diff --git a/openssh-6.6p1-ctr-cavstest.patch b/openssh-6.6p1-ctr-cavstest.patch
deleted file mode 100644
index 81da034..0000000
--- a/openssh-6.6p1-ctr-cavstest.patch
+++ /dev/null
@@ -1,257 +0,0 @@
-diff -up openssh-6.8p1/Makefile.in.ctr-cavs openssh-6.8p1/Makefile.in
---- openssh-6.8p1/Makefile.in.ctr-cavs	2015-03-18 11:22:05.493289018 +0100
-+++ openssh-6.8p1/Makefile.in	2015-03-18 11:22:44.504196316 +0100
-@@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
- SFTP_SERVER=$(libexecdir)/sftp-server
- SSH_KEYSIGN=$(libexecdir)/ssh-keysign
- SSH_KEYCAT=$(libexecdir)/ssh-keycat
-+CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
- SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
- SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
- PRIVSEP_PATH=@PRIVSEP_PATH@
-@@ -66,7 +67,7 @@ EXEEXT=@EXEEXT@
- 
- .SUFFIXES: .lo
- 
--TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT)
-+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
- 
- XMSS_OBJS=\
- 	ssh-xmss.o \
-@@ -194,6 +195,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
- ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o uidswap.o
- 	$(LD) -o $@ ssh-keycat.o uidswap.o $(LDFLAGS) -lssh -lopenbsd-compat $(KEYCATLIBS) $(LIBS)
- 
-+ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
-+	$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
-+
- ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
- 	$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
- 
-@@ -326,6 +330,7 @@ install-files:
- 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
- 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
- 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
-+	$(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
- 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
- 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
- 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-diff -up openssh-6.8p1/ctr-cavstest.c.ctr-cavs openssh-6.8p1/ctr-cavstest.c
---- openssh-6.8p1/ctr-cavstest.c.ctr-cavs	2015-03-18 11:22:05.521288952 +0100
-+++ openssh-6.8p1/ctr-cavstest.c	2015-03-18 11:22:05.521288952 +0100
-@@ -0,0 +1,215 @@
-+/*
-+ *
-+ * invocation (all of the following are equal):
-+ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6
-+ * ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt --data a6deca405eef2e8e4609abf3c3ccf4a6 --iv 00000000000000000000000000000000
-+ * echo -n a6deca405eef2e8e4609abf3c3ccf4a6 | ./ctr-cavstest --algo aes128-ctr --key 987212980144b6a632e864031f52dacc --mode encrypt
-+ */
-+
-+#include "includes.h"
-+
-+#include <sys/types.h>
-+#include <sys/param.h>
-+#include <stdarg.h>
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <ctype.h>
-+
-+#include "xmalloc.h"
-+#include "log.h"
-+#include "ssherr.h"
-+#include "cipher.h"
-+
-+/* compatibility with old or broken OpenSSL versions */
-+#include "openbsd-compat/openssl-compat.h"
-+
-+void usage(void) {
-+        fprintf(stderr, "Usage: ctr-cavstest --algo <ssh-crypto-algorithm>\n"
-+                        "                    --key <hexadecimal-key> --mode <encrypt|decrypt>\n"
-+                        "                    [--iv <hexadecimal-iv>] --data <hexadecimal-data>\n\n"
-+                        "Hexadecimal output is printed to stdout.\n"
-+                        "Hexadecimal input data can be alternatively read from stdin.\n");
-+        exit(1);
-+}
-+
-+void *fromhex(char *hex, size_t *len)
-+{
-+        unsigned char *bin;
-+        char *p;
-+        size_t n = 0;
-+        int shift = 4;
-+        unsigned char out = 0;
-+        unsigned char *optr;
-+
-+        bin = xmalloc(strlen(hex)/2);
-+        optr = bin;
-+
-+        for (p = hex; *p != '\0'; ++p) {
-+                unsigned char c;
-+
-+                c = *p;
-+                if (isspace(c))
-+                        continue;
-+
-+                if (c >= '0' && c <= '9') {
-+                        c = c - '0';
-+                } else if (c >= 'A' && c <= 'F') {
-+                        c = c - 'A' + 10;
-+                } else if (c >= 'a' && c <= 'f') {
-+                        c = c - 'a' + 10;
-+                } else {
-+                        /* truncate on nonhex cipher */
-+                        break;
-+                }
-+
-+                out |= c << shift;
-+                shift = (shift + 4) % 8;
-+
-+                if (shift) {
-+                        *(optr++) = out;
-+                        out = 0;
-+                        ++n;
-+                }
-+        }
-+
-+        *len = n;
-+        return bin;
-+}
-+
-+#define READ_CHUNK 4096
-+#define MAX_READ_SIZE 1024*1024*100
-+char *read_stdin(void)
-+{
-+        char *buf;
-+        size_t n, total = 0;
-+
-+        buf = xmalloc(READ_CHUNK);
-+
-+        do {
-+                n = fread(buf + total, 1, READ_CHUNK, stdin);
-+                if (n < READ_CHUNK) /* terminate on short read */
-+                        break;
-+
-+                total += n;
-+                buf = xreallocarray(buf, total + READ_CHUNK, 1);
-+        } while(total < MAX_READ_SIZE);
-+        return buf;
-+}
-+
-+int main (int argc, char *argv[])
-+{
-+
-+        const struct sshcipher *c;
-+        struct sshcipher_ctx *cc;
-+        char *algo = "aes128-ctr";
-+        char *hexkey = NULL;
-+        char *hexiv = "00000000000000000000000000000000";
-+        char *hexdata = NULL;
-+        char *p;
-+        int i, r;
-+        int encrypt = 1;
-+        void *key;
-+        size_t keylen;
-+        void *iv;
-+        size_t ivlen;
-+        void *data;
-+        size_t datalen;
-+        void *outdata;
-+
-+        for (i = 1; i < argc; ++i) {
-+                if (strcmp(argv[i], "--algo") == 0) {
-+                        algo = argv[++i];
-+                } else if (strcmp(argv[i], "--key") == 0) {
-+                        hexkey = argv[++i];
-+                } else if (strcmp(argv[i], "--mode") == 0) {
-+                        ++i;
-+                        if (argv[i] == NULL) {
-+                                usage();
-+                        }
-+                        if (strncmp(argv[i], "enc", 3) == 0) {
-+                                encrypt = 1;
-+                        } else if (strncmp(argv[i], "dec", 3) == 0) {
-+                                encrypt = 0;
-+                        } else {
-+                                usage();
-+                        }
-+                } else if (strcmp(argv[i], "--iv") == 0) {
-+                        hexiv = argv[++i];
-+                } else if (strcmp(argv[i], "--data") == 0) {
-+                        hexdata = argv[++i];
-+                }
-+        }
-+
-+        if (hexkey == NULL || algo == NULL) {
-+                usage();
-+        }
-+
-+	OpenSSL_add_all_algorithms();
-+
-+	c = cipher_by_name(algo);
-+	if (c == NULL) {
-+		fprintf(stderr, "Error: unknown algorithm\n");
-+		return 2;
-+	}
-+
-+        if (hexdata == NULL) {
-+                hexdata = read_stdin();
-+        } else {
-+                hexdata = xstrdup(hexdata);
-+        }
-+
-+        key = fromhex(hexkey, &keylen);
-+
-+	if (keylen != 16 && keylen != 24 && keylen == 32) {
-+		fprintf(stderr, "Error: unsupported key length\n");
-+		return 2;
-+	}
-+
-+        iv = fromhex(hexiv, &ivlen);
-+
-+        if (ivlen != 16) {
-+		fprintf(stderr, "Error: unsupported iv length\n");
-+		return 2;
-+        }
-+
-+        data = fromhex(hexdata, &datalen);
-+
-+	if (data == NULL || datalen == 0) {
-+		fprintf(stderr, "Error: no data to encrypt/decrypt\n");
-+		return 2;
-+	}
-+
-+	if ((r = cipher_init(&cc, c, key, keylen, iv, ivlen, encrypt)) != 0) {
-+		fprintf(stderr, "Error: cipher_init failed: %s\n", ssh_err(r));
-+		return 2;
-+	}
-+
-+	free(key);
-+	free(iv);
-+
-+	outdata = malloc(datalen);
-+	if(outdata == NULL) {
-+		fprintf(stderr, "Error: memory allocation failure\n");
-+		return 2;
-+	}
-+
-+	if ((r = cipher_crypt(cc, 0, outdata, data, datalen, 0, 0)) != 0) {
-+		fprintf(stderr, "Error: cipher_crypt failed: %s\n", ssh_err(r));
-+		return 2;
-+	}
-+
-+	free(data);
-+
-+	cipher_free(cc);
-+
-+        for (p = outdata; datalen > 0; ++p, --datalen) {
-+		printf("%02X", (unsigned char)*p);
-+	}
-+
-+        free(outdata);
-+
-+        printf("\n");
-+        return 0;
-+}
-+
diff --git a/openssh-6.7p1-kdf-cavs.patch b/openssh-6.7p1-kdf-cavs.patch
deleted file mode 100644
index f892bc8..0000000
--- a/openssh-6.7p1-kdf-cavs.patch
+++ /dev/null
@@ -1,618 +0,0 @@
-diff -up openssh-6.8p1/Makefile.in.kdf-cavs openssh-6.8p1/Makefile.in
---- openssh-6.8p1/Makefile.in.kdf-cavs	2015-03-18 11:23:46.346049359 +0100
-+++ openssh-6.8p1/Makefile.in	2015-03-18 11:24:20.395968445 +0100
-@@ -29,6 +29,7 @@ SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-h
- SSH_KEYSIGN=$(libexecdir)/ssh-keysign
- SSH_KEYCAT=$(libexecdir)/ssh-keycat
- CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
-+SSH_CAVS=$(libexecdir)/ssh-cavs
- SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
- SSH_SK_HELPER=$(libexecdir)/ssh-sk-helper
- PRIVSEP_PATH=@PRIVSEP_PATH@
-@@ -67,7 +68,7 @@ EXEEXT=@EXEEXT@
- 
- .SUFFIXES: .lo
- 
--TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
-+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT) ssh-cavs$(EXEEXT)
- 
- XMSS_OBJS=\
- 	ssh-xmss.o \
-@@ -198,6 +199,9 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHD
- ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
- 	$(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
- 
-+ssh-cavs$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-cavs.o $(SKOBJS)
-+	$(LD) -o $@ ssh-cavs.o $(SKOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-+
- ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYSCAN_OBJS)
- 	$(LD) -o $@ $(SSHKEYSCAN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
- 
-@@ -331,6 +335,8 @@ install-files:
- 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-sk-helper$(EXEEXT) $(DESTDIR)$(SSH_SK_HELPER)$(EXEEXT)
- 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
- 	$(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
-+	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-cavs$(EXEEXT)
-+	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-cavs_driver.pl $(DESTDIR)$(libexecdir)/ssh-cavs_driver.pl
- 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
- 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
- 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-diff -up openssh-6.8p1/ssh-cavs.c.kdf-cavs openssh-6.8p1/ssh-cavs.c
---- openssh-6.8p1/ssh-cavs.c.kdf-cavs	2015-03-18 11:23:46.348049354 +0100
-+++ openssh-6.8p1/ssh-cavs.c	2015-03-18 11:23:46.348049354 +0100
-@@ -0,0 +1,387 @@
-+/*
-+ * Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, and the entire permission notice in its entirety,
-+ *    including the disclaimer of warranties.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in the
-+ *    documentation and/or other materials provided with the distribution.
-+ * 3. The name of the author may not be used to endorse or promote
-+ *    products derived from this software without specific prior
-+ *    written permission.
-+ *
-+ * ALTERNATIVELY, this product may be distributed under the terms of
-+ * the GNU General Public License, in which case the provisions of the GPL2
-+ * are required INSTEAD OF the above restrictions.  (This clause is
-+ * necessary due to a potential bad interaction between the GPL and
-+ * the restrictions contained in a BSD-style copyright.)
-+ *
-+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
-+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF
-+ * WHICH ARE HEREBY DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE
-+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
-+ * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
-+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
-+ * USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH
-+ * DAMAGE.
-+ */
-+
-+#include "includes.h"
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <errno.h>
-+#include <sys/types.h>
-+#include <string.h>
-+
-+#include <openssl/bn.h>
-+
-+#include "xmalloc.h"
-+#include "sshbuf.h"
-+#include "sshkey.h"
-+#include "cipher.h"
-+#include "kex.h"
-+#include "packet.h"
-+#include "digest.h"
-+
-+static int bin_char(unsigned char hex)
-+{
-+	if (48 <= hex && 57 >= hex)
-+		return (hex - 48);
-+	if (65 <= hex && 70 >= hex)
-+		return (hex - 55);
-+	if (97 <= hex && 102 >= hex)
-+		return (hex - 87);
-+	return 0;
-+}
-+
-+/*
-+ * Convert hex representation into binary string
-+ * @hex input buffer with hex representation
-+ * @hexlen length of hex
-+ * @bin output buffer with binary data
-+ * @binlen length of already allocated bin buffer (should be at least
-+ *	   half of hexlen -- if not, only a fraction of hexlen is converted)
-+ */
-+static void hex2bin(const char *hex, size_t hexlen,
-+		    unsigned char *bin, size_t binlen)
-+{
-+	size_t i = 0;
-+	size_t chars = (binlen > (hexlen / 2)) ? (hexlen / 2) : binlen;
-+
-+	for (i = 0; i < chars; i++) {
-+		bin[i] = bin_char(hex[(i*2)]) << 4;
-+		bin[i] |= bin_char(hex[((i*2)+1)]);
-+	}
-+}
-+
-+/*
-+ * Allocate sufficient space for binary representation of hex
-+ * and convert hex into bin
-+ *
-+ * Caller must free bin
-+ * @hex input buffer with hex representation
-+ * @hexlen length of hex
-+ * @bin return value holding the pointer to the newly allocated buffer
-+ * @binlen return value holding the allocated size of bin
-+ *
-+ * return: 0 on success, !0 otherwise
-+ */
-+static int hex2bin_alloc(const char *hex, size_t hexlen,
-+			 unsigned char **bin, size_t *binlen)
-+{
-+	unsigned char *out = NULL;
-+	size_t outlen = 0;
-+
-+	if (!hexlen)
-+		return -EINVAL;
-+
-+	outlen = (hexlen + 1) / 2;
-+
-+	out = calloc(1, outlen);
-+	if (!out)
-+		return -errno;
-+
-+	hex2bin(hex, hexlen, out, outlen);
-+	*bin = out;
-+	*binlen = outlen;
-+	return 0;
-+}
-+
-+static char hex_char_map_l[] = { '0', '1', '2', '3', '4', '5', '6', '7',
-+				 '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' };
-+static char hex_char_map_u[] = { '0', '1', '2', '3', '4', '5', '6', '7',
-+				 '8', '9', 'A', 'B', 'C', 'D', 'E', 'F' };
-+static char hex_char(unsigned int bin, int u)
-+{
-+	if (bin < sizeof(hex_char_map_l))
-+		return (u) ? hex_char_map_u[bin] : hex_char_map_l[bin];
-+	return 'X';
-+}
-+
-+/*
-+ * Convert binary string into hex representation
-+ * @bin input buffer with binary data
-+ * @binlen length of bin
-+ * @hex output buffer to store hex data
-+ * @hexlen length of already allocated hex buffer (should be at least
-+ *	   twice binlen -- if not, only a fraction of binlen is converted)
-+ * @u case of hex characters (0=>lower case, 1=>upper case)
-+ */
-+static void bin2hex(const unsigned char *bin, size_t binlen,
-+		    char *hex, size_t hexlen, int u)
-+{
-+	size_t i = 0;
-+	size_t chars = (binlen > (hexlen / 2)) ? (hexlen / 2) : binlen;
-+
-+	for (i = 0; i < chars; i++) {
-+		hex[(i*2)] = hex_char((bin[i] >> 4), u);
-+		hex[((i*2)+1)] = hex_char((bin[i] & 0x0f), u);
-+	}
-+}
-+
-+struct kdf_cavs {
-+	unsigned char *K;
-+	size_t Klen;
-+	unsigned char *H;
-+	size_t Hlen;
-+	unsigned char *session_id;
-+	size_t session_id_len;
-+
-+	unsigned int iv_len;
-+	unsigned int ek_len;
-+	unsigned int ik_len;
-+};
-+
-+static int sshkdf_cavs(struct kdf_cavs *test)
-+{
-+	int ret = 0;
-+	struct kex kex;
-+	struct sshbuf *Kb = NULL;
-+	BIGNUM *Kbn = NULL;
-+	int mode = 0;
-+	struct newkeys *ctoskeys;
-+	struct newkeys *stockeys;
-+	struct ssh *ssh = NULL;
-+
-+#define HEXOUTLEN 500
-+	char hex[HEXOUTLEN];
-+
-+	memset(&kex, 0, sizeof(struct kex));
-+
-+	Kbn = BN_new();
-+	BN_bin2bn(test->K, test->Klen, Kbn);
-+	if (!Kbn) {
-+		printf("cannot convert K into bignum\n");
-+		ret = 1;
-+		goto out;
-+	}
-+	Kb = sshbuf_new();
-+	if (!Kb) {
-+		printf("cannot convert K into sshbuf\n");
-+		ret = 1;
-+		goto out;
-+	}
-+	sshbuf_put_bignum2(Kb, Kbn);
-+
-+	kex.session_id = test->session_id;
-+	kex.session_id_len = test->session_id_len;
-+
-+	/* setup kex */
-+
-+	/* select the right hash based on struct ssh_digest digests */
-+	switch (test->ik_len) {
-+		case 20:
-+			kex.hash_alg = SSH_DIGEST_SHA1;
-+			break;
-+		case 32:
-+			kex.hash_alg = SSH_DIGEST_SHA256;
-+			break;
-+		case 48:
-+			kex.hash_alg = SSH_DIGEST_SHA384;
-+			break;
-+		case 64:
-+			kex.hash_alg = SSH_DIGEST_SHA512;
-+			break;
-+		default:
-+			printf("Wrong hash type %u\n", test->ik_len);
-+			ret = 1;
-+			goto out;
-+	}
-+
-+	/* implement choose_enc */
-+	for (mode = 0; mode < 2; mode++) {
-+		kex.newkeys[mode] = calloc(1, sizeof(struct newkeys));
-+		if (!kex.newkeys[mode]) {
-+			printf("allocation of newkeys failed\n");
-+			ret = 1;
-+			goto out;
-+		}
-+		kex.newkeys[mode]->enc.iv_len = test->iv_len;
-+		kex.newkeys[mode]->enc.key_len = test->ek_len;
-+		kex.newkeys[mode]->enc.block_size = (test->iv_len == 64) ? 8 : 16;
-+		kex.newkeys[mode]->mac.key_len = test->ik_len;
-+	}
-+
-+	/* implement kex_choose_conf */
-+	kex.we_need = kex.newkeys[0]->enc.key_len;
-+	if (kex.we_need < kex.newkeys[0]->enc.block_size)
-+		kex.we_need = kex.newkeys[0]->enc.block_size;
-+	if (kex.we_need < kex.newkeys[0]->enc.iv_len)
-+		kex.we_need = kex.newkeys[0]->enc.iv_len;
-+	if (kex.we_need < kex.newkeys[0]->mac.key_len)
-+		kex.we_need = kex.newkeys[0]->mac.key_len;
-+
-+	/* MODE_OUT (1) -> server to client
-+	 * MODE_IN (0) -> client to server */
-+	kex.server = 1;
-+
-+	/* do it */
-+	if ((ssh = ssh_packet_set_connection(NULL, -1, -1)) == NULL){
-+		printf("Allocation error\n");
-+		goto out;
-+	}
-+	ssh->kex = &kex;
-+	kex_derive_keys(ssh, test->H, test->Hlen, Kb);
-+
-+	ctoskeys = kex.newkeys[0];
-+	stockeys = kex.newkeys[1];
-+
-+	/* get data */
-+	memset(hex, 0, HEXOUTLEN);
-+	bin2hex(ctoskeys->enc.iv, (size_t)ctoskeys->enc.iv_len,
-+		hex, HEXOUTLEN, 0);
-+	printf("Initial IV (client to server) = %s\n", hex);
-+	memset(hex, 0, HEXOUTLEN);
-+	bin2hex(stockeys->enc.iv, (size_t)stockeys->enc.iv_len,
-+		hex, HEXOUTLEN, 0);
-+	printf("Initial IV (server to client) = %s\n", hex);
-+
-+	memset(hex, 0, HEXOUTLEN);
-+	bin2hex(ctoskeys->enc.key, (size_t)ctoskeys->enc.key_len,
-+		hex, HEXOUTLEN, 0);
-+	printf("Encryption key (client to server) = %s\n", hex);
-+	memset(hex, 0, HEXOUTLEN);
-+	bin2hex(stockeys->enc.key, (size_t)stockeys->enc.key_len,
-+		hex, HEXOUTLEN, 0);
-+	printf("Encryption key (server to client) = %s\n", hex);
-+
-+	memset(hex, 0, HEXOUTLEN);
-+	bin2hex(ctoskeys->mac.key, (size_t)ctoskeys->mac.key_len,
-+		hex, HEXOUTLEN, 0);
-+	printf("Integrity key (client to server) = %s\n", hex);
-+	memset(hex, 0, HEXOUTLEN);
-+	bin2hex(stockeys->mac.key, (size_t)stockeys->mac.key_len,
-+		hex, HEXOUTLEN, 0);
-+	printf("Integrity key (server to client) = %s\n", hex);
-+
-+out:
-+	if (Kbn)
-+		BN_free(Kbn);
-+	if (Kb)
-+		sshbuf_free(Kb);
-+	if (ssh)
-+		ssh_packet_close(ssh);
-+	return ret;
-+}
-+
-+static void usage(void)
-+{
-+	fprintf(stderr, "\nOpenSSH KDF CAVS Test\n\n");
-+	fprintf(stderr, "Usage:\n");
-+	fprintf(stderr, "\t-K\tShared secret string\n");
-+	fprintf(stderr, "\t-H\tHash string\n");
-+	fprintf(stderr, "\t-s\tSession ID string\n");
-+	fprintf(stderr, "\t-i\tIV length to be generated\n");
-+	fprintf(stderr, "\t-e\tEncryption key length to be generated\n");
-+	fprintf(stderr, "\t-m\tMAC key length to be generated\n");
-+}
-+
-+/*
-+ * Test command example:
-+ * ./ssh-cavs -K 0055d50f2d163cc07cd8a93cc7c3430c30ce786b572c01ad29fec7597000cf8618d664e2ec3dcbc8bb7a1a7eb7ef67f61cdaf291625da879186ac0a5cb27af571b59612d6a6e0627344d846271959fda61c78354aa498773d59762f8ca2d0215ec590d8633de921f920d41e47b3de6ab9a3d0869e1c826d0e4adebf8e3fb646a15dea20a410b44e969f4b791ed6a67f13f1b74234004d5fa5e87eff7abc32d49bbdf44d7b0107e8f10609233b7e2b7eff74a4daf25641de7553975dac6ac1e5117df6f6dbaa1c263d23a6c3e5a3d7d49ae8a828c1e333ac3f85fbbf57b5c1a45be45e43a7be1a4707eac779b8285522d1f531fe23f890fd38a004339932b93eda4 -H d3ab91a850febb417a25d892ec48ed5952c7a5de -s d3ab91a850febb417a25d892ec48ed5952c7a5de -i 8 -e 24 -m 20
-+ *
-+ * Initial IV (client to server) = 4bb320d1679dfd3a
-+ * Initial IV (server to client) = 43dea6fdf263a308
-+ * Encryption key (client to server) = 13048cc600b9d3cf9095aa6cf8e2ff9cf1c54ca0520c89ed
-+ * Encryption key (server to client) = 1e483c5134e901aa11fc4e0a524e7ec7b75556148a222bb0
-+ * Integrity key (client to server) = ecef63a092b0dcc585bdc757e01b2740af57d640
-+ * Integrity key (server to client) = 7424b05f3c44a72b4ebd281fb71f9cbe7b64d479
-+ */
-+int main(int argc, char *argv[])
-+{
-+	struct kdf_cavs test;
-+	int ret = 1;
-+	int opt = 0;
-+
-+	memset(&test, 0, sizeof(struct kdf_cavs));
-+	while((opt = getopt(argc, argv, "K:H:s:i:e:m:")) != -1)
-+	{
-+		size_t len = 0;
-+		switch(opt)
-+		{
-+			/*
-+			 * CAVS K is MPINT
-+			 * we want a hex (i.e. the caller must ensure the
-+			 * following transformations already happened):
-+			 * 	1. cut off first four bytes
-+			 * 	2. if most significant bit of value is
-+			 *	   1, prepend 0 byte
-+			 */
-+			case 'K':
-+				len = strlen(optarg);
-+				ret = hex2bin_alloc(optarg, len,
-+						    &test.K, &test.Klen);
-+				if (ret)
-+					goto out;
-+				break;
-+			case 'H':
-+				len = strlen(optarg);
-+				ret = hex2bin_alloc(optarg, len,
-+						    &test.H, &test.Hlen);
-+				if (ret)
-+					goto out;
-+				break;
-+			case 's':
-+				len = strlen(optarg);
-+				ret = hex2bin_alloc(optarg, len,
-+						    &test.session_id,
-+						    &test.session_id_len);
-+				if (ret)
-+					goto out;
-+				break;
-+			case 'i':
-+				test.iv_len = strtoul(optarg, NULL, 10);
-+				break;
-+			case 'e':
-+				test.ek_len = strtoul(optarg, NULL, 10);
-+				break;
-+			case 'm':
-+				test.ik_len = strtoul(optarg, NULL, 10);
-+				break;
-+			default:
-+				usage();
-+				goto out;
-+		}
-+	}
-+
-+	ret = sshkdf_cavs(&test);
-+
-+out:
-+	if (test.session_id)
-+		free(test.session_id);
-+	if (test.K)
-+		free(test.K);
-+	if (test.H)
-+		free(test.H);
-+	return ret;
-+
-+}
-diff -up openssh-6.8p1/ssh-cavs_driver.pl.kdf-cavs openssh-6.8p1/ssh-cavs_driver.pl
---- openssh-6.8p1/ssh-cavs_driver.pl.kdf-cavs	2015-03-18 11:23:46.348049354 +0100
-+++ openssh-6.8p1/ssh-cavs_driver.pl	2015-03-18 11:23:46.348049354 +0100
-@@ -0,0 +1,184 @@
-+#!/usr/bin/env perl
-+#
-+# CAVS test driver for OpenSSH
-+#
-+# Copyright (C) 2015, Stephan Mueller <smueller@chronox.de>
-+#
-+# Permission is hereby granted, free of charge, to any person obtaining a copy
-+# of this software and associated documentation files (the "Software"), to deal
-+# in the Software without restriction, including without limitation the rights
-+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-+# copies of the Software, and to permit persons to whom the Software is
-+# furnished to do so, subject to the following conditions:
-+#
-+# The above copyright notice and this permission notice shall be included in
-+# all copies or substantial portions of the Software.
-+#
-+#                            NO WARRANTY
-+#
-+#    BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-+#    FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
-+#    OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-+#    PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-+#    OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-+#    MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
-+#    TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
-+#    PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-+#    REPAIR OR CORRECTION.
-+#
-+#    IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-+#    WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-+#    REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-+#    INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-+#    OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-+#    TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-+#    YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-+#    PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-+#    POSSIBILITY OF SUCH DAMAGES.
-+#
-+use strict;
-+use warnings;
-+use IPC::Open2;
-+
-+# Executing a program by feeding STDIN and retrieving
-+# STDOUT
-+# $1: data string to be piped to the app on STDIN
-+# rest: program and args
-+# returns: STDOUT of program as string
-+sub pipe_through_program($@) {
-+	my $in = shift;
-+	my @args = @_;
-+
-+	my ($CO, $CI);
-+	my $pid = open2($CO, $CI, @args);
-+
-+	my $out = "";
-+	my $len = length($in);
-+	my $first = 1;
-+	while (1) {
-+		my $rin = "";
-+		my $win = "";
-+		# Output of prog is FD that we read
-+		vec($rin,fileno($CO),1) = 1;
-+		# Input of prog is FD that we write
-+		# check for $first is needed because we can have NULL input
-+		# that is to be written to the app
-+		if ( $len > 0 || $first) {
-+			(vec($win,fileno($CI),1) = 1);
-+			$first=0;
-+		}
-+		# Let us wait for 100ms
-+		my $nfound = select(my $rout=$rin, my $wout=$win, undef, 0.1);
-+		if ( $wout ) {
-+			my $written = syswrite($CI, $in, $len);
-+			die "broken pipe" if !defined $written;
-+			$len -= $written;
-+			substr($in, 0, $written) = "";
-+			if ($len <= 0) {
-+				close $CI or die "broken pipe: $!";
-+			}
-+		}
-+		if ( $rout ) {
-+			my $tmp_out = "";
-+			my $bytes_read = sysread($CO, $tmp_out, 4096);
-+			$out .= $tmp_out;
-+			last if ($bytes_read == 0);
-+		}
-+	}
-+	close $CO or die "broken pipe: $!";
-+	waitpid $pid, 0;
-+
-+	return $out;
-+}
-+
-+# Parser of CAVS test vector file
-+# $1: Test vector file
-+# $2: Output file for test results
-+# return: nothing
-+sub parse($$) {
-+	my $infile = shift;
-+	my $outfile = shift;
-+
-+	my $out = "";
-+
-+	my $K = "";
-+	my $H = "";
-+	my $session_id = "";
-+	my $ivlen = 0;
-+	my $eklen = "";
-+	my $iklen = "";
-+
-+	open(IN, "<$infile");
-+	while(<IN>) {
-+
-+		my $line = $_;
-+		chomp($line);
-+		$line =~ s/\r//;
-+
-+		if ($line =~ /\[SHA-1\]/) {
-+			$iklen = 20;
-+		} elsif ($line =~ /\[SHA-256\]/) {
-+			$iklen = 32;
-+		} elsif ($line =~ /\[SHA-384\]/) {
-+			$iklen = 48;
-+		} elsif ($line =~ /\[SHA-512\]/) {
-+			$iklen = 64;
-+		} elsif ($line =~ /^\[IV length\s*=\s*(.*)\]/) {
-+			$ivlen = $1;
-+			$ivlen = $ivlen / 8;
-+		} elsif ($line =~ /^\[encryption key length\s*=\s*(.*)\]/) {
-+			$eklen = $1;
-+			$eklen = $eklen / 8;
-+		} elsif ($line =~ /^K\s*=\s*(.*)/) {
-+			$K = $1;
-+			$K = substr($K, 8);
-+			$K = "00" . $K;
-+		} elsif ($line =~ /^H\s*=\s*(.*)/) {
-+			$H = $1;
-+		} elsif ($line =~ /^session_id\s*=\s*(.*)/) {
-+			$session_id = $1;
-+		}
-+		$out .= $line . "\n";
-+
-+		if ($K ne "" && $H ne "" && $session_id ne "" &&
-+		    $ivlen ne "" && $eklen ne "" && $iklen > 0) {
-+			$out .= pipe_through_program("", "./ssh-cavs -H $H -K $K -s $session_id -i $ivlen -e $eklen -m $iklen");
-+
-+			$K = "";
-+			$H = "";
-+			$session_id = "";
-+		}
-+	}
-+	close IN;
-+	$out =~ s/\n/\r\n/g; # make it a dos file
-+	open(OUT, ">$outfile") or die "Cannot create output file $outfile: $?";
-+	print OUT $out;
-+	close OUT;
-+}
-+
-+############################################################
-+#
-+# let us pretend to be C :-)
-+sub main() {
-+
-+	my $infile=$ARGV[0];
-+	die "Error: Test vector file $infile not found" if (! -f $infile);
-+
-+	my $outfile = $infile;
-+	# let us add .rsp regardless whether we could strip .req
-+	$outfile =~ s/\.req$//;
-+	$outfile .= ".rsp";
-+	if (-f $outfile) {
-+		die "Output file $outfile could not be removed: $?"
-+			unless unlink($outfile);
-+	}
-+	print STDERR "Performing tests from source file $infile with results stored in destination file $outfile\n";
-+
-+	# Do the job
-+	parse($infile, $outfile);
-+}
-+
-+###########################################
-+# Call it
-+main();
-+1;
diff --git a/openssh-8.0p1-pkcs11-uri.patch b/openssh-8.0p1-pkcs11-uri.patch
index d55df23..0713ffe 100644
--- a/openssh-8.0p1-pkcs11-uri.patch
+++ b/openssh-8.0p1-pkcs11-uri.patch
@@ -2159,12 +2159,13 @@ index a302c79c..879fe917 100644
  	if (rv != CKR_OK) {
  		error("C_GetAttributeValue failed: %lu", rv);
  		return (NULL);
-@@ -717,18 +874,19 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+@@ -717,19 +874,19 @@ pkcs11_fetch_ecdsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+ 	 * ensure that none of the others are zero length.
  	 * XXX assumes CKA_ID is always first.
  	 */
- 	if (key_attr[1].ulValueLen == 0 ||
+-	if (key_attr[1].ulValueLen == 0 ||
 -	    key_attr[2].ulValueLen == 0) {
-+	    key_attr[2].ulValueLen == 0 ||
++	if (key_attr[2].ulValueLen == 0 ||
 +	    key_attr[3].ulValueLen == 0) {
  		error("invalid attribute length");
  		return (NULL);
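Review bot: The comment kept as context above the rewritten condition still says that none of the attributes after CKA_ID may be zero length, but the new check tests only `key_attr[2]` and `key_attr[3]`, so `key_attr[1]` may now be empty and the comment contradicts the code. Reword it in the patched source, for example `* XXX assumes CKA_ID is always first; key_attr[1] may also be empty.`, and name the attribute held at index 1 (presumably the label this patch adds; the attribute array is outside the hunk). Any later read of `key_attr[1].pValue` should be confirmed to tolerate a zero `ulValueLen`, since this check no longer guarantees a non-empty value there. The same applies to the pkcs11_fetch_rsa_pubkey hunk at `@@ -838,19 +998,19 @@`; both function bodies continue outside the hunks.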
@@ -2259,12 +2260,13 @@ index a302c79c..879fe917 100644
  	if (rv != CKR_OK) {
  		error("C_GetAttributeValue failed: %lu", rv);
  		return (NULL);
-@@ -838,18 +998,19 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+@@ -838,19 +998,19 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
+ 	 * ensure that none of the others are zero length.
  	 * XXX assumes CKA_ID is always first.
  	 */
- 	if (key_attr[1].ulValueLen == 0 ||
+-	if (key_attr[1].ulValueLen == 0 ||
 -	    key_attr[2].ulValueLen == 0) {
-+	    key_attr[2].ulValueLen == 0 ||
++	if (key_attr[2].ulValueLen == 0 ||
 +	    key_attr[3].ulValueLen == 0) {
  		error("invalid attribute length");
  		return (NULL);
diff --git a/openssh.rpmlintrc b/openssh.rpmlintrc
index 0a7a50e..2404235 100644
--- a/openssh.rpmlintrc
+++ b/openssh.rpmlintrc
@@ -13,9 +13,8 @@ addFilter(r'openssh-(askpass|cavs).x86_64: W: no-documentation')
 # sshd config and sysconfig is not supposed to be world readable
 addFilter(r'non-readable /etc/(ssh/sshd_config|sysconfig/sshd)')
 
-# The /var/empty/sshd is supposed to have the given permissions
-addFilter(r'non-standard-dir-perm /var/empty/sshd 711')
-addFilter(r'non-standard-dir-in-var empty')
+# /usr/share/empty.sshd is required to have the given permissions
+addFilter(r'non-standard-dir-perm /usr/share/empty.sshd 711')
 
 # Spelling false-positives
 addFilter(r'spelling-error (Summary\(en_US\)|.* en_US) (mls|su|sudo|rlogin|rsh|untrusted) ')
diff --git a/openssh.spec b/openssh.spec
index 578a2eb..13e4ed4 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -51,7 +51,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.4p1
-%global openssh_rel 4
+%global openssh_rel 5
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 1
 
@@ -74,7 +74,6 @@ Source10: sshd.socket
 Source11: sshd.service
 Source12: sshd-keygen@.service
 Source13: sshd-keygen
-Source14: sshd.tmpfiles
 Source15: sshd-keygen.target
 
 #https://bugzilla.mindrot.org/show_bug.cgi?id=2581
@@ -133,10 +132,6 @@ Patch707: openssh-7.7p1-redhat.patch
 Patch711: openssh-7.8p1-UsePAM-warning.patch
 # make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL
 Patch712: openssh-6.3p1-ctr-evp-fast.patch
-# add cavs test binary for the aes-ctr
-Patch713: openssh-6.6p1-ctr-cavstest.patch
-# add SSH KDF CAVS test driver
-Patch714: openssh-6.7p1-kdf-cavs.patch
 
 # GSSAPI Key Exchange (RFC 4462 + RFC 8732)
 # from https://github.com/openssh-gsskex/openssh-gsskex/tree/fedora/master
@@ -226,6 +221,7 @@ BuildRequires: p11-kit-devel
 BuildRequires: libfido2-devel
 Recommends: p11-kit
 Obsoletes: openssh-ldap < 8.3p1-4
+Obsoletes: openssh-cavs < 8.4p1-5
 
 %if %{kerberos5}
 BuildRequires: krb5-devel
@@ -267,10 +263,6 @@ Requires: openssh = %{version}-%{release}
 Summary: A passphrase dialog for OpenSSH and X
 Requires: openssh = %{version}-%{release}
 
-%package cavs
-Summary: CAVS tests for FIPS validation
-Requires: openssh = %{version}-%{release}
-
 %package -n pam_ssh_agent_auth
 Summary: PAM module for authentication with ssh-agent
 Version: %{pam_ssh_agent_ver}
@@ -311,10 +303,6 @@ OpenSSH is a free version of SSH (Secure SHell), a program for logging
 into and executing commands on a remote machine. This package contains
 an X11 passphrase dialog for OpenSSH.
 
-%description cavs
-This package contains test binaries and scripts to make FIPS validation
-easier. Now contains CTR and KDF CAVS test driver.
-
 %description -n pam_ssh_agent_auth
 This package contains a PAM module which can be used to authenticate
 users using ssh keys stored in a ssh-agent. Through the use of the
@@ -355,8 +343,6 @@ popd
 %patch707 -p1 -b .redhat
 %patch711 -p1 -b .log-usepam-no
 %patch712 -p1 -b .evp-ctr
-%patch713 -p1 -b .ctr-cavs
-%patch714 -p1 -b .kdf-cavs
 # 
 %patch800 -p1 -b .gsskex
 %patch801 -p1 -b .force_krb
@@ -438,7 +424,7 @@ fi
 	--datadir=%{_datadir}/openssh \
 	--with-default-path=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin \
 	--with-superuser-path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
-	--with-privsep-path=%{_var}/empty/sshd \
+	--with-privsep-path=%{_datadir}/empty.sshd \
 	--disable-strip \
 	--without-zlib-version-check \
 	--with-ssl-engine \
@@ -515,7 +501,6 @@ mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
 mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/ssh_config.d
 mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh/sshd_config.d
 mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
-mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
 %make_install
 
 install -d $RPM_BUILD_ROOT/etc/pam.d/
@@ -535,7 +520,7 @@ install -m644 %{SOURCE15} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.target
 install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen
 install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
 install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
-install -m644 -D %{SOURCE14} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf
+install -d -m711 ${RPM_BUILD_ROOT}/%{_datadir}/empty.sshd
 
 %if ! %{no_gnome_askpass}
 install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
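Review bot: The added `install -d -m711` line creates the directory that `--with-privsep-path` now points at, but nothing in %install says what it is for or why the mode is 0711. I would put `# sshd privilege separation chroot; must stay empty, root-owned, mode 0711` above it. The path is also written `${RPM_BUILD_ROOT}/%{_datadir}`, which produces a doubled slash; `$RPM_BUILD_ROOT%{_datadir}/empty.sshd` would match the `mkdir -p` lines earlier in the section.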
@@ -566,7 +551,7 @@ getent group ssh_keys >/dev/null || groupadd -r ssh_keys || :
 getent group sshd >/dev/null || groupadd -g %{sshd_uid} -r sshd || :
 getent passwd sshd >/dev/null || \
   useradd -c "Privilege-separated SSH" -u %{sshd_uid} -g sshd \
-  -s /sbin/nologin -r -d /var/empty/sshd sshd 2> /dev/null || :
+  -s /sbin/nologin -r -d /usr/share/empty.sshd sshd 2> /dev/null || :
 
 %post server
 %systemd_post sshd.service sshd.socket
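Review bot: The `useradd` call runs only when the sshd account does not exist yet, so on an upgrade the existing account keeps `/var/empty/sshd` as its home directory while this commit stops packaging that directory. Whether anything reads the account's home is not visible here, but the passwd entry and the packaged privsep path will differ on upgraded systems. Consider also updating an existing account, for example `getent passwd sshd >/dev/null && usermod -d %{_datadir}/empty.sshd sshd 2>/dev/null || :`. The `useradd` line could use `%{_datadir}/empty.sshd` rather than the literal path so that it follows the configure option.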
@@ -624,7 +609,7 @@ test -f %{sysconfig_anaconda} && \
 %attr(0644,root,root) %{_mandir}/man8/ssh-sk-helper.8*
 
 %files server
-%dir %attr(0711,root,root) %{_var}/empty/sshd
+%dir %attr(0711,root,root) %{_datadir}/empty.sshd
 %attr(0755,root,root) %{_sbindir}/sshd
 %attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
 %attr(0755,root,root) %{_libexecdir}/openssh/sshd-keygen
@@ -642,7 +627,6 @@ test -f %{sysconfig_anaconda} && \
 %attr(0644,root,root) %{_unitdir}/sshd.socket
 %attr(0644,root,root) %{_unitdir}/sshd-keygen@.service
 %attr(0644,root,root) %{_unitdir}/sshd-keygen.target
-%attr(0644,root,root) %{_tmpfilesdir}/openssh.conf
 
 %files keycat
 %doc HOWTO.ssh-keycat
@@ -656,11 +640,6 @@ test -f %{sysconfig_anaconda} && \
 %attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass
 %endif
 
-%files cavs
-%attr(0755,root,root) %{_libexecdir}/openssh/ctr-cavstest
-%attr(0755,root,root) %{_libexecdir}/openssh/ssh-cavs
-%attr(0755,root,root) %{_libexecdir}/openssh/ssh-cavs_driver.pl
-
 %if %{pam_ssh_agent}
 %files -n pam_ssh_agent_auth
 %license pam_ssh_agent_auth-pam_ssh_agent_auth-%{pam_ssh_agent_ver}/OPENSSH_LICENSE
@@ -669,6 +648,11 @@ test -f %{sysconfig_anaconda} && \
 %endif
 
 %changelog
+* Fri Jan 22 2021 Jakub Jelen <jjelen@redhat.com> - 8.4p1-5 + 0.10.4-1
+- Use /usr/share/empty.sshd instead of /var/empty/sshd
+- Allow emptu labels in PKCS#11 tokens (#1919007)
+- Drop openssh-cavs subpackage
+
 * Tue Dec 01 2020 Jakub Jelen <jjelen@redhat.com> - 8.4p1-4 + 0.10.4-1
 - Remove "PasswordAuthentication yes" from vendor configuration as it is
   already default and it might be hard to override.
diff --git a/sshd.tmpfiles b/sshd.tmpfiles
deleted file mode 100644
index c35a2b8..0000000
--- a/sshd.tmpfiles
+++ /dev/null
@@ -1 +0,0 @@
-d /var/empty/sshd 711 root root -