Development September 2018

development@lists.ipfire.org

10 participants
42 discussions

[PATCH] fix broken links in static templates
by Peter Müller 14 Sep '18

14 Sep '18

Some of these links pointed to non-existent or renamed Wiki pages, or were still using HTTP instead of HTTPS. These have been fixed now. Signed-off-by: Peter Müller <peter.mueller(a)link38.eu> --- templates/static/chat.html | 2 +- templates/static/features.html | 22 +++++++++++----------- templates/static/get-involved.html | 20 ++++++++++---------- templates/static/get-started.html | 10 +++++----- templates/static/get-support.html | 10 +++++----- templates/static/hardware.html | 28 ++++++++++++++-------------- templates/static/legal.html | 6 +++--- 7 files changed, 49 insertions(+), 49 deletions(-) diff --git a/templates/static/chat.html b/templates/static/chat.html index ce34c88..63ef411 100644 --- a/templates/static/chat.html +++ b/templates/static/chat.html @@ -49,7 +49,7 @@ <p class="ac"> <small> - <a href="http://planet.ipfire.org/post/opening-the-ipfire-jabber-server"> + <a href="https://planet.ipfire.org/post/opening-the-ipfire-jabber-server"> {{ _("Need a Jabber account?") }} </a> </small> diff --git a/templates/static/features.html b/templates/static/features.html index 4f5192b..fe8223d 100644 --- a/templates/static/features.html +++ b/templates/static/features.html @@ -210,7 +210,7 @@ <ul> <li> - <a href="http://wiki.ipfire.org/en/configuration/firewall/start"> + <a href="https://wiki.ipfire.org/en/configuration/firewall/start"> Firewall-Dokumentation </a> </li> @@ -309,7 +309,7 @@ <ul> <li> - <a href="http://wiki.ipfire.org/en/configuration/firewall/start"> + <a href="https://wiki.ipfire.org/en/configuration/firewall/start"> Firewall Documentation </a> </li> @@ -451,7 +451,7 @@ </p> <p> Qualitätssicherung ist jetzt eine Aufgabe für alle. - Mehr dazu auf <a href="http://pakfire.ipfire.org/">pakfire.ipfire.org</a>. + Mehr dazu auf <a href="https://pakfire.ipfire.org/">https://pakfire.ipfire.org</a>. </p> <hr class="separator"> @@ -472,7 +472,7 @@ </p> <p> Quality assurance became more social right now. Check it - out at <a href="http://pakfire.ipfire.org/">pakfire.ipfire.org</a>. + out at <a href="https://pakfire.ipfire.org/">https://pakfire.ipfire.org</a>. </p> {% end %} </div> @@ -904,7 +904,7 @@ <ul> <li> - <a href="http://wiki.ipfire.org/en/cryptography/hardware"> + <a href="https://wiki.ipfire.org/hardware/cryptography"> Liste der unterstützten Kryptoprozessoren </a> </li> @@ -921,7 +921,7 @@ <ul> <li> - <a href="http://wiki.ipfire.org/en/cryptography/hardware"> + <a href="https://wiki.ipfire.org/hardware/cryptography"> List of supported crypto hardware </a> </li> @@ -941,8 +941,8 @@ <ul> <li> - <a href="http://wiki.ipfire.org/en/cryptography/entropy"> - Liste der unterstützen Zufallszahlgeneratoren + <a href="https://wiki.ipfire.org/hardware/rng"> + Liste der unterstützen Zufallszahlengeneratoren </a> </li> </ul> @@ -956,7 +956,7 @@ <ul> <li> - <a href="http://wiki.ipfire.org/en/cryptography/entropy"> + <a href="https://wiki.ipfire.org/hardware/rng"> List of supported hardware random number generators </a> </li> @@ -1031,7 +1031,7 @@ <p> Der hohe Grad der Kompatibilität zu anderen Herstellern wird durch die Verwendung der freien Implementierung - <a href="http://www.strongswan.org" target="_blank">strongSwan</a> + <a href="https://www.strongswan.org" target="_blank">strongSwan</a> möglich, welches von Andreas Steffen, einem Professor für Sicherheit in der Kommunikationstechnik und Leiter des Instituts für Internetechnologien und -applikationen an der Universität der @@ -1057,7 +1057,7 @@ <p> This high-level of compatibility is achieved by using the free implementation called - <a href="http://www.strongswan.org" target="_blank">strongSwan</a>. It is maintained by Andreas Steffen, who is a professor for security in communications and head of the Institute for Internet Technologies + <a href="https://www.strongswan.org" target="_blank">strongSwan</a>. It is maintained by Andreas Steffen, who is a professor for security in communications and head of the Institute for Internet Technologies and Applications at the University of Applied Sciences Rapperswil, in Switzerland. StrongSwan also works with all current, major operating systems, such as Microsoft Windows 7, Microsoft Windows Vista and Mac OS X. diff --git a/templates/static/get-involved.html b/templates/static/get-involved.html index 6df252a..27e271e 100644 --- a/templates/static/get-involved.html +++ b/templates/static/get-involved.html @@ -46,18 +46,18 @@ Werde Teil der wundervollen Gemeinschaft von IPFire und helfe Einsteigern bei ihren ersten Schritten. Bring dich ein in Diskussionen rund um das Projekt in <a href="/chat">Chaträumen</a>, dem - <a href="http://forum.ipfire.org">IPFire Forum</a>, und - den <a href="http://lists.ipfire.org/">Mailinglisten</a>. + <a href="https://forum.ipfire.org">IPFire Forum</a>, und + den <a href="https://lists.ipfire.org/">Mailinglisten</a>. {% else %} Join the wonderful IPFire Community and help other people getting started with IPFire. Take part in discussions all around the project on our <a href="/chat">channels</a>, - the <a href="http://forum.ipfire.org">IPFire Forums</a>, and - <a href="http://lists.ipfire.org/">Mailing Lists</a>. + the <a href="https://forum.ipfire.org">IPFire Forums</a>, and + <a href="https://lists.ipfire.org/">Mailing Lists</a>. {% end %} </p> <div class="btn-toolbar"> - <a class="btn btn-default" href="http://forum.ipfire.org/search.php?search_id=unanswered"> + <a class="btn btn-default" href="https://forum.ipfire.org/search.php?search_id=unanswered"> {{ _("Unanswered questions on the forums") }} </a> <a class="btn btn-default" href="/chat">{{ _("On our Jabber/IRC channels") }}</a> @@ -69,18 +69,18 @@ <p> {% if lang == "de" %} - Das <a href="//wiki.ipfire.org">IPFire Wiki</a> beinhaltet Dokumentation + Das <a href="https://wiki.ipfire.org">IPFire Wiki</a> beinhaltet Dokumentation über IPFire und beantwortet alle Fragen. Hast du etwas gefunden, das undokumentiert, nicht vollständig ist oder Überarbeitung bedarf? Logge dich ein und editiere gleich los. {% else %} - The <a href="//wiki.ipfire.org">IPFire Wiki</a> is the source of documentation + The <a href="https://wiki.ipfire.org">IPFire Wiki</a> is the source of documentation and answers all questions about IPFire. Found something that needs to be documented, improved, or rewritten? Sign up and get it done! {% end %} </p> - <a class="btn btn-default" href="http://wiki.ipfire.org">{{ _("IPFire Wiki") }}</a> + <a class="btn btn-default" href="https://wiki.ipfire.org">{{ _("IPFire Wiki") }}</a> <hr> @@ -125,7 +125,7 @@ </p> <div class="btn-toolbar"> - <a class="btn btn-default" href="http://wiki.ipfire.org/devel/submit-patches">{{ _("Submit Patches") }}</a> + <a class="btn btn-default" href="https://wiki.ipfire.org/devel/submit-patches">{{ _("Submit Patches") }}</a> <a class="btn btn-default" href="https://pakfire.ipfire.org/">{{ _("Pakfire Build Service") }}</a> </div> @@ -166,7 +166,7 @@ {% end %} </p> - <a class="btn btn-default" href="http://wiki.ipfire.org/en/project/mirror">{{ _("Host a mirror") }}</a> + <a class="btn btn-default" href="https://wiki.ipfire.org/project/mirror">{{ _("Host a mirror") }}</a> <hr> diff --git a/templates/static/get-started.html b/templates/static/get-started.html index 79b0754..d663943 100644 --- a/templates/static/get-started.html +++ b/templates/static/get-started.html @@ -29,11 +29,11 @@ {% if lang == "de" %} IPFire ist eine freie Softwaredistribution, die auf jeder Hardware installiert werden kann, die die - <a href="http://wiki.ipfire.org/en/hardware/start">Voraussetzungen erfüllt</a> + <a href="https://wiki.ipfire.org/hardware/start">Voraussetzungen erfüllt</a> und für den geplanten Einsatzzweck angemessen ausgelegt ist. {% else %} IPFire is a free software distribution that you can install on - any hardware that <a href="http://wiki.ipfire.org/en/hardware/start">fits the requirements</a> + any hardware that <a href="https://wiki.ipfire.org/hardware/start">fits the requirements</a> and is best for your environment's needs. {% end %} </p> @@ -71,7 +71,7 @@ <a class="btn btn-primary btn-lg" href="/download"> {{ _("Download") }} </a> - <a class="btn btn-info btn-lg" href="http://wiki.ipfire.org/en/installation/start"> + <a class="btn btn-info btn-lg" href="https://wiki.ipfire.org/installation/start"> {{ _("Installation Handbook") }} </a> </div> @@ -85,11 +85,11 @@ <p class="lead"> {% if lang == "de" %} IPFire ist zügig installiert und einsatzbereit. Das IPFire Wiki enthält - <a href="http://wiki.ipfire.org/en/configuration/start">ausführliche Dokumentation</a> + <a href="https://wiki.ipfire.org/configuration/start">ausführliche Dokumentation</a> zu allen Funktionen und eine Antwort auf fast jede Frage. {% else %} IPFire is easy to set up and use. The IPFire wiki - <a href="http://wiki.ipfire.org/en/configuration/start">has great documentation</a> + <a href="https://wiki.ipfire.org/configuration/start">has great documentation</a> about all features and answers almost any question. {% end %} </p> diff --git a/templates/static/get-support.html b/templates/static/get-support.html index 7f84b43..ace865c 100644 --- a/templates/static/get-support.html +++ b/templates/static/get-support.html @@ -10,14 +10,14 @@ <section id="community" class="container content-section text-center"> <div class="row"> <div class="col-md-4 text-center"> - <a href="//wiki.ipfire.org" class="link-normal"> + <a href="https://wiki.ipfire.org" class="link-normal"> <span class="fa fa-4x fa-pencil-square-o"></span> <h3>{{ _("Documentation") }}</h3> </a> </div> <div class="col-md-4 text-center"> - <a href="//forum.ipfire.org" class="link-normal"> + <a href="https://forum.ipfire.org" class="link-normal"> <span class="fa fa-4x fa-users"></span> <h3>{{ _("Forums") }}</h3> </a> @@ -39,11 +39,11 @@ <p class="lead"> {% if lang == "de" %} - <a href="http://www.lightningwirelabs.com">Lightning Wire Labs</a> + <a href="https://www.lightningwirelabs.com">Lightning Wire Labs</a> bietet professionelle Supportdienstleistungen rund um IPFire für Unternehmen an. {% else %} - <a href="http://www.lightningwirelabs.com">Lightning Wire Labs</a> + <a href="https://www.lightningwirelabs.com">Lightning Wire Labs</a> provides professional support services for companies that use IPFire. {% end %} </p> @@ -63,7 +63,7 @@ </p> <p class="text-center"> - <a class="btn btn-lwl btn-lg" href="http://www.lightningwirelabs.com"> + <a class="btn btn-lwl btn-lg" href="https://www.lightningwirelabs.com"> {{ _("Go to Lightning Wire Labs") }} </a> </p> diff --git a/templates/static/hardware.html b/templates/static/hardware.html index d18946a..1765fea 100644 --- a/templates/static/hardware.html +++ b/templates/static/hardware.html @@ -26,7 +26,7 @@ <section id="ipfire-professional" class="container content-section"> <h3 class="text-center"> IPFire Premium/Professional Appliance {{ _("by") }} - <a href="http://www.lightningwirelabs.com">Lightning Wire Labs</a> + <a href="https://www.lightningwirelabs.com">Lightning Wire Labs</a> </h3> <p class="ac"> @@ -57,12 +57,12 @@ <p class="ac"> <strong> {% if lang == "de" %} - Die <a href="http://www.lightningwirelabs.com/products/ipfire/appliances">IPFire Premium Appliance und IPFire Professional Appliance</a> - von <a href="http://www.lightningwirelabs.com">Lightning Wire Labs</a> lassen sich perfekt in bestehende Firmeninfrastrukturen integrieren. + Die <a href="https://www.lightningwirelabs.com/products/ipfire/appliances">IPFire Premium Appliance und IPFire Professional Appliance</a> + von <a href="https://www.lightningwirelabs.com">Lightning Wire Labs</a> lassen sich perfekt in bestehende Firmeninfrastrukturen integrieren. Sind sind zuverlässig und stellen die benötigte Performance jederzeit zur Verfügung. {% else %} - The <a href="http://www.lightningwirelabs.com/products/ipfire/appliances">IPFire Premium Appliance and IPFire Professional Appliance</a> - by <a href="http://www.lightningwirelabs.com">Lightning Wire Labs</a> integrate well in every infrastructure of any company. + The <a href="https://www.lightningwirelabs.com/products/ipfire/appliances">IPFire Premium Appliance and IPFire Professional Appliance</a> + by <a href="https://www.lightningwirelabs.com">Lightning Wire Labs</a> integrate well in every infrastructure of any company. They are reliable and deliver the performance that is needed at all times. {% end %} </strong> @@ -191,12 +191,12 @@ <p class="ac"> <strong> {% if lang == "de" %} - Die <a href="http://www.lightningwirelabs.com/products/ipfire/appliances">IPFire Eco Appliance</a> - von <a href="http://www.lightningwirelabs.com">Lightning Wire Labs</a> stellt alle Funktionen von + Die <a href="https://www.lightningwirelabs.com/products/ipfire/appliances">IPFire Eco Appliance</a> + von <a href="https://www.lightningwirelabs.com">Lightning Wire Labs</a> stellt alle Funktionen von IPFire als kleines energiesparendes Komplettsystem bereit. {% else %} - The <a href="http://www.lightningwirelabs.com/products/ipfire/appliances">IPFire Eco Appliance</a> - by <a href="http://www.lightningwirelabs.com">Lightning Wire Labs</a> brings all the features<br> + The <a href="https://www.lightningwirelabs.com/products/ipfire/appliances">IPFire Eco Appliance</a> + by <a href="https://www.lightningwirelabs.com">Lightning Wire Labs</a> brings all the features<br> IPFire has to offer at a small form-factor and with great power-efficiency. {% end %} </strong> @@ -208,7 +208,7 @@ <div class="col-md-7"> <h3> IPFire Duo Box - {{ _("by") }} <a href="http://www.fountainnetworks.com">Fountain Networks</a> + {{ _("by") }} <a href="https://www.fountainnetworks.com">Fountain Networks</a> </h3> <table class="table table-condensed"> @@ -273,11 +273,11 @@ <strong> {% if lang == "de" %} Die <a href="https://www.fountainnetworks.com/ipfire-duo-box">IPFire Duo Box</a> - von <a href="http://www.fountainnetworks.com/">Fountain Networks</a> ist ein großartiges System für Starter, + von <a href="https://www.fountainnetworks.com/">Fountain Networks</a> ist ein großartiges System für Starter, die auf der Suche nach einem kleinen, aber leistungsstarken System sind. {% else %} The <a href="https://www.fountainnetworks.com/ipfire-duo-box">IPFire Duo Box</a> - by <a href="http://www.fountainnetworks.com/">Fountain Networks</a> + by <a href="https://www.fountainnetworks.com/">Fountain Networks</a> is a great system for starters who are searching for something small but still powerful. {% end %} </strong> @@ -297,12 +297,12 @@ {% if lang == "de" %} Zusätzliche Beispielsysteme, empfohlene Hardware, sowie detaillierte Informationen zu einzelnen Komponenten wie beispielsweise Netzwerkcontroller sind im - <a href="http://wiki.ipfire.org/en/hardware/start">Hardwarebereich im IPFire Wiki</a> + <a href="https://wiki.ipfire.org/hardware/start">Hardwarebereich im IPFire Wiki</a> zu finden. {% else %} You can find more example configurations, recommended hardware and information about individual components like the best network controllers and more in the - <a href="http://wiki.ipfire.org/en/hardware/start">hardware section on the IPFire wiki</a>. + <a href="https://wiki.ipfire.org/hardware/start">hardware section on the IPFire wiki</a>. {% end %} </p> </section> diff --git a/templates/static/legal.html b/templates/static/legal.html index f9767f1..a51d475 100644 --- a/templates/static/legal.html +++ b/templates/static/legal.html @@ -21,7 +21,7 @@ <ul class="list-inline"> <li> - <a href="http://talk.ipfire.org/phonebook/ms"> + <a href="https://talk.ipfire.org/phonebook/ms"> <span class="glyphicon glyphicon-earphone"></span> </a> </li> @@ -41,7 +41,7 @@ <ul class="list-inline"> <li> - <a href="http://talk.ipfire.org/phonebook/arne_f"> + <a href="https://talk.ipfire.org/phonebook/arne_f"> <span class="glyphicon glyphicon-earphone"></span> </a> </li> @@ -61,7 +61,7 @@ <ul class="list-inline"> <li> - <a href="http://talk.ipfire.org/phonebook/stevee"> + <a href="https://talk.ipfire.org/phonebook/stevee"> <span class="glyphicon glyphicon-earphone"></span> </a> </li> -- 2.16.4

