diff --git a/openssh-6.6p1-ctr-cavstest.patch b/openssh-6.6p1-ctr-cavstest.patch deleted file mode 100644 index 81da034..0000000 --- a/openssh-6.6p1-ctr-cavstest.patch +++ /dev/null @@ -1,257 +0,0 @@ -diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in ---- openssh-6.8p1/Makefile.in.ctr-cavs 2015-03-18 11:22:05.493289018 +0100 -+++ openssh-6.8p1/Makefile.in 2015-03-18 11:22:44.504196316 +0100 -@@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign - SFTP_SERVER=$(libexecdir)/sftp-server - SSH_KEYSIGN=$(libexecdir)/ssh-keysign - SSH_KEYCAT=$(libexecdir)/ssh-keycat -+CTR_CAVSTEST=$(libexecdir)/ctr-cavstest - SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper - SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper - PRIVSEP_PATH=@PRIVSEP_PATH@ -@@ -66,7 +67,7 @@ EXEEXT=@EXEEXT@ - - .SUFFIXES: .lo - --TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT) -+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) - - XMSS_OBJS=\ - ssh-xmss.o \ -@@ -194,6 +195,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l - ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o - $(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS) - -+ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o -+ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) -+ - ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) - $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) - -@@ -326,6 +330,7 @@ install-files: - $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) - $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT) - $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT) -+ $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT) - $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) - $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) - $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 -diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c ---- openssh-6.8p1/ctr-cavstest.c.ctr-cavs 2015-03-18 11:22:05.521288952 +0100 -+++ openssh-6.8p1/ctr-cavstest.c 2015-03-18 11:22:05.521288952 +0100 -@@ -0,0 +1,215 @@ -+/* -+ * -+ * invocation (all of the following are equal): -+ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 -+ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 --iv 00000000000000000000000000000000 -+ * echo -n a6deca405eef2e8e4609abf3c3ccf4a6 | ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt -+ */ -+ -+#include "includes.h" -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include "xmalloc.h" -+#include "log.h" -+#include "ssherr.h" -+#include "cipher.h" -+ -+/* compatibility with old or broken OpenSSL versions */ -+#include "openbsd-compat/openssl-compat.h" -+ -+void usage(void) { -+ fprintf(stderr, "Usage: ctr-cavstest --algo \n" -+ " --key --mode \n" -+ " [--iv ] --data \n\n" -+ "Hexadecimal output is printed to stdout.\n" -+ "Hexadecimal input data can be alternatively read from stdin.\n"); -+ exit(1); -+} -+ -+void *fromhex(char *hex, size_t *len) -+{ -+ unsigned char *bin; -+ char *p; -+ size_t n = 0; -+ int shift = 4; -+ unsigned char out = 0; -+ unsigned char *optr; -+ -+ bin = xmalloc(strlen(hex)/2); -+ optr = bin; -+ -+ for (p = hex; *p != '\0'; ++p) { -+ unsigned char c; -+ -+ c = *p; -+ if (isspace(c)) -+ continue; -+ -+ if (c >= '0' && c <= '9') { -+ c = c - '0'; -+ } else if (c >= 'A' && c <= 'F') { -+ c = c - 'A' + 10; -+ } else if (c >= 'a' && c <= 'f') { -+ c = c - 'a' + 10; -+ } else { -+ /* truncate on nonhex cipher */ -+ break; -+ } -+ -+ out |= c << shift; -+ shift = (shift + 4) % 8; -+ -+ if (shift) { -+ *(optr++) = out; -+ out = 0; -+ ++n; -+ } -+ } -+ -+ *len = n; -+ return bin; -+} -+ -+#define READ_CHUNK 4096 -+#define MAX_READ_SIZE 1024*1024*100 -+char *read_stdin(void) -+{ -+ char *buf; -+ size_t n, total = 0; -+ -+ buf = xmalloc(READ_CHUNK); -+ -+ do { -+ n = fread(buf + total, 1, READ_CHUNK, stdin); -+ if (n < READ_CHUNK) /* terminate on short read */ -+ break; -+ -+ total += n; -+ buf = xreallocarray(buf, total + READ_CHUNK, 1); -+ } while(total < MAX_READ_SIZE); -+ return buf; -+} -+ -+int main (int argc, char *argv[]) -+{ -+ -+ const struct sshcipher *c; -+ struct