public inbox for ipfire-scm@lists.ipfire.org
From: Michael Tremer <git@ipfire.org>
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 5210b5879ba1bf2c3836bf54c4e3a50fa1b0c6f2
Date: Thu, 20 Sep 2018 14:54:55 +0100
Message-ID: <20180920135456.0F8C81081BD3@git01.ipfire.org>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  5210b5879ba1bf2c3836bf54c4e3a50fa1b0c6f2 (commit)
       via  b1bfe61711ac678632118180c06a34deeab96a24 (commit)
       via  37d7f3801877b3330465b1a20cfba2fc4987e610 (commit)
       via  74189c1d5519c077c43fe123e6e3a3d39176e1fb (commit)
       via  1d2fe90cc8952879835c3694a6cb8c45b097013c (commit)
       via  bd0686f441cf09a2041e1647de6e0dffda590409 (commit)
       via  07da1af688135710960e6deb9049a3fab6cb6e81 (commit)
       via  38485efafba2936ca3856e1324cca2044a13e85b (commit)
       via  a6c190818a15342db5d91f4219587aa08f692173 (commit)
      from  06131f41e4a186ed7a70e8ef4f002d63cc16707a (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 5210b5879ba1bf2c3836bf54c4e3a50fa1b0c6f2
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Thu Sep 20 14:54:02 2018 +0100

    core124: Ship updated iproute2
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit b1bfe61711ac678632118180c06a34deeab96a24
Author: Matthias Fischer <matthias.fischer(a)ipfire.org>
Date:   Tue Sep 18 19:35:10 2018 +0200

    iproute2: Update to 4.18.0
    
    Triggered by https://bugzilla.ipfire.org/show_bug.cgi?id=11866 ;-)
    
    For details see:
    https://lwn.net/Articles/762515/
    
    Best,
    Matthias
    
    Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 37d7f3801877b3330465b1a20cfba2fc4987e610
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Thu Sep 20 14:52:17 2018 +0100

    core124: Ship updated openssh package
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 74189c1d5519c077c43fe123e6e3a3d39176e1fb
Author: Matthias Fischer <matthias.fischer(a)ipfire.org>
Date:   Mon Sep 10 19:38:17 2018 +0200

    openssh: Update to 7.8p1
    
    For details see:
    http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ChangeLog
    
    I didn't find an official lfs-patch for openssl-1.1-compatibility,
    so I used the patch from here:
    https://git.archlinux.org/svntogit/packages.git/plain/trunk/openssl-1.1.0.patch?h=packages/openssh
    
    Building ran without any errors.
    
    I tested with both machines (test on Core 120 - and productive - on Core 122) and found no errors so far:
    
    ...
    [root(a)ipfiretest ~]# ssh -V
    OpenSSH_7.8p1, OpenSSL 1.1.0h  27 Mar 2018
    ...
    
    ...
    root(a)ipfire: / # ssh -V
    OpenSSH_7.8p1, OpenSSL 1.1.0h  27 Mar 2018
    ...
    
    All ssh-connections ran fine but I'm not REALLY sure if this is sufficient for anyone else.
    
    Could someone please check and confirm!?
    
    Best,
    Matthias
    
    Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
    Tested-by: Peter Müller <peter.mueller(a)link38.eu>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 1d2fe90cc8952879835c3694a6cb8c45b097013c
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Thu Sep 20 14:51:13 2018 +0100

    core124: Ship updated OpenSSH configuration
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit bd0686f441cf09a2041e1647de6e0dffda590409
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Thu Sep 20 14:50:25 2018 +0100

    ssh: Remove AuthenticationMethods directive
    
    This is only setting something that is default anyways and
    prevents sshd from starting if one of the listed methods
    is not activated.
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 07da1af688135710960e6deb9049a3fab6cb6e81
Author: Peter Müller <peter.mueller(a)link38.eu>
Date:   Mon Sep 10 17:52:23 2018 +0200

    use custom SSH server configuration in LFS file
    
    Include OpenSSH server configuration file during build.
    
    Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 38485efafba2936ca3856e1324cca2044a13e85b
Author: Peter Müller <peter.mueller(a)link38.eu>
Date:   Mon Sep 10 17:52:22 2018 +0200

    add hardened SSH server configuration
    
    In order to harden OpenSSH server in IPFire, using the upstream default configuration
    and editing it via sed commands in the LFS file is error-prone and does not scale.
    
    Therefore we ship a custom and more secure OpenSSH server configuration which
    is copied into the image during build time.
    
    The fourth version of this patch disables password authentication by
    default, since this is required by some cloud hosters in order to apply
    the image. Further, this method is less secure than pubkey
    authentication.
    
    Non-AEAD ciphers have been re-added to provide compatibility to older
    RHEL systems.
    
    Fixes #11750
    Fixes #11751
    Partially fixes #11538
    
    Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
    Cc: Marcel Lorenz <marcel.lorenz(a)ipfire.org>
    Cc: Michael Tremer <michael.tremer(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit a6c190818a15342db5d91f4219587aa08f692173
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Thu Sep 20 14:21:41 2018 +0100

    backup: Fix deleting backup files
    
    Signed-off-by: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 config/backup/backup.pl                            |   7 +-
 config/rootfiles/common/iproute2                   |   3 +
 config/rootfiles/core/124/exclude                  |   2 -
 config/rootfiles/core/124/filelists/files          |   3 +
 .../{oldcore/106 => core/124}/filelists/iproute2   |   0
 .../{oldcore/100 => core/124}/filelists/openssh    |   0
 config/rootfiles/core/124/update.sh                |   3 +
 config/ssh/sshd_config                             |  78 ++++++++
 html/cgi-bin/backup.cgi                            |   6 +-
 lfs/iproute2                                       |   4 +-
 lfs/openssh                                        |  26 +--
 ...1.patch => openssh-7.8p1-openssl-1.1.0-1.patch} | 210 ++++++++++-----------
 12 files changed, 199 insertions(+), 143 deletions(-)
 copy config/rootfiles/{oldcore/106 => core/124}/filelists/iproute2 (100%)
 copy config/rootfiles/{oldcore/100 => core/124}/filelists/openssh (100%)
 create mode 100644 config/ssh/sshd_config
 rename src/patches/{openssh-7.7p1-openssl-1.1.0-1.patch => openssh-7.8p1-openssl-1.1.0-1.patch} (90%)

Difference in files:
diff --git a/config/backup/backup.pl b/config/backup/backup.pl
index ce16e7f42..ce8911635 100644
--- a/config/backup/backup.pl
+++ b/config/backup/backup.pl
@@ -138,11 +138,8 @@ elsif ($ARGV[0] eq 'cli') {
 elsif ($ARGV[0] eq 'addonbackup') {
   system("tar -cvzf /var/ipfire/backup/addons/backup/$ARGV[1].ipf --files-from='/var/ipfire/backup/addons/includes/$ARGV[1]'");
 }
-elsif ($ARGV[0] =~ /ipf$/ ) {
-  system("rm /var/ipfire/backup/$ARGV[0]");
-}
-elsif ($ARGV[0] =~ /iso$/ ) {
-  system("rm /var/tmp/backupiso/$ARGV[0]");
+elsif ($ARGV[0] =~ /\.(iso|ipf)$/ ) {
+  unlink("$ARGV[0]");
 }
 elsif ($ARGV[0] eq '') {
  printf "No argument given, please use <include><exclude><cli>\n"
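Review bot: the new branch "elsif ($ARGV[0] =~ /\.(iso|ipf)$/ )" checks only the file extension and then calls unlink("$ARGV[0]") on the argument as given, so the delete is no longer confined to /var/ipfire/backup/ or /var/tmp/backupiso/ the way the two removed branches were. Any absolute or ../ path ending in .iso or .ipf is accepted, and a relative name resolves against whatever the current working directory is. Dropping the shell-interpolated rm is a good change; to keep the directory restriction as well, resolve the argument and refuse it unless it lies under one of the expected backup directories, and check the return value of unlink so a failed delete is reported.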
diff --git a/config/rootfiles/common/iproute2 b/config/rootfiles/common/iproute2
index afa30467f..cf9a5c456 100644
--- a/config/rootfiles/common/iproute2
+++ b/config/rootfiles/common/iproute2
@@ -65,6 +65,7 @@ usr/share/bash-completion/completions/tc
 #usr/share/man/man8/devlink-dev.8
 #usr/share/man/man8/devlink-monitor.8
 #usr/share/man/man8/devlink-port.8
+#usr/share/man/man8/devlink-resource.8
 #usr/share/man/man8/devlink-sb.8
 #usr/share/man/man8/devlink.8
 #usr/share/man/man8/genl.8
@@ -97,6 +98,7 @@ usr/share/bash-completion/completions/tc
 #usr/share/man/man8/nstat.8
 #usr/share/man/man8/rdma-dev.8
 #usr/share/man/man8/rdma-link.8
+#usr/share/man/man8/rdma-resource.8
 #usr/share/man/man8/rdma.8
 #usr/share/man/man8/routef.8
 #usr/share/man/man8/routel.8
@@ -111,6 +113,7 @@ usr/share/bash-completion/completions/tc
 #usr/share/man/man8/tc-bpf.8
 #usr/share/man/man8/tc-cbq-details.8
 #usr/share/man/man8/tc-cbq.8
+#usr/share/man/man8/tc-cbs.8
 #usr/share/man/man8/tc-cgroup.8
 #usr/share/man/man8/tc-choke.8
 #usr/share/man/man8/tc-codel.8
diff --git a/config/rootfiles/core/124/exclude b/config/rootfiles/core/124/exclude
index d6fd053b6..b22159878 100644
--- a/config/rootfiles/core/124/exclude
+++ b/config/rootfiles/core/124/exclude
@@ -11,8 +11,6 @@ etc/ipsec.user.secrets
 etc/localtime
 etc/shadow
 etc/snort/snort.conf
-etc/ssh/ssh_config
-etc/ssh/sshd_config
 etc/ssl/openssl.cnf
 etc/sudoers
 etc/sysconfig/firewall.local
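Review bot: removing etc/ssh/ssh_config and etc/ssh/sshd_config from this exclude list, together with adding both to filelists/files, means the Core 124 update replaces the files on existing systems, including any options an administrator added by hand. update.sh only runs sshctrl afterwards, so hand-made changes are not carried over; consider keeping a copy of the previous files before they are overwritten and stating the replacement in the release notes.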
diff --git a/config/rootfiles/core/124/filelists/files b/config/rootfiles/core/124/filelists/files
index e3e295706..25e812593 100644
--- a/config/rootfiles/core/124/filelists/files
+++ b/config/rootfiles/core/124/filelists/files
@@ -6,6 +6,8 @@ etc/rc.d/init.d/localnet
 etc/rc.d/init.d/networking/red.down/10-static-routes
 etc/rc.d/init.d/partresize
 etc/rc.d/init.d/static-routes
+etc/ssh/ssh_config
+etc/ssh/sshd_config
 etc/sysctl.conf
 etc/unbound/unbound.conf
 opt/pakfire/lib/functions.pl
@@ -21,6 +23,7 @@ srv/web/ipfire/html/redirect-templates/legacy/template.html
 usr/bin/install-bootloader
 usr/local/bin/backupiso
 usr/local/bin/rebuild-initrd
+var/ipfire/backup/bin/backup.pl
 var/ipfire/backup/exclude
 var/ipfire/backup/include
 var/ipfire/langs
diff --git a/config/rootfiles/core/124/filelists/iproute2 b/config/rootfiles/core/124/filelists/iproute2
new file mode 120000
index 000000000..05f0f71fb
--- /dev/null
+++ b/config/rootfiles/core/124/filelists/iproute2
@@ -0,0 +1 @@
+../../../common/iproute2
\ No newline at end of file
diff --git a/config/rootfiles/core/124/filelists/openssh b/config/rootfiles/core/124/filelists/openssh
new file mode 120000
index 000000000..d8c77fd8e
--- /dev/null
+++ b/config/rootfiles/core/124/filelists/openssh
@@ -0,0 +1 @@
+../../../common/openssh
\ No newline at end of file
diff --git a/config/rootfiles/core/124/update.sh b/config/rootfiles/core/124/update.sh
index 88da254e0..3b5a601d6 100644
--- a/config/rootfiles/core/124/update.sh
+++ b/config/rootfiles/core/124/update.sh
@@ -95,6 +95,9 @@ ldconfig
 # Update Language cache
 /usr/local/bin/update-lang-cache
 
+# Apply local configuration to sshd_config
+/usr/local/bin/sshctrl
+
 # Start services
 /etc/init.d/rngd restart
 /etc/init.d/ntp restart
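Review bot: the added /usr/local/bin/sshctrl call has its result ignored, and nothing in this hunk reloads sshd afterwards. Because the shipped sshd_config sets "PasswordAuthentication no", a system whose administrators log in with a password depends on this one call to restore that setting; if it fails silently, the next sshd restart leaves them without SSH access. Check the exit status and log a failure, and, unless sshctrl already does so itself, restart sshd in the "Start services" block only after sshctrl has succeeded.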
diff --git a/config/ssh/sshd_config b/config/ssh/sshd_config
new file mode 100644
index 000000000..4a25e8383
--- /dev/null
+++ b/config/ssh/sshd_config
@@ -0,0 +1,78 @@
+# ultra-secure OpenSSH server configuration
+
+# only allow version 2 of SSH protocol
+Protocol 2
+
+# listen on port 22 by default
+Port 22
+
+# listen on these interfaces and protocols
+AddressFamily any
+ListenAddress 0.0.0.0
+
+# limit authentication thresholds
+LoginGraceTime 30s
+MaxAuthTries 3
+
+# limit maximum instanctes to prevent DoS
+MaxStartups 5
+
+# ensure proper logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# enforce permission checks before a login is accepted
+# (prevents damage because of hacked systems with world-writeable
+# home directories or similar)
+StrictModes yes
+
+# only allow safe crypto algorithms (may break some _very_ outdated clients)
+# see also: https://stribika.github.io/2015/01/04/secure-secure-shell.html
+KexAlgorithms curve25519-sha256(a)libssh.org,diffie-hellman-group-exchange-sha256
+Ciphers chacha20-poly1305(a)openssh.com,aes256-gcm(a)openssh.com,aes128-gcm(a)openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+MACs hmac-sha2-512-etm(a)openssh.com,hmac-sha2-256-etm(a)openssh.com,umac-128-etm(a)openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128(a)openssh.com
+
+# enable data compression after successful login only
+Compression delayed
+
+# only allow cryptographically safe SSH host keys (adjust paths if needed)
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_rsa_key
+
+# only allow login via public key by default
+PubkeyAuthentication yes
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+PermitEmptyPasswords no
+
+# permit root login as there is no other user in IPFire 2.x
+PermitRootLogin yes
+
+# ignore user ~/.rhost* files
+IgnoreRhosts yes
+
+# ignore user known hosts file
+IgnoreUserKnownHosts yes
+
+# ignore user environments
+PermitUserEnvironment no
+
+# do not allow any kind of forwarding (provides only low security)
+# some of them might need to be re-enabled if SSH server is a jump platform
+X11Forwarding no
+AllowTcpForwarding no
+AllowAgentForwarding no
+PermitTunnel no
+GatewayPorts no
+PermitOpen none
+
+# detect broken sessions by sending keep-alive messages to
+# clients (both via TCP and SSH)
+TCPKeepAlive yes
+ClientAliveInterval 10
+
+# close unresponsive SSH sessions which fail to answer keep-alive
+ClientAliveCountMax 6
+
+# EOF
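Review bot: the file contains no Subsystem line, so sshd will stop offering SFTP once this configuration replaces the sed-edited upstream default, which left upstream's sftp subsystem entry in place; add a "Subsystem sftp" line if SFTP access is meant to keep working. "MaxStartups 5" without the start:rate:full form is a hard cap: once five unauthenticated connections are open, every further connection is refused until one authenticates or the 30s LoginGraceTime expires, which also shuts out administrators, so a graduated value would keep the protection without that failure mode. "Protocol 2" has no effect on the 7.8p1 server shipped in the same push, since sshd no longer supports protocol 1, and the comment above MaxStartups has a typo ("instanctes").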
diff --git a/html/cgi-bin/backup.cgi b/html/cgi-bin/backup.cgi
index 2a036279d..cac4146ab 100644
--- a/html/cgi-bin/backup.cgi
+++ b/html/cgi-bin/backup.cgi
@@ -137,8 +137,6 @@ elsif ( $cgiparams{'ACTION'} eq "delete" )
 	my $file = &sanitise_file($cgiparams{'FILE'});
 	exit(1) unless defined($file);
 
-	$file = &File::Basename::basename($file);
-
 	system("/usr/local/bin/backupctrl $file >/dev/null 2>&1");
 }
 
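Review bot: with the File::Basename::basename() call removed from the delete action, the value returned by sanitise_file goes to backupctrl unchanged, and $file is still interpolated into a single shell command string. Since backup.pl now unlinks its argument without prepending a directory, sanitise_file becomes the only place that ties the delete to the backup directories; it is not part of this diff, so please confirm that it rejects anything resolving outside those directories, or keep the basename() step. Calling system() in list form, system('/usr/local/bin/backupctrl', $file), would also keep the file name away from the shell.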
@@ -266,7 +264,7 @@ print <<END
 	<td align='right' width='5'>
 		<form method='post' action='$ENV{'SCRIPT_NAME'}'>
 		<input type='hidden' name='ACTION' value='delete' />
-		<input type='hidden' name='FILE' value='addons//backup/$_.ipf' />
+		<input type='hidden' name='FILE' value='$_.ipf' />
 		<input type='image' alt='$Lang::tr{'delete'}' title='$Lang::tr{'delete'}' src='/images/user-trash.png' />
 		</form>
 	</td>
@@ -305,7 +303,7 @@ print <<END
 	<td align='right' width='5'>
 		<form method='post' action='$ENV{'SCRIPT_NAME'}'>
 		<input type='hidden' name='ACTION' value='delete' />
-		<input type='hidden' name='FILE' value='addons//backup/$_.ipf' />
+		<input type='hidden' name='FILE' value='$_.ipf' />
 		<input type='image' alt='$Lang::tr{'delete'}' title='$Lang::tr{'delete'}' src='/images/user-trash.png' />
 		</form>
 	</td>
diff --git a/lfs/iproute2 b/lfs/iproute2
index 7fa8a1c13..4d2a6f4d7 100644
--- a/lfs/iproute2
+++ b/lfs/iproute2
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 4.14.1
+VER        = 4.18.0
 
 THISAPP    = iproute2-$(VER)
 DL_FILE    = $(THISAPP).tar.xz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE)             = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5         = 1075423d7029e02a8f23ed4f42b7e372
+$(DL_FILE)_MD5         = 8b8680e91390c57cab788fbf8e929479
 
 install : $(TARGET)
 
diff --git a/lfs/openssh b/lfs/openssh
index 0e6acc227..c67f135e8 100644
--- a/lfs/openssh
+++ b/lfs/openssh
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 7.7p1
+VER        = 7.8p1
 
 THISAPP    = openssh-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = 68ba883aff6958297432e5877e9a0fe2
+$(DL_FILE)_MD5 = ce1d090fa6239fd38eb989d5e983b074
 
 install : $(TARGET)
 
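Review bot: the only integrity check on the new openssh-7.8p1 tarball is the $(DL_FILE)_MD5 value updated in this hunk (the same holds for lfs/iproute2 above). MD5 is not collision resistant, so it catches a corrupted download but is weak evidence that the archive is the one upstream released; recording a SHA-256 or stronger digest, or verifying the upstream release signature when the version is bumped, would be a better pin for a package like OpenSSH.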
@@ -70,7 +70,7 @@ $(subst %,%_MD5,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
-	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssh-7.7p1-openssl-1.1.0-1.patch
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssh-7.8p1-openssl-1.1.0-1.patch
 	cd $(DIR_APP) && sed -i "s/lkrb5 -ldes/lkrb5/" configure
 	cd $(DIR_APP) && ./configure \
 		--prefix=/usr \
@@ -82,23 +82,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 
 	cd $(DIR_APP) && make $(MAKETUNING)
 	cd $(DIR_APP) && make install
-	sed -i -e 's/^#\?Port .*$$/Port 22/' \
-		-e 's/^#\?Protocol .*$$/Protocol 2/' \
-		-e 's/^#\?LoginGraceTime .*$$/LoginGraceTime 30s/' \
-		-e 's/^#\?PubkeyAuthentication .*$$/PubkeyAuthentication yes/' \
-		-e 's/^#\?PasswordAuthentication .*$$/PasswordAuthentication no/' \
-		-e 's/^#\?MaxStartups .*$$/MaxStartups 5/' \
-		-e 's/^#\?IgnoreUserKnownHosts .*$$/IgnoreUserKnownHosts yes/' \
-		-e 's/^#\?UsePAM .*$$//' \
-		-e 's/^#\?X11Forwarding .*$$/X11Forwarding no/' \
-		-e 's/^#\?SyslogFacility AUTH .*$$/SyslogFacility AUTH/' \
-		-e 's/^#\?LogLevel INFO .*$$/LogLevel INFO/' \
-		-e 's/^#\?AllowTcpForwarding .*$$/AllowTcpForwarding no/' \
-		-e 's/^#\?PermitRootLogin .*$$/PermitRootLogin yes/' \
-		-e 's|^#\?HostKey /etc/ssh/ssh_host_dsa_key$$||' \
-		-e 's|^#\?HostKey /etc/ssh/ssh_host_ecdsa_key$$||' \
-		-e 's|^#\?HostKey /etc/ssh/ssh_host_ed25519_key$$||' \
-		-e 's|^#\?HostKey /etc/ssh/ssh_host_rsa_key$$|HostKey /etc/ssh/ssh_host_ecdsa_key\nHostKey /etc/ssh/ssh_host_ed25519_key\nHostKey /etc/ssh/ssh_host_rsa_key|' \
+
+	# install custom OpenSSH server configuration
+	install -v -m 644 $(DIR_SRC)/config/ssh/sshd_config \
 		/etc/ssh/sshd_config
 
 	# install custom OpenSSH client configuration
diff --git a/src/patches/openssh-7.7p1-openssl-1.1.0-1.patch b/src/patches/openssh-7.8p1-openssl-1.1.0-1.patch
similarity index 90%
rename from src/patches/openssh-7.7p1-openssl-1.1.0-1.patch
rename to src/patches/openssh-7.8p1-openssl-1.1.0-1.patch
index cfc9bba91..7f8c7cd4f 100644
--- a/src/patches/openssh-7.7p1-openssl-1.1.0-1.patch
+++ b/src/patches/openssh-7.8p1-openssl-1.1.0-1.patch
@@ -1,13 +1,6 @@
-Submitted by:            Bruce Dubbs (bdubbs(a)linuxfromscratch.org)
-Date:                    2018-04-07
-Initial Package Version: 7.7p1
-Upstream Status:         Pending (Still)
-Origin:                  https://git.archlinux.org/svntogit/packages.git/plain/trunk/openssl-1.1.0.patch?h=packages/openssh
-Description:             Fixes build issues with OpenSSL-1.1.0.
-
 diff -aurp old/auth-pam.c new/auth-pam.c
---- old/auth-pam.c	2018-03-22 16:21:14.000000000 -1000
-+++ new/auth-pam.c	2018-03-23 10:05:03.886621278 -1000
+--- old/auth-pam.c	2018-08-22 22:41:42.000000000 -0700
++++ new/auth-pam.c	2018-08-23 21:31:53.324592767 -0700
 @@ -128,6 +128,10 @@ extern u_int utmp_len;
  typedef pthread_t sp_pthread_t;
  #else
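Review bot: this first hunk deletes the whole header block (Submitted by, Date, Initial Package Version, Upstream Status, Origin, Description), leaving the renamed 7.8p1 patch with no record of where it came from. The commit message says this version was taken from the Arch Linux packages tree because no official LFS patch was found; keep at least the Origin, Upstream Status and Description lines at the top of the file so that whoever next updates OpenSSH can find and re-verify the source of a patch that touches key exchange and key handling code.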
@@ -20,9 +13,9 @@ diff -aurp old/auth-pam.c new/auth-pam.c
  
  struct pam_ctxt {
 diff -aurp old/cipher.c new/cipher.c
---- old/cipher.c	2018-03-22 16:21:14.000000000 -1000
-+++ new/cipher.c	2018-03-23 10:05:03.886621278 -1000
-@@ -297,7 +297,10 @@ cipher_init(struct sshcipher_ctx **ccp,
+--- old/cipher.c	2018-08-22 22:41:42.000000000 -0700
++++ new/cipher.c	2018-08-23 21:31:53.327926112 -0700
+@@ -299,7 +299,10 @@ cipher_init(struct sshcipher_ctx **ccp,
  			goto out;
  		}
  	}
@@ -34,7 +27,7 @@ diff -aurp old/cipher.c new/cipher.c
  		ret = SSH_ERR_LIBCRYPTO_ERROR;
  		goto out;
  	}
-@@ -483,7 +486,7 @@ cipher_get_keyiv(struct sshcipher_ctx *c
+@@ -485,7 +488,7 @@ cipher_get_keyiv(struct sshcipher_ctx *c
  		   len, iv))
  		       return SSH_ERR_LIBCRYPTO_ERROR;
  	} else
@@ -43,7 +36,7 @@ diff -aurp old/cipher.c new/cipher.c
  #endif
  	return 0;
  }
-@@ -517,14 +520,19 @@ cipher_set_keyiv(struct sshcipher_ctx *c
+@@ -519,14 +522,19 @@ cipher_set_keyiv(struct sshcipher_ctx *c
  		    EVP_CTRL_GCM_SET_IV_FIXED, -1, (void *)iv))
  			return SSH_ERR_LIBCRYPTO_ERROR;
  	} else
@@ -67,8 +60,8 @@ diff -aurp old/cipher.c new/cipher.c
  
  int
 diff -aurp old/cipher.h new/cipher.h
---- old/cipher.h	2018-03-22 16:21:14.000000000 -1000
-+++ new/cipher.h	2018-03-23 10:05:03.886621278 -1000
+--- old/cipher.h	2018-08-22 22:41:42.000000000 -0700
++++ new/cipher.h	2018-08-23 21:31:53.327926112 -0700
 @@ -46,7 +46,18 @@
  #define CIPHER_DECRYPT		0
  
@@ -89,9 +82,9 @@ diff -aurp old/cipher.h new/cipher.h
  const struct sshcipher *cipher_by_name(const char *);
  const char *cipher_warning_message(const struct sshcipher_ctx *);
 diff -aurp old/configure new/configure
---- old/configure	2018-03-23 03:30:17.000000000 -1000
-+++ new/configure	2018-03-23 10:05:03.888621444 -1000
-@@ -13076,7 +13076,6 @@ if ac_fn_c_try_run "$LINENO"; then :
+--- old/configure	2018-08-23 00:09:30.000000000 -0700
++++ new/configure	2018-08-23 21:31:53.331259457 -0700
+@@ -13032,7 +13032,6 @@ if ac_fn_c_try_run "$LINENO"; then :
  				100*)   ;; # 1.0.x
  				200*)   ;; # LibreSSL
  			        *)
@@ -100,9 +93,9 @@ diff -aurp old/configure new/configure
  			esac
  			{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ssl_library_ver" >&5
 diff -aurp old/dh.c new/dh.c
---- old/dh.c	2018-03-22 16:21:14.000000000 -1000
-+++ new/dh.c	2018-03-23 10:05:03.888621444 -1000
-@@ -211,14 +211,15 @@ choose_dh(int min, int wantbits, int max
+--- old/dh.c	2018-08-22 22:41:42.000000000 -0700
++++ new/dh.c	2018-08-23 21:39:18.863765579 -0700
+@@ -216,14 +216,15 @@ choose_dh(int min, int wantbits, int max
  /* diffie-hellman-groupN-sha1 */
  
  int
@@ -120,7 +113,7 @@ diff -aurp old/dh.c new/dh.c
  		logit("invalid public DH value: negative");
  		return 0;
  	}
-@@ -231,7 +232,8 @@ dh_pub_is_valid(DH *dh, BIGNUM *dh_pub)
+@@ -236,7 +237,8 @@ dh_pub_is_valid(DH *dh, BIGNUM *dh_pub)
  		error("%s: BN_new failed", __func__);
  		return 0;
  	}
@@ -130,7 +123,7 @@ diff -aurp old/dh.c new/dh.c
  	    BN_cmp(dh_pub, tmp) != -1) {		/* pub_exp > p-2 */
  		BN_clear_free(tmp);
  		logit("invalid public DH value: >= p-1");
-@@ -242,14 +244,14 @@ dh_pub_is_valid(DH *dh, BIGNUM *dh_pub)
+@@ -247,14 +249,14 @@ dh_pub_is_valid(DH *dh, BIGNUM *dh_pub)
  	for (i = 0; i <= n; i++)
  		if (BN_is_bit_set(dh_pub, i))
  			bits_set++;
@@ -147,7 +140,7 @@ diff -aurp old/dh.c new/dh.c
  		return 0;
  	}
  	return 1;
-@@ -259,9 +261,13 @@ int
+@@ -264,9 +266,13 @@ int
  dh_gen_key(DH *dh, int need)
  {
  	int pbits;
@@ -163,7 +156,7 @@ diff -aurp old/dh.c new/dh.c
  	    need > INT_MAX / 2 || 2 * need > pbits)
  		return SSH_ERR_INVALID_ARGUMENT;
  	if (need < 256)
-@@ -270,10 +276,13 @@ dh_gen_key(DH *dh, int need)
+@@ -275,11 +281,13 @@ dh_gen_key(DH *dh, int need)
  	 * Pollard Rho, Big step/Little Step attacks are O(sqrt(n)),
  	 * so double requested need here.
  	 */
@@ -171,6 +164,7 @@ diff -aurp old/dh.c new/dh.c
 -	if (DH_generate_key(dh) == 0 ||
 -	    !dh_pub_is_valid(dh, dh->pub_key)) {
 -		BN_clear_free(dh->priv_key);
+-		dh->priv_key = NULL;
 +	DH_set_length(dh, MIN(need * 2, pbits - 1));
 +	if (DH_generate_key(dh) == 0) {
 +		return SSH_ERR_LIBCRYPTO_ERROR;
@@ -181,7 +175,7 @@ diff -aurp old/dh.c new/dh.c
  		return SSH_ERR_LIBCRYPTO_ERROR;
  	}
  	return 0;
-@@ -282,16 +291,27 @@ dh_gen_key(DH *dh, int need)
+@@ -288,16 +296,27 @@ dh_gen_key(DH *dh, int need)
  DH *
  dh_new_group_asc(const char *gen, const char *modulus)
  {
@@ -216,7 +210,7 @@ diff -aurp old/dh.c new/dh.c
  }
  
  /*
-@@ -306,8 +326,8 @@ dh_new_group(BIGNUM *gen, BIGNUM *modulu
+@@ -312,8 +331,8 @@ dh_new_group(BIGNUM *gen, BIGNUM *modulu
  
  	if ((dh = DH_new()) == NULL)
  		return NULL;
@@ -228,8 +222,8 @@ diff -aurp old/dh.c new/dh.c
  	return (dh);
  }
 diff -aurp old/dh.h new/dh.h
---- old/dh.h	2018-03-22 16:21:14.000000000 -1000
-+++ new/dh.h	2018-03-23 10:05:03.889621527 -1000
+--- old/dh.h	2018-08-22 22:41:42.000000000 -0700
++++ new/dh.h	2018-08-23 21:31:53.331259457 -0700
 @@ -42,7 +42,7 @@ DH	*dh_new_group18(void);
  DH	*dh_new_group_fallback(int);
  
@@ -240,8 +234,8 @@ diff -aurp old/dh.h new/dh.h
  u_int	 dh_estimate(int);
  
 diff -aurp old/digest-openssl.c new/digest-openssl.c
---- old/digest-openssl.c	2018-03-22 16:21:14.000000000 -1000
-+++ new/digest-openssl.c	2018-03-23 10:05:03.889621527 -1000
+--- old/digest-openssl.c	2018-08-22 22:41:42.000000000 -0700
++++ new/digest-openssl.c	2018-08-23 21:31:53.331259457 -0700
 @@ -43,7 +43,7 @@
  
  struct ssh_digest_ctx {
@@ -314,8 +308,8 @@ diff -aurp old/digest-openssl.c new/digest-openssl.c
  		free(ctx);
  	}
 diff -aurp old/kexdhc.c new/kexdhc.c
---- old/kexdhc.c	2018-03-22 16:21:14.000000000 -1000
-+++ new/kexdhc.c	2018-03-23 10:05:03.889621527 -1000
+--- old/kexdhc.c	2018-08-22 22:41:42.000000000 -0700
++++ new/kexdhc.c	2018-08-23 21:31:53.331259457 -0700
 @@ -81,11 +81,16 @@ kexdh_client(struct ssh *ssh)
  		goto out;
  	}
@@ -363,8 +357,8 @@ diff -aurp old/kexdhc.c new/kexdhc.c
  	if ((r = sshkey_verify(server_host_key, signature, slen, hash, hashlen,
  	    kex->hostkey_alg, ssh->compat)) != 0)
 diff -aurp old/kexdhs.c new/kexdhs.c
---- old/kexdhs.c	2018-03-22 16:21:14.000000000 -1000
-+++ new/kexdhs.c	2018-03-23 10:58:58.126733207 -1000
+--- old/kexdhs.c	2018-08-22 22:41:42.000000000 -0700
++++ new/kexdhs.c	2018-08-23 21:36:50.600564263 -0700
 @@ -163,6 +163,9 @@ input_kex_dh_init(int type, u_int32_t se
  		goto out;
  	/* calc H */
@@ -390,10 +384,10 @@ diff -aurp old/kexdhs.c new/kexdhs.c
  
  	/* save session id := H */
  	if (kex->session_id == NULL) {
-@@ -195,12 +200,17 @@ input_kex_dh_init(int type, u_int32_t se
+@@ -195,12 +200,16 @@ input_kex_dh_init(int type, u_int32_t se
  	/* destroy_sensitive_data(); */
  
- 	/* send server hostkey, DH pubkey 'f' and singed H */
+ 	/* send server hostkey, DH pubkey 'f' and signed H */
 +	{
 +	const BIGNUM *pub_key;
 +	DH_get0_key(kex->dh, &pub_key, NULL);
@@ -402,17 +396,15 @@ diff -aurp old/kexdhs.c new/kexdhs.c
 -	    (r = sshpkt_put_bignum2(ssh, kex->dh->pub_key)) != 0 ||	/* f */
 +	    (r = sshpkt_put_bignum2(ssh, pub_key)) != 0 ||	/* f */
  	    (r = sshpkt_put_string(ssh, signature, slen)) != 0 ||
--	    (r = sshpkt_send(ssh)) != 0)
-+	    (r = sshpkt_send(ssh)) != 0) {
+ 	    (r = sshpkt_send(ssh)) != 0)
  		goto out;
-+	}
 +	}
  
  	if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) == 0)
  		r = kex_send_newkeys(ssh);
 diff -aurp old/kexgexc.c new/kexgexc.c
---- old/kexgexc.c	2018-03-22 16:21:14.000000000 -1000
-+++ new/kexgexc.c	2018-03-23 11:00:00.132866201 -1000
+--- old/kexgexc.c	2018-08-22 22:41:42.000000000 -0700
++++ new/kexgexc.c	2018-08-23 21:31:53.331259457 -0700
 @@ -118,11 +118,17 @@ input_kex_dh_gex_group(int type, u_int32
  	p = g = NULL; /* belong to kex->dh now */
  
@@ -465,8 +457,8 @@ diff -aurp old/kexgexc.c new/kexgexc.c
  	if ((r = sshkey_verify(server_host_key, signature, slen, hash,
  	    hashlen, kex->hostkey_alg, ssh->compat)) != 0)
 diff -aurp old/kexgexs.c new/kexgexs.c
---- old/kexgexs.c	2018-03-22 16:21:14.000000000 -1000
-+++ new/kexgexs.c	2018-03-23 11:03:06.045049721 -1000
+--- old/kexgexs.c	2018-08-22 22:41:42.000000000 -0700
++++ new/kexgexs.c	2018-08-23 21:36:11.493972372 -0700
 @@ -101,11 +101,16 @@ input_kex_dh_gex_request(int type, u_int
  		goto out;
  	}
@@ -516,10 +508,10 @@ diff -aurp old/kexgexs.c new/kexgexs.c
  
  	/* save session id := H */
  	if (kex->session_id == NULL) {
-@@ -225,12 +236,17 @@ input_kex_dh_gex_init(int type, u_int32_
+@@ -225,12 +236,16 @@ input_kex_dh_gex_init(int type, u_int32_
  	/* destroy_sensitive_data(); */
  
- 	/* send server hostkey, DH pubkey 'f' and singed H */
+ 	/* send server hostkey, DH pubkey 'f' and signed H */
 +	{
 +	const BIGNUM *pub_key;
 +	DH_get0_key(kex->dh, &pub_key, NULL);
@@ -528,35 +520,33 @@ diff -aurp old/kexgexs.c new/kexgexs.c
 -	    (r = sshpkt_put_bignum2(ssh, kex->dh->pub_key)) != 0 ||     /* f */
 +	    (r = sshpkt_put_bignum2(ssh, pub_key)) != 0 ||     /* f */
  	    (r = sshpkt_put_string(ssh, signature, slen)) != 0 ||
--	    (r = sshpkt_send(ssh)) != 0)
-+	    (r = sshpkt_send(ssh)) != 0) {
+ 	    (r = sshpkt_send(ssh)) != 0)
  		goto out;
-+	}
 +	}
  
  	if ((r = kex_derive_keys_bn(ssh, hash, hashlen, shared_secret)) == 0)
  		r = kex_send_newkeys(ssh);
 diff -aurp old/monitor.c new/monitor.c
---- old/monitor.c	2018-03-22 16:21:14.000000000 -1000
-+++ new/monitor.c	2018-03-23 10:05:03.890621610 -1000
-@@ -595,10 +595,12 @@ mm_answer_moduli(int sock, Buffer *m)
- 		buffer_put_char(m, 0);
+--- old/monitor.c	2018-08-22 22:41:42.000000000 -0700
++++ new/monitor.c	2018-08-23 21:34:14.594343260 -0700
+@@ -589,10 +589,12 @@ mm_answer_moduli(int sock, struct sshbuf
+ 			fatal("%s: buffer error: %s", __func__, ssh_err(r));
  		return (0);
  	} else {
 +		const BIGNUM *p, *g;
 +		DH_get0_pqg(dh, &p, NULL, &g);
  		/* Send first bignum */
- 		buffer_put_char(m, 1);
--		buffer_put_bignum2(m, dh->p);
--		buffer_put_bignum2(m, dh->g);
-+		buffer_put_bignum2(m, p);
-+		buffer_put_bignum2(m, g);
+ 		if ((r = sshbuf_put_u8(m, 1)) != 0 ||
+-		    (r = sshbuf_put_bignum2(m, dh->p)) != 0 ||
+-		    (r = sshbuf_put_bignum2(m, dh->g)) != 0)
++		    (r = sshbuf_put_bignum2(m, p)) != 0 ||
++		    (r = sshbuf_put_bignum2(m, g)) != 0)
+ 			fatal("%s: buffer error: %s", __func__, ssh_err(r));
  
  		DH_free(dh);
- 	}
 diff -aurp old/openbsd-compat/openssl-compat.c new/openbsd-compat/openssl-compat.c
---- old/openbsd-compat/openssl-compat.c	2018-03-22 16:21:14.000000000 -1000
-+++ new/openbsd-compat/openssl-compat.c	2018-03-23 10:05:03.890621610 -1000
+--- old/openbsd-compat/openssl-compat.c	2018-08-22 22:41:42.000000000 -0700
++++ new/openbsd-compat/openssl-compat.c	2018-08-23 21:31:53.334592801 -0700
 @@ -75,7 +75,6 @@ ssh_OpenSSL_add_all_algorithms(void)
  	/* Enable use of crypto hardware */
  	ENGINE_load_builtin_engines();
@@ -566,8 +556,8 @@ diff -aurp old/openbsd-compat/openssl-compat.c new/openbsd-compat/openssl-compat
  #endif
  
 diff -aurp old/regress/unittests/sshkey/test_file.c new/regress/unittests/sshkey/test_file.c
---- old/regress/unittests/sshkey/test_file.c	2018-03-22 16:21:14.000000000 -1000
-+++ new/regress/unittests/sshkey/test_file.c	2018-03-23 10:05:03.890621610 -1000
+--- old/regress/unittests/sshkey/test_file.c	2018-08-22 22:41:42.000000000 -0700
++++ new/regress/unittests/sshkey/test_file.c	2018-08-23 21:31:53.334592801 -0700
 @@ -60,9 +60,14 @@ sshkey_file_tests(void)
  	a = load_bignum("rsa_1.param.n");
  	b = load_bignum("rsa_1.param.p");
@@ -605,8 +595,8 @@ diff -aurp old/regress/unittests/sshkey/test_file.c new/regress/unittests/sshkey
  	BN_free(b);
  	BN_free(c);
 diff -aurp old/regress/unittests/sshkey/test_sshkey.c new/regress/unittests/sshkey/test_sshkey.c
---- old/regress/unittests/sshkey/test_sshkey.c	2018-03-22 16:21:14.000000000 -1000
-+++ new/regress/unittests/sshkey/test_sshkey.c	2018-03-23 10:05:03.890621610 -1000
+--- old/regress/unittests/sshkey/test_sshkey.c	2018-08-22 22:41:42.000000000 -0700
++++ new/regress/unittests/sshkey/test_sshkey.c	2018-08-23 21:31:53.334592801 -0700
 @@ -197,9 +197,14 @@ sshkey_tests(void)
  	k1 = sshkey_new(KEY_RSA);
  	ASSERT_PTR_NE(k1, NULL);
@@ -745,8 +735,8 @@ diff -aurp old/regress/unittests/sshkey/test_sshkey.c new/regress/unittests/sshk
  
  	TEST_START("equal KEY_DSA/demoted KEY_DSA");
 diff -aurp old/ssh-dss.c new/ssh-dss.c
---- old/ssh-dss.c	2018-03-22 16:21:14.000000000 -1000
-+++ new/ssh-dss.c	2018-03-23 10:05:03.891621693 -1000
+--- old/ssh-dss.c	2018-08-22 22:41:42.000000000 -0700
++++ new/ssh-dss.c	2018-08-23 21:31:53.334592801 -0700
 @@ -53,6 +53,7 @@ ssh_dss_sign(const struct sshkey *key, u
  	DSA_SIG *sig = NULL;
  	u_char digest[SSH_DIGEST_MAX_LENGTH], sigblob[SIGBLOB_LEN];
@@ -808,8 +798,8 @@ diff -aurp old/ssh-dss.c new/ssh-dss.c
  	/* sha1 the data */
  	if ((ret = ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen,
 diff -aurp old/ssh-ecdsa.c new/ssh-ecdsa.c
---- old/ssh-ecdsa.c	2018-03-22 16:21:14.000000000 -1000
-+++ new/ssh-ecdsa.c	2018-03-23 10:05:03.891621693 -1000
+--- old/ssh-ecdsa.c	2018-08-22 22:41:42.000000000 -0700
++++ new/ssh-ecdsa.c	2018-08-23 21:31:53.334592801 -0700
 @@ -80,9 +80,14 @@ ssh_ecdsa_sign(const struct sshkey *key,
  		ret = SSH_ERR_ALLOC_FAIL;
  		goto out;
@@ -858,9 +848,9 @@ diff -aurp old/ssh-ecdsa.c new/ssh-ecdsa.c
  		ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
  		goto out;
 diff -aurp old/ssh-keygen.c new/ssh-keygen.c
---- old/ssh-keygen.c	2018-03-22 16:21:14.000000000 -1000
-+++ new/ssh-keygen.c	2018-03-23 10:05:03.891621693 -1000
-@@ -493,11 +493,33 @@ do_convert_private_ssh2_from_blob(u_char
+--- old/ssh-keygen.c	2018-08-22 22:41:42.000000000 -0700
++++ new/ssh-keygen.c	2018-08-23 21:31:53.334592801 -0700
+@@ -494,11 +494,33 @@ do_convert_private_ssh2_from_blob(u_char
  
  	switch (key->type) {
  	case KEY_DSA:
@@ -899,7 +889,7 @@ diff -aurp old/ssh-keygen.c new/ssh-keygen.c
  		break;
  	case KEY_RSA:
  		if ((r = sshbuf_get_u8(b, &e1)) != 0 ||
-@@ -514,16 +536,52 @@ do_convert_private_ssh2_from_blob(u_char
+@@ -515,16 +537,52 @@ do_convert_private_ssh2_from_blob(u_char
  			e += e3;
  			debug("e %lx", e);
  		}
@@ -958,7 +948,7 @@ diff -aurp old/ssh-keygen.c new/ssh-keygen.c
  		if ((r = ssh_rsa_generate_additional_parameters(key)) != 0)
  			fatal("generate RSA parameters failed: %s", ssh_err(r));
  		break;
-@@ -633,7 +691,7 @@ do_convert_from_pkcs8(struct sshkey **k,
+@@ -634,7 +692,7 @@ do_convert_from_pkcs8(struct sshkey **k,
  		    identity_file);
  	}
  	fclose(fp);
@@ -967,7 +957,7 @@ diff -aurp old/ssh-keygen.c new/ssh-keygen.c
  	case EVP_PKEY_RSA:
  		if ((*k = sshkey_new(KEY_UNSPEC)) == NULL)
  			fatal("sshkey_new failed");
-@@ -657,7 +715,7 @@ do_convert_from_pkcs8(struct sshkey **k,
+@@ -658,7 +716,7 @@ do_convert_from_pkcs8(struct sshkey **k,
  #endif
  	default:
  		fatal("%s: unsupported pubkey type %d", __func__,
@@ -977,9 +967,9 @@ diff -aurp old/ssh-keygen.c new/ssh-keygen.c
  	EVP_PKEY_free(pubkey);
  	return;
 diff -aurp old/ssh-pkcs11-client.c new/ssh-pkcs11-client.c
---- old/ssh-pkcs11-client.c	2018-03-22 16:21:14.000000000 -1000
-+++ new/ssh-pkcs11-client.c	2018-03-23 10:05:03.892621777 -1000
-@@ -144,12 +144,13 @@ pkcs11_rsa_private_encrypt(int flen, con
+--- old/ssh-pkcs11-client.c	2018-08-22 22:41:42.000000000 -0700
++++ new/ssh-pkcs11-client.c	2018-08-23 21:31:53.334592801 -0700
+@@ -156,12 +156,13 @@ pkcs11_rsa_private_encrypt(int flen, con
  static int
  wrap_key(RSA *rsa)
  {
@@ -999,8 +989,8 @@ diff -aurp old/ssh-pkcs11-client.c new/ssh-pkcs11-client.c
  }
  
 diff -aurp old/ssh-pkcs11.c new/ssh-pkcs11.c
---- old/ssh-pkcs11.c	2018-03-22 16:21:14.000000000 -1000
-+++ new/ssh-pkcs11.c	2018-03-23 10:05:03.892621777 -1000
+--- old/ssh-pkcs11.c	2018-08-22 22:41:42.000000000 -0700
++++ new/ssh-pkcs11.c	2018-08-23 21:31:53.334592801 -0700
 @@ -67,7 +67,7 @@ struct pkcs11_key {
  	struct pkcs11_provider	*provider;
  	CK_ULONG		slotidx;
@@ -1090,9 +1080,9 @@ diff -aurp old/ssh-pkcs11.c new/ssh-pkcs11.c
  			free(attribs[i].pValue);
  	}
 diff -aurp old/ssh-rsa.c new/ssh-rsa.c
---- old/ssh-rsa.c	2018-03-22 16:21:14.000000000 -1000
-+++ new/ssh-rsa.c	2018-03-23 10:05:03.892621777 -1000
-@@ -84,7 +84,6 @@ ssh_rsa_generate_additional_parameters(s
+--- old/ssh-rsa.c	2018-08-22 22:41:42.000000000 -0700
++++ new/ssh-rsa.c	2018-08-23 21:31:53.334592801 -0700
+@@ -108,7 +108,6 @@ ssh_rsa_generate_additional_parameters(s
  {
  	BIGNUM *aux = NULL;
  	BN_CTX *ctx = NULL;
@@ -1100,7 +1090,7 @@ diff -aurp old/ssh-rsa.c new/ssh-rsa.c
  	int r;
  
  	if (key == NULL || key->rsa == NULL ||
-@@ -99,16 +98,27 @@ ssh_rsa_generate_additional_parameters(s
+@@ -123,16 +122,27 @@ ssh_rsa_generate_additional_parameters(s
  	}
  	BN_set_flags(aux, BN_FLG_CONSTTIME);
  
@@ -1135,7 +1125,7 @@ diff -aurp old/ssh-rsa.c new/ssh-rsa.c
  	r = 0;
   out:
  	BN_clear_free(aux);
-@@ -139,7 +149,7 @@ ssh_rsa_sign(const struct sshkey *key, u
+@@ -163,7 +173,7 @@ ssh_rsa_sign(const struct sshkey *key, u
  	if (key == NULL || key->rsa == NULL || hash_alg == -1 ||
  	    sshkey_type_plain(key->type) != KEY_RSA)
  		return SSH_ERR_INVALID_ARGUMENT;
@@ -1144,7 +1134,7 @@ diff -aurp old/ssh-rsa.c new/ssh-rsa.c
  		return SSH_ERR_KEY_LENGTH;
  	slen = RSA_size(key->rsa);
  	if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM)
-@@ -211,7 +221,7 @@ ssh_rsa_verify(const struct sshkey *key,
+@@ -235,7 +245,7 @@ ssh_rsa_verify(const struct sshkey *key,
  	    sshkey_type_plain(key->type) != KEY_RSA ||
  	    sig == NULL || siglen == 0)
  		return SSH_ERR_INVALID_ARGUMENT;
@@ -1154,9 +1144,9 @@ diff -aurp old/ssh-rsa.c new/ssh-rsa.c
  
  	if ((b = sshbuf_from(sig, siglen)) == NULL)
 diff -aurp old/sshkey.c new/sshkey.c
---- old/sshkey.c	2018-03-22 16:21:14.000000000 -1000
-+++ new/sshkey.c	2018-03-23 10:05:03.893621860 -1000
-@@ -274,10 +274,18 @@ sshkey_size(const struct sshkey *k)
+--- old/sshkey.c	2018-08-22 22:41:42.000000000 -0700
++++ new/sshkey.c	2018-08-23 21:31:53.334592801 -0700
+@@ -292,10 +292,18 @@ sshkey_size(const struct sshkey *k)
  #ifdef WITH_OPENSSL
  	case KEY_RSA:
  	case KEY_RSA_CERT:
@@ -1176,7 +1166,7 @@ diff -aurp old/sshkey.c new/sshkey.c
  	case KEY_ECDSA:
  	case KEY_ECDSA_CERT:
  		return sshkey_curve_nid_to_bits(k->ecdsa_nid);
-@@ -482,26 +490,53 @@ sshkey_new(int type)
+@@ -500,26 +508,53 @@ sshkey_new(int type)
  #ifdef WITH_OPENSSL
  	case KEY_RSA:
  	case KEY_RSA_CERT:
@@ -1236,7 +1226,7 @@ diff -aurp old/sshkey.c new/sshkey.c
  		k->dsa = dsa;
  		break;
  	case KEY_ECDSA:
-@@ -539,6 +574,51 @@ sshkey_add_private(struct sshkey *k)
+@@ -557,6 +592,51 @@ sshkey_add_private(struct sshkey *k)
  #ifdef WITH_OPENSSL
  	case KEY_RSA:
  	case KEY_RSA_CERT:
@@ -1288,7 +1278,7 @@ diff -aurp old/sshkey.c new/sshkey.c
  #define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL)
  		if (bn_maybe_alloc_failed(k->rsa->d) ||
  		    bn_maybe_alloc_failed(k->rsa->iqmp) ||
-@@ -547,13 +627,28 @@ sshkey_add_private(struct sshkey *k)
+@@ -565,13 +645,28 @@ sshkey_add_private(struct sshkey *k)
  		    bn_maybe_alloc_failed(k->rsa->dmq1) ||
  		    bn_maybe_alloc_failed(k->rsa->dmp1))
  			return SSH_ERR_ALLOC_FAIL;
@@ -1317,7 +1307,7 @@ diff -aurp old/sshkey.c new/sshkey.c
  	case KEY_ECDSA:
  	case KEY_ECDSA_CERT:
  		/* Cannot do anything until we know the group */
-@@ -677,16 +772,34 @@ sshkey_equal_public(const struct sshkey
+@@ -695,16 +790,34 @@ sshkey_equal_public(const struct sshkey
  #ifdef WITH_OPENSSL
  	case KEY_RSA_CERT:
  	case KEY_RSA:
@@ -1360,7 +1350,7 @@ diff -aurp old/sshkey.c new/sshkey.c
  # ifdef OPENSSL_HAS_ECC
  	case KEY_ECDSA_CERT:
  	case KEY_ECDSA:
-@@ -775,12 +888,17 @@ to_blob_buf(const struct sshkey *key, st
+@@ -793,12 +906,17 @@ to_blob_buf(const struct sshkey *key, st
  	case KEY_DSA:
  		if (key->dsa == NULL)
  			return SSH_ERR_INVALID_ARGUMENT;
@@ -1382,7 +1372,7 @@ diff -aurp old/sshkey.c new/sshkey.c
  		break;
  # ifdef OPENSSL_HAS_ECC
  	case KEY_ECDSA:
-@@ -796,10 +914,14 @@ to_blob_buf(const struct sshkey *key, st
+@@ -814,10 +932,14 @@ to_blob_buf(const struct sshkey *key, st
  	case KEY_RSA:
  		if (key->rsa == NULL)
  			return SSH_ERR_INVALID_ARGUMENT;
@@ -1399,7 +1389,7 @@ diff -aurp old/sshkey.c new/sshkey.c
  		break;
  #endif /* WITH_OPENSSL */
  	case KEY_ED25519:
-@@ -1740,13 +1862,32 @@ sshkey_from_private(const struct sshkey
+@@ -1758,13 +1880,32 @@ sshkey_from_private(const struct sshkey
  	case KEY_DSA_CERT:
  		if ((n = sshkey_new(k->type)) == NULL)
  			return SSH_ERR_ALLOC_FAIL;
@@ -1436,7 +1426,7 @@ diff -aurp old/sshkey.c new/sshkey.c
  		break;
  # ifdef OPENSSL_HAS_ECC
  	case KEY_ECDSA:
-@@ -1770,11 +1911,23 @@ sshkey_from_private(const struct sshkey
+@@ -1788,11 +1929,23 @@ sshkey_from_private(const struct sshkey
  	case KEY_RSA_CERT:
  		if ((n = sshkey_new(k->type)) == NULL)
  			return SSH_ERR_ALLOC_FAIL;
@@ -1462,7 +1452,7 @@ diff -aurp old/sshkey.c new/sshkey.c
  		break;
  #endif /* WITH_OPENSSL */
  	case KEY_ED25519:
-@@ -1995,12 +2148,27 @@ sshkey_from_blob_internal(struct sshbuf
+@@ -2013,12 +2166,27 @@ sshkey_from_blob_internal(struct sshbuf
  			ret = SSH_ERR_ALLOC_FAIL;
  			goto out;
  		}
@@ -1493,7 +1483,7 @@ diff -aurp old/sshkey.c new/sshkey.c
  			ret = SSH_ERR_KEY_LENGTH;
  			goto out;
  		}
-@@ -2020,13 +2188,36 @@ sshkey_from_blob_internal(struct sshbuf
+@@ -2038,13 +2206,36 @@ sshkey_from_blob_internal(struct sshbuf
  			ret = SSH_ERR_ALLOC_FAIL;
  			goto out;
  		}
@@ -1534,7 +1524,7 @@ diff -aurp old/sshkey.c new/sshkey.c
  #ifdef DEBUG_PK
  		DSA_print_fp(stderr, key->dsa, 8);
  #endif
-@@ -2327,26 +2518,63 @@ sshkey_demote(const struct sshkey *k, st
+@@ -2389,26 +2580,63 @@ sshkey_demote(const struct sshkey *k, st
  			goto fail;
  		/* FALLTHROUGH */
  	case KEY_RSA:
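Review bot: The sshkey_demote hunk offset moves from 2327 to 2389 (+62), while every earlier sshkey.c hunk in this refresh moves by +18 (for example 2020 to 2038 in sshkey_from_blob_internal). About 44 lines of new upstream code therefore sit between those two functions, and the refresh adds no inner hunk for them. Please confirm that this code needs none, i.e. that it does not handle k->rsa or k->dsa the way the patched regions around it do.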
@@ -1606,7 +1596,7 @@ diff -aurp old/sshkey.c new/sshkey.c
  		break;
  	case KEY_ECDSA_CERT:
  		if ((ret = sshkey_cert_copy(k, pk)) != 0)
-@@ -2496,11 +2724,17 @@ sshkey_certify_custom(struct sshkey *k,
+@@ -2558,11 +2786,17 @@ sshkey_certify_custom(struct sshkey *k,
  	switch (k->type) {
  #ifdef WITH_OPENSSL
  	case KEY_DSA_CERT:
@@ -1628,7 +1618,7 @@ diff -aurp old/sshkey.c new/sshkey.c
  		break;
  # ifdef OPENSSL_HAS_ECC
  	case KEY_ECDSA_CERT:
-@@ -2513,9 +2747,15 @@ sshkey_certify_custom(struct sshkey *k,
+@@ -2575,9 +2809,15 @@ sshkey_certify_custom(struct sshkey *k,
  		break;
  # endif /* OPENSSL_HAS_ECC */
  	case KEY_RSA_CERT:
@@ -1646,7 +1636,7 @@ diff -aurp old/sshkey.c new/sshkey.c
  		break;
  #endif /* WITH_OPENSSL */
  	case KEY_ED25519_CERT:
-@@ -2702,42 +2942,67 @@ sshkey_private_serialize_opt(const struc
+@@ -2764,42 +3004,67 @@ sshkey_private_serialize_opt(const struc
  	switch (key->type) {
  #ifdef WITH_OPENSSL
  	case KEY_RSA:
@@ -1730,7 +1720,7 @@ diff -aurp old/sshkey.c new/sshkey.c
  		break;
  # ifdef OPENSSL_HAS_ECC
  	case KEY_ECDSA:
-@@ -2851,18 +3116,61 @@ sshkey_private_deserialize(struct sshbuf
+@@ -2913,18 +3178,61 @@ sshkey_private_deserialize(struct sshbuf
  			r = SSH_ERR_ALLOC_FAIL;
  			goto out;
  		}
@@ -1799,7 +1789,7 @@ diff -aurp old/sshkey.c new/sshkey.c
  		break;
  # ifdef OPENSSL_HAS_ECC
  	case KEY_ECDSA:
-@@ -2921,29 +3229,104 @@ sshkey_private_deserialize(struct sshbuf
+@@ -2983,29 +3291,104 @@ sshkey_private_deserialize(struct sshbuf
  			r = SSH_ERR_ALLOC_FAIL;
  			goto out;
  		}
@@ -1918,7 +1908,7 @@ diff -aurp old/sshkey.c new/sshkey.c
  			r = SSH_ERR_KEY_LENGTH;
  			goto out;
  		}
-@@ -3707,7 +4090,6 @@ translate_libcrypto_error(unsigned long
+@@ -3769,7 +4152,6 @@ translate_libcrypto_error(unsigned long
  		switch (pem_reason) {
  		case EVP_R_BAD_DECRYPT:
  			return SSH_ERR_KEY_WRONG_PASSPHRASE;
@@ -1926,7 +1916,7 @@ diff -aurp old/sshkey.c new/sshkey.c
  		case EVP_R_DECODE_ERROR:
  #ifdef EVP_R_PRIVATE_KEY_DECODE_ERROR
  		case EVP_R_PRIVATE_KEY_DECODE_ERROR:
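Review bot: The refreshed inner hunk for translate_libcrypto_error keeps its 7-to-6 line shape (`-3769,7 +4152,6`), so one line is still dropped from `switch (pem_reason)` between `return SSH_ERR_KEY_WRONG_PASSPHRASE;` and `case EVP_R_DECODE_ERROR:`. If that line is a case label, the matching libcrypto reason falls through to the default handling instead of the value it mapped to before, which changes the error a user sees when loading a key. A sentence in the patch description saying why the line is removed would help the next person who refreshes it.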
-@@ -3772,7 +4154,7 @@ sshkey_parse_private_pem_fileblob(struct
+@@ -3834,7 +4216,7 @@ sshkey_parse_private_pem_fileblob(struct
  		r = convert_libcrypto_error();
  		goto out;
  	}
@@ -1935,7 +1925,7 @@ diff -aurp old/sshkey.c new/sshkey.c
  	    (type == KEY_UNSPEC || type == KEY_RSA)) {
  		if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
  			r = SSH_ERR_ALLOC_FAIL;
-@@ -3787,11 +4169,11 @@ sshkey_parse_private_pem_fileblob(struct
+@@ -3849,11 +4231,11 @@ sshkey_parse_private_pem_fileblob(struct
  			r = SSH_ERR_LIBCRYPTO_ERROR;
  			goto out;
  		}
@@ -1949,7 +1939,7 @@ diff -aurp old/sshkey.c new/sshkey.c
  	    (type == KEY_UNSPEC || type == KEY_DSA)) {
  		if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
  			r = SSH_ERR_ALLOC_FAIL;
-@@ -3803,7 +4185,7 @@ sshkey_parse_private_pem_fileblob(struct
+@@ -3865,7 +4247,7 @@ sshkey_parse_private_pem_fileblob(struct
  		DSA_print_fp(stderr, prv->dsa, 8);
  #endif
  #ifdef OPENSSL_HAS_ECC


hooks/post-receive
--
IPFire 2.x development tree