1 0

[PATCH 1/2] update links to HTTPS in main website templates
by Peter Müller 14 Sep '18

14 Sep '18

Some of the embedded links were still pointing to HTTP destinations or non-existent (i.e. renamed) Wiki pages. These have been fixed now. Signed-off-by: Peter Müller <peter.mueller(a)link38.eu> --- templates/admin-planet.html | 2 +- templates/base.html | 24 ++++++++++++------------ templates/download-splash.html | 10 +++++----- templates/index.html | 14 +++++++------- 4 files changed, 25 insertions(+), 25 deletions(-) diff --git a/templates/admin-planet.html b/templates/admin-planet.html index c40118d..6c3ab5b 100644 --- a/templates/admin-planet.html +++ b/templates/admin-planet.html @@ -20,7 +20,7 @@ {{ entry.author.name }} </td> <td> - <a href="http://planet.ipfire.org/post/{{ entry.slug }}" target="_blank">{{ entry.title }}</a> + <a href="https://planet.ipfire.org/post/{{ entry.slug }}" target="_blank">{{ entry.title }}</a> {% if entry.is_draft() %} <span class="label label-warning">{{ _("Draft") }}</span> {% end %} diff --git a/templates/base.html b/templates/base.html index 83533f9..899c2de 100644 --- a/templates/base.html +++ b/templates/base.html @@ -70,7 +70,7 @@ <ul class="list-unstyled"> <li> - <a href="http://www.ipfire.org/about">{{ _("About IPFire") }}</a> + <a href="https://www.ipfire.org/about">{{ _("About IPFire") }}</a> </li> <li> <a href="https://downloads.ipfire.org">{{ _("Download") }}</a> @@ -79,7 +79,7 @@ <a href="https://planet.ipfire.org">{{ _("Planet") }}</a> </li> <li> - <a href="http://www.ipfire.org/legal">{{ _("Legal") }}</a> + <a href="https://www.ipfire.org/legal">{{ _("Legal") }}</a> </li> </ul> </div> @@ -89,10 +89,10 @@ <ul class="list-unstyled"> <li> - <a href="http://www.ipfire.org/get-support#professional">{{ _("Professional Support") }}</a> + <a href="https://www.ipfire.org/get-support#professional">{{ _("Professional Support") }}</a> </li> <li> - <a href="http://wiki.ipfire.org">{{ _("Documentation") }}</a> + <a href="https://wiki.ipfire.org">{{ _("Documentation") }}</a> </li> </ul> </div> @@ -102,16 +102,16 @@ <ul class="list-unstyled"> <li> - <a href="http://forum.ipfire.org">{{ _("Forum") }}</a> + <a href="https://forum.ipfire.org">{{ _("Forum") }}</a> </li> <li> - <a href="//www.ipfire.org/chat">{{ _("Chat") }}</a> + <a href="https://www.ipfire.org/chat">{{ _("Chat") }}</a> </li> <li> - <a href="http://lists.ipfire.org">{{ _("Mailing Lists") }}</a> + <a href="https://lists.ipfire.org">{{ _("Mailing Lists") }}</a> </li> <li> - <a href="http://talk.ipfire.org">{{ _("Talk") }}</a> + <a href="https://talk.ipfire.org">{{ _("Talk") }}</a> </li> </ul> </div> @@ -121,7 +121,7 @@ <ul class="list-unstyled"> <li> - <a href="http://wiki.ipfire.org/devel/start">{{ _("Become a developer") }}</a> + <a href="https://wiki.ipfire.org/devel/start">{{ _("Become a developer") }}</a> </li> <li> <a href="https://pakfire.ipfire.org">{{ _("Pakfire Build Service") }}</a> @@ -130,20 +130,20 @@ <a href="https://bugzilla.ipfire.org">{{ _("Bugtracker") }}</a> </li> <li> - <a href="http://patchwork.ipfire.org">{{ _("Patchwork") }}</a> + <a href="https://patchwork.ipfire.org">{{ _("Patchwork") }}</a> </li> </ul> </div> <div class="col-md-4 text-center"> - <a class="btn btn-primary" href="//www.ipfire.org/donate"> + <a class="btn btn-primary" href="https://www.ipfire.org/donate"> <span class="fa fa-heart"></span> {{ _("Donate") }} </a> <br><br> <div class="btn-toolbar links"> - <a class="btn btn-sm" href="http://www.ipfire.org/news.rss"> + <a class="btn btn-sm" href="https://www.ipfire.org/news.rss"> <span class="fa fa-2x fa-rss"></span> </a> <a class="btn btn-sm" href="https://twitter.com/ipfire"> diff --git a/templates/download-splash.html b/templates/download-splash.html index a4ca41b..2bddef9 100644 --- a/templates/download-splash.html +++ b/templates/download-splash.html @@ -10,8 +10,8 @@ <p class="lead"> {% if lang == "de" %} - Der Download beginnt in Kürze. - Falls nicht, auf den untenstehenden Link klicken. + Ihr Download beginnt in Kürze. + Falls nicht, bitte auf den untenstehenden Link klicken. {% else %} Your download should begin in a few seconds. If not, click the link below. @@ -24,21 +24,21 @@ <section class="container content-section text-center"> <div class="row"> <div class="col-lg-4 col-md-4"> - <a class="link-normal" href="http://wiki.ipfire.org/en/installation/start"> + <a class="link-normal" href="https://wiki.ipfire.org/installation/start"> <span class="fa fa-4x fa-terminal"></span> <h3>{{ _("How to install IPFire") }}</h3> </a> </div> <div class="col-lg-4 col-md-4"> - <a class="link-normal" href="//www.ipfire.org/donate"> + <a class="link-normal" href="https://www.ipfire.org/donate"> <span class="fa fa-4x fa-heart text-danger"></span> <h3>{{ _("Donate") }}</h3> </a> </div> <div class="col-lg-4 col-md-4"> - <a class="link-normal" href="http://www.ipfire.org/get-support"> + <a class="link-normal" href="https://www.ipfire.org/get-support"> <span class="fa fa-4x fa-question"></span> <h3>{{ _("Get Support") }}</h3> </a> diff --git a/templates/index.html b/templates/index.html index 99a0247..f9900f8 100644 --- a/templates/index.html +++ b/templates/index.html @@ -178,12 +178,12 @@ <p> {% if lang == "de" %} IPFire wird in Europa entwickelt, - <a href="http://fireinfo.ipfire.org/statistics/geo-locations">in vielen Ländern</a> + <a href="https://fireinfo.ipfire.org/statistics/geo-locations">in vielen Ländern</a> überall auf der Welt eingesetzt, und bietet Internetzugang für hundertausende Nutzer jeden Tag. {% else %} IPFire is developed in Europe and used all over the world - <a href="http://fireinfo.ipfire.org/statistics/geo-locations">in hundreds of countries</a> + <a href="https://fireinfo.ipfire.org/statistics/geo-locations">in hundreds of countries</a> by hundreds of thousands of users every day. {% end %} </p> @@ -232,7 +232,7 @@ <strong>{{ item.title }}</strong> </a> {% elif type == "planet" %} - <a href="http://planet.ipfire.org/post/{{ item.slug }}"> + <a href="https://planet.ipfire.org/post/{{ item.slug }}"> {{ item.title }} </a> {% end %} @@ -257,11 +257,11 @@ </span> {% end %} - <a href="http://wishlist.ipfire.org"> + <a href="https://wishlist.ipfire.org"> <strong>{{ _("IPFire Wishlist") }}</strong> </a> - <a href="http://wishlist.ipfire.org/wish/{{ hottest_wish.slug }}"> + <a href="https://wishlist.ipfire.org/wish/{{ hottest_wish.slug }}"> {{ hottest_wish.title }} </a> @@ -281,12 +281,12 @@ <p class="lead"> {% if lang == "de" %} - <a href="http://www.lightningwirelabs.com">Lightning Wire Labs</a> bietet + <a href="https://www.lightningwirelabs.com">Lightning Wire Labs</a> bietet Hardware-Appliances für mittlere bis große Unternehmen und SOHO an. Diese sorgen in jedem Netz für beste Zuverlässigkeit, Stabilität und Performance. {% else %} - <a href="http://www.lightningwirelabs.com">Lightning Wire Labs</a> offer + <a href="https://www.lightningwirelabs.com">Lightning Wire Labs</a> offer IPFire hardware appliances for enterprises, large businesses and SOHO. Deploying one of these on your network will provide you with the greatest reliability, stability and performance. -- 2.16.4