sshcipher_ctx *cc; -+ char *algo = "aes128-ctr"; -+ char *hexkey = NULL; -+ char *hexiv = "00000000000000000000000000000000"; -+ char *hexdata = NULL; -+ char *p; -+ int i, r; -+ int encrypt = 1; -+ void *key; -+ size_t keylen; -+ void *iv; -+ size_t ivlen; -+ void *data; -+ size_t datalen; -+ void *outdata; -+ -+ for (i = 1; i < argc; ++i) { -+ if (strcmp(argv[i], "--algo") == 0) { -+ algo = argv[++i]; -+ } else if (strcmp(argv[i], "--key") == 0) { -+ hexkey = argv[++i]; -+ } else if (strcmp(argv[i], "--mode") == 0) { -+ ++i; -+ if (argv[i] == NULL) { -+ usage(); -+ } -+ if (strncmp(argv[i], "enc", 3) == 0) { -+ encrypt = 1; -+ } else if (strncmp(argv[i], "dec", 3) == 0) { -+ encrypt = 0; -+ } else { -+ usage(); -+ } -+ } else if (strcmp(argv[i], "--iv") == 0) { -+ hexiv = argv[++i]; -+ } else if (strcmp(argv[i], "--data") == 0) { -+ hexdata = argv[++i]; -+ } -+ } -+ -+ if (hexkey == NULL || algo == NULL) { -+ usage(); -+ } -+ -+ OpenSSL_add_all_algorithms(); -+ -+ c = cipher_by_name(algo); -+ if (c == NULL) { -+ fprintf(stderr, "Error: unknown algorithm\n"); -+ return 2; -+ } -+ -+ if (hexdata == NULL) { -+ hexdata = read_stdin(); -+ } else { -+ hexdata = xstrdup(hexdata); -+ } -+ -+ key = fromhex(hexkey, &keylen); -+ -+ if (keylen != 16 && keylen != 24 && keylen == 32) { -+ fprintf(stderr, "Error: unsupported key length\n"); -+ return 2; -+ } -+ -+ iv = fromhex(hexiv, &ivlen); -+ -+ if (ivlen != 16) { -+ fprintf(stderr, "Error: unsupported iv length\n"); -+ return 2; -+ } -+ -+ data = fromhex(hexdata, &datalen); -+ -+ if (data == NULL || datalen == 0) { -+ fprintf(stderr, "Error: no data to encrypt/decrypt\n"); -+ return 2; -+ } -+ -+ if ((r = cipher_init(&cc, c, key, keylen, iv, ivlen, encrypt)) != 0) { -+ fprintf(stderr, "Error: cipher_init failed: %s\n", ssh_err(r)); -+ return 2; -+ } -+ -+ free(key); -+ free(iv); -+ -+ outdata = malloc(datalen); -+ if(outdata == NULL) { -+ fprintf(stderr, "Error: memory allocation failure\n"); -+ return 2; -+ } -+ -+ if ((r = cipher_crypt(cc, 0, outdata, data, datalen, 0, 0)) != 0) { -+ fprintf(stderr, "Error: cipher_crypt failed: %s\n", ssh_err(r)); -+ return 2; -+ } -+ -+ free(data); -+ -+ cipher_free(cc); -+ -+ for (p = outdata; datalen > 0; ++p, --datalen) { -+ printf("%02X", (unsigned char)*p); -+ } -+ -+ free(outdata); -+ -+ printf("\n"); -+ return 0; -+} -+ diff --git a/openssh-6.7p1-kdf-cavs.patch b/openssh-6.7p1-kdf-cavs.patch deleted file mode 100644 index f892bc8..0000000 --- a/openssh-6.7p1-kdf-cavs.patch +++ /dev/null @@ -1,618 +0,0 @@ -diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in ---- openssh-6.8p1/Makefile.in.kdf-cavs 2015-03-18 11:23:46.346049359 +0100 -+++ openssh-6.8p1/Makefile.in 2015-03-18 11:24:20.395968445 +0100 -@@ -29,6 +29,7 @@ SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-h - SSH_KEYSIGN=$(libexecdir)/ssh-keysign - SSH_KEYCAT=$(libexecdir)/ssh-keycat - CTR_CAVSTEST=$(libexecdir)/ctr-cavstest -+SSH_CAVS=$(libexecdir)/ssh-cavs - SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper - SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper - PRIVSEP_PATH=@PRIVSEP_PATH@ -@@ -67,7 +68,7 @@ EXEEXT=@EXEEXT@ - - .SUFFIXES: .lo - --TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) -+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT) - - XMSS_OBJS=\ - ssh-xmss.o \ -@@ -198,6 +199,9 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHD - ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o - $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) - -+ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o $(SKOBJS) -+ $(LD) -o $@ ssh-cavs.o $(SKOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -+ - ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS) - $(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) - -@@ -331,6 +335,8 @@ install-files: - $(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT) - $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT) - $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT) -+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-cavs$(EXEEXT) -+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs_driver.pl $(DESTDIR)$(libexecdir)/ssh-cavs_driver.pl - $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) - $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) - $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 -diff -up openssh-6.8p1/ssh-cavs.c.kdf-cavs openssh-6.8p1/ssh-cavs.c ---- openssh-6.8p1/ssh-cavs.c.kdf-cavs 2015-03-18 11:23:46.348049354 +0100 -+++ openssh-6.8p1/ssh-cavs.c 2015-03-18 11:23:46.348049354 +0100 -@@ -0,0 +1,387 @@ -+/* -+ * Copyright (C) 2015, Stephan Mueller -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, and the entire permission notice in its entirety, -+ * including the disclaimer of warranties. -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in the -+ * documentation and/or other materials provided with the distribution. -+ * 3. The name of the author may not be used to endorse or promote -+ * products derived from this software without specific prior -+ * written permission. -+ * -+ * ALTERNATIVELY, this product may be distributed under the terms of -+ * the GNU General Public License, in which case the provisions of the GPL2 -+ * are required INSTEAD OF the above restrictions. (This clause is -+ * necessary due to a potential bad interaction between the GPL and -+ * the restrictions contained in a BSD-style copyright.) -+ * -+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED -+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF -+ * WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE -+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT -+ * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR -+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF -+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE -+ * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH -+ * DAMAGE. -+ */ -+ -+#include "includes.h" -+ -+#include -+#include -+#include -+#include -+#include -+ -+#include -+ -+#include "xmalloc.h" -+#include "sshbuf.h" -+#include "sshkey.h" -+#include "cipher.h" -+#include "kex.h" -+#include "packet.h" -+#include "digest.h" -+ -+static int bin_char(unsigned char hex) -+{ -+ if (48 <= hex && 57 >= hex) -+ return (hex - 48); -+ if (65 <= hex && 70 >= hex) -+ return (hex - 55); -+ if (97 <= hex && 102 >= hex) -+ return (hex - 87); -+ return 0; -+} -+ -+/* -+ * Convert hex representation into binary string -+ * @hex input buffer with hex representation -+ * @hexlen length of hex -+ * @bin output buffer with binary data -+ * @binlen length of already allocated bin buffer (should be at least -+ * half of hexlen -- if not, only a fraction of hexlen is converted) -+ */ -+static void hex2bin(const char *hex, size_t hexlen, -+ unsigned char *bin, size_t binlen) -+{ -+ size_t i = 0; -+ size_t chars = (binlen > (hexlen / 2)) ? (hexlen / 2) : binlen; -+ -+ for (i = 0; i < chars; i++) { -+ bin[i] = bin_char(hex[(i*2)]) << 4; -+ bin[i] |= bin_char(hex[((i*2)+1)]); -+ } -+} -+ -+/* -+ * Allocate sufficient space for binary representation of hex -+ * and convert hex into bin -+ * -+ * Caller must free bin -+ * @hex input buffer with hex representation -+ * @hexlen length of hex -+ * @bin return value holding the pointer to the newly allocated buffer -+ * @binlen return value holding the allocated size of bin -+ * -+ * return: 0 on success, !0 otherwise -+ */ -+static int hex2bin_alloc(const char *hex, size_t hexlen, -+ unsigned char **bin, size_t *binlen) -+{ -+ unsigned char *out = NULL; -+ size_t outlen = 0; -+ -+ if (!hexlen) -+ return -EINVAL; -+ -+ outlen = (hexlen + 1) / 2; -+ -+ out = calloc(1, outlen); -+ if (!out) -+ return -errno; -+ -+ hex2bin(hex, hexlen, out, outlen); -+ *bin = out; -+ *binlen = outlen; -+ return 0; -+} -+ -+static char hex_char_map_l[] = { '0', '1', '2', '3', '4', '5', '6', '7', -+ '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' }; -+static char hex_char_map_u[] = { '0', '1', '2', '3', '4', '5', '6', '7', -+ '8', '9', 'A', 'B', 'C', 'D', 'E', 'F' }; -+static char hex_char(unsigned int bin, int u) -+{ -+ if (bin < sizeof(hex_char_map_l)) -+ return (u) ? hex_char_map_u[bin] : hex_char_map_l[bin]; -+ return 'X'; -+} -+ -+/* -+ * Convert binary string into hex