openssh: add upstream patches, including CVE-2019-6111

Signed-off-by: Peter Wagner <tripolar@gmx.at>

net/openssh/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssh
 PKG_VERSION:=7.9p1
-PKG_RELEASE:=4
+PKG_RELEASE:=5
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \

net/openssh/patches/0001-fix-key-type-check.patch

@@ -0,0 +1,82 @@
+From 5e021158aa22cc64da4fca1618ee0bfd2d031049 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Fri, 16 Nov 2018 02:43:56 +0000
+Subject: upstream: fix bug in HostbasedAcceptedKeyTypes and
+
+PubkeyAcceptedKeyTypes options. If only RSA-SHA2 siganture types were
+specified, then authentication would always fail for RSA keys as the monitor
+checks only the base key (not the signature algorithm) type against
+*AcceptedKeyTypes. bz#2746; reported by Jakub Jelen; ok dtucker
+
+OpenBSD-Commit-ID: 117bc3dc54578dbdb515a1d3732988cb5b00461b
+
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=cd9467318b56e6e93ff9575c906ff8350af9b8a2
+Last-Update: 2019-02-28
+
+Patch-Name: fix-key-type-check.patch
+---
+ monitor.c | 39 ++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 34 insertions(+), 5 deletions(-)
+
+diff --git a/monitor.c b/monitor.c
+index 08fddabd7..037d6d333 100644
+--- a/monitor.c
++++ b/monitor.c
+@@ -892,6 +892,35 @@ mm_answer_authrole(int sock, struct sshbuf *m)
+ 	return (0);
+ }
+ 
++/*
++ * Check that the key type appears in the supplied pattern list, ignoring
++ * mismatches in the signature algorithm. (Signature algorithm checks are
++ * performed in the unprivileged authentication code).
++ * Returns 1 on success, 0 otherwise.
++ */
++static int
++key_base_type_match(const char *method, const struct sshkey *key,
++    const char *list)
++{
++	char *s, *l, *ol = xstrdup(list);
++	int found = 0;
++
++	l = ol;
++	for ((s = strsep(&l, ",")); s && *s != '\0'; (s = strsep(&l, ","))) {
++		if (sshkey_type_from_name(s) == key->type) {
++			found = 1;
++			break;
++		}
++	}
++	if (!found) {
++		error("%s key type %s is not in permitted list %s", method,
++		    sshkey_ssh_name(key), list);
++	}
++
++	free(ol);
++	return found;
++}
++
+ int
+ mm_answer_authpassword(int sock, struct sshbuf *m)
+ {
+@@ -1197,8 +1226,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m)
+ 				break;
+ 			if (auth2_key_already_used(authctxt, key))
+ 				break;
+-			if (match_pattern_list(sshkey_ssh_name(key),
+-			    options.pubkey_key_types, 0) != 1)
++			if (!key_base_type_match(auth_method, key,
++			    options.pubkey_key_types))
+ 				break;
+ 			allowed = user_key_allowed(ssh, authctxt->pw, key,
+ 			    pubkey_auth_attempt, &opts);
+@@ -1209,8 +1238,8 @@ mm_answer_keyallowed(int sock, struct sshbuf *m)
+ 				break;
+ 			if (auth2_key_already_used(authctxt, key))
+ 				break;
+-			if (match_pattern_list(sshkey_ssh_name(key),
+-			    options.hostbased_key_types, 0) != 1)
++			if (!key_base_type_match(auth_method, key,
++			    options.hostbased_key_types))
+ 				break;
+ 			allowed = hostbased_key_allowed(authctxt->pw,
+ 			    cuser, chost, key);