1 1

[PATCH] openssh: Update to 7.8p1
by Peter Müller 13 Sep '18

13 Sep '18

From: Matthias Fischer <matthias.fischer(a)ipfire.org> For details see: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ChangeLog I didn't find an official lfs-patch for openssl-1.1-compatibility, so I used the patch from here: https://git.archlinux.org/svntogit/packages.git/plain/trunk/openssl-1.1.0.p… Building ran without any errors. I tested with both machines (test on Core 120 - and productive - on Core 122) and found no errors so far: ... [root@ipfiretest ~]# ssh -V OpenSSH_7.8p1, OpenSSL 1.1.0h 27 Mar 2018 ... ... root@ipfire: / # ssh -V OpenSSH_7.8p1, OpenSSL 1.1.0h 27 Mar 2018 ... All ssh-connections ran fine but I'm not REALLY sure if this is sufficient for anyone else. Could someone please check and confirm!? Best, Matthias Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> Tested-by: Peter Müller <peter.mueller(a)link38.eu> --- lfs/openssh | 6 +- ...1.patch => openssh-7.8p1-openssl-1.1.0-1.patch} | 210 ++++++++++----------- 2 files changed, 103 insertions(+), 113 deletions(-) rename src/patches/{openssh-7.7p1-openssl-1.1.0-1.patch => openssh-7.8p1-openssl-1.1.0-1.patch} (90%) diff --git a/lfs/openssh b/lfs/openssh index 0e6acc227..3aece17b7 100644 --- a/lfs/openssh +++ b/lfs/openssh @@ -24,7 +24,7 @@ include Config -VER = 7.7p1 +VER = 7.8p1 THISAPP = openssh-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 68ba883aff6958297432e5877e9a0fe2 +$(DL_FILE)_MD5 = ce1d090fa6239fd38eb989d5e983b074 install : $(TARGET) @@ -70,7 +70,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssh-7.7p1-openssl-1.1.0-1.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssh-7.8p1-openssl-1.1.0-1.patch cd $(DIR_APP) && sed -i "s/lkrb5 -ldes/lkrb5/" configure cd $(DIR_APP) && ./configure \ --prefix=/usr \ diff --git a/src/patches/openssh-7.7p1-openssl-1.1.0-1.patch b/src/patches/openssh-7.8p1-openssl-1.1.0-1.patch similarity index 90% rename from src/patches/openssh-7.7p1-openssl-1.1.0-1.patch rename to src/patches/openssh-7.8p1-openssl-1.1.0-1.patch index cfc9bba91..7f8c7cd4f 100644 --- a/src/patches/openssh-7.7p1-openssl-1.1.0-1.patch +++ b/src/patches/openssh-7.8p1-openssl-1.1.0-1.patch @@ -1,13 +1,6 @@ -Submitted by: Bruce Dubbs (bdubbs(a)linuxfromscratch.org) -Date: 2018-04-07 -Initial Package Version: 7.7p1 -Upstream Status: Pending (Still) -Origin: https://git.archlinux.org/svntogit/packages.git/plain/trunk/openssl-1.1.0.p… -Description: Fixes build issues with OpenSSL-1.1.0. - diff -aurp old/auth-pam.c new/auth-pam.c ---- old/auth-pam.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/auth-pam.c 2018-03-23 10:05:03.886621278 -1000 +--- old/auth-pam.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/auth-pam.c 2018-08-23 21:31:53.324592767 -0700 @@ -128,6 +128,10 @@ extern u_int utmp_len; typedef pthread_t sp_pthread_t; #else @@ -20,9 +13,9 @@ diff -aurp old/auth-pam.c new/auth-pam.c struct pam_ctxt { diff -aurp old/cipher.c new/cipher.c ---- old/cipher.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/cipher.c 2018-03-23 10:05:03.886621278 -1000 -@@ -297,7 +297,10 @@ cipher_init(struct sshcipher_ctx **ccp, +--- old/cipher.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/cipher.c 2018-08-23 21:31:53.327926112 -0700 +@@ -299,7 +299,10 @@ cipher_init(struct sshcipher_ctx **ccp, goto out; } } @@ -34,7 +27,7 @@ diff -aurp old/cipher.c new/cipher.c ret = SSH_ERR_LIBCRYPTO_ERROR; goto out; } -@@ -483,7 +486,7 @@ cipher_get_keyiv(struct sshcipher_ctx *c +@@ -485,7 +488,7 @@ cipher_get_keyiv(struct sshcipher_ctx *c len, iv)) return SSH_ERR_LIBCRYPTO_ERROR; } else @@ -43,7 +36,7 @@ diff -aurp old/cipher.c new/cipher.c #endif return 0; } -@@ -517,14 +520,19 @@ cipher_set_keyiv(struct sshcipher_ctx *c +@@ -519,14 +522,19 @@ cipher_set_keyiv(struct sshcipher_ctx *c EVP_CTRL_GCM_SET_IV_FIXED, -1, (void *)iv)) return SSH_ERR_LIBCRYPTO_ERROR; } else @@ -67,8 +60,8 @@ diff -aurp old/cipher.c new/cipher.c int diff -aurp old/cipher.h new/cipher.h ---- old/cipher.h 2018-03-22 16:21:14.000000000 -1000 -+++ new/cipher.h 2018-03-23 10:05:03.886621278 -1000 +--- old/cipher.h 2018-08-22 22:41:42.000000000 -0700 ++++ new/cipher.h 2018-08-23 21:31:53.327926112 -0700 @@ -46,7 +46,18 @@ #define CIPHER_DECRYPT 0 @@ -89,9 +82,9 @@ diff -aurp old/cipher.h new/cipher.h const struct sshcipher *cipher_by_name(const char *); const char *cipher_warning_message(const struct sshcipher_ctx *); diff -aurp old/configure new/configure ---- old/configure 2018-03-23 03:30:17.000000000 -1000 -+++ new/configure 2018-03-23 10:05:03.888621444 -1000 -@@ -13076,7 +13076,6 @@ if ac_fn_c_try_run "$LINENO"; then : +--- old/configure 2018-08-23 00:09:30.000000000 -0700 ++++ new/configure 2018-08-23 21:31:53.331259457 -0700 +@@ -13032,7 +13032,6 @@ if ac_fn_c_try_run "$LINENO"; then : 100*) ;; # 1.0.x 200*) ;; # LibreSSL *) @@ -100,9 +93,9 @@ diff -aurp old/configure new/configure esac { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ssl_library_ver" >&5 diff -aurp old/dh.c new/dh.c ---- old/dh.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/dh.c 2018-03-23 10:05:03.888621444 -1000 -@@ -211,14 +211,15 @@ choose_dh(int min, int wantbits, int max +--- old/dh.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/dh.c 2018-08-23 21:39:18.863765579 -0700 +@@ -216,14 +216,15 @@ choose_dh(int min, int wantbits, int max /* diffie-hellman-groupN-sha1 */ int @@ -120,7 +113,7 @@ diff -aurp old/dh.c new/dh.c logit("invalid public DH value: negative"); return 0; } -@@ -231,7 +232,8 @@ dh_pub_is_valid(DH *dh, BIGNUM *dh_pub) +@@ -236,7 +237,8 @@ dh_pub_is_valid(DH *dh, BIGNUM *dh_pub) error("%s: BN_new failed", __func__); return 0; } @@ -130,7 +123,7 @@ diff -aurp old/dh.c new/dh.c BN_cmp(dh_pub, tmp) != -1) { /* pub_exp > p-2 */ BN_clear_free(tmp); logit("invalid public DH value: >= p-1"); -@@ -242,14 +244,14 @@ dh_pub_is_valid(DH *dh, BIGNUM *dh_pub) +@@ -247,14 +249,14 @@ dh_pub_is_valid(DH *dh, BIGNUM *dh_pub) for (i = 0; i <= n; i++) if (BN_is_bit_set(dh_pub, i)) bits_set++; @@ -147,7 +140,7 @@ diff -aurp old/dh.c new/dh.c return 0; } return 1; -@@ -259,9 +261,13 @@ int +@@ -264,9 +266,13 @@ int dh_gen_key(DH *dh, int need) { int pbits; @@ -163,7 +156,7 @@ diff -aurp old/dh.c new/dh.c need > INT_MAX / 2 || 2 * need > pbits) return SSH_ERR_INVALID_ARGUMENT; if (need < 256) -@@ -270,10 +276,13 @@ dh_gen_key(DH *dh, int need) +@@ -275,11 +281,13 @@ dh_gen_key(DH *dh, int need) * Pollard Rho, Big step/Little Step attacks are O(sqrt(n)), * so double requested need here. */ @@ -171,6 +164,7 @@ diff -aurp old/dh.c new/dh.c - if (DH_generate_key(dh) == 0 || - !dh_pub_is_valid(dh, dh->pub_key)) { - BN_clear_free(dh->priv_key); +- dh->priv_key = NULL; + DH_set_length(dh, MIN(need * 2, pbits - 1)); + if (DH_generate_key(dh) == 0) { + return SSH_ERR_LIBCRYPTO_ERROR; @@ -181,7 +175,7 @@ diff -aurp old/dh.c new/dh.c return SSH_ERR_LIBCRYPTO_ERROR; } return 0; -@@ -282,16 +291,27 @@ dh_gen_key(DH *dh, int need) +@@ -288,16 +296,27 @@ dh_gen_key(DH *dh, int need) DH * dh_new_group_asc(const char *gen, const char *modulus) { @@ -216,7 +210,7 @@ diff -aurp old/dh.c new/dh.c } /* -@@ -306,8 +326,8 @@ dh_new_group(BIGNUM *gen, BIGNUM *modulu +@@ -312,8 +331,8 @@ dh_new_group(BIGNUM *gen, BIGNUM *modulu if ((dh = DH_new()) == NULL) return NULL; @@ -228,8 +222,8 @@ diff -aurp old/dh.c new/dh.c return (dh); } diff -aurp old/dh.h new/dh.h ---- old/dh.h 2018-03-22 16:21:14.000000000 -1000 -+++ new/dh.h 2018-03-23 10:05:03.889621527 -1000 +--- old/dh.h 2018-08-22 22:41:42.000000000 -0700 ++++ new/dh.h 2018-08-23 21:31:53.331259457 -0700 @@ -42,7 +42,7 @@ DH *dh_new_group18(void); DH *dh_new_group_fallback(int); @@ -240,8 +234,8 @@ diff -aurp old/dh.h new/dh.h u_int dh_estimate(int); diff -aurp old/digest-openssl.c new/digest-openssl.c ---- old/digest-openssl.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/digest-openssl.c 2018-03-23 10:05:03.889621527 -1000 +--- old/digest-openssl.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/digest-openssl.c 2018-08-23 21:31:53.331259457 -0700 @@ -43,7 +43,7 @@ struct ssh_digest_ctx { @@ -314,8 +308,8 @@ diff -aurp old/digest-openssl.c new/digest-openssl.c free(ctx); } diff -aurp old/kexdhc.c new/kexdhc.c ---- old/kexdhc.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/kexdhc.c 2018-03-23 10:05:03.889621527 -1000 +--- old/kexdhc.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/kexdhc.c 2018-08-23 21:31:53.331259457 -0700 @@ -81,11 +81,16 @@ kexdh_client(struct ssh *ssh) goto out; } @@ -363,8 +357,8 @@ diff -aurp old/kexdhc.c new/kexdhc.c if ((r = sshkey_verify(server_host_key, signature, slen, hash, hashlen, kex->hostkey_alg, ssh->compat)) != 0) diff -aurp old/kexdhs.c new/kexdhs.c ---- old/kexdhs.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/kexdhs.c 2018-03-23 10:58:58.126733207 -1000 +--- old/kexdhs.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/kexdhs.c 2018-08-23 21:36:50.600564263 -0700 @@ -163,6 +163,9 @@ input_kex_dh_init(int type, u_int32_t se goto out; /* calc H */ @@ -390,10 +384,10 @@ diff -aurp old/kexdhs.c new/kexdhs.c /* save session id := H */ if (kex->session_id == NULL) { -@@ -195,12 +200,17 @@ input_kex_dh_init(int type, u_int32_t se +@@ -195,12 +200,16 @@ input_kex_dh_init(int type, u_int32_t se /* destroy_sensitive_data(); */ - /* send server hostkey, DH pubkey 'f' and singed H */ + /* send server hostkey, DH pubkey 'f' and signed H */ + { + const BIGNUM *pub_key; + DH_get0_key(kex->dh, &pub_key, NULL); @@ -402,17 +396,15 @@ diff -aurp old/kexdhs.c new/kexdhs.c - (r = sshpkt_put_bignum2(ssh, kex->dh->pub_key)) != 0 || /* f */ + (r = sshpkt_put_bignum2(ssh, pub_key)) != 0 || /* f */ (r = sshpkt_put_string(ssh, signature, slen)) != 0 || -- (r = sshpkt_send(ssh)) != 0) -+ (r = sshpkt_send(ssh)) != 0) { + (r = sshpkt_send(ssh)) != 0) goto out; -+ } + } if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) == 0) r = kex_send_newkeys(ssh); diff -aurp old/kexgexc.c new/kexgexc.c ---- old/kexgexc.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/kexgexc.c 2018-03-23 11:00:00.132866201 -1000 +--- old/kexgexc.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/kexgexc.c 2018-08-23 21:31:53.331259457 -0700 @@ -118,11 +118,17 @@ input_kex_dh_gex_group(int type, u_int32 p = g = NULL; /* belong to kex->dh now */ @@ -465,8 +457,8 @@ diff -aurp old/kexgexc.c new/kexgexc.c if ((r = sshkey_verify(server_host_key, signature, slen, hash, hashlen, kex->hostkey_alg, ssh->compat)) != 0) diff -aurp old/kexgexs.c new/kexgexs.c ---- old/kexgexs.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/kexgexs.c 2018-03-23 11:03:06.045049721 -1000 +--- old/kexgexs.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/kexgexs.c 2018-08-23 21:36:11.493972372 -0700 @@ -101,11 +101,16 @@ input_kex_dh_gex_request(int type, u_int goto out; } @@ -516,10 +508,10 @@ diff -aurp old/kexgexs.c new/kexgexs.c /* save session id := H */ if (kex->session_id == NULL) { -@@ -225,12 +236,17 @@ input_kex_dh_gex_init(int type, u_int32_ +@@ -225,12 +236,16 @@ input_kex_dh_gex_init(int type, u_int32_ /* destroy_sensitive_data(); */ - /* send server hostkey, DH pubkey 'f' and singed H */ + /* send server hostkey, DH pubkey 'f' and signed H */ + { + const BIGNUM *pub_key; + DH_get0_key(kex->dh, &pub_key, NULL); @@ -528,35 +520,33 @@ diff -aurp old/kexgexs.c new/kexgexs.c - (r = sshpkt_put_bignum2(ssh, kex->dh->pub_key)) != 0 || /* f */ + (r = sshpkt_put_bignum2(ssh, pub_key)) != 0 || /* f */ (r = sshpkt_put_string(ssh, signature, slen)) != 0 || -- (r = sshpkt_send(ssh)) != 0) -+ (r = sshpkt_send(ssh)) != 0) { + (r = sshpkt_send(ssh)) != 0) goto out; -+ } + } if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) == 0) r = kex_send_newkeys(ssh); diff -aurp old/monitor.c new/monitor.c ---- old/monitor.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/monitor.c 2018-03-23 10:05:03.890621610 -1000 -@@ -595,10 +595,12 @@ mm_answer_moduli(int sock, Buffer *m) - buffer_put_char(m, 0); +--- old/monitor.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/monitor.c 2018-08-23 21:34:14.594343260 -0700 +@@ -589,10 +589,12 @@ mm_answer_moduli(int sock, struct sshbuf + fatal("%s: buffer error: %s", __func__, ssh_err(r)); return (0); } else { + const BIGNUM *p, *g; + DH_get0_pqg(dh, &p, NULL, &g); /* Send first bignum */ - buffer_put_char(m, 1); -- buffer_put_bignum2(m, dh->p); -- buffer_put_bignum2(m, dh->g); -+ buffer_put_bignum2(m, p); -+ buffer_put_bignum2(m, g); + if ((r = sshbuf_put_u8(m, 1)) != 0 || +- (r = sshbuf_put_bignum2(m, dh->p)) != 0 || +- (r = sshbuf_put_bignum2(m, dh->g)) != 0) ++ (r = sshbuf_put_bignum2(m, p)) != 0 || ++ (r = sshbuf_put_bignum2(m, g)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); DH_free(dh); - } diff -aurp old/openbsd-compat/openssl-compat.c new/openbsd-compat/openssl-compat.c ---- old/openbsd-compat/openssl-compat.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/openbsd-compat/openssl-compat.c 2018-03-23 10:05:03.890621610 -1000 +--- old/openbsd-compat/openssl-compat.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/openbsd-compat/openssl-compat.c 2018-08-23 21:31:53.334592801 -0700 @@ -75,7 +75,6 @@ ssh_OpenSSL_add_all_algorithms(void) /* Enable use of crypto hardware */ ENGINE_load_builtin_engines(); @@ -566,8 +556,8 @@ diff -aurp old/openbsd-compat/openssl-compat.c new/openbsd-compat/openssl-compat #endif diff -aurp old/regress/unittests/sshkey/test_file.c new/regress/unittests/sshkey/test_file.c ---- old/regress/unittests/sshkey/test_file.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/regress/unittests/sshkey/test_file.c 2018-03-23 10:05:03.890621610 -1000 +--- old/regress/unittests/sshkey/test_file.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/regress/unittests/sshkey/test_file.c 2018-08-23 21:31:53.334592801 -0700 @@ -60,9 +60,14 @@ sshkey_file_tests(void) a = load_bignum("rsa_1.param.n"); b = load_bignum("rsa_1.param.p"); @@ -605,8 +595,8 @@ diff -aurp old/regress/unittests/sshkey/test_file.c new/regress/unittests/sshkey BN_free(b); BN_free(c); diff -aurp old/regress/unittests/sshkey/test_sshkey.c new/regress/unittests/sshkey/test_sshkey.c ---- old/regress/unittests/sshkey/test_sshkey.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/regress/unittests/sshkey/test_sshkey.c 2018-03-23 10:05:03.890621610 -1000 +--- old/regress/unittests/sshkey/test_sshkey.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/regress/unittests/sshkey/test_sshkey.c 2018-08-23 21:31:53.334592801 -0700 @@ -197,9 +197,14 @@ sshkey_tests(void) k1 = sshkey_new(KEY_RSA); ASSERT_PTR_NE(k1, NULL); @@ -745,8 +735,8 @@ diff -aurp old/regress/unittests/sshkey/test_sshkey.c new/regress/unittests/sshk TEST_START("equal KEY_DSA/demoted KEY_DSA"); diff -aurp old/ssh-dss.c new/ssh-dss.c ---- old/ssh-dss.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/ssh-dss.c 2018-03-23 10:05:03.891621693 -1000 +--- old/ssh-dss.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/ssh-dss.c 2018-08-23 21:31:53.334592801 -0700 @@ -53,6 +53,7 @@ ssh_dss_sign(const struct sshkey *key, u DSA_SIG *sig = NULL; u_char digest[SSH_DIGEST_MAX_LENGTH], sigblob[SIGBLOB_LEN]; @@ -808,8 +798,8 @@ diff -aurp old/ssh-dss.c new/ssh-dss.c /* sha1 the data */ if ((ret = ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen, diff -aurp old/ssh-ecdsa.c new/ssh-ecdsa.c ---- old/ssh-ecdsa.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/ssh-ecdsa.c 2018-03-23 10:05:03.891621693 -1000 +--- old/ssh-ecdsa.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/ssh-ecdsa.c 2018-08-23 21:31:53.334592801 -0700 @@ -80,9 +80,14 @@ ssh_ecdsa_sign(const struct sshkey *key, ret = SSH_ERR_ALLOC_FAIL; goto out; @@ -858,9 +848,9 @@ diff -aurp old/ssh-ecdsa.c new/ssh-ecdsa.c ret = SSH_ERR_UNEXPECTED_TRAILING_DATA; goto out; diff -aurp old/ssh-keygen.c new/ssh-keygen.c ---- old/ssh-keygen.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/ssh-keygen.c 2018-03-23 10:05:03.891621693 -1000 -@@ -493,11 +493,33 @@ do_convert_private_ssh2_from_blob(u_char +--- old/ssh-keygen.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/ssh-keygen.c 2018-08-23 21:31:53.334592801 -0700 +@@ -494,11 +494,33 @@ do_convert_private_ssh2_from_blob(u_char switch (key->type) { case KEY_DSA: @@ -899,7 +889,7 @@ diff -aurp old/ssh-keygen.c new/ssh-keygen.c break; case KEY_RSA: if ((r = sshbuf_get_u8(b, &e1)) != 0 || -@@ -514,16 +536,52 @@ do_convert_private_ssh2_from_blob(u_char +@@ -515,16 +537,52 @@ do_convert_private_ssh2_from_blob(u_char e += e3; debug("e %lx", e); } @@ -958,7 +948,7 @@ diff -aurp old/ssh-keygen.c new/ssh-keygen.c if ((r = ssh_rsa_generate_additional_parameters(key)) != 0) fatal("generate RSA parameters failed: %s", ssh_err(r)); break; -@@ -633,7 +691,7 @@ do_convert_from_pkcs8(struct sshkey **k, +@@ -634,7 +692,7 @@ do_convert_from_pkcs8(struct sshkey **k, identity_file); } fclose(fp); @@ -967,7 +957,7 @@ diff -aurp old/ssh-keygen.c new/ssh-keygen.c case EVP_PKEY_RSA: if ((*k = sshkey_new(KEY_UNSPEC)) == NULL) fatal("sshkey_new failed"); -@@ -657,7 +715,7 @@ do_convert_from_pkcs8(struct sshkey **k, +@@ -658,7 +716,7 @@ do_convert_from_pkcs8(struct sshkey **k, #endif default: fatal("%s: unsupported pubkey type %d", __func__, @@ -977,9 +967,9 @@ diff -aurp old/ssh-keygen.c new/ssh-keygen.c EVP_PKEY_free(pubkey); return; diff -aurp old/ssh-pkcs11-client.c new/ssh-pkcs11-client.c ---- old/ssh-pkcs11-client.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/ssh-pkcs11-client.c 2018-03-23 10:05:03.892621777 -1000 -@@ -144,12 +144,13 @@ pkcs11_rsa_private_encrypt(int flen, con +--- old/ssh-pkcs11-client.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/ssh-pkcs11-client.c 2018-08-23 21:31:53.334592801 -0700 +@@ -156,12 +156,13 @@ pkcs11_rsa_private_encrypt(int flen, con static int wrap_key(RSA *rsa) { @@ -999,8 +989,8 @@ diff -aurp old/ssh-pkcs11-client.c new/ssh-pkcs11-client.c } diff -aurp old/ssh-pkcs11.c new/ssh-pkcs11.c ---- old/ssh-pkcs11.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/ssh-pkcs11.c 2018-03-23 10:05:03.892621777 -1000 +--- old/ssh-pkcs11.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/ssh-pkcs11.c 2018-08-23 21:31:53.334592801 -0700 @@ -67,7 +67,7 @@ struct pkcs11_key { struct pkcs11_provider *provider; CK_ULONG slotidx; @@ -1090,9 +1080,9 @@ diff -aurp old/ssh-pkcs11.c new/ssh-pkcs11.c free(attribs[i].pValue); } diff -aurp old/ssh-rsa.c new/ssh-rsa.c ---- old/ssh-rsa.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/ssh-rsa.c 2018-03-23 10:05:03.892621777 -1000 -@@ -84,7 +84,6 @@ ssh_rsa_generate_additional_parameters(s +--- old/ssh-rsa.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/ssh-rsa.c 2018-08-23 21:31:53.334592801 -0700 +@@ -108,7 +108,6 @@ ssh_rsa_generate_additional_parameters(s { BIGNUM *aux = NULL; BN_CTX *ctx = NULL; @@ -1100,7 +1090,7 @@ diff -aurp old/ssh-rsa.c new/ssh-rsa.c int r; if (key == NULL || key->rsa == NULL || -@@ -99,16 +98,27 @@ ssh_rsa_generate_additional_parameters(s +@@ -123,16 +122,27 @@ ssh_rsa_generate_additional_parameters(s } BN_set_flags(aux, BN_FLG_CONSTTIME); @@ -1135,7 +1125,7 @@ diff -aurp old/ssh-rsa.c new/ssh-rsa.c r = 0; out: BN_clear_free(aux); -@@ -139,7 +149,7 @@ ssh_rsa_sign(const struct sshkey *key, u +@@ -163,7 +173,7 @@ ssh_rsa_sign(const struct sshkey *key, u if (key == NULL || key->rsa == NULL || hash_alg == -1 || sshkey_type_plain(key->type) != KEY_RSA) return SSH_ERR_INVALID_ARGUMENT; @@ -1144,7 +1134,7 @@ diff -aurp old/ssh-rsa.c new/ssh-rsa.c return SSH_ERR_KEY_LENGTH; slen = RSA_size(key->rsa); if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM) -@@ -211,7 +221,7 @@ ssh_rsa_verify(const struct sshkey *key, +@@ -235,7 +245,7 @@ ssh_rsa_verify(const struct sshkey *key, sshkey_type_plain(key->type) != KEY_RSA || sig == NULL || siglen == 0) return SSH_ERR_INVALID_ARGUMENT; @@ -1154,9 +1144,9 @@ diff -aurp old/ssh-rsa.c new/ssh-rsa.c if ((b = sshbuf_from(sig, siglen)) == NULL) diff -aurp old/sshkey.c new/sshkey.c ---- old/sshkey.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/sshkey.c 2018-03-23 10:05:03.893621860 -1000 -@@ -274,10 +274,18 @@ sshkey_size(const struct sshkey *k) +--- old/sshkey.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/sshkey.c 2018-08-23 21:31:53.334592801 -0700 +@@ -292,10 +292,18 @@ sshkey_size(const struct sshkey *k) #ifdef WITH_OPENSSL case KEY_RSA: case KEY_RSA_CERT: @@ -1176,7 +1166,7 @@ diff -aurp old/sshkey.c new/sshkey.c case KEY_ECDSA: case KEY_ECDSA_CERT: return sshkey_curve_nid_to_bits(k->ecdsa_nid); -@@ -482,26 +490,53 @@ sshkey_new(int type) +@@ -500,26 +508,53 @@ sshkey_new(int type) #ifdef WITH_OPENSSL case KEY_RSA: case KEY_RSA_CERT: @@ -1236,7 +1226,7 @@ diff -aurp old/sshkey.c new/sshkey.c k->dsa = dsa; break; case KEY_ECDSA: -@@ -539,6 +574,51 @@ sshkey_add_private(struct sshkey *k) +@@ -557,6 +592,51 @@ sshkey_add_private(struct sshkey *k) #ifdef WITH_OPENSSL case KEY_RSA: case KEY_RSA_CERT: @@ -1288,7 +1278,7 @@ diff -aurp old/sshkey.c new/sshkey.c #define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL) if (bn_maybe_alloc_failed(k->rsa->d) || bn_maybe_alloc_failed(k->rsa->iqmp) || -@@ -547,13 +627,28 @@ sshkey_add_private(struct sshkey *k) +@@ -565,13 +645,28 @@ sshkey_add_private(struct sshkey *k) bn_maybe_alloc_failed(k->rsa->dmq1) || bn_maybe_alloc_failed(k->rsa->dmp1)) return SSH_ERR_ALLOC_FAIL; @@ -1317,7 +1307,7 @@ diff -aurp old/sshkey.c new/sshkey.c case KEY_ECDSA: case KEY_ECDSA_CERT: /* Cannot do anything until we know the group */ -@@ -677,16 +772,34 @@ sshkey_equal_public(const struct sshkey +@@ -695,16 +790,34 @@ sshkey_equal_public(const struct sshkey #ifdef WITH_OPENSSL case KEY_RSA_CERT: case KEY_RSA: @@ -1360,7 +1350,7 @@ diff -aurp old/sshkey.c new/sshkey.c # ifdef OPENSSL_HAS_ECC case KEY_ECDSA_CERT: case KEY_ECDSA: -@@ -775,12 +888,17 @@ to_blob_buf(const struct sshkey *key, st +@@ -793,12 +906,17 @@ to_blob_buf(const struct sshkey *key, st case KEY_DSA: if (key->dsa == NULL) return SSH_ERR_INVALID_ARGUMENT; @@ -1382,7 +1372,7 @@ diff -aurp old/sshkey.c new/sshkey.c break; # ifdef OPENSSL_HAS_ECC case KEY_ECDSA: -@@ -796,10 +914,14 @@ to_blob_buf(const struct sshkey *key, st +@@ -814,10 +932,14 @@ to_blob_buf(const struct sshkey *key, st case KEY_RSA: if (key->rsa == NULL) return SSH_ERR_INVALID_ARGUMENT; @@ -1399,7 +1389,7 @@ diff -aurp old/sshkey.c new/sshkey.c break; #endif /* WITH_OPENSSL */ case KEY_ED25519: -@@ -1740,13 +1862,32 @@ sshkey_from_private(const struct sshkey +@@ -1758,13 +1880,32 @@ sshkey_from_private(const struct sshkey case KEY_DSA_CERT: if ((n = sshkey_new(k->type)) == NULL) return SSH_ERR_ALLOC_FAIL; @@ -1436,7 +1426,7 @@ diff -aurp old/sshkey.c new/sshkey.c break; # ifdef OPENSSL_HAS_ECC case KEY_ECDSA: -@@ -1770,11 +1911,23 @@ sshkey_from_private(const struct sshkey +@@ -1788,11 +1929,23 @@ sshkey_from_private(const struct sshkey case KEY_RSA_CERT: if ((n = sshkey_new(k->type)) == NULL) return SSH_ERR_ALLOC_FAIL; @@ -1462,7 +1452,7 @@ diff -aurp old/sshkey.c new/sshkey.c break; #endif /* WITH_OPENSSL */ case KEY_ED25519: -@@ -1995,12 +2148,27 @@ sshkey_from_blob_internal(struct sshbuf +@@ -2013,12 +2166,27 @@ sshkey_from_blob_internal(struct sshbuf ret = SSH_ERR_ALLOC_FAIL; goto out; } @@ -1493,7 +1483,7 @@ diff -aurp old/sshkey.c new/sshkey.c ret = SSH_ERR_KEY_LENGTH; goto out; } -@@ -2020,13 +2188,36 @@ sshkey_from_blob_internal(struct sshbuf +@@ -2038,13 +2206,36 @@ sshkey_from_blob_internal(struct sshbuf ret = SSH_ERR_ALLOC_FAIL; goto out; } @@ -1534,7 +1524,7 @@ diff -aurp old/sshkey.c new/sshkey.c #ifdef DEBUG_PK DSA_print_fp(stderr, key->dsa, 8); #endif -@@ -2327,26 +2518,63 @@ sshkey_demote(const struct sshkey *k, st +@@ -2389,26 +2580,63 @@ sshkey_demote(const struct sshkey *k, st goto fail; /* FALLTHROUGH */ case KEY_RSA: @@ -1606,7 +1596,7 @@ diff -aurp old/sshkey.c new/sshkey.c break; case KEY_ECDSA_CERT: if ((ret = sshkey_cert_copy(k, pk)) != 0) -@@ -2496,11 +2724,17 @@ sshkey_certify_custom(struct sshkey *k, +@@ -2558,11 +2786,17 @@ sshkey_certify_custom(struct sshkey *k, switch (k->type) { #ifdef WITH_OPENSSL case KEY_DSA_CERT: @@ -1628,7 +1618,7 @@ diff -aurp old/sshkey.c new/sshkey.c break; # ifdef OPENSSL_HAS_ECC case KEY_ECDSA_CERT: -@@ -2513,9 +2747,15 @@ sshkey_certify_custom(struct sshkey *k, +@@ -2575,9 +2809,15 @@ sshkey_certify_custom(struct sshkey *k, break; # endif /* OPENSSL_HAS_ECC */ case KEY_RSA_CERT: @@ -1646,7 +1636,7 @@ diff -aurp old/sshkey.c new/sshkey.c break; #endif /* WITH_OPENSSL */ case KEY_ED25519_CERT: -@@ -2702,42 +2942,67 @@ sshkey_private_serialize_opt(const struc +@@ -2764,42 +3004,67 @@ sshkey_private_serialize_opt(const struc switch (key->type) { #ifdef WITH_OPENSSL case KEY_RSA: @@ -1730,7 +1720,7 @@ diff -aurp old/sshkey.c new/sshkey.c break; # ifdef OPENSSL_HAS_ECC case KEY_ECDSA: -@@ -2851,18 +3116,61 @@ sshkey_private_deserialize(struct sshbuf +@@ -2913,18 +3178,61 @@ sshkey_private_deserialize(struct sshbuf r = SSH_ERR_ALLOC_FAIL; goto out; } @@ -1799,7 +1789,7 @@ diff -aurp old/sshkey.c new/sshkey.c break; # ifdef OPENSSL_HAS_ECC case KEY_ECDSA: -@@ -2921,29 +3229,104 @@ sshkey_private_deserialize(struct sshbuf +@@ -2983,29 +3291,104 @@ sshkey_private_deserialize(struct sshbuf r = SSH_ERR_ALLOC_FAIL; goto out; } @@ -1918,7 +1908,7 @@ diff -aurp old/sshkey.c new/sshkey.c r = SSH_ERR_KEY_LENGTH; goto out; } -@@ -3707,7 +4090,6 @@ translate_libcrypto_error(unsigned long +@@ -3769,7 +4152,6 @@ translate_libcrypto_error(unsigned long switch (pem_reason) { case EVP_R_BAD_DECRYPT: return SSH_ERR_KEY_WRONG_PASSPHRASE; @@ -1926,7 +1916,7 @@ diff -aurp old/sshkey.c new/sshkey.c case EVP_R_DECODE_ERROR: #ifdef EVP_R_PRIVATE_KEY_DECODE_ERROR case EVP_R_PRIVATE_KEY_DECODE_ERROR: -@@ -3772,7 +4154,7 @@ sshkey_parse_private_pem_fileblob(struct +@@ -3834,7 +4216,7 @@ sshkey_parse_private_pem_fileblob(struct r = convert_libcrypto_error(); goto out; } @@ -1935,7 +1925,7 @@ diff -aurp old/sshkey.c new/sshkey.c (type == KEY_UNSPEC || type == KEY_RSA)) { if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { r = SSH_ERR_ALLOC_FAIL; -@@ -3787,11 +4169,11 @@ sshkey_parse_private_pem_fileblob(struct +@@ -3849,11 +4231,11 @@ sshkey_parse_private_pem_fileblob(struct r = SSH_ERR_LIBCRYPTO_ERROR; goto out; } @@ -1949,7 +1939,7 @@ diff -aurp old/sshkey.c new/sshkey.c (type == KEY_UNSPEC || type == KEY_DSA)) { if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { r = SSH_ERR_ALLOC_FAIL; -@@ -3803,7 +4185,7 @@ sshkey_parse_private_pem_fileblob(struct +@@ -3865,7 +4247,7 @@ sshkey_parse_private_pem_fileblob(struct DSA_print_fp(stderr, prv->dsa, 8); #endif #ifdef OPENSSL_HAS_ECC -- 2.16.4

