From 4c983d0192cb62cc26aee37e820c1d6a4ac5183d Mon Sep 17 00:00:00 2001 From: Raymond Colebaugh Date: Aug 03 2023 23:35:15 +0000 Subject: Merge upstream changes for 8.7p1-29.6 --- diff --git a/fb87_slog.patch b/fb87_slog.patch index e6e907b..ffeb03d 100644 --- a/fb87_slog.patch +++ b/fb87_slog.patch @@ -1,7 +1,7 @@ -Index: b/slog.c +Index: openssh-8.7p1/slog.c =================================================================== --- /dev/null -+++ b/slog.c ++++ openssh-8.7p1/slog.c @@ -0,0 +1,619 @@ +/* + * Copyright 2004-present Facebook. All Rights Reserved. 
@@ -622,51 +622,51 @@ Index: b/slog.c + return "Unknown session state"; // Should never happen + } +} -Index: b/servconf.c +Index: openssh-8.7p1/servconf.c =================================================================== ---- b.orig/servconf.c -+++ b/servconf.c -@@ -204,6 +204,9 @@ initialize_server_options(ServerOptions +--- openssh-8.7p1.orig/servconf.c ++++ openssh-8.7p1/servconf.c +@@ -205,6 +205,9 @@ initialize_server_options(ServerOptions options->disable_forwarding = -1; options->expose_userauth_info = -1; - options->rsa_min_size = -1; -+ options->log_format_prefix = NULL; -+ options->num_log_format_keys = 0; -+ options->log_format_json = -1; + options->required_rsa_size = -1; ++ options->log_format_prefix = NULL; ++ options->num_log_format_keys = 0; ++ options->log_format_json = -1; } /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ -@@ -473,6 +476,8 @@ fill_default_server_options(ServerOption +@@ -474,6 +477,8 @@ fill_default_server_options(ServerOption options->sk_provider = xstrdup("internal"); - if (options->rsa_min_size == -1) - options->rsa_min_size = SSH_RSA_MINIMUM_MODULUS_SIZE; -+ if (options->log_format_json == -1) -+ options->log_format_json = 0; + if (options->required_rsa_size == -1) + options->required_rsa_size = SSH_RSA_MINIMUM_MODULUS_SIZE; ++ if (options->log_format_json == -1) ++ options->log_format_json = 0; assemble_algorithms(options); -@@ -553,6 +558,10 @@ typedef enum { +@@ -554,6 +559,10 @@ typedef enum { sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider, - sRSAMinSize, -+ /* Structured Logging options. Unless sLogFormatKeys is set, -+ structured logging is disabled */ -+ sLogFormatPrefix, sLogFormatKeys, sLogFormatJson, + sRequiredRSASize, ++ /* Structured Logging options. 
Unless sLogFormatKeys is set, ++ structured logging is disabled */ ++ sLogFormatPrefix, sLogFormatKeys, sLogFormatJson, + sDeprecated, sIgnore, sUnsupported } ServerOpCodes; -@@ -730,6 +739,9 @@ static struct { - { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL }, +@@ -732,6 +741,9 @@ static struct { { "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL }, - { "rsaminsize", sRSAMinSize, SSHCFG_ALL }, -+ { "logformatprefix", sLogFormatPrefix, SSHCFG_GLOBAL }, -+ { "logformatkeys", sLogFormatKeys, SSHCFG_GLOBAL }, -+ { "logformatjson", sLogFormatJson, SSHCFG_GLOBAL }, + { "requiredrsasize", sRequiredRSASize, SSHCFG_ALL }, + { "rsaminsize", sRequiredRSASize, SSHCFG_ALL }, /* alias */ ++ { "logformatprefix", sLogFormatPrefix, SSHCFG_GLOBAL }, ++ { "logformatkeys", sLogFormatKeys, SSHCFG_GLOBAL }, ++ { "logformatjson", sLogFormatJson, SSHCFG_GLOBAL }, { NULL, sBadOption, 0 } }; -@@ -2367,6 +2379,30 @@ process_server_config_line_depth(ServerO +@@ -2369,6 +2381,30 @@ process_server_config_line_depth(ServerO } break; @@ -697,7 +697,7 @@ Index: b/servconf.c case sIPQoS: arg = argv_next(&ac, &av); if (!arg || *arg == '\0') -@@ -3024,6 +3060,7 @@ dump_config(ServerOptions *o) +@@ -3026,6 +3062,7 @@ dump_config(ServerOptions *o) dump_cfg_fmtint(sStreamLocalBindUnlink, o->fwd_opts.streamlocal_bind_unlink); dump_cfg_fmtint(sFingerprintHash, o->fingerprint_hash); dump_cfg_fmtint(sExposeAuthInfo, o->expose_userauth_info); @@ -705,7 +705,7 @@ Index: b/servconf.c /* string arguments */ dump_cfg_string(sPidFile, o->pid_file); -@@ -3054,6 +3091,7 @@ dump_config(ServerOptions *o) +@@ -3056,6 +3093,7 @@ dump_config(ServerOptions *o) #if defined(__OpenBSD__) || defined(HAVE_SYS_SET_PROCESS_RDOMAIN) dump_cfg_string(sRDomain, o->routing_domain); #endif 
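Review bot: `log_format_prefix` is the only one of the three new options that gets no default in `fill_default_server_options` — the rebased hunk defaults `log_format_json` to 0 but leaves the prefix NULL after `initialize_server_options`. Whether the consumer tolerates a NULL prefix when `LogFormatKeys` is set lives in slog.c, outside this hunk, so I cannot confirm it here; if it does not, a one-line default beside the json one, `if (options->log_format_prefix == NULL) options->log_format_prefix = xstrdup("");`, would make the contract explicit (xstrdup is already used two lines up for sk_provider). The servconf.c functions this hunk touches all start and end outside the hunk. Beyond that, the rename of rsa_min_size to required_rsa_size and the shifted inner line numbers look consistent with the matching servconf.h rename later in this diff.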
@@ -713,7 +713,7 @@ Index: b/servconf.c /* string arguments requiring a lookup */ dump_cfg_string(sLogLevel, log_level_name(o->log_level)); -@@ -3076,6 +3114,7 @@ dump_config(ServerOptions *o) +@@ -3078,6 +3116,7 @@ dump_config(ServerOptions *o) o->num_auth_methods, o->auth_methods); dump_cfg_strarray_oneline(sLogVerbose, o->num_log_verbose, o->log_verbose); @@ -721,10 +721,10 @@ Index: b/servconf.c /* other arguments */ for (i = 0; i < o->num_subsystems; i++) -Index: b/auth2-pubkey.c +Index: openssh-8.7p1/auth2-pubkey.c =================================================================== ---- b.orig/auth2-pubkey.c -+++ b/auth2-pubkey.c +--- openssh-8.7p1.orig/auth2-pubkey.c ++++ openssh-8.7p1/auth2-pubkey.c @@ -66,6 +66,7 @@ #include "monitor_wrap.h" #include "authfile.h" @@ -733,7 +733,7 @@ Index: b/auth2-pubkey.c #include "ssherr.h" #include "channels.h" /* XXX for session.h */ #include "session.h" /* XXX for child_set_env(); refactor? */ -@@ -389,6 +390,7 @@ check_principals_line(struct ssh *ssh, c +@@ -390,6 +391,7 @@ check_principals_line(struct ssh *ssh, c debug3("%s: matched principal \"%.100s\"", loc, cert->principals[i]); found = 1; @@ -741,7 +741,7 @@ Index: b/auth2-pubkey.c } if (found && authoptsp != NULL) { *authoptsp = opts; -@@ -714,6 +716,7 @@ check_authkey_line(struct ssh *ssh, stru +@@ -715,6 +717,7 @@ check_authkey_line(struct ssh *ssh, stru (unsigned long long)key->cert->serial, sshkey_type(found), fp, loc); @@ -749,7 +749,7 @@ Index: b/auth2-pubkey.c success: if (finalopts == NULL) fatal_f("internal error: missing options"); -@@ -864,6 +867,7 @@ user_cert_trusted_ca(struct ssh *ssh, st +@@ -865,6 +868,7 @@ user_cert_trusted_ca(struct ssh *ssh, st *authoptsp = final_opts; final_opts = NULL; } 
@@ -757,10 +757,10 @@ Index: b/auth2-pubkey.c ret = 1; out: sshauthopt_free(principals_opts); -Index: b/regress/test-exec.sh +Index: openssh-8.7p1/regress/test-exec.sh =================================================================== ---- b.orig/regress/test-exec.sh -+++ b/regress/test-exec.sh +--- openssh-8.7p1.orig/regress/test-exec.sh ++++ openssh-8.7p1/regress/test-exec.sh @@ -689,7 +689,7 @@ start_sshd () trace "wait for sshd" @@ -770,10 +770,10 @@ Index: b/regress/test-exec.sh i=`expr $i + 1` sleep $i done -Index: b/session.c +Index: openssh-8.7p1/session.c =================================================================== ---- b.orig/session.c -+++ b/session.c +--- openssh-8.7p1.orig/session.c ++++ openssh-8.7p1/session.c @@ -96,6 +96,8 @@ #include "monitor_wrap.h" #include "sftp.h" @@ -813,10 +813,10 @@ Index: b/session.c return remote; } - -Index: b/log.h +Index: openssh-8.7p1/log.h =================================================================== ---- b.orig/log.h -+++ b/log.h +--- openssh-8.7p1.orig/log.h ++++ openssh-8.7p1/log.h @@ -133,4 +133,6 @@ void sshlogdirect(LogLevel, int, const #define logdie_fr(r, ...) sshlogdie(__FILE__, __func__, __LINE__, 1, SYSLOG_LEVEL_ERROR, ssh_err(r), __VA_ARGS__) #define sigdie_fr(r, ...) sshsigdie(__FILE__, __func__, __LINE__, 1, SYSLOG_LEVEL_ERROR, ssh_err(r), __VA_ARGS__) @@ -824,10 +824,10 @@ Index: b/log.h +void do_log_slog_payload(const char *); + #endif -Index: b/log.c +Index: openssh-8.7p1/log.c =================================================================== ---- b.orig/log.c -+++ b/log.c +--- openssh-8.7p1.orig/log.c ++++ openssh-8.7p1/log.c @@ -529,3 +529,39 @@ sshlogdirect(LogLevel level, int forced, do_log(level, forced, NULL, fmt, args); va_end(args); @@ -868,10 +868,10 @@ Index: b/log.c + } + errno = saved_errno; +} -Index: b/slog.h +Index: openssh-8.7p1/slog.h =================================================================== --- /dev/null -+++ b/slog.h ++++ openssh-8.7p1/slog.h 
@@ -0,0 +1,41 @@ +/* + * Copyright 2004-present Facebook. All Rights Reserved. @@ -914,10 +914,10 @@ Index: b/slog.h +void slog_log_session(void); + +#endif -Index: b/sshd.c +Index: openssh-8.7p1/sshd.c =================================================================== ---- b.orig/sshd.c -+++ b/sshd.c +--- openssh-8.7p1.orig/sshd.c ++++ openssh-8.7p1/sshd.c @@ -132,6 +132,8 @@ #include "sk-api.h" #include "srclimit.h" @@ -927,7 +927,7 @@ Index: b/sshd.c /* Re-exec fds */ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) -@@ -2149,6 +2151,7 @@ main(int ac, char **av) +@@ -2163,6 +2165,7 @@ main(int ac, char **av) } /* Reinitialize the log (because of the fork above). */ log_init(__progname, options.log_level, options.log_facility, log_stderr); @@ -935,7 +935,7 @@ Index: b/sshd.c if (FIPS_mode()) { debug("FIPS mode initialized"); -@@ -2315,8 +2318,15 @@ main(int ac, char **av) +@@ -2332,8 +2335,15 @@ main(int ac, char **av) rdomain == NULL ? "" : " rdomain \"", rdomain == NULL ? "" : rdomain, rdomain == NULL ? "" : "\""); @@ -952,7 +952,7 @@ Index: b/sshd.c /* * We don't want to listen forever unless the other side * successfully authenticates itself. So we set up an alarm which is -@@ -2638,6 +2648,7 @@ cleanup_exit(int i) +@@ -2655,6 +2665,7 @@ cleanup_exit(int i) if (in_cleanup) _exit(i); in_cleanup = 1; @@ -960,10 +960,10 @@ Index: b/sshd.c if (the_active_state != NULL && the_authctxt != NULL) { do_cleanup(the_active_state, the_authctxt); if (use_privsep && privsep_is_preauth && -Index: b/sshd_config +Index: openssh-8.7p1/sshd_config =================================================================== ---- b.orig/sshd_config -+++ b/sshd_config +--- openssh-8.7p1.orig/sshd_config ++++ openssh-8.7p1/sshd_config @@ -33,6 +33,15 @@ Include /etc/ssh/sshd_config.d/*.conf # Logging #SyslogFacility AUTH 
@@ -980,10 +980,10 @@ Index: b/sshd_config # Authentication: -Index: b/auth-pam.c +Index: openssh-8.7p1/auth-pam.c =================================================================== ---- b.orig/auth-pam.c -+++ b/auth-pam.c +--- openssh-8.7p1.orig/auth-pam.c ++++ openssh-8.7p1/auth-pam.c @@ -94,6 +94,7 @@ extern char *__progname; #include "auth-pam.h" #include "canohost.h" @@ -1006,10 +1006,10 @@ Index: b/auth-pam.c else { sshpam_session_open = 0; auth_restrict_session(ssh); -Index: b/servconf.h +Index: openssh-8.7p1/servconf.h =================================================================== ---- b.orig/servconf.h -+++ b/servconf.h +--- openssh-8.7p1.orig/servconf.h ++++ openssh-8.7p1/servconf.h @@ -22,6 +22,8 @@ #define MAX_SUBSYSTEMS 256 /* Max # subsystems. */ @@ -1022,20 +1022,20 @@ Index: b/servconf.h @@ -239,6 +241,12 @@ typedef struct { u_int64_t timing_secret; char *sk_provider; - int rsa_min_size; /* minimum size of RSA keys */ + int required_rsa_size; /* minimum size of RSA keys */ + -+ char *log_format_prefix; -+ u_int num_log_format_keys; -+ char *log_format_keys[MAX_LOGFORMAT_KEYS]; -+ int log_format_json; /* 1 to return "token": "token_val" in log format */ ++ char *log_format_prefix; ++ u_int num_log_format_keys; ++ char *log_format_keys[MAX_LOGFORMAT_KEYS]; ++ int log_format_json; /* 1 to return "token": "token_val" in log format */ + } ServerOptions; /* Information about the incoming connection as used by Match */ -Index: b/regress/slog.sh +Index: openssh-8.7p1/regress/slog.sh =================================================================== --- /dev/null -+++ b/regress/slog.sh ++++ openssh-8.7p1/regress/slog.sh @@ -0,0 +1,59 @@ +tid='structured log' + 
@@ -1096,10 +1096,10 @@ Index: b/regress/slog.sh + +test_log_counts +test_json_valid -Index: b/Makefile.in +Index: openssh-8.7p1/Makefile.in =================================================================== ---- b.orig/Makefile.in -+++ b/Makefile.in +--- openssh-8.7p1.orig/Makefile.in ++++ openssh-8.7p1/Makefile.in @@ -129,7 +129,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw monitor.o monitor_wrap.o auth-krb5.o \ auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \ @@ -1118,10 +1118,10 @@ Index: b/Makefile.in rm -rf autom4te.cache rm -f regress/check-perm rm -f regress/mkdtemp -Index: b/auth.c +Index: openssh-8.7p1/auth.c =================================================================== ---- b.orig/auth.c -+++ b/auth.c +--- openssh-8.7p1.orig/auth.c ++++ openssh-8.7p1/auth.c @@ -76,6 +76,7 @@ #include "ssherr.h" #include "compat.h" diff --git a/openssh.spec b/openssh.spec index bde5c0b..350d05e 100644 --- a/openssh.spec +++ b/openssh.spec @@ -56,7 +56,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 8.7p1 %global openssh_rel 29 -%global hyperscale_rel 5 +%global hyperscale_rel 6 %global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_rel 5 @@ -827,6 +827,9 @@ test -f %{sysconfig_anaconda} && \ %endif %changelog +* Mon Apr 24 2023 Raymond Colebaugh - 8.7p1-29.6 + 0.10.4-5.6 +- Merge new changes from upstream + * Thu Apr 06 2023 Dmitry Belyavskiy - 8.7p1-29 - Resolve possible self-DoS with some clients Resolves: rhbz#2186473