net/openssh/patches/0002-request-rsa-sha2-cert-signatures.patch

@@ -0,0 +1,39 @@
+From d94226d4fcefbc398c5583e12b5d07ca33884ba4 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Thu, 27 Dec 2018 23:02:11 +0000
+Subject: upstream: Request RSA-SHA2 signatures for
+
+rsa-sha2-{256|512}-cert-v01@openssh.com cert algorithms; ok markus@
+
+OpenBSD-Commit-ID: afc6f7ca216ccd821656d1c911d2a3deed685033
+
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=f429c1b2ef631f2855e51a790cf71761d752bbca
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2944
+Bug-Debian: https://bugs.debian.org/923419
+Last-Update: 2019-02-28
+
+Patch-Name: request-rsa-sha2-cert-signatures.patch
+---
+ authfd.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/authfd.c b/authfd.c
+index ecdd869ab..62cbf8c19 100644
+--- a/authfd.c
++++ b/authfd.c
+@@ -327,10 +327,12 @@ ssh_free_identitylist(struct ssh_identitylist *idl)
+ static u_int
+ agent_encode_alg(const struct sshkey *key, const char *alg)
+ {
+-	if (alg != NULL && key->type == KEY_RSA) {
+-		if (strcmp(alg, "rsa-sha2-256") == 0)
++	if (alg != NULL && sshkey_type_plain(key->type) == KEY_RSA) {
++		if (strcmp(alg, "rsa-sha2-256") == 0 ||
++		    strcmp(alg, "rsa-sha2-256-cert-v01@openssh.com") == 0)
+ 			return SSH_AGENT_RSA_SHA2_256;
+-		else if (strcmp(alg, "rsa-sha2-512") == 0)
++		if (strcmp(alg, "rsa-sha2-512") == 0 ||
++		    strcmp(alg, "rsa-sha2-512-cert-v01@openssh.com") == 0)
+ 			return SSH_AGENT_RSA_SHA2_512;
+ 	}
+ 	return 0;

net/openssh/patches/0003-sanitize-scp-filenames-via-snmprintf.patch

@@ -28,12 +28,6 @@ diff --git a/atomicio.c b/atomicio.c
 index f854a06f5..d91bd7621 100644
 --- a/atomicio.c
 +++ b/atomicio.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: atomicio.c,v 1.28 2016/07/27 23:18:12 djm Exp $ */
-+/* $OpenBSD: atomicio.c,v 1.29 2019/01/23 08:01:46 dtucker Exp $ */
- /*
-  * Copyright (c) 2006 Damien Miller. All rights reserved.
-  * Copyright (c) 2005 Anil Madhavapeddy. All rights reserved.
 @@ -65,9 +65,14 @@ atomicio6(ssize_t (*f) (int, void *, size_t), int fd, void *_s, size_t n,
  		res = (f) (fd, s + pos, n - pos);
  		switch (res) {
@@ -72,12 +66,6 @@ diff --git a/progressmeter.c b/progressmeter.c
 index fe9bf52e4..add462dde 100644
 --- a/progressmeter.c
 +++ b/progressmeter.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: progressmeter.c,v 1.45 2016/06/30 05:17:05 dtucker Exp $ */
-+/* $OpenBSD: progressmeter.c,v 1.46 2019/01/23 08:01:46 dtucker Exp $ */
- /*
-  * Copyright (c) 2003 Nils Nordman.  All rights reserved.
-  *
 @@ -31,6 +31,7 @@
  
  #include <errno.h>
@@ -202,12 +190,6 @@ diff --git a/progressmeter.h b/progressmeter.h
 index bf179dca6..8f6678060 100644
 --- a/progressmeter.h
 +++ b/progressmeter.h
-@@ -1,4 +1,4 @@
--/* $OpenBSD: progressmeter.h,v 1.3 2015/01/14 13:54:13 djm Exp $ */
-+/* $OpenBSD: progressmeter.h,v 1.4 2019/01/23 08:01:46 dtucker Exp $ */
- /*
-  * Copyright (c) 2002 Nils Nordman.  All rights reserved.
-  *
 @@ -24,4 +24,5 @@
   */
  

net/openssh/patches/0004-have-progressmeter-force-update-at-beginning-and-end-transfer.patch