2 3

[PATCH] unbound: Update to 1.8.0
by Matthias Fischer 13 Sep '18

13 Sep '18

Hi, For details see: https://nlnetlabs.nl/svn/unbound/tags/release-1.8.0/doc/Changelog and https://nlnetlabs.nl/projects/unbound/download/ Best, Matthias Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- config/rootfiles/common/unbound | 4 ++-- lfs/unbound | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/config/rootfiles/common/unbound b/config/rootfiles/common/unbound index f3172f028..9f7c512db 100644 --- a/config/rootfiles/common/unbound +++ b/config/rootfiles/common/unbound @@ -10,8 +10,8 @@ etc/unbound/unbound.conf #usr/include/unbound.h #usr/lib/libunbound.la #usr/lib/libunbound.so -usr/lib/libunbound.so.2 -usr/lib/libunbound.so.2.5.11 +usr/lib/libunbound.so.8 +usr/lib/libunbound.so.8.0.0 #usr/lib/pkgconfig/libunbound.pc usr/sbin/unbound usr/sbin/unbound-anchor diff --git a/lfs/unbound b/lfs/unbound index b4c1b02f3..ae2795e0e 100644 --- a/lfs/unbound +++ b/lfs/unbound @@ -24,7 +24,7 @@ include Config -VER = 1.7.3 +VER = 1.8.0 THISAPP = unbound-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = ea45068fb27ef358f581227b99645525 +$(DL_FILE)_MD5 = 495ffdff55a53ff1735fb58e956c1945 install : $(TARGET) -- 2.18.0

2 1

[PATCH v4 1/2] add hardened SSH server configuration
by Peter Müller 12 Sep '18

12 Sep '18

In order to harden OpenSSH server in IPFire, using the upstream default configuration and edit it via sed commands in LFS file is error-prone and does not scale. Thereof we ship a custom and more secure OpenSSH server configuration which is copied into the image during build time. The fourth version of this patch disables password authentication by default, since this is required by some cloud hosters in order to apply the image. Further, this method is less secure than pubkey authentication. Non-AEAD ciphers have been re-added to provide compatibility to older RHEL systems. Fixes #11750 Fixes #11751 Partially fixes #11538 Signed-off-by: Peter Müller <peter.mueller(a)link38.eu> Cc: Marcel Lorenz <marcel.lorenz(a)ipfire.org> Cc: Michael Tremer <michael.tremer(a)ipfire.org> --- config/ssh/sshd_config | 81 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 81 insertions(+) create mode 100644 config/ssh/sshd_config diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config new file mode 100644 index 000000000..06329fbde --- /dev/null +++ b/config/ssh/sshd_config @@ -0,0 +1,81 @@ +# ultra-secure OpenSSH server configuration + +# only allow version 2 of SSH protocol +Protocol 2 + +# listen on port 22 by default +Port 22 + +# listen on these interfaces and protocols +AddressFamily any +ListenAddress 0.0.0.0 + +# limit authentication thresholds +LoginGraceTime 30s +MaxAuthTries 3 + +# limit maximum instanctes to prevent DoS +MaxStartups 5 + +# ensure proper logging +SyslogFacility AUTH +LogLevel INFO + +# enforce permission checks before a login is accepted +# (prevents damage because of hacked systems with world-writeable +# home directories or similar) +StrictModes yes + +# only allow safe crypto algorithms (may break some _very_ outdated clients) +# see also: https://stribika.github.io/2015/01/04/secure-secure-shell.html +KexAlgorithms curve25519-sha256(a)libssh.org,diffie-hellman-group-exchange-sha256 +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com + +# enable data compression after successful login only +Compression delayed + +# only allow cryptographically safe SSH host keys (adjust paths if needed) +HostKey /etc/ssh/ssh_host_ed25519_key +HostKey /etc/ssh/ssh_host_ecdsa_key +HostKey /etc/ssh/ssh_host_rsa_key + +# only allow login via public key by default +PubkeyAuthentication yes +PasswordAuthentication no +ChallengeResponseAuthentication no +PermitEmptyPasswords no + +# permit root login as there is no other user in IPFire 2.x +PermitRootLogin yes + +# specify preferred authentication methods (public keys come first) +AuthenticationMethods publickey,password + +# ignore user ~/.rhost* files +IgnoreRhosts yes + +# ignore user known hosts file +IgnoreUserKnownHosts yes + +# ignore user environments +PermitUserEnvironment no + +# do not allow any kind of forwarding (provides only low security) +# some of them might need to be re-enabled if SSH server is a jump platform +X11Forwarding no +AllowTcpForwarding no +AllowAgentForwarding no +PermitTunnel no +GatewayPorts no +PermitOpen none + +# detect broken sessions by sending keep-alive messages to +# clients (both via TCP and SSH) +TCPKeepAlive yes +ClientAliveInterval 10 + +# close unresponsive SSH sessions which fail to answer keep-alive +ClientAliveCountMax 6 + +# EOF -- 2.16.4