representation -+ * @bin input buffer with binary data -+ * @binlen length of bin -+ * @hex output buffer to store hex data -+ * @hexlen length of already allocated hex buffer (should be at least -+ * twice binlen -- if not, only a fraction of binlen is converted) -+ * @u case of hex characters (0=>lower case, 1=>upper case) -+ */ -+static void bin2hex(const unsigned char *bin, size_t binlen, -+ char *hex, size_t hexlen, int u) -+{ -+ size_t i = 0; -+ size_t chars = (binlen > (hexlen / 2)) ? (hexlen / 2) : binlen; -+ -+ for (i = 0; i < chars; i++) { -+ hex[(i*2)] = hex_char((bin[i] >> 4), u); -+ hex[((i*2)+1)] = hex_char((bin[i] & 0x0f), u); -+ } -+} -+ -+struct kdf_cavs { -+ unsigned char *K; -+ size_t Klen; -+ unsigned char *H; -+ size_t Hlen; -+ unsigned char *session_id; -+ size_t session_id_len; -+ -+ unsigned int iv_len; -+ unsigned int ek_len; -+ unsigned int ik_len; -+}; -+ -+static int sshkdf_cavs(struct kdf_cavs *test) -+{ -+ int ret = 0; -+ struct kex kex; -+ struct sshbuf *Kb = NULL; -+ BIGNUM *Kbn = NULL; -+ int mode = 0; -+ struct newkeys *ctoskeys; -+ struct newkeys *stockeys; -+ struct ssh *ssh = NULL; -+ -+#define HEXOUTLEN 500 -+ char hex[HEXOUTLEN]; -+ -+ memset(&kex, 0, sizeof(struct kex)); -+ -+ Kbn = BN_new(); -+ BN_bin2bn(test->K, test->Klen, Kbn); -+ if (!Kbn) { -+ printf("cannot convert K into bignum\n"); -+ ret = 1; -+ goto out; -+ } -+ Kb = sshbuf_new(); -+ if (!Kb) { -+ printf("cannot convert K into sshbuf\n"); -+ ret = 1; -+ goto out; -+ } -+ sshbuf_put_bignum2(Kb, Kbn); -+ -+ kex.session_id = test->session_id; -+ kex.session_id_len = test->session_id_len; -+ -+ /* setup kex */ -+ -+ /* select the right hash based on struct ssh_digest digests */ -+ switch (test->ik_len) { -+ case 20: -+ kex.hash_alg = SSH_DIGEST_SHA1; -+ break; -+ case 32: -+ kex.hash_alg = SSH_DIGEST_SHA256; -+ break; -+ case 48: -+ kex.hash_alg = SSH_DIGEST_SHA384; -+ break; -+ case 64: -+ kex.hash_alg = SSH_DIGEST_SHA512; -+ break; -+ default: -+ printf("Wrong hash type %u\n", test->ik_len); -+ ret = 1; -+ goto out; -+ } -+ -+ /* implement choose_enc */ -+ for (mode = 0; mode < 2; mode++) { -+ kex.newkeys[mode] = calloc(1, sizeof(struct newkeys)); -+ if (!kex.newkeys[mode]) { -+ printf("allocation of newkeys failed\n"); -+ ret = 1; -+ goto out; -+ } -+ kex.newkeys[mode]->enc.iv_len = test->iv_len; -+ kex.newkeys[mode]->enc.key_len = test->ek_len; -+ kex.newkeys[mode]->enc.block_size = (test->iv_len == 64) ? 8 : 16; -+ kex.newkeys[mode]->mac.key_len = test->ik_len; -+ } -+ -+ /* implement kex_choose_conf */ -+ kex.we_need = kex.newkeys[0]->enc.key_len; -+ if (kex.we_need < kex.newkeys[0]->enc.block_size) -+ kex.we_need = kex.newkeys[0]->enc.block_size; -+ if (kex.we_need < kex.newkeys[0]->enc.iv_len) -+ kex.we_need = kex.newkeys[0]->enc.iv_len; -+ if (kex.we_need < kex.newkeys[0]->mac.key_len) -+ kex.we_need = kex.newkeys[0]->mac.key_len; -+ -+ /* MODE_OUT (1) -> server to client -+ * MODE_IN (0) -> client to server */ -+ kex.server = 1; -+ -+ /* do it */ -+ if ((ssh = ssh_packet_set_connection(NULL, -1, -1)) == NULL){ -+ printf("Allocation error\n"); -+ goto out; -+ } -+ ssh->kex = &kex; -+ kex_derive_keys(ssh, test->H, test->Hlen, Kb); -+ -+ ctoskeys = kex.newkeys[0]; -+ stockeys = kex.newkeys[1]; -+ -+ /* get data */ -+ memset(hex, 0, HEXOUTLEN); -+ bin2hex(ctoskeys->enc.iv, (size_t)ctoskeys->enc.iv_len, -+ hex, HEXOUTLEN, 0); -+ printf("Initial IV (client to server) = %s\n", hex); -+ memset(hex, 0, HEXOUTLEN); -+ bin2hex(stockeys->enc.iv, (size_t)stockeys->enc.iv_len, -+ hex, HEXOUTLEN, 0); -+ printf("Initial IV (server to client) = %s\n", hex); -+ -+ memset(hex, 0, HEXOUTLEN); -+ bin2hex(ctoskeys->enc.key, (size_t)ctoskeys->enc.key_len, -+ hex, HEXOUTLEN, 0); -+ printf("Encryption key (client to server) = %s\n", hex); -+ memset(hex, 0, HEXOUTLEN); -+ bin2hex(stockeys->enc.key, (size_t)stockeys->enc.key_len, -+ hex, HEXOUTLEN, 0); -+ printf("Encryption key (server to client) = %s\n", hex); -+ -+ memset(hex, 0, HEXOUTLEN); -+ bin2hex(ctoskeys->mac.key, (size_t)ctoskeys->mac.key_len, -+ hex, HEXOUTLEN, 0); -+ printf("Integrity key (client to