From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter =?utf-8?q?M=C3=BCller?= To: development@lists.ipfire.org Subject: Re: [PATCH] openssh: Update to 7.8p1 Date: Tue, 11 Sep 2018 21:51:43 +0200 Message-ID: In-Reply-To: <67b39e28248fa66048d03fb1d6e93662acf754db.camel@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============7511809725331075185==" List-Id: --===============7511809725331075185== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hello Michael, sorry, I did not get the tagging procedure yet. > Hi, >=20 > no, you don't need to re-submit the patch. Just add the line as. "add the line as." - Is something missing here? Is adding the line to the commit message on the mailing list enough? Best regards, Peter M=C3=BCller >=20 > -Michael >=20 > On Mon, 2018-09-10 at 19:38 +0200, Peter M=C3=BCller wrote: >> From: Matthias Fischer >> >> For details see: >> http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ChangeLog >> >> I didn't find an official lfs-patch for openssl-1.1-compatibility, >> so I used the patch from here: >> > https://git.archlinux.org/svntogit/packages.git/plain/trunk/openssl-1.1.0.p= atch?h=3Dpackages/openssh >> >> Building ran without any errors. >> >> I tested with both machines (test on Core 120 - and productive - on Core 1= 22) >> and found no errors so far: >> >> ... >> [root(a)ipfiretest ~]# ssh -V >> OpenSSH_7.8p1, OpenSSL 1.1.0h 27 Mar 2018 >> ... >> >> ... >> root(a)ipfire: / # ssh -V >> OpenSSH_7.8p1, OpenSSL 1.1.0h 27 Mar 2018 >> ... >> >> All ssh-connections ran fine but I'm not REALLY sure if this is sufficient= for >> anyone else. >> >> Could someone please check and confirm!? >> >> Best, >> Matthias 
>> >> Signed-off-by: Matthias Fischer >> Tested-by: Peter M=C3=BCller >> --- >> lfs/openssh | 6 +- >> ...1.patch =3D> openssh-7.8p1-openssl-1.1.0-1.patch} | 210 ++++++++++----= ---- >> --- >> 2 files changed, 103 insertions(+), 113 deletions(-) >> rename src/patches/{openssh-7.7p1-openssl-1.1.0-1.patch =3D> openssh-7.8p= 1- >> openssl-1.1.0-1.patch} (90%) >> >> diff --git a/lfs/openssh b/lfs/openssh >> index 0e6acc227..3aece17b7 100644 >> --- a/lfs/openssh >> +++ b/lfs/openssh >> @@ -24,7 +24,7 @@ >> =20 >> include Config >> =20 >> -VER =3D 7.7p1 >> +VER =3D 7.8p1 >> =20 >> THISAPP =3D openssh-$(VER) >> DL_FILE =3D $(THISAPP).tar.gz >> @@ -40,7 +40,7 @@ objects =3D $(DL_FILE) >> =20 >> $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) >> =20 >> -$(DL_FILE)_MD5 =3D 68ba883aff6958297432e5877e9a0fe2 >> +$(DL_FILE)_MD5 =3D ce1d090fa6239fd38eb989d5e983b074 >> =20 >> install : $(TARGET) >> =20 >> @@ -70,7 +70,7 @@ $(subst %,%_MD5,$(objects)) : >> $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >> @$(PREBUILD) >> @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) >> - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssh-7.7p1- >> openssl-1.1.0-1.patch >> + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssh-7.8p1- >> openssl-1.1.0-1.patch >> cd $(DIR_APP) && sed -i "s/lkrb5 -ldes/lkrb5/" configure >> cd $(DIR_APP) && ./configure \ >> --prefix=3D/usr \ >> diff --git a/src/patches/openssh-7.7p1-openssl-1.1.0-1.patch >> b/src/patches/openssh-7.8p1-openssl-1.1.0-1.patch >> similarity index 90% >> rename from src/patches/openssh-7.7p1-openssl-1.1.0-1.patch >> rename to src/patches/openssh-7.8p1-openssl-1.1.0-1.patch >> index cfc9bba91..7f8c7cd4f 100644 >> --- a/src/patches/openssh-7.7p1-openssl-1.1.0-1.patch >> +++ b/src/patches/openssh-7.8p1-openssl-1.1.0-1.patch 
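Review bot: The only integrity pin for the new tarball in the `@@ -40,7 +40,7 @@` hunk of lfs/openssh is the MD5 digest `ce1d090fa6239fd38eb989d5e983b074`, and MD5 does not resist deliberately constructed collisions. The recipe as shown offers only the `_MD5` variable, so the digest should at least be computed from a tarball whose release signature or SHA-256 was checked against what upstream publishes, and the commit message should record that, for example with a line such as `Tarball verified against the upstream release signature before computing the MD5`. The third hunk applies `openssh-7.8p1-openssl-1.1.0-1.patch` with `patch -Np1` before configure runs, so that file belongs to the same trust decision.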
>> @@ -1,13 +1,6 @@ >> -Submitted by: Bruce Dubbs (bdubbs(a)linuxfromscratch.org) >> -Date: 2018-04-07 >> -Initial Package Version: 7.7p1 >> -Upstream Status: Pending (Still) >> -Origin: =20 >> https://git.archlinux.org/svntogit/packages.git/plain/trunk/openssl-1.1.0.= patch?h=3Dpackages/openssh >> -Description: Fixes build issues with OpenSSL-1.1.0. >> - >> diff -aurp old/auth-pam.c new/auth-pam.c >> ---- old/auth-pam.c 2018-03-22 16:21:14.000000000 -1000 >> -+++ new/auth-pam.c 2018-03-23 10:05:03.886621278 -1000 >> +--- old/auth-pam.c 2018-08-22 22:41:42.000000000 -0700 >> ++++ new/auth-pam.c 2018-08-23 21:31:53.324592767 -0700 >> @@ -128,6 +128,10 @@ extern u_int utmp_len; >> typedef pthread_t sp_pthread_t; >> #else >> @@ -20,9 +13,9 @@ diff -aurp old/auth-pam.c new/auth-pam.c >> =20 >> struct pam_ctxt { >> diff -aurp old/cipher.c new/cipher.c >> ---- old/cipher.c 2018-03-22 16:21:14.000000000 -1000 >> -+++ new/cipher.c 2018-03-23 10:05:03.886621278 -1000 >> -@@ -297,7 +297,10 @@ cipher_init(struct sshcipher_ctx **ccp, >> +--- old/cipher.c 2018-08-22 22:41:42.000000000 -0700 >> ++++ new/cipher.c 2018-08-23 21:31:53.327926112 -0700 >> +@@ -299,7 +299,10 @@ cipher_init(struct sshcipher_ctx **ccp, >> goto out; >> } >> } >> @@ -34,7 +27,7 @@ diff -aurp old/cipher.c new/cipher.c >> ret =3D SSH_ERR_LIBCRYPTO_ERROR; >> goto out; >> } >> -@@ -483,7 +486,7 @@ cipher_get_keyiv(struct sshcipher_ctx *c >> +@@ -485,7 +488,7 @@ cipher_get_keyiv(struct sshcipher_ctx *c >> len, iv)) >> return SSH_ERR_LIBCRYPTO_ERROR; >> } else >> @@ -43,7 +36,7 @@ diff -aurp old/cipher.c new/cipher.c >> #endif >> return 0; >> } >> -@@ -517,14 +520,19 @@ cipher_set_keyiv(struct sshcipher_ctx *c >> +@@ -519,14 +522,19 @@ cipher_set_keyiv(struct sshcipher_ctx *c >> EVP_CTRL_GCM_SET_IV_FIXED, -1, (void *)iv)) >> return SSH_ERR_LIBCRYPTO_ERROR; >> } else 
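Review bot: The `@@ -1,13 +1,6 @@` hunk deletes the provenance header (`Submitted by`, `Date`, `Initial Package Version`, `Upstream Status`, `Origin`, `Description`) and the 7.8p1 file gets nothing in its place. This patch rewrites key-exchange, key-parsing and signature code (dh.c, kexdh*.c, sshkey.c, ssh-rsa.c), and the commit message says it was taken from the Arch Linux packaging tree because no official LFS patch was found, so the file itself should say where it came from. Keep the header with updated fields, for example `Origin: https://git.archlinux.org/svntogit/packages.git/plain/trunk/openssl-1.1.0.patch?h=packages/openssh`, `Initial Package Version: 7.8p1` and a `Date:` line giving the retrieval date. The same URL is named as the origin of the 7.7p1 version, so it evidently serves different content over time; recording the revision it was fetched at would make the file reproducible for a later audit.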
>> @@ -67,8 +60,8 @@ diff -aurp old/cipher.c new/cipher.c >> =20 >> int >> diff -aurp old/cipher.h new/cipher.h >> ---- old/cipher.h 2018-03-22 16:21:14.000000000 -1000 >> -+++ new/cipher.h 2018-03-23 10:05:03.886621278 -1000 >> +--- old/cipher.h 2018-08-22 22:41:42.000000000 -0700 >> ++++ new/cipher.h 2018-08-23 21:31:53.327926112 -0700 >> @@ -46,7 +46,18 @@ >> #define CIPHER_DECRYPT 0 >> =20 >> @@ -89,9 +82,9 @@ diff -aurp old/cipher.h new/cipher.h >> const struct sshcipher *cipher_by_name(const char *); >> const char *cipher_warning_message(const struct sshcipher_ctx *); >> diff -aurp old/configure new/configure >> ---- old/configure 2018-03-23 03:30:17.000000000 -1000 >> -+++ new/configure 2018-03-23 10:05:03.888621444 -1000 >> -@@ -13076,7 +13076,6 @@ if ac_fn_c_try_run "$LINENO"; then : >> +--- old/configure 2018-08-23 00:09:30.000000000 -0700 >> ++++ new/configure 2018-08-23 21:31:53.331259457 -0700 >> +@@ -13032,7 +13032,6 @@ if ac_fn_c_try_run "$LINENO"; then : >> 100*) ;; # 1.0.x >> 200*) ;; # LibreSSL >> *) >> @@ -100,9 +93,9 @@ diff -aurp old/configure new/configure >> esac >> { $as_echo "$as_me:${as_lineno-$LINENO}: result: >> $ssl_library_ver" >&5 >> diff -aurp old/dh.c new/dh.c >> ---- old/dh.c 2018-03-22 16:21:14.000000000 -1000 >> -+++ new/dh.c 2018-03-23 10:05:03.888621444 -1000 >> -@@ -211,14 +211,15 @@ choose_dh(int min, int wantbits, int max >> +--- old/dh.c 2018-08-22 22:41:42.000000000 -0700 >> ++++ new/dh.c 2018-08-23 21:39:18.863765579 -0700 >> +@@ -216,14 +216,15 @@ choose_dh(int min, int wantbits, int max >> /* diffie-hellman-groupN-sha1 */ >> =20 >> int >> @@ -120,7 +113,7 @@ diff -aurp old/dh.c new/dh.c >> logit("invalid public DH value: negative"); >> return 0; >> } >> -@@ -231,7 +232,8 @@ dh_pub_is_valid(DH *dh, BIGNUM *dh_pub) >> +@@ -236,7 +237,8 @@ dh_pub_is_valid(DH *dh, BIGNUM *dh_pub) >> error("%s: BN_new failed", __func__); >> return 0; >> } 
>> @@ -130,7 +123,7 @@ diff -aurp old/dh.c new/dh.c >> BN_cmp(dh_pub, tmp) !=3D -1) { /* pub_exp > p-2 */ >> BN_clear_free(tmp); >> logit("invalid public DH value: >=3D p-1"); >> -@@ -242,14 +244,14 @@ dh_pub_is_valid(DH *dh, BIGNUM *dh_pub) >> +@@ -247,14 +249,14 @@ dh_pub_is_valid(DH *dh, BIGNUM *dh_pub) >> for (i =3D 0; i <=3D n; i++) >> if (BN_is_bit_set(dh_pub, i)) >> bits_set++; >> @@ -147,7 +140,7 @@ diff -aurp old/dh.c new/dh.c >> return 0; >> } >> return 1; >> -@@ -259,9 +261,13 @@ int >> +@@ -264,9 +266,13 @@ int >> dh_gen_key(DH *dh, int need) >> { >> int pbits; >> @@ -163,7 +156,7 @@ diff -aurp old/dh.c new/dh.c >> need > INT_MAX / 2 || 2 * need > pbits) >> return SSH_ERR_INVALID_ARGUMENT; >> if (need < 256) >> -@@ -270,10 +276,13 @@ dh_gen_key(DH *dh, int need) >> +@@ -275,11 +281,13 @@ dh_gen_key(DH *dh, int need) >> * Pollard Rho, Big step/Little Step attacks are O(sqrt(n)), >> * so double requested need here. >> */ >> @@ -171,6 +164,7 @@ diff -aurp old/dh.c new/dh.c >> - if (DH_generate_key(dh) =3D=3D 0 || >> - !dh_pub_is_valid(dh, dh->pub_key)) { >> - BN_clear_free(dh->priv_key); >> +- dh->priv_key =3D NULL; >> + DH_set_length(dh, MIN(need * 2, pbits - 1)); >> + if (DH_generate_key(dh) =3D=3D 0) { >> + return SSH_ERR_LIBCRYPTO_ERROR; >> @@ -181,7 +175,7 @@ diff -aurp old/dh.c new/dh.c >> return SSH_ERR_LIBCRYPTO_ERROR; >> } >> return 0; >> -@@ -282,16 +291,27 @@ dh_gen_key(DH *dh, int need) >> +@@ -288,16 +296,27 @@ dh_gen_key(DH *dh, int need) >> DH * >> dh_new_group_asc(const char *gen, const char *modulus) >> { >> @@ -216,7 +210,7 @@ diff -aurp old/dh.c new/dh.c >> } >> =20 >> /* >> -@@ -306,8 +326,8 @@ dh_new_group(BIGNUM *gen, BIGNUM *modulu >> +@@ -312,8 +331,8 @@ dh_new_group(BIGNUM *gen, BIGNUM *modulu >> =20 >> if ((dh =3D DH_new()) =3D=3D NULL) >> return NULL; 
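Review bot: In the refreshed dh_gen_key() hunk (`@@ -171,6 +164,7 @@`) upstream's new `dh->priv_key = NULL;` is removed together with the `BN_clear_free(dh->priv_key);` failure path, and the lines that replace it after `DH_generate_key()` are not part of the context shown here. Please confirm that the replacement still wipes the private exponent when the public-value check rejects the generated key, so a rejected key does not stay in the `DH` object the caller keeps. Separately, the added `DH_set_length(dh, MIN(need * 2, pbits - 1));` ignores the return value, which could be checked in one line as `if (!DH_set_length(dh, MIN(need * 2, pbits - 1))) return SSH_ERR_LIBCRYPTO_ERROR;`. The body of dh_gen_key() begins and ends outside this hunk.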
>> @@ -228,8 +222,8 @@ diff -aurp old/dh.c new/dh.c >> return (dh); >> } >> diff -aurp old/dh.h new/dh.h >> ---- old/dh.h 2018-03-22 16:21:14.000000000 -1000 >> -+++ new/dh.h 2018-03-23 10:05:03.889621527 -1000 >> +--- old/dh.h 2018-08-22 22:41:42.000000000 -0700 >> ++++ new/dh.h 2018-08-23 21:31:53.331259457 -0700 >> @@ -42,7 +42,7 @@ DH *dh_new_group18(void); >> DH *dh_new_group_fallback(int); >> =20 >> @@ -240,8 +234,8 @@ diff -aurp old/dh.h new/dh.h >> u_int dh_estimate(int); >> =20 >> diff -aurp old/digest-openssl.c new/digest-openssl.c >> ---- old/digest-openssl.c 2018-03-22 16:21:14.000000000 -1000 >> -+++ new/digest-openssl.c 2018-03-23 10:05:03.889621527 -1000 >> +--- old/digest-openssl.c 2018-08-22 22:41:42.000000000 -0700 >> ++++ new/digest-openssl.c 2018-08-23 21:31:53.331259457 -0700 >> @@ -43,7 +43,7 @@ >> =20 >> struct ssh_digest_ctx { >> @@ -314,8 +308,8 @@ diff -aurp old/digest-openssl.c new/digest-openssl.c >> free(ctx); >> } >> diff -aurp old/kexdhc.c new/kexdhc.c >> ---- old/kexdhc.c 2018-03-22 16:21:14.000000000 -1000 >> -+++ new/kexdhc.c 2018-03-23 10:05:03.889621527 -1000 >> +--- old/kexdhc.c 2018-08-22 22:41:42.000000000 -0700 >> ++++ new/kexdhc.c 2018-08-23 21:31:53.331259457 -0700 >> @@ -81,11 +81,16 @@ kexdh_client(struct ssh *ssh) >> goto out; >> } >> @@ -363,8 +357,8 @@ diff -aurp old/kexdhc.c new/kexdhc.c >> if ((r =3D sshkey_verify(server_host_key, signature, slen, hash, hashle= n, >> kex->hostkey_alg, ssh->compat)) !=3D 0) >> diff -aurp old/kexdhs.c new/kexdhs.c >> ---- old/kexdhs.c 2018-03-22 16:21:14.000000000 -1000 >> -+++ new/kexdhs.c 2018-03-23 10:58:58.126733207 -1000 >> +--- old/kexdhs.c 2018-08-22 22:41:42.000000000 -0700 >> ++++ new/kexdhs.c 2018-08-23 21:36:50.600564263 -0700 >> @@ -163,6 +163,9 @@ input_kex_dh_init(int type, u_int32_t se >> goto out; >> /* calc H */ 
>> @@ -390,10 +384,10 @@ diff -aurp old/kexdhs.c new/kexdhs.c >> =20 >> /* save session id :=3D H */ >> if (kex->session_id =3D=3D NULL) { >> -@@ -195,12 +200,17 @@ input_kex_dh_init(int type, u_int32_t se >> +@@ -195,12 +200,16 @@ input_kex_dh_init(int type, u_int32_t se >> /* destroy_sensitive_data(); */ >> =20 >> - /* send server hostkey, DH pubkey 'f' and singed H */ >> + /* send server hostkey, DH pubkey 'f' and signed H */ >> + { >> + const BIGNUM *pub_key; >> + DH_get0_key(kex->dh, &pub_key, NULL); >> @@ -402,17 +396,15 @@ diff -aurp old/kexdhs.c new/kexdhs.c >> - (r =3D sshpkt_put_bignum2(ssh, kex->dh->pub_key)) !=3D 0 || /* f >> */ >> + (r =3D sshpkt_put_bignum2(ssh, pub_key)) !=3D 0 || /* f */ >> (r =3D sshpkt_put_string(ssh, signature, slen)) !=3D 0 || >> -- (r =3D sshpkt_send(ssh)) !=3D 0) >> -+ (r =3D sshpkt_send(ssh)) !=3D 0) { >> + (r =3D sshpkt_send(ssh)) !=3D 0) >> goto out; >> -+ } >> + } >> =20 >> if ((r =3D kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) =3D= =3D 0) >> r =3D kex_send_newkeys(ssh); >> diff -aurp old/kexgexc.c new/kexgexc.c >> ---- old/kexgexc.c 2018-03-22 16:21:14.000000000 -1000 >> -+++ new/kexgexc.c 2018-03-23 11:00:00.132866201 -1000 >> +--- old/kexgexc.c 2018-08-22 22:41:42.000000000 -0700 >> ++++ new/kexgexc.c 2018-08-23 21:31:53.331259457 -0700 >> @@ -118,11 +118,17 @@ input_kex_dh_gex_group(int type, u_int32 >> p =3D g =3D NULL; /* belong to kex->dh now */ >> =20 >> @@ -465,8 +457,8 @@ diff -aurp old/kexgexc.c new/kexgexc.c >> if ((r =3D sshkey_verify(server_host_key, signature, slen, hash, >> hashlen, kex->hostkey_alg, ssh->compat)) !=3D 0) >> diff -aurp old/kexgexs.c new/kexgexs.c >> ---- old/kexgexs.c 2018-03-22 16:21:14.000000000 -1000 >> -+++ new/kexgexs.c 2018-03-23 11:03:06.045049721 -1000 >> +--- old/kexgexs.c 2018-08-22 22:41:42.000000000 -0700 >> ++++ new/kexgexs.c 2018-08-23 21:36:11.493972372 -0700 >> @@ -101,11 +101,16 @@ input_kex_dh_gex_request(int type, u_int >> goto out; >> } 
>> @@ -516,10 +508,10 @@ diff -aurp old/kexgexs.c new/kexgexs.c >> =20 >> /* save session id :=3D H */ >> if (kex->session_id =3D=3D NULL) { >> -@@ -225,12 +236,17 @@ input_kex_dh_gex_init(int type, u_int32_ >> +@@ -225,12 +236,16 @@ input_kex_dh_gex_init(int type, u_int32_ >> /* destroy_sensitive_data(); */ >> =20 >> - /* send server hostkey, DH pubkey 'f' and singed H */ >> + /* send server hostkey, DH pubkey 'f' and signed H */ >> + { >> + const BIGNUM *pub_key; >> + DH_get0_key(kex->dh, &pub_key, NULL); 
>> @@ -528,35 +520,33 @@ diff -aurp old/kexgexs.c new/kexgexs.c >> - (r =3D sshpkt_put_bignum2(ssh, kex->dh->pub_key)) !=3D 0 || /* = f */ >> + (r =3D sshpkt_put_bignum2(ssh, pub_key)) !=3D 0 || /* f */ >> (r =3D sshpkt_put_string(ssh, signature, slen)) !=3D 0 || >> -- (r =3D sshpkt_send(ssh)) !=3D 0) >> -+ (r =3D sshpkt_send(ssh)) !=3D 0) { >> + (r =3D sshpkt_send(ssh)) !=3D 0) >> goto out; >> -+ } >> + } >> =20 >> if ((r =3D kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) =3D= =3D 0) >> r =3D kex_send_newkeys(ssh); >> diff -aurp old/monitor.c new/monitor.c >> ---- old/monitor.c 2018-03-22 16:21:14.000000000 -1000 >> -+++ new/monitor.c 2018-03-23 10:05:03.890621610 -1000 >> -@@ -595,10 +595,12 @@ mm_answer_moduli(int sock, Buffer *m) >> - buffer_put_char(m, 0); >> +--- old/monitor.c 2018-08-22 22:41:42.000000000 -0700 >> ++++ new/monitor.c 2018-08-23 21:34:14.594343260 -0700 >> +@@ -589,10 +589,12 @@ mm_answer_moduli(int sock, struct sshbuf >> + fatal("%s: buffer error: %s", __func__, ssh_err(r)); >> return (0); >> } else { >> + const BIGNUM *p, *g; >> + DH_get0_pqg(dh, &p, NULL, &g); >> /* Send first bignum */ >> - buffer_put_char(m, 1); >> -- buffer_put_bignum2(m, dh->p); >> -- buffer_put_bignum2(m, dh->g); >> -+ buffer_put_bignum2(m, p); >> -+ buffer_put_bignum2(m, g); >> + if ((r =3D sshbuf_put_u8(m, 1)) !=3D 0 || >> +- (r =3D sshbuf_put_bignum2(m, dh->p)) !=3D 0 || >> +- (r =3D sshbuf_put_bignum2(m, dh->g)) !=3D 0) >> ++ (r =3D sshbuf_put_bignum2(m, p)) !=3D 0 || >> ++ (r =3D sshbuf_put_bignum2(m, g)) !=3D 0) >> + fatal("%s: buffer error: %s", __func__, ssh_err(r)); >> =20 >> DH_free(dh); >> - } >> diff -aurp old/openbsd-compat/openssl-compat.c new/openbsd-compat/openssl- >> compat.c >> ---- old/openbsd-compat/openssl-compat.c 2018-03-22 16:21:14.000000000 >> -1000 >> -+++ new/openbsd-compat/openssl-compat.c 2018-03-23 10:05:03.890621610 >> -1000 >> +--- old/openbsd-compat/openssl-compat.c 2018-08-22 22:41:42.000000000 >> -0700 >> ++++ 
new/openbsd-compat/openssl-compat.c 2018-08-23 21:31:53.334592801 >> -0700 >> @@ -75,7 +75,6 @@ ssh_OpenSSL_add_all_algorithms(void) >> /* Enable use of crypto hardware */ >> ENGINE_load_builtin_engines(); >> @@ -566,8 +556,8 @@ diff -aurp old/openbsd-compat/openssl-compat.c >> new/openbsd-compat/openssl-compat >> #endif >> =20 >> diff -aurp old/regress/unittests/sshkey/test_file.c >> new/regress/unittests/sshkey/test_file.c >> ---- old/regress/unittests/sshkey/test_file.c 2018-03-22 16:21:14.000000000 >> -1000 >> -+++ new/regress/unittests/sshkey/test_file.c 2018-03-23 10:05:03.890621610 >> -1000 >> +--- old/regress/unittests/sshkey/test_file.c 2018-08-22 22:41:42.000000000 >> -0700 >> ++++ new/regress/unittests/sshkey/test_file.c 2018-08-23 21:31:53.334592801 >> -0700 >> @@ -60,9 +60,14 @@ sshkey_file_tests(void) >> a =3D load_bignum("rsa_1.param.n"); >> b =3D load_bignum("rsa_1.param.p"); >> @@ -605,8 +595,8 @@ diff -aurp old/regress/unittests/sshkey/test_file.c >> new/regress/unittests/sshkey >> BN_free(b); >> BN_free(c); >> diff -aurp old/regress/unittests/sshkey/test_sshkey.c >> new/regress/unittests/sshkey/test_sshkey.c >> ---- old/regress/unittests/sshkey/test_sshkey.c 2018-03-22 >> 16:21:14.000000000 -1000 >> -+++ new/regress/unittests/sshkey/test_sshkey.c 2018-03-23 >> 10:05:03.890621610 -1000 >> +--- old/regress/unittests/sshkey/test_sshkey.c 2018-08-22 >> 22:41:42.000000000 -0700 >> ++++ new/regress/unittests/sshkey/test_sshkey.c 2018-08-23 >> 21:31:53.334592801 -0700 >> @@ -197,9 +197,14 @@ sshkey_tests(void) >> k1 =3D sshkey_new(KEY_RSA); >> ASSERT_PTR_NE(k1, NULL); 
>> @@ -745,8 +735,8 @@ diff -aurp old/regress/unittests/sshkey/test_sshkey.c >> new/regress/unittests/sshk >> =20 >> TEST_START("equal KEY_DSA/demoted KEY_DSA"); >> diff -aurp old/ssh-dss.c new/ssh-dss.c >> ---- old/ssh-dss.c 2018-03-22 16:21:14.000000000 -1000 >> -+++ new/ssh-dss.c 2018-03-23 10:05:03.891621693 -1000 >> +--- old/ssh-dss.c 2018-08-22 22:41:42.000000000 -0700 >> ++++ new/ssh-dss.c 2018-08-23 21:31:53.334592801 -0700 >> @@ -53,6 +53,7 @@ ssh_dss_sign(const struct sshkey *key, u >> DSA_SIG *sig =3D NULL; >> u_char digest[SSH_DIGEST_MAX_LENGTH], sigblob[SIGBLOB_LEN]; >> @@ -808,8 +798,8 @@ diff -aurp old/ssh-dss.c new/ssh-dss.c >> /* sha1 the data */ >> if ((ret =3D ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen, >> diff -aurp old/ssh-ecdsa.c new/ssh-ecdsa.c >> ---- old/ssh-ecdsa.c 2018-03-22 16:21:14.000000000 -1000 >> -+++ new/ssh-ecdsa.c 2018-03-23 10:05:03.891621693 -1000 >> +--- old/ssh-ecdsa.c 2018-08-22 22:41:42.000000000 -0700 >> ++++ new/ssh-ecdsa.c 2018-08-23 21:31:53.334592801 -0700 >> @@ -80,9 +80,14 @@ ssh_ecdsa_sign(const struct sshkey *key, >> ret =3D SSH_ERR_ALLOC_FAIL; >> goto out; >> @@ -858,9 +848,9 @@ diff -aurp old/ssh-ecdsa.c new/ssh-ecdsa.c >> ret =3D SSH_ERR_UNEXPECTED_TRAILING_DATA; >> goto out; >> diff -aurp old/ssh-keygen.c new/ssh-keygen.c >> ---- old/ssh-keygen.c 2018-03-22 16:21:14.000000000 -1000 >> -+++ new/ssh-keygen.c 2018-03-23 10:05:03.891621693 -1000 >> -@@ -493,11 +493,33 @@ do_convert_private_ssh2_from_blob(u_char >> +--- old/ssh-keygen.c 2018-08-22 22:41:42.000000000 -0700 >> ++++ new/ssh-keygen.c 2018-08-23 21:31:53.334592801 -0700 >> +@@ -494,11 +494,33 @@ do_convert_private_ssh2_from_blob(u_char >> =20 >> switch (key->type) { >> case KEY_DSA: 
>> @@ -899,7 +889,7 @@ diff -aurp old/ssh-keygen.c new/ssh-keygen.c >> break; >> case KEY_RSA: >> if ((r =3D sshbuf_get_u8(b, &e1)) !=3D 0 || >> -@@ -514,16 +536,52 @@ do_convert_private_ssh2_from_blob(u_char >> +@@ -515,16 +537,52 @@ do_convert_private_ssh2_from_blob(u_char >> e +=3D e3; >> debug("e %lx", e); >> } >> @@ -958,7 +948,7 @@ diff -aurp old/ssh-keygen.c new/ssh-keygen.c >> if ((r =3D ssh_rsa_generate_additional_parameters(key)) !=3D 0) >> fatal("generate RSA parameters failed: %s", ssh_err(r)); >> break; >> -@@ -633,7 +691,7 @@ do_convert_from_pkcs8(struct sshkey **k, >> +@@ -634,7 +692,7 @@ do_convert_from_pkcs8(struct sshkey **k, >> identity_file); >> } >> fclose(fp); >> @@ -967,7 +957,7 @@ diff -aurp old/ssh-keygen.c new/ssh-keygen.c >> case EVP_PKEY_RSA: >> if ((*k =3D sshkey_new(KEY_UNSPEC)) =3D=3D NULL) >> fatal("sshkey_new failed"); >> -@@ -657,7 +715,7 @@ do_convert_from_pkcs8(struct sshkey **k, >> +@@ -658,7 +716,7 @@ do_convert_from_pkcs8(struct sshkey **k, >> #endif >> default: >> fatal("%s: unsupported pubkey type %d", __func__, >> @@ -977,9 +967,9 @@ diff -aurp old/ssh-keygen.c new/ssh-keygen.c >> EVP_PKEY_free(pubkey); >> return; >> diff -aurp old/ssh-pkcs11-client.c new/ssh-pkcs11-client.c >> ---- old/ssh-pkcs11-client.c 2018-03-22 16:21:14.000000000 -1000 >> -+++ new/ssh-pkcs11-client.c 2018-03-23 10:05:03.892621777 -1000 >> -@@ -144,12 +144,13 @@ pkcs11_rsa_private_encrypt(int flen, con >> +--- old/ssh-pkcs11-client.c 2018-08-22 22:41:42.000000000 -0700 >> ++++ new/ssh-pkcs11-client.c 2018-08-23 21:31:53.334592801 -0700 >> +@@ -156,12 +156,13 @@ pkcs11_rsa_private_encrypt(int flen, con >> static int >> wrap_key(RSA *rsa) >> { 
>> @@ -999,8 +989,8 @@ diff -aurp old/ssh-pkcs11-client.c new/ssh-pkcs11-clie= nt.c >> } >> =20 >> diff -aurp old/ssh-pkcs11.c new/ssh-pkcs11.c >> ---- old/ssh-pkcs11.c 2018-03-22 16:21:14.000000000 -1000 >> -+++ new/ssh-pkcs11.c 2018-03-23 10:05:03.892621777 -1000 >> +--- old/ssh-pkcs11.c 2018-08-22 22:41:42.000000000 -0700 >> ++++ new/ssh-pkcs11.c 2018-08-23 21:31:53.334592801 -0700 >> @@ -67,7 +67,7 @@ struct pkcs11_key { >> struct pkcs11_provider *provider; >> CK_ULONG slotidx; >> @@ -1090,9 +1080,9 @@ diff -aurp old/ssh-pkcs11.c new/ssh-pkcs11.c >> free(attribs[i].pValue); >> } >> diff -aurp old/ssh-rsa.c new/ssh-rsa.c >> ---- old/ssh-rsa.c 2018-03-22 16:21:14.000000000 -1000 >> -+++ new/ssh-rsa.c 2018-03-23 10:05:03.892621777 -1000 >> -@@ -84,7 +84,6 @@ ssh_rsa_generate_additional_parameters(s >> +--- old/ssh-rsa.c 2018-08-22 22:41:42.000000000 -0700 >> ++++ new/ssh-rsa.c 2018-08-23 21:31:53.334592801 -0700 >> +@@ -108,7 +108,6 @@ ssh_rsa_generate_additional_parameters(s >> { >> BIGNUM *aux =3D NULL; >> BN_CTX *ctx =3D NULL; >> @@ -1100,7 +1090,7 @@ diff -aurp old/ssh-rsa.c new/ssh-rsa.c >> int r; >> =20 >> if (key =3D=3D NULL || key->rsa =3D=3D NULL || >> -@@ -99,16 +98,27 @@ ssh_rsa_generate_additional_parameters(s >> +@@ -123,16 +122,27 @@ ssh_rsa_generate_additional_parameters(s >> } >> BN_set_flags(aux, BN_FLG_CONSTTIME); >> =20 >> @@ -1135,7 +1125,7 @@ diff -aurp old/ssh-rsa.c new/ssh-rsa.c >> r =3D 0; >> out: >> BN_clear_free(aux); >> -@@ -139,7 +149,7 @@ ssh_rsa_sign(const struct sshkey *key, u >> +@@ -163,7 +173,7 @@ ssh_rsa_sign(const struct sshkey *key, u >> if (key =3D=3D NULL || key->rsa =3D=3D NULL || hash_alg =3D=3D -1 || >> sshkey_type_plain(key->type) !=3D KEY_RSA) >> return SSH_ERR_INVALID_ARGUMENT; 
>> @@ -1144,7 +1134,7 @@ diff -aurp old/ssh-rsa.c new/ssh-rsa.c >> return SSH_ERR_KEY_LENGTH; >> slen =3D RSA_size(key->rsa); >> if (slen <=3D 0 || slen > SSHBUF_MAX_BIGNUM) >> -@@ -211,7 +221,7 @@ ssh_rsa_verify(const struct sshkey *key, >> +@@ -235,7 +245,7 @@ ssh_rsa_verify(const struct sshkey *key, >> sshkey_type_plain(key->type) !=3D KEY_RSA || >> sig =3D=3D NULL || siglen =3D=3D 0) >> return SSH_ERR_INVALID_ARGUMENT; >> @@ -1154,9 +1144,9 @@ diff -aurp old/ssh-rsa.c new/ssh-rsa.c >> =20 >> if ((b =3D sshbuf_from(sig, siglen)) =3D=3D NULL) >> diff -aurp old/sshkey.c new/sshkey.c >> ---- old/sshkey.c 2018-03-22 16:21:14.000000000 -1000 >> -+++ new/sshkey.c 2018-03-23 10:05:03.893621860 -1000 >> -@@ -274,10 +274,18 @@ sshkey_size(const struct sshkey *k) >> +--- old/sshkey.c 2018-08-22 22:41:42.000000000 -0700 >> ++++ new/sshkey.c 2018-08-23 21:31:53.334592801 -0700 >> +@@ -292,10 +292,18 @@ sshkey_size(const struct sshkey *k) >> #ifdef WITH_OPENSSL >> case KEY_RSA: >> case KEY_RSA_CERT: >> @@ -1176,7 +1166,7 @@ diff -aurp old/sshkey.c new/sshkey.c >> case KEY_ECDSA: >> case KEY_ECDSA_CERT: >> return sshkey_curve_nid_to_bits(k->ecdsa_nid); >> -@@ -482,26 +490,53 @@ sshkey_new(int type) >> +@@ -500,26 +508,53 @@ sshkey_new(int type) >> #ifdef WITH_OPENSSL >> case KEY_RSA: >> case KEY_RSA_CERT: >> @@ -1236,7 +1226,7 @@ diff -aurp old/sshkey.c new/sshkey.c >> k->dsa =3D dsa; >> break; >> case KEY_ECDSA: >> -@@ -539,6 +574,51 @@ sshkey_add_private(struct sshkey *k) >> +@@ -557,6 +592,51 @@ sshkey_add_private(struct sshkey *k) >> #ifdef WITH_OPENSSL >> case KEY_RSA: >> case KEY_RSA_CERT: 
>> @@ -1288,7 +1278,7 @@ diff -aurp old/sshkey.c new/sshkey.c >> #define bn_maybe_alloc_failed(p) (p =3D=3D NULL && (p =3D BN_new()) =3D= =3D NULL) >> if (bn_maybe_alloc_failed(k->rsa->d) || >> bn_maybe_alloc_failed(k->rsa->iqmp) || >> -@@ -547,13 +627,28 @@ sshkey_add_private(struct sshkey *k) >> +@@ -565,13 +645,28 @@ sshkey_add_private(struct sshkey *k) >> bn_maybe_alloc_failed(k->rsa->dmq1) || >> bn_maybe_alloc_failed(k->rsa->dmp1)) >> return SSH_ERR_ALLOC_FAIL; >> @@ -1317,7 +1307,7 @@ diff -aurp old/sshkey.c new/sshkey.c >> case KEY_ECDSA: >> case KEY_ECDSA_CERT: >> /* Cannot do anything until we know the group */ >> -@@ -677,16 +772,34 @@ sshkey_equal_public(const struct sshkey >> +@@ -695,16 +790,34 @@ sshkey_equal_public(const struct sshkey >> #ifdef WITH_OPENSSL >> case KEY_RSA_CERT: >> case KEY_RSA: >> @@ -1360,7 +1350,7 @@ diff -aurp old/sshkey.c new/sshkey.c >> # ifdef OPENSSL_HAS_ECC >> case KEY_ECDSA_CERT: >> case KEY_ECDSA: >> -@@ -775,12 +888,17 @@ to_blob_buf(const struct sshkey *key, st >> +@@ -793,12 +906,17 @@ to_blob_buf(const struct sshkey *key, st >> case KEY_DSA: >> if (key->dsa =3D=3D NULL) >> return SSH_ERR_INVALID_ARGUMENT; >> @@ -1382,7 +1372,7 @@ diff -aurp old/sshkey.c new/sshkey.c >> break; >> # ifdef OPENSSL_HAS_ECC >> case KEY_ECDSA: >> -@@ -796,10 +914,14 @@ to_blob_buf(const struct sshkey *key, st >> +@@ -814,10 +932,14 @@ to_blob_buf(const struct sshkey *key, st >> case KEY_RSA: >> if (key->rsa =3D=3D NULL) >> return SSH_ERR_INVALID_ARGUMENT; >> @@ -1399,7 +1389,7 @@ diff -aurp old/sshkey.c new/sshkey.c >> break; >> #endif /* WITH_OPENSSL */ >> case KEY_ED25519: >> -@@ -1740,13 +1862,32 @@ sshkey_from_private(const struct sshkey >> +@@ -1758,13 +1880,32 @@ sshkey_from_private(const struct sshkey >> case KEY_DSA_CERT: >> if ((n =3D sshkey_new(k->type)) =3D=3D NULL) >> return SSH_ERR_ALLOC_FAIL; 
>> @@ -1436,7 +1426,7 @@ diff -aurp old/sshkey.c new/sshkey.c >> break; >> # ifdef OPENSSL_HAS_ECC >> case KEY_ECDSA: >> -@@ -1770,11 +1911,23 @@ sshkey_from_private(const struct sshkey >> +@@ -1788,11 +1929,23 @@ sshkey_from_private(const struct sshkey >> case KEY_RSA_CERT: >> if ((n =3D sshkey_new(k->type)) =3D=3D NULL) >> return SSH_ERR_ALLOC_FAIL; >> @@ -1462,7 +1452,7 @@ diff -aurp old/sshkey.c new/sshkey.c >> break; >> #endif /* WITH_OPENSSL */ >> case KEY_ED25519: >> -@@ -1995,12 +2148,27 @@ sshkey_from_blob_internal(struct sshbuf >> +@@ -2013,12 +2166,27 @@ sshkey_from_blob_internal(struct sshbuf >> ret =3D SSH_ERR_ALLOC_FAIL; >> goto out; >> } >> @@ -1493,7 +1483,7 @@ diff -aurp old/sshkey.c new/sshkey.c >> ret =3D SSH_ERR_KEY_LENGTH; >> goto out; >> } >> -@@ -2020,13 +2188,36 @@ sshkey_from_blob_internal(struct sshbuf >> +@@ -2038,13 +2206,36 @@ sshkey_from_blob_internal(struct sshbuf >> ret =3D SSH_ERR_ALLOC_FAIL; >> goto out; >> } >> @@ -1534,7 +1524,7 @@ diff -aurp old/sshkey.c new/sshkey.c >> #ifdef DEBUG_PK >> DSA_print_fp(stderr, key->dsa, 8); >> #endif >> -@@ -2327,26 +2518,63 @@ sshkey_demote(const struct sshkey *k, st >> +@@ -2389,26 +2580,63 @@ sshkey_demote(const struct sshkey *k, st >> goto fail; >> /* FALLTHROUGH */ >> case KEY_RSA: >> @@ -1606,7 +1596,7 @@ diff -aurp old/sshkey.c new/sshkey.c >> break; >> case KEY_ECDSA_CERT: >> if ((ret =3D sshkey_cert_copy(k, pk)) !=3D 0) >> -@@ -2496,11 +2724,17 @@ sshkey_certify_custom(struct sshkey *k, >> +@@ -2558,11 +2786,17 @@ sshkey_certify_custom(struct sshkey *k, >> switch (k->type) { >> #ifdef WITH_OPENSSL >> case KEY_DSA_CERT: >> @@ -1628,7 +1618,7 @@ diff -aurp old/sshkey.c new/sshkey.c >> break; >> # ifdef OPENSSL_HAS_ECC >> case KEY_ECDSA_CERT: >> -@@ -2513,9 +2747,15 @@ sshkey_certify_custom(struct sshkey *k, >> +@@ -2575,9 +2809,15 @@ sshkey_certify_custom(struct sshkey *k, >> break; >> # endif /* OPENSSL_HAS_ECC */ >> case KEY_RSA_CERT: 
>> @@ -1646,7 +1636,7 @@ diff -aurp old/sshkey.c new/sshkey.c >> break; >> #endif /* WITH_OPENSSL */ >> case KEY_ED25519_CERT: >> -@@ -2702,42 +2942,67 @@ sshkey_private_serialize_opt(const struc >> +@@ -2764,42 +3004,67 @@ sshkey_private_serialize_opt(const struc >> switch (key->type) { >> #ifdef WITH_OPENSSL >> case KEY_RSA: >> @@ -1730,7 +1720,7 @@ diff -aurp old/sshkey.c new/sshkey.c >> break; >> # ifdef OPENSSL_HAS_ECC >> case KEY_ECDSA: >> -@@ -2851,18 +3116,61 @@ sshkey_private_deserialize(struct sshbuf >> +@@ -2913,18 +3178,61 @@ sshkey_private_deserialize(struct sshbuf >> r =3D SSH_ERR_ALLOC_FAIL; >> goto out; >> } >> @@ -1799,7 +1789,7 @@ diff -aurp old/sshkey.c new/sshkey.c >> break; >> # ifdef OPENSSL_HAS_ECC >> case KEY_ECDSA: >> -@@ -2921,29 +3229,104 @@ sshkey_private_deserialize(struct sshbuf >> +@@ -2983,29 +3291,104 @@ sshkey_private_deserialize(struct sshbuf >> r =3D SSH_ERR_ALLOC_FAIL; >> goto out; >> } >> @@ -1918,7 +1908,7 @@ diff -aurp old/sshkey.c new/sshkey.c >> r =3D SSH_ERR_KEY_LENGTH; >> goto out; >> } >> -@@ -3707,7 +4090,6 @@ translate_libcrypto_error(unsigned long >> +@@ -3769,7 +4152,6 @@ translate_libcrypto_error(unsigned long >> switch (pem_reason) { >> case EVP_R_BAD_DECRYPT: >> return SSH_ERR_KEY_WRONG_PASSPHRASE; >> @@ -1926,7 +1916,7 @@ diff -aurp old/sshkey.c new/sshkey.c >> case EVP_R_DECODE_ERROR: >> #ifdef EVP_R_PRIVATE_KEY_DECODE_ERROR >> case EVP_R_PRIVATE_KEY_DECODE_ERROR: >> -@@ -3772,7 +4154,7 @@ sshkey_parse_private_pem_fileblob(struct >> +@@ -3834,7 +4216,7 @@ sshkey_parse_private_pem_fileblob(struct >> r =3D convert_libcrypto_error(); >> goto out; >> } 
>> @@ -1935,7 +1925,7 @@ diff -aurp old/sshkey.c new/sshkey.c >> (type =3D=3D KEY_UNSPEC || type =3D=3D KEY_RSA)) { >> if ((prv =3D sshkey_new(KEY_UNSPEC)) =3D=3D NULL) { >> r =3D SSH_ERR_ALLOC_FAIL; >> -@@ -3787,11 +4169,11 @@ sshkey_parse_private_pem_fileblob(struct >> +@@ -3849,11 +4231,11 @@ sshkey_parse_private_pem_fileblob(struct >> r =3D SSH_ERR_LIBCRYPTO_ERROR; >> goto out; >> } >> @@ -1949,7 +1939,7 @@ diff -aurp old/sshkey.c new/sshkey.c >> (type =3D=3D KEY_UNSPEC || type =3D=3D KEY_DSA)) { >> if ((prv =3D sshkey_new(KEY_UNSPEC)) =3D=3D NULL) { >> r =3D SSH_ERR_ALLOC_FAIL; >> -@@ -3803,7 +4185,7 @@ sshkey_parse_private_pem_fileblob(struct >> +@@ -3865,7 +4247,7 @@ sshkey_parse_private_pem_fileblob(struct >> DSA_print_fp(stderr, prv->dsa, 8); >> #endif >> #ifdef OPENSSL_HAS_ECC >=20 --=20 Microsoft DNS service terminates abnormally when it recieves a response to a DNS query that was never made. Fix Information: Run your DNS service on a different platform. -- bugtraq --===============7511809725331075185==--