1 2

[PATCH 1/3] SSH client configuration: Use Protocol version 2 only
by Peter Müller 12 Sep '18

12 Sep '18

SSH Protocol version 1 is insecure and must not be used anymore. Restrict SSH client configuration to ensure only version 2 is used. Signed-off-by: Peter Müller <peter.mueller(a)link38.eu> --- config/ssh/ssh_config | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/ssh/ssh_config b/config/ssh/ssh_config index 2abfae6d1..b36909f85 100644 --- a/config/ssh/ssh_config +++ b/config/ssh/ssh_config @@ -5,6 +5,9 @@ Host * # disable Roaming as it is known to be vulnerable UseRoaming no + # only use version 2 of SSH protocol + Protocol 2 + # only use secure crypto algorithm KexAlgorithms curve25519-sha256(a)libssh.org,diffie-hellman-group-exchange-sha256 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr -- 2.16.4

1 2

[PATCH] Suggested fix for 'rngd' service status
by Matthias Fischer 12 Sep '18

12 Sep '18

Hi, Since https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=fd0a0384f07b399e9cb… 'rngd' is running again with much higher values. STATUS / ENTROPY shows RUNNING. Thanks! ;-) But '/var/run/rngd.pid' is created with wrong rights (0600). Therefore, STATUS / SERVICES tells me 'rngd' is stopped. The suggested fix checks whether '/var/run/rngd.pid' exists and sets rights accordingly. Best, Matthias Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- src/initscripts/system/rngd | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/initscripts/system/rngd b/src/initscripts/system/rngd index 91b70a7b4..8fe5c9363 100644 --- a/src/initscripts/system/rngd +++ b/src/initscripts/system/rngd @@ -15,6 +15,9 @@ case "${1}" in start) boot_mesg "Starting Random Number Generator Daemon..." loadproc /usr/sbin/rngd --quiet + if [ -f "/var/run/rngd.pid" ]; then + chmod 644 /var/run/rngd.pid + fi ;; stop) -- 2.18.0

3 2

[PATCH] update ca-certificates CA bundle
by Peter Müller 11 Sep '18

11 Sep '18

Update the CA certificates list to what Mozilla NSS ships currently. The original file can be retrieved from: https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/b… Signed-off-by: Peter Müller <peter.mueller(a)link38.eu> --- config/ca-certificates/certdata.txt | 422 ++++++++++++++++++++++++------------ lfs/ca-certificates | 4 +- 2 files changed, 289 insertions(+), 137 deletions(-) diff --git a/config/ca-certificates/certdata.txt b/config/ca-certificates/certdata.txt index d291f28a5..193cef38f 100644 --- a/config/ca-certificates/certdata.txt +++ b/config/ca-certificates/certdata.txt @@ -7381,136 +7381,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -# -# Certificate "ComSign CA" -# -# Issuer: C=IL,O=ComSign,CN=ComSign CA -# Serial Number:14:13:96:83:14:55:8c:ea:7b:63:e5:fc:34:87:77:44 -# Subject: C=IL,O=ComSign,CN=ComSign CA -# Not Valid Before: Wed Mar 24 11:32:18 2004 -# Not Valid After : Mon Mar 19 15:02:18 2029 -# Fingerprint (MD5): CD:F4:39:F3:B5:18:50:D7:3E:A4:C5:91:A0:3E:21:4B -# Fingerprint (SHA1): E1:A4:5B:14:1A:21:DA:1A:79:F4:1A:42:A9:61:D6:69:CD:06:34:C1 -CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ComSign CA" -CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -CKA_SUBJECT MULTILINE_OCTAL -\060\064\061\023\060\021\006\003\125\004\003\023\012\103\157\155 -\123\151\147\156\040\103\101\061\020\060\016\006\003\125\004\012 -\023\007\103\157\155\123\151\147\156\061\013\060\011\006\003\125 -\004\006\023\002\111\114 -END -CKA_ID UTF8 "0" -CKA_ISSUER MULTILINE_OCTAL -\060\064\061\023\060\021\006\003\125\004\003\023\012\103\157\155 -\123\151\147\156\040\103\101\061\020\060\016\006\003\125\004\012 -\023\007\103\157\155\123\151\147\156\061\013\060\011\006\003\125 -\004\006\023\002\111\114 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\020\024\023\226\203\024\125\214\352\173\143\345\374\064\207 -\167\104 -END -CKA_VALUE MULTILINE_OCTAL -\060\202\003\223\060\202\002\173\240\003\002\001\002\002\020\024 -\023\226\203\024\125\214\352\173\143\345\374\064\207\167\104\060 -\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\064 -\061\023\060\021\006\003\125\004\003\023\012\103\157\155\123\151 -\147\156\040\103\101\061\020\060\016\006\003\125\004\012\023\007 -\103\157\155\123\151\147\156\061\013\060\011\006\003\125\004\006 -\023\002\111\114\060\036\027\015\060\064\060\063\062\064\061\061 -\063\062\061\070\132\027\015\062\071\060\063\061\071\061\065\060 -\062\061\070\132\060\064\061\023\060\021\006\003\125\004\003\023 -\012\103\157\155\123\151\147\156\040\103\101\061\020\060\016\006 -\003\125\004\012\023\007\103\157\155\123\151\147\156\061\013\060 -\011\006\003\125\004\006\023\002\111\114\060\202\001\042\060\015 -\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\001 -\017\000\060\202\001\012\002\202\001\001\000\360\344\124\151\053 -\323\307\217\152\104\344\176\130\047\370\013\320\344\224\022\212 -\361\033\070\070\057\037\061\234\006\324\054\247\336\013\052\256 -\032\240\343\236\152\277\237\074\307\156\242\371\213\144\154\072 -\255\205\125\121\124\245\070\125\270\253\203\004\362\077\144\066 -\367\300\215\103\103\152\146\321\367\027\052\325\357\066\372\060 -\020\102\327\123\315\371\372\063\163\114\263\351\204\040\212\326 -\101\047\065\344\070\372\224\233\270\172\344\171\037\063\373\033 -\330\041\011\050\174\115\030\151\136\144\212\172\031\223\312\176 -\354\363\162\347\067\007\130\131\050\254\102\371\305\377\315\077 -\347\245\372\070\261\320\014\307\331\122\032\123\326\201\314\102 -\172\065\133\355\113\072\172\366\265\216\314\377\017\174\344\140 -\066\207\057\255\360\241\045\175\377\322\113\021\210\160\124\246 -\101\250\147\123\122\102\136\344\064\236\344\276\243\354\252\142 -\135\335\303\114\246\202\101\344\063\013\254\311\063\017\144\202 -\127\052\375\014\255\066\341\014\256\113\305\357\073\231\331\043 -\263\133\135\264\127\354\164\160\014\052\117\002\003\001\000\001 -\243\201\240\060\201\235\060\014\006\003\125\035\023\004\005\060 -\003\001\001\377\060\075\006\003\125\035\037\004\066\060\064\060 -\062\240\060\240\056\206\054\150\164\164\160\072\057\057\146\145 -\144\151\162\056\143\157\155\163\151\147\156\056\143\157\056\151 -\154\057\143\162\154\057\103\157\155\123\151\147\156\103\101\056 -\143\162\154\060\016\006\003\125\035\017\001\001\377\004\004\003 -\002\001\206\060\037\006\003\125\035\043\004\030\060\026\200\024 -\113\001\233\076\126\032\145\066\166\313\173\227\252\222\005\356 -\062\347\050\061\060\035\006\003\125\035\016\004\026\004\024\113 -\001\233\076\126\032\145\066\166\313\173\227\252\222\005\356\062 -\347\050\061\060\015\006\011\052\206\110\206\367\015\001\001\005 -\005\000\003\202\001\001\000\320\331\245\176\376\051\140\105\235 -\176\203\317\156\274\107\156\365\032\236\124\166\102\161\264\074 -\130\077\055\100\045\102\366\201\234\361\211\020\310\016\252\170 -\117\070\011\127\260\074\300\010\374\065\216\361\110\121\215\014 -\161\164\272\204\304\327\162\233\204\174\070\116\144\006\047\052 -\341\247\265\354\010\231\264\012\015\324\205\163\310\022\341\065 -\355\361\005\061\035\163\231\014\353\226\312\335\323\346\205\252 -\360\212\373\165\301\362\011\074\145\145\144\363\114\330\255\313 -\210\151\363\344\203\267\014\275\027\132\226\027\312\133\377\255 -\273\034\351\055\204\200\330\041\276\205\122\331\324\164\271\151 -\205\272\115\355\050\062\353\371\141\112\344\304\066\036\031\334 -\157\204\021\037\225\365\203\050\030\250\063\222\103\047\335\135 -\023\004\105\117\207\325\106\315\075\250\272\360\363\270\126\044 -\105\353\067\307\341\166\117\162\071\030\337\176\164\162\307\163 -\055\071\352\140\346\255\021\242\126\207\173\303\150\232\376\370 -\214\160\250\337\145\062\364\244\100\214\241\302\104\003\016\224 -\000\147\240\161\000\202\110 -END -CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE - -# Trust for Certificate "ComSign CA" -# Issuer: C=IL,O=ComSign,CN=ComSign CA -# Serial Number:14:13:96:83:14:55:8c:ea:7b:63:e5:fc:34:87:77:44 -# Subject: C=IL,O=ComSign,CN=ComSign CA -# Not Valid Before: Wed Mar 24 11:32:18 2004 -# Not Valid After : Mon Mar 19 15:02:18 2029 -# Fingerprint (MD5): CD:F4:39:F3:B5:18:50:D7:3E:A4:C5:91:A0:3E:21:4B -# Fingerprint (SHA1): E1:A4:5B:14:1A:21:DA:1A:79:F4:1A:42:A9:61:D6:69:CD:06:34:C1 -CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "ComSign CA" -CKA_CERT_SHA1_HASH MULTILINE_OCTAL -\341\244\133\024\032\041\332\032\171\364\032\102\251\141\326\151 -\315\006\064\301 -END -CKA_CERT_MD5_HASH MULTILINE_OCTAL -\315\364\071\363\265\030\120\327\076\244\305\221\240\076\041\113 -END -CKA_ISSUER MULTILINE_OCTAL -\060\064\061\023\060\021\006\003\125\004\003\023\012\103\157\155 -\123\151\147\156\040\103\101\061\020\060\016\006\003\125\004\012 -\023\007\103\157\155\123\151\147\156\061\013\060\011\006\003\125 -\004\006\023\002\111\114 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\020\024\023\226\203\024\125\214\352\173\143\345\374\064\207 -\167\104 -END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - # # Certificate "Cybertrust Global Root" # @@ -19302,7 +19172,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\022\021\040\125\203\344\055\076\124\126\205\055\203\067\267 \054\334\106\021 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE @@ -19408,7 +19278,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\022\021\040\331\221\316\256\243\350\305\347\377\351\002\257 \317\163\274\125 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE @@ -19571,7 +19441,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\022\021\040\263\220\125\071\175\177\066\155\144\302\247\237 \153\143\216\147 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE @@ -19734,7 +19604,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\022\021\040\241\151\033\277\275\271\275\122\226\217\043\350 \110\277\046\021 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE @@ -19844,7 +19714,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\022\021\040\346\370\114\374\044\260\276\005\100\254\332\203 \033\064\140\077 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE @@ -22993,3 +22863,285 @@ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + +# +# Certificate "GlobalSign Root CA - R6" +# +# Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R6 +# Serial Number:45:e6:bb:03:83:33:c3:85:65:48:e6:ff:45:51 +# Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R6 +# Not Valid Before: Wed Dec 10 00:00:00 2014 +# Not Valid After : Sun Dec 10 00:00:00 2034 +# Fingerprint (SHA-256): 2C:AB:EA:FE:37:D0:6C:A2:2A:BA:73:91:C0:03:3D:25:98:29:52:C4:53:64:73:49:76:3A:3A:B5:AD:6C:CF:69 +# Fingerprint (SHA1): 80:94:64:0E:B5:A7:A1:CA:11:9C:1F:DD:D5:9F:81:02:63:A7:FB:D1 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "GlobalSign Root CA - R6" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\114\061\040\060\036\006\003\125\004\013\023\027\107\154\157 +\142\141\154\123\151\147\156\040\122\157\157\164\040\103\101\040 +\055\040\122\066\061\023\060\021\006\003\125\004\012\023\012\107 +\154\157\142\141\154\123\151\147\156\061\023\060\021\006\003\125 +\004\003\023\012\107\154\157\142\141\154\123\151\147\156 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\114\061\040\060\036\006\003\125\004\013\023\027\107\154\157 +\142\141\154\123\151\147\156\040\122\157\157\164\040\103\101\040 +\055\040\122\066\061\023\060\021\006\003\125\004\012\023\012\107 +\154\157\142\141\154\123\151\147\156\061\023\060\021\006\003\125 +\004\003\023\012\107\154\157\142\141\154\123\151\147\156 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\016\105\346\273\003\203\063\303\205\145\110\346\377\105\121 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\005\203\060\202\003\153\240\003\002\001\002\002\016\105 +\346\273\003\203\063\303\205\145\110\346\377\105\121\060\015\006 +\011\052\206\110\206\367\015\001\001\014\005\000\060\114\061\040 +\060\036\006\003\125\004\013\023\027\107\154\157\142\141\154\123 +\151\147\156\040\122\157\157\164\040\103\101\040\055\040\122\066 +\061\023\060\021\006\003\125\004\012\023\012\107\154\157\142\141 +\154\123\151\147\156\061\023\060\021\006\003\125\004\003\023\012 +\107\154\157\142\141\154\123\151\147\156\060\036\027\015\061\064 +\061\062\061\060\060\060\060\060\060\060\132\027\015\063\064\061 +\062\061\060\060\060\060\060\060\060\132\060\114\061\040\060\036 +\006\003\125\004\013\023\027\107\154\157\142\141\154\123\151\147 +\156\040\122\157\157\164\040\103\101\040\055\040\122\066\061\023 +\060\021\006\003\125\004\012\023\012\107\154\157\142\141\154\123 +\151\147\156\061\023\060\021\006\003\125\004\003\023\012\107\154 +\157\142\141\154\123\151\147\156\060\202\002\042\060\015\006\011 +\052\206\110\206\367\015\001\001\001\005\000\003\202\002\017\000 +\060\202\002\012\002\202\002\001\000\225\007\350\163\312\146\371 +\354\024\312\173\074\367\015\010\361\264\105\013\054\202\264\110 +\306\353\133\074\256\203\270\101\222\063\024\244\157\177\351\052 +\314\306\260\210\153\305\266\211\321\306\262\377\024\316\121\024 +\041\354\112\335\033\132\306\326\207\356\115\072\025\006\355\144 +\146\013\222\200\312\104\336\163\224\116\363\247\211\177\117\170 +\143\010\310\022\120\155\102\146\057\115\271\171\050\115\122\032 +\212\032\200\267\031\201\016\176\304\212\274\144\114\041\034\103 +\150\327\075\074\212\305\262\146\325\220\232\267\061\006\305\276 +\342\155\062\006\246\036\371\271\353\252\243\270\277\276\202\143 +\120\320\360\030\211\337\344\017\171\365\352\242\037\052\322\160 +\056\173\347\274\223\273\155\123\342\110\174\214\020\007\070\377 +\146\262\167\141\176\340\352\214\074\252\264\244\366\363\225\112 +\022\007\155\375\214\262\211\317\320\240\141\167\310\130\164\260 +\324\043\072\367\135\072\312\242\333\235\011\336\135\104\055\220 +\361\201\315\127\222\372\176\274\120\004\143\064\337\153\223\030 +\276\153\066\262\071\344\254\044\066\267\360\357\266\034\023\127 +\223\266\336\262\370\342\205\267\163\242\270\065\252\105\362\340 +\235\066\241\157\124\212\361\162\126\156\056\210\305\121\102\104 +\025\224\356\243\305\070\226\233\116\116\132\013\107\363\006\066 +\111\167\060\274\161\067\345\246\354\041\010\165\374\346\141\026 +\077\167\325\331\221\227\204\012\154\324\002\115\164\300\024\355 +\375\071\373\203\362\136\024\241\004\260\013\351\376\356\217\341 +\156\013\262\010\263\141\146\011\152\261\006\072\145\226\131\300 +\360\065\375\311\332\050\215\032\021\207\160\201\012\250\232\165 +\035\236\072\206\005\000\236\333\200\326\045\371\334\005\236\047 +\131\114\166\071\133\352\371\245\241\330\203\017\321\377\337\060 +\021\371\205\317\063\110\365\312\155\144\024\054\172\130\117\323 +\113\010\111\305\225\144\032\143\016\171\075\365\263\214\312\130 +\255\234\102\105\171\156\016\207\031\134\124\261\145\266\277\214 +\233\334\023\351\015\157\270\056\334\147\156\311\213\021\265\204 +\024\212\000\031\160\203\171\221\227\221\324\032\047\277\067\036 +\062\007\330\024\143\074\050\114\257\002\003\001\000\001\243\143 +\060\141\060\016\006\003\125\035\017\001\001\377\004\004\003\002 +\001\006\060\017\006\003\125\035\023\001\001\377\004\005\060\003 +\001\001\377\060\035\006\003\125\035\016\004\026\004\024\256\154 +\005\243\223\023\342\242\347\342\327\034\326\307\360\177\310\147 +\123\240\060\037\006\003\125\035\043\004\030\060\026\200\024\256 +\154\005\243\223\023\342\242\347\342\327\034\326\307\360\177\310 +\147\123\240\060\015\006\011\052\206\110\206\367\015\001\001\014 +\005\000\003\202\002\001\000\203\045\355\350\321\375\225\122\315 +\236\300\004\240\221\151\346\134\320\204\336\334\255\242\117\350 +\107\170\326\145\230\251\133\250\074\207\174\002\212\321\156\267 +\026\163\346\137\300\124\230\325\164\276\301\315\342\021\221\255 +\043\030\075\335\341\162\104\226\264\225\136\300\173\216\231\170 +\026\103\023\126\127\263\242\263\073\265\167\334\100\162\254\243 +\353\233\065\076\261\010\041\241\347\304\103\067\171\062\276\265 +\347\234\054\114\274\103\051\231\216\060\323\254\041\340\343\035 +\372\330\007\063\166\124\000\042\052\271\115\040\056\160\150\332 +\345\123\374\203\134\323\235\362\377\104\014\104\146\362\322\343 +\275\106\000\032\155\002\272\045\135\215\241\061\121\335\124\106 +\034\115\333\231\226\357\032\034\004\134\246\025\357\170\340\171 +\376\135\333\076\252\114\125\375\232\025\251\157\341\246\373\337 +\160\060\351\303\356\102\106\355\302\223\005\211\372\175\143\173 +\077\320\161\201\174\000\350\230\256\016\170\064\303\045\373\257 +\012\237\040\153\335\073\023\217\022\214\342\101\032\110\172\163 +\240\167\151\307\266\134\177\202\310\036\376\130\033\050\053\250 +\154\255\136\155\300\005\322\173\267\353\200\376\045\067\376\002 +\233\150\254\102\135\303\356\365\314\334\360\120\165\322\066\151 +\234\346\173\004\337\156\006\151\266\336\012\011\110\131\207\353 +\173\024\140\172\144\252\151\103\357\221\307\114\354\030\335\154 +\357\123\055\214\231\341\136\362\162\076\317\124\310\275\147\354 +\244\017\114\105\377\323\271\060\043\007\114\217\020\277\206\226 +\331\231\132\264\231\127\034\244\314\273\025\211\123\272\054\005 +\017\344\304\236\031\261\030\064\325\114\235\272\355\367\037\257 +\044\225\004\170\250\003\273\356\201\345\332\137\174\213\112\241 +\220\164\045\247\263\076\113\310\054\126\275\307\310\357\070\342 +\134\222\360\171\367\234\204\272\164\055\141\001\040\176\176\321 +\362\117\007\131\137\213\055\103\122\353\106\014\224\341\365\146 +\107\171\167\325\124\133\037\255\044\067\313\105\132\116\240\104 +\110\310\330\260\231\305\025\204\011\366\326\111\111\300\145\270 +\346\032\161\156\240\250\361\202\350\105\076\154\326\002\327\012 +\147\203\005\132\311\244\020 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + +# Trust for "GlobalSign Root CA - R6" +# Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R6 +# Serial Number:45:e6:bb:03:83:33:c3:85:65:48:e6:ff:45:51 +# Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R6 +# Not Valid Before: Wed Dec 10 00:00:00 2014 +# Not Valid After : Sun Dec 10 00:00:00 2034 +# Fingerprint (SHA-256): 2C:AB:EA:FE:37:D0:6C:A2:2A:BA:73:91:C0:03:3D:25:98:29:52:C4:53:64:73:49:76:3A:3A:B5:AD:6C:CF:69 +# Fingerprint (SHA1): 80:94:64:0E:B5:A7:A1:CA:11:9C:1F:DD:D5:9F:81:02:63:A7:FB:D1 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "GlobalSign Root CA - R6" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\200\224\144\016\265\247\241\312\021\234\037\335\325\237\201\002 +\143\247\373\321 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\117\335\007\344\324\042\144\071\036\014\067\102\352\321\306\256 +END +CKA_ISSUER MULTILINE_OCTAL +\060\114\061\040\060\036\006\003\125\004\013\023\027\107\154\157 +\142\141\154\123\151\147\156\040\122\157\157\164\040\103\101\040 +\055\040\122\066\061\023\060\021\006\003\125\004\012\023\012\107 +\154\157\142\141\154\123\151\147\156\061\023\060\021\006\003\125 +\004\003\023\012\107\154\157\142\141\154\123\151\147\156 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\016\105\346\273\003\203\063\303\205\145\110\346\377\105\121 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + +# +# Certificate "OISTE WISeKey Global Root GC CA" +# +# Issuer: CN=OISTE WISeKey Global Root GC CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH +# Serial Number:21:2a:56:0c:ae:da:0c:ab:40:45:bf:2b:a2:2d:3a:ea +# Subject: CN=OISTE WISeKey Global Root GC CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH +# Not Valid Before: Tue May 09 09:48:34 2017 +# Not Valid After : Fri May 09 09:58:33 2042 +# Fingerprint (SHA-256): 85:60:F9:1C:36:24:DA:BA:95:70:B5:FE:A0:DB:E3:6F:F1:1A:83:23:BE:94:86:85:4F:B3:F3:4A:55:71:19:8D +# Fingerprint (SHA1): E0:11:84:5E:34:DE:BE:88:81:B9:9C:F6:16:26:D1:96:1F:C3:B9:31 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "OISTE WISeKey Global Root GC CA" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\155\061\013\060\011\006\003\125\004\006\023\002\103\110\061 +\020\060\016\006\003\125\004\012\023\007\127\111\123\145\113\145 +\171\061\042\060\040\006\003\125\004\013\023\031\117\111\123\124 +\105\040\106\157\165\156\144\141\164\151\157\156\040\105\156\144 +\157\162\163\145\144\061\050\060\046\006\003\125\004\003\023\037 +\117\111\123\124\105\040\127\111\123\145\113\145\171\040\107\154 +\157\142\141\154\040\122\157\157\164\040\107\103\040\103\101 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\155\061\013\060\011\006\003\125\004\006\023\002\103\110\061 +\020\060\016\006\003\125\004\012\023\007\127\111\123\145\113\145 +\171\061\042\060\040\006\003\125\004\013\023\031\117\111\123\124 +\105\040\106\157\165\156\144\141\164\151\157\156\040\105\156\144 +\157\162\163\145\144\061\050\060\046\006\003\125\004\003\023\037 +\117\111\123\124\105\040\127\111\123\145\113\145\171\040\107\154 +\157\142\141\154\040\122\157\157\164\040\107\103\040\103\101 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\041\052\126\014\256\332\014\253\100\105\277\053\242\055 +\072\352 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\002\151\060\202\001\357\240\003\002\001\002\002\020\041 +\052\126\014\256\332\014\253\100\105\277\053\242\055\072\352\060 +\012\006\010\052\206\110\316\075\004\003\003\060\155\061\013\060 +\011\006\003\125\004\006\023\002\103\110\061\020\060\016\006\003 +\125\004\012\023\007\127\111\123\145\113\145\171\061\042\060\040 +\006\003\125\004\013\023\031\117\111\123\124\105\040\106\157\165 +\156\144\141\164\151\157\156\040\105\156\144\157\162\163\145\144 +\061\050\060\046\006\003\125\004\003\023\037\117\111\123\124\105 +\040\127\111\123\145\113\145\171\040\107\154\157\142\141\154\040 +\122\157\157\164\040\107\103\040\103\101\060\036\027\015\061\067 +\060\065\060\071\060\071\064\070\063\064\132\027\015\064\062\060 +\065\060\071\060\071\065\070\063\063\132\060\155\061\013\060\011 +\006\003\125\004\006\023\002\103\110\061\020\060\016\006\003\125 +\004\012\023\007\127\111\123\145\113\145\171\061\042\060\040\006 +\003\125\004\013\023\031\117\111\123\124\105\040\106\157\165\156 +\144\141\164\151\157\156\040\105\156\144\157\162\163\145\144\061 +\050\060\046\006\003\125\004\003\023\037\117\111\123\124\105\040 +\127\111\123\145\113\145\171\040\107\154\157\142\141\154\040\122 +\157\157\164\040\107\103\040\103\101\060\166\060\020\006\007\052 +\206\110\316\075\002\001\006\005\053\201\004\000\042\003\142\000 +\004\114\351\120\300\306\017\162\030\274\330\361\272\263\211\342 +\171\112\243\026\247\153\124\044\333\121\377\352\364\011\044\303 +\013\042\237\313\152\047\202\201\015\322\300\257\061\344\164\202 +\156\312\045\331\214\165\235\361\333\320\232\242\113\041\176\026 +\247\143\220\322\071\324\261\207\170\137\030\226\017\120\033\065 +\067\017\152\306\334\331\023\115\244\216\220\067\346\275\133\061 +\221\243\124\060\122\060\016\006\003\125\035\017\001\001\377\004 +\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377\004 +\005\060\003\001\001\377\060\035\006\003\125\035\016\004\026\004 +\024\110\207\024\254\343\303\236\220\140\072\327\312\211\356\323 +\255\214\264\120\146\060\020\006\011\053\006\001\004\001\202\067 +\025\001\004\003\002\001\000\060\012\006\010\052\206\110\316\075 +\004\003\003\003\150\000\060\145\002\060\046\307\151\133\334\325 +\347\262\347\310\014\214\214\303\335\171\214\033\143\325\311\122 +\224\116\115\202\112\163\036\262\200\204\251\045\300\114\132\155 +\111\051\140\170\023\342\176\110\353\144\002\061\000\333\064\040 +\062\010\377\232\111\002\266\210\336\024\257\135\154\231\161\215 +\032\077\213\327\340\242\066\206\034\007\202\072\166\123\375\302 +\242\355\357\173\260\200\117\130\017\113\123\071\275 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE + +# Trust for "OISTE WISeKey Global Root GC CA" +# Issuer: CN=OISTE WISeKey Global Root GC CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH +# Serial Number:21:2a:56:0c:ae:da:0c:ab:40:45:bf:2b:a2:2d:3a:ea +# Subject: CN=OISTE WISeKey Global Root GC CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH +# Not Valid Before: Tue May 09 09:48:34 2017 +# Not Valid After : Fri May 09 09:58:33 2042 +# Fingerprint (SHA-256): 85:60:F9:1C:36:24:DA:BA:95:70:B5:FE:A0:DB:E3:6F:F1:1A:83:23:BE:94:86:85:4F:B3:F3:4A:55:71:19:8D +# Fingerprint (SHA1): E0:11:84:5E:34:DE:BE:88:81:B9:9C:F6:16:26:D1:96:1F:C3:B9:31 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "OISTE WISeKey Global Root GC CA" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\340\021\204\136\064\336\276\210\201\271\234\366\026\046\321\226 +\037\303\271\061 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\251\326\271\055\057\223\144\370\245\151\312\221\351\150\007\043 +END +CKA_ISSUER MULTILINE_OCTAL +\060\155\061\013\060\011\006\003\125\004\006\023\002\103\110\061 +\020\060\016\006\003\125\004\012\023\007\127\111\123\145\113\145 +\171\061\042\060\040\006\003\125\004\013\023\031\117\111\123\124 +\105\040\106\157\165\156\144\141\164\151\157\156\040\105\156\144 +\157\162\163\145\144\061\050\060\046\006\003\125\004\003\023\037 +\117\111\123\124\105\040\127\111\123\145\113\145\171\040\107\154 +\157\142\141\154\040\122\157\157\164\040\107\103\040\103\101 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\041\052\126\014\256\332\014\253\100\105\277\053\242\055 +\072\352 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE diff --git a/lfs/ca-certificates b/lfs/ca-certificates index 8b6f71fef..e063b6439 100644 --- a/lfs/ca-certificates +++ b/lfs/ca-certificates @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2015 IPFire Team <info(a)ipfire.de> # +# Copyright (C) 2007-2018 IPFire Team <info(a)ipfire.org> # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 20180429 +VER = 20180910 THISAPP = ca-certificates DIR_APP = $(DIR_SRC)/$(THISAPP) -- 2.16.4