server) = %s\n", hex); -+ memset(hex, 0, HEXOUTLEN); -+ bin2hex(stockeys->mac.key, (size_t)stockeys->mac.key_len, -+ hex, HEXOUTLEN, 0); -+ printf("Integrity key (server to client) = %s\n", hex); -+ -+out: -+ if (Kbn) -+ BN_free(Kbn); -+ if (Kb) -+ sshbuf_free(Kb); -+ if (ssh) -+ ssh_packet_close(ssh); -+ return ret; -+} -+ -+static void usage(void) -+{ -+ fprintf(stderr, "\nOpenSSH KDF CAVS Test\n\n"); -+ fprintf(stderr, "Usage:\n"); -+ fprintf(stderr, "\t-K\tShared secret string\n"); -+ fprintf(stderr, "\t-H\tHash string\n"); -+ fprintf(stderr, "\t-s\tSession ID string\n"); -+ fprintf(stderr, "\t-i\tIV length to be generated\n"); -+ fprintf(stderr, "\t-e\tEncryption key length to be generated\n"); -+ fprintf(stderr, "\t-m\tMAC key length to be generated\n"); -+} -+ -+/* -+ * Test command example: -+ * ./ssh-cavs -K 0055d50f2d163cc07cd8a93cc7c3430c30ce786b572c01ad29fec7597000cf8618d664e2ec3dcbc8bb7a1a7eb7ef67f61cdaf291625da879186ac0a5cb27af571b59612d6a6e0627344d846271959fda61c78354aa498773d59762f8ca2d0215ec590d8633de921f920d41e47b3de6ab9a3d0869e1c826d0e4adebf8e3fb646a15dea20a410b44e969f4b791ed6a67f13f1b74234004d5fa5e87eff7abc32d49bbdf44d7b0107e8f10609233b7e2b7eff74a4daf25641de7553975dac6ac1e5117df6f6dbaa1c263d23a6c3e5a3d7d49ae8a828c1e333ac3f85fbbf57b5c1a45be45e43a7be1a4707eac779b8285522d1f531fe23f890fd38a004339932b93eda4 -H d3ab91a850febb417a25d892ec48ed5952c7a5de -s d3ab91a850febb417a25d892ec48ed5952c7a5de -i 8 -e 24 -m 20 -+ * -+ * Initial IV (client to server) = 4bb320d1679dfd3a -+ * Initial IV (server to client) = 43dea6fdf263a308 -+ * Encryption key (client to server) = 13048cc600b9d3cf9095aa6cf8e2ff9cf1c54ca0520c89ed -+ * Encryption key (server to client) = 1e483c5134e901aa11fc4e0a524e7ec7b75556148a222bb0 -+ * Integrity key (client to server) = ecef63a092b0dcc585bdc757e01b2740af57d640 -+ * Integrity key (server to client) = 7424b05f3c44a72b4ebd281fb71f9cbe7b64d479 -+ */ -+int main(int argc, char *argv[]) -+{ -+ struct kdf_cavs test; -+ int ret = 1; -+ int opt = 0; -+ -+ memset(&test, 0, sizeof(struct kdf_cavs)); -+ while((opt = getopt(argc, argv, "K:H:s:i:e:m:")) != -1) -+ { -+ size_t len = 0; -+ switch(opt) -+ { -+ /* -+ * CAVS K is MPINT -+ * we want a hex (i.e. the caller must ensure the -+ * following transformations already happened): -+ * 1. cut off first four bytes -+ * 2. if most significant bit of value is -+ * 1, prepend 0 byte -+ */ -+ case 'K': -+ len = strlen(optarg); -+ ret = hex2bin_alloc(optarg, len, -+ &test.K, &test.Klen); -+ if (ret) -+ goto out; -+ break; -+ case 'H': -+ len = strlen(optarg); -+ ret = hex2bin_alloc(optarg, len, -+ &test.H, &test.Hlen); -+ if (ret) -+ goto out; -+ break; -+ case 's': -+ len = strlen(optarg); -+ ret = hex2bin_alloc(optarg, len, -+ &test.session_id, -+ &test.session_id_len); -+ if (ret) -+ goto out; -+ break; -+ case 'i': -+ test.iv_len = strtoul(optarg, NULL, 10); -+ break; -+ case 'e': -+ test.ek_len = strtoul(optarg, NULL, 10); -+ break; -+ case 'm': -+ test.ik_len = strtoul(optarg, NULL, 10); -+ break; -+ default: -+ usage(); -+ goto out; -+ } -+ } -+ -+ ret = sshkdf_cavs(&test); -+ -+out: -+ if (test.session_id) -+ free(test.session_id); -+ if (test.K) -+ free(test.K); -+ if (test.H) -+ free(test.H); -+ return ret; -+ -+} -diff -up openssh-6.8p1/ssh-cavs_driver.pl.kdf-cavs openssh-6.8p1/ssh-cavs_driver.pl ---- openssh-6.8p1/ssh-cavs_driver.pl.kdf-cavs 2015-03-18 11:23:46.348049354 +0100 -+++ openssh-6.8p1/ssh-cavs_driver.pl 2015-03-18 11:23:46.348049354 +0100 -@@ -0,0 +1,184 @@ -+#!/usr/bin/env perl -+# -+# CAVS test driver for OpenSSH -+# -+# Copyright (C) 2015, Stephan Mueller -+# -+# Permission is hereby granted, free of charge, to any person obtaining a copy -+# of this software and associated documentation files (the "Software"), to deal -+# in the Software without restriction, including without limitation the rights -+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -+# copies of the Software, and to permit persons to whom the Software is -+# furnished to do so, subject to the following conditions: -+# -+# The above copyright notice and this permission notice shall be included in -+# all