@@ -0,0 +1,108 @@
+From 2a8f710447442e9a03e71c022859112ec2d77d17 Mon Sep 17 00:00:00 2001
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Thu, 24 Jan 2019 16:52:17 +0000
+Subject: upstream: Have progressmeter force an update at the beginning and
+
+end of each transfer.  Fixes the problem recently introduces where very quick
+transfers do not display the progressmeter at all.  Spotted by naddy@
+
+OpenBSD-Commit-ID: 68dc46c259e8fdd4f5db3ec2a130f8e4590a7a9a
+
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=bdc6c63c80b55bcbaa66b5fde31c1cb1d09a41eb
+Last-Update: 2019-02-08
+
+Patch-Name: have-progressmeter-force-update-at-beginning-and-end-transfer.patch
+---
+ progressmeter.c | 13 +++++--------
+ progressmeter.h |  4 ++--
+ scp.c           |  2 +-
+ sftp-client.c   |  2 +-
+ 4 files changed, 9 insertions(+), 12 deletions(-)
+
+diff --git a/progressmeter.c b/progressmeter.c
+index add462dde..e385c1254 100644
+--- a/progressmeter.c
++++ b/progressmeter.c
+@@ -59,9 +59,6 @@ static void format_rate(char *, int, off_t);
+ static void sig_winch(int);
+ static void setscreensize(void);
+ 
+-/* updates the progressmeter to reflect the current state of the transfer */
+-void refresh_progress_meter(void);
+-
+ /* signal handler for updating the progress meter */
+ static void sig_alarm(int);
+ 
+@@ -120,7 +117,7 @@ format_size(char *buf, int size, off_t bytes)
+ }
+ 
+ void
+-refresh_progress_meter(void)
++refresh_progress_meter(int force_update)
+ {
+ 	char buf[MAX_WINSIZE + 1];
+ 	off_t transferred;
+@@ -131,7 +128,7 @@ refresh_progress_meter(void)
+ 	int hours, minutes, seconds;
+ 	int file_len;
+ 
+-	if ((!alarm_fired && !win_resized) || !can_output())
++	if ((!force_update && !alarm_fired && !win_resized) || !can_output())
+ 		return;
+ 	alarm_fired = 0;
+ 
+@@ -254,7 +251,7 @@ start_progress_meter(const char *f, off_t filesize, off_t *ctr)
+ 	bytes_per_second = 0;
+ 
+ 	setscreensize();
+-	refresh_progress_meter();
++	refresh_progress_meter(1);
+ 
+ 	signal(SIGALRM, sig_alarm);
+ 	signal(SIGWINCH, sig_winch);
+@@ -271,7 +268,7 @@ stop_progress_meter(void)
+ 
+ 	/* Ensure we complete the progress */
+ 	if (cur_pos != end_pos)
+-		refresh_progress_meter();
++		refresh_progress_meter(1);
+ 
+ 	atomicio(vwrite, STDOUT_FILENO, "\n", 1);
+ }
+diff --git a/progressmeter.h b/progressmeter.h
+index 8f6678060..1703ea75b 100644
+--- a/progressmeter.h
++++ b/progressmeter.h
+@@ -24,5 +24,5 @@
+  */
+ 
+ void	start_progress_meter(const char *, off_t, off_t *);
+-void	refresh_progress_meter(void);
++void	refresh_progress_meter(int);
+ void	stop_progress_meter(void);
+diff --git a/scp.c b/scp.c
+index 80308573c..1971c80cd 100644
+--- a/scp.c
++++ b/scp.c
+@@ -593,7 +593,7 @@ scpio(void *_cnt, size_t s)
+ 	off_t *cnt = (off_t *)_cnt;
+ 
+ 	*cnt += s;
+-	refresh_progress_meter();
++	refresh_progress_meter(0);
+ 	if (limit_kbps > 0)
+ 		bandwidth_limit(&bwlimit, s);
+ 	return 0;
+diff --git a/sftp-client.c b/sftp-client.c
+index 2bc698f86..cf2887a40 100644
+--- a/sftp-client.c
++++ b/sftp-client.c
+@@ -101,7 +101,7 @@ sftpio(void *_bwlimit, size_t amount)
+ {
+ 	struct bwlimit *bwlimit = (struct bwlimit *)_bwlimit;
+ 
+-	refresh_progress_meter();
++	refresh_progress_meter(0);
+ 	if (bwlimit != NULL)
+ 		bandwidth_limit(bwlimit, amount);
+ 	return 0;