2 2

firewall.local
by Bob Brewer 11 Sep '18

11 Sep '18

I have a comprehensive blocklist which is loaded and unloaded from /etc/sysconfig/firewall.local by a script (blacklist.sh) at startup which creates drop rules in the CUSTOMFORWARD and CUSTOMINPUT tables. ********************************************* !/bin/sh # Used for private firewall rules # See how we were called. case "$1" in start) ## add your 'start' rules here /usr/local/bin/blacklist.sh INPUT append ;; stop) ## add your 'stop' rules here /usr/local/bin/blacklist.sh INPUT delete ;; reload) $0 stop $0 start ## add your 'reload' rules here ;; *) echo "Usage: $0 {start|stop|reload}" ;; esac ********************************************* It would appear that firewall.local script is called from /usr/lib/firewall/rules.pl with #Reload firewall.local if present if ( -f '/etc/sysconfig/firewall.local'){ run("/etc/sysconfig/firewall.local reload"); which calls "reload" to the firewall.local script which at boot first runs "stop" and tries to unload the blacklist firewall rules before they have been created causing many errors to be generated in the logs before the rules are then created with "start". Changing rules.pl to: run("/etc/sysconfig/firewall.local start"); overcomes the boot problem but I can't then find out how my blacklist rules would then be deleted and potentially multiple copies of the blacklist rules being created. Maybe I don't fully understand the way the firewall.local rules are controlled but to me there does seem to be an illogical way that the rules are created and deleted by firewall.local. To me it looks like a bug but if I have understood the process incorrectly, I would appreciate an explanation of the process. Regards Rob