copies or substantial portions of the Software. -+# -+# NO WARRANTY -+# -+# BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY -+# FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN -+# OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES -+# PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED -+# OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS -+# TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE -+# PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, -+# REPAIR OR CORRECTION. -+# -+# IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -+# WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR -+# REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, -+# INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING -+# OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED -+# TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY -+# YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER -+# PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE -+# POSSIBILITY OF SUCH DAMAGES. -+# -+use strict; -+use warnings; -+use IPC::Open2; -+ -+# Executing a program by feeding STDIN and retrieving -+# STDOUT -+# $1: data string to be piped to the app on STDIN -+# rest: program and args -+# returns: STDOUT of program as string -+sub pipe_through_program($@) { -+ my $in = shift; -+ my @args = @_; -+ -+ my ($CO, $CI); -+ my $pid = open2($CO, $CI, @args); -+ -+ my $out = ""; -+ my $len = length($in); -+ my $first = 1; -+ while (1) { -+ my $rin = ""; -+ my $win = ""; -+ # Output of prog is FD that we read -+ vec($rin,fileno($CO),1) = 1; -+ # Input of prog is FD that we write -+ # check for $first is needed because we can have NULL input -+ # that is to be written to the app -+ if ( $len > 0 || $first) { -+ (vec($win,fileno($CI),1) = 1); -+ $first=0; -+ } -+ # Let us wait for 100ms -+ my $nfound = select(my $rout=$rin, my $wout=$win, undef, 0.1); -+ if ( $wout ) { -+ my $written = syswrite($CI, $in, $len); -+ die "broken pipe" if !defined $written; -+ $len -= $written; -+ substr($in, 0, $written) = ""; -+ if ($len <= 0) { -+ close $CI or die "broken pipe: $!"; -+ } -+ } -+ if ( $rout ) { -+ my $tmp_out = ""; -+ my $bytes_read = sysread($CO, $tmp_out, 4096); -+ $out .= $tmp_out; -+ last if ($bytes_read == 0); -+ } -+ } -+ close $CO or die "broken pipe: $!"; -+ waitpid $pid, 0; -+ -+ return $out; -+} -+ -+# Parser of CAVS test vector file -+# $1: Test vector file -+# $2: Output file for test results -+# return: nothing -+sub parse($$) { -+ my $infile = shift; -+ my $outfile = shift; -+ -+ my $out = ""; -+ -+ my $K = ""; -+ my $H = ""; -+ my $session_id = ""; -+ my $ivlen = 0; -+ my $eklen = ""; -+ my $iklen = ""; -+ -+ open(IN, "<$infile"); -+ while() { -+ -+ my $line = $_; -+ chomp($line); -+ $line =~ s/\r//; -+ -+ if ($line =~ /\[SHA-1\]/) { -+ $iklen = 20; -+ } elsif ($line =~ /\[SHA-256\]/) { -+ $iklen = 32; -+ } elsif ($line =~ /\[SHA-384\]/) { -+ $iklen = 48; -+ } elsif ($line =~ /\[SHA-512\]/) { -+ $iklen = 64; -+ } elsif ($line =~ /^\[IV length\s*=\s*(.*)\]/) { -+ $ivlen = $1; -+ $ivlen = $ivlen / 8; -+ } elsif ($line =~ /^\[encryption key length\s*=\s*(.*)\]/) { -+ $eklen = $1; -+ $eklen = $eklen / 8; -+ } elsif ($line =~ /^K\s*=\s*(.*)/) { -+ $K = $1; -+ $K = substr($K, 8); -+ $K = "00" . $K; -+ } elsif ($line =~ /^H\s*=\s*(.*)/) { -+ $H = $1; -+ } elsif ($line =~ /^session_id\s*=\s*(.*)/) { -+ $session_id = $1; -+ } -+ $out .= $line . "\n"; -+ -+ if ($K ne "" && $H ne "" && $session_id ne "" && -+ $ivlen ne "" && $eklen ne "" && $iklen > 0) { -+ $out .= pipe_through_program("", "./ssh-cavs -H $H -K $K -s $session_id -i $ivlen -e $eklen -m $iklen"); -+ -+ $K = ""; -+ $H = ""; -+ $session_id = ""; -+ } -+ } -+ close IN; -+ $out =~ s/\n/\r\n/g; # make it a dos file -+ open(OUT, ">$outfile") or die "Cannot create output file $outfile: $?"; -+ print OUT $out; -+ close OUT; -+} -+ -+############################################################ -+# -+# let us pretend to be C :-) -+sub main() { -+ -+ my $infile=$ARGV[0]; -+ die "Error: Test vector file $infile not found" if (! -f $infile); -+ -+ my $outfile = $infile; -+ # let us add .rsp regardless whether we could strip .req -+ $outfile =~ s/\.req$//; -+ $outfile .