net/openssh/patches/0006-scp-handle-braces.patch

@@ -0,0 +1,353 @@
+From 7a3fa37583d4abf128f7f4c6eb1e7ffc90115eab Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Sun, 10 Feb 2019 11:15:52 +0000
+Subject: upstream: when checking that filenames sent by the server side
+
+match what the client requested, be prepared to handle shell-style brace
+alternations, e.g. "{foo,bar}".
+
+"looks good to me" millert@ + in snaps for the last week courtesy
+deraadt@
+
+OpenBSD-Commit-ID: 3b1ce7639b0b25b2248e3a30f561a548f6815f3e
+
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=3d896c157c722bc47adca51a58dca859225b5874
+Bug-Debian: https://bugs.debian.org/923486
+Last-Update: 2019-03-01
+
+Patch-Name: scp-handle-braces.patch
+---
+ scp.c | 280 +++++++++++++++++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 269 insertions(+), 11 deletions(-)
+
+diff --git a/scp.c b/scp.c
+index 035037bcc..3888baab0 100644
+--- a/scp.c
++++ b/scp.c
+@@ -635,6 +635,253 @@ parse_scp_uri(const char *uri, char **userp, char **hostp, int *portp,
+ 	return r;
+ }
+ 
++/* Appends a string to an array; returns 0 on success, -1 on alloc failure */
++static int
++append(char *cp, char ***ap, size_t *np)
++{
++	char **tmp;
++
++	if ((tmp = reallocarray(*ap, *np + 1, sizeof(*tmp))) == NULL)
++		return -1;
++	tmp[(*np)] = cp;
++	(*np)++;
++	*ap = tmp;
++	return 0;
++}
++
++/*
++ * Finds the start and end of the first brace pair in the pattern.
++ * returns 0 on success or -1 for invalid patterns.
++ */
++static int
++find_brace(const char *pattern, int *startp, int *endp)
++{
++	int i;
++	int in_bracket, brace_level;
++
++	*startp = *endp = -1;
++	in_bracket = brace_level = 0;
++	for (i = 0; i < INT_MAX && *endp < 0 && pattern[i] != '\0'; i++) {
++		switch (pattern[i]) {
++		case '\\':
++			/* skip next character */
++			if (pattern[i + 1] != '\0')
++				i++;
++			break;
++		case '[':
++			in_bracket = 1;
++			break;
++		case ']':
++			in_bracket = 0;
++			break;
++		case '{':
++			if (in_bracket)
++				break;
++			if (pattern[i + 1] == '}') {
++				/* Protect a single {}, for find(1), like csh */
++				i++; /* skip */
++				break;
++			}
++			if (*startp == -1)
++				*startp = i;
++			brace_level++;
++			break;
++		case '}':
++			if (in_bracket)
++				break;
++			if (*startp < 0) {
++				/* Unbalanced brace */
++				return -1;
++			}
++			if (--brace_level <= 0)
++				*endp = i;
++			break;
++		}
++	}
++	/* unbalanced brackets/braces */
++	if (*endp < 0 && (*startp >= 0 || in_bracket))
++		return -1;
++	return 0;
++}
++
++/*
++ * Assembles and records a successfully-expanded pattern, returns -1 on
++ * alloc failure.
++ */
++static int
++emit_expansion(const char *pattern, int brace_start, int brace_end,
++    int sel_start, int sel_end, char ***patternsp, size_t *npatternsp)
++{
++	char *cp;
++	int o = 0, tail_len = strlen(pattern + brace_end + 1);
++
++	if ((cp = malloc(brace_start + (sel_end - sel_start) +
++	    tail_len + 1)) == NULL)
++		return -1;
++
++	/* Pattern before initial brace */
++	if (brace_start > 0) {
++		memcpy(cp, pattern, brace_start);
++		o = brace_start;
++	}
++	/* Current braced selection */
++	if (sel_end - sel_start > 0) {
++		memcpy(cp + o, pattern + sel_start,
++		    sel_end - sel_start);
++		o += sel_end - sel_start;
++	}
++	/* Remainder of pattern after closing brace */
++	if (tail_len > 0) {
++		memcpy(cp + o, pattern + brace_end + 1, tail_len);