1 0

[PATCH] openssh: Update to 7.8p1
by Matthias Fischer 10 Sep '18

10 Sep '18

For details see: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ChangeLog I didn't find an official lfs-patch for openssl-1.1-compatibility, so I used the patch from here: https://git.archlinux.org/svntogit/packages.git/plain/trunk/openssl-1.1.0.p… Building ran without any errors. I tested with both machines (test on Core 120 - and productive - on Core 122) and found no errors so far: ... [root@ipfiretest ~]# ssh -V OpenSSH_7.8p1, OpenSSL 1.1.0h 27 Mar 2018 ... ... root@ipfire: / # ssh -V OpenSSH_7.8p1, OpenSSL 1.1.0h 27 Mar 2018 ... All ssh-connections ran fine but I'm not REALLY sure if this is sufficient for anyone else. Could someone please check and confirm!? Best, Matthias Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- lfs/openssh | 6 +- ...ch => openssh-7.8p1-openssl-1.1.0-1.patch} | 210 +++++++++--------- 2 files changed, 103 insertions(+), 113 deletions(-) rename src/patches/{openssh-7.7p1-openssl-1.1.0-1.patch => openssh-7.8p1-openssl-1.1.0-1.patch} (90%) diff --git a/lfs/openssh b/lfs/openssh index a88b2d126..588820e50 100644 --- a/lfs/openssh +++ b/lfs/openssh @@ -24,7 +24,7 @@ include Config -VER = 7.7p1 +VER = 7.8p1 THISAPP = openssh-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 68ba883aff6958297432e5877e9a0fe2 +$(DL_FILE)_MD5 = ce1d090fa6239fd38eb989d5e983b074 install : $(TARGET) @@ -70,7 +70,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssh-7.7p1-openssl-1.1.0-1.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssh-7.8p1-openssl-1.1.0-1.patch cd $(DIR_APP) && sed -i "s/lkrb5 -ldes/lkrb5/" configure cd $(DIR_APP) && ./configure \ --prefix=/usr \ diff --git a/src/patches/openssh-7.7p1-openssl-1.1.0-1.patch b/src/patches/openssh-7.8p1-openssl-1.1.0-1.patch similarity index 90% rename from src/patches/openssh-7.7p1-openssl-1.1.0-1.patch rename to src/patches/openssh-7.8p1-openssl-1.1.0-1.patch index cfc9bba91..7f8c7cd4f 100644 --- a/src/patches/openssh-7.7p1-openssl-1.1.0-1.patch +++ b/src/patches/openssh-7.8p1-openssl-1.1.0-1.patch @@ -1,13 +1,6 @@ -Submitted by: Bruce Dubbs (bdubbs(a)linuxfromscratch.org) -Date: 2018-04-07 -Initial Package Version: 7.7p1 -Upstream Status: Pending (Still) -Origin: https://git.archlinux.org/svntogit/packages.git/plain/trunk/openssl-1.1.0.p… -Description: Fixes build issues with OpenSSL-1.1.0. - diff -aurp old/auth-pam.c new/auth-pam.c ---- old/auth-pam.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/auth-pam.c 2018-03-23 10:05:03.886621278 -1000 +--- old/auth-pam.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/auth-pam.c 2018-08-23 21:31:53.324592767 -0700 @@ -128,6 +128,10 @@ extern u_int utmp_len; typedef pthread_t sp_pthread_t; #else @@ -20,9 +13,9 @@ diff -aurp old/auth-pam.c new/auth-pam.c struct pam_ctxt { diff -aurp old/cipher.c new/cipher.c ---- old/cipher.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/cipher.c 2018-03-23 10:05:03.886621278 -1000 -@@ -297,7 +297,10 @@ cipher_init(struct sshcipher_ctx **ccp, +--- old/cipher.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/cipher.c 2018-08-23 21:31:53.327926112 -0700 +@@ -299,7 +299,10 @@ cipher_init(struct sshcipher_ctx **ccp, goto out; } } @@ -34,7 +27,7 @@ diff -aurp old/cipher.c new/cipher.c ret = SSH_ERR_LIBCRYPTO_ERROR; goto out; } -@@ -483,7 +486,7 @@ cipher_get_keyiv(struct sshcipher_ctx *c +@@ -485,7 +488,7 @@ cipher_get_keyiv(struct sshcipher_ctx *c len, iv)) return SSH_ERR_LIBCRYPTO_ERROR; } else @@ -43,7 +36,7 @@ diff -aurp old/cipher.c new/cipher.c #endif return 0; } -@@ -517,14 +520,19 @@ cipher_set_keyiv(struct sshcipher_ctx *c +@@ -519,14 +522,19 @@ cipher_set_keyiv(struct sshcipher_ctx *c EVP_CTRL_GCM_SET_IV_FIXED, -1, (void *)iv)) return SSH_ERR_LIBCRYPTO_ERROR; } else @@ -67,8 +60,8 @@ diff -aurp old/cipher.c new/cipher.c int diff -aurp old/cipher.h new/cipher.h ---- old/cipher.h 2018-03-22 16:21:14.000000000 -1000 -+++ new/cipher.h 2018-03-23 10:05:03.886621278 -1000 +--- old/cipher.h 2018-08-22 22:41:42.000000000 -0700 ++++ new/cipher.h 2018-08-23 21:31:53.327926112 -0700 @@ -46,7 +46,18 @@ #define CIPHER_DECRYPT 0 @@ -89,9 +82,9 @@ diff -aurp old/cipher.h new/cipher.h const struct sshcipher *cipher_by_name(const char *); const char *cipher_warning_message(const struct sshcipher_ctx *); diff -aurp old/configure new/configure ---- old/configure 2018-03-23 03:30:17.000000000 -1000 -+++ new/configure 2018-03-23 10:05:03.888621444 -1000 -@@ -13076,7 +13076,6 @@ if ac_fn_c_try_run "$LINENO"; then : +--- old/configure 2018-08-23 00:09:30.000000000 -0700 ++++ new/configure 2018-08-23 21:31:53.331259457 -0700 +@@ -13032,7 +13032,6 @@ if ac_fn_c_try_run "$LINENO"; then : 100*) ;; # 1.0.x 200*) ;; # LibreSSL *) @@ -100,9 +93,9 @@ diff -aurp old/configure new/configure esac { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ssl_library_ver" >&5 diff -aurp old/dh.c new/dh.c ---- old/dh.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/dh.c 2018-03-23 10:05:03.888621444 -1000 -@@ -211,14 +211,15 @@ choose_dh(int min, int wantbits, int max +--- old/dh.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/dh.c 2018-08-23 21:39:18.863765579 -0700 +@@ -216,14 +216,15 @@ choose_dh(int min, int wantbits, int max /* diffie-hellman-groupN-sha1 */ int @@ -120,7 +113,7 @@ diff -aurp old/dh.c new/dh.c logit("invalid public DH value: negative"); return 0; } -@@ -231,7 +232,8 @@ dh_pub_is_valid(DH *dh, BIGNUM *dh_pub) +@@ -236,7 +237,8 @@ dh_pub_is_valid(DH *dh, BIGNUM *dh_pub) error("%s: BN_new failed", __func__); return 0; } @@ -130,7 +123,7 @@ diff -aurp old/dh.c new/dh.c BN_cmp(dh_pub, tmp) != -1) { /* pub_exp > p-2 */ BN_clear_free(tmp); logit("invalid public DH value: >= p-1"); -@@ -242,14 +244,14 @@ dh_pub_is_valid(DH *dh, BIGNUM *dh_pub) +@@ -247,14 +249,14 @@ dh_pub_is_valid(DH *dh, BIGNUM *dh_pub) for (i = 0; i <= n; i++) if (BN_is_bit_set(dh_pub, i)) bits_set++; @@ -147,7 +140,7 @@ diff -aurp old/dh.c new/dh.c return 0; } return 1; -@@ -259,9 +261,13 @@ int +@@ -264,9 +266,13 @@ int dh_gen_key(DH *dh, int need) { int pbits; @@ -163,7 +156,7 @@ diff -aurp old/dh.c new/dh.c need > INT_MAX / 2 || 2 * need > pbits) return SSH_ERR_INVALID_ARGUMENT; if (need < 256) -@@ -270,10 +276,13 @@ dh_gen_key(DH *dh, int need) +@@ -275,11 +281,13 @@ dh_gen_key(DH *dh, int need) * Pollard Rho, Big step/Little Step attacks are O(sqrt(n)), * so double requested need here. */ @@ -171,6 +164,7 @@ diff -aurp old/dh.c new/dh.c - if (DH_generate_key(dh) == 0 || - !dh_pub_is_valid(dh, dh->pub_key)) { - BN_clear_free(dh->priv_key); +- dh->priv_key = NULL; + DH_set_length(dh, MIN(need * 2, pbits - 1)); + if (DH_generate_key(dh) == 0) { + return SSH_ERR_LIBCRYPTO_ERROR; @@ -181,7 +175,7 @@ diff -aurp old/dh.c new/dh.c return SSH_ERR_LIBCRYPTO_ERROR; } return 0; -@@ -282,16 +291,27 @@ dh_gen_key(DH *dh, int need) +@@ -288,16 +296,27 @@ dh_gen_key(DH *dh, int need) DH * dh_new_group_asc(const char *gen, const char *modulus) { @@ -216,7 +210,7 @@ diff -aurp old/dh.c new/dh.c } /* -@@ -306,8 +326,8 @@ dh_new_group(BIGNUM *gen, BIGNUM *modulu +@@ -312,8 +331,8 @@ dh_new_group(BIGNUM *gen, BIGNUM *modulu if ((dh = DH_new()) == NULL) return NULL; @@ -228,8 +222,8 @@ diff -aurp old/dh.c new/dh.c return (dh); } diff -aurp old/dh.h new/dh.h ---- old/dh.h 2018-03-22 16:21:14.000000000 -1000 -+++ new/dh.h 2018-03-23 10:05:03.889621527 -1000 +--- old/dh.h 2018-08-22 22:41:42.000000000 -0700 ++++ new/dh.h 2018-08-23 21:31:53.331259457 -0700 @@ -42,7 +42,7 @@ DH *dh_new_group18(void); DH *dh_new_group_fallback(int); @@ -240,8 +234,8 @@ diff -aurp old/dh.h new/dh.h u_int dh_estimate(int); diff -aurp old/digest-openssl.c new/digest-openssl.c ---- old/digest-openssl.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/digest-openssl.c 2018-03-23 10:05:03.889621527 -1000 +--- old/digest-openssl.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/digest-openssl.c 2018-08-23 21:31:53.331259457 -0700 @@ -43,7 +43,7 @@ struct ssh_digest_ctx { @@ -314,8 +308,8 @@ diff -aurp old/digest-openssl.c new/digest-openssl.c free(ctx); } diff -aurp old/kexdhc.c new/kexdhc.c ---- old/kexdhc.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/kexdhc.c 2018-03-23 10:05:03.889621527 -1000 +--- old/kexdhc.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/kexdhc.c 2018-08-23 21:31:53.331259457 -0700 @@ -81,11 +81,16 @@ kexdh_client(struct ssh *ssh) goto out; } @@ -363,8 +357,8 @@ diff -aurp old/kexdhc.c new/kexdhc.c if ((r = sshkey_verify(server_host_key, signature, slen, hash, hashlen, kex->hostkey_alg, ssh->compat)) != 0) diff -aurp old/kexdhs.c new/kexdhs.c ---- old/kexdhs.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/kexdhs.c 2018-03-23 10:58:58.126733207 -1000 +--- old/kexdhs.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/kexdhs.c 2018-08-23 21:36:50.600564263 -0700 @@ -163,6 +163,9 @@ input_kex_dh_init(int type, u_int32_t se goto out; /* calc H */ @@ -390,10 +384,10 @@ diff -aurp old/kexdhs.c new/kexdhs.c /* save session id := H */ if (kex->session_id == NULL) { -@@ -195,12 +200,17 @@ input_kex_dh_init(int type, u_int32_t se +@@ -195,12 +200,16 @@ input_kex_dh_init(int type, u_int32_t se /* destroy_sensitive_data(); */ - /* send server hostkey, DH pubkey 'f' and singed H */ + /* send server hostkey, DH pubkey 'f' and signed H */ + { + const BIGNUM *pub_key; + DH_get0_key(kex->dh, &pub_key, NULL); @@ -402,17 +396,15 @@ diff -aurp old/kexdhs.c new/kexdhs.c - (r = sshpkt_put_bignum2(ssh, kex->dh->pub_key)) != 0 || /* f */ + (r = sshpkt_put_bignum2(ssh, pub_key)) != 0 || /* f */ (r = sshpkt_put_string(ssh, signature, slen)) != 0 || -- (r = sshpkt_send(ssh)) != 0) -+ (r = sshpkt_send(ssh)) != 0) { + (r = sshpkt_send(ssh)) != 0) goto out; -+ } + } if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) == 0) r = kex_send_newkeys(ssh); diff -aurp old/kexgexc.c new/kexgexc.c ---- old/kexgexc.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/kexgexc.c 2018-03-23 11:00:00.132866201 -1000 +--- old/kexgexc.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/kexgexc.c 2018-08-23 21:31:53.331259457 -0700 @@ -118,11 +118,17 @@ input_kex_dh_gex_group(int type, u_int32 p = g = NULL; /* belong to kex->dh now */ @@ -465,8 +457,8 @@ diff -aurp old/kexgexc.c new/kexgexc.c if ((r = sshkey_verify(server_host_key, signature, slen, hash, hashlen, kex->hostkey_alg, ssh->compat)) != 0) diff -aurp old/kexgexs.c new/kexgexs.c ---- old/kexgexs.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/kexgexs.c 2018-03-23 11:03:06.045049721 -1000 +--- old/kexgexs.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/kexgexs.c 2018-08-23 21:36:11.493972372 -0700 @@ -101,11 +101,16 @@ input_kex_dh_gex_request(int type, u_int goto out; } @@ -516,10 +508,10 @@ diff -aurp old/kexgexs.c new/kexgexs.c /* save session id := H */ if (kex->session_id == NULL) { -@@ -225,12 +236,17 @@ input_kex_dh_gex_init(int type, u_int32_ +@@ -225,12 +236,16 @@ input_kex_dh_gex_init(int type, u_int32_ /* destroy_sensitive_data(); */ - /* send server hostkey, DH pubkey 'f' and singed H */ + /* send server hostkey, DH pubkey 'f' and signed H */ + { + const BIGNUM *pub_key; + DH_get0_key(kex->dh, &pub_key, NULL); @@ -528,35 +520,33 @@ diff -aurp old/kexgexs.c new/kexgexs.c - (r = sshpkt_put_bignum2(ssh, kex->dh->pub_key)) != 0 || /* f */ + (r = sshpkt_put_bignum2(ssh, pub_key)) != 0 || /* f */ (r = sshpkt_put_string(ssh, signature, slen)) != 0 || -- (r = sshpkt_send(ssh)) != 0) -+ (r = sshpkt_send(ssh)) != 0) { + (r = sshpkt_send(ssh)) != 0) goto out; -+ } + } if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) == 0) r = kex_send_newkeys(ssh); diff -aurp old/monitor.c new/monitor.c ---- old/monitor.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/monitor.c 2018-03-23 10:05:03.890621610 -1000 -@@ -595,10 +595,12 @@ mm_answer_moduli(int sock, Buffer *m) - buffer_put_char(m, 0); +--- old/monitor.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/monitor.c 2018-08-23 21:34:14.594343260 -0700 +@@ -589,10 +589,12 @@ mm_answer_moduli(int sock, struct sshbuf + fatal("%s: buffer error: %s", __func__, ssh_err(r)); return (0); } else { + const BIGNUM *p, *g; + DH_get0_pqg(dh, &p, NULL, &g); /* Send first bignum */ - buffer_put_char(m, 1); -- buffer_put_bignum2(m, dh->p); -- buffer_put_bignum2(m, dh->g); -+ buffer_put_bignum2(m, p); -+ buffer_put_bignum2(m, g); + if ((r = sshbuf_put_u8(m, 1)) != 0 || +- (r = sshbuf_put_bignum2(m, dh->p)) != 0 || +- (r = sshbuf_put_bignum2(m, dh->g)) != 0) ++ (r = sshbuf_put_bignum2(m, p)) != 0 || ++ (r = sshbuf_put_bignum2(m, g)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); DH_free(dh); - } diff -aurp old/openbsd-compat/openssl-compat.c new/openbsd-compat/openssl-compat.c ---- old/openbsd-compat/openssl-compat.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/openbsd-compat/openssl-compat.c 2018-03-23 10:05:03.890621610 -1000 +--- old/openbsd-compat/openssl-compat.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/openbsd-compat/openssl-compat.c 2018-08-23 21:31:53.334592801 -0700 @@ -75,7 +75,6 @@ ssh_OpenSSL_add_all_algorithms(void) /* Enable use of crypto hardware */ ENGINE_load_builtin_engines(); @@ -566,8 +556,8 @@ diff -aurp old/openbsd-compat/openssl-compat.c new/openbsd-compat/openssl-compat #endif diff -aurp old/regress/unittests/sshkey/test_file.c new/regress/unittests/sshkey/test_file.c ---- old/regress/unittests/sshkey/test_file.