= ".rsp"; -+ if (-f $outfile) { -+ die "Output file $outfile could not be removed: $?" -+ unless unlink($outfile); -+ } -+ print STDERR "Performing tests from source file $infile with results stored in destination file $outfile\n"; -+ -+ # Do the job -+ parse($infile, $outfile); -+} -+ -+########################################### -+# Call it -+main(); -+1; diff --git a/openssh-8.0p1-pkcs11-uri.patch b/openssh-8.0p1-pkcs11-uri.patch index d55df23..0713ffe 100644 --- a/openssh-8.0p1-pkcs11-uri.patch +++ b/openssh-8.0p1-pkcs11-uri.patch @@ -2159,12 +2159,13 @@ index a302c79c..879fe917 100644 if (rv != CKR_OK) { error("C_GetAttributeValue failed: %lu", rv); return (NULL); -@@ -717,18 +874,19 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, +@@ -717,19 +874,19 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, + * ensure that none of the others are zero length. * XXX assumes CKA_ID is always first. */ - if (key_attr[1].ulValueLen == 0 || +- if (key_attr[1].ulValueLen == 0 || - key_attr[2].ulValueLen == 0) { -+ key_attr[2].ulValueLen == 0 || ++ if (key_attr[2].ulValueLen == 0 || + key_attr[3].ulValueLen == 0) { error("invalid attribute length"); return (NULL); @@ -2259,12 +2260,13 @@ index a302c79c..879fe917 100644 if (rv != CKR_OK) { error("C_GetAttributeValue failed: %lu", rv); return (NULL); -@@ -838,18 +998,19 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, +@@ -838,19 +998,19 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx, + * ensure that none of the others are zero length. * XXX assumes CKA_ID is always first. */ - if (key_attr[1].ulValueLen == 0 || +- if (key_attr[1].ulValueLen == 0 || - key_attr[2].ulValueLen == 0) { -+ key_attr[2].ulValueLen == 0 || ++ if (key_attr[2].ulValueLen == 0 || + key_attr[3].ulValueLen == 0) { error("invalid attribute length"); return (NULL); diff --git a/openssh.rpmlintrc b/openssh.rpmlintrc index 0a7a50e..2404235 100644 --- a/openssh.rpmlintrc +++ b/openssh.rpmlintrc @@ -13,9 +13,8 @@ addFilter(r'openssh-(askpass|cavs).x86_64: W: no-documentation') # sshd config and sysconfig is not supposed to be world readable addFilter(r'non-readable /etc/(ssh/sshd_config|sysconfig/sshd)') -# The /var/empty/sshd is supposed to have the given permissions -addFilter(r'non-standard-dir-perm /var/empty/sshd 711') -addFilter(r'non-standard-dir-in-var empty') +# /usr/share/empty.sshd is required to have the given permissions +addFilter(r'non-standard-dir-perm /usr/share/empty.sshd 711') # Spelling false-positives addFilter(r'spelling-error (Summary\(en_US\)|.* en_US) (mls|su|sudo|rlogin|rsh|untrusted) ') diff --git a/openssh.spec b/openssh.spec index 578a2eb..13e4ed4 100644 --- a/openssh.spec +++ b/openssh.spec @@ -51,7 +51,7 @@ # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1 %global openssh_ver 8.4p1 -%global openssh_rel 4 +%global openssh_rel 5 %global pam_ssh_agent_ver 0.10.4 %global pam_ssh_agent_rel 1 @@ -74,7 +74,6 @@ Source10: sshd.socket Source11: sshd.service Source12: sshd-keygen@.service Source13: sshd-keygen -Source14: sshd.tmpfiles Source15: sshd-keygen.target #https://bugzilla.mindrot.org/show_bug.cgi?id=2581 @@ -133,10 +132,6 @@ Patch707: openssh-7.7p1-redhat.patch Patch711: openssh-7.8p1-UsePAM-warning.patch # make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL Patch712: openssh-6.3p1-ctr-evp-fast.patch -# add cavs test binary for the aes-ctr -Patch713: openssh-6.6p1-ctr-cavstest.patch -# add SSH KDF CAVS test driver -Patch714: openssh-6.7p1-kdf-cavs.patch # GSSAPI Key Exchange (RFC 4462 + RFC 8732) # from https://github.com/openssh-gsskex/openssh-gsskex/tree/fedora/master @@ -226,6 +221,7 @@ BuildRequires: p11-kit-devel BuildRequires: libfido2-devel Recommends: p11-kit Obsoletes: openssh-ldap < 8.3p1-4 +Obsoletes: openssh-cavs < 8.4p1-5 %if %{kerberos5} BuildRequires: krb5-devel @@ -267,10 +263,6 @@ Requires: openssh = %{version}-%{release} Summary: A passphrase dialog for OpenSSH and X Requires: openssh = %{version}-%{release} -%package cavs -Summary: CAVS tests for FIPS validation -Requires: