-18 11:04:21.045817122 +0100
 @@ -1068,7 +1068,7 @@ is_pam_session_open(void)
   * during the ssh authentication process.
   */
@@ -11,10 +10,9 @@ index d789bad..cd1a775 100644
  {
  	int ret = 1;
  #ifdef HAVE_PAM_PUTENV
-diff --git a/auth-pam.h b/auth-pam.h
-index a1a2b52..b109a5a 100644
---- a/auth-pam.h
-+++ b/auth-pam.h
+diff -up openssh-6.8p1/auth-pam.h.role-mls openssh-6.8p1/auth-pam.h
+--- openssh-6.8p1/auth-pam.h.role-mls	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/auth-pam.h	2015-03-18 11:04:21.045817122 +0100
 @@ -38,7 +38,7 @@ void do_pam_session(void);
  void do_pam_set_tty(const char *);
  void do_pam_setcred(int );
@@ -24,11 +22,10 @@ index a1a2b52..b109a5a 100644
  char ** fetch_pam_environment(void);
  char ** fetch_pam_child_environment(void);
  void free_pam_environment(char **);
-diff --git a/auth.h b/auth.h
-index d081c94..847cffd 100644
---- a/auth.h
-+++ b/auth.h
-@@ -59,6 +59,9 @@ struct Authctxt {
+diff -up openssh-6.8p1/auth.h.role-mls openssh-6.8p1/auth.h
+--- openssh-6.8p1/auth.h.role-mls	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/auth.h	2015-03-18 11:04:21.045817122 +0100
+@@ -62,6 +62,9 @@ struct Authctxt {
  	char		*service;
  	struct passwd	*pw;		/* set if 'valid' */
  	char		*style;
@@ -38,11 +35,10 @@ index d081c94..847cffd 100644
  	void		*kbdintctxt;
  	char		*info;		/* Extra info for next auth_log */
  #ifdef BSD_AUTH
-diff --git a/auth1.c b/auth1.c
-index 5038828..f0a98d2 100644
---- a/auth1.c
-+++ b/auth1.c
-@@ -382,6 +382,9 @@ do_authentication(Authctxt *authctxt)
+diff -up openssh-6.8p1/auth1.c.role-mls openssh-6.8p1/auth1.c
+--- openssh-6.8p1/auth1.c.role-mls	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/auth1.c	2015-03-18 11:04:21.046817119 +0100
+@@ -384,6 +384,9 @@ do_authentication(Authctxt *authctxt)
  {
  	u_int ulen;
  	char *user, *style = NULL;
@@ -52,7 +48,7 @@ index 5038828..f0a98d2 100644
  
  	/* Get the name of the user that we wish to log in as. */
  	packet_read_expect(SSH_CMSG_USER);
-@@ -390,11 +393,24 @@ do_authentication(Authctxt *authctxt)
+@@ -392,11 +395,24 @@ do_authentication(Authctxt *authctxt)
  	user = packet_get_cstring(&ulen);
  	packet_check_eom();
  
@@ -77,11 +73,10 @@ index 5038828..f0a98d2 100644
  
  	/* Verify that the user is a valid user. */
  	if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
-diff --git a/auth2-gss.c b/auth2-gss.c
-index 447f896..4803e7e 100644
---- a/auth2-gss.c
-+++ b/auth2-gss.c
-@@ -252,6 +252,7 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
+diff -up openssh-6.8p1/auth2-gss.c.role-mls openssh-6.8p1/auth2-gss.c
+--- openssh-6.8p1/auth2-gss.c.role-mls	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/auth2-gss.c	2015-03-18 11:04:21.046817119 +0100
+@@ -255,6 +255,7 @@ input_gssapi_mic(int type, u_int32_t ple
  	Authctxt *authctxt = ctxt;
  	Gssctxt *gssctxt;
  	int authenticated = 0;
@@ -89,7 +84,7 @@ index 447f896..4803e7e 100644
  	Buffer b;
  	gss_buffer_desc mic, gssbuf;
  	u_int len;
-@@ -264,7 +265,13 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
+@@ -267,7 +268,13 @@ input_gssapi_mic(int type, u_int32_t ple
  	mic.value = packet_get_string(&len);
  	mic.length = len;
  
@@ -104,7 +99,7 @@ index 447f896..4803e7e 100644
  	    "gssapi-with-mic");
  
  	gssbuf.value = buffer_ptr(&b);
-@@ -276,6 +283,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
+@@ -279,6 +286,8 @@ input_gssapi_mic(int type, u_int32_t ple
  		logit("GSSAPI MIC check failed");
  
  	buffer_free(&b);
@@ -113,11 +108,10 @@ index 447f896..4803e7e 100644
  	free(mic.value);
  
  	authctxt->postponed = 0;
-diff --git a/auth2-hostbased.c b/auth2-hostbased.c
-index b7ae353..41f1a3f 100644
---- a/auth2-hostbased.c
-+++ b/auth2-hostbased.c
-@@ -113,7 +113,15 @@ userauth_hostbased(Authctxt *authctxt)
+diff -up openssh-6.8p1/auth2-hostbased.c.role-mls openssh-6.8p1/auth2-hostbased.c
+--- openssh-6.8p1/auth2-hostbased.c.role-mls	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/auth2-hostbased.c	2015-03-18 11:04:21.046817119 +0100
+@@ -122,7 +122,15 @@ userauth_hostbased(Authctxt *authctxt)
  	buffer_put_string(&b, session_id2, session_id2_len);
  	/* reconstruct packet */
  	buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
@@ -134,11 +128,10 @@ index b7ae353..41f1a3f 100644
  	buffer_put_cstring(&b, service);
  	buffer_put_cstring(&b, "hostbased");
  	buffer_put_string(&b, pkalg, alen);
-diff --git a/auth2-pubkey.c b/auth2-pubkey.c
-index 3f4f789..12f5afd 100644
---- a/auth2-pubkey.c
-+++ b/auth2-pubkey.c
-@@ -133,9 +133,11 @@ userauth_pubkey(Authctxt *authctxt)
+diff -up openssh-6.8p1/auth2-pubkey.c.role-mls openssh-6.8p1/auth2-pubkey.c
+--- openssh-6.8p1/auth2-pubkey.c.role-mls	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/auth2-pubkey.c	2015-03-18 11:04:21.046817119 +0100
+@@ -145,9 +145,11 @@ userauth_pubkey(Authctxt *authctxt)
  		}
  		/* reconstruct packet */
  		buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
@@ -152,11 +145,10 @@ index 3f4f789..12f5afd 100644
  		buffer_put_cstring(&b, userstyle);
  		free(userstyle);
  		buffer_put_cstring(&b,
-diff --git a/auth2.c b/auth2.c
-index d9b440a..d6fbc93 100644
---- a/auth2.c
-+++ b/auth2.c
-@@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
+diff -up openssh-6.8p1/auth2.c.role-mls openssh-6.8p1/auth2.c
+--- openssh-6.8p1/auth2.c.role-mls	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/auth2.c	2015-03-18 11:04:21.046817119 +0100
+@@ -215,6 +215,9 @@ input_userauth_request(int type, u_int32
  	Authctxt *authctxt = ctxt;
  	Authmethod *m = NULL;
  	char *user, *service, *method, *style = NULL;
@@ -166,7 +158,7 @@ index d9b440a..d6fbc93 100644
  	int authenticated = 0;
  
  	if (authctxt == NULL)
-@@ -227,6 +230,11 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
+@@ -226,6 +229,11 @@ input_userauth_request(int type, u_int32
  	debug("userauth-request for user %s service %s method %s", user, service, method);
  	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
  
@@ -178,7 +170,7 @@ index d9b440a..d6fbc93 100644
  	if ((style = strchr(user, ':')) != NULL)
  		*style++ = 0;
  
-@@ -252,8 +260,15 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
+@@ -251,8 +259,15 @@ input_userauth_request(int type, u_int32
  		    use_privsep ? " [net]" : "");
  		authctxt->service = xstrdup(service);
  		authctxt->style = style ? xstrdup(style) : NULL;
@@ -195,10 +187,9 @@ index d9b440a..d6fbc93 100644
  		userauth_banner();
  		if (auth2_setup_methods_lists(authctxt) != 0)
  			packet_disconnect("no authentication methods enabled");
-diff --git a/misc.c b/misc.c
-index 94b05b0..651c21b 100644
---- a/misc.c
-+++ b/misc.c
+diff -up openssh-6.8p1/misc.c.role-mls openssh-6.8p1/misc.c
+--- openssh-6.8p1/misc.c.role-mls	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/misc.c	2015-03-18 11:04:21.046817119 +0100
 @@ -431,6 +431,7 @@ char *
  colon(char *cp)
  {
@@ -221,11 +212,10 @@ index 94b05b0..651c21b 100644
  	}
  	return NULL;
  }
-diff --git a/monitor.c b/monitor.c
-index dbe29f1..d3f87e1 100644
---- a/monitor.c
-+++ b/monitor.c
-@@ -148,6 +148,9 @@ int mm_answer_sign(int, Buffer *);
+diff -up openssh-6.8p1/monitor.c.role-mls openssh-6.8p1/monitor.c
+--- openssh-6.8p1/monitor.c.role-mls	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/monitor.c	2015-03-18 11:04:21.047817117 +0100
+@@ -127,6 +127,9 @@ int mm_answer_sign(int, Buffer *);
  int mm_answer_pwnamallow(int, Buffer *);
  int mm_answer_auth2_read_banner(int, Buffer *);
  int mm_answer_authserv(int, Buffer *);
@@ -235,7 +225,7 @@ index dbe29f1..d3f87e1 100644
  int mm_answer_authpassword(int, Buffer *);
  int mm_answer_bsdauthquery(int, Buffer *);
  int mm_answer_bsdauthrespond(int, Buffer *);
-@@ -227,6 +230,9 @@ struct mon_table mon_dispatch_proto20[] = {
+@@ -206,6 +209,9 @@ struct mon_table mon_dispatch_proto20[]
      {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
      {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
      {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -245,7 +235,7 @@ index dbe29f1..d3f87e1 100644
      {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
      {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
  #ifdef USE_PAM
-@@ -824,6 +830,9 @@ mm_answer_pwnamallow(int sock, Buffer *m)
+@@ -862,6 +868,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
  	else {
  		/* Allow service/style information on the auth context */
  		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -255,7 +245,7 @@ index dbe29f1..d3f87e1 100644
  		monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
  	}
  #ifdef USE_PAM
-@@ -865,6 +874,25 @@ mm_answer_authserv(int sock, Buffer *m)
+@@ -903,6 +912,25 @@ mm_answer_authserv(int sock, Buffer *m)
  	return (0);
  }
  
@@ -281,7 +271,7 @@ index dbe29f1..d3f87e1 100644
  int
  mm_answer_authpassword(int sock, Buffer *m)
  {
-@@ -1241,7 +1269,7 @@ static int
+@@ -1291,7 +1319,7 @@ static int
  monitor_valid_userblob(u_char *data, u_int datalen)
  {
  	Buffer b;
@@ -290,7 +280,7 @@ index dbe29f1..d3f87e1 100644
  	u_int len;
  	int fail = 0;
  
-@@ -1267,6 +1295,8 @@ monitor_valid_userblob(u_char *data, u_int datalen)
+@@ -1317,6 +1345,8 @@ monitor_valid_userblob(u_char *data, u_i
  	if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
  		fail++;
  	p = buffer_get_cstring(&b, NULL);
@@ -299,7 +289,7 @@ index dbe29f1..d3f87e1 100644
  	xasprintf(&userstyle, "%s%s%s", authctxt->user,
  	    authctxt->style ? ":" : "",
  	    authctxt->style ? authctxt->style : "");
-@@ -1302,7 +1332,7 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
+@@ -1352,7 +1382,7 @@ monitor_valid_hostbasedblob(u_char *data
      char *chost)
  {
  	Buffer b;
@@ -308,7 +298,7 @@ index dbe29f1..d3f87e1 100644
  	u_int len;
  	int fail = 0;
  
-@@ -1319,6 +1349,8 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
+@@ -1369,6 +1399,8 @@ monitor_valid_hostbasedblob(u_char *data
  	if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
  		fail++;
  	p = buffer_get_cstring(&b, NULL);
@@ -317,10 +307,9 @@ index dbe29f1..d3f87e1 100644
  	xasprintf(&userstyle, "%s%s%s", authctxt->user,
  	    authctxt->style ? ":" : "",
  	    authctxt->style ? authctxt->style : "");
-diff --git a/monitor.h b/monitor.h
-index 5bc41b5..20e2b4a 100644
---- a/monitor.h
-+++ b/monitor.h
+diff -up openssh-6.8p1/monitor.h.role-mls openssh-6.8p1/monitor.h
+--- openssh-6.8p1/monitor.h.role-mls	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/monitor.h	2015-03-18 11:04:21.047817117 +0100
 @@ -57,6 +57,10 @@ enum monitor_reqtype {
  	MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,
  	MONITOR_REQ_TERM = 50,
@@ -332,11 +321,10 @@ index 5bc41b5..20e2b4a 100644
  	MONITOR_REQ_PAM_START = 100,
  	MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
  	MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
-diff --git a/monitor_wrap.c b/monitor_wrap.c
-index 45dc169..82f114c 100644
---- a/monitor_wrap.c
-+++ b/monitor_wrap.c
-@@ -342,6 +342,25 @@ mm_inform_authserv(char *service, char *style)
+diff -up openssh-6.8p1/monitor_wrap.c.role-mls openssh-6.8p1/monitor_wrap.c
+--- openssh-6.8p1/monitor_wrap.c.role-mls	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/monitor_wrap.c	2015-03-18 11:04:21.047817117 +0100
+@@ -347,6 +347,25 @@ mm_inform_authserv(char *service, char *
  	buffer_free(&m);
  }
  
@@ -362,13 +350,12 @@ index 45dc169..82f114c 100644
  /* Do the password authentication */
  int
  mm_auth_password(Authctxt *authctxt, char *password)
-diff --git a/monitor_wrap.h b/monitor_wrap.h
-index 18c2501..9d5e5ba 100644
---- a/monitor_wrap.h
-+++ b/monitor_wrap.h
+diff -up openssh-6.8p1/monitor_wrap.h.role-mls openssh-6.8p1/monitor_wrap.h
+--- openssh-6.8p1/monitor_wrap.h.role-mls	2015-03-18 11:04:21.047817117 +0100
++++ openssh-6.8p1/monitor_wrap.h	2015-03-18 11:10:32.343936171 +0100
 @@ -42,6 +42,9 @@ int mm_is_monitor(void);
  DH *mm_choose_dh(int, int, int);
- int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
+ int mm_key_sign(Key *, u_char **, u_int *, const u_char *, u_int);
  void mm_inform_authserv(char *, char *);
 +#ifdef WITH_SELINUX
 +void mm_inform_authrole(char *);
@@ -376,11 +363,10 @@ index 18c2501..9d5e5ba 100644
  struct passwd *mm_getpwnamallow(const char *);
  char *mm_auth2_read_banner(void);
  int mm_auth_password(struct Authctxt *, char *);
-diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
-index ab1a3e3..843225d 100644
---- a/openbsd-compat/Makefile.in
-+++ b/openbsd-compat/Makefile.in
-@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o di
+diff -up openssh-6.8p1/openbsd-compat/Makefile.in.role-mls openssh-6.8p1/openbsd-compat/Makefile.in
+--- openssh-6.8p1/openbsd-compat/Makefile.in.role-mls	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/openbsd-compat/Makefile.in	2015-03-18 11:04:21.047817117 +0100
+@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf
  
  COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o
  
@@ -389,11 +375,9 @@ index ab1a3e3..843225d 100644
  
  .c.o:
  	$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
-diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c
-new file mode 100644
-index 0000000..6310717
---- /dev/null
-+++ b/openbsd-compat/port-linux-sshd.c
+diff -up openssh-6.8p1/openbsd-compat/port-linux-sshd.c.role-mls openssh-6.8p1/openbsd-compat/port-linux-sshd.c
+--- openssh-6.8p1/openbsd-compat/port-linux-sshd.c.role-mls	2015-03-18 11:04:21.048817114 +0100
++++ openssh-6.8p1/openbsd-compat/port-linux-sshd.c	2015-03-18 11:04:21.048817114 +0100
 @@ -0,0 +1,415 @@
 +/*
 + * Copyright (c) 2005 Daniel Walsh <dwalsh at redhat.com>
@@ -810,10 +794,9 @@ index 0000000..6310717
 +#endif
 +#endif
 +
-diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
-index 4637a7a..22ea8ef 100644
---- a/openbsd-compat/port-linux.c
-+++ b/openbsd-compat/port-linux.c
+diff -up openssh-6.8p1/openbsd-compat/port-linux.c.role-mls openssh-6.8p1/openbsd-compat/port-linux.c
+--- openssh-6.8p1/openbsd-compat/port-linux.c.role-mls	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/openbsd-compat/port-linux.c	2015-03-18 11:04:21.048817114 +0100
 @@ -103,37 +103,6 @@ ssh_selinux_getctxbyname(char *pwname)
  	return sc;
  }
@@ -852,10 +835,9 @@ index 4637a7a..22ea8ef 100644
  /* Set the TTY context for the specified user */
  void
  ssh_selinux_setup_pty(char *pwname, const char *tty)
-diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
-index e3d1004..8ef6cc4 100644
---- a/openbsd-compat/port-linux.h
-+++ b/openbsd-compat/port-linux.h
+diff -up openssh-6.8p1/openbsd-compat/port-linux.h.role-mls openssh-6.8p1/openbsd-compat/port-linux.h
+--- openssh-6.8p1/openbsd-compat/port-linux.h.role-mls	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/openbsd-compat/port-linux.h	2015-03-18 11:04:21.048817114 +0100
 @@ -22,9 +22,10 @@
  #ifdef WITH_SELINUX
  int ssh_selinux_enabled(void);
@@ -868,11 +850,10 @@ index e3d1004..8ef6cc4 100644
  #endif
  
  #ifdef LINUX_OOM_ADJUST
-diff --git a/platform.c b/platform.c
-index ee313da..84c47fa 100644
---- a/platform.c
-+++ b/platform.c
-@@ -184,7 +184,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
+diff -up openssh-6.8p1/platform.c.role-mls openssh-6.8p1/platform.c
+--- openssh-6.8p1/platform.c.role-mls	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/platform.c	2015-03-18 11:04:21.048817114 +0100
+@@ -184,7 +184,7 @@ platform_setusercontext_post_groups(stru
  	}
  #endif /* HAVE_SETPCRED */
  #ifdef WITH_SELINUX
@@ -881,11 +862,10 @@ index ee313da..84c47fa 100644
  #endif
  }
  
-diff --git a/sshd.c b/sshd.c
-index 481d001..41b317b 100644
---- a/sshd.c
-+++ b/sshd.c
-@@ -2144,6 +2144,9 @@ main(int ac, char **av)
+diff -up openssh-6.8p1/sshd.c.role-mls openssh-6.8p1/sshd.c
+--- openssh-6.8p1/sshd.c.role-mls	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/sshd.c	2015-03-18 11:04:21.048817114 +0100
+@@ -2220,6 +2220,9 @@ main(int ac, char **av)
  		restore_uid();
  	}
  #endif
diff --git a/openssh-6.6p1-set_remote_ipaddr.patch b/openssh-6.6p1-set_remote_ipaddr.patch
index 166e569..ec4e416 100644
--- a/openssh-6.6p1-set_remote_ipaddr.patch
+++ b/openssh-6.6p1-set_remote_ipaddr.patch
@@ -1,8 +1,7 @@
-diff --git a/canohost.c b/canohost.c
-index 97ce58c..1f9320a 100644
---- a/canohost.c
-+++ b/canohost.c
-@@ -338,6 +338,21 @@ clear_cached_addr(void)
+diff -up openssh-6.8p1/canohost.c.set_remote_ipaddr openssh-6.8p1/canohost.c
+--- openssh-6.8p1/canohost.c.set_remote_ipaddr	2015-03-18 12:40:03.702925550 +0100
++++ openssh-6.8p1/canohost.c	2015-03-18 12:40:03.749925432 +0100
+@@ -349,6 +349,21 @@ clear_cached_addr(void)
  	cached_port = -1;
  }
  
@@ -24,7 +23,7 @@ index 97ce58c..1f9320a 100644
  /*
   * Returns the IP-address of the remote host as a string.  The returned
   * string must not be freed.
-@@ -347,17 +362,9 @@ const char *
+@@ -358,17 +373,9 @@ const char *
  get_remote_ipaddr(void)
  {
  	/* Check whether we have cached the ipaddr. */
@@ -45,10 +44,9 @@ index 97ce58c..1f9320a 100644
  	return canonical_host_ip;
  }
  
-diff --git a/canohost.h b/canohost.h
-index 4c8636f..4079953 100644
---- a/canohost.h
-+++ b/canohost.h
+diff -up openssh-6.8p1/canohost.h.set_remote_ipaddr openssh-6.8p1/canohost.h
+--- openssh-6.8p1/canohost.h.set_remote_ipaddr	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/canohost.h	2015-03-18 12:40:03.749925432 +0100
 @@ -13,6 +13,7 @@
   */
  
@@ -57,19 +55,18 @@ index 4c8636f..4079953 100644
  const char	*get_remote_ipaddr(void);
  const char	*get_remote_name_or_ip(u_int, int);
  
-diff --git a/sshconnect.c b/sshconnect.c
-index e636f33..451a58b 100644
---- a/sshconnect.c
-+++ b/sshconnect.c
-@@ -62,6 +62,7 @@
- #include "monitor_fdpass.h"
- #include "ssh2.h"
+diff -up openssh-6.8p1/sshconnect.c.set_remote_ipaddr openssh-6.8p1/sshconnect.c
+--- openssh-6.8p1/sshconnect.c.set_remote_ipaddr	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/sshconnect.c	2015-03-18 12:40:58.096788804 +0100
+@@ -65,6 +65,7 @@
  #include "version.h"
+ #include "authfile.h"
+ #include "ssherr.h"
 +#include "canohost.h"
  
  char *client_version_string = NULL;
  char *server_version_string = NULL;
-@@ -170,6 +171,7 @@ ssh_proxy_fdpass_connect(const char *host, u_short port,
+@@ -174,6 +175,7 @@ ssh_proxy_fdpass_connect(const char *hos
  
  	/* Set the connection file descriptors. */
  	packet_set_connection(sock, sock);
@@ -77,7 +74,7 @@ index e636f33..451a58b 100644
  
  	return 0;
  }
-@@ -492,6 +494,7 @@ ssh_connect_direct(const char *host, struct addrinfo *aitop,
+@@ -496,6 +498,7 @@ ssh_connect_direct(const char *host, str
  
  	/* Set the connection. */
  	packet_set_connection(sock, sock);
diff --git a/openssh-6.7p1-audit.patch b/openssh-6.7p1-audit.patch
index 2c1e80d..cb8e778 100644
--- a/openssh-6.7p1-audit.patch
+++ b/openssh-6.7p1-audit.patch
@@ -1,22 +1,19 @@
-diff --git a/Makefile.in b/Makefile.in
-index 8e11217..9311e16 100644
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -92,7 +92,8 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
- 	ssh-pkcs11.o krl.o smult_curve25519_ref.o \
- 	kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
- 	ssh-ed25519.o digest-openssl.o hmac.o utf8_stringprep.o \
--	sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o
-+	sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
-+	auditstub.o
+diff -up openssh-6.8p1/Makefile.in.audit openssh-6.8p1/Makefile.in
+--- openssh-6.8p1/Makefile.in.audit	2015-03-20 13:41:15.065883826 +0100
++++ openssh-6.8p1/Makefile.in	2015-03-20 13:41:15.100883769 +0100
+@@ -98,7 +98,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
+ 	sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
+ 	kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
+ 	kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
+-	kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o
++	kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o auditstub.o
  
  SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
  	sshconnect.o sshconnect1.o sshconnect2.o mux.o \
-diff --git a/audit-bsm.c b/audit-bsm.c
-index 6135591..c7a1b47 100644
---- a/audit-bsm.c
-+++ b/audit-bsm.c
-@@ -375,10 +375,23 @@ audit_connection_from(const char *host, int port)
+diff -up openssh-6.8p1/audit-bsm.c.audit openssh-6.8p1/audit-bsm.c
+--- openssh-6.8p1/audit-bsm.c.audit	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/audit-bsm.c	2015-03-20 13:41:15.092883782 +0100
+@@ -375,10 +375,23 @@ audit_connection_from(const char *host,
  #endif
  }
  
@@ -95,10 +92,9 @@ index 6135591..c7a1b47 100644
 +	/* not implemented */
 +}
  #endif /* BSM */
-diff --git a/audit-linux.c b/audit-linux.c
-index b3ee2f4..bff8180 100644
---- a/audit-linux.c
-+++ b/audit-linux.c
+diff -up openssh-6.8p1/audit-linux.c.audit openssh-6.8p1/audit-linux.c
+--- openssh-6.8p1/audit-linux.c.audit	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/audit-linux.c	2015-03-20 13:41:15.093883780 +0100
 @@ -35,13 +35,25 @@
  
  #include "log.h"
@@ -227,7 +223,7 @@ index b3ee2f4..bff8180 100644
 +		goto out;
 +	/* is the fingerprint_prefix() still needed? 
 +	snprintf(buf, sizeof(buf), "key algo=%s size=%d fp=%s%s rport=%d",
-+			type, bits, key_fingerprint_prefix(), fp, get_remote_port());
++			type, bits, sshkey_fingerprint_prefix(), fp, get_remote_port());
 +	*/
 +	snprintf(buf, sizeof(buf), "key algo=%s size=%d fp=%s rport=%d",
 +			type, bits, fp, get_remote_port());
@@ -490,10 +486,9 @@ index b3ee2f4..bff8180 100644
 +		error("cannot write into audit");
 +}
  #endif /* USE_LINUX_AUDIT */
-diff --git a/audit.c b/audit.c
-index ced57fa..18908b4 100644
---- a/audit.c
-+++ b/audit.c
+diff -up openssh-6.8p1/audit.c.audit openssh-6.8p1/audit.c
+--- openssh-6.8p1/audit.c.audit	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/audit.c	2015-03-20 13:41:15.093883780 +0100
 @@ -28,6 +28,7 @@
  
  #include <stdarg.h>
@@ -548,7 +543,7 @@ index ced57fa..18908b4 100644
 +	char *fp;
 +	const char *crypto_name;
 +
-+	fp = key_fingerprint(key, options.fingerprint_hash, SSH_FP_HEX);
++	fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_HEX);
 +	if (key->type == KEY_RSA1)
 +		crypto_name = "ssh-rsa1";
 +	else
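Review bot: The switch from key_fingerprint() to sshkey_fingerprint() on the line above changes failure handling: if I recall 6.7p1 correctly, the key_fingerprint() wrapper called fatal() on a NULL result, whereas sshkey_fingerprint() returns NULL to the caller, so `fp` can now be NULL when the digest fails and is later formatted with `%s`. Guard the call: `if ((fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_HEX)) == NULL)` / `fatal("%s: sshkey_fingerprint failed", __func__);`. The same applies to the auth-rsa.c hunk below, where `fp = sshkey_fingerprint(...)` is passed straight into audit_keyusage(). The enclosing function continues outside this hunk on both sides.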
@@ -637,7 +632,7 @@ index ced57fa..18908b4 100644
 +{
 +	debug("audit %s key usage euid %d user %s key type %s key length %d fingerprint %s%s, result %d", 
 +		host_user ? "pubkey" : "hostbased", geteuid(), audit_username(), type, bits,
-+		key_fingerprint_prefix(), fp, rv);
++		sshkey_fingerprint_prefix(), fp, rv);
 +}
 +
 +/*
@@ -691,10 +686,9 @@ index ced57fa..18908b4 100644
  }
  # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
  #endif /* SSH_AUDIT_EVENTS */
-diff --git a/audit.h b/audit.h
-index 92ede5b..903df66 100644
---- a/audit.h
-+++ b/audit.h
+diff -up openssh-6.8p1/audit.h.audit openssh-6.8p1/audit.h
+--- openssh-6.8p1/audit.h.audit	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/audit.h	2015-03-20 13:41:15.093883780 +0100
 @@ -28,6 +28,7 @@
  # define _SSH_AUDIT_H
  
@@ -730,11 +724,9 @@ index 92ede5b..903df66 100644
 +void	audit_generate_ephemeral_server_key(const char *);
  
  #endif /* _SSH_AUDIT_H */
-diff --git a/auditstub.c b/auditstub.c
-new file mode 100644
-index 0000000..116f460
---- /dev/null
-+++ b/auditstub.c
+diff -up openssh-6.8p1/auditstub.c.audit openssh-6.8p1/auditstub.c
+--- openssh-6.8p1/auditstub.c.audit	2015-03-20 13:41:15.093883780 +0100
++++ openssh-6.8p1/auditstub.c	2015-03-20 13:41:15.093883780 +0100
 @@ -0,0 +1,50 @@
 +/* $Id: auditstub.c,v 1.1 jfch Exp $ */
 +
@@ -786,11 +778,10 @@ index 0000000..116f460
 +audit_session_key_free_body(int ctos, pid_t pid, uid_t uid)
 +{
 +}
-diff --git a/auth-rsa.c b/auth-rsa.c
-index ff7a132..1e12515 100644
---- a/auth-rsa.c
-+++ b/auth-rsa.c
-@@ -93,7 +93,10 @@ auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16])
+diff -up openssh-6.8p1/auth-rsa.c.audit openssh-6.8p1/auth-rsa.c
+--- openssh-6.8p1/auth-rsa.c.audit	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/auth-rsa.c	2015-03-20 13:41:15.094883779 +0100
+@@ -95,7 +95,10 @@ auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16])
  {
  	u_char buf[32], mdbuf[16];
  	struct ssh_digest_ctx *md;
@@ -802,7 +793,7 @@ index ff7a132..1e12515 100644
  
  	/* don't allow short keys */
  	if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
-@@ -117,12 +120,18 @@ auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16])
+@@ -119,12 +122,18 @@ auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16])
  	ssh_digest_free(md);
  
  	/* Verify that the response is the original challenge. */
@@ -812,7 +803,7 @@ index ff7a132..1e12515 100644
 +	rv = timingsafe_bcmp(response, mdbuf, 16) == 0;
 +
 +#ifdef SSH_AUDIT_EVENTS
-+	fp = key_fingerprint(key, options.fingerprint_hash, SSH_FP_HEX);
++	fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_HEX);
 +	if (audit_keyusage(1, "ssh-rsa1", RSA_size(key->rsa) * 8, fp, rv) == 0) {
 +		debug("unsuccessful audit");
 +		rv = 0;
@@ -826,11 +817,10 @@ index ff7a132..1e12515 100644
  }
  
  /*
-diff --git a/auth.c b/auth.c
-index 5a9acd3..7eba5d4 100644
---- a/auth.c
-+++ b/auth.c
-@@ -642,9 +642,6 @@ getpwnamallow(const char *user)
+diff -up openssh-6.8p1/auth.c.audit openssh-6.8p1/auth.c
+--- openssh-6.8p1/auth.c.audit	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/auth.c	2015-03-20 13:41:15.094883779 +0100
+@@ -644,9 +644,6 @@ getpwnamallow(const char *user)
  		record_failed_login(user,
  		    get_canonical_hostname(options.use_dns), "ssh");
  #endif
@@ -840,11 +830,10 @@ index 5a9acd3..7eba5d4 100644
  		return (NULL);
  	}
  	if (!allowed_user(pw))
-diff --git a/auth.h b/auth.h
-index 847cffd..19fbcf5 100644
---- a/auth.h
-+++ b/auth.h
-@@ -187,6 +187,7 @@ void	abandon_challenge_response(Authctxt *);
+diff -up openssh-6.8p1/auth.h.audit openssh-6.8p1/auth.h
+--- openssh-6.8p1/auth.h.audit	2015-03-20 13:41:15.002883927 +0100
++++ openssh-6.8p1/auth.h	2015-03-20 13:41:15.094883779 +0100
+@@ -195,6 +195,7 @@ void	abandon_challenge_response(Authctxt
  
  char	*expand_authorized_keys(const char *, struct passwd *pw);
  char	*authorized_principals_file(struct passwd *);
@@ -852,19 +841,18 @@ index 847cffd..19fbcf5 100644
  
  FILE	*auth_openkeyfile(const char *, struct passwd *, int);
  FILE	*auth_openprincipals(const char *, struct passwd *, int);
-@@ -204,6 +205,7 @@ Key	*get_hostkey_private_by_type(int);
- int	 get_hostkey_index(Key *);
+@@ -213,6 +214,7 @@ int	 get_hostkey_index(Key *, int, struc
  int	 ssh1_session_key(BIGNUM *);
- void	 sshd_hostkey_sign(Key *, Key *, u_char **, u_int *, u_char *, u_int);
+ int	 sshd_hostkey_sign(Key *, Key *, u_char **, size_t *,
+ 	     const u_char *, size_t, u_int);
 +int	 hostbased_key_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
  
  /* debug messages during authentication */
  void	 auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
-diff --git a/auth2-hostbased.c b/auth2-hostbased.c
-index 41f1a3f..80d9802 100644
---- a/auth2-hostbased.c
-+++ b/auth2-hostbased.c
-@@ -138,7 +138,7 @@ userauth_hostbased(Authctxt *authctxt)
+diff -up openssh-6.8p1/auth2-hostbased.c.audit openssh-6.8p1/auth2-hostbased.c
+--- openssh-6.8p1/auth2-hostbased.c.audit	2015-03-20 13:41:15.002883927 +0100
++++ openssh-6.8p1/auth2-hostbased.c	2015-03-20 13:41:15.093883780 +0100
+@@ -147,7 +147,7 @@ userauth_hostbased(Authctxt *authctxt)
  	/* test for allowed key and correct signature */
  	authenticated = 0;
  	if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
@@ -873,7 +861,7 @@ index 41f1a3f..80d9802 100644
  			buffer_len(&b))) == 1)
  		authenticated = 1;
  
-@@ -155,6 +155,18 @@ done:
+@@ -164,6 +164,18 @@ done:
  	return authenticated;
  }
  
@@ -892,20 +880,19 @@ index 41f1a3f..80d9802 100644
  /* return 1 if given hostkey is allowed */
  int
  hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
-diff --git a/auth2-pubkey.c b/auth2-pubkey.c
-index 269e642..110ec48 100644
---- a/auth2-pubkey.c
-+++ b/auth2-pubkey.c
-@@ -160,7 +160,7 @@ userauth_pubkey(Authctxt *authctxt)
+diff -up openssh-6.8p1/auth2-pubkey.c.audit openssh-6.8p1/auth2-pubkey.c
+--- openssh-6.8p1/auth2-pubkey.c.audit	2015-03-20 13:41:15.013883910 +0100
++++ openssh-6.8p1/auth2-pubkey.c	2015-03-20 13:41:15.094883779 +0100
+@@ -172,7 +172,7 @@ userauth_pubkey(Authctxt *authctxt)
  		/* test for correct signature */
  		authenticated = 0;
  		if (PRIVSEP(user_key_allowed(authctxt->pw, key)) &&
 -		    PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
 +		    PRIVSEP(user_key_verify(key, sig, slen, buffer_ptr(&b),
- 		    buffer_len(&b))) == 1)
+ 		    buffer_len(&b))) == 1) {
  			authenticated = 1;
- 		buffer_free(&b);
-@@ -232,6 +232,18 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
+ 			/* Record the successful key to prevent reuse */
+@@ -250,6 +250,18 @@ pubkey_auth_info(Authctxt *authctxt, con
  	free(extra);
  }
  
@@ -924,11 +911,10 @@ index 269e642..110ec48 100644
  static int
  match_principals_option(const char *principal_list, struct sshkey_cert *cert)
  {
-diff --git a/auth2.c b/auth2.c
-index ec4ff8a..9e6e815 100644
---- a/auth2.c
-+++ b/auth2.c
-@@ -250,9 +250,6 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
+diff -up openssh-6.8p1/auth2.c.audit openssh-6.8p1/auth2.c
+--- openssh-6.8p1/auth2.c.audit	2015-03-20 13:41:15.044883860 +0100
++++ openssh-6.8p1/auth2.c	2015-03-20 13:41:15.093883780 +0100
+@@ -249,9 +249,6 @@ input_userauth_request(int type, u_int32
  		} else {
  			logit("input_userauth_request: invalid user %s", user);
  			authctxt->pw = fakepw();
@@ -938,11 +924,10 @@ index ec4ff8a..9e6e815 100644
  		}
  #ifdef USE_PAM
  		if (options.use_pam)
-diff --git a/cipher.c b/cipher.c
-index 638ca2d..9cc7cf8 100644
---- a/cipher.c
-+++ b/cipher.c
-@@ -57,26 +57,6 @@ extern const EVP_CIPHER *evp_ssh1_3des(void);
+diff -up openssh-6.8p1/cipher.c.audit openssh-6.8p1/cipher.c
+--- openssh-6.8p1/cipher.c.audit	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/cipher.c	2015-03-20 13:41:15.101883767 +0100
+@@ -57,26 +59,6 @@ extern const EVP_CIPHER *evp_ssh1_3des(v
  extern int ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
  #endif
  
@@ -969,10 +954,9 @@ index 638ca2d..9cc7cf8 100644
  static const struct sshcipher ciphers[] = {
  #ifdef WITH_SSH1
  	{ "des",	SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
-diff --git a/cipher.h b/cipher.h
-index de74c1e..26ed4cb 100644
---- a/cipher.h
-+++ b/cipher.h
+diff -up openssh-6.8p1/cipher.h.audit openssh-6.8p1/cipher.h
+--- openssh-6.8p1/cipher.h.audit	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/cipher.h	2015-03-20 13:41:15.094883779 +0100
 @@ -62,7 +62,26 @@
  #define CIPHER_ENCRYPT		1
  #define CIPHER_DECRYPT		0
@@ -1001,75 +985,60 @@ index de74c1e..26ed4cb 100644
  struct sshcipher_ctx {
  	int	plaintext;
  	int	encrypt;
-diff --git a/kex.c b/kex.c
-index 4563920..e0cf3de 100644
---- a/kex.c
-+++ b/kex.c
-@@ -52,6 +52,7 @@
- #include "monitor.h"
- #include "roaming.h"
+diff -up openssh-6.8p1/kex.c.audit openssh-6.8p1/kex.c
+--- openssh-6.8p1/kex.c.audit	2015-03-20 13:41:15.046883856 +0100
++++ openssh-6.8p1/kex.c	2015-03-20 13:41:15.101883767 +0100
+@@ -54,6 +55,7 @@
+ #include "ssherr.h"
+ #include "sshbuf.h"
  #include "digest.h"
 +#include "audit.h"
  
  #ifdef GSSAPI
  #include "ssh-gss.h"
-@@ -370,9 +371,13 @@ static void
- choose_enc(Enc *enc, char *client, char *server)
+@@ -484,8 +508,12 @@ choose_enc(struct sshenc *enc, char *cli
  {
  	char *name = match_list(client, server, NULL);
+ 
 -	if (name == NULL)
 +	if (name == NULL) {
 +#ifdef SSH_AUDIT_EVENTS
 +		audit_unsupported(0);
 +#endif
- 		fatal("no matching cipher found: client %s server %s",
- 		    client, server);
+ 		return SSH_ERR_NO_CIPHER_ALG_MATCH;
 +	}
  	if ((enc->cipher = cipher_by_name(name)) == NULL)
- 		fatal("matching cipher is not supported: %s", name);
+ 		return SSH_ERR_INTERNAL_ERROR;
  	enc->name = name;
-@@ -388,9 +393,13 @@ static void
- choose_mac(Mac *mac, char *client, char *server)
+@@ -503,8 +531,12 @@ choose_mac(struct ssh *ssh, struct sshma
  {
  	char *name = match_list(client, server, NULL);
+ 
 -	if (name == NULL)
 +	if (name == NULL) {
 +#ifdef SSH_AUDIT_EVENTS
 +		audit_unsupported(1);
 +#endif
- 		fatal("no matching mac found: client %s server %s",
- 		    client, server);
+ 		return SSH_ERR_NO_MAC_ALG_MATCH;
 +	}
  	if (mac_setup(mac, name) < 0)
- 		fatal("unsupported mac %s", name);
+ 		return SSH_ERR_INTERNAL_ERROR;
  	/* truncate the key */
-@@ -405,8 +414,12 @@ static void
- choose_comp(Comp *comp, char *client, char *server)
+@@ -521,8 +553,12 @@ choose_comp(struct sshcomp *comp, char *
  {
  	char *name = match_list(client, server, NULL);
+ 
 -	if (name == NULL)
 +	if (name == NULL) {
 +#ifdef SSH_AUDIT_EVENTS
 +		audit_unsupported(2);
 +#endif
- 		fatal("no matching comp found: client %s server %s", client, server);
+ 		return SSH_ERR_NO_COMPRESS_ALG_MATCH;
 +	}
  	if (strcmp(name, "zlib at openssh.com") == 0) {
  		comp->type = COMP_DELAYED;
  	} else if (strcmp(name, "zlib") == 0) {
-@@ -522,9 +535,11 @@ kex_choose_conf(Kex *kex)
- 		    authlen == 0 ? newkeys->mac.name : "<implicit>",
- 		    newkeys->comp.name);
- 	}
-+
- 	choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
- 	choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
- 	    sprop[PROPOSAL_SERVER_HOST_KEY_ALGS]);
-+
- 	need = dh_need = 0;
- 	for (mode = 0; mode < MODE_MAX; mode++) {
- 		newkeys = kex->newkeys[mode];
-@@ -536,11 +551,16 @@ kex_choose_conf(Kex *kex)
+@@ -672,6 +708,10 @@ kex_choose_conf(struct ssh *ssh)
  		dh_need = MAX(dh_need, newkeys->enc.block_size);
  		dh_need = MAX(dh_need, newkeys->enc.iv_len);
  		dh_need = MAX(dh_need, newkeys->mac.key_len);
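Review bot: The three new audit_unsupported() calls in choose_enc, choose_mac and choose_comp pass bare `0`, `1` and `2` to say which algorithm class failed to negotiate, and a reader of kex.c has no way to tell what they mean. Either use named constants if audit.h already provides them, or annotate each call, e.g. `audit_unsupported(0);	/* cipher */`, `/* mac */`, `/* compression */`. The bodies of the three functions continue outside the hunk.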
@@ -1080,19 +1049,13 @@ index 4563920..e0cf3de 100644
  	}
  	/* XXX need runden? */
  	kex->we_need = need;
- 	kex->dh_need = dh_need;
- 
-+
- 	/* ignore the next message if the proposals do not match */
- 	if (first_kex_follows && !proposals_match(my, peer) &&
- 	    !(datafellows & SSH_BUG_FIRSTKEX)) {
-@@ -710,3 +730,34 @@ dump_digest(char *msg, u_char *digest, int len)
- 	fprintf(stderr, "\n");
+@@ -847,3 +887,34 @@ dump_digest(char *msg, u_char *digest, i
+ 	sshbuf_dump_data(digest, len, stderr);
  }
  #endif
 +
 +static void
-+enc_destroy(Enc *enc)
++enc_destroy(struct sshenc *enc)
 +{
 +	if (enc == NULL)
 +		return;
@@ -1111,7 +1074,7 @@ index 4563920..e0cf3de 100644
 +}
 +
 +void
-+newkeys_destroy(Newkeys *newkeys)
++newkeys_destroy(struct newkeys *newkeys)
 +{
 +	if (newkeys == NULL)
 +		return;
@@ -1121,41 +1084,38 @@ index 4563920..e0cf3de 100644
 +	memset(&newkeys->comp, 0, sizeof(newkeys->comp));
 +}
 +
-diff --git a/kex.h b/kex.h
-index 1c76c08..e015d27 100644
---- a/kex.h
-+++ b/kex.h
-@@ -182,6 +182,8 @@ void	 kexgss_client(Kex *);
- void	 kexgss_server(Kex *);
+diff -up openssh-6.8p1/kex.h.audit openssh-6.8p1/kex.h
+--- openssh-6.8p1/kex.h.audit	2015-03-20 13:41:15.046883856 +0100
++++ openssh-6.8p1/kex.h	2015-03-20 13:41:15.095883777 +0100
+@@ -199,6 +199,8 @@ int	 kexgss_client(struct ssh *);
+ int	 kexgss_server(struct ssh *);
  #endif
  
-+void	newkeys_destroy(Newkeys *newkeys);
++void	newkeys_destroy(struct newkeys *newkeys);
 +
- void
- kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
-     BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
-diff --git a/key.h b/key.h
-index e1a3625..4a90e1e 100644
---- a/key.h
-+++ b/key.h
-@@ -52,6 +52,7 @@ typedef struct sshkey Key;
+ int	 kex_dh_hash(const char *, const char *,
+     const u_char *, size_t, const u_char *, size_t, const u_char *, size_t,
+     const BIGNUM *, const BIGNUM *, const BIGNUM *, u_char *, size_t *);
+diff -up openssh-6.8p1/key.h.audit openssh-6.8p1/key.h
+--- openssh-6.8p1/key.h.audit	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/key.h	2015-03-20 13:41:15.095883777 +0100
+@@ -50,6 +50,7 @@ typedef struct sshkey Key;
+ #define key_ecdsa_bits_to_nid	sshkey_ecdsa_bits_to_nid
  #define key_ecdsa_key_to_nid	sshkey_ecdsa_key_to_nid
- #define key_names_valid2	sshkey_names_valid2
  #define key_is_cert		sshkey_is_cert
 +#define key_is_private		sshkey_is_private
  #define key_type_plain		sshkey_type_plain
  #define key_cert_is_legacy	sshkey_cert_is_legacy
  #define key_curve_name_to_nid	sshkey_curve_name_to_nid
-diff --git a/mac.c b/mac.c
-index 402dc98..fd07bf2 100644
---- a/mac.c
-+++ b/mac.c
-@@ -223,6 +223,20 @@ mac_clear(Mac *mac)
+diff -up openssh-6.8p1/mac.c.audit openssh-6.8p1/mac.c
+--- openssh-6.8p1/mac.c.audit	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/mac.c	2015-03-20 13:41:15.102883766 +0100
+@@ -226,6 +246,20 @@ mac_clear(struct sshmac *mac)
  	mac->umac_ctx = NULL;
  }
  
 +void
-+mac_destroy(Mac *mac)
++mac_destroy(struct sshmac *mac)
 +{
 +	if (mac == NULL)
 +		return;
@@ -1171,37 +1131,37 @@ index 402dc98..fd07bf2 100644
  /* XXX copied from ciphers_valid */
  #define	MAC_SEP	","
  int
-diff --git a/mac.h b/mac.h
-index fbe18c4..7dc7f43 100644
---- a/mac.h
-+++ b/mac.h
-@@ -29,3 +29,4 @@ int	 mac_setup(Mac *, char *);
- int	 mac_init(Mac *);
- u_char	*mac_compute(Mac *, u_int32_t, u_char *, int);
- void	 mac_clear(Mac *);
-+void	 mac_destroy(Mac *);
-diff --git a/monitor.c b/monitor.c
-index d97e640..07fa655 100644
---- a/monitor.c
-+++ b/monitor.c
-@@ -100,6 +100,7 @@
+diff -up openssh-6.8p1/mac.h.audit openssh-6.8p1/mac.h
+--- openssh-6.8p1/mac.h.audit	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/mac.h	2015-03-20 13:41:15.095883777 +0100
+@@ -47,5 +47,6 @@ int	 mac_init(struct sshmac *);
+ int	 mac_compute(struct sshmac *, u_int32_t, const u_char *, int,
+     u_char *, size_t);
+ void	 mac_clear(struct sshmac *);
++void	 mac_destroy(struct sshmac *);
+ 
+ #endif /* SSHMAC_H */
+diff -up openssh-6.8p1/monitor.c.audit openssh-6.8p1/monitor.c
+--- openssh-6.8p1/monitor.c.audit	2015-03-20 13:41:15.072883814 +0100
++++ openssh-6.8p1/monitor.c	2015-03-20 13:41:15.107883758 +0100
+@@ -102,6 +102,7 @@
  #include "ssh2.h"
  #include "roaming.h"
  #include "authfd.h"
 +#include "audit.h"
+ #include "match.h"
+ #include "ssherr.h"
  
- #ifdef GSSAPI
- static Gssctxt *gsscontext = NULL;
-@@ -116,6 +117,8 @@ extern Buffer auth_debug;
+@@ -117,6 +118,8 @@ extern Buffer auth_debug;
  extern int auth_debug_init;
  extern Buffer loginmsg;
  
 +extern void destroy_sensitive_data(int);
 +
  /* State exported from the child */
+ static struct sshbuf *child_state;
  
- struct {
-@@ -188,6 +191,11 @@ int mm_answer_gss_updatecreds(int, Buffer *);
+@@ -167,6 +170,11 @@ int mm_answer_gss_updatecreds(int, Buffe
  #ifdef SSH_AUDIT_EVENTS
  int mm_answer_audit_event(int, Buffer *);
  int mm_answer_audit_command(int, Buffer *);
@@ -1213,7 +1173,7 @@ index d97e640..07fa655 100644
  #endif
  
  static int monitor_read_log(struct monitor *);
-@@ -247,6 +255,10 @@ struct mon_table mon_dispatch_proto20[] = {
+@@ -226,6 +234,10 @@ struct mon_table mon_dispatch_proto20[]
  #endif
  #ifdef SSH_AUDIT_EVENTS
      {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
@@ -1224,7 +1184,7 @@ index d97e640..07fa655 100644
  #endif
  #ifdef BSD_AUTH
      {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
-@@ -285,6 +297,11 @@ struct mon_table mon_dispatch_postauth20[] = {
+@@ -264,6 +276,11 @@ struct mon_table mon_dispatch_postauth20
  #ifdef SSH_AUDIT_EVENTS
      {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
      {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
@@ -1236,7 +1196,7 @@ index d97e640..07fa655 100644
  #endif
      {0, 0, NULL}
  };
-@@ -317,6 +334,10 @@ struct mon_table mon_dispatch_proto15[] = {
+@@ -296,6 +313,10 @@ struct mon_table mon_dispatch_proto15[]
  #endif
  #ifdef SSH_AUDIT_EVENTS
      {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
@@ -1247,7 +1207,7 @@ index d97e640..07fa655 100644
  #endif
  #endif /* WITH_SSH1 */
      {0, 0, NULL}
-@@ -330,6 +351,11 @@ struct mon_table mon_dispatch_postauth15[] = {
+@@ -309,6 +330,11 @@ struct mon_table mon_dispatch_postauth15
  #ifdef SSH_AUDIT_EVENTS
      {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
      {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
@@ -1259,7 +1219,7 @@ index d97e640..07fa655 100644
  #endif
  #endif /* WITH_SSH1 */
      {0, 0, NULL}
-@@ -1416,9 +1442,11 @@ mm_answer_keyverify(int sock, Buffer *m)
+@@ -1466,9 +1493,11 @@ mm_answer_keyverify(int sock, Buffer *m)
  	Key *key;
  	u_char *signature, *data, *blob;
  	u_int signaturelen, datalen, bloblen;
@@ -1271,7 +1231,7 @@ index d97e640..07fa655 100644
  	blob = buffer_get_string(m, &bloblen);
  	signature = buffer_get_string(m, &signaturelen);
  	data = buffer_get_string(m, &datalen);
-@@ -1426,6 +1454,8 @@ mm_answer_keyverify(int sock, Buffer *m)
+@@ -1476,6 +1505,8 @@ mm_answer_keyverify(int sock, Buffer *m)
  	if (hostbased_cuser == NULL || hostbased_chost == NULL ||
  	  !monitor_allowed_key(blob, bloblen))
  		fatal("%s: bad key, not previously allowed", __func__);
@@ -1280,7 +1240,7 @@ index d97e640..07fa655 100644
  
  	key = key_from_blob(blob, bloblen);
  	if (key == NULL)
-@@ -1446,7 +1476,17 @@ mm_answer_keyverify(int sock, Buffer *m)
+@@ -1496,7 +1527,17 @@ mm_answer_keyverify(int sock, Buffer *m)
  	if (!valid_data)
  		fatal("%s: bad signature data blob", __func__);
  
@@ -1299,7 +1259,7 @@ index d97e640..07fa655 100644
  	debug3("%s: key %p signature %s",
  	    __func__, key, (verified == 1) ? "verified" : "unverified");
  
-@@ -1499,6 +1539,12 @@ mm_session_close(Session *s)
+@@ -1554,6 +1595,12 @@ mm_session_close(Session *s)
  		debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
  		session_pty_cleanup2(s);
  	}
@@ -1312,7 +1272,7 @@ index d97e640..07fa655 100644
  	session_unused(s->self);
  }
  
-@@ -1781,6 +1827,8 @@ mm_answer_term(int sock, Buffer *req)
+@@ -1836,6 +1883,8 @@ mm_answer_term(int sock, Buffer *req)
  		sshpam_cleanup();
  #endif
  
@@ -1321,7 +1281,7 @@ index d97e640..07fa655 100644
  	while (waitpid(pmonitor->m_pid, &status, 0) == -1)
  		if (errno != EINTR)
  			exit(1);
-@@ -1823,11 +1871,43 @@ mm_answer_audit_command(int socket, Buffer *m)
+@@ -1878,11 +1927,43 @@ mm_answer_audit_command(int socket, Buff
  {
  	u_int len;
  	char *cmd;
@@ -1366,24 +1326,18 @@ index d97e640..07fa655 100644
  	free(cmd);
  	return (0);
  }
-@@ -1975,11 +2055,13 @@ mm_get_keystate(struct monitor *pmonitor)
- 
- 	blob = buffer_get_string(&m, &bloblen);
- 	current_keys[MODE_OUT] = mm_newkeys_from_blob(blob, bloblen);
-+	memset(blob, 0, bloblen);
- 	free(blob);
- 
- 	debug3("%s: Waiting for second key", __func__);
- 	blob = buffer_get_string(&m, &bloblen);
- 	current_keys[MODE_IN] = mm_newkeys_from_blob(blob, bloblen);
-+	memset(blob, 0, bloblen);
- 	free(blob);
- 
- 	/* Now get sequence numbers for the packets */
-@@ -2025,6 +2107,21 @@ mm_get_keystate(struct monitor *pmonitor)
- 	}
+@@ -1936,6 +2017,7 @@
+ void
+ mm_get_keystate(struct monitor *pmonitor)
+ {
++	Buffer m;
+ 	debug3("%s: Waiting for new keys", __func__);
  
- 	buffer_free(&m);
+ 	if ((child_state = sshbuf_new()) == NULL)
+@@ -1946,6 +2027,21 @@ mm_get_keystate(struct monitor *pmonitor
+ 	mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT,
+ 	    child_state);
+ 	debug3("%s: GOT new keys", __func__);
 +
 +#ifdef SSH_AUDIT_EVENTS
 +	if (compat20) {
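Review bot: The rebase drops the explicit `memset(blob, 0, bloblen)` before `free(blob)` that the 6.7p1 version of this hunk added in mm_get_keystate, and likewise in mm_send_keystate in the monitor_wrap.c hunk further down, because 6.8p1 now carries the key state in the `child_state` sshbuf. That is only equivalent if sshbuf_free() wipes its storage on release, which I believe it does via explicit_bzero; the patch should record that where the zeroing used to be, e.g. `/* key state now lives in child_state; sshbuf_free() zeroises it on release */`. The added `Buffer m;` declaration is only justified if the SSH_AUDIT_EVENTS block that opens at the end of this hunk still uses the legacy Buffer API; that block continues outside the hunk, so confirm `m` is not left unused under -Wall.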
@@ -1402,7 +1356,7 @@ index d97e640..07fa655 100644
  }
  
  
-@@ -2321,3 +2418,87 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) {
+@@ -2212,3 +2308,87 @@ mm_answer_gss_updatecreds(int socket, Bu
  
  #endif /* GSSAPI */
  
@@ -1490,10 +1444,9 @@ index d97e640..07fa655 100644
 +	return 0;
 +}
 +#endif /* SSH_AUDIT_EVENTS */
-diff --git a/monitor.h b/monitor.h
-index 00c2028..cc8da6a 100644
---- a/monitor.h
-+++ b/monitor.h
+diff -up openssh-6.8p1/monitor.h.audit openssh-6.8p1/monitor.h
+--- openssh-6.8p1/monitor.h.audit	2015-03-20 13:41:15.072883814 +0100
++++ openssh-6.8p1/monitor.h	2015-03-20 13:41:15.096883775 +0100
 @@ -69,7 +69,13 @@ enum monitor_reqtype {
  	MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
  	MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109,
@@ -1509,11 +1462,10 @@ index 00c2028..cc8da6a 100644
  
  };
  
-diff --git a/monitor_wrap.c b/monitor_wrap.c
-index 7e991e6..ba4ecd7 100644
---- a/monitor_wrap.c
-+++ b/monitor_wrap.c
-@@ -456,7 +456,7 @@ mm_key_allowed(enum mm_keytype type, char *user, char *host, Key *key)
+diff -up openssh-6.8p1/monitor_wrap.c.audit openssh-6.8p1/monitor_wrap.c
+--- openssh-6.8p1/monitor_wrap.c.audit	2015-03-20 13:41:15.047883855 +0100
++++ openssh-6.8p1/monitor_wrap.c	2015-03-20 13:41:15.108883756 +0100
+@@ -461,7 +461,7 @@ mm_key_allowed(enum mm_keytype type, cha
   */
  
  int
@@ -1522,7 +1474,7 @@ index 7e991e6..ba4ecd7 100644
  {
  	Buffer m;
  	u_char *blob;
-@@ -470,6 +470,7 @@ mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen)
+@@ -475,6 +475,7 @@ mm_key_verify(Key *key, u_char *sig, u_i
  		return (0);
  
  	buffer_init(&m);
@@ -1530,7 +1482,7 @@ index 7e991e6..ba4ecd7 100644
  	buffer_put_string(&m, blob, len);
  	buffer_put_string(&m, sig, siglen);
  	buffer_put_string(&m, data, datalen);
-@@ -487,6 +488,19 @@ mm_key_verify(Key *key, u_char *sig, u_int siglen, u_char *data, u_int datalen)
+@@ -492,6 +493,18 @@ mm_key_verify(Key *key, u_char *sig, u_i
  	return (verified);
  }
  
@@ -1546,26 +1498,10 @@ index 7e991e6..ba4ecd7 100644
 +	return mm_key_verify(MM_USERKEY, key, sig, siglen, data, datalen);
 +}
 +
-+
- /* Export key state after authentication */
- Newkeys *
- mm_newkeys_from_blob(u_char *blob, int blen)
-@@ -665,12 +679,14 @@ mm_send_keystate(struct monitor *monitor)
- 		fatal("%s: conversion of newkeys failed", __func__);
- 
- 	buffer_put_string(&m, blob, bloblen);
-+	memset(blob, 0, bloblen);
- 	free(blob);
- 
- 	if (!mm_newkeys_to_blob(MODE_IN, &blob, &bloblen))
- 		fatal("%s: conversion of newkeys failed", __func__);
- 
- 	buffer_put_string(&m, blob, bloblen);
-+	memset(blob, 0, bloblen);
- 	free(blob);
- 
- 	packet_get_state(MODE_OUT, &seqnr, &blocks, &packets, &bytes);
-@@ -1218,10 +1234,11 @@ mm_audit_event(ssh_audit_event_t event)
+ void
+ mm_send_keystate(struct monitor *monitor)
+ {
+@@ -1005,10 +1018,11 @@ mm_audit_event(ssh_audit_event_t event)
  	buffer_free(&m);
  }
  
@@ -1578,7 +1514,7 @@ index 7e991e6..ba4ecd7 100644
  
  	debug3("%s entering command %s", __func__, command);
  
-@@ -1229,6 +1246,26 @@ mm_audit_run_command(const char *command)
+@@ -1016,6 +1030,26 @@ mm_audit_run_command(const char *command
  	buffer_put_cstring(&m, command);
  
  	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_COMMAND, &m);
@@ -1605,7 +1541,7 @@ index 7e991e6..ba4ecd7 100644
  	buffer_free(&m);
  }
  #endif /* SSH_AUDIT_EVENTS */
-@@ -1364,3 +1401,72 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
+@@ -1151,3 +1185,72 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_cc
  
  #endif /* GSSAPI */
  
@@ -1678,11 +1614,10 @@ index 7e991e6..ba4ecd7 100644
 +	buffer_free(&m);
 +}
 +#endif /* SSH_AUDIT_EVENTS */
-diff --git a/monitor_wrap.h b/monitor_wrap.h
-index 93929e0..e43109f 100644
---- a/monitor_wrap.h
-+++ b/monitor_wrap.h
-@@ -52,7 +52,8 @@ int mm_key_allowed(enum mm_keytype, char *, char *, Key *);
+diff -up openssh-6.8p1/monitor_wrap.h.audit openssh-6.8p1/monitor_wrap.h
+--- openssh-6.8p1/monitor_wrap.h.audit	2015-03-20 13:41:15.048883853 +0100
++++ openssh-6.8p1/monitor_wrap.h	2015-03-20 13:41:15.096883775 +0100
+@@ -52,7 +52,8 @@ int mm_key_allowed(enum mm_keytype, char
  int mm_user_key_allowed(struct passwd *, Key *);
  int mm_hostbased_key_allowed(struct passwd *, char *, char *, Key *);
  int mm_auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
@@ -1706,20 +1641,19 @@ index 93929e0..e43109f 100644
  #endif
  
  struct Session;
-diff --git a/packet.c b/packet.c
-index 9b7abd1..f1e00f7 100644
---- a/packet.c
-+++ b/packet.c
-@@ -61,6 +61,7 @@
- #include <time.h>
+diff -up openssh-6.8p1/packet.c.audit openssh-6.8p1/packet.c
+--- openssh-6.8p1/packet.c.audit	2015-03-20 13:41:14.990883947 +0100
++++ openssh-6.8p1/packet.c	2015-03-20 13:41:15.097883774 +0100
+@@ -67,6 +67,7 @@
+ #include "key.h"	/* typedefs XXX */
  
  #include "xmalloc.h"
 +#include "audit.h"
- #include "buffer.h"
- #include "packet.h"
  #include "crc32.h"
-@@ -483,6 +484,13 @@ packet_get_connection_out(void)
- 	return active_state->connection_out;
+ #include "deattack.h"
+ #include "compat.h"
+@@ -448,6 +449,13 @@ ssh_packet_get_connection_out(struct ssh
+ 	return ssh->state->connection_out;
  }
  
 +static int
@@ -1729,50 +1663,66 @@ index 9b7abd1..f1e00f7 100644
 +		(state->newkeys[MODE_IN] != NULL || state->newkeys[MODE_OUT] != NULL);
 +}
 +
- /* Closes the connection and clears and frees internal data structures. */
- 
- void
-@@ -491,13 +499,6 @@ packet_close(void)
- 	if (!active_state->initialized)
+ /*
+  * Returns the IP-address of the remote host as a string.  The returned
+  * string must not be freed.
+@@ -478,13 +486,6 @@ ssh_packet_close(struct ssh *ssh)
+ 	if (!state->initialized)
  		return;
- 	active_state->initialized = 0;
--	if (active_state->connection_in == active_state->connection_out) {
--		shutdown(active_state->connection_out, SHUT_RDWR);
--		close(active_state->connection_out);
+ 	state->initialized = 0;
+-	if (state->connection_in == state->connection_out) {
+-		shutdown(state->connection_out, SHUT_RDWR);
+-		close(state->connection_out);
 -	} else {
--		close(active_state->connection_in);
--		close(active_state->connection_out);
+-		close(state->connection_in);
+-		close(state->connection_out);
 -	}
- 	buffer_free(&active_state->input);
- 	buffer_free(&active_state->output);
- 	buffer_free(&active_state->outgoing_packet);
-@@ -506,8 +507,18 @@ packet_close(void)
- 		buffer_free(&active_state->compression_buffer);
- 		buffer_compress_uninit();
+ 	sshbuf_free(state->input);
+ 	sshbuf_free(state->output);
+ 	sshbuf_free(state->outgoing_packet);
+@@ -516,14 +517,24 @@ ssh_packet_close(struct ssh *ssh)
+ 				inflateEnd(stream);
+ 		}
  	}
--	cipher_cleanup(&active_state->send_context);
--	cipher_cleanup(&active_state->receive_context);
-+	if (packet_state_has_keys(active_state)) {
-+		cipher_cleanup(&active_state->send_context);
-+		cipher_cleanup(&active_state->receive_context);
+-	if ((r = cipher_cleanup(&state->send_context)) != 0)
+-		error("%s: cipher_cleanup failed: %s", __func__, ssh_err(r));
+-	if ((r = cipher_cleanup(&state->receive_context)) != 0)
+-		error("%s: cipher_cleanup failed: %s", __func__, ssh_err(r));
++	if (packet_state_has_keys(state)) {
++		if ((r = cipher_cleanup(&state->send_context)) != 0)
++			error("%s: cipher_cleanup failed: %s", __func__, ssh_err(r));
++		if ((r = cipher_cleanup(&state->receive_context)) != 0)
++			error("%s: cipher_cleanup failed: %s", __func__, ssh_err(r));
 +		audit_session_key_free(2);
 +	}
-+	if (active_state->connection_in == active_state->connection_out) {
-+		shutdown(active_state->connection_out, SHUT_RDWR);
-+		close(active_state->connection_out);
+ 	if (ssh->remote_ipaddr) {
+ 		free(ssh->remote_ipaddr);
+ 		ssh->remote_ipaddr = NULL;
+ 	}
++	if (state->connection_in == state->connection_out) {
++		shutdown(state->connection_out, SHUT_RDWR);
++		close(state->connection_out);
 +	} else {
-+		close(active_state->connection_in);
-+		close(active_state->connection_out);
++		close(state->connection_in);
++		close(state->connection_out);
 +	}
+ 	free(ssh->state);
+ 	ssh->state = NULL;
  }
- 
- /* Sets remote side protocol flags. */
-@@ -747,6 +758,25 @@ packet_send1(void)
- 	 */
+@@ -941,6 +952,7 @@ ssh_set_newkeys(struct ssh *ssh, int mod
+ 	}
+ 	if (state->newkeys[mode] != NULL) {
+ 		debug("set_newkeys: rekeying");
++		audit_session_key_free(mode);
+ 		if ((r = cipher_cleanup(cc)) != 0)
+ 			return r;
+ 		enc  = &state->newkeys[mode]->enc;
+@@ -2263,6 +2275,73 @@ ssh_packet_get_output(struct ssh *ssh)
+ 	return (void *)ssh->state->output;
  }
  
 +static void
-+newkeys_destroy_and_free(Newkeys *newkeys)
++newkeys_destroy_and_free(struct newkeys *newkeys)
 +{
 +	if (newkeys == NULL)
 +		return;
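Review bot: In ssh_packet_close the two cipher_cleanup() calls are now skipped whenever `packet_state_has_keys(state)` is false, whereas upstream 6.8p1 runs them unconditionally. packet_state_has_keys() only tests `newkeys[MODE_IN]`/`newkeys[MODE_OUT]`, and if I read 6.8p1 right the protocol-1 path (ssh_packet_set_encryption_key) initialises send_context/receive_context without ever populating newkeys[], so for SSH1 sessions the cipher contexts would no longer be cleaned up on close and their key material not wiped. Keep the two cipher_cleanup() calls unconditional as upstream has them and guard only `audit_session_key_free(2)` with `if (packet_state_has_keys(state))`. A one-line comment on what the `2` passed to audit_session_key_free() means (both directions, presumably) would also help readers here and in the rekey hunk above.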
@@ -1790,21 +1740,6 @@ index 9b7abd1..f1e00f7 100644
 +	free(newkeys);
 +}
 +
- void
- set_newkeys(int mode)
- {
-@@ -772,6 +802,7 @@ set_newkeys(int mode)
- 	}
- 	if (active_state->newkeys[mode] != NULL) {
- 		debug("set_newkeys: rekeying");
-+		audit_session_key_free(mode);
- 		cipher_cleanup(cc);
- 		enc  = &active_state->newkeys[mode]->enc;
- 		mac  = &active_state->newkeys[mode]->mac;
-@@ -2025,6 +2056,48 @@ packet_get_newkeys(int mode)
- 	return (void *)active_state->newkeys[mode];
- }
- 
 +static void
 +packet_destroy_state(struct session_state *state)
 +{
@@ -1814,12 +1749,18 @@ index 9b7abd1..f1e00f7 100644
 +	cipher_cleanup(&state->receive_context);
 +	cipher_cleanup(&state->send_context);
 +
-+	buffer_free(&state->input);
-+	buffer_free(&state->output);
-+	buffer_free(&state->outgoing_packet);
-+	buffer_free(&state->incoming_packet);
-+	if( state->compression_buffer_ready )
-+		buffer_free(&state->compression_buffer);
++	buffer_free(state->input);
++	state->input = NULL;
++	buffer_free(state->output);
++	state->output = NULL;
++	buffer_free(state->outgoing_packet);
++	state->outgoing_packet = NULL;
++	buffer_free(state->incoming_packet);
++	state->incoming_packet = NULL;
++	if( state->compression_buffer ) {
++		buffer_free(state->compression_buffer);
++		state->compression_buffer = NULL;
++	}
 +	newkeys_destroy_and_free(state->newkeys[MODE_IN]);
 +	state->newkeys[MODE_IN] = NULL;
 +	newkeys_destroy_and_free(state->newkeys[MODE_OUT]);
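Review bot: packet_destroy_state still discards the return value of cipher_cleanup() at both of its calls, even though the same patch now treats it as an int and reports failures in ssh_packet_close (`if ((r = cipher_cleanup(&state->send_context)) != 0) error("%s: cipher_cleanup failed: %s", __func__, ssh_err(r));`). The destructor should be consistent and at least log, e.g. `if (cipher_cleanup(&state->receive_context) != 0) error("%s: cipher_cleanup failed", __func__);` and the same for send_context, because a cleanup that fails silently here may leave cipher state behind in a process that keeps running, which is the very thing this cleanup path exists to prevent. packet_destroy_state's signature is in the previous hunk and the rest of its body runs past the end of this one.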
@@ -1833,10 +1774,10 @@ index 9b7abd1..f1e00f7 100644
 +packet_destroy_all(int audit_it, int privsep)
 +{
 +	if (audit_it)
-+		audit_it = packet_state_has_keys (active_state) ||
-+			packet_state_has_keys (backup_state);
-+	packet_destroy_state(active_state);
-+	packet_destroy_state(backup_state);
++		audit_it = packet_state_has_keys (active_state->state) ||
++			packet_state_has_keys (backup_state->state);
++	packet_destroy_state(active_state->state);
++	packet_destroy_state(backup_state->state);
 +	if (audit_it) {
 +#ifdef SSH_AUDIT_EVENTS
 +		if (privsep)
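Review bot: `backup_state->state` is dereferenced unconditionally in packet_destroy_all, but backup_state is a file-scope `struct ssh *` (exported from packet.h by this patch) that, unless it is allocated somewhere outside this view, is NULL until a roaming backup is taken and is set back to NULL by ssh_packet_restore_state; on that path packet_destroy_all(0, 0) from privsep_postauth and packet_destroy_all(1, 1) at the end of main dereference a null pointer. The old code handed the possibly-NULL pointer itself to packet_state_has_keys()/packet_destroy_state(), where a NULL check could catch it; the new `->state` indirection happens before those helpers see the argument. Guard the dereference at the call site as below, since whether the helpers tolerate NULL is not visible here. packet_destroy_all begins at the top of this hunk.
```c
	if (audit_it)
		audit_it = packet_state_has_keys(active_state->state) ||
		    (backup_state != NULL &&
		    packet_state_has_keys(backup_state->state));
	packet_destroy_state(active_state->state);
	if (backup_state != NULL)
		packet_destroy_state(backup_state->state);
	/* … unchanged: audit_it handling … */
```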
@@ -1847,66 +1788,73 @@ index 9b7abd1..f1e00f7 100644
 +	}
 +}
 +
+ /* XXX TODO update roaming to new API (does not work anyway) */
  /*
   * Save the state for the real connection, and use a separate state when
-  * resuming a suspended connection.
-@@ -2032,18 +2104,12 @@ packet_get_newkeys(int mode)
- void
- packet_backup_state(void)
+@@ -2272,18 +2373,12 @@ void
+ ssh_packet_backup_state(struct ssh *ssh,
+     struct ssh *backup_state)
  {
--	struct session_state *tmp;
+-	struct ssh *tmp;
 -
- 	close(active_state->connection_in);
- 	active_state->connection_in = -1;
- 	close(active_state->connection_out);
- 	active_state->connection_out = -1;
+ 	close(ssh->state->connection_in);
+ 	ssh->state->connection_in = -1;
+ 	close(ssh->state->connection_out);
+ 	ssh->state->connection_out = -1;
 -	if (backup_state)
 -		tmp = backup_state;
 -	else
--		tmp = alloc_session_state();
- 	backup_state = active_state;
--	active_state = tmp;
-+	active_state = alloc_session_state();
+-		tmp = ssh_alloc_session_state();
+ 	backup_state = ssh;
+-	ssh = tmp;
++	ssh = ssh_alloc_session_state();
  }
  
- /*
-@@ -2060,9 +2126,7 @@ packet_restore_state(void)
- 	backup_state = active_state;
- 	active_state = tmp;
- 	active_state->connection_in = backup_state->connection_in;
--	backup_state->connection_in = -1;
- 	active_state->connection_out = backup_state->connection_out;
--	backup_state->connection_out = -1;
- 	len = buffer_len(&backup_state->input);
+ /* XXX FIXME FIXME FIXME */
+@@ -2302,9 +2397,7 @@ ssh_packet_restore_state(struct ssh *ssh
+ 	backup_state = ssh;
+ 	ssh = tmp;
+ 	ssh->state->connection_in = backup_state->state->connection_in;
+-	backup_state->state->connection_in = -1;
+ 	ssh->state->connection_out = backup_state->state->connection_out;
+-	backup_state->state->connection_out = -1;
+ 	len = sshbuf_len(backup_state->state->input);
  	if (len > 0) {
- 		buf = buffer_ptr(&backup_state->input);
-@@ -2070,6 +2134,11 @@ packet_restore_state(void)
- 		buffer_clear(&backup_state->input);
+ 		if ((r = sshbuf_putb(ssh->state->input,
+@@ -2313,6 +2406,11 @@ ssh_packet_restore_state(struct ssh *ssh
+ 		sshbuf_reset(backup_state->state->input);
  		add_recv_bytes(len);
  	}
-+	backup_state->connection_in = -1;
-+	backup_state->connection_out = -1;
-+	packet_destroy_state(backup_state);
++	backup_state->state->connection_in = -1;
++	backup_state->state->connection_out = -1;
++	packet_destroy_state(backup_state->state);
 +	free(backup_state);
 +	backup_state = NULL;
  }
  
  /* Reset after_authentication and reset compression in post-auth privsep */
-diff --git a/packet.h b/packet.h
-index e7b5fcb..45a6ce6 100644
---- a/packet.h
-+++ b/packet.h
-@@ -125,4 +125,5 @@ void	 packet_set_postauth(void);
- void	*packet_get_input(void);
- void	*packet_get_output(void);
+diff -up openssh-6.8p1/packet.h.audit openssh-6.8p1/packet.h
+--- openssh-6.8p1/packet.h.audit	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/packet.h	2015-03-20 13:41:15.097883774 +0100
+@@ -189,7 +189,7 @@ int	sshpkt_get_end(struct ssh *ssh);
+ const u_char	*sshpkt_ptr(struct ssh *, size_t *lenp);
+ 
+ /* OLD API */
+-extern struct ssh *active_state;
++extern struct ssh *active_state, *backup_state;
+ #include "opacket.h"
+ 
+ #if !defined(WITH_OPENSSL)
+@@ -203,4 +203,5 @@ extern struct ssh *active_state;
+ # undef EC_POINT
+ #endif
  
 +void	 packet_destroy_all(int, int);
  #endif				/* PACKET_H */
-diff --git a/session.c b/session.c
-index 40a681e..acd87d5 100644
---- a/session.c
-+++ b/session.c
-@@ -138,7 +138,7 @@ extern int log_stderr;
+diff -up openssh-6.8p1/session.c.audit openssh-6.8p1/session.c
+--- openssh-6.8p1/session.c.audit	2015-03-20 13:41:15.073883813 +0100
++++ openssh-6.8p1/session.c	2015-03-20 13:41:15.097883774 +0100
+@@ -139,7 +139,7 @@ extern int log_stderr;
  extern int debug_flag;
  extern u_int utmp_len;
  extern int startup_pipe;
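Review bot: In ssh_packet_backup_state the assignments `backup_state = ssh;` and the newly added `ssh = ssh_alloc_session_state();` write to the function's own parameters (`struct ssh *ssh, struct ssh *backup_state`), not to the `active_state`/`backup_state` globals that packet.h now exports and that packet_destroy_all reads, so the caller's pointers are unchanged on return and the freshly allocated session state is leaked. The same shadowing affects ssh_packet_restore_state, where `backup_state = NULL;` after `free(backup_state)` only clears the local copy. Upstream flags this roaming code as not yet ported to the new API (the XXX TODO directly above), so either leave these bodies untouched until that port is done, or change the functions to take `struct ssh **` and update the globals through the pointer; as written the added allocation is a pure leak. Whether packet_destroy_state() also frees `backup_state->state` itself (its tail is outside this hunk) decides if `free(backup_state)` leaks the session_state as well.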
@@ -1915,7 +1863,7 @@ index 40a681e..acd87d5 100644
  extern Buffer loginmsg;
  
  /* original command from peer. */
-@@ -730,6 +730,14 @@ do_exec_pty(Session *s, const char *command)
+@@ -731,6 +731,14 @@ do_exec_pty(Session *s, const char *comm
  	/* Parent.  Close the slave side of the pseudo tty. */
  	close(ttyfd);
  
@@ -1930,7 +1878,7 @@ index 40a681e..acd87d5 100644
  	/* Enter interactive session. */
  	s->ptymaster = ptymaster;
  	packet_set_interactive(1, 
-@@ -852,15 +860,19 @@ do_exec(Session *s, const char *command)
+@@ -853,15 +861,19 @@ do_exec(Session *s, const char *command)
  	    get_remote_port());
  
  #ifdef SSH_AUDIT_EVENTS
@@ -1952,7 +1900,7 @@ index 40a681e..acd87d5 100644
  #endif
  	if (s->ttyfd != -1)
  		ret = do_exec_pty(s, command);
-@@ -1703,7 +1715,10 @@ do_child(Session *s, const char *command)
+@@ -1704,7 +1716,10 @@ do_child(Session *s, const char *command
  	int r = 0;
  
  	/* remove hostkey from the child's memory */
@@ -1964,7 +1912,7 @@ index 40a681e..acd87d5 100644
  
  	/* Force a password change */
  	if (s->authctxt->force_pwchange) {
-@@ -1933,6 +1948,7 @@ session_unused(int id)
+@@ -1934,6 +1949,7 @@ session_unused(int id)
  	sessions[id].ttyfd = -1;
  	sessions[id].ptymaster = -1;
  	sessions[id].x11_chanids = NULL;
@@ -1972,7 +1920,7 @@ index 40a681e..acd87d5 100644
  	sessions[id].next_unused = sessions_first_unused;
  	sessions_first_unused = id;
  }
-@@ -2015,6 +2031,19 @@ session_open(Authctxt *authctxt, int chanid)
+@@ -2016,6 +2032,19 @@ session_open(Authctxt *authctxt, int cha
  }
  
  Session *
@@ -1992,7 +1940,7 @@ index 40a681e..acd87d5 100644
  session_by_tty(char *tty)
  {
  	int i;
-@@ -2531,6 +2560,30 @@ session_exit_message(Session *s, int status)
+@@ -2532,6 +2561,30 @@ session_exit_message(Session *s, int sta
  		chan_write_failed(c);
  }
  
@@ -2023,7 +1971,7 @@ index 40a681e..acd87d5 100644
  void
  session_close(Session *s)
  {
-@@ -2539,6 +2592,10 @@ session_close(Session *s)
+@@ -2540,6 +2593,10 @@ session_close(Session *s)
  	debug("session_close: session %d pid %ld", s->self, (long)s->pid);
  	if (s->ttyfd != -1)
  		session_pty_cleanup(s);
@@ -2034,7 +1982,7 @@ index 40a681e..acd87d5 100644
  	free(s->term);
  	free(s->display);
  	free(s->x11_chanids);
-@@ -2753,6 +2810,15 @@ do_authenticated2(Authctxt *authctxt)
+@@ -2754,6 +2811,15 @@ do_authenticated2(Authctxt *authctxt)
  	server_loop2(authctxt);
  }
  
@@ -2050,17 +1998,16 @@ index 40a681e..acd87d5 100644
  void
  do_cleanup(Authctxt *authctxt)
  {
-@@ -2801,5 +2867,5 @@ do_cleanup(Authctxt *authctxt)
+@@ -2802,5 +2868,5 @@ do_cleanup(Authctxt *authctxt)
  	 * or if running in monitor.
  	 */
  	if (!use_privsep || mm_is_monitor())
 -		session_destroy_all(session_pty_cleanup2);
 +		session_destroy_all(do_cleanup_one_session);
  }
-diff --git a/session.h b/session.h
-index 6a2f35e..e9b312e 100644
---- a/session.h
-+++ b/session.h
+diff -up openssh-6.8p1/session.h.audit openssh-6.8p1/session.h
+--- openssh-6.8p1/session.h.audit	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/session.h	2015-03-20 13:41:15.097883774 +0100
 @@ -61,6 +61,12 @@ struct Session {
  		char	*name;
  		char	*val;
@@ -2085,19 +2032,18 @@ index 6a2f35e..e9b312e 100644
  Session	*session_by_tty(char *);
  void	 session_close(Session *);
  void	 do_setusercontext(struct passwd *);
-diff --git a/sshd.c b/sshd.c
-index ca55d7f..db23ce2 100644
---- a/sshd.c
-+++ b/sshd.c
-@@ -120,6 +120,7 @@
+diff -up openssh-6.8p1/sshd.c.audit openssh-6.8p1/sshd.c
+--- openssh-6.8p1/sshd.c.audit	2015-03-20 13:41:15.083883796 +0100
++++ openssh-6.8p1/sshd.c	2015-03-20 13:41:15.110883753 +0100
+@@ -121,6 +124,7 @@
  #endif
  #include "monitor_wrap.h"
  #include "roaming.h"
 +#include "audit.h"
  #include "ssh-sandbox.h"
  #include "version.h"
- 
-@@ -254,7 +255,7 @@ Buffer loginmsg;
+ #include "ssherr.h"
+@@ -260,7 +264,7 @@ Buffer loginmsg;
  struct passwd *privsep_pw = NULL;
  
  /* Prototypes for various functions defined later in this file. */
@@ -2106,7 +2052,7 @@ index ca55d7f..db23ce2 100644
  void demote_sensitive_data(void);
  
  #ifdef WITH_SSH1
-@@ -275,6 +276,15 @@ close_listen_socks(void)
+@@ -281,6 +285,15 @@ close_listen_socks(void)
  	num_listen_socks = -1;
  }
  
@@ -2122,7 +2068,7 @@ index ca55d7f..db23ce2 100644
  static void
  close_startup_pipes(void)
  {
-@@ -554,22 +564,45 @@ sshd_exchange_identification(int sock_in, int sock_out)
+@@ -560,22 +573,45 @@ sshd_exchange_identification(int sock_in
  	}
  }
  
@@ -2150,7 +2096,7 @@ index ca55d7f..db23ce2 100644
 +			char *fp;
 +
 +			if (key_is_private(sensitive_data.host_keys[i]))
-+				fp = key_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX);
++				fp = sshkey_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX);
 +			else
 +				fp = NULL;
  			key_free(sensitive_data.host_keys[i]);
@@ -2171,7 +2117,7 @@ index ca55d7f..db23ce2 100644
  			key_free(sensitive_data.host_certificates[i]);
  			sensitive_data.host_certificates[i] = NULL;
  		}
-@@ -583,6 +616,8 @@ void
+@@ -589,6 +625,8 @@ void
  demote_sensitive_data(void)
  {
  	Key *tmp;
@@ -2180,7 +2126,7 @@ index ca55d7f..db23ce2 100644
  	int i;
  
  	if (sensitive_data.server_key) {
-@@ -591,13 +626,25 @@ demote_sensitive_data(void)
+@@ -597,13 +635,25 @@ demote_sensitive_data(void)
  		sensitive_data.server_key = tmp;
  	}
  
@@ -2191,7 +2137,7 @@ index ca55d7f..db23ce2 100644
 +			char *fp;
 +
 +			if (key_is_private(sensitive_data.host_keys[i]))
-+				fp = key_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX);
++				fp = sshkey_fingerprint(sensitive_data.host_keys[i], options.fingerprint_hash, SSH_FP_HEX);
 +			else
 +				fp = NULL;
  			tmp = key_demote(sensitive_data.host_keys[i]);
@@ -2206,7 +2152,7 @@ index ca55d7f..db23ce2 100644
  		}
  		/* Certs do not need demotion */
  	}
-@@ -667,7 +714,7 @@ privsep_preauth(Authctxt *authctxt)
+@@ -675,7 +725,7 @@ privsep_preauth(Authctxt *authctxt)
  
  	if (use_privsep == PRIVSEP_ON)
  		box = ssh_sandbox_init(pmonitor);
@@ -2215,35 +2161,26 @@ index ca55d7f..db23ce2 100644
  	if (pid == -1) {
  		fatal("fork of unprivileged child failed");
  	} else if (pid != 0) {
-@@ -721,6 +768,8 @@ privsep_preauth(Authctxt *authctxt)
- 	}
- }
- 
-+extern Newkeys *current_keys[];
-+
- static void
- privsep_postauth(Authctxt *authctxt)
- {
-@@ -745,6 +794,10 @@ privsep_postauth(Authctxt *authctxt)
+@@ -759,6 +811,10 @@ privsep_postauth(Authctxt *authctxt)
  	else if (pmonitor->m_pid != 0) {
  		verbose("User child is on pid %ld", (long)pmonitor->m_pid);
  		buffer_clear(&loginmsg);
-+ 		newkeys_destroy(current_keys[MODE_OUT]);
-+		newkeys_destroy(current_keys[MODE_IN]);
++		newkeys_destroy((*pmonitor->m_pkex)->newkeys[MODE_OUT]);
++		newkeys_destroy((*pmonitor->m_pkex)->newkeys[MODE_IN]);
 +		audit_session_key_free_body(2, getpid(), getuid());
 +		packet_destroy_all(0, 0);
  		monitor_child_postauth(pmonitor);
  
  		/* NEVERREACHED */
-@@ -1222,6 +1275,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
+@@ -1286,6 +1341,7 @@ server_accept_loop(int *sock_in, int *so
  		if (received_sigterm) {
  			logit("Received signal %d; terminating.",
  			    (int) received_sigterm);
 +			destroy_sensitive_data(0);
  			close_listen_socks();
- 			unlink(options.pid_file);
- 			exit(received_sigterm == SIGTERM ? 0 : 255);
-@@ -2141,6 +2195,7 @@ main(int ac, char **av)
+ 			if (options.pid_file != NULL)
+ 				unlink(options.pid_file);
+@@ -2242,6 +2321,7 @@ main(int ac, char **av)
  	 */
  	if (use_privsep) {
  		mm_send_keystate(pmonitor);
@@ -2251,7 +2188,7 @@ index ca55d7f..db23ce2 100644
  		exit(0);
  	}
  
-@@ -2186,7 +2241,7 @@ main(int ac, char **av)
+@@ -2287,7 +2367,7 @@ main(int ac, char **av)
  		privsep_postauth(authctxt);
  		/* the monitor process [priv] will not return */
  		if (!compat20)
@@ -2260,17 +2197,17 @@ index ca55d7f..db23ce2 100644
  	}
  
  	packet_set_timeout(options.client_alive_interval,
-@@ -2196,6 +2251,9 @@ main(int ac, char **av)
+@@ -2301,6 +2381,9 @@ main(int ac, char **av)
  	do_authenticated(authctxt);
  
  	/* The connection has been terminated. */
 +	packet_destroy_all(1, 1);
 +	destroy_sensitive_data(1);
 +
- 	packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);
- 	packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);
+ 	packet_get_bytes(&ibytes, &obytes);
  	verbose("Transferred: sent %llu, received %llu bytes",
-@@ -2355,6 +2413,10 @@ do_ssh1_kex(void)
+ 	    (unsigned long long)obytes, (unsigned long long)ibytes);
+@@ -2461,6 +2544,10 @@ do_ssh1_kex(void)
  		if (cookie[i] != packet_get_char())
  			packet_disconnect("IP Spoofing check bytes do not match.");
  
@@ -2281,16 +2218,16 @@ index ca55d7f..db23ce2 100644
  	debug("Encryption type: %.200s", cipher_name(cipher_type));
  
  	/* Get the encrypted integer. */
-@@ -2427,7 +2489,7 @@ do_ssh1_kex(void)
- 			session_id[i] = session_key[i] ^ session_key[i + 16];
+@@ -2520,7 +2607,7 @@ do_ssh1_kex(void)
  	}
+ 
  	/* Destroy the private and public keys. No longer. */
 -	destroy_sensitive_data();
 +	destroy_sensitive_data(0);
  
  	if (use_privsep)
  		mm_ssh1_session_id(session_id);
-@@ -2598,6 +2660,16 @@ do_ssh2_kex(void)
+@@ -2703,6 +2802,16 @@ do_ssh2_kex(void)
  void
  cleanup_exit(int i)
  {
@@ -2307,7 +2244,7 @@ index ca55d7f..db23ce2 100644
  	if (the_authctxt) {
  		do_cleanup(the_authctxt);
  		if (use_privsep && privsep_is_preauth &&
-@@ -2609,9 +2681,14 @@ cleanup_exit(int i)
+@@ -2714,9 +2823,14 @@ cleanup_exit(int i)
  				    pmonitor->m_pid, strerror(errno));
  		}
  	}
@@ -2323,11 +2260,10 @@ index ca55d7f..db23ce2 100644
  		audit_event(SSH_CONNECTION_ABANDON);
  #endif
  	_exit(i);
-diff --git a/sshkey.c b/sshkey.c
-index 70df758..f078e11 100644
---- a/sshkey.c
-+++ b/sshkey.c
-@@ -291,6 +291,33 @@ sshkey_type_is_valid_ca(int type)
+diff -up openssh-6.8p1/sshkey.c.audit openssh-6.8p1/sshkey.c
+--- openssh-6.8p1/sshkey.c.audit	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/sshkey.c	2015-03-20 13:41:15.111883751 +0100
+@@ -317,6 +319,33 @@ sshkey_type_is_valid_ca(int type)
  }
  
  int
@@ -2361,11 +2297,10 @@ index 70df758..f078e11 100644
  sshkey_is_cert(const struct sshkey *k)
  {
  	if (k == NULL)
-diff --git a/sshkey.h b/sshkey.h
-index 4554b09..226a494 100644
---- a/sshkey.h
-+++ b/sshkey.h
-@@ -134,6 +134,7 @@ u_int		 sshkey_size(const struct sshkey *);
+diff -up openssh-6.8p1/sshkey.h.audit openssh-6.8p1/sshkey.h
+--- openssh-6.8p1/sshkey.h.audit	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/sshkey.h	2015-03-20 13:41:15.098883772 +0100
+@@ -134,6 +134,7 @@ u_int		 sshkey_size(const struct sshkey
  int		 sshkey_generate(int type, u_int bits, struct sshkey **keyp);
  int		 sshkey_from_private(const struct sshkey *, struct sshkey **);
  int	 sshkey_type_from_name(const char *);
@@ -2373,11 +2308,10 @@ index 4554b09..226a494 100644
  int	 sshkey_is_cert(const struct sshkey *);
  int	 sshkey_type_is_cert(int);
  int	 sshkey_type_plain(int);
-
-diff -U3 openssh-6.6p1/sandbox-seccomp-filter.c openssh-6.6p1.seccomp/sandbox-seccomp-filter.c
---- openssh-6.6p1/sandbox-seccomp-filter.c	2014-02-06 01:17:50.000000000 +0100
-+++ openssh-6.6p1.seccomp/sandbox-seccomp-filter.c	2015-02-11 09:07:10.885000000 +0100
-@@ -95,6 +95,12 @@
+diff -up openssh-6.8p1/sandbox-seccomp-filter.c.audit openssh-6.8p1/sandbox-seccomp-filter.c
+--- openssh-6.8p1/sandbox-seccomp-filter.c.audit	2015-03-20 13:41:15.088883788 +0100
++++ openssh-6.8p1/sandbox-seccomp-filter.c	2015-03-20 13:41:15.097883774 +0100
+@@ -110,6 +110,12 @@ static const struct sock_filter preauth_
  #ifdef __NR_time /* not defined on EABI ARM */
  	SC_ALLOW(time),
  #endif
diff --git a/openssh-6.7p1-coverity.patch b/openssh-6.7p1-coverity.patch
index 875b79a..c7a7e04 100644
--- a/openssh-6.7p1-coverity.patch
+++ b/openssh-6.7p1-coverity.patch
@@ -1,8 +1,7 @@
-diff --git a/auth-pam.c b/auth-pam.c
-index cd1a775..2fff267 100644
---- a/auth-pam.c
-+++ b/auth-pam.c
-@@ -216,7 +216,12 @@ pthread_join(sp_pthread_t thread, void **value)
+diff -up openssh-6.8p1/auth-pam.c.coverity openssh-6.8p1/auth-pam.c
+--- openssh-6.8p1/auth-pam.c.coverity	2015-03-18 17:21:51.792265051 +0100
++++ openssh-6.8p1/auth-pam.c	2015-03-18 17:21:51.895264835 +0100
+@@ -216,7 +216,12 @@ pthread_join(sp_pthread_t thread, void *
  	if (sshpam_thread_status != -1)
  		return (sshpam_thread_status);
  	signal(SIGCHLD, sshpam_oldsig);
@@ -16,11 +15,10 @@ index cd1a775..2fff267 100644
  	return (status);
  }
  #endif
-diff --git a/channels.c b/channels.c
-index 51a221d..0ef1d90 100644
---- a/channels.c
-+++ b/channels.c
-@@ -239,11 +239,11 @@ channel_register_fds(Channel *c, int rfd, int wfd, int efd,
+diff -up openssh-6.8p1/channels.c.coverity openssh-6.8p1/channels.c
+--- openssh-6.8p1/channels.c.coverity	2015-03-18 17:21:51.815265002 +0100
++++ openssh-6.8p1/channels.c	2015-03-18 17:21:51.896264833 +0100
+@@ -243,11 +243,11 @@ channel_register_fds(Channel *c, int rfd
  	channel_max_fd = MAX(channel_max_fd, wfd);
  	channel_max_fd = MAX(channel_max_fd, efd);
  
@@ -35,7 +33,7 @@ index 51a221d..0ef1d90 100644
  		fcntl(efd, F_SETFD, FD_CLOEXEC);
  
  	c->rfd = rfd;
-@@ -261,11 +261,11 @@ channel_register_fds(Channel *c, int rfd, int wfd, int efd,
+@@ -265,11 +265,11 @@ channel_register_fds(Channel *c, int rfd
  
  	/* enable nonblocking mode */
  	if (nonblock) {
@@ -50,7 +48,7 @@ index 51a221d..0ef1d90 100644
  			set_nonblock(efd);
  	}
  }
-@@ -3959,13 +3959,13 @@ connect_local_xsocket_path(const char *pathname, int len)
+@@ -3972,13 +3972,13 @@ connect_local_xsocket_path(const char *p
  	int sock;
  	struct sockaddr_un addr;
  
@@ -66,35 +64,10 @@ index 51a221d..0ef1d90 100644
  	if (len > sizeof addr.sun_path)
  		len = sizeof addr.sun_path;
  	memcpy(addr.sun_path, pathname, len);
-diff --git a/clientloop.c b/clientloop.c
-index 20ce0b5..65cb26a 100644
---- a/clientloop.c
-+++ b/clientloop.c
-@@ -2090,15 +2090,16 @@ client_input_global_request(int type, u_int32_t seq, void *ctxt)
- {
- 	char *rtype;
- 	int want_reply;
--	int success = 0;
-+/*	int success = 0;
-+ success is still 0 the packet is allways SSH2_MSG_REQUEST_FAILURE, isn't it? */
- 
- 	rtype = packet_get_string(NULL);
- 	want_reply = packet_get_char();
- 	debug("client_input_global_request: rtype %s want_reply %d",
- 	    rtype, want_reply);
- 	if (want_reply) {
--		packet_start(success ?
--		    SSH2_MSG_REQUEST_SUCCESS : SSH2_MSG_REQUEST_FAILURE);
-+		packet_start(/*success ?
-+		    SSH2_MSG_REQUEST_SUCCESS :*/ SSH2_MSG_REQUEST_FAILURE);
- 		packet_send();
- 		packet_write_wait();
- 	}
-diff --git a/entropy.c b/entropy.c
-index 06b0095..a4097da 100644
---- a/entropy.c
-+++ b/entropy.c
-@@ -44,6 +44,7 @@
+diff -up openssh-6.8p1/entropy.c.coverity openssh-6.8p1/entropy.c
+--- openssh-6.8p1/entropy.c.coverity	2015-03-18 17:21:51.891264843 +0100
++++ openssh-6.8p1/entropy.c	2015-03-18 17:21:51.897264831 +0100
+@@ -46,6 +46,7 @@
  #include <openssl/err.h>
  
  #include "openbsd-compat/openssl-compat.h"
@@ -102,11 +75,10 @@ index 06b0095..a4097da 100644
  
  #include "ssh.h"
  #include "misc.h"
-diff --git a/monitor.c b/monitor.c
-index 07fa655..b8e6e06 100644
---- a/monitor.c
-+++ b/monitor.c
-@@ -488,7 +488,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
+diff -up openssh-6.8p1/monitor.c.coverity openssh-6.8p1/monitor.c
+--- openssh-6.8p1/monitor.c.coverity	2015-03-18 17:21:51.887264852 +0100
++++ openssh-6.8p1/monitor.c	2015-03-18 17:21:51.897264831 +0100
+@@ -444,7 +444,7 @@ monitor_child_preauth(Authctxt *_authctx
  	mm_get_keystate(pmonitor);
  
  	/* Drain any buffered messages from the child */
@@ -115,7 +87,7 @@ index 07fa655..b8e6e06 100644
  		;
  
  	close(pmonitor->m_sendfd);
-@@ -1276,6 +1276,10 @@ mm_answer_keyallowed(int sock, Buffer *m)
+@@ -1303,6 +1303,10 @@ mm_answer_keyallowed(int sock, Buffer *m
  			break;
  		}
  	}
@@ -126,7 +98,7 @@ index 07fa655..b8e6e06 100644
  	if (key != NULL)
  		key_free(key);
  
-@@ -1297,9 +1301,6 @@ mm_answer_keyallowed(int sock, Buffer *m)
+@@ -1324,9 +1328,6 @@ mm_answer_keyallowed(int sock, Buffer *m
  		free(chost);
  	}
  
@@ -136,11 +108,10 @@ index 07fa655..b8e6e06 100644
  	buffer_clear(m);
  	buffer_put_int(m, allowed);
  	buffer_put_int(m, forced_command != NULL);
-diff --git a/monitor_wrap.c b/monitor_wrap.c
-index ba4ecd7..b3e4ca1 100644
---- a/monitor_wrap.c
-+++ b/monitor_wrap.c
-@@ -749,10 +749,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, size_t namebuflen)
+diff -up openssh-6.8p1/monitor_wrap.c.coverity openssh-6.8p1/monitor_wrap.c
+--- openssh-6.8p1/monitor_wrap.c.coverity	2015-03-18 17:21:51.888264849 +0100
++++ openssh-6.8p1/monitor_wrap.c	2015-03-18 17:21:51.897264831 +0100
+@@ -533,10 +533,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
  	if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
  	    (tmp2 = dup(pmonitor->m_recvfd)) == -1) {
  		error("%s: cannot allocate fds for pty", __func__);
@@ -154,11 +125,10 @@ index ba4ecd7..b3e4ca1 100644
  		return 0;
  	}
  	close(tmp1);
-diff --git a/openbsd-compat/bindresvport.c b/openbsd-compat/bindresvport.c
-index c89f214..80115c2 100644
---- a/openbsd-compat/bindresvport.c
-+++ b/openbsd-compat/bindresvport.c
-@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr *sa)
+diff -up openssh-6.8p1/openbsd-compat/bindresvport.c.coverity openssh-6.8p1/openbsd-compat/bindresvport.c
+--- openssh-6.8p1/openbsd-compat/bindresvport.c.coverity	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/openbsd-compat/bindresvport.c	2015-03-18 17:21:51.897264831 +0100
+@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr
  	struct sockaddr_in6 *in6;
  	u_int16_t *portp;
  	u_int16_t port;
@@ -167,10 +137,9 @@ index c89f214..80115c2 100644
  	int i;
  
  	if (sa == NULL) {
-diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
-index 8b7cda2..e2ca8a1 100644
---- a/openbsd-compat/port-linux.h
-+++ b/openbsd-compat/port-linux.h
+diff -up openssh-6.8p1/openbsd-compat/port-linux.h.coverity openssh-6.8p1/openbsd-compat/port-linux.h
+--- openssh-6.8p1/openbsd-compat/port-linux.h.coverity	2015-03-18 17:21:51.861264906 +0100
++++ openssh-6.8p1/openbsd-compat/port-linux.h	2015-03-18 17:21:51.897264831 +0100
 @@ -37,4 +37,6 @@ void oom_adjust_restore(void);
  void oom_adjust_setup(void);
  #endif
@@ -178,23 +147,10 @@ index 8b7cda2..e2ca8a1 100644
 +void linux_seed(void);
 +
  #endif /* ! _PORT_LINUX_H */
-diff --git a/packet.c b/packet.c
-index 8ec353e..dbc2c33 100644
---- a/packet.c
-+++ b/packet.c
-@@ -1246,6 +1246,7 @@ packet_read_poll1(void)
- 		case DEATTACK_DETECTED:
- 			packet_disconnect("crc32 compensation attack: "
- 			    "network attack detected");
-+			break;
- 		case DEATTACK_DOS_DETECTED:
- 			packet_disconnect("deattack denial of "
- 			    "service detected");
-diff --git a/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c b/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c
-index 8ba6d87..a7808c7 100644
---- a/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c
-+++ b/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c
-@@ -87,7 +87,7 @@ pam_user_key_allowed2(struct passwd *pw, Key *key, char *file)
+diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c.coverity openssh-6.8p1/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c
+--- openssh-6.8p1/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c.coverity	2015-03-18 17:21:51.788265059 +0100
++++ openssh-6.8p1/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c	2015-03-18 17:21:51.898264829 +0100
+@@ -87,7 +87,7 @@ pam_user_key_allowed2(struct passwd *pw,
  	found = key_new(key->type);
  
  	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
@@ -203,7 +159,7 @@ index 8ba6d87..a7808c7 100644
  
  		/* Skip leading whitespace, empty and comment lines. */
  		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
-@@ -99,7 +99,6 @@ pam_user_key_allowed2(struct passwd *pw, Key *key, char *file)
+@@ -99,7 +99,6 @@ pam_user_key_allowed2(struct passwd *pw,
  			/* no key?  check if there are options for this key */
  			int quoted = 0;
  			verbose("user_key_allowed: check options: '%s'", cp);
@@ -211,10 +167,9 @@ index 8ba6d87..a7808c7 100644
  			for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
  				if (*cp == '\\' && cp[1] == '"')
  					cp++;	/* Skip both */
-diff --git a/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c b/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c
-index e14eb27..323817a 100644
---- a/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c
-+++ b/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c
+diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c.coverity openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c
+--- openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c.coverity	2015-03-18 17:21:51.786265063 +0100
++++ openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c	2015-03-18 17:21:51.898264829 +0100
 @@ -89,8 +89,7 @@ userauth_pubkey_from_id(Identity * id)
          authenticated = 1;
  
@@ -225,44 +180,10 @@ index e14eb27..323817a 100644
      if(sig != NULL)
          free(sig);
      if(pkblob != NULL)
-diff --git a/progressmeter.c b/progressmeter.c
-index bbbc706..ae6d1aa 100644
---- a/progressmeter.c
-+++ b/progressmeter.c
-@@ -65,7 +65,7 @@ static void update_progress_meter(int);
- 
- static time_t start;		/* start progress */
- static time_t last_update;	/* last progress update */
--static char *file;		/* name of the file being transferred */
-+static const char *file;	/* name of the file being transferred */
- static off_t start_pos;		/* initial position of transfer */
- static off_t end_pos;		/* ending position of transfer */
- static off_t cur_pos;		/* transfer position as of last refresh */
-@@ -248,7 +248,7 @@ update_progress_meter(int ignore)
- }
- 
- void
--start_progress_meter(char *f, off_t filesize, off_t *ctr)
-+start_progress_meter(const char *f, off_t filesize, off_t *ctr)
- {
- 	start = last_update = monotime();
- 	file = f;
-diff --git a/progressmeter.h b/progressmeter.h
-index 10bab99..e9ca8f0 100644
---- a/progressmeter.h
-+++ b/progressmeter.h
-@@ -23,5 +23,5 @@
-  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-  */
- 
--void	start_progress_meter(char *, off_t, off_t *);
-+void	start_progress_meter(const char *, off_t, off_t *);
- void	stop_progress_meter(void);
-diff --git a/scp.c b/scp.c
-index cbd904d..e4e9fa1 100644
---- a/scp.c
-+++ b/scp.c
-@@ -155,7 +155,7 @@ killchild(int signo)
+diff -up openssh-6.8p1/scp.c.coverity openssh-6.8p1/scp.c
+--- openssh-6.8p1/scp.c.coverity	2015-03-18 17:21:51.868264891 +0100
++++ openssh-6.8p1/scp.c	2015-03-18 17:21:58.281251460 +0100
+@@ -156,7 +156,7 @@ killchild(int signo)
  {
  	if (do_cmd_pid > 1) {
  		kill(do_cmd_pid, signo ? signo : SIGTERM);
@@ -271,11 +192,10 @@ index cbd904d..e4e9fa1 100644
  	}
  
  	if (signo)
-diff --git a/servconf.c b/servconf.c
-index 87a311b..895cdca 100644
---- a/servconf.c
-+++ b/servconf.c
-@@ -1418,7 +1418,7 @@ process_server_config_line(ServerOptions *options, char *line,
+diff -up openssh-6.8p1/servconf.c.coverity openssh-6.8p1/servconf.c
+--- openssh-6.8p1/servconf.c.coverity	2015-03-18 17:21:51.893264839 +0100
++++ openssh-6.8p1/servconf.c	2015-03-18 17:21:58.281251460 +0100
+@@ -1475,7 +1475,7 @@ process_server_config_line(ServerOptions
  			fatal("%s line %d: Missing subsystem name.",
  			    filename, linenum);
  		if (!*activep) {
@@ -284,7 +204,7 @@ index 87a311b..895cdca 100644
  			break;
  		}
  		for (i = 0; i < options->num_subsystems; i++)
-@@ -1509,8 +1509,9 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1566,8 +1566,9 @@ process_server_config_line(ServerOptions
  		if (*activep && *charptr == NULL) {
  			*charptr = tilde_expand_filename(arg, getuid());
  			/* increase optional counter */
@@ -296,10 +216,9 @@ index 87a311b..895cdca 100644
  		}
  		break;
  
-diff --git a/serverloop.c b/serverloop.c
-index e92f9e2..3cad041 100644
---- a/serverloop.c
-+++ b/serverloop.c
+diff -up openssh-6.8p1/serverloop.c.coverity openssh-6.8p1/serverloop.c
+--- openssh-6.8p1/serverloop.c.coverity	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/serverloop.c	2015-03-18 17:28:45.616436080 +0100
 @@ -147,13 +147,13 @@ notify_setup(void)
  static void
  notify_parent(void)
@@ -327,7 +246,7 @@ index e92f9e2..3cad041 100644
  			debug2("notify_done: reading");
  }
  
-@@ -337,7 +337,7 @@ wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
+@@ -337,7 +337,7 @@ wait_until_can_do_something(fd_set **rea
  		 * If we have buffered data, try to write some of that data
  		 * to the program.
  		 */
@@ -345,7 +264,7 @@ index e92f9e2..3cad041 100644
  		data = buffer_ptr(&stdin_buffer);
  		dlen = buffer_len(&stdin_buffer);
  		len = write(fdin, data, dlen);
-@@ -590,7 +590,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
+@@ -590,7 +590,7 @@ server_loop(pid_t pid, int fdin_arg, int
  	set_nonblock(fdin);
  	set_nonblock(fdout);
  	/* we don't have stderr for interactive terminal sessions, see below */
@@ -354,7 +273,7 @@ index e92f9e2..3cad041 100644
  		set_nonblock(fderr);
  
  	if (!(datafellows & SSH_BUG_IGNOREMSG) && isatty(fdin))
-@@ -614,7 +614,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
+@@ -614,7 +614,7 @@ server_loop(pid_t pid, int fdin_arg, int
  	max_fd = MAX(connection_in, connection_out);
  	max_fd = MAX(max_fd, fdin);
  	max_fd = MAX(max_fd, fdout);
@@ -363,7 +282,7 @@ index e92f9e2..3cad041 100644
  		max_fd = MAX(max_fd, fderr);
  #endif
  
-@@ -644,7 +644,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
+@@ -644,7 +644,7 @@ server_loop(pid_t pid, int fdin_arg, int
  		 * If we have received eof, and there is no more pending
  		 * input data, cause a real eof by closing fdin.
  		 */
@@ -372,7 +291,7 @@ index e92f9e2..3cad041 100644
  			if (fdin != fdout)
  				close(fdin);
  			else
-@@ -740,15 +740,15 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
+@@ -740,15 +740,15 @@ server_loop(pid_t pid, int fdin_arg, int
  	buffer_free(&stderr_buffer);
  
  	/* Close the file descriptors. */
@@ -391,16 +310,16 @@ index e92f9e2..3cad041 100644
  		close(fdin);
  	fdin = -1;
  
-@@ -947,7 +947,7 @@ server_input_window_size(int type, u_int32_t seq, void *ctxt)
+@@ -950,7 +950,7 @@ server_input_window_size(int type, u_int
  
  	debug("Window change received.");
  	packet_check_eom();
 -	if (fdin != -1)
 +	if (fdin >= 0)
  		pty_change_window_size(fdin, row, col, xpixel, ypixel);
+ 	return 0;
  }
- 
-@@ -1039,7 +1039,7 @@ server_request_tun(void)
+@@ -1043,7 +1043,7 @@ server_request_tun(void)
  	}
  
  	tun = packet_get_int();
@@ -409,361 +328,10 @@ index e92f9e2..3cad041 100644
  		if (tun != SSH_TUNID_ANY && forced_tun_device != tun)
  			goto done;
  		tun = forced_tun_device;
-diff --git a/sftp-client.c b/sftp-client.c
-index 990b58d..3d0f22b 100644
---- a/sftp-client.c
-+++ b/sftp-client.c
-@@ -151,7 +151,7 @@ get_msg(struct sftp_conn *conn, Buffer *m)
- }
- 
- static void
--send_string_request(struct sftp_conn *conn, u_int id, u_int code, char *s,
-+send_string_request(struct sftp_conn *conn, u_int id, u_int code, const char *s,
-     u_int len)
- {
- 	Buffer msg;
-@@ -167,7 +167,7 @@ send_string_request(struct sftp_conn *conn, u_int id, u_int code, char *s,
- 
- static void
- send_string_attrs_request(struct sftp_conn *conn, u_int id, u_int code,
--    char *s, u_int len, Attrib *a)
-+    const char *s, u_int len, Attrib *a)
- {
- 	Buffer msg;
- 
-@@ -429,7 +429,7 @@ sftp_proto_version(struct sftp_conn *conn)
- }
- 
- int
--do_close(struct sftp_conn *conn, char *handle, u_int handle_len)
-+do_close(struct sftp_conn *conn, const char *handle, u_int handle_len)
- {
- 	u_int id, status;
- 	Buffer msg;
-@@ -454,7 +454,7 @@ do_close(struct sftp_conn *conn, char *handle, u_int handle_len)
- 
- 
- static int
--do_lsreaddir(struct sftp_conn *conn, char *path, int print_flag,
-+do_lsreaddir(struct sftp_conn *conn, const char *path, int print_flag,
-     SFTP_DIRENT ***dir)
- {
- 	Buffer msg;
-@@ -577,7 +577,7 @@ do_lsreaddir(struct sftp_conn *conn, char *path, int print_flag,
- }
- 
- int
--do_readdir(struct sftp_conn *conn, char *path, SFTP_DIRENT ***dir)
-+do_readdir(struct sftp_conn *conn, const char *path, SFTP_DIRENT ***dir)
- {
- 	return(do_lsreaddir(conn, path, 0, dir));
- }
-@@ -597,7 +597,7 @@ void free_sftp_dirents(SFTP_DIRENT **s)
- }
- 
- int
--do_rm(struct sftp_conn *conn, char *path)
-+do_rm(struct sftp_conn *conn, const char *path)
- {
- 	u_int status, id;
- 
-@@ -612,7 +612,7 @@ do_rm(struct sftp_conn *conn, char *path)
- }
- 
- int
--do_mkdir(struct sftp_conn *conn, char *path, Attrib *a, int print_flag)
-+do_mkdir(struct sftp_conn *conn, const char *path, Attrib *a, int print_flag)
- {
- 	u_int status, id;
- 
-@@ -628,7 +628,7 @@ do_mkdir(struct sftp_conn *conn, char *path, Attrib *a, int print_flag)
- }
- 
- int
--do_rmdir(struct sftp_conn *conn, char *path)
-+do_rmdir(struct sftp_conn *conn, const char *path)
- {
- 	u_int status, id;
- 
-@@ -644,7 +644,7 @@ do_rmdir(struct sftp_conn *conn, char *path)
- }
- 
- Attrib *
--do_stat(struct sftp_conn *conn, char *path, int quiet)
-+do_stat(struct sftp_conn *conn, const char *path, int quiet)
- {
- 	u_int id;
- 
-@@ -658,7 +658,7 @@ do_stat(struct sftp_conn *conn, char *path, int quiet)
- }
- 
- Attrib *
--do_lstat(struct sftp_conn *conn, char *path, int quiet)
-+do_lstat(struct sftp_conn *conn, const char *path, int quiet)
- {
- 	u_int id;
- 
-@@ -679,7 +679,7 @@ do_lstat(struct sftp_conn *conn, char *path, int quiet)
- 
- #ifdef notyet
- Attrib *
--do_fstat(struct sftp_conn *conn, char *handle, u_int handle_len, int quiet)
-+do_fstat(struct sftp_conn *conn, const char *handle, u_int handle_len, int quiet)
- {
- 	u_int id;
- 
-@@ -692,7 +692,7 @@ do_fstat(struct sftp_conn *conn, char *handle, u_int handle_len, int quiet)
- #endif
- 
- int
--do_setstat(struct sftp_conn *conn, char *path, Attrib *a)
-+do_setstat(struct sftp_conn *conn, const char *path, Attrib *a)
- {
- 	u_int status, id;
- 
-@@ -709,7 +709,7 @@ do_setstat(struct sftp_conn *conn, char *path, Attrib *a)
- }
- 
- int
--do_fsetstat(struct sftp_conn *conn, char *handle, u_int handle_len,
-+do_fsetstat(struct sftp_conn *conn, const char *handle, u_int handle_len,
-     Attrib *a)
- {
- 	u_int status, id;
-@@ -726,7 +726,7 @@ do_fsetstat(struct sftp_conn *conn, char *handle, u_int handle_len,
- }
- 
- char *
--do_realpath(struct sftp_conn *conn, char *path)
-+do_realpath(struct sftp_conn *conn, const char *path)
- {
- 	Buffer msg;
- 	u_int type, expected_id, count, id;
-@@ -775,7 +775,7 @@ do_realpath(struct sftp_conn *conn, char *path)
- }
- 
- int
--do_rename(struct sftp_conn *conn, char *oldpath, char *newpath,
-+do_rename(struct sftp_conn *conn, const char *oldpath, const char *newpath,
-     int force_legacy)
- {
- 	Buffer msg;
-@@ -811,7 +811,7 @@ do_rename(struct sftp_conn *conn, char *oldpath, char *newpath,
- }
- 
- int
--do_hardlink(struct sftp_conn *conn, char *oldpath, char *newpath)
-+do_hardlink(struct sftp_conn *conn, const char *oldpath, const char *newpath)
- {
- 	Buffer msg;
- 	u_int status, id;
-@@ -844,7 +844,7 @@ do_hardlink(struct sftp_conn *conn, char *oldpath, char *newpath)
- }
- 
- int
--do_symlink(struct sftp_conn *conn, char *oldpath, char *newpath)
-+do_symlink(struct sftp_conn *conn, const char *oldpath, const char *newpath)
- {
- 	Buffer msg;
- 	u_int status, id;
-@@ -876,7 +876,7 @@ do_symlink(struct sftp_conn *conn, char *oldpath, char *newpath)
- }
- 
- int
--do_fsync(struct sftp_conn *conn, char *handle, u_int handle_len)
-+do_fsync(struct sftp_conn *conn, const char *handle, u_int handle_len)
- {
- 	Buffer msg;
- 	u_int status, id;
-@@ -907,7 +907,7 @@ do_fsync(struct sftp_conn *conn, char *handle, u_int handle_len)
- 
- #ifdef notyet
- char *
--do_readlink(struct sftp_conn *conn, char *path)
-+do_readlink(struct sftp_conn *conn, const char *path)
- {
- 	Buffer msg;
- 	u_int type, expected_id, count, id;
-@@ -1010,7 +1010,7 @@ do_fstatvfs(struct sftp_conn *conn, const char *handle, u_int handle_len,
- 
- static void
- send_read_request(struct sftp_conn *conn, u_int id, u_int64_t offset,
--    u_int len, char *handle, u_int handle_len)
-+    u_int len, const char *handle, u_int handle_len)
- {
- 	Buffer msg;
- 
-@@ -1026,7 +1026,7 @@ send_read_request(struct sftp_conn *conn, u_int id, u_int64_t offset,
- }
- 
- int
--do_download(struct sftp_conn *conn, char *remote_path, char *local_path,
-+do_download(struct sftp_conn *conn, const char *remote_path, const char *local_path,
-     Attrib *a, int preserve_flag, int resume_flag, int fsync_flag)
- {
- 	Attrib junk;
-@@ -1308,7 +1308,7 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path,
- }
- 
- static int
--download_dir_internal(struct sftp_conn *conn, char *src, char *dst, int depth,
-+download_dir_internal(struct sftp_conn *conn, const char *src, const char *dst, int depth,
-     Attrib *dirattrib, int preserve_flag, int print_flag, int resume_flag,
-     int fsync_flag)
- {
-@@ -1400,7 +1400,7 @@ download_dir_internal(struct sftp_conn *conn, char *src, char *dst, int depth,
- }
- 
- int
--download_dir(struct sftp_conn *conn, char *src, char *dst,
-+download_dir(struct sftp_conn *conn, const char *src, const char *dst,
-     Attrib *dirattrib, int preserve_flag, int print_flag,
-     int resume_flag, int fsync_flag)
- {
-@@ -1419,7 +1419,7 @@ download_dir(struct sftp_conn *conn, char *src, char *dst,
- }
- 
- int
--do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
-+do_upload(struct sftp_conn *conn, const char *local_path, const char *remote_path,
-     int preserve_flag, int resume, int fsync_flag)
- {
- 	int local_fd;
-@@ -1628,7 +1628,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
- }
- 
- static int
--upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, int depth,
-+upload_dir_internal(struct sftp_conn *conn, const char *src, const char *dst, int depth,
-     int preserve_flag, int print_flag, int resume, int fsync_flag)
- {
- 	int ret = 0, status;
-@@ -1721,7 +1721,7 @@ upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, int depth,
- }
- 
- int
--upload_dir(struct sftp_conn *conn, char *src, char *dst, int preserve_flag,
-+upload_dir(struct sftp_conn *conn, const char *src, const char *dst, int preserve_flag,
-     int print_flag, int resume, int fsync_flag)
- {
- 	char *dst_canon;
-@@ -1740,7 +1740,7 @@ upload_dir(struct sftp_conn *conn, char *src, char *dst, int preserve_flag,
- }
- 
- char *
--path_append(char *p1, char *p2)
-+path_append(const char *p1, const char *p2)
- {
- 	char *ret;
- 	size_t len = strlen(p1) + strlen(p2) + 2;
-diff --git a/sftp-client.h b/sftp-client.h
-index 967840b..ffbcade 100644
---- a/sftp-client.h
-+++ b/sftp-client.h
-@@ -56,79 +56,79 @@ struct sftp_conn *do_init(int, int, u_int, u_int, u_int64_t);
- u_int sftp_proto_version(struct sftp_conn *);
- 
- /* Close file referred to by 'handle' */
--int do_close(struct sftp_conn *, char *, u_int);
-+int do_close(struct sftp_conn *, const char *, u_int);
- 
- /* Read contents of 'path' to NULL-terminated array 'dir' */
--int do_readdir(struct sftp_conn *, char *, SFTP_DIRENT ***);
-+int do_readdir(struct sftp_conn *, const char *, SFTP_DIRENT ***);
- 
- /* Frees a NULL-terminated array of SFTP_DIRENTs (eg. from do_readdir) */
- void free_sftp_dirents(SFTP_DIRENT **);
- 
- /* Delete file 'path' */
--int do_rm(struct sftp_conn *, char *);
-+int do_rm(struct sftp_conn *, const char *);
- 
- /* Create directory 'path' */
--int do_mkdir(struct sftp_conn *, char *, Attrib *, int);
-+int do_mkdir(struct sftp_conn *, const char *, Attrib *, int);
- 
- /* Remove directory 'path' */
--int do_rmdir(struct sftp_conn *, char *);
-+int do_rmdir(struct sftp_conn *, const char *);
- 
- /* Get file attributes of 'path' (follows symlinks) */
--Attrib *do_stat(struct sftp_conn *, char *, int);
-+Attrib *do_stat(struct sftp_conn *, const char *, int);
- 
- /* Get file attributes of 'path' (does not follow symlinks) */
--Attrib *do_lstat(struct sftp_conn *, char *, int);
-+Attrib *do_lstat(struct sftp_conn *, const char *, int);
- 
- /* Set file attributes of 'path' */
--int do_setstat(struct sftp_conn *, char *, Attrib *);
-+int do_setstat(struct sftp_conn *, const char *, Attrib *);
- 
- /* Set file attributes of open file 'handle' */
--int do_fsetstat(struct sftp_conn *, char *, u_int, Attrib *);
-+int do_fsetstat(struct sftp_conn *, const char *, u_int, Attrib *);
- 
- /* Canonicalise 'path' - caller must free result */
--char *do_realpath(struct sftp_conn *, char *);
-+char *do_realpath(struct sftp_conn *, const char *);
- 
- /* Get statistics for filesystem hosting file at "path" */
- int do_statvfs(struct sftp_conn *, const char *, struct sftp_statvfs *, int);
- 
- /* Rename 'oldpath' to 'newpath' */
--int do_rename(struct sftp_conn *, char *, char *m, int force_legacy);
-+int do_rename(struct sftp_conn *, const char *, const char *m, int force_legacy);
- 
- /* Link 'oldpath' to 'newpath' */
--int do_hardlink(struct sftp_conn *, char *, char *);
-+int do_hardlink(struct sftp_conn *, const char *, const char *);
- 
- /* Rename 'oldpath' to 'newpath' */
--int do_symlink(struct sftp_conn *, char *, char *);
-+int do_symlink(struct sftp_conn *, const char *, const char *);
- 
- /* Call fsync() on open file 'handle' */
--int do_fsync(struct sftp_conn *conn, char *, u_int);
-+int do_fsync(struct sftp_conn *conn, const char *, u_int);
- 
- /*
-  * Download 'remote_path' to 'local_path'. Preserve permissions and times
-  * if 'pflag' is set
-  */
--int do_download(struct sftp_conn *, char *, char *, Attrib *, int, int, int);
-+int do_download(struct sftp_conn *, const char *, const char *, Attrib *, int, int, int);
- 
- /*
-  * Recursively download 'remote_directory' to 'local_directory'. Preserve 
-  * times if 'pflag' is set
-  */
--int download_dir(struct sftp_conn *, char *, char *, Attrib *, int,
-+int download_dir(struct sftp_conn *, const char *, const char *, Attrib *, int,
-     int, int, int);
- 
- /*
-  * Upload 'local_path' to 'remote_path'. Preserve permissions and times
-  * if 'pflag' is set
-  */
--int do_upload(struct sftp_conn *, char *, char *, int, int, int);
-+int do_upload(struct sftp_conn *, const char *, const char *, int, int, int);
- 
- /*
-  * Recursively upload 'local_directory' to 'remote_directory'. Preserve 
-  * times if 'pflag' is set
-  */
--int upload_dir(struct sftp_conn *, char *, char *, int, int, int, int);
-+int upload_dir(struct sftp_conn *, const char *, const char *, int, int, int, int);
- 
- /* Concatenate paths, taking care of slashes. Caller must free result. */
--char *path_append(char *, char *);
-+char *path_append(const char *, const char *);
- 
- #endif
-diff --git a/sftp.c b/sftp.c
-index ff4d63d..4439100 100644
---- a/sftp.c
-+++ b/sftp.c
-@@ -220,7 +220,7 @@ killchild(int signo)
+diff -up openssh-6.8p1/sftp.c.coverity openssh-6.8p1/sftp.c
+--- openssh-6.8p1/sftp.c.coverity	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/sftp.c	2015-03-18 17:21:58.283251456 +0100
+@@ -223,7 +223,7 @@ killchild(int signo)
  {
  	if (sshpid > 1) {
  		kill(sshpid, SIGTERM);
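Review bot: The hunk removes the entire sftp-client.c / sftp-client.h const-qualification from the downstream coverity patch, and the later hunk `@@ -877,29 +444,10 @@` likewise removes the ssh-keygen.c do_convert_from() brace fix, but nothing in the commit records that either change is now carried by upstream 6.8p1. The ssh-keygen.c one matters more than the const changes: in the removed lines the `else` binds to `if (ok)` rather than `if (!private)`, so the private-key branch only runs when `ok` is false, and `ok` may not even have been assigned on that path. Presumably both were dropped because 6.8p1 already contains equivalent code, but that should be confirmed against the 6.8p1 sources rather than inferred from a clean rebase, and the brace fix should stay in the patch if it is not upstream. A short note in the commit message, e.g. `drop sftp-client.c const-ification and ssh-keygen.c dangling-else fix, both merged upstream in 6.8p1`, would make the rebase reviewable.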
@@ -772,7 +340,7 @@ index ff4d63d..4439100 100644
  	}
  
  	_exit(1);
-@@ -332,7 +332,7 @@ local_do_ls(const char *args)
+@@ -335,7 +335,7 @@ local_do_ls(const char *args)
  
  /* Strip one path (usually the pwd) from the start of another */
  static char *
@@ -781,7 +349,7 @@ index ff4d63d..4439100 100644
  {
  	size_t len;
  
-@@ -350,7 +350,7 @@ path_strip(char *path, char *strip)
+@@ -353,7 +353,7 @@ path_strip(char *path, char *strip)
  }
  
  static char *
@@ -790,7 +358,7 @@ index ff4d63d..4439100 100644
  {
  	char *abs_str;
  
-@@ -548,7 +548,7 @@ parse_no_flags(const char *cmd, char **argv, int argc)
+@@ -551,7 +551,7 @@ parse_no_flags(const char *cmd, char **a
  }
  
  static int
@@ -799,7 +367,7 @@ index ff4d63d..4439100 100644
  {
  	struct stat sb;
  
-@@ -560,7 +560,7 @@ is_dir(char *path)
+@@ -563,7 +563,7 @@ is_dir(char *path)
  }
  
  static int
@@ -808,7 +376,7 @@ index ff4d63d..4439100 100644
  {
  	Attrib *a;
  
-@@ -574,7 +574,7 @@ remote_is_dir(struct sftp_conn *conn, char *path)
+@@ -577,7 +577,7 @@ remote_is_dir(struct sftp_conn *conn, ch
  
  /* Check whether path returned from glob(..., GLOB_MARK, ...) is a directory */
  static int
@@ -817,7 +385,7 @@ index ff4d63d..4439100 100644
  {
  	size_t l = strlen(pathname);
  
-@@ -582,7 +582,7 @@ pathname_is_dir(char *pathname)
+@@ -585,7 +585,7 @@ pathname_is_dir(char *pathname)
  }
  
  static int
@@ -826,7 +394,7 @@ index ff4d63d..4439100 100644
      int pflag, int rflag, int resume, int fflag)
  {
  	char *abs_src = NULL;
-@@ -666,7 +666,7 @@ out:
+@@ -669,7 +669,7 @@ out:
  }
  
  static int
@@ -835,7 +403,7 @@ index ff4d63d..4439100 100644
      int pflag, int rflag, int resume, int fflag)
  {
  	char *tmp_dst = NULL;
-@@ -776,7 +776,7 @@ sdirent_comp(const void *aa, const void *bb)
+@@ -779,7 +779,7 @@ sdirent_comp(const void *aa, const void
  
  /* sftp ls.1 replacement for directories */
  static int
@@ -844,7 +412,7 @@ index ff4d63d..4439100 100644
  {
  	int n;
  	u_int c = 1, colspace = 0, columns = 1;
-@@ -861,7 +861,7 @@ do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
+@@ -864,7 +864,7 @@ do_ls_dir(struct sftp_conn *conn, char *
  
  /* sftp ls.1 replacement which handles path globs */
  static int
@@ -853,7 +421,7 @@ index ff4d63d..4439100 100644
      int lflag)
  {
  	char *fname, *lname;
-@@ -946,7 +946,7 @@ do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
+@@ -949,7 +949,7 @@ do_globbed_ls(struct sftp_conn *conn, ch
  }
  
  static int
@@ -862,11 +430,10 @@ index ff4d63d..4439100 100644
  {
  	struct sftp_statvfs st;
  	char s_used[FMT_SCALED_STRSIZE];
-diff --git a/ssh-agent.c b/ssh-agent.c
-index c8036c8..4da3bb6 100644
---- a/ssh-agent.c
-+++ b/ssh-agent.c
-@@ -1056,8 +1056,8 @@ main(int ac, char **av)
+diff -up openssh-6.8p1/ssh-agent.c.coverity openssh-6.8p1/ssh-agent.c
+--- openssh-6.8p1/ssh-agent.c.coverity	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/ssh-agent.c	2015-03-18 17:21:58.284251454 +0100
+@@ -1166,8 +1166,8 @@ main(int ac, char **av)
  	sanitise_stdfd();
  
  	/* drop */
@@ -877,29 +444,10 @@ index c8036c8..4da3bb6 100644
  
  #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
  	/* Disable ptrace on Linux without sgid bit */
-diff --git a/ssh-keygen.c b/ssh-keygen.c
-index 64fa217..635e8fd 100644
---- a/ssh-keygen.c
-+++ b/ssh-keygen.c
-@@ -687,11 +687,11 @@ do_convert_from(struct passwd *pw)
- 		fatal("%s: unknown key format %d", __func__, convert_format);
- 	}
- 
--	if (!private)
-+	if (!private) {
- 		ok = key_write(k, stdout);
- 		if (ok)
- 			fprintf(stdout, "\n");
--	else {
-+	} else {
- 		switch (k->type) {
- 		case KEY_DSA:
- 			ok = PEM_write_DSAPrivateKey(stdout, k->dsa, NULL,
-diff --git a/sshd.c b/sshd.c
-index 783abe3..eaade2a 100644
---- a/sshd.c
-+++ b/sshd.c
-@@ -771,8 +771,10 @@ privsep_preauth(Authctxt *authctxt)
+diff -up openssh-6.8p1/sshd.c.coverity openssh-6.8p1/sshd.c
+--- openssh-6.8p1/sshd.c.coverity	2015-03-18 17:21:51.893264839 +0100
++++ openssh-6.8p1/sshd.c	2015-03-18 17:21:58.284251454 +0100
+@@ -778,8 +778,10 @@ privsep_preauth(Authctxt *authctxt)
  		if (getuid() == 0 || geteuid() == 0)
  			privsep_preauth_child();
  		setproctitle("%s", "[net]");
@@ -911,7 +459,7 @@ index 783abe3..eaade2a 100644
  
  		return 0;
  	}
-@@ -1458,6 +1460,9 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
+@@ -1518,6 +1520,9 @@ server_accept_loop(int *sock_in, int *so
  		if (num_listen_socks < 0)
  			break;
  	}
@@ -921,15 +469,14 @@ index 783abe3..eaade2a 100644
  }
  
  
-diff --git a/sshkey.c b/sshkey.c
-index 5e3d97f..dae8270 100644
---- a/sshkey.c
-+++ b/sshkey.c
-@@ -54,6 +54,7 @@
+diff -up openssh-6.8p1/sshkey.c.coverity openssh-6.8p1/sshkey.c
+--- openssh-6.8p1/sshkey.c.coverity	2015-03-18 17:21:58.285251452 +0100
++++ openssh-6.8p1/sshkey.c	2015-03-18 17:45:32.232705363 +0100
+@@ -58,6 +58,7 @@
  #include "digest.h"
  #define SSHKEY_INTERNAL
  #include "sshkey.h"
 +#include "log.h"
+ #include "match.h"
  
  /* openssh private key file format */
- #define MARK_BEGIN		"-----BEGIN OPENSSH PRIVATE KEY-----\n"
diff --git a/openssh-6.7p1-debian-restore-tcp-wrappers.patch b/openssh-6.7p1-debian-restore-tcp-wrappers.patch
index a5ee347..63d62a0 100644
--- a/openssh-6.7p1-debian-restore-tcp-wrappers.patch
+++ b/openssh-6.7p1-debian-restore-tcp-wrappers.patch
@@ -1,7 +1,7 @@
-diff -up openssh-6.7p1/configure.ac.tcp_wrappers openssh-6.7p1/configure.ac
---- openssh-6.7p1/configure.ac.tcp_wrappers	2015-01-20 16:58:39.829111746 +0100
-+++ openssh-6.7p1/configure.ac	2015-01-20 16:58:39.870111159 +0100
-@@ -1404,6 +1404,62 @@ AC_ARG_WITH([skey],
+diff -up openssh-6.8p1/configure.ac.tcp_wrappers openssh-6.8p1/configure.ac
+--- openssh-6.8p1/configure.ac.tcp_wrappers	2015-03-18 13:05:57.365071779 +0100
++++ openssh-6.8p1/configure.ac	2015-03-18 13:05:57.408071673 +0100
+@@ -1440,6 +1440,62 @@ AC_ARG_WITH([skey],
  	]
  )
  
@@ -64,7 +64,7 @@ diff -up openssh-6.7p1/configure.ac.tcp_wrappers openssh-6.7p1/configure.ac
  # Check whether user wants to use ldns
  LDNS_MSG="no"
  AC_ARG_WITH(ldns,
-@@ -4959,6 +5015,7 @@ echo "                 KerberosV support
+@@ -5026,6 +5082,7 @@ echo "                 KerberosV support
  echo "                   SELinux support: $SELINUX_MSG"
  echo "                 Smartcard support: $SCARD_MSG"
  echo "                     S/KEY support: $SKEY_MSG"
@@ -72,9 +72,9 @@ diff -up openssh-6.7p1/configure.ac.tcp_wrappers openssh-6.7p1/configure.ac
  echo "              MD5 password support: $MD5_MSG"
  echo "                   libedit support: $LIBEDIT_MSG"
  echo "  Solaris process contract support: $SPC_MSG"
-diff -up openssh-6.7p1/sshd.8.tcp_wrappers openssh-6.7p1/sshd.8
---- openssh-6.7p1/sshd.8.tcp_wrappers	2015-01-20 16:58:39.838111617 +0100
-+++ openssh-6.7p1/sshd.8	2015-01-20 16:58:39.871111145 +0100
+diff -up openssh-6.8p1/sshd.8.tcp_wrappers openssh-6.8p1/sshd.8
+--- openssh-6.8p1/sshd.8.tcp_wrappers	2015-03-18 13:05:57.377071749 +0100
++++ openssh-6.8p1/sshd.8	2015-03-18 13:05:57.408071673 +0100
 @@ -858,6 +858,12 @@ the user's home directory becomes access
  This file should be writable only by the user, and need not be
  readable by anyone else.
@@ -96,12 +96,12 @@ diff -up openssh-6.7p1/sshd.8.tcp_wrappers openssh-6.7p1/sshd.8
  .Xr login.conf 5 ,
  .Xr moduli 5 ,
  .Xr sshd_config 5 ,
-diff -up openssh-6.7p1/sshd.c.tcp_wrappers openssh-6.7p1/sshd.c
---- openssh-6.7p1/sshd.c.tcp_wrappers	2015-01-20 16:58:39.863111259 +0100
-+++ openssh-6.7p1/sshd.c	2015-01-20 16:59:12.992636776 +0100
-@@ -123,6 +123,13 @@
- #include "ssh-sandbox.h"
+diff -up openssh-6.8p1/sshd.c.tcp_wrappers openssh-6.8p1/sshd.c
+--- openssh-6.8p1/sshd.c.tcp_wrappers	2015-03-18 13:05:57.402071688 +0100
++++ openssh-6.8p1/sshd.c	2015-03-18 13:06:48.199947136 +0100
+@@ -125,6 +125,13 @@
  #include "version.h"
+ #include "ssherr.h"
  
 +#ifdef LIBWRAP
 +#include <tcpd.h>
@@ -113,7 +113,7 @@ diff -up openssh-6.7p1/sshd.c.tcp_wrappers openssh-6.7p1/sshd.c
  #ifndef O_NOCTTY
  #define O_NOCTTY	0
  #endif
-@@ -2078,6 +2085,24 @@ main(int ac, char **av)
+@@ -2150,6 +2157,24 @@ main(int ac, char **av)
  #ifdef SSH_AUDIT_EVENTS
  	audit_connection_from(remote_ip, remote_port);
  #endif
diff --git a/openssh-6.7p1-fingerprint.patch b/openssh-6.7p1-fingerprint.patch
deleted file mode 100644
index d29fc9b..0000000
--- a/openssh-6.7p1-fingerprint.patch
+++ /dev/null
@@ -1,1596 +0,0 @@
-diff --git a/auth-rsa.c b/auth-rsa.c
-index e9f4ede..ff7a132 100644
---- a/auth-rsa.c
-+++ b/auth-rsa.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: auth-rsa.c,v 1.88 2014/07/15 15:54:14 millert Exp $ */
-+/* $OpenBSD: auth-rsa.c,v 1.89 2014/12/21 22:27:56 djm Exp $ */
- /*
-  * Author: Tatu Ylonen <ylo at cs.hut.fi>
-  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
-@@ -236,7 +236,8 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file,
- 			    "actual %d vs. announced %d.",
- 			    file, linenum, BN_num_bits(key->rsa->n), bits);
- 
--		fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-+		fp = key_fingerprint(key, options.fingerprint_hash,
-+		    SSH_FP_DEFAULT);
- 		debug("matching key found: file %s, line %lu %s %s",
- 		    file, linenum, key_type(key), fp);
- 		free(fp);
-diff --git a/auth.c b/auth.c
-index 5e60682..5a9acd3 100644
---- a/auth.c
-+++ b/auth.c
-@@ -702,7 +702,7 @@ auth_key_is_revoked(Key *key)
- 	case 1:
-  revoked:
- 		/* Key revoked */
--		key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-+		key_fp = key_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT);
- 		error("WARNING: authentication attempt with a revoked "
- 		    "%s key %s ", key_type(key), key_fp);
- 		free(key_fp);
-diff --git a/auth2-hostbased.c b/auth2-hostbased.c
-index 6787e4c..b7ae353 100644
---- a/auth2-hostbased.c
-+++ b/auth2-hostbased.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: auth2-hostbased.c,v 1.18 2014/07/15 15:54:14 millert Exp $ */
-+/* $OpenBSD: auth2-hostbased.c,v 1.19 2014/12/21 22:27:56 djm Exp $ */
- /*
-  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
-  *
-@@ -208,13 +208,14 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
- 	if (host_status == HOST_OK) {
- 		if (key_is_cert(key)) {
- 			fp = key_fingerprint(key->cert->signature_key,
--			    SSH_FP_MD5, SSH_FP_HEX);
-+			    options.fingerprint_hash, SSH_FP_DEFAULT);
- 			verbose("Accepted certificate ID \"%s\" signed by "
- 			    "%s CA %s from %s@%s", key->cert->key_id,
- 			    key_type(key->cert->signature_key), fp,
- 			    cuser, lookup);
- 		} else {
--			fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-+			fp = key_fingerprint(key, options.fingerprint_hash,
-+			    SSH_FP_DEFAULT);
- 			verbose("Accepted %s public key %s from %s@%s",
- 			    key_type(key), fp, cuser, lookup);
- 		}
-diff --git a/auth2-pubkey.c b/auth2-pubkey.c
-index f3ca965..3f4f789 100644
---- a/auth2-pubkey.c
-+++ b/auth2-pubkey.c
-@@ -213,7 +213,7 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
- 
- 	if (key_is_cert(key)) {
- 		fp = key_fingerprint(key->cert->signature_key,
--		    SSH_FP_MD5, SSH_FP_HEX);
-+		    options.fingerprint_hash, SSH_FP_DEFAULT);
- 		auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s", 
- 		    key_type(key), key->cert->key_id,
- 		    (unsigned long long)key->cert->serial,
-@@ -221,7 +221,8 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
- 		    extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
- 		free(fp);
- 	} else {
--		fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-+		fp = key_fingerprint(key, options.fingerprint_hash,
-+		    SSH_FP_DEFAULT);
- 		auth_info(authctxt, "%s %s%s%s", key_type(key), fp,
- 		    extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
- 		free(fp);
-@@ -365,8 +366,8 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
- 				continue;
- 			if (!key_is_cert_authority)
- 				continue;
--			fp = key_fingerprint(found, SSH_FP_MD5,
--			    SSH_FP_HEX);
-+			fp = key_fingerprint(found, options.fingerprint_hash,
-+			    SSH_FP_DEFAULT);
- 			debug("matching CA found: file %s, line %lu, %s %s",
- 			    file, linenum, key_type(found), fp);
- 			/*
-@@ -406,7 +407,8 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
- 			if (key_is_cert_authority)
- 				continue;
- 			found_key = 1;
--			fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
-+			fp = key_fingerprint(found, options.fingerprint_hash,
-+			    SSH_FP_DEFAULT);
- 			debug("matching key found: file %s, line %lu %s %s",
- 			    file, linenum, key_type(found), fp);
- 			free(fp);
-@@ -432,7 +434,7 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
- 		return 0;
- 
- 	ca_fp = key_fingerprint(key->cert->signature_key,
--	    SSH_FP_MD5, SSH_FP_HEX);
-+	    options.fingerprint_hash, SSH_FP_DEFAULT);
- 
- 	if (key_in_file(key->cert->signature_key,
- 	    options.trusted_user_ca_keys, 1) != 1) {
-diff --git a/digest-libc.c b/digest-libc.c
-index 1b4423a..169ded0 100644
---- a/digest-libc.c
-+++ b/digest-libc.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: digest-libc.c,v 1.3 2014/06/24 01:13:21 djm Exp $ */
-+/* $OpenBSD: digest-libc.c,v 1.4 2014/12/21 22:27:56 djm Exp $ */
- /*
-  * Copyright (c) 2013 Damien Miller <djm at mindrot.org>
-  * Copyright (c) 2014 Markus Friedl.  All rights reserved.
-@@ -126,6 +126,26 @@ ssh_digest_by_alg(int alg)
- 	return &(digests[alg]);
- }
- 
-+int
-+ssh_digest_alg_by_name(const char *name)
-+{
-+	int alg;
-+
-+	for (alg = 0; alg < SSH_DIGEST_MAX; alg++) {
-+		if (strcasecmp(name, digests[alg].name) == 0)
-+			return digests[alg].id;
-+	}
-+	return -1;
-+}
-+
-+const char *
-+ssh_digest_alg_name(int alg)
-+{
-+	const struct ssh_digest *digest = ssh_digest_by_alg(alg);
-+
-+	return digest == NULL ? NULL : digest->name;
-+}
-+
- size_t
- ssh_digest_bytes(int alg)
- {
-diff --git a/digest-openssl.c b/digest-openssl.c
-index 02b1703..bb58ff2 100644
---- a/digest-openssl.c
-+++ b/digest-openssl.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: digest-openssl.c,v 1.4 2014/07/03 03:26:43 djm Exp $ */
-+/* $OpenBSD: digest-openssl.c,v 1.5 2014/12/21 22:27:56 djm Exp $ */
- /*
-  * Copyright (c) 2013 Damien Miller <djm at mindrot.org>
-  *
-@@ -74,6 +74,26 @@ ssh_digest_by_alg(int alg)
- 	return &(digests[alg]);
- }
- 
-+int
-+ssh_digest_alg_by_name(const char *name)
-+{
-+	int alg;
-+
-+	for (alg = 0; digests[alg].id != -1; alg++) {
-+		if (strcasecmp(name, digests[alg].name) == 0)
-+			return digests[alg].id;
-+	}
-+	return -1;
-+}
-+
-+const char *
-+ssh_digest_alg_name(int alg)
-+{
-+	const struct ssh_digest *digest = ssh_digest_by_alg(alg);
-+
-+	return digest == NULL ? NULL : digest->name;
-+}
-+
- size_t
- ssh_digest_bytes(int alg)
- {
-diff --git a/digest.h b/digest.h
-index 6afb197..3fe0734 100644
---- a/digest.h
-+++ b/digest.h
-@@ -1,4 +1,4 @@
--/* $OpenBSD: digest.h,v 1.6 2014/07/03 04:36:45 djm Exp $ */
-+/* $OpenBSD: digest.h,v 1.7 2014/12/21 22:27:56 djm Exp $ */
- /*
-  * Copyright (c) 2013 Damien Miller <djm at mindrot.org>
-  *
-@@ -33,6 +33,12 @@
- struct sshbuf;
- struct ssh_digest_ctx;
- 
-+/* Looks up a digest algorithm by name */
-+int ssh_digest_alg_by_name(const char *name);
-+
-+/* Returns the algorithm name for a digest identifier */
-+const char *ssh_digest_alg_name(int alg);
-+
- /* Returns the algorithm's digest length in bytes or 0 for invalid algorithm */
- size_t ssh_digest_bytes(int alg);
- 
-diff --git a/dns.c b/dns.c
-index c4d073c..4b8ae44 100644
---- a/dns.c
-+++ b/dns.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: dns.c,v 1.31 2014/06/24 01:13:21 djm Exp $ */
-+/* $OpenBSD: dns.c,v 1.32 2014/12/21 22:27:56 djm Exp $ */
- 
- /*
-  * Copyright (c) 2003 Wesley Griffin. All rights reserved.
-@@ -41,6 +41,7 @@
- #include "key.h"
- #include "dns.h"
- #include "log.h"
-+#include "digest.h"
- 
- static const char *errset_text[] = {
- 	"success",		/* 0 ERRSET_SUCCESS */
-@@ -80,7 +81,7 @@ dns_read_key(u_int8_t *algorithm, u_int8_t *digest_type,
-     u_char **digest, u_int *digest_len, Key *key)
- {
- 	int success = 0;
--	enum fp_type fp_type = 0;
-+	int fp_alg = -1;
- 
- 	switch (key->type) {
- 	case KEY_RSA:
-@@ -110,17 +111,17 @@ dns_read_key(u_int8_t *algorithm, u_int8_t *digest_type,
- 
- 	switch (*digest_type) {
- 	case SSHFP_HASH_SHA1:
--		fp_type = SSH_FP_SHA1;
-+		fp_alg = SSH_DIGEST_SHA1;
- 		break;
- 	case SSHFP_HASH_SHA256:
--		fp_type = SSH_FP_SHA256;
-+		fp_alg = SSH_DIGEST_SHA256;
- 		break;
- 	default:
- 		*digest_type = SSHFP_HASH_RESERVED; /* 0 */
- 	}
- 
- 	if (*algorithm && *digest_type) {
--		*digest = key_fingerprint_raw(key, fp_type, digest_len);
-+		*digest = key_fingerprint_raw(key, fp_alg, digest_len);
- 		if (*digest == NULL)
- 			fatal("dns_read_key: null from key_fingerprint_raw()");
- 		success = 1;
-diff --git a/key.c b/key.c
-index 2060761..780be1c 100644
---- a/key.c
-+++ b/key.c
-@@ -40,8 +40,7 @@ key_new_private(int type)
- }
- 
- u_char*
--key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
--    u_int *dgst_raw_length)
-+key_fingerprint_raw(const Key *k, int dgst_alg, u_int *dgst_raw_length)
- {
- 	u_char *ret = NULL;
- 	size_t dlen;
-@@ -49,7 +48,7 @@ key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
- 
- 	if (dgst_raw_length != NULL)
- 		*dgst_raw_length = 0;
--	if ((r = sshkey_fingerprint_raw(k, dgst_type, &ret, &dlen)) != 0)
-+	if ((r = sshkey_fingerprint_raw(k, dgst_alg, &ret, &dlen)) != 0)
- 		fatal("%s: %s", __func__, ssh_err(r));
- 	if (dlen > INT_MAX)
- 		fatal("%s: giant len %zu", __func__, dlen);
-diff --git a/key.h b/key.h
-index c6401a5..e1a3625 100644
---- a/key.h
-+++ b/key.h
-@@ -67,7 +67,7 @@ void	 key_add_private(Key *);
- Key	*key_new_private(int);
- void	 key_free(Key *);
- Key	*key_demote(const Key *);
--u_char	*key_fingerprint_raw(const Key *, enum fp_type, u_int *);
-+u_char	*key_fingerprint_raw(const Key *, int, u_int *);
- int	 key_write(const Key *, FILE *);
- int	 key_read(Key *, char **);
- 
-diff --git a/krl.c b/krl.c
-index eb31df9..4abed7e 100644
---- a/krl.c
-+++ b/krl.c
-@@ -36,6 +36,7 @@
- #include "misc.h"
- #include "log.h"
- #include "xmalloc.h"
-+#include "digest.h"
- 
- #include "krl.h"
- 
-@@ -406,7 +407,7 @@ ssh_krl_revoke_key_sha1(struct ssh_krl *krl, const Key *key)
- 	u_int len;
- 
- 	debug3("%s: revoke type %s by sha1", __func__, key_type(key));
--	if ((blob = key_fingerprint_raw(key, SSH_FP_SHA1, &len)) == NULL)
-+	if ((blob = key_fingerprint_raw(key, SSH_DIGEST_SHA1, &len)) == NULL)
- 		return -1;
- 	return revoke_blob(&krl->revoked_sha1s, blob, len);
- }
-@@ -1119,7 +1120,7 @@ is_key_revoked(struct ssh_krl *krl, const Key *key)
- 
- 	/* Check explicitly revoked hashes first */
- 	memset(&rb, 0, sizeof(rb));
--	if ((rb.blob = key_fingerprint_raw(key, SSH_FP_SHA1, &rb.len)) == NULL)
-+	if ((rb.blob = key_fingerprint_raw(key, SSH_DIGEST_SHA1, &rb.len)) == NULL)
- 		return -1;
- 	erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb);
- 	free(rb.blob);
-diff --git a/readconf.c b/readconf.c
-index 7948ce1..3f5c58b 100644
---- a/readconf.c
-+++ b/readconf.c
-@@ -56,6 +56,7 @@
- #include "kex.h"
- #include "mac.h"
- #include "uidswap.h"
-+#include "digest.h"
- 
- /* Format of the configuration file:
- 
-@@ -151,6 +152,7 @@ typedef enum {
- 	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
- 	oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
- 	oStreamLocalBindMask, oStreamLocalBindUnlink,
-+	oFingerprintHash,
- 	oIgnoredUnknownOption, oDeprecated, oUnsupported
- } OpCodes;
- 
-@@ -265,6 +267,7 @@ static struct {
- 	{ "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
- 	{ "streamlocalbindmask", oStreamLocalBindMask },
- 	{ "streamlocalbindunlink", oStreamLocalBindUnlink },
-+	{ "fingerprinthash", oFingerprintHash },
- 	{ "ignoreunknown", oIgnoreUnknown },
- 
- 	{ NULL, oBadOption }
-@@ -1433,6 +1436,18 @@ parse_int:
- 		intptr = &options->fwd_opts.streamlocal_bind_unlink;
- 		goto parse_flag;
- 
-+	case oFingerprintHash:
-+		arg = strdelim(&s);
-+		if (!arg || *arg == '\0')
-+			fatal("%.200s line %d: Missing argument.",
-+			    filename, linenum);
-+		if ((value = ssh_digest_alg_by_name(arg)) == -1)
-+			fatal("%.200s line %d: Invalid hash algorithm \"%s\".",
-+			    filename, linenum, arg);
-+		if (*activep)
-+			options->fingerprint_hash = value;
-+		break;
-+
- 	case oDeprecated:
- 		debug("%s line %d: Deprecated option \"%s\"",
- 		    filename, linenum, keyword);
-@@ -1609,6 +1624,7 @@ initialize_options(Options * options)
- 	options->canonicalize_max_dots = -1;
- 	options->canonicalize_fallback_local = -1;
- 	options->canonicalize_hostname = -1;
-+	options->fingerprint_hash = -1;
- }
- 
- /*
-@@ -1786,6 +1802,9 @@ fill_default_options(Options * options)
- 		options->canonicalize_fallback_local = 1;
- 	if (options->canonicalize_hostname == -1)
- 		options->canonicalize_hostname = SSH_CANONICALISE_NO;
-+	if (options->fingerprint_hash == -1)
-+		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
-+
- #define CLEAR_ON_NONE(v) \
- 	do { \
- 		if (option_clear_or_none(v)) { \
-diff --git a/readconf.h b/readconf.h
-index 0b9cb77..a028306 100644
---- a/readconf.h
-+++ b/readconf.h
-@@ -144,6 +144,8 @@ typedef struct {
- 	int	num_permitted_cnames;
- 	struct allowed_cname permitted_cnames[MAX_CANON_DOMAINS];
- 
-+	int	fingerprint_hash;
-+
- 	char	*ignored_unknown; /* Pattern list of unknown tokens to ignore */
- }       Options;
- 
-diff --git a/regress/Makefile b/regress/Makefile
-index 3feb7a9..2905a0d 100644
---- a/regress/Makefile
-+++ b/regress/Makefile
-@@ -1,6 +1,6 @@
--#	$OpenBSD: Makefile,v 1.70 2014/06/24 01:14:17 djm Exp $
-+#	$OpenBSD: Makefile,v 1.71 2014/12/22 02:15:52 djm Exp $
- 
--REGRESS_TARGETS=	unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t-exec
-+REGRESS_TARGETS=	unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t-exec
- tests:		$(REGRESS_TARGETS)
- 
- # Interop tests are not run by default
-@@ -119,7 +119,7 @@ t3:
- 	${TEST_SSH_SSHKEYGEN} -if $(OBJ)/t3.out | diff - ${.CURDIR}/rsa_openssh.pub
- 
- t4:
--	${TEST_SSH_SSHKEYGEN} -lf ${.CURDIR}/rsa_openssh.pub |\
-+	${TEST_SSH_SSHKEYGEN} -E md5 -lf ${.CURDIR}/rsa_openssh.pub |\
- 		awk '{print $$2}' | diff - ${.CURDIR}/t4.ok
- 
- t5:
-@@ -164,6 +164,10 @@ t10: $(OBJ)/t10.out
- 	${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t10.out > /dev/null
- 	${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t10.out > /dev/null
- 
-+t11:
-+	${TEST_SSH_SSHKEYGEN} -E sha256 -lf ${.CURDIR}/rsa_openssh.pub |\
-+		awk '{print $$2}' | diff - ${.CURDIR}/t11.ok
-+
- t-exec:	${LTESTS:=.sh}
- 	@if [ "x$?" = "x" ]; then exit 0; fi; \
- 	for TEST in ""$?; do \
-diff --git a/regress/t11.ok b/regress/t11.ok
-new file mode 100644
-index 0000000..1925bb4
---- /dev/null
-+++ b/regress/t11.ok
-@@ -0,0 +1 @@
-+SHA256:4w1rnrek3klTJOTVhwuCIFd5k+pq9Bfo5KTxxb8BqbY
-diff --git a/regress/t4.ok b/regress/t4.ok
-index 8c4942b..4631ea8 100644
---- a/regress/t4.ok
-+++ b/regress/t4.ok
-@@ -1 +1 @@
--3b:dd:44:e9:49:18:84:95:f1:e7:33:6b:9d:93:b1:36
-+MD5:3b:dd:44:e9:49:18:84:95:f1:e7:33:6b:9d:93:b1:36
-diff --git a/regress/unittests/sshkey/test_file.c b/regress/unittests/sshkey/test_file.c
-index 764f7fb..9c38a7c 100644
---- a/regress/unittests/sshkey/test_file.c
-+++ b/regress/unittests/sshkey/test_file.c
-@@ -1,4 +1,4 @@
--/* 	$OpenBSD: test_file.c,v 1.1 2014/06/24 01:14:18 djm Exp $ */
-+/* 	$OpenBSD: test_file.c,v 1.2 2014/12/22 02:15:52 djm Exp $ */
- /*
-  * Regress test for sshkey.h key management API
-  *
-@@ -33,6 +33,7 @@
- #include "authfile.h"
- #include "sshkey.h"
- #include "sshbuf.h"
-+#include "digest.h"
- 
- #include "common.h"
- 
-@@ -81,7 +82,7 @@ sshkey_file_tests(void)
- 
- 	TEST_START("RSA1 key hex fingerprint");
- 	buf = load_text_file("rsa1_1.fp");
--	cp = sshkey_fingerprint(k1, SSH_FP_MD5, SSH_FP_HEX);
-+	cp = sshkey_fingerprint(k1, SSH_DIGEST_MD5, SSH_FP_HEX);
- 	ASSERT_PTR_NE(cp, NULL);
- 	ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
- 	sshbuf_free(buf);
-@@ -90,7 +91,7 @@ sshkey_file_tests(void)
- 
- 	TEST_START("RSA1 key bubblebabble fingerprint");
- 	buf = load_text_file("rsa1_1.fp.bb");
--	cp = sshkey_fingerprint(k1, SSH_FP_SHA1, SSH_FP_BUBBLEBABBLE);
-+	cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA1, SSH_FP_BUBBLEBABBLE);
- 	ASSERT_PTR_NE(cp, NULL);
- 	ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
- 	sshbuf_free(buf);
-@@ -164,7 +165,7 @@ sshkey_file_tests(void)
- 
- 	TEST_START("RSA key hex fingerprint");
- 	buf = load_text_file("rsa_1.fp");
--	cp = sshkey_fingerprint(k1, SSH_FP_MD5, SSH_FP_HEX);
-+	cp = sshkey_fingerprint(k1, SSH_DIGEST_MD5, SSH_FP_HEX);
- 	ASSERT_PTR_NE(cp, NULL);
- 	ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
- 	sshbuf_free(buf);
-@@ -173,7 +174,7 @@ sshkey_file_tests(void)
- 
- 	TEST_START("RSA cert hex fingerprint");
- 	buf = load_text_file("rsa_1-cert.fp");
--	cp = sshkey_fingerprint(k2, SSH_FP_MD5, SSH_FP_HEX);
-+	cp = sshkey_fingerprint(k2, SSH_DIGEST_MD5, SSH_FP_HEX);
- 	ASSERT_PTR_NE(cp, NULL);
- 	ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
- 	sshbuf_free(buf);
-@@ -183,7 +184,7 @@ sshkey_file_tests(void)
- 
- 	TEST_START("RSA key bubblebabble fingerprint");
- 	buf = load_text_file("rsa_1.fp.bb");
--	cp = sshkey_fingerprint(k1, SSH_FP_SHA1, SSH_FP_BUBBLEBABBLE);
-+	cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA1, SSH_FP_BUBBLEBABBLE);
- 	ASSERT_PTR_NE(cp, NULL);
- 	ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
- 	sshbuf_free(buf);
-@@ -257,7 +258,7 @@ sshkey_file_tests(void)
- 
- 	TEST_START("DSA key hex fingerprint");
- 	buf = load_text_file("dsa_1.fp");
--	cp = sshkey_fingerprint(k1, SSH_FP_MD5, SSH_FP_HEX);
-+	cp = sshkey_fingerprint(k1, SSH_DIGEST_MD5, SSH_FP_HEX);
- 	ASSERT_PTR_NE(cp, NULL);
- 	ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
- 	sshbuf_free(buf);
-@@ -266,7 +267,7 @@ sshkey_file_tests(void)
- 
- 	TEST_START("DSA cert hex fingerprint");
- 	buf = load_text_file("dsa_1-cert.fp");
--	cp = sshkey_fingerprint(k2, SSH_FP_MD5, SSH_FP_HEX);
-+	cp = sshkey_fingerprint(k2, SSH_DIGEST_MD5, SSH_FP_HEX);
- 	ASSERT_PTR_NE(cp, NULL);
- 	ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
- 	sshbuf_free(buf);
-@@ -276,7 +277,7 @@ sshkey_file_tests(void)
- 
- 	TEST_START("DSA key bubblebabble fingerprint");
- 	buf = load_text_file("dsa_1.fp.bb");
--	cp = sshkey_fingerprint(k1, SSH_FP_SHA1, SSH_FP_BUBBLEBABBLE);
-+	cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA1, SSH_FP_BUBBLEBABBLE);
- 	ASSERT_PTR_NE(cp, NULL);
- 	ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
- 	sshbuf_free(buf);
-@@ -357,7 +358,7 @@ sshkey_file_tests(void)
- 
- 	TEST_START("ECDSA key hex fingerprint");
- 	buf = load_text_file("ecdsa_1.fp");
--	cp = sshkey_fingerprint(k1, SSH_FP_MD5, SSH_FP_HEX);
-+	cp = sshkey_fingerprint(k1, SSH_DIGEST_MD5, SSH_FP_HEX);
- 	ASSERT_PTR_NE(cp, NULL);
- 	ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
- 	sshbuf_free(buf);
-@@ -366,7 +367,7 @@ sshkey_file_tests(void)
- 
- 	TEST_START("ECDSA cert hex fingerprint");
- 	buf = load_text_file("ecdsa_1-cert.fp");
--	cp = sshkey_fingerprint(k2, SSH_FP_MD5, SSH_FP_HEX);
-+	cp = sshkey_fingerprint(k2, SSH_DIGEST_MD5, SSH_FP_HEX);
- 	ASSERT_PTR_NE(cp, NULL);
- 	ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
- 	sshbuf_free(buf);
-@@ -376,7 +377,7 @@ sshkey_file_tests(void)
- 
- 	TEST_START("ECDSA key bubblebabble fingerprint");
- 	buf = load_text_file("ecdsa_1.fp.bb");
--	cp = sshkey_fingerprint(k1, SSH_FP_SHA1, SSH_FP_BUBBLEBABBLE);
-+	cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA1, SSH_FP_BUBBLEBABBLE);
- 	ASSERT_PTR_NE(cp, NULL);
- 	ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
- 	sshbuf_free(buf);
-@@ -424,7 +425,7 @@ sshkey_file_tests(void)
- 
- 	TEST_START("Ed25519 key hex fingerprint");
- 	buf = load_text_file("ed25519_1.fp");
--	cp = sshkey_fingerprint(k1, SSH_FP_MD5, SSH_FP_HEX);
-+	cp = sshkey_fingerprint(k1, SSH_DIGEST_MD5, SSH_FP_HEX);
- 	ASSERT_PTR_NE(cp, NULL);
- 	ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
- 	sshbuf_free(buf);
-@@ -433,7 +434,7 @@ sshkey_file_tests(void)
- 
- 	TEST_START("Ed25519 cert hex fingerprint");
- 	buf = load_text_file("ed25519_1-cert.fp");
--	cp = sshkey_fingerprint(k2, SSH_FP_MD5, SSH_FP_HEX);
-+	cp = sshkey_fingerprint(k2, SSH_DIGEST_MD5, SSH_FP_HEX);
- 	ASSERT_PTR_NE(cp, NULL);
- 	ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
- 	sshbuf_free(buf);
-@@ -443,7 +444,7 @@ sshkey_file_tests(void)
- 
- 	TEST_START("Ed25519 key bubblebabble fingerprint");
- 	buf = load_text_file("ed25519_1.fp.bb");
--	cp = sshkey_fingerprint(k1, SSH_FP_SHA1, SSH_FP_BUBBLEBABBLE);
-+	cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA1, SSH_FP_BUBBLEBABBLE);
- 	ASSERT_PTR_NE(cp, NULL);
- 	ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
- 	sshbuf_free(buf);
-diff --git a/regress/unittests/sshkey/testdata/dsa_1-cert.fp b/regress/unittests/sshkey/testdata/dsa_1-cert.fp
-index 56ee1f8..b26145b 100644
---- a/regress/unittests/sshkey/testdata/dsa_1-cert.fp
-+++ b/regress/unittests/sshkey/testdata/dsa_1-cert.fp
-@@ -1 +1 @@
--5a:4a:41:8c:4e:fa:4c:52:19:f9:39:49:31:fb:fd:74
-+MD5:5a:4a:41:8c:4e:fa:4c:52:19:f9:39:49:31:fb:fd:74
-diff --git a/regress/unittests/sshkey/testdata/dsa_1.fp b/regress/unittests/sshkey/testdata/dsa_1.fp
-index 56ee1f8..b26145b 100644
---- a/regress/unittests/sshkey/testdata/dsa_1.fp
-+++ b/regress/unittests/sshkey/testdata/dsa_1.fp
-@@ -1 +1 @@
--5a:4a:41:8c:4e:fa:4c:52:19:f9:39:49:31:fb:fd:74
-+MD5:5a:4a:41:8c:4e:fa:4c:52:19:f9:39:49:31:fb:fd:74
-diff --git a/regress/unittests/sshkey/testdata/dsa_2.fp b/regress/unittests/sshkey/testdata/dsa_2.fp
-index ba9de82..8226574 100644
---- a/regress/unittests/sshkey/testdata/dsa_2.fp
-+++ b/regress/unittests/sshkey/testdata/dsa_2.fp
-@@ -1 +1 @@
--72:5f:50:6b:e5:64:c5:62:21:92:3f:8b:10:9b:9f:1a
-+MD5:72:5f:50:6b:e5:64:c5:62:21:92:3f:8b:10:9b:9f:1a
-diff --git a/regress/unittests/sshkey/testdata/ecdsa_1-cert.fp b/regress/unittests/sshkey/testdata/ecdsa_1-cert.fp
-index a56dbc8..c3d747a 100644
---- a/regress/unittests/sshkey/testdata/ecdsa_1-cert.fp
-+++ b/regress/unittests/sshkey/testdata/ecdsa_1-cert.fp
-@@ -1 +1 @@
--f7:be:4c:02:65:ed:4c:11:af:ab:a8:dd:0a:92:e7:44
-+MD5:f7:be:4c:02:65:ed:4c:11:af:ab:a8:dd:0a:92:e7:44
-diff --git a/regress/unittests/sshkey/testdata/ecdsa_1.fp b/regress/unittests/sshkey/testdata/ecdsa_1.fp
-index a56dbc8..c3d747a 100644
---- a/regress/unittests/sshkey/testdata/ecdsa_1.fp
-+++ b/regress/unittests/sshkey/testdata/ecdsa_1.fp
-@@ -1 +1 @@
--f7:be:4c:02:65:ed:4c:11:af:ab:a8:dd:0a:92:e7:44
-+MD5:f7:be:4c:02:65:ed:4c:11:af:ab:a8:dd:0a:92:e7:44
-diff --git a/regress/unittests/sshkey/testdata/ecdsa_2.fp b/regress/unittests/sshkey/testdata/ecdsa_2.fp
-index eb4bbdf..fe7526b 100644
---- a/regress/unittests/sshkey/testdata/ecdsa_2.fp
-+++ b/regress/unittests/sshkey/testdata/ecdsa_2.fp
-@@ -1 +1 @@
--51:bd:ff:2b:6d:26:9b:90:f9:e1:4a:ca:a0:29:8e:70
-+MD5:51:bd:ff:2b:6d:26:9b:90:f9:e1:4a:ca:a0:29:8e:70
-diff --git a/regress/unittests/sshkey/testdata/ed25519_1-cert.fp b/regress/unittests/sshkey/testdata/ed25519_1-cert.fp
-index e6d23d0..fbde87a 100644
---- a/regress/unittests/sshkey/testdata/ed25519_1-cert.fp
-+++ b/regress/unittests/sshkey/testdata/ed25519_1-cert.fp
-@@ -1 +1 @@
--19:08:8e:7e:4d:e5:de:86:2a:09:47:65:eb:0a:51:2f
-+MD5:19:08:8e:7e:4d:e5:de:86:2a:09:47:65:eb:0a:51:2f
-diff --git a/regress/unittests/sshkey/testdata/ed25519_1.fp b/regress/unittests/sshkey/testdata/ed25519_1.fp
-index e6d23d0..fbde87a 100644
---- a/regress/unittests/sshkey/testdata/ed25519_1.fp
-+++ b/regress/unittests/sshkey/testdata/ed25519_1.fp
-@@ -1 +1 @@
--19:08:8e:7e:4d:e5:de:86:2a:09:47:65:eb:0a:51:2f
-+MD5:19:08:8e:7e:4d:e5:de:86:2a:09:47:65:eb:0a:51:2f
-diff --git a/regress/unittests/sshkey/testdata/ed25519_2.fp b/regress/unittests/sshkey/testdata/ed25519_2.fp
-index 02c684f..ec1cdbb 100644
---- a/regress/unittests/sshkey/testdata/ed25519_2.fp
-+++ b/regress/unittests/sshkey/testdata/ed25519_2.fp
-@@ -1 +1 @@
--5c:c9:ae:a3:0c:aa:28:29:b8:fc:7c:64:ba:6e:e9:c9
-+MD5:5c:c9:ae:a3:0c:aa:28:29:b8:fc:7c:64:ba:6e:e9:c9
-diff --git a/regress/unittests/sshkey/testdata/rsa1_1.fp b/regress/unittests/sshkey/testdata/rsa1_1.fp
-index 782ece0..2e1068c 100644
---- a/regress/unittests/sshkey/testdata/rsa1_1.fp
-+++ b/regress/unittests/sshkey/testdata/rsa1_1.fp
-@@ -1 +1 @@
--a8:82:9b:98:c5:e6:19:d6:83:39:9f:4d:3a:8f:7c:80
-+MD5:a8:82:9b:98:c5:e6:19:d6:83:39:9f:4d:3a:8f:7c:80
-diff --git a/regress/unittests/sshkey/testdata/rsa1_2.fp b/regress/unittests/sshkey/testdata/rsa1_2.fp
-index c332537..cd00393 100644
---- a/regress/unittests/sshkey/testdata/rsa1_2.fp
-+++ b/regress/unittests/sshkey/testdata/rsa1_2.fp
-@@ -1 +1 @@
--c0:83:1c:97:5f:32:77:7e:e4:e3:e9:29:b9:eb:76:9c
-+MD5:c0:83:1c:97:5f:32:77:7e:e4:e3:e9:29:b9:eb:76:9c
-diff --git a/regress/unittests/sshkey/testdata/rsa_1-cert.fp b/regress/unittests/sshkey/testdata/rsa_1-cert.fp
-index bf9c2e3..1cf780d 100644
---- a/regress/unittests/sshkey/testdata/rsa_1-cert.fp
-+++ b/regress/unittests/sshkey/testdata/rsa_1-cert.fp
-@@ -1 +1 @@
--be:27:4c:16:27:f5:04:03:62:a8:b7:91:df:a5:b1:3b
-+MD5:be:27:4c:16:27:f5:04:03:62:a8:b7:91:df:a5:b1:3b
-diff --git a/regress/unittests/sshkey/testdata/rsa_1.fp b/regress/unittests/sshkey/testdata/rsa_1.fp
-index bf9c2e3..1cf780d 100644
---- a/regress/unittests/sshkey/testdata/rsa_1.fp
-+++ b/regress/unittests/sshkey/testdata/rsa_1.fp
-@@ -1 +1 @@
--be:27:4c:16:27:f5:04:03:62:a8:b7:91:df:a5:b1:3b
-+MD5:be:27:4c:16:27:f5:04:03:62:a8:b7:91:df:a5:b1:3b
-diff --git a/regress/unittests/sshkey/testdata/rsa_2.fp b/regress/unittests/sshkey/testdata/rsa_2.fp
-index 53939f4..8d43676 100644
---- a/regress/unittests/sshkey/testdata/rsa_2.fp
-+++ b/regress/unittests/sshkey/testdata/rsa_2.fp
-@@ -1 +1 @@
--fb:8f:7b:26:3d:42:40:ef:ed:f1:ed:ee:66:9e:ba:b0
-+MD5:fb:8f:7b:26:3d:42:40:ef:ed:f1:ed:ee:66:9e:ba:b0
-diff --git a/servconf.c b/servconf.c
-index b7f3294..e3ebaac 100644
---- a/servconf.c
-+++ b/servconf.c
-@@ -54,6 +54,7 @@
- #include "packet.h"
- #include "hostfile.h"
- #include "auth.h"
-+#include "digest.h"
- 
- static void add_listen_addr(ServerOptions *, char *, int);
- static void add_one_listen_addr(ServerOptions *, char *, int);
-@@ -157,6 +158,7 @@ initialize_server_options(ServerOptions *options)
- 	options->ip_qos_interactive = -1;
- 	options->ip_qos_bulk = -1;
- 	options->version_addendum = NULL;
-+	options->fingerprint_hash = -1;
- }
- 
- void
-@@ -312,6 +314,8 @@ fill_default_server_options(ServerOptions *options)
- 		options->fwd_opts.streamlocal_bind_mask = 0177;
- 	if (options->fwd_opts.streamlocal_bind_unlink == -1)
- 		options->fwd_opts.streamlocal_bind_unlink = 0;
-+	if (options->fingerprint_hash == -1)
-+		options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
- 	/* Turn privilege separation on by default */
- 	if (use_privsep == -1)
- 		use_privsep = PRIVSEP_NOSANDBOX;
-@@ -361,7 +365,7 @@ typedef enum {
- 	sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
- 	sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
- 	sStreamLocalBindMask, sStreamLocalBindUnlink,
--	sAllowStreamLocalForwarding,
-+	sAllowStreamLocalForwarding, sFingerprintHash,
- 	sDeprecated, sUnsupported
- } ServerOpCodes;
- 
-@@ -492,6 +496,7 @@ static struct {
- 	{ "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
- 	{ "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
- 	{ "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
-+	{ "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
- 	{ NULL, sBadOption, 0 }
- };
- 
-@@ -1663,6 +1668,18 @@ process_server_config_line(ServerOptions *options, char *line,
- 		intptr = &options->fwd_opts.streamlocal_bind_unlink;
- 		goto parse_flag;
- 
-+	case sFingerprintHash:
-+		arg = strdelim(&cp);
-+		if (!arg || *arg == '\0')
-+			fatal("%.200s line %d: Missing argument.",
-+			    filename, linenum);
-+		if ((value = ssh_digest_alg_by_name(arg)) == -1)
-+			fatal("%.200s line %d: Invalid hash algorithm \"%s\".",
-+			    filename, linenum, arg);
-+		if (*activep)
-+			options->fingerprint_hash = value;
-+		break;
-+
- 	case sDeprecated:
- 		logit("%s line %d: Deprecated option %s",
- 		    filename, linenum, arg);
-@@ -1905,6 +1922,8 @@ fmt_intarg(ServerOpCodes code, int val)
- 		return fmt_multistate_int(val, multistate_tcpfwd);
- 	case sAllowStreamLocalForwarding:
- 		return fmt_multistate_int(val, multistate_tcpfwd);
-+	case sFingerprintHash:
-+		return ssh_digest_alg_name(val);
- 	case sProtocol:
- 		switch (val) {
- 		case SSH_PROTO_1:
-@@ -2066,6 +2085,7 @@ dump_config(ServerOptions *o)
- 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
- 	dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
- 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
-+	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
- 
- 	/* string arguments */
- 	dump_cfg_string(sPidFile, o->pid_file);
-diff --git a/servconf.h b/servconf.h
-index 766db3a..49b228b 100644
---- a/servconf.h
-+++ b/servconf.h
-@@ -1,4 +1,4 @@
--/* $OpenBSD: servconf.h,v 1.114 2014/07/15 15:54:14 millert Exp $ */
-+/* $OpenBSD: servconf.h,v 1.115 2014/12/21 22:27:56 djm Exp $ */
- 
- /*
-  * Author: Tatu Ylonen <ylo at cs.hut.fi>
-@@ -185,6 +185,8 @@ typedef struct {
- 
- 	u_int	num_auth_methods;
- 	char   *auth_methods[MAX_AUTH_METHODS];
-+
-+	int	fingerprint_hash;
- }       ServerOptions;
- 
- /* Information about the incoming connection as used by Match */
-diff --git a/ssh-add.1 b/ssh-add.1
-index 4812448..04d1840 100644
---- a/ssh-add.1
-+++ b/ssh-add.1
-@@ -44,6 +44,7 @@
- .Sh SYNOPSIS
- .Nm ssh-add
- .Op Fl cDdkLlXx
-+.Op Fl E Ar fingerprint_hash
- .Op Fl t Ar life
- .Op Ar
- .Nm ssh-add
-@@ -108,6 +109,14 @@ If no public key is found at a given path,
- will append
- .Pa .pub
- and retry.
-+.It Fl E Ar fingerprint_hash
-+Specifies the hash algorithm used when displaying key fingerprints.
-+Valid options are:
-+.Dq md5
-+and
-+.Dq sha256 .
-+The default is
-+.Dq sha256 .
- .It Fl e Ar pkcs11
- Remove keys provided by the PKCS#11 shared library
- .Ar pkcs11 .
-diff --git a/ssh-add.c b/ssh-add.c
-index 78a3359..5d6a5f4 100644
---- a/ssh-add.c
-+++ b/ssh-add.c
-@@ -63,6 +63,7 @@
- #include "pathnames.h"
- #include "misc.h"
- #include "ssherr.h"
-+#include "digest.h"
- 
- /* argv0 */
- extern char *__progname;
-@@ -79,6 +80,8 @@ static char *default_files[] = {
- 	NULL
- };
- 
-+static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
-+
- /* Default lifetime (0 == forever) */
- static int lifetime = 0;
- 
-@@ -340,8 +343,8 @@ list_identities(AuthenticationConnection *ac, int do_fp)
- 		    key = ssh_get_next_identity(ac, &comment, version)) {
- 			had_identities = 1;
- 			if (do_fp) {
--				fp = key_fingerprint(key, SSH_FP_MD5,
--				    SSH_FP_HEX);
-+				fp = key_fingerprint(key, fingerprint_hash,
-+				    SSH_FP_DEFAULT);
- 				printf("%d %s %s (%s)\n",
- 				    key_size(key), fp, comment, key_type(key));
- 				free(fp);
-@@ -408,6 +411,7 @@ usage(void)
- 	fprintf(stderr, "usage: %s [options] [file ...]\n", __progname);
- 	fprintf(stderr, "Options:\n");
- 	fprintf(stderr, "  -l          List fingerprints of all identities.\n");
-+	fprintf(stderr, "  -E hash     Specify hash algorithm used for fingerprints.\n");
- 	fprintf(stderr, "  -L          List public key parameters of all identities.\n");
- 	fprintf(stderr, "  -k          Load only keys and not certificates.\n");
- 	fprintf(stderr, "  -c          Require confirmation to sign using identities\n");
-@@ -428,6 +432,7 @@ main(int argc, char **argv)
- 	AuthenticationConnection *ac = NULL;
- 	char *pkcs11provider = NULL;
- 	int i, ch, deleting = 0, ret = 0, key_only = 0;
-+	int xflag = 0, lflag = 0, Dflag = 0;
- 
- 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
- 	sanitise_stdfd();
-@@ -446,21 +451,28 @@ main(int argc, char **argv)
- 		    "Could not open a connection to your authentication agent.\n");
- 		exit(2);
- 	}
--	while ((ch = getopt(argc, argv, "klLcdDxXe:s:t:")) != -1) {
-+	while ((ch = getopt(argc, argv, "klLcdDxXE:e:s:t:")) != -1) {
- 		switch (ch) {
-+		case 'E':
-+			fingerprint_hash = ssh_digest_alg_by_name(optarg);
-+			if (fingerprint_hash == -1)
-+				fatal("Invalid hash algorithm \"%s\"", optarg);
-+			break;
- 		case 'k':
- 			key_only = 1;
- 			break;
- 		case 'l':
- 		case 'L':
--			if (list_identities(ac, ch == 'l' ? 1 : 0) == -1)
--				ret = 1;
--			goto done;
-+			if (lflag != 0)
-+				fatal("-%c flag already specified", lflag);
-+			lflag = ch;
-+			break;
- 		case 'x':
- 		case 'X':
--			if (lock_agent(ac, ch == 'x' ? 1 : 0) == -1)
--				ret = 1;
--			goto done;
-+			if (xflag != 0)
-+				fatal("-%c flag already specified", xflag);
-+			xflag = ch;
-+			break;
- 		case 'c':
- 			confirm = 1;
- 			break;
-@@ -468,9 +480,8 @@ main(int argc, char **argv)
- 			deleting = 1;
- 			break;
- 		case 'D':
--			if (delete_all(ac) == -1)
--				ret = 1;
--			goto done;
-+			Dflag = 1;
-+			break;
- 		case 's':
- 			pkcs11provider = optarg;
- 			break;
-@@ -491,6 +502,23 @@ main(int argc, char **argv)
- 			goto done;
- 		}
- 	}
-+
-+	if ((xflag != 0) + (lflag != 0) + (Dflag != 0) > 1)
-+		fatal("Invalid combination of actions");
-+	else if (xflag) {
-+		if (lock_agent(ac, xflag == 'x' ? 1 : 0) == -1)
-+			ret = 1;
-+		goto done;
-+	} else if (lflag) {
-+		if (list_identities(ac, lflag == 'l' ? 1 : 0) == -1)
-+			ret = 1;
-+		goto done;
-+	} else if (Dflag) {
-+		if (delete_all(ac) == -1)
-+			ret = 1;
-+		goto done;
-+	}
-+
- 	argc -= optind;
- 	argv += optind;
- 	if (pkcs11provider != NULL) {
-diff --git a/ssh-agent.1 b/ssh-agent.1
-index a1e634f..d7e791b 100644
---- a/ssh-agent.1
-+++ b/ssh-agent.1
-@@ -45,6 +45,7 @@
- .Op Fl c | s
- .Op Fl d
- .Op Fl a Ar bind_address
-+.Op Fl E Ar fingerprint_hash
- .Op Fl t Ar life
- .Op Ar command Op Ar arg ...
- .Nm ssh-agent
-@@ -96,6 +97,14 @@ Debug mode.
- When this option is specified
- .Nm
- will not fork.
-+.It Fl E Ar fingerprint_hash
-+Specifies the hash algorithm used when displaying key fingerprints.
-+Valid options are:
-+.Dq md5
-+and
-+.Dq sha256 .
-+The default is
-+.Dq sha256 .
- .It Fl k
- Kill the current agent (given by the
- .Ev SSH_AGENT_PID
-diff --git a/ssh-agent.c b/ssh-agent.c
-index 25f10c5..c8036c8 100644
---- a/ssh-agent.c
-+++ b/ssh-agent.c
-@@ -142,6 +142,8 @@ extern char *__progname;
- /* Default lifetime in seconds (0 == forever) */
- static long lifetime = 0;
- 
-+static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
-+
- static void
- close_socket(SocketEntry *e)
- {
-@@ -203,7 +205,7 @@ confirm_key(Identity *id)
- 	char *p;
- 	int ret = -1;
- 
--	p = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
-+	p = key_fingerprint(id->key, fingerprint_hash, SSH_FP_DEFAULT);
- 	if (ask_permission("Allow use of key %s?\nKey fingerprint %s.",
- 	    id->comment, p))
- 		ret = 0;
-@@ -1026,7 +1028,7 @@ usage(void)
- {
- 	fprintf(stderr,
- 	    "usage: ssh-agent [-c | -s] [-d] [-a bind_address] [-t life]\n"
--	    "                 [command [arg ...]]\n"
-+	    "                 [-E fingerprint_hash] [command [arg ...]]\n"
- 	    "       ssh-agent [-c | -s] -k\n");
- 	exit(1);
- }
-@@ -1069,8 +1071,13 @@ main(int ac, char **av)
- 	__progname = ssh_get_progname(av[0]);
- 	seed_rng();
- 
--	while ((ch = getopt(ac, av, "cdksa:t:")) != -1) {
-+	while ((ch = getopt(ac, av, "cdksE:a:t:")) != -1) {
- 		switch (ch) {
-+		case 'E':
-+			fingerprint_hash = ssh_digest_alg_by_name(optarg);
-+			if (fingerprint_hash == -1)
-+				fatal("Invalid hash algorithm \"%s\"", optarg);
-+			break;
- 		case 'c':
- 			if (s_flag)
- 				usage();
-diff --git a/ssh-keygen.1 b/ssh-keygen.1
-index 723a016..276dacc 100644
---- a/ssh-keygen.1
-+++ b/ssh-keygen.1
-@@ -73,6 +73,7 @@
- .Op Fl f Ar keyfile
- .Nm ssh-keygen
- .Fl l
-+.Op Fl E Ar fingerprint_hash
- .Op Fl f Ar input_keyfile
- .Nm ssh-keygen
- .Fl B
-@@ -269,6 +270,14 @@ When used in combination with
- this option indicates that a CA key resides in a PKCS#11 token (see the
- .Sx CERTIFICATES
- section for details).
-+.It Fl E Ar fingerprint_hash
-+Specifies the hash algorithm used when displaying key fingerprints.
-+Valid options are:
-+.Dq md5
-+and
-+.Dq sha256 .
-+The default is
-+.Dq sha256 .
- .It Fl e
- This option will read a private or public OpenSSH key file and
- print to stdout the key in one of the formats specified by the
-diff --git a/ssh-keygen.c b/ssh-keygen.c
-index 23058ee..64fa217 100644
---- a/ssh-keygen.c
-+++ b/ssh-keygen.c
-@@ -53,6 +53,7 @@
- #include "ssh-pkcs11.h"
- #include "atomicio.h"
- #include "krl.h"
-+#include "digest.h"
- 
- /* Number of bits in the RSA/DSA key.  This value can be set on the command line. */
- #define DEFAULT_BITS		2048
-@@ -90,6 +91,9 @@ int show_cert = 0;
- int print_fingerprint = 0;
- int print_bubblebabble = 0;
- 
-+/* Hash algorithm to use for fingerprints. */
-+int fingerprint_hash = SSH_FP_HASH_DEFAULT;
-+
- /* The identity file name, given on the command line or entered by the user. */
- char identity_file[1024];
- int have_identity = 0;
-@@ -749,11 +753,11 @@ do_download(struct passwd *pw)
- 	Key **keys = NULL;
- 	int i, nkeys;
- 	enum fp_rep rep;
--	enum fp_type fptype;
-+	int fptype;
- 	char *fp, *ra;
- 
--	fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
--	rep =    print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
-+	fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash;
-+	rep =    print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT;
- 
- 	pkcs11_init(0);
- 	nkeys = pkcs11_add_provider(pkcs11provider, NULL, &keys);
-@@ -762,7 +766,7 @@ do_download(struct passwd *pw)
- 	for (i = 0; i < nkeys; i++) {
- 		if (print_fingerprint) {
- 			fp = key_fingerprint(keys[i], fptype, rep);
--			ra = key_fingerprint(keys[i], SSH_FP_MD5,
-+			ra = key_fingerprint(keys[i], fingerprint_hash,
- 			    SSH_FP_RANDOMART);
- 			printf("%u %s %s (PKCS11 key)\n", key_size(keys[i]),
- 			    fp, key_type(keys[i]));
-@@ -792,12 +796,11 @@ do_fingerprint(struct passwd *pw)
- 	char *comment = NULL, *cp, *ep, line[16*1024], *fp, *ra;
- 	int i, skip = 0, num = 0, invalid = 1;
- 	enum fp_rep rep;
--	enum fp_type fptype;
-+	int fptype;
- 	struct stat st;
- 
--	fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
--	rep =    print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
--
-+	fptype = print_bubblebabble ? SSH_DIGEST_SHA1 : fingerprint_hash;
-+	rep =    print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT;
- 	if (!have_identity)
- 		ask_filename(pw, "Enter file in which the key is");
- 	if (stat(identity_file, &st) < 0) {
-@@ -807,7 +810,8 @@ do_fingerprint(struct passwd *pw)
- 	public = key_load_public(identity_file, &comment);
- 	if (public != NULL) {
- 		fp = key_fingerprint(public, fptype, rep);
--		ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
-+		ra = key_fingerprint(public, fingerprint_hash,
-+		    SSH_FP_RANDOMART);
- 		printf("%u %s %s (%s)\n", key_size(public), fp, comment,
- 		    key_type(public));
- 		if (log_level >= SYSLOG_LEVEL_VERBOSE)
-@@ -873,7 +877,8 @@ do_fingerprint(struct passwd *pw)
- 		}
- 		comment = *cp ? cp : comment;
- 		fp = key_fingerprint(public, fptype, rep);
--		ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
-+		ra = key_fingerprint(public, fingerprint_hash,
-+		    SSH_FP_RANDOMART);
- 		printf("%u %s %s (%s)\n", key_size(public), fp,
- 		    comment ? comment : "no comment", key_type(public));
- 		if (log_level >= SYSLOG_LEVEL_VERBOSE)
-@@ -991,13 +996,15 @@ printhost(FILE *f, const char *name, Key *public, int ca, int revoked, int hash)
- {
- 	if (print_fingerprint) {
- 		enum fp_rep rep;
--		enum fp_type fptype;
-+		int fptype;
- 		char *fp, *ra;
- 
--		fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
--		rep =    print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
-+		fptype = print_bubblebabble ?
-+		    SSH_DIGEST_SHA1 : fingerprint_hash;
-+		rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_DEFAULT;
- 		fp = key_fingerprint(public, fptype, rep);
--		ra = key_fingerprint(public, SSH_FP_MD5, SSH_FP_RANDOMART);
-+		ra = key_fingerprint(public, fingerprint_hash,
-+		    SSH_FP_RANDOMART);
- 		printf("%u %s %s (%s)\n", key_size(public), fp, name,
- 		    key_type(public));
- 		if (log_level >= SYSLOG_LEVEL_VERBOSE)
-@@ -1906,9 +1913,9 @@ do_show_cert(struct passwd *pw)
- 		fatal("%s is not a certificate", identity_file);
- 	v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00;
- 
--	key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-+	key_fp = key_fingerprint(key, fingerprint_hash, SSH_FP_DEFAULT);
- 	ca_fp = key_fingerprint(key->cert->signature_key,
--	    SSH_FP_MD5, SSH_FP_HEX);
-+	    fingerprint_hash, SSH_FP_DEFAULT);
- 
- 	printf("%s:\n", identity_file);
- 	printf("        Type: %s %s certificate\n", key_ssh_name(key),
-@@ -2187,7 +2194,7 @@ usage(void)
- 	    "       ssh-keygen -e [-m key_format] [-f input_keyfile]\n"
- 	    "       ssh-keygen -y [-f input_keyfile]\n"
- 	    "       ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]\n"
--	    "       ssh-keygen -l [-f input_keyfile]\n"
-+	    "       ssh-keygen -l [-E fingerprint_hash] [-f input_keyfile]\n"
- 	    "       ssh-keygen -B [-f input_keyfile]\n");
- #ifdef ENABLE_PKCS11
- 	fprintf(stderr,
-@@ -2256,9 +2263,10 @@ main(int argc, char **argv)
- 		exit(1);
- 	}
- 
--	/* Remaining characters: EUYdw */
-+	/* Remaining characters: UYdw */
- 	while ((opt = getopt(argc, argv, "ABHLQXceghiklopquvxy"
--	    "C:D:F:G:I:J:K:M:N:O:P:R:S:T:V:W:Z:a:b:f:g:j:m:n:r:s:t:z:")) != -1) {
-+	    "C:D:E:F:G:I:J:K:M:N:O:P:R:S:T:V:W:Z:"
-+	    "a:b:f:g:j:m:n:r:s:t:z:")) != -1) {
- 		switch (opt) {
- 		case 'A':
- 			gen_all_hostkeys = 1;
-@@ -2269,6 +2277,11 @@ main(int argc, char **argv)
- 				fatal("Bits has bad value %s (%s)",
- 					optarg, errstr);
- 			break;
-+		case 'E':
-+			fingerprint_hash = ssh_digest_alg_by_name(optarg);
-+			if (fingerprint_hash == -1)
-+				fatal("Invalid hash algorithm \"%s\"", optarg);
-+			break;
- 		case 'F':
- 			find_host = 1;
- 			rr_hostname = optarg;
-@@ -2700,8 +2713,9 @@ passphrase_again:
- 	fclose(f);
- 
- 	if (!quiet) {
--		char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX);
--		char *ra = key_fingerprint(public, SSH_FP_MD5,
-+		char *fp = key_fingerprint(public, fingerprint_hash,
-+		    SSH_FP_DEFAULT);
-+		char *ra = key_fingerprint(public, fingerprint_hash,
- 		    SSH_FP_RANDOMART);
- 		printf("Your public key has been saved in %s.\n",
- 		    identity_file);
-diff --git a/ssh-keysign.c b/ssh-keysign.c
-index d95bb7d..3526d7d 100644
---- a/ssh-keysign.c
-+++ b/ssh-keysign.c
-@@ -246,7 +246,8 @@ main(int argc, char **argv)
- 		}
- 	}
- 	if (!found) {
--		fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-+		fp = key_fingerprint(key, options.fingerprint_hash,
-+		    SSH_FP_DEFAULT);
- 		fatal("no matching hostkey found for key %s %s",
- 		    key_type(key), fp);
- 	}
-diff --git a/ssh.1 b/ssh.1
-index fa5cfb2..d3198a1 100644
---- a/ssh.1
-+++ b/ssh.1
-@@ -1083,7 +1083,7 @@ Fingerprints can be determined using
- If the fingerprint is already known, it can be matched
- and the key can be accepted or rejected.
- Because of the difficulty of comparing host keys
--just by looking at hex strings,
-+just by looking at fingerprint strings,
- there is also support to compare host keys visually,
- using
- .Em random art .
-diff --git a/sshconnect.c b/sshconnect.c
-index ac09eae..7db31e6 100644
---- a/sshconnect.c
-+++ b/sshconnect.c
-@@ -915,9 +915,10 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
- 				    "key for IP address '%.128s' to the list "
- 				    "of known hosts.", type, ip);
- 		} else if (options.visual_host_key) {
--			fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
--			ra = key_fingerprint(host_key, SSH_FP_MD5,
--			    SSH_FP_RANDOMART);
-+			fp = key_fingerprint(host_key,
-+			    options.fingerprint_hash, SSH_FP_DEFAULT);
-+			ra = key_fingerprint(host_key,
-+			    options.fingerprint_hash, SSH_FP_RANDOMART);
- 			logit("Host key fingerprint is %s\n%s\n", fp, ra);
- 			free(ra);
- 			free(fp);
-@@ -956,9 +957,10 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
- 			else
- 				snprintf(msg1, sizeof(msg1), ".");
- 			/* The default */
--			fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
--			ra = key_fingerprint(host_key, SSH_FP_MD5,
--			    SSH_FP_RANDOMART);
-+			fp = key_fingerprint(host_key,
-+			    options.fingerprint_hash, SSH_FP_DEFAULT);
-+			ra = key_fingerprint(host_key,
-+			    options.fingerprint_hash, SSH_FP_RANDOMART);
- 			msg2[0] = '\0';
- 			if (options.verify_host_key_dns) {
- 				if (matching_host_key_dns)
-@@ -1222,7 +1224,7 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
- 	char *fp;
- 	Key *plain = NULL;
- 
--	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
-+	fp = key_fingerprint(host_key, options.fingerprint_hash, SSH_FP_DEFAULT);
- 	debug("Server host key: %s %s", key_type(host_key), fp);
- 	free(fp);
- 
-@@ -1356,8 +1358,10 @@ show_other_keys(struct hostkeys *hostkeys, Key *key)
- 			continue;
- 		if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
- 			continue;
--		fp = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_HEX);
--		ra = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_RANDOMART);
-+		fp = key_fingerprint(found->key,
-+		    options.fingerprint_hash, SSH_FP_DEFAULT);
-+		ra = key_fingerprint(found->key,
-+		    options.fingerprint_hash, SSH_FP_RANDOMART);
- 		logit("WARNING: %s key found for host %s\n"
- 		    "in %s:%lu\n"
- 		    "%s key fingerprint %s.",
-@@ -1378,7 +1382,8 @@ warn_changed_key(Key *host_key)
- {
- 	char *fp;
- 
--	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
-+	fp = key_fingerprint(host_key, options.fingerprint_hash,
-+	    SSH_FP_DEFAULT);
- 
- 	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
- 	error("@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @");
-diff --git a/sshconnect2.c b/sshconnect2.c
-index 68f7f4f..4724b66 100644
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -582,7 +582,7 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
- 		    key->type, pktype);
- 		goto done;
- 	}
--	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-+	fp = key_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT);
- 	debug2("input_userauth_pk_ok: fp %s", fp);
- 	free(fp);
- 
-@@ -991,7 +991,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
- 	int have_sig = 1;
- 	char *fp;
- 
--	fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
-+	fp = key_fingerprint(id->key, options.fingerprint_hash, SSH_FP_DEFAULT);
- 	debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
- 	free(fp);
- 
-diff --git a/sshd_config.5 b/sshd_config.5
-index fd44abe..0449eeb 100644
---- a/sshd_config.5
-+++ b/sshd_config.5
-@@ -483,6 +483,15 @@ and finally
- See PATTERNS in
- .Xr ssh_config 5
- for more information on patterns.
-+.It Cm FingerprintHash
-+Specifies the hash algorithm used when logging key fingerprints.
-+Valid options are:
-+.Dq md5
-+and
-+.Dq sha256 .
-+The default is
-+.Dq sha256 .
-+.Pp
- .It Cm ForceCommand
- Forces the execution of the command specified by
- .Cm ForceCommand ,
-diff --git a/sshkey.c b/sshkey.c
-index fdd0c8a..70df758 100644
---- a/sshkey.c
-+++ b/sshkey.c
-@@ -29,6 +29,7 @@
- 
- #include <sys/param.h>
- #include <sys/types.h>
-+#include <netinet/in.h>
- 
- #include <openssl/evp.h>
- #include <openssl/err.h>
-@@ -852,29 +853,18 @@ sshkey_plain_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp)
- }
- 
- int
--sshkey_fingerprint_raw(const struct sshkey *k, enum sshkey_fp_type dgst_type,
-+sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg,
-     u_char **retp, size_t *lenp)
- {
- 	u_char *blob = NULL, *ret = NULL;
- 	size_t blob_len = 0;
--	int hash_alg = -1, r = SSH_ERR_INTERNAL_ERROR;
-+	int r = SSH_ERR_INTERNAL_ERROR;
- 
- 	if (retp != NULL)
- 		*retp = NULL;
- 	if (lenp != NULL)
- 		*lenp = 0;
--
--	switch (dgst_type) {
--	case SSH_FP_MD5:
--		hash_alg = SSH_DIGEST_MD5;
--		break;
--	case SSH_FP_SHA1:
--		hash_alg = SSH_DIGEST_SHA1;
--		break;
--	case SSH_FP_SHA256:
--		hash_alg = SSH_DIGEST_SHA256;
--		break;
--	default:
-+	if (ssh_digest_bytes(dgst_alg) == 0) {
- 		r = SSH_ERR_INVALID_ARGUMENT;
- 		goto out;
- 	}
-@@ -899,7 +889,7 @@ sshkey_fingerprint_raw(const struct sshkey *k, enum sshkey_fp_type dgst_type,
- 		r = SSH_ERR_ALLOC_FAIL;
- 		goto out;
- 	}
--	if ((r = ssh_digest_memory(hash_alg, blob, blob_len,
-+	if ((r = ssh_digest_memory(dgst_alg, blob, blob_len,
- 	    ret, SSH_DIGEST_MAX_LENGTH)) != 0)
- 		goto out;
- 	/* success */
-@@ -908,7 +898,7 @@ sshkey_fingerprint_raw(const struct sshkey *k, enum sshkey_fp_type dgst_type,
- 		ret = NULL;
- 	}
- 	if (lenp != NULL)
--		*lenp = ssh_digest_bytes(hash_alg);
-+		*lenp = ssh_digest_bytes(dgst_alg);
- 	r = 0;
-  out:
- 	free(ret);
-@@ -920,21 +910,45 @@ sshkey_fingerprint_raw(const struct sshkey *k, enum sshkey_fp_type dgst_type,
- }
- 
- static char *
--fingerprint_hex(u_char *dgst_raw, size_t dgst_raw_len)
-+fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len)
- {
--	char *retval;
--	size_t i;
-+	char *ret;
-+	size_t plen = strlen(alg) + 1;
-+	size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1;
-+	int r;
- 
--	if ((retval = calloc(1, dgst_raw_len * 3 + 1)) == NULL)
-+	if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL)
-+		return NULL;
-+	strlcpy(ret, alg, rlen);
-+	strlcat(ret, ":", rlen);
-+	if (dgst_raw_len == 0)
-+		return ret;
-+	if ((r = b64_ntop(dgst_raw, dgst_raw_len,
-+	    ret + plen, rlen - plen)) == -1) {
-+		explicit_bzero(ret, rlen);
-+		free(ret);
- 		return NULL;
--	for (i = 0; i < dgst_raw_len; i++) {
--		char hex[4];
--		snprintf(hex, sizeof(hex), "%02x:", dgst_raw[i]);
--		strlcat(retval, hex, dgst_raw_len * 3 + 1);
- 	}
-+	/* Trim padding characters from end */
-+	ret[strcspn(ret, "=")] = '\0';
-+	return ret;
-+}
- 
--	/* Remove the trailing ':' character */
--	retval[(dgst_raw_len * 3) - 1] = '\0';
-+static char *
-+fingerprint_hex(const char *alg, u_char *dgst_raw, size_t dgst_raw_len)
-+{
-+	char *retval, hex[5];
-+	size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2;
-+
-+	if (dgst_raw_len > 65536 || (retval = calloc(1, rlen)) == NULL)
-+		return NULL;
-+	strlcpy(retval, alg, rlen);
-+	strlcat(retval, ":", rlen);
-+	for (i = 0; i < dgst_raw_len; i++) {
-+		snprintf(hex, sizeof(hex), "%s%02x",
-+		    i > 0 ? ":" : "", dgst_raw[i]);
-+		strlcat(retval, hex, rlen);
-+	}
- 	return retval;
- }
- 
-@@ -1020,7 +1034,7 @@ fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len)
- #define	FLDSIZE_Y	(FLDBASE + 1)
- #define	FLDSIZE_X	(FLDBASE * 2 + 1)
- static char *
--fingerprint_randomart(u_char *dgst_raw, size_t dgst_raw_len,
-+fingerprint_randomart(const char *alg, u_char *dgst_raw, size_t dgst_raw_len,
-     const struct sshkey *k)
- {
- 	/*
-@@ -1028,9 +1042,9 @@ fingerprint_randomart(u_char *dgst_raw, size_t dgst_raw_len,
- 	 * intersects with itself.  Matter of taste.
- 	 */
- 	char	*augmentation_string = " .o+=*BOX@%&#/^SE";
--	char	*retval, *p, title[FLDSIZE_X];
-+	char	*retval, *p, title[FLDSIZE_X], hash[FLDSIZE_X];
- 	u_char	 field[FLDSIZE_X][FLDSIZE_Y];
--	size_t	 i, tlen;
-+	size_t	 i, tlen, hlen;
- 	u_int	 b;
- 	int	 x, y, r;
- 	size_t	 len = strlen(augmentation_string) - 1;
-@@ -1075,8 +1089,12 @@ fingerprint_randomart(u_char *dgst_raw, size_t dgst_raw_len,
- 		sshkey_type(k), sshkey_size(k));
- 	/* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */
- 	if (r < 0 || r > (int)sizeof(title))
--		snprintf(title, sizeof(title), "[%s]", sshkey_type(k));
--	tlen = strlen(title);
-+		r = snprintf(title, sizeof(title), "[%s]", sshkey_type(k));
-+	tlen = (r <= 0) ? 0 : strlen(title);
-+
-+	/* assemble hash ID. */
-+	r = snprintf(hash, sizeof(hash), "[%s]", alg);
-+	hlen = (r <= 0) ? 0 : strlen(hash);
- 
- 	/* output upper border */
- 	p = retval;
-@@ -1085,7 +1103,7 @@ fingerprint_randomart(u_char *dgst_raw, size_t dgst_raw_len,
- 		*p++ = '-';
- 	memcpy(p, title, tlen);
- 	p += tlen;
--	for (i = p - retval - 1; i < FLDSIZE_X; i++)
-+	for (i += tlen; i < FLDSIZE_X; i++)
- 		*p++ = '-';
- 	*p++ = '+';
- 	*p++ = '\n';
-@@ -1101,7 +1119,11 @@ fingerprint_randomart(u_char *dgst_raw, size_t dgst_raw_len,
- 
- 	/* output lower border */
- 	*p++ = '+';
--	for (i = 0; i < FLDSIZE_X; i++)
-+	for (i = 0; i < (FLDSIZE_X - hlen) / 2; i++)
-+		*p++ = '-';
-+	memcpy(p, hash, hlen);
-+	p += hlen;
-+	for (i += hlen; i < FLDSIZE_X; i++)
- 		*p++ = '-';
- 	*p++ = '+';
- 
-@@ -1109,24 +1131,39 @@ fingerprint_randomart(u_char *dgst_raw, size_t dgst_raw_len,
- }
- 
- char *
--sshkey_fingerprint(const struct sshkey *k, enum sshkey_fp_type dgst_type,
-+sshkey_fingerprint(const struct sshkey *k, int dgst_alg,
-     enum sshkey_fp_rep dgst_rep)
- {
- 	char *retval = NULL;
- 	u_char *dgst_raw;
- 	size_t dgst_raw_len;
- 
--	if (sshkey_fingerprint_raw(k, dgst_type, &dgst_raw, &dgst_raw_len) != 0)
-+	if (sshkey_fingerprint_raw(k, dgst_alg, &dgst_raw, &dgst_raw_len) != 0)
- 		return NULL;
- 	switch (dgst_rep) {
-+	case SSH_FP_DEFAULT:
-+		if (dgst_alg == SSH_DIGEST_MD5) {
-+			retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg),
-+			    dgst_raw, dgst_raw_len);
-+		} else {
-+			retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg),
-+			    dgst_raw, dgst_raw_len);
-+		}
-+		break;
- 	case SSH_FP_HEX:
--		retval = fingerprint_hex(dgst_raw, dgst_raw_len);
-+		retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg),
-+		    dgst_raw, dgst_raw_len);
-+		break;
-+	case SSH_FP_BASE64:
-+		retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg),
-+		    dgst_raw, dgst_raw_len);
- 		break;
- 	case SSH_FP_BUBBLEBABBLE:
- 		retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len);
- 		break;
- 	case SSH_FP_RANDOMART:
--		retval = fingerprint_randomart(dgst_raw, dgst_raw_len, k);
-+		retval = fingerprint_randomart(ssh_digest_alg_name(dgst_alg),
-+		    dgst_raw, dgst_raw_len, k);
- 		break;
- 	default:
- 		explicit_bzero(dgst_raw, dgst_raw_len);
-diff --git a/sshkey.h b/sshkey.h
-index 450b30c..4554b09 100644
---- a/sshkey.h
-+++ b/sshkey.h
-@@ -1,4 +1,4 @@
--/* $OpenBSD: sshkey.h,v 1.1 2014/06/24 01:16:58 djm Exp $ */
-+/* $OpenBSD: sshkey.h,v 1.2 2014/12/21 22:27:55 djm Exp $ */
- 
- /*
-  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
-@@ -67,16 +67,14 @@ enum sshkey_types {
- 	KEY_UNSPEC
- };
- 
--/* Fingerprint hash algorithms */
--enum sshkey_fp_type {
--	SSH_FP_SHA1,
--	SSH_FP_MD5,
--	SSH_FP_SHA256
--};
-+/* Default fingerprint hash */
-+#define SSH_FP_HASH_DEFAULT	SSH_DIGEST_SHA256
- 
- /* Fingerprint representation formats */
- enum sshkey_fp_rep {
-+	SSH_FP_DEFAULT = 0,
- 	SSH_FP_HEX,
-+	SSH_FP_BASE64,
- 	SSH_FP_BUBBLEBABBLE,
- 	SSH_FP_RANDOMART
- };
-@@ -124,9 +122,9 @@ int		 sshkey_equal_public(const struct sshkey *,
-     const struct sshkey *);
- int		 sshkey_equal(const struct sshkey *, const struct sshkey *);
- char		*sshkey_fingerprint(const struct sshkey *,
--    enum sshkey_fp_type, enum sshkey_fp_rep);
-+    int, enum sshkey_fp_rep);
- int		 sshkey_fingerprint_raw(const struct sshkey *k,
--    enum sshkey_fp_type dgst_type, u_char **retp, size_t *lenp);
-+    int, u_char **retp, size_t *lenp);
- const char	*sshkey_type(const struct sshkey *);
- const char	*sshkey_cert_type(const struct sshkey *);
- int		 sshkey_write(const struct sshkey *, FILE *);
diff --git a/openssh-6.7p1-fips.patch b/openssh-6.7p1-fips.patch
index 984a038..0aafdcc 100644
--- a/openssh-6.7p1-fips.patch
+++ b/openssh-6.7p1-fips.patch
@@ -1,8 +1,7 @@
-diff --git a/Makefile.in b/Makefile.in
-index 9311e16..1eb2b45 100644
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -164,25 +164,25 @@ libssh.a: $(LIBSSH_OBJS)
+diff -up openssh-6.8p1/Makefile.in.fips openssh-6.8p1/Makefile.in
+--- openssh-6.8p1/Makefile.in.fips	2015-03-19 13:14:22.221212174 +0100
++++ openssh-6.8p1/Makefile.in	2015-03-19 13:14:22.230212157 +0100
+@@ -168,25 +168,25 @@ libssh.a: $(LIBSSH_OBJS)
  	$(RANLIB) $@
  
  ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
@@ -34,7 +33,7 @@ index 9311e16..1eb2b45 100644
  
  ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
  	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
-@@ -197,7 +197,7 @@ ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
+@@ -204,7 +204,7 @@ ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a
  	$(LD) -o $@ ssh-cavs.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
  
  ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
@@ -43,10 +42,9 @@ index 9311e16..1eb2b45 100644
  
  sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
  	$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-diff --git a/cipher-ctr.c b/cipher-ctr.c
-index 73e9c7c..40ee395 100644
---- a/cipher-ctr.c
-+++ b/cipher-ctr.c
+diff -up openssh-6.8p1/cipher-ctr.c.fips openssh-6.8p1/cipher-ctr.c
+--- openssh-6.8p1/cipher-ctr.c.fips	2015-03-19 13:14:22.155212302 +0100
++++ openssh-6.8p1/cipher-ctr.c	2015-03-19 13:14:22.230212157 +0100
 @@ -179,7 +179,8 @@ evp_aes_128_ctr(void)
  	aes_ctr.do_cipher = ssh_aes_ctr;
  #ifndef SSH_OLD_EVP
@@ -57,10 +55,9 @@ index 73e9c7c..40ee395 100644
  #endif
  	return (&aes_ctr);
  }
-diff --git a/cipher.c b/cipher.c
-index 9cc7cf8..5ebfa84 100644
---- a/cipher.c
-+++ b/cipher.c
+diff -up openssh-6.8p1/cipher.c.fips openssh-6.8p1/cipher.c
+--- openssh-6.8p1/cipher.c.fips	2015-03-19 13:14:22.224212169 +0100
++++ openssh-6.8p1/cipher.c	2015-03-19 13:14:22.230212157 +0100
 @@ -39,6 +39,8 @@
  
  #include <sys/types.h>
@@ -70,7 +67,7 @@ index 9cc7cf8..5ebfa84 100644
  #include <string.h>
  #include <stdarg.h>
  #include <stdio.h>
-@@ -99,6 +101,26 @@ static const struct sshcipher ciphers[] = {
+@@ -99,6 +101,26 @@ static const struct sshcipher ciphers[]
  	{ NULL,		SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
  };
  
@@ -133,11 +130,10 @@ index 9cc7cf8..5ebfa84 100644
  		if (strcasecmp(c->name, name) == 0)
  			return c->number;
  	return -1;
-diff --git a/dh.h b/dh.h
-index 48f7b68..9ff39f4 100644
---- a/dh.h
-+++ b/dh.h
-@@ -45,6 +45,7 @@ int	 dh_estimate(int);
+diff -up openssh-6.8p1/dh.h.fips openssh-6.8p1/dh.h
+--- openssh-6.8p1/dh.h.fips	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/dh.h	2015-03-19 13:14:22.230212157 +0100
+@@ -45,6 +45,7 @@ u_int	 dh_estimate(int);
  
  /* Min and max values from RFC4419. */
  #define DH_GRP_MIN	1024
@@ -145,11 +141,10 @@ index 48f7b68..9ff39f4 100644
  #define DH_GRP_MAX	8192
  
  /*
-diff --git a/entropy.c b/entropy.c
-index d24e724..06b0095 100644
---- a/entropy.c
-+++ b/entropy.c
-@@ -215,6 +215,9 @@ seed_rng(void)
+diff -up openssh-6.8p1/entropy.c.fips openssh-6.8p1/entropy.c
+--- openssh-6.8p1/entropy.c.fips	2015-03-19 13:14:22.147212317 +0100
++++ openssh-6.8p1/entropy.c	2015-03-19 13:14:22.230212157 +0100
+@@ -217,6 +217,9 @@ seed_rng(void)
  		fatal("OpenSSL version mismatch. Built against %lx, you "
  		    "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
  
@@ -159,10 +154,9 @@ index d24e724..06b0095 100644
  #ifndef OPENSSL_PRNG_ONLY
  	if (RAND_status() == 1) {
  		debug3("RNG is ready, skipping seeding");
-diff --git a/kex.c b/kex.c
-index e0cf3de..e11198f 100644
---- a/kex.c
-+++ b/kex.c
+diff -up openssh-6.8p1/kex.c.fips openssh-6.8p1/kex.c
+--- openssh-6.8p1/kex.c.fips	2015-03-19 13:14:22.165212282 +0100
++++ openssh-6.8p1/kex.c	2015-03-19 13:14:22.230212157 +0100
 @@ -35,6 +35,7 @@
  
  #ifdef WITH_OPENSSL
@@ -170,7 +164,7 @@ index e0cf3de..e11198f 100644
 +#include <openssl/fips.h>
  #endif
  
- #include "xmalloc.h"
+ #include "ssh2.h"
 @@ -107,6 +108,25 @@ static const struct kexalg kexalgs[] = {
  	{ NULL, -1, -1, -1},
  };
@@ -197,7 +191,7 @@ index e0cf3de..e11198f 100644
  char *
  kex_alg_list(char sep)
  {
-@@ -130,7 +150,7 @@ kex_alg_by_name(const char *name)
+@@ -134,7 +154,7 @@ kex_alg_by_name(const char *name)
  {
  	const struct kexalg *k;
  
@@ -206,7 +200,7 @@ index e0cf3de..e11198f 100644
  		if (strcmp(k->name, name) == 0)
  			return k;
  #ifdef GSSAPI
-@@ -155,7 +175,10 @@ kex_names_valid(const char *names)
+@@ -160,7 +180,10 @@ kex_names_valid(const char *names)
  	for ((p = strsep(&cp, ",")); p && *p != '\0';
  	    (p = strsep(&cp, ","))) {
  		if (kex_alg_by_name(p) == NULL) {
@@ -218,60 +212,34 @@ index e0cf3de..e11198f 100644
  			free(s);
  			return 0;
  		}
-diff --git a/kexecdhc.c b/kexecdhc.c
-index 2f7629c..20c9946 100644
---- a/kexecdhc.c
-+++ b/kexecdhc.c
-@@ -154,6 +154,7 @@ kexecdh_client(Kex *kex)
- 
- 	kex_derive_keys_bn(kex, hash, hashlen, shared_secret);
- 	BN_clear_free(shared_secret);
-+	memset(hash, 0, hashlen);
- 	kex_finish(kex);
- }
- #else /* OPENSSL_HAS_ECC */
-diff --git a/kexecdhs.c b/kexecdhs.c
-index 2700b72..0820894 100644
---- a/kexecdhs.c
-+++ b/kexecdhs.c
-@@ -150,6 +150,7 @@ kexecdh_server(Kex *kex)
- 
- 	kex_derive_keys_bn(kex, hash, hashlen, shared_secret);
- 	BN_clear_free(shared_secret);
-+	memset(hash, 0, hashlen);
- 	kex_finish(kex);
- }
- #else /* OPENSSL_HAS_ECC */
-diff --git a/kexgexc.c b/kexgexc.c
-index 0a91bdd..b75930b 100644
---- a/kexgexc.c
-+++ b/kexgexc.c
-@@ -26,6 +26,8 @@
+diff -up openssh-6.8p1/kexgexc.c.fips openssh-6.8p1/kexgexc.c
+--- openssh-6.8p1/kexgexc.c.fips	2015-03-19 13:14:22.196212223 +0100
++++ openssh-6.8p1/kexgexc.c	2015-03-19 13:15:11.462117016 +0100
+@@ -28,6 +28,8 @@
  
- #include "includes.h"
+ #ifdef WITH_OPENSSL
  
 +#include <openssl/fips.h>
 +
  #include <sys/types.h>
  
  #include <openssl/dh.h>
-@@ -58,7 +60,7 @@ kexgex_client(Kex *kex)
- 	int min, max, nbits;
- 	DH *dh;
+@@ -62,7 +64,7 @@ kexgex_client(struct ssh *ssh)
+ 
+ 	nbits = dh_estimate(kex->dh_need * 8);
  
--	min = DH_GRP_MIN;
-+	min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
- 	max = DH_GRP_MAX;
+-	kex->min = DH_GRP_MIN;
++	kex->min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
+ 	kex->max = DH_GRP_MAX;
  
  	/* Servers with MAX4096DH need a preferred size (nbits) <= 4096.
-diff --git a/kexgexs.c b/kexgexs.c
-index 770ad28..9d4fc6d 100644
---- a/kexgexs.c
-+++ b/kexgexs.c
-@@ -76,16 +76,16 @@ kexgex_server(Kex *kex)
- 		omin = min = packet_get_int();
- 		onbits = nbits = packet_get_int();
- 		omax = max = packet_get_int();
+diff -up openssh-6.8p1/kexgexs.c.fips openssh-6.8p1/kexgexs.c
+--- openssh-6.8p1/kexgexs.c.fips	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/kexgexs.c	2015-03-19 13:14:22.231212155 +0100
+@@ -87,9 +87,9 @@ input_kex_dh_gex_request(int type, u_int
+ 		kex->nbits = nbits;
+ 		kex->min = min;
+ 		kex->max = max;
 -		min = MAX(DH_GRP_MIN, min);
 +		min = MAX(FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN, min);
  		max = MIN(DH_GRP_MAX, max);
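Review bot: The kexecdhc.c and kexecdhs.c hunks that cleared the exchange hash after `kex_derive_keys_bn` (`memset(hash, 0, hashlen);`, L7378-L7401) are dropped by this rebase and nothing on the new side of the hunk replaces them, so the ECDH exchange hash stays on the stack after key derivation unless upstream 6.8p1's reworked kexecdh code clears it itself — presumably it does, but that should be confirmed before the zeroisation is given up. If it has to be re-added, `explicit_bzero(hash, hashlen);` is the form to use, since a plain `memset` immediately before the function returns is a dead store the compiler may elide. The kexgexc.c part is consistent with the server side (`kex->min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;`, L7431); kexgex_client continues outside the hunk.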
@@ -280,28 +248,28 @@ index 770ad28..9d4fc6d 100644
  		nbits = MIN(DH_GRP_MAX, nbits);
  		break;
  	case SSH2_MSG_KEX_DH_GEX_REQUEST_OLD:
- 		debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received");
- 		onbits = nbits = packet_get_int();
+@@ -99,7 +99,7 @@ input_kex_dh_gex_request(int type, u_int
+ 			goto out;
+ 		kex->nbits = nbits;
  		/* unused for old GEX */
--		omin = min = DH_GRP_MIN;
-+		omin = min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
- 		omax = max = DH_GRP_MAX;
+-		kex->min = min = DH_GRP_MIN;
++		kex->min = min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;
+ 		kex->max = max = DH_GRP_MAX;
  		break;
  	default:
-diff --git a/mac.c b/mac.c
-index fd07bf2..fedfbb2 100644
---- a/mac.c
-+++ b/mac.c
+diff -up openssh-6.8p1/mac.c.fips openssh-6.8p1/mac.c
+--- openssh-6.8p1/mac.c.fips	2015-03-19 13:14:22.224212169 +0100
++++ openssh-6.8p1/mac.c	2015-03-19 13:14:22.231212155 +0100
 @@ -27,6 +27,8 @@
  
  #include <sys/types.h>
  
 +#include <openssl/fips.h>
 +
- #include <stdarg.h>
  #include <string.h>
- #include <signal.h>
-@@ -60,7 +62,7 @@ struct macalg {
+ #include <stdio.h>
+ 
+@@ -54,7 +56,7 @@ struct macalg {
  	int		etm;		/* Encrypt-then-MAC */
  };
  
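Review bot: In input_kex_dh_gex_request the REQUEST path applies the FIPS floor only to the local `min` (L7451) while `kex->min` keeps the client's unclamped value (L7448), whereas the REQUEST_OLD path sets both at once (`kex->min = min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;`, L7467). The asymmetry is presumably deliberate — for a real request kex->min is what the client sent, for old GEX it is synthesised locally — but a comment above L7467 such as `/* old GEX sends no range; synthesise the FIPS-aware floor here */` would keep the next rebase from "fixing" it. The same ternary now appears in kexgexc.c (L7431) and twice in this function (L7451, L7467), and inside the usual `MAX()` macro it is evaluated twice per call, so computing it once, e.g. `int dh_min = FIPS_mode() ? DH_GRP_MIN_FIPS : DH_GRP_MIN;` at the top of the function and using `dh_min` in both branches, would be cleaner. Separately, the mac.c part of this hunk still pulls in `<openssl/fips.h>` (L7482) and calls `FIPS_mode()` (L7522) with no `WITH_OPENSSL` guard, unlike the sshkey.c hunk where the include now sits inside `#ifdef WITH_OPENSSL`; a build without OpenSSL, should one ever be attempted, would fail in mac.c first. input_kex_dh_gex_request starts before and ends after the hunk.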
@@ -310,7 +278,7 @@ index fd07bf2..fedfbb2 100644
  	/* Encrypt-and-MAC (encrypt-and-authenticate) variants */
  	{ "hmac-sha1",				SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 },
  	{ "hmac-sha1-96",			SSH_DIGEST, SSH_DIGEST_SHA1, 96, 0, 0, 0 },
-@@ -91,6 +93,24 @@ static const struct macalg macs[] = {
+@@ -85,6 +87,24 @@ static const struct macalg macs[] = {
  	{ NULL,					0, 0, 0, 0, 0, 0 }
  };
  
@@ -335,7 +303,7 @@ index fd07bf2..fedfbb2 100644
  /* Returns a list of supported MACs separated by the specified char. */
  char *
  mac_alg_list(char sep)
-@@ -99,7 +119,7 @@ mac_alg_list(char sep)
+@@ -93,7 +113,7 @@ mac_alg_list(char sep)
  	size_t nlen, rlen = 0;
  	const struct macalg *m;
  
@@ -344,7 +312,7 @@ index fd07bf2..fedfbb2 100644
  		if (ret != NULL)
  			ret[rlen++] = sep;
  		nlen = strlen(m->name);
-@@ -133,7 +153,7 @@ mac_setup(Mac *mac, char *name)
+@@ -132,7 +152,7 @@ mac_setup(struct sshmac *mac, char *name
  {
  	const struct macalg *m;
  
@@ -352,11 +320,10 @@ index fd07bf2..fedfbb2 100644
 +	for (m = FIPS_mode() ? fips_macs : all_macs; m->name != NULL; m++) {
  		if (strcmp(name, m->name) != 0)
  			continue;
- 		if (mac != NULL) {
-diff --git a/myproposal.h b/myproposal.h
-index b35b2b8..a608d27 100644
---- a/myproposal.h
-+++ b/myproposal.h
+ 		if (mac != NULL)
+diff -up openssh-6.8p1/myproposal.h.fips openssh-6.8p1/myproposal.h
+--- openssh-6.8p1/myproposal.h.fips	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/myproposal.h	2015-03-19 13:14:22.231212155 +0100
 @@ -140,6 +140,28 @@
  	"hmac-sha1-96," \
  	"hmac-md5-96"
@@ -386,10 +353,9 @@ index b35b2b8..a608d27 100644
  #else
  
  #define KEX_SERVER_KEX		\
-diff --git a/ssh.c b/ssh.c
-index 26e9681..a0a7c29 100644
---- a/ssh.c
-+++ b/ssh.c
+diff -up openssh-6.8p1/ssh.c.fips openssh-6.8p1/ssh.c
+--- openssh-6.8p1/ssh.c.fips	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/ssh.c	2015-03-19 13:14:22.232212153 +0100
 @@ -75,6 +75,8 @@
  #include <openssl/evp.h>
  #include <openssl/err.h>
@@ -399,7 +365,7 @@ index 26e9681..a0a7c29 100644
  #include "openbsd-compat/openssl-compat.h"
  #include "openbsd-compat/sys-queue.h"
  
-@@ -433,6 +435,14 @@ main(int ac, char **av)
+@@ -523,6 +525,14 @@ main(int ac, char **av)
  	sanitise_stdfd();
  
  	__progname = ssh_get_progname(av[0]);
@@ -414,8 +380,8 @@ index 26e9681..a0a7c29 100644
  
  #ifndef HAVE_SETPROCTITLE
  	/* Prepare for later setproctitle emulation */
-@@ -510,6 +519,9 @@ main(int ac, char **av)
- 	    "ACD:E:F:I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
+@@ -600,6 +610,9 @@ main(int ac, char **av)
+ 	    "ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
  		switch (opt) {
  		case '1':
 +			if (FIPS_mode()) {
@@ -424,7 +390,7 @@ index 26e9681..a0a7c29 100644
  			options.protocol = SSH_PROTO_1;
  			break;
  		case '2':
-@@ -841,7 +853,6 @@ main(int ac, char **av)
+@@ -941,7 +954,6 @@ main(int ac, char **av)
  	host_arg = xstrdup(host);
  
  #ifdef WITH_OPENSSL
@@ -432,7 +398,7 @@ index 26e9681..a0a7c29 100644
  	ERR_load_crypto_strings();
  #endif
  
-@@ -997,6 +1008,10 @@ main(int ac, char **av)
+@@ -1115,6 +1127,10 @@ main(int ac, char **av)
  
  	seed_rng();
  
@@ -443,7 +409,7 @@ index 26e9681..a0a7c29 100644
  	if (options.user == NULL)
  		options.user = xstrdup(pw->pw_name);
  
-@@ -1069,6 +1084,12 @@ main(int ac, char **av)
+@@ -1192,6 +1208,12 @@ main(int ac, char **av)
  
  	timeout_ms = options.connection_timeout * 1000;
  
@@ -456,10 +422,9 @@ index 26e9681..a0a7c29 100644
  	/* Open a connection to the remote host. */
  	if (ssh_connect(host, addrs, &hostaddr, options.port,
  	    options.address_family, options.connection_attempts,
-diff --git a/sshconnect2.c b/sshconnect2.c
-index efe6158..5631f39 100644
---- a/sshconnect2.c
-+++ b/sshconnect2.c
+diff -up openssh-6.8p1/sshconnect2.c.fips openssh-6.8p1/sshconnect2.c
+--- openssh-6.8p1/sshconnect2.c.fips	2015-03-19 13:14:22.188212238 +0100
++++ openssh-6.8p1/sshconnect2.c	2015-03-19 13:14:22.232212153 +0100
 @@ -46,6 +46,8 @@
  #include <vis.h>
  #endif
@@ -469,13 +434,24 @@ index efe6158..5631f39 100644
  #include "openbsd-compat/sys-queue.h"
  
  #include "xmalloc.h"
-@@ -171,20 +173,25 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -172,20 +174,25 @@ ssh_kex2(char *host, struct sockaddr *ho
  
  #ifdef GSSAPI
  	if (options.gss_keyex) {
 -		/* Add the GSSAPI mechanisms currently supported on this 
 -		 * client to the key exchange algorithm proposal */
 -		orig = myproposal[PROPOSAL_KEX_ALGS];
+-
+-		if (options.gss_trust_dns)
+-			gss_host = (char *)get_canonical_hostname(1);
+-		else
+-			gss_host = host;
+-
+-		gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
+-		if (gss) {
+-			debug("Offering GSSAPI proposal: %s", gss);
+-			xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
+-			    "%s,%s", gss, orig);
 +		if (FIPS_mode()) {
 +			logit("Disabling GSSAPIKeyExchange. Not usable in FIPS mode");
 +			options.gss_keyex = 0;
@@ -483,21 +459,12 @@ index efe6158..5631f39 100644
 +			/* Add the GSSAPI mechanisms currently supported on this
 +			 * client to the key exchange algorithm proposal */
 +			orig = myproposal[PROPOSAL_KEX_ALGS];
- 
--		if (options.gss_trust_dns)
--			gss_host = (char *)get_canonical_hostname(1);
--		else
--			gss_host = host;
++
 +			if (options.gss_trust_dns)
 +				gss_host = (char *)get_canonical_hostname(1);
 +			else
 +				gss_host = host;
- 
--		gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
--		if (gss) {
--			debug("Offering GSSAPI proposal: %s", gss);
--			xasprintf(&myproposal[PROPOSAL_KEX_ALGS],
--			    "%s,%s", gss, orig);
++
 +			gss = ssh_gssapi_client_mechanisms(gss_host, options.gss_client_identity);
 +			if (gss) {
 +				debug("Offering GSSAPI proposal: %s", gss);
@@ -507,7 +474,7 @@ index efe6158..5631f39 100644
  		}
  	}
  #endif
-@@ -196,6 +203,10 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -197,6 +204,10 @@ ssh_kex2(char *host, struct sockaddr *ho
  	if (options.ciphers != NULL) {
  		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
  		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@@ -518,7 +485,7 @@ index efe6158..5631f39 100644
  	}
  	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
  	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
-@@ -211,7 +222,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -212,7 +223,11 @@ ssh_kex2(char *host, struct sockaddr *ho
  	if (options.macs != NULL) {
  		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
  		myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
@@ -530,7 +497,7 @@ index efe6158..5631f39 100644
  	if (options.hostkeyalgorithms != NULL)
  		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
  		    compat_pkalg_proposal(options.hostkeyalgorithms);
-@@ -223,9 +238,11 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -224,9 +239,11 @@ ssh_kex2(char *host, struct sockaddr *ho
  	}
  	if (options.kex_algorithms != NULL)
  		myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
@@ -543,10 +510,9 @@ index efe6158..5631f39 100644
  #ifdef GSSAPI
  	/* If we've got GSSAPI algorithms, then we also support the
  	 * 'null' hostkey, as a last resort */
-diff --git a/sshd.c b/sshd.c
-index db23ce2..3ce59f0 100644
---- a/sshd.c
-+++ b/sshd.c
+diff -up openssh-6.8p1/sshd.c.fips openssh-6.8p1/sshd.c
+--- openssh-6.8p1/sshd.c.fips	2015-03-19 13:14:22.226212165 +0100
++++ openssh-6.8p1/sshd.c	2015-03-19 13:14:22.232212153 +0100
 @@ -66,6 +66,7 @@
  #include <grp.h>
  #include <pwd.h>
@@ -555,7 +521,7 @@ index db23ce2..3ce59f0 100644
  #include <stdarg.h>
  #include <stdio.h>
  #include <stdlib.h>
-@@ -76,6 +77,8 @@
+@@ -77,6 +78,8 @@
  #include <openssl/dh.h>
  #include <openssl/bn.h>
  #include <openssl/rand.h>
@@ -564,7 +530,7 @@ index db23ce2..3ce59f0 100644
  #include "openbsd-compat/openssl-compat.h"
  #endif
  
-@@ -1479,6 +1482,18 @@ main(int ac, char **av)
+@@ -1543,6 +1546,18 @@ main(int ac, char **av)
  #endif
  	__progname = ssh_get_progname(av[0]);
  
@@ -583,7 +549,7 @@ index db23ce2..3ce59f0 100644
  	/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
  	saved_argc = ac;
  	rexec_argc = ac;
-@@ -1630,7 +1645,7 @@ main(int ac, char **av)
+@@ -1694,7 +1709,7 @@ main(int ac, char **av)
  	else
  		closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
  
@@ -592,9 +558,9 @@ index db23ce2..3ce59f0 100644
  	OpenSSL_add_all_algorithms();
  #endif
  
-@@ -1816,6 +1831,10 @@ main(int ac, char **av)
- 		debug("private host key: #%d type %d %s", i, keytype,
- 		    key_type(key ? key : pubkey));
+@@ -1890,6 +1905,10 @@ main(int ac, char **av)
+ 		    sshkey_type(pubkey) : sshkey_ssh_name(pubkey), fp);
+ 		free(fp);
  	}
 +	if ((options.protocol & SSH_PROTO_1) && FIPS_mode()) {
 +		logit("Disabling protocol version 1. Not allowed in the FIPS mode.");
@@ -603,7 +569,7 @@ index db23ce2..3ce59f0 100644
  	if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
  		logit("Disabling protocol version 1. Could not load host key");
  		options.protocol &= ~SSH_PROTO_1;
-@@ -1982,6 +2001,10 @@ main(int ac, char **av)
+@@ -2058,6 +2077,10 @@ main(int ac, char **av)
  	/* Reinitialize the log (because of the fork above). */
  	log_init(__progname, options.log_level, options.log_facility, log_stderr);
  
@@ -614,7 +580,7 @@ index db23ce2..3ce59f0 100644
  	/* Chdir to the root directory so that the current disk can be
  	   unmounted if desired. */
  	if (chdir("/") == -1)
-@@ -2541,6 +2564,9 @@ do_ssh2_kex(void)
+@@ -2642,6 +2665,9 @@ do_ssh2_kex(void)
  	if (options.ciphers != NULL) {
  		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
  		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@@ -624,7 +590,7 @@ index db23ce2..3ce59f0 100644
  	}
  	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
  	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
-@@ -2550,6 +2576,9 @@ do_ssh2_kex(void)
+@@ -2651,6 +2677,9 @@ do_ssh2_kex(void)
  	if (options.macs != NULL) {
  		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
  		myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
@@ -634,7 +600,7 @@ index db23ce2..3ce59f0 100644
  	}
  	if (options.compression == COMP_NONE) {
  		myproposal[PROPOSAL_COMP_ALGS_CTOS] =
-@@ -2560,6 +2589,8 @@ do_ssh2_kex(void)
+@@ -2661,6 +2690,8 @@ do_ssh2_kex(void)
  	}
  	if (options.kex_algorithms != NULL)
  		myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
@@ -643,7 +609,7 @@ index db23ce2..3ce59f0 100644
  
  	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
  	    myproposal[PROPOSAL_KEX_ALGS]);
-@@ -2586,10 +2617,14 @@ do_ssh2_kex(void)
+@@ -2687,10 +2718,14 @@ do_ssh2_kex(void)
  	if (strlen(myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]) == 0)
  		orig = NULL;
  
@@ -662,19 +628,18 @@ index db23ce2..3ce59f0 100644
  
  	if (gss && orig)
  		xasprintf(&newstr, "%s,%s", gss, orig);
-diff --git a/sshkey.c b/sshkey.c
-index f078e11..5e3d97f 100644
---- a/sshkey.c
-+++ b/sshkey.c
-@@ -34,6 +34,7 @@
+diff -up openssh-6.8p1/sshkey.c.fips openssh-6.8p1/sshkey.c
+--- openssh-6.8p1/sshkey.c.fips	2015-03-19 13:14:22.227212163 +0100
++++ openssh-6.8p1/sshkey.c	2015-03-19 13:14:22.233212151 +0100
+@@ -35,6 +35,7 @@
  #include <openssl/evp.h>
  #include <openssl/err.h>
  #include <openssl/pem.h>
 +#include <openssl/fips.h>
+ #endif
  
  #include "crypto_api.h"
- 
-@@ -1523,6 +1524,8 @@ rsa_generate_private_key(u_int bits, RSA **rsap)
+@@ -1562,6 +1563,8 @@ rsa_generate_private_key(u_int bits, RSA
  	}
  	if (!BN_set_word(f4, RSA_F4) ||
  	    !RSA_generate_key_ex(private, bits, f4, NULL)) {
@@ -683,9 +648,10 @@ index f078e11..5e3d97f 100644
  		ret = SSH_ERR_LIBCRYPTO_ERROR;
  		goto out;
  	}
---- a/servconf.c    2015-01-30 12:24:12.388337643 +0100
-+++ b/servconf.c    2015-01-30 12:26:36.229229751 +0100
-@@ -2159,8 +2162,10 @@
+diff -up openssh-6.8p1/servconf.c.fips openssh-6.8p1/servconf.c
+--- openssh-6.8p1/servconf.c.fips	2015-03-19 13:14:22.210212196 +0100
++++ openssh-6.8p1/servconf.c	2015-03-19 13:14:22.233212151 +0100
+@@ -2226,8 +2226,10 @@ dump_config(ServerOptions *o)
  	/* string arguments */
  	dump_cfg_string(sPidFile, o->pid_file);
  	dump_cfg_string(sXAuthLocation, o->xauth_location);
@@ -698,12 +664,14 @@ index f078e11..5e3d97f 100644
  	dump_cfg_string(sBanner, o->banner);
  	dump_cfg_string(sForceCommand, o->adm_forced_command);
  	dump_cfg_string(sChrootDirectory, o->chroot_directory);
-@@ -2180,7 +2180,7 @@
+@@ -2240,8 +2242,8 @@ dump_config(ServerOptions *o)
+ 	dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
  	dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
  	dump_cfg_string(sHostKeyAgent, o->host_key_agent);
- 	dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms :
--  	    KEX_SERVER_KEX);
+-	dump_cfg_string(sKexAlgorithms,
+-	    o->kex_algorithms ? o->kex_algorithms : KEX_SERVER_KEX);
++ 	dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms :
 +		FIPS_mode() ? KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX);
- 
- 	/* string arguments requiring a lookup */
- 	dump_cfg_string(sLogLevel, log_level_name(o->log_level));
+ 	dump_cfg_string(sHostbasedAcceptedKeyTypes, o->hostbased_key_types ?
+ 	    o->hostbased_key_types : KEX_DEFAULT_PK_ALG);
+ 	dump_cfg_string(sPubkeyAcceptedKeyTypes, o->pubkey_key_types ?
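Review bot: The added KexAlgorithms line in the servconf.c hunk is indented with a space followed by a tab, unlike the tab-only context lines around it, so the rebased patch will insert mixed indentation into dump_config(); the removed line it replaces had the same stray whitespace, so this is a good moment to drop it. The nested conditional also reads better with the FIPS branch parenthesised, `o->kex_algorithms ? o->kex_algorithms : (FIPS_mode() ? KEX_DEFAULT_KEX_FIPS : KEX_SERVER_KEX)`. Note this only changes what `sshd -T` reports; whether the runtime KEX proposal applies the same FIPS default is decided elsewhere and is not visible in this hunk.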
diff --git a/openssh-6.7p1-kdf-cavs.patch b/openssh-6.7p1-kdf-cavs.patch
index 19e1b53..d219791 100644
--- a/openssh-6.7p1-kdf-cavs.patch
+++ b/openssh-6.7p1-kdf-cavs.patch
@@ -1,8 +1,7 @@
-diff --git a/Makefile.in b/Makefile.in
-index 1eb2b45..cfa89a1 100644
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -29,6 +29,7 @@ SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
+diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in
+--- openssh-6.8p1/Makefile.in.kdf-cavs	2015-03-18 11:23:46.346049359 +0100
++++ openssh-6.8p1/Makefile.in	2015-03-18 11:24:20.395968445 +0100
+@@ -29,6 +29,7 @@ SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-h
  SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
  SSH_KEYCAT=$(libexecdir)/ssh-keycat
  CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
@@ -18,8 +17,8 @@ index 1eb2b45..cfa89a1 100644
 +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
  
  LIBOPENSSH_OBJS=\
- 	ssherr.o \
-@@ -196,6 +196,9 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o
+ 	ssh_api.o \
+@@ -198,6 +199,9 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHD
  ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
  	$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
  
@@ -29,7 +28,7 @@ index 1eb2b45..cfa89a1 100644
  ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
  	$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
  
-@@ -320,6 +321,8 @@ install-files:
+@@ -331,6 +335,8 @@ install-files:
  	fi
  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
  	$(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
@@ -38,12 +37,10 @@ index 1eb2b45..cfa89a1 100644
  	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
  	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
  	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-diff --git a/ssh-cavs.c b/ssh-cavs.c
-new file mode 100644
-index 0000000..928ff80
---- /dev/null
-+++ b/ssh-cavs.c
-@@ -0,0 +1,374 @@
+diff -up openssh-6.8p1/ssh-cavs.c.kdf-cavs openssh-6.8p1/ssh-cavs.c
+--- openssh-6.8p1/ssh-cavs.c.kdf-cavs	2015-03-18 11:23:46.348049354 +0100
++++ openssh-6.8p1/ssh-cavs.c	2015-03-18 11:23:46.348049354 +0100
+@@ -0,0 +1,383 @@
 +/*
 + * Copyright (C) 2015, Stephan Mueller <smueller at chronox.de>
 + *
@@ -95,6 +92,7 @@ index 0000000..928ff80
 +#include "key.h"
 +#include "cipher.h"
 +#include "kex.h"
++#include "packet.h"
 +
 +static int bin_char(unsigned char hex)
 +{
@@ -208,16 +206,17 @@ index 0000000..928ff80
 +static int sshkdf_cavs(struct kdf_cavs *test)
 +{
 +	int ret = 0;
-+	Kex kex;
++	struct kex kex;
 +	BIGNUM *Kbn = NULL;
 +	int mode = 0;
-+	Newkeys *ctoskeys;
-+	Newkeys *stockeys;
++	struct newkeys *ctoskeys;
++	struct newkeys *stockeys;
++	struct ssh *ssh = NULL;
 +
 +#define HEXOUTLEN 500
 +	char hex[HEXOUTLEN];
 +
-+	memset(&kex, 0, sizeof(Kex));
++	memset(&kex, 0, sizeof(struct kex));
 +
 +	Kbn = BN_new();
 +	BN_bin2bn(test->K, test->Klen, Kbn);
@@ -254,7 +253,7 @@ index 0000000..928ff80
 +
 +	/* implement choose_enc */
 +	for (mode = 0; mode < 2; mode++) {
-+		kex.newkeys[mode] = calloc(1, sizeof(Newkeys));
++		kex.newkeys[mode] = calloc(1, sizeof(struct newkeys));
 +		if (!kex.newkeys[mode]) {
 +			printf("allocation of newkeys failed\n");
 +			ret = 1;
@@ -280,10 +279,15 @@ index 0000000..928ff80
 +	kex.server = 1;
 +
 +	/* do it */
-+	kex_derive_keys_bn(&kex, test->H, test->Hlen, Kbn);
++	if ((ssh = ssh_packet_set_connection(NULL, -1, -1)) == NULL){
++		printf("Allocation error\n");
++		goto out;
++	}
++	ssh->kex = &kex;
++	kex_derive_keys_bn(ssh, test->H, test->Hlen, Kbn);
 +
-+	ctoskeys = kex_get_newkeys(0);
-+	stockeys = kex_get_newkeys(1);
++	ctoskeys = kex.newkeys[0];
++	stockeys = kex.newkeys[1];
 +
 +	/* get data */
 +	memset(hex, 0, HEXOUTLEN);
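Review bot: The new failure branch after `ssh_packet_set_connection(NULL, -1, -1)` prints "Allocation error" and jumps to `out` without setting `ret = 1`, so unlike the newkeys allocation failure earlier in the same function the test vector is reported as passed. The status of `kex_derive_keys_bn(ssh, ...)` is also discarded; in 6.8 it returns an int error code, and on failure the code goes on to read `kex.newkeys[0]`/`[1]` key material that was never filled in, producing a bogus CAVS answer instead of an error. Since `ssh->kex` aliases the stack-allocated `kex`, it is worth confirming against packet.c that the `ssh_packet_close(ssh)` cleanup added later in this file does not try to free it, and whether `ssh` itself must be released after close. sshkdf_cavs starts and ends outside this hunk.
```c
	/* do it */
	if ((ssh = ssh_packet_set_connection(NULL, -1, -1)) == NULL) {
		printf("Allocation error\n");
		ret = 1;
		goto out;
	}
	ssh->kex = &kex;
	if (kex_derive_keys_bn(ssh, test->H, test->Hlen, Kbn) != 0) {
		printf("key derivation failed\n");
		ret = 1;
		goto out;
	}
	/* … unchanged: ctoskeys/stockeys assignment and hex output … */
```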
@@ -323,6 +327,8 @@ index 0000000..928ff80
 +		free(kex.newkeys[0]);
 +	if (kex.newkeys[1])
 +		free(kex.newkeys[1]);
++	if (ssh)
++		ssh_packet_close(ssh);
 +	return ret;
 +}
 +
@@ -418,11 +424,9 @@ index 0000000..928ff80
 +	return ret;
 +
 +}
-diff --git a/ssh-cavs_driver.pl b/ssh-cavs_driver.pl
-new file mode 100644
-index 0000000..6ed8f26
---- /dev/null
-+++ b/ssh-cavs_driver.pl
+diff -up openssh-6.8p1/ssh-cavs_driver.pl.kdf-cavs openssh-6.8p1/ssh-cavs_driver.pl
+--- openssh-6.8p1/ssh-cavs_driver.pl.kdf-cavs	2015-03-18 11:23:46.348049354 +0100
++++ openssh-6.8p1/ssh-cavs_driver.pl	2015-03-18 11:23:46.348049354 +0100
 @@ -0,0 +1,184 @@
 +#!/usr/bin/env perl
 +#
diff --git a/openssh-6.7p1-ldap.patch b/openssh-6.7p1-ldap.patch
index e46e93a..296e7ea 100644
--- a/openssh-6.7p1-ldap.patch
+++ b/openssh-6.7p1-ldap.patch
@@ -1,8 +1,6 @@
-diff --git a/HOWTO.ldap-keys b/HOWTO.ldap-keys
-new file mode 100644
-index 0000000..dd5f5cc
---- /dev/null
-+++ b/HOWTO.ldap-keys
+diff -up openssh-6.8p1/HOWTO.ldap-keys.ldap openssh-6.8p1/HOWTO.ldap-keys
+--- openssh-6.8p1/HOWTO.ldap-keys.ldap	2015-03-18 11:11:29.029801467 +0100
++++ openssh-6.8p1/HOWTO.ldap-keys	2015-03-18 11:11:29.029801467 +0100
 @@ -0,0 +1,119 @@
 +
 +HOW TO START
@@ -123,10 +121,9 @@ index 0000000..dd5f5cc
 +5) Author
 +    Jan F. Chadima <jchadima at redhat.com>
 +
-diff --git a/Makefile.in b/Makefile.in
-index 06be3d5..f02aa1e 100644
---- a/Makefile.in
-+++ b/Makefile.in
+diff -up openssh-6.8p1/Makefile.in.ldap openssh-6.8p1/Makefile.in
+--- openssh-6.8p1/Makefile.in.ldap	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/Makefile.in	2015-03-18 11:13:10.147561177 +0100
 @@ -25,6 +25,8 @@ SSH_PROGRAM=@bindir@/ssh
  ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
  SFTP_SERVER=$(libexecdir)/sftp-server
@@ -146,8 +143,8 @@ index 06be3d5..f02aa1e 100644
 +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
  
  LIBOPENSSH_OBJS=\
- 	ssherr.o \
-@@ -108,8 +111,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
+ 	ssh_api.o \
+@@ -112,8 +115,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
  	sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
  	sandbox-seccomp-filter.o sandbox-capsicum.o
  
@@ -158,17 +155,17 @@ index 06be3d5..f02aa1e 100644
  MANTYPE		= @MANTYPE@
  
  CONFIGFILES=sshd_config.out ssh_config.out moduli.out
-@@ -180,6 +183,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readco
+@@ -184,6 +187,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
  ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
  	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
  
-+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
-+	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
++ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o sshbuf-getput-basic.o ssherr.o
++	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o sshbuf-getput-basic.o ssherr.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
 +
  ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
  	$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
  
-@@ -295,6 +301,10 @@ install-files:
+@@ -311,6 +317,10 @@ install-files:
  	$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
  	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
@@ -179,7 +176,7 @@ index 06be3d5..f02aa1e 100644
  	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
  	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
  	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-@@ -311,6 +321,10 @@ install-files:
+@@ -327,6 +337,10 @@ install-files:
  	$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
  	$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
  	$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@@ -190,7 +187,7 @@ index 06be3d5..f02aa1e 100644
  	-rm -f $(DESTDIR)$(bindir)/slogin
  	ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
  	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
-@@ -340,6 +354,13 @@ install-sysconf:
+@@ -356,6 +370,13 @@ install-sysconf:
  	else \
  		echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
  	fi
@@ -204,7 +201,7 @@ index 06be3d5..f02aa1e 100644
  
  host-key: ssh-keygen$(EXEEXT)
  	@if [ -z "$(DESTDIR)" ] ; then \
-@@ -403,6 +424,8 @@ uninstall:
+@@ -419,6 +440,8 @@ uninstall:
  	-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
  	-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
  	-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
@@ -213,7 +210,7 @@ index 06be3d5..f02aa1e 100644
  	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
  	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
  	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-@@ -414,6 +437,7 @@ uninstall:
+@@ -430,6 +453,7 @@ uninstall:
  	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
  	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
  	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@@ -221,11 +218,10 @@ index 06be3d5..f02aa1e 100644
  	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
  
  regress-prep:
-diff --git a/configure.ac b/configure.ac
-index 67c4486..6553074 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -1569,6 +1569,106 @@ if test "x$use_pie" != "xno"; then
+diff -up openssh-6.8p1/configure.ac.ldap openssh-6.8p1/configure.ac
+--- openssh-6.8p1/configure.ac.ldap	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/configure.ac	2015-03-18 11:11:29.030801464 +0100
+@@ -1605,6 +1605,106 @@ if test "x$use_pie" != "xno"; then
  	fi
  fi
  
@@ -332,11 +328,9 @@ index 67c4486..6553074 100644
  dnl    Checks for library functions. Please keep in alphabetical order
  AC_CHECK_FUNCS([ \
  	Blowfish_initstate \
-diff --git a/ldap-helper.c b/ldap-helper.c
-new file mode 100644
-index 0000000..e95a94a
---- /dev/null
-+++ b/ldap-helper.c
+diff -up openssh-6.8p1/ldap-helper.c.ldap openssh-6.8p1/ldap-helper.c
+--- openssh-6.8p1/ldap-helper.c.ldap	2015-03-18 11:11:29.030801464 +0100
++++ openssh-6.8p1/ldap-helper.c	2015-03-18 11:11:29.030801464 +0100
 @@ -0,0 +1,155 @@
 +/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@@ -493,11 +487,9 @@ index 0000000..e95a94a
 +void   *buffer_get_string(Buffer *b, u_int *l) { return NULL; }
 +void    buffer_put_string(Buffer *b, const void *f, u_int l) {}
 +
-diff --git a/ldap-helper.h b/ldap-helper.h
-new file mode 100644
-index 0000000..14cb29a
---- /dev/null
-+++ b/ldap-helper.h
+diff -up openssh-6.8p1/ldap-helper.h.ldap openssh-6.8p1/ldap-helper.h
+--- openssh-6.8p1/ldap-helper.h.ldap	2015-03-18 11:11:29.031801462 +0100
++++ openssh-6.8p1/ldap-helper.h	2015-03-18 11:11:29.031801462 +0100
 @@ -0,0 +1,32 @@
 +/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@@ -531,11 +523,9 @@ index 0000000..14cb29a
 +extern int config_warning_config_file;
 +
 +#endif /* LDAP_HELPER_H */
-diff --git a/ldap.conf b/ldap.conf
-new file mode 100644
-index 0000000..42e38d3
---- /dev/null
-+++ b/ldap.conf
+diff -up openssh-6.8p1/ldap.conf.ldap openssh-6.8p1/ldap.conf
+--- openssh-6.8p1/ldap.conf.ldap	2015-03-18 11:11:29.031801462 +0100
++++ openssh-6.8p1/ldap.conf	2015-03-18 11:11:29.031801462 +0100
 @@ -0,0 +1,95 @@
 +# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
 +#
@@ -632,11 +622,9 @@ index 0000000..42e38d3
 +
 +#AccountClass posixAccount
 +
-diff --git a/ldapbody.c b/ldapbody.c
-new file mode 100644
-index 0000000..3029108
---- /dev/null
-+++ b/ldapbody.c
+diff -up openssh-6.8p1/ldapbody.c.ldap openssh-6.8p1/ldapbody.c
+--- openssh-6.8p1/ldapbody.c.ldap	2015-03-18 11:11:29.031801462 +0100
++++ openssh-6.8p1/ldapbody.c	2015-03-18 11:11:29.031801462 +0100
 @@ -0,0 +1,493 @@
 +/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@@ -1131,11 +1119,9 @@ index 0000000..3029108
 +	return;
 +}
 +
-diff --git a/ldapbody.h b/ldapbody.h
-new file mode 100644
-index 0000000..665dca2
---- /dev/null
-+++ b/ldapbody.h
+diff -up openssh-6.8p1/ldapbody.h.ldap openssh-6.8p1/ldapbody.h
+--- openssh-6.8p1/ldapbody.h.ldap	2015-03-18 11:11:29.031801462 +0100
++++ openssh-6.8p1/ldapbody.h	2015-03-18 11:11:29.031801462 +0100
 @@ -0,0 +1,37 @@
 +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@@ -1174,11 +1160,9 @@ index 0000000..665dca2
 +
 +#endif /* LDAPBODY_H */
 +
-diff --git a/ldapconf.c b/ldapconf.c
-new file mode 100644
-index 0000000..b49cae6
---- /dev/null
-+++ b/ldapconf.c
+diff -up openssh-6.8p1/ldapconf.c.ldap openssh-6.8p1/ldapconf.c
+--- openssh-6.8p1/ldapconf.c.ldap	2015-03-18 11:11:29.032801460 +0100
++++ openssh-6.8p1/ldapconf.c	2015-03-18 11:11:29.032801460 +0100
 @@ -0,0 +1,728 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@@ -1908,11 +1892,9 @@ index 0000000..b49cae6
 +	dump_cfg_string(lAccountClass, options.account_class);
 +}
 +
-diff --git a/ldapconf.h b/ldapconf.h
-new file mode 100644
-index 0000000..2cb550c
---- /dev/null
-+++ b/ldapconf.h
+diff -up openssh-6.8p1/ldapconf.h.ldap openssh-6.8p1/ldapconf.h
+--- openssh-6.8p1/ldapconf.h.ldap	2015-03-18 11:11:29.032801460 +0100
++++ openssh-6.8p1/ldapconf.h	2015-03-18 11:11:29.032801460 +0100
 @@ -0,0 +1,73 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@@ -1987,11 +1969,9 @@ index 0000000..2cb550c
 +void dump_config(void);
 +
 +#endif /* LDAPCONF_H */
-diff --git a/ldapincludes.h b/ldapincludes.h
-new file mode 100644
-index 0000000..8539bdc
---- /dev/null
-+++ b/ldapincludes.h
+diff -up openssh-6.8p1/ldapincludes.h.ldap openssh-6.8p1/ldapincludes.h
+--- openssh-6.8p1/ldapincludes.h.ldap	2015-03-18 11:11:29.032801460 +0100
++++ openssh-6.8p1/ldapincludes.h	2015-03-18 11:11:29.032801460 +0100
 @@ -0,0 +1,41 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@@ -2034,11 +2014,9 @@ index 0000000..8539bdc
 +#endif
 +
 +#endif /* LDAPINCLUDES_H */
-diff --git a/ldapmisc.c b/ldapmisc.c
-new file mode 100644
-index 0000000..de23c0c
---- /dev/null
-+++ b/ldapmisc.c
+diff -up openssh-6.8p1/ldapmisc.c.ldap openssh-6.8p1/ldapmisc.c
+--- openssh-6.8p1/ldapmisc.c.ldap	2015-03-18 11:11:29.032801460 +0100
++++ openssh-6.8p1/ldapmisc.c	2015-03-18 11:11:29.032801460 +0100
 @@ -0,0 +1,79 @@
 +
 +#include "ldapincludes.h"
@@ -2119,11 +2097,9 @@ index 0000000..de23c0c
 +}
 +#endif
 +
-diff --git a/ldapmisc.h b/ldapmisc.h
-new file mode 100644
-index 0000000..4c271df
---- /dev/null
-+++ b/ldapmisc.h
+diff -up openssh-6.8p1/ldapmisc.h.ldap openssh-6.8p1/ldapmisc.h
+--- openssh-6.8p1/ldapmisc.h.ldap	2015-03-18 11:11:29.032801460 +0100
++++ openssh-6.8p1/ldapmisc.h	2015-03-18 11:11:29.032801460 +0100
 @@ -0,0 +1,35 @@
 +/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
@@ -2160,11 +2136,9 @@ index 0000000..4c271df
 +
 +#endif /* LDAPMISC_H */
 +
-diff --git a/openssh-lpk-openldap.schema b/openssh-lpk-openldap.schema
-new file mode 100644
-index 0000000..c84f90f
---- /dev/null
-+++ b/openssh-lpk-openldap.schema
+diff -up openssh-6.8p1/openssh-lpk-openldap.schema.ldap openssh-6.8p1/openssh-lpk-openldap.schema
+--- openssh-6.8p1/openssh-lpk-openldap.schema.ldap	2015-03-18 11:11:29.033801457 +0100
++++ openssh-6.8p1/openssh-lpk-openldap.schema	2015-03-18 11:11:29.033801457 +0100
 @@ -0,0 +1,21 @@
 +#
 +# LDAP Public Key Patch schema for use with openssh-ldappubkey
@@ -2187,11 +2161,9 @@ index 0000000..c84f90f
 +	DESC 'MANDATORY: OpenSSH LPK objectclass'
 +	MUST ( sshPublicKey $ uid ) 
 +	)
-diff --git a/openssh-lpk-sun.schema b/openssh-lpk-sun.schema
-new file mode 100644
-index 0000000..3136673
---- /dev/null
-+++ b/openssh-lpk-sun.schema
+diff -up openssh-6.8p1/openssh-lpk-sun.schema.ldap openssh-6.8p1/openssh-lpk-sun.schema
+--- openssh-6.8p1/openssh-lpk-sun.schema.ldap	2015-03-18 11:11:29.033801457 +0100
++++ openssh-6.8p1/openssh-lpk-sun.schema	2015-03-18 11:11:29.033801457 +0100
 @@ -0,0 +1,23 @@
 +#
 +# LDAP Public Key Patch schema for use with openssh-ldappubkey
@@ -2216,11 +2188,9 @@ index 0000000..3136673
 +	DESC 'MANDATORY: OpenSSH LPK objectclass'
 +	MUST ( sshPublicKey $ uid ) 
 +	)
-diff --git a/ssh-ldap-helper.8 b/ssh-ldap-helper.8
-new file mode 100644
-index 0000000..5d2d7be
---- /dev/null
-+++ b/ssh-ldap-helper.8
+diff -up openssh-6.8p1/ssh-ldap-helper.8.ldap openssh-6.8p1/ssh-ldap-helper.8
+--- openssh-6.8p1/ssh-ldap-helper.8.ldap	2015-03-18 11:11:29.033801457 +0100
++++ openssh-6.8p1/ssh-ldap-helper.8	2015-03-18 11:11:29.033801457 +0100
 @@ -0,0 +1,79 @@
 +.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
 +.\"
@@ -2301,21 +2271,17 @@ index 0000000..5d2d7be
 +OpenSSH 5.5 + PKA-LDAP .
 +.Sh AUTHORS
 +.An Jan F. Chadima Aq jchadima at redhat.com
-diff --git a/ssh-ldap-wrapper b/ssh-ldap-wrapper
-new file mode 100644
-index 0000000..cb500aa
---- /dev/null
-+++ b/ssh-ldap-wrapper
+diff -up openssh-6.8p1/ssh-ldap-wrapper.ldap openssh-6.8p1/ssh-ldap-wrapper
+--- openssh-6.8p1/ssh-ldap-wrapper.ldap	2015-03-18 11:11:29.033801457 +0100
++++ openssh-6.8p1/ssh-ldap-wrapper	2015-03-18 11:11:29.033801457 +0100
 @@ -0,0 +1,4 @@
 +#!/bin/sh
 +
 +exec /usr/libexec/openssh/ssh-ldap-helper -s "$1"
 +
-diff --git a/ssh-ldap.conf.5 b/ssh-ldap.conf.5
-new file mode 100644
-index 0000000..f7081b8
---- /dev/null
-+++ b/ssh-ldap.conf.5
+diff -up openssh-6.8p1/ssh-ldap.conf.5.ldap openssh-6.8p1/ssh-ldap.conf.5
+--- openssh-6.8p1/ssh-ldap.conf.5.ldap	2015-03-18 11:11:29.033801457 +0100
++++ openssh-6.8p1/ssh-ldap.conf.5	2015-03-18 11:11:29.033801457 +0100
 @@ -0,0 +1,385 @@
 +.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
 +.\"
diff --git a/openssh-6.7p1-sftp-force-permission.patch b/openssh-6.7p1-sftp-force-permission.patch
index 05fff13..1a88e50 100644
--- a/openssh-6.7p1-sftp-force-permission.patch
+++ b/openssh-6.7p1-sftp-force-permission.patch
@@ -1,6 +1,7 @@
---- openssh-5.3p1/sftp-server.8	2015-02-10 10:08:09.611849984 +0100
-+++ openssh-5.3p1/sftp-server.8.perms	2015-02-10 10:08:52.204120509 +0100
-@@ -33,6 +33,7 @@ 
+diff -up openssh-6.8p1/sftp-server.8.sftp-force-mode openssh-6.8p1/sftp-server.8
+--- openssh-6.8p1/sftp-server.8.sftp-force-mode	2015-03-17 06:49:20.000000000 +0100
++++ openssh-6.8p1/sftp-server.8	2015-03-18 13:18:05.898306477 +0100
+@@ -38,6 +38,7 @@
  .Op Fl P Ar blacklisted_requests
  .Op Fl p Ar whitelisted_requests
  .Op Fl u Ar umask
@@ -8,7 +9,7 @@
  .Ek
  .Nm
  .Fl Q Ar protocol_feature
-@@ -77,6 +78,10 @@ Sets an explicit
+@@ -138,6 +139,10 @@ Sets an explicit
  .Xr umask 2
  to be applied to newly-created files and directories, instead of the
  user's default mask.
@@ -19,9 +20,10 @@
  .El
  .Pp
  On some systems,
---- openssh-5.3p1/sftp-server.c	2015-02-10 10:08:09.611849984 +0100
-+++ openssh-5.3p1/sftp-server.c.perms	2015-02-10 10:39:00.855453028 +0100
-@@ -70,6 +70,10 @@ Buffer oqueue;
+diff -up openssh-6.8p1/sftp-server.c.sftp-force-mode openssh-6.8p1/sftp-server.c
+--- openssh-6.8p1/sftp-server.c.sftp-force-mode	2015-03-18 13:18:05.883306513 +0100
++++ openssh-6.8p1/sftp-server.c	2015-03-18 13:18:36.697232193 +0100
+@@ -70,6 +70,10 @@ struct sshbuf *oqueue;
  /* Version of client */
  static u_int version;
  
@@ -32,10 +34,10 @@
  /* SSH2_FXP_INIT received */
  static int init_done;
  
-@@ -551,6 +555,10 @@ process_open(void)
- 	a = get_attrib();
+@@ -693,6 +697,10 @@ process_open(u_int32_t id)
+ 	debug3("request %u: open flags %d", id, pflags);
  	flags = flags_from_portable(pflags);
- 	mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a->perm : 0666;
+ 	mode = (a.flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a.perm : 0666;
 +	if (permforce == 1) {   /* Force perm if -m is set */
 +		mode = permforcemode;
 +		(void)umask(0); /* so umask does not interfere		 */
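Review bot: `(void)umask(0)` inside the forced-mode branch of process_open() changes a process-wide attribute and nothing in the hunk restores it, so once one forced open has happened every later request in the same sftp-server process (mkdir, for instance) runs with umask 0 regardless of the `-u` setting, unless it is reset somewhere outside this hunk. Keeping the effect local is a two-line change: `mode_t saved = umask(0);` before the open and `(void)umask(saved);` after it, or alternatively leave the umask alone and apply the forced mode with fchmod() on the opened descriptor. process_open continues outside the hunk.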
@@ -43,7 +45,7 @@
  	logit("open \"%s\" flags %s mode 0%o",
  	    name, string_from_portable(pflags), mode);
  	if (readonly &&
-@@ -1322,7 +1330,7 @@ sftp_server_usage(void)
+@@ -1495,7 +1503,7 @@ sftp_server_usage(void)
  	fprintf(stderr,
  	    "usage: %s [-ehR] [-d start_directory] [-f log_facility] "
  	    "[-l log_level]\n\t[-P blacklisted_requests] "
@@ -52,7 +54,7 @@
  	    "       %s -Q protocol_feature\n",
  	    __progname, __progname);
  	exit(1);
-@@ -1343,7 +1351,7 @@ sftp_server_main(int argc, char **argv,
+@@ -1520,7 +1528,7 @@ sftp_server_main(int argc, char **argv,
  	pw = pwcopy(user_pw);
  
  	while (!skipargs && (ch = getopt(argc, argv,
@@ -61,7 +63,7 @@
  		switch (ch) {
  		case 'Q':
  			if (strcasecmp(optarg, "requests") != 0) {
-@@ -1373,6 +1381,15 @@ sftp_server_main(int argc, char **argv,
+@@ -1580,6 +1588,15 @@ sftp_server_main(int argc, char **argv,
  				fatal("Invalid umask \"%s\"", optarg);
  			(void)umask((mode_t)mask);
  			break;
diff --git a/openssh-6.7p1-sshdT-output.patch b/openssh-6.7p1-sshdT-output.patch
index 11e9c69..aa09346 100644
--- a/openssh-6.7p1-sshdT-output.patch
+++ b/openssh-6.7p1-sshdT-output.patch
@@ -1,14 +1,7 @@
---- a/servconf.c	2015-01-30 12:24:12.388337643 +0100
-+++ b/servconf.c	2015-01-30 12:26:36.229229751 +0100
-@@ -55,6 +55,7 @@
- #include "hostfile.h"
- #include "auth.h"
- #include "digest.h"
-+#include "myproposal.h"
- 
- static void add_listen_addr(ServerOptions *, char *, int);
- static void add_one_listen_addr(ServerOptions *, char *, int);
-@@ -1974,6 +1974,8 @@ dump_cfg_strarray_oneline(ServerOpCodes code, u_int count, char **vals)
+diff -up openssh-6.8p1/servconf.c.sshdt openssh-6.8p1/servconf.c
+--- openssh-6.8p1/servconf.c.sshdt	2015-03-18 13:07:24.457858235 +0100
++++ openssh-6.8p1/servconf.c	2015-03-18 13:09:27.253557396 +0100
+@@ -2118,6 +2118,8 @@ dump_cfg_strarray_oneline(ServerOpCodes
  {
  	u_int i;
  
@@ -17,7 +10,7 @@
  	printf("%s", lookup_opcode_name(code));
  	for (i = 0; i < count; i++)
  		printf(" %s",  vals[i]);
-@@ -2093,7 +2094,7 @@
+@@ -2156,7 +2158,7 @@ dump_config(ServerOptions *o)
  
  	/* integer arguments */
  #ifdef USE_PAM
@@ -26,7 +19,7 @@
  #endif
  	dump_cfg_int(sServerKeyBits, o->server_key_bits);
  	dump_cfg_int(sLoginGraceTime, o->login_grace_time);
-@@ -2103,6 +2104,7 @@
+@@ -2166,6 +2168,7 @@ dump_config(ServerOptions *o)
  	dump_cfg_int(sMaxSessions, o->max_sessions);
  	dump_cfg_int(sClientAliveInterval, o->client_alive_interval);
  	dump_cfg_int(sClientAliveCountMax, o->client_alive_count_max);
@@ -34,7 +27,7 @@
  
  	/* formatted integer arguments */
  	dump_cfg_fmtint(sPermitRootLogin, o->permit_root_login);
-@@ -2150,6 +2152,7 @@
+@@ -2213,6 +2216,7 @@ dump_config(ServerOptions *o)
  	dump_cfg_fmtint(sShowPatchLevel, o->show_patchlevel);
  	dump_cfg_fmtint(sUseDNS, o->use_dns);
  	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
@@ -42,19 +35,7 @@
  	dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
  	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
  	dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash);
-@@ -2159,9 +2162,8 @@
- 	/* string arguments */
- 	dump_cfg_string(sPidFile, o->pid_file);
- 	dump_cfg_string(sXAuthLocation, o->xauth_location);
--	dump_cfg_string(sCiphers, o->ciphers ? o->ciphers :
--	    cipher_alg_list(',', 0));
--	dump_cfg_string(sMacs, o->macs ? o->macs : mac_alg_list(','));
-+	dump_cfg_string(sCiphers, o->ciphers ? o->ciphers : KEX_SERVER_ENCRYPT);
-+	dump_cfg_string(sMacs, o->macs ? o->macs : KEX_SERVER_MAC);
- 	dump_cfg_string(sBanner, o->banner);
- 	dump_cfg_string(sForceCommand, o->adm_forced_command);
- 	dump_cfg_string(sChrootDirectory, o->chroot_directory);
-@@ -2169,12 +2171,13 @@
+@@ -2231,7 +2235,8 @@ dump_config(ServerOptions *o)
  	dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
  	dump_cfg_string(sAuthorizedPrincipalsFile,
  	    o->authorized_principals_file);
@@ -64,14 +45,7 @@
  	dump_cfg_string(sAuthorizedKeysCommand, o->authorized_keys_command);
  	dump_cfg_string(sAuthorizedKeysCommandUser, o->authorized_keys_command_user);
  	dump_cfg_string(sHostKeyAgent, o->host_key_agent);
--	dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms :
--	    kex_alg_list(','));
-+	dump_cfg_string(sKexAlgorithms, o->kex_algorithms ? o->kex_algorithms :
-+  	    KEX_SERVER_KEX);
- 
- 	/* string arguments requiring a lookup */
- 	dump_cfg_string(sLogLevel, log_level_name(o->log_level));
-@@ -2096,7 +2101,7 @@ dump_config(ServerOptions *o)
+@@ -2251,7 +2256,7 @@ dump_config(ServerOptions *o)
  	    o->authorized_keys_files);
  	dump_cfg_strarray(sHostKeyFile, o->num_host_key_files,
  	     o->host_key_files);
diff --git a/openssh.spec b/openssh.spec
index c707144..25622f4 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -65,10 +65,10 @@
 %endif
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
-%define openssh_ver 6.7p1
-%define openssh_rel 11
+%define openssh_ver 6.8p1
+%define openssh_rel 1
 %define pam_ssh_agent_ver 0.9.3
-%define pam_ssh_agent_rel 4
+%define pam_ssh_agent_rel 5
 
 Summary: An open source implementation of SSH protocol versions 1 and 2
 Name: openssh
@@ -96,8 +96,6 @@ Patch0: openssh-5.9p1-wIm.patch
 
 #?
 Patch100: openssh-6.7p1-coverity.patch
-#https://bugzilla.mindrot.org/show_bug.cgi?id=1872
-Patch101: openssh-6.7p1-fingerprint.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1894
 #https://bugzilla.redhat.com/show_bug.cgi?id=735889
 Patch102: openssh-5.8p1-getaddrinfo.patch
@@ -140,8 +138,6 @@ Patch604: openssh-6.6p1-keyperm.patch
 Patch606: openssh-5.9p1-ipv6man.patch
 #?
 Patch607: openssh-5.8p2-sigpipe.patch
-#?
-Patch608: openssh-6.1p1-askpass-ld.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1789
 Patch609: openssh-5.5p1-x11.patch
 
@@ -193,9 +189,6 @@ Patch911: openssh-6.6p1-set_remote_ipaddr.patch
 # https://bugzilla.mindrot.org/show_bug.cgi?id=2058
 # slightly changed patch from comment 10
 Patch912: openssh-6.6.1p1-utf8-banner.patch
-# don't consider a partial success as a failure
-# https://bugzilla.mindrot.org/show_bug.cgi?id=2270
-Patch913: openssh-6.6.1p1-partial-success.patch
 # fix parsing of empty options in sshd_conf
 # https://bugzilla.mindrot.org/show_bug.cgi?id=2281
 Patch914: openssh-6.6.1p1-servconf-parser.patch
@@ -377,7 +370,6 @@ The module is most useful for su and sudo service stacks.
 %patch0 -p1 -b .wIm
 %endif
 
-%patch101 -p1 -b .fingerprint
 # investigate %patch102 -p1 -b .getaddrinfo
 %patch103 -p1 -b .packet
 
@@ -408,7 +400,6 @@ popd
 %patch604 -p1 -b .keyperm
 %patch606 -p1 -b .ipv6man
 %patch607 -p1 -b .sigpipe
-%patch608 -p1 -b .askpass-ld
 %patch609 -p1 -b .x11
 %patch702 -p1 -b .progress
 %patch703 -p1 -b .grab-info
@@ -431,7 +422,6 @@ popd
 %patch906 -p1 -b .fromto-remote
 %patch911 -p1 -b .set_remote_ipaddr
 %patch912 -p1 -b .utf8-banner
-%patch913 -p1 -b .partial-success
 %patch914 -p1 -b .servconf
 %patch916 -p1 -b .contexts
 %patch917 -p1 -b .cisco-dh
@@ -764,6 +754,9 @@ getent passwd sshd >/dev/null || \
 %endif
 
 %changelog
+* Fri Mar 20 2015 Jakub Jelen <jjelen at redhat.com> 6.8p1-1 + 0.9.3.5
+- new upstream release openssh-6.8p1
+
 * Thu Mar 12 2015 Jakub Jelen <jjelen at redhat.com> 6.7p1-11 + 0.9.3-4
 - Ability to specify LDAP filter in ldap.conf for ssh-ldap-helper
 - Fix auditing when using combination of ForceCommand and PTY
diff --git a/sources b/sources
index 1215c48..7de5d73 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 9872ca1983e566ff5a89c240529e223d  pam_ssh_agent_auth-0.9.3.tar.bz2
-3246aa79317b1d23cae783a3bf8275d6  openssh-6.7p1.tar.gz
+08f72de6751acfbd0892b5f003922701  openssh-6.8p1.tar.gz
-- 
cgit v0.10.2


	http://pkgs.fedoraproject.org/cgit/openssh.git/commit/?h=f22&id=132f8f868622703219c8924ce8383b5927e9457b