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/regress/unittests/sshkey/test_file.c 2018-03-23 10:05:03.890621610 -1000 +--- old/regress/unittests/sshkey/test_file.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/regress/unittests/sshkey/test_file.c 2018-08-23 21:31:53.334592801 -0700 @@ -60,9 +60,14 @@ sshkey_file_tests(void) a = load_bignum("rsa_1.param.n"); b = load_bignum("rsa_1.param.p"); @@ -605,8 +595,8 @@ diff -aurp old/regress/unittests/sshkey/test_file.c new/regress/unittests/sshkey BN_free(b); BN_free(c); diff -aurp old/regress/unittests/sshkey/test_sshkey.c new/regress/unittests/sshkey/test_sshkey.c ---- old/regress/unittests/sshkey/test_sshkey.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/regress/unittests/sshkey/test_sshkey.c 2018-03-23 10:05:03.890621610 -1000 +--- old/regress/unittests/sshkey/test_sshkey.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/regress/unittests/sshkey/test_sshkey.c 2018-08-23 21:31:53.334592801 -0700 @@ -197,9 +197,14 @@ sshkey_tests(void) k1 = sshkey_new(KEY_RSA); ASSERT_PTR_NE(k1, NULL); @@ -745,8 +735,8 @@ diff -aurp old/regress/unittests/sshkey/test_sshkey.c new/regress/unittests/sshk TEST_START("equal KEY_DSA/demoted KEY_DSA"); diff -aurp old/ssh-dss.c new/ssh-dss.c ---- old/ssh-dss.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/ssh-dss.c 2018-03-23 10:05:03.891621693 -1000 +--- old/ssh-dss.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/ssh-dss.c 2018-08-23 21:31:53.334592801 -0700 @@ -53,6 +53,7 @@ ssh_dss_sign(const struct sshkey *key, u DSA_SIG *sig = NULL; u_char digest[SSH_DIGEST_MAX_LENGTH], sigblob[SIGBLOB_LEN]; @@ -808,8 +798,8 @@ diff -aurp old/ssh-dss.c new/ssh-dss.c /* sha1 the data */ if ((ret = ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen, diff -aurp old/ssh-ecdsa.c new/ssh-ecdsa.c ---- old/ssh-ecdsa.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/ssh-ecdsa.c 2018-03-23 10:05:03.891621693 -1000 +--- old/ssh-ecdsa.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/ssh-ecdsa.c 2018-08-23 21:31:53.334592801 -0700 @@ -80,9 +80,14 @@ ssh_ecdsa_sign(const struct sshkey *key, ret = SSH_ERR_ALLOC_FAIL; goto out; @@ -858,9 +848,9 @@ diff -aurp old/ssh-ecdsa.c new/ssh-ecdsa.c ret = SSH_ERR_UNEXPECTED_TRAILING_DATA; goto out; diff -aurp old/ssh-keygen.c new/ssh-keygen.c ---- old/ssh-keygen.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/ssh-keygen.c 2018-03-23 10:05:03.891621693 -1000 -@@ -493,11 +493,33 @@ do_convert_private_ssh2_from_blob(u_char +--- old/ssh-keygen.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/ssh-keygen.c 2018-08-23 21:31:53.334592801 -0700 +@@ -494,11 +494,33 @@ do_convert_private_ssh2_from_blob(u_char switch (key->type) { case KEY_DSA: @@ -899,7 +889,7 @@ diff -aurp old/ssh-keygen.c new/ssh-keygen.c break; case KEY_RSA: if ((r = sshbuf_get_u8(b, &e1)) != 0 || -@@ -514,16 +536,52 @@ do_convert_private_ssh2_from_blob(u_char +@@ -515,16 +537,52 @@ do_convert_private_ssh2_from_blob(u_char e += e3; debug("e %lx", e); } @@ -958,7 +948,7 @@ diff -aurp old/ssh-keygen.c new/ssh-keygen.c if ((r = ssh_rsa_generate_additional_parameters(key)) != 0) fatal("generate RSA parameters failed: %s", ssh_err(r)); break; -@@ -633,7 +691,7 @@ do_convert_from_pkcs8(struct sshkey **k, +@@ -634,7 +692,7 @@ do_convert_from_pkcs8(struct sshkey **k, identity_file); } fclose(fp); @@ -967,7 +957,7 @@ diff -aurp old/ssh-keygen.c new/ssh-keygen.c case EVP_PKEY_RSA: if ((*k = sshkey_new(KEY_UNSPEC)) == NULL) fatal("sshkey_new failed"); -@@ -657,7 +715,7 @@ do_convert_from_pkcs8(struct sshkey **k, +@@ -658,7 +716,7 @@ do_convert_from_pkcs8(struct sshkey **k, #endif default: fatal("%s: unsupported pubkey type %d", __func__, @@ -977,9 +967,9 @@ diff -aurp old/ssh-keygen.c new/ssh-keygen.c EVP_PKEY_free(pubkey); return; diff -aurp old/ssh-pkcs11-client.c new/ssh-pkcs11-client.c ---- old/ssh-pkcs11-client.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/ssh-pkcs11-client.c 2018-03-23 10:05:03.892621777 -1000 -@@ -144,12 +144,13 @@ pkcs11_rsa_private_encrypt(int flen, con +--- old/ssh-pkcs11-client.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/ssh-pkcs11-client.c 2018-08-23 21:31:53.334592801 -0700 +@@ -156,12 +156,13 @@ pkcs11_rsa_private_encrypt(int flen, con static int wrap_key(RSA *rsa) { @@ -999,8 +989,8 @@ diff -aurp old/ssh-pkcs11-client.c new/ssh-pkcs11-client.c } diff -aurp old/ssh-pkcs11.c new/ssh-pkcs11.c ---- old/ssh-pkcs11.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/ssh-pkcs11.c 2018-03-23 10:05:03.892621777 -1000 +--- old/ssh-pkcs11.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/ssh-pkcs11.c 2018-08-23 21:31:53.334592801 -0700 @@ -67,7 +67,7 @@ struct pkcs11_key { struct pkcs11_provider *provider; CK_ULONG slotidx; @@ -1090,9 +1080,9 @@ diff -aurp old/ssh-pkcs11.c new/ssh-pkcs11.c free(attribs[i].pValue); } diff -aurp old/ssh-rsa.c new/ssh-rsa.c ---- old/ssh-rsa.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/ssh-rsa.c 2018-03-23 10:05:03.892621777 -1000 -@@ -84,7 +84,6 @@ ssh_rsa_generate_additional_parameters(s +--- old/ssh-rsa.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/ssh-rsa.c 2018-08-23 21:31:53.334592801 -0700 +@@ -108,7 +108,6 @@ ssh_rsa_generate_additional_parameters(s { BIGNUM *aux = NULL; BN_CTX *ctx = NULL; @@ -1100,7 +1090,7 @@ diff -aurp old/ssh-rsa.c new/ssh-rsa.c int r; if (key == NULL || key->rsa == NULL || -@@ -99,16 +98,27 @@ ssh_rsa_generate_additional_parameters(s +@@ -123,16 +122,27 @@ ssh_rsa_generate_additional_parameters(s } BN_set_flags(aux, BN_FLG_CONSTTIME); @@ -1135,7 +1125,7 @@ diff -aurp old/ssh-rsa.c new/ssh-rsa.c r = 0; out: BN_clear_free(aux); -@@ -139,7 +149,7 @@ ssh_rsa_sign(const struct sshkey *key, u +@@ -163,7 +173,7 @@ ssh_rsa_sign(const struct sshkey *key, u if (key == NULL || key->rsa == NULL || hash_alg == -1 || sshkey_type_plain(key->type) != KEY_RSA) return SSH_ERR_INVALID_ARGUMENT; @@ -1144,7 +1134,7 @@ diff -aurp old/ssh-rsa.c new/ssh-rsa.c return SSH_ERR_KEY_LENGTH; slen = RSA_size(key->rsa); if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM) -@@ -211,7 +221,7 @@ ssh_rsa_verify(const struct sshkey *key, +@@ -235,7 +245,7 @@ ssh_rsa_verify(const struct sshkey *key, sshkey_type_plain(key->type) != KEY_RSA || sig == NULL || siglen == 0) return SSH_ERR_INVALID_ARGUMENT; @@ -1154,9 +1144,9 @@ diff -aurp old/ssh-rsa.c new/ssh-rsa.c if ((b = sshbuf_from(sig, siglen)) == NULL) diff -aurp old/sshkey.c new/sshkey.c ---- old/sshkey.c 2018-03-22 16:21:14.000000000 -1000 -+++ new/sshkey.c 2018-03-23 10:05:03.893621860 -1000 -@@ -274,10 +274,18 @@ sshkey_size(const struct sshkey *k) +--- old/sshkey.c 2018-08-22 22:41:42.000000000 -0700 ++++ new/sshkey.c 2018-08-23 21:31:53.334592801 -0700 +@@ -292,10 +292,18 @@ sshkey_size(const struct sshkey *k) #ifdef WITH_OPENSSL case KEY_RSA: case KEY_RSA_CERT: @@ -1176,7 +1166,7 @@ diff -aurp old/sshkey.c new/sshkey.c case KEY_ECDSA: case KEY_ECDSA_CERT: return sshkey_curve_nid_to_bits(k->ecdsa_nid); -@@ -482,26 +490,53 @@ sshkey_new(int type) +@@ -500,26 +508,53 @@ sshkey_new(int type) #ifdef WITH_OPENSSL case KEY_RSA: case KEY_RSA_CERT: @@ -1236,7 +1226,7 @@ diff -aurp old/sshkey.c new/sshkey.c k->dsa = dsa; break; case KEY_ECDSA: -@@ -539,6 +574,51 @@ sshkey_add_private(struct sshkey *k) +@@ -557,6 +592,51 @@ sshkey_add_private(struct sshkey *k) #ifdef WITH_OPENSSL case KEY_RSA: case KEY_RSA_CERT: @@ -1288,7 +1278,7 @@ diff -aurp old/sshkey.c new/sshkey.c #define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL) if (bn_maybe_alloc_failed(k->rsa->d) || bn_maybe_alloc_failed(k->rsa->iqmp) || -@@ -547,13 +627,28 @@ sshkey_add_private(struct sshkey *k) +@@ -565,13 +645,28 @@ sshkey_add_private(struct sshkey *k) bn_maybe_alloc_failed(k->rsa->dmq1) || bn_maybe_alloc_failed(k->rsa->dmp1)) return SSH_ERR_ALLOC_FAIL; @@ -1317,7 +1307,7 @@ diff -aurp old/sshkey.c new/sshkey.c case KEY_ECDSA: case KEY_ECDSA_CERT: /* Cannot do anything until we know the group */ -@@ -677,16 +772,34 @@ sshkey_equal_public(const struct sshkey +@@ -695,16 +790,34 @@ sshkey_equal_public(const struct sshkey #ifdef WITH_OPENSSL case KEY_RSA_CERT: case KEY_RSA: @@ -1360,7 +1350,7 @@ diff -aurp old/sshkey.c new/sshkey.c # ifdef OPENSSL_HAS_ECC case KEY_ECDSA_CERT: case KEY_ECDSA: -@@ -775,12 +888,17 @@ to_blob_buf(const struct sshkey *key, st +@@ -793,12 +906,17 @@ to_blob_buf(const struct sshkey *key, st case KEY_DSA: if (key->dsa == NULL) return SSH_ERR_INVALID_ARGUMENT; @@ -1382,7 +1372,7 @@ diff -aurp old/sshkey.c new/sshkey.c break; # ifdef OPENSSL_HAS_ECC case KEY_ECDSA: -@@ -796,10 +914,14 @@ to_blob_buf(const struct sshkey *key, st +@@ -814,10 +932,14 @@ to_blob_buf(const struct sshkey *key, st case KEY_RSA: if (key->rsa == NULL) return SSH_ERR_INVALID_ARGUMENT; @@ -1399,7 +1389,7 @@ diff -aurp old/sshkey.c new/sshkey.c break; #endif /* WITH_OPENSSL */ case KEY_ED25519: -@@ -1740,13 +1862,32 @@ sshkey_from_private(const struct sshkey +@@ -1758,13 +1880,32 @@ sshkey_from_private(const struct sshkey case KEY_DSA_CERT: if ((n = sshkey_new(k->type)) == NULL) return SSH_ERR_ALLOC_FAIL; @@ -1436,7 +1426,7 @@ diff -aurp old/sshkey.c new/sshkey.c break; # ifdef OPENSSL_HAS_ECC case KEY_ECDSA: -@@ -1770,11 +1911,23 @@ sshkey_from_private(const struct sshkey +@@ -1788,11 +1929,23 @@ sshkey_from_private(const struct sshkey case KEY_RSA_CERT: if ((n = sshkey_new(k->type)) == NULL) return SSH_ERR_ALLOC_FAIL; @@ -1462,7 +1452,7 @@ diff -aurp old/sshkey.c new/sshkey.c break; #endif /* WITH_OPENSSL */ case KEY_ED25519: -@@ -1995,12 +2148,27 @@ sshkey_from_blob_internal(struct sshbuf +@@ -2013,12 +2166,27 @@ sshkey_from_blob_internal(struct sshbuf ret = SSH_ERR_ALLOC_FAIL; goto out; } @@ -1493,7 +1483,7 @@ diff -aurp old/sshkey.c new/sshkey.c ret = SSH_ERR_KEY_LENGTH; goto out; } -@@ -2020,13 +2188,36 @@ sshkey_from_blob_internal(struct sshbuf +@@ -2038,13 +2206,36 @@ sshkey_from_blob_internal(struct sshbuf ret = SSH_ERR_ALLOC_FAIL; goto out; } @@ -1534,7 +1524,7 @@ diff -aurp old/sshkey.c new/sshkey.c #ifdef DEBUG_PK DSA_print_fp(stderr, key->dsa, 8); #endif -@@ -2327,26 +2518,63 @@ sshkey_demote(const struct sshkey *k, st +@@ -2389,26 +2580,63 @@ sshkey_demote(const struct sshkey *k, st goto fail; /* FALLTHROUGH */ case KEY_RSA: @@ -1606,7 +1596,7 @@ diff -aurp old/sshkey.c new/sshkey.c break; case KEY_ECDSA_CERT: if ((ret = sshkey_cert_copy(k, pk)) != 0) -@@ -2496,11 +2724,17 @@ sshkey_certify_custom(struct sshkey *k, +@@ -2558,11 +2786,17 @@ sshkey_certify_custom(struct sshkey *k, switch (k->type) { #ifdef WITH_OPENSSL case KEY_DSA_CERT: @@ -1628,7 +1618,7 @@ diff -aurp old/sshkey.c new/sshkey.c break; # ifdef OPENSSL_HAS_ECC case KEY_ECDSA_CERT: -@@ -2513,9 +2747,15 @@ sshkey_certify_custom(struct sshkey *k, +@@ -2575,9 +2809,15 @@ sshkey_certify_custom(struct sshkey *k, break; # endif /* OPENSSL_HAS_ECC */ case KEY_RSA_CERT: @@ -1646,7 +1636,7 @@ diff -aurp old/sshkey.c new/sshkey.c break; #endif /* WITH_OPENSSL */ case KEY_ED25519_CERT: -@@ -2702,42 +2942,67 @@ sshkey_private_serialize_opt(const struc +@@ -2764,42 +3004,67 @@ sshkey_private_serialize_opt(const struc switch (key->type) { #ifdef WITH_OPENSSL case KEY_RSA: @@ -1730,7 +1720,7 @@ diff -aurp old/sshkey.c new/sshkey.c break; # ifdef OPENSSL_HAS_ECC case KEY_ECDSA: -@@ -2851,18 +3116,61 @@ sshkey_private_deserialize(struct sshbuf +@@ -2913,18 +3178,61 @@ sshkey_private_deserialize(struct sshbuf r = SSH_ERR_ALLOC_FAIL; goto out; } @@ -1799,7 +1789,7 @@ diff -aurp old/sshkey.c new/sshkey.c break; # ifdef OPENSSL_HAS_ECC case KEY_ECDSA: -@@ -2921,29 +3229,104 @@ sshkey_private_deserialize(struct sshbuf +@@ -2983,29 +3291,104 @@ sshkey_private_deserialize(struct sshbuf r = SSH_ERR_ALLOC_FAIL; goto out; } @@ -1918,7 +1908,7 @@ diff -aurp old/sshkey.c new/sshkey.c r = SSH_ERR_KEY_LENGTH; goto out; } -@@ -3707,7 +4090,6 @@ translate_libcrypto_error(unsigned long +@@ -3769,7 +4152,6 @@ translate_libcrypto_error(unsigned long switch (pem_reason) { case EVP_R_BAD_DECRYPT: return SSH_ERR_KEY_WRONG_PASSPHRASE; @@ -1926,7 +1916,7 @@ diff -aurp old/sshkey.c new/sshkey.c case EVP_R_DECODE_ERROR: #ifdef EVP_R_PRIVATE_KEY_DECODE_ERROR case EVP_R_PRIVATE_KEY_DECODE_ERROR: -@@ -3772,7 +4154,7 @@ sshkey_parse_private_pem_fileblob(struct +@@ -3834,7 +4216,7 @@ sshkey_parse_private_pem_fileblob(struct r = convert_libcrypto_error(); goto out; } @@ -1935,7 +1925,7 @@ diff -aurp old/sshkey.c new/sshkey.c (type == KEY_UNSPEC || type == KEY_RSA)) { if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { r = SSH_ERR_ALLOC_FAIL; -@@ -3787,11 +4169,11 @@ sshkey_parse_private_pem_fileblob(struct +@@ -3849,11 +4231,11 @@ sshkey_parse_private_pem_fileblob(struct r = SSH_ERR_LIBCRYPTO_ERROR; goto out; } @@ -1949,7 +1939,7 @@ diff -aurp old/sshkey.c new/sshkey.c (type == KEY_UNSPEC || type == KEY_DSA)) { if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) { r = SSH_ERR_ALLOC_FAIL; -@@ -3803,7 +4185,7 @@ sshkey_parse_private_pem_fileblob(struct +@@ -3865,7 +4247,7 @@ sshkey_parse_private_pem_fileblob(struct DSA_print_fp(stderr, prv->dsa, 8); #endif #ifdef OPENSSL_HAS_ECC -- 2.18.0

3 5

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Development September 2018