openssh = %{version}-%{release} - %package -n pam_ssh_agent_auth Summary: PAM module for authentication with ssh-agent Version: %{pam_ssh_agent_ver} @@ -311,10 +303,6 @@ OpenSSH is a free version of SSH (Secure SHell), a program for logging into and executing commands on a remote machine. This package contains an X11 passphrase dialog for OpenSSH. -%description cavs -This package contains test binaries and scripts to make FIPS validation -easier. Now contains CTR and KDF CAVS test driver. - %description -n pam_ssh_agent_auth This package contains a PAM module which can be used to authenticate users using ssh keys stored in a ssh-agent. Through the use of the @@ -355,8 +343,6 @@ popd %patch707 -p1 -b .redhat %patch711 -p1 -b .log-usepam-no %patch712 -p1 -b .evp-ctr -%patch713 -p1 -b .ctr-cavs -%patch714 -p1 -b .kdf-cavs # %patch800 -p1 -b .gsskex %patch801 -p1 -b .force_krb @@ -438,7 +424,7 @@ fi --datadir=%{_datadir}/openssh \ --with-default-path=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin \ --with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \ - --with-privsep-path=%{_var}/empty/sshd \ + --with-privsep-path=%{_datadir}/empty.sshd \ --disable-strip \ --without-zlib-version-check \ --with-ssl-engine \ @@ -515,7 +501,6 @@ mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/sshd_config.d mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh -mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd %make_install install -d $RPM_BUILD_ROOT/etc/pam.d/ @@ -535,7 +520,7 @@ install -m644 %{SOURCE15} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.target install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/ install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/ -install -m644 -D %{SOURCE14} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf +install -d -m711 ${RPM_BUILD_ROOT}/%{_datadir}/empty.sshd %if ! %{no_gnome_askpass} install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass @@ -566,7 +551,7 @@ getent group ssh_keys >/dev/null || groupadd -r ssh_keys || : getent group sshd >/dev/null || groupadd -g %{sshd_uid} -r sshd || : getent passwd sshd >/dev/null || \ useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd \ - -s /sbin/nologin -r -d /var/empty/sshd sshd 2> /dev/null || : + -s /sbin/nologin -r -d /usr/share/empty.sshd sshd 2> /dev/null || : %post server %systemd_post sshd.service sshd.socket @@ -624,7 +609,7 @@ test -f %{sysconfig_anaconda} && \ %attr(0644,root,root) %{_mandir}/man8/ssh-sk-helper.8* %files server -%dir %attr(0711,root,root) %{_var}/empty/sshd +%dir %attr(0711,root,root) %{_datadir}/empty.sshd %attr(0755,root,root) %{_sbindir}/sshd %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server %attr(0755,root,root) %{_libexecdir}/openssh/sshd-keygen @@ -642,7 +627,6 @@ test -f %{sysconfig_anaconda} && \ %attr(0644,root,root) %{_unitdir}/sshd.socket %attr(0644,root,root) %{_unitdir}/sshd-keygen@.service %attr(0644,root,root) %{_unitdir}/sshd-keygen.target -%attr(0644,root,root) %{_tmpfilesdir}/openssh.conf %files keycat %doc HOWTO.ssh-keycat @@ -656,11 +640,6 @@ test -f %{sysconfig_anaconda} && \ %attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass %endif -%files cavs -%attr(0755,root,root) %{_libexecdir}/openssh/ctr-cavstest -%attr(0755,root,root) %{_libexecdir}/openssh/ssh-cavs -%attr(0755,root,root) %{_libexecdir}/openssh/ssh-cavs_driver.pl - %if %{pam_ssh_agent} %files -n pam_ssh_agent_auth %license pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}/OPENSSH_LICENSE @@ -669,6 +648,11 @@ test -f %{sysconfig_anaconda} && \ %endif %changelog +* Fri Jan 22 2021 Jakub Jelen - 8.4p1-5 + 0.10.4-1 +- Use /usr/share/empty.sshd instead of /var/empty/sshd +- Allow emptu labels in PKCS#11 tokens (#1919007) +- Drop openssh-cavs subpackage + * Tue Dec 01 2020 Jakub Jelen - 8.4p1-4 + 0.10.4-1 - Remove "PasswordAuthentication yes" from vendor configuration as it is already default and it might be hard to override. diff --git a/sshd.tmpfiles b/sshd.tmpfiles deleted file mode 100644 index c35a2b8..0000000 --- a/sshd.tmpfiles +++ /dev/null @@ -1 +0,0 @@ -d /var/empty/sshd 711 root root -