++		o += tail_len;
++	}
++	cp[o] = '\0';
++	if (append(cp, patternsp, npatternsp) != 0) {
++		free(cp);
++		return -1;
++	}
++	return 0;
++}
++
++/*
++ * Expand the first encountered brace in pattern, appending the expanded
++ * patterns it yielded to the *patternsp array.
++ *
++ * Returns 0 on success or -1 on allocation failure.
++ *
++ * Signals whether expansion was performed via *expanded and whether
++ * pattern was invalid via *invalid.
++ */
++static int
++brace_expand_one(const char *pattern, char ***patternsp, size_t *npatternsp,
++    int *expanded, int *invalid)
++{
++	int i;
++	int in_bracket, brace_start, brace_end, brace_level;
++	int sel_start, sel_end;
++
++	*invalid = *expanded = 0;
++
++	if (find_brace(pattern, &brace_start, &brace_end) != 0) {
++		*invalid = 1;
++		return 0;
++	} else if (brace_start == -1)
++		return 0;
++
++	in_bracket = brace_level = 0;
++	for (i = sel_start = brace_start + 1; i < brace_end; i++) {
++		switch (pattern[i]) {
++		case '{':
++			if (in_bracket)
++				break;
++			brace_level++;
++			break;
++		case '}':
++			if (in_bracket)
++				break;
++			brace_level--;
++			break;
++		case '[':
++			in_bracket = 1;
++			break;
++		case ']':
++			in_bracket = 0;
++			break;
++		case '\\':
++			if (i < brace_end - 1)
++				i++; /* skip */
++			break;
++		}
++		if (pattern[i] == ',' || i == brace_end - 1) {
++			if (in_bracket || brace_level > 0)
++				continue;
++			/* End of a selection, emit an expanded pattern */
++
++			/* Adjust end index for last selection */
++			sel_end = (i == brace_end - 1) ? brace_end : i;
++			if (emit_expansion(pattern, brace_start, brace_end,
++			    sel_start, sel_end, patternsp, npatternsp) != 0)
++				return -1;
++			/* move on to the next selection */
++			sel_start = i + 1;
++			continue;
++		}
++	}
++	if (in_bracket || brace_level > 0) {
++		*invalid = 1;
++		return 0;
++	}
++	/* success */
++	*expanded = 1;
++	return 0;
++}
++
++/* Expand braces from pattern. Returns 0 on success, -1 on failure */
++static int
++brace_expand(const char *pattern, char ***patternsp, size_t *npatternsp)
++{
++	char *cp, *cp2, **active = NULL, **done = NULL;
++	size_t i, nactive = 0, ndone = 0;
++	int ret = -1, invalid = 0, expanded = 0;
++
++	*patternsp = NULL;
++	*npatternsp = 0;
++
++	/* Start the worklist with the original pattern */
++	if ((cp = strdup(pattern)) == NULL)
++		return -1;
++	if (append(cp, &active, &nactive) != 0) {
++		free(cp);
++		return -1;
++	}
++	while (nactive > 0) {
++		cp = active[nactive - 1];
++		nactive--;
++		if (brace_expand_one(cp, &active, &nactive,
++		    &expanded, &invalid) == -1) {
++			free(cp);
++			goto fail;
++		}
++		if (invalid)
++			fatal("%s: invalid brace pattern \"%s\"", __func__, cp);
++		if (expanded) {
++			/*
++			 * Current entry expanded to new entries on the
++			 * active list; discard the progenitor pattern.
++			 */
++			free(cp);
++			continue;
++		}
++		/*
++		 * Pattern did not expand; append the finename component to
++		 * the completed list
++		 */
++		if ((cp2 = strrchr(cp, '/')) != NULL)
++			*cp2++ = '\0';
++		else
++			cp2 = cp;
++		if (append(xstrdup(cp2), &done, &ndone) != 0) {
++			free(cp);
++			goto fail;
++		}
++		free(cp);
++	}
++	/* success */
++	*patternsp = done;
++	*npatternsp = ndone;
++	done = NULL;
++	ndone = 0;
++	ret = 0;
++ fail:
++	for (i = 0; i < nactive; i++)
++		free(active[i]);
++	free(active);
++	for (i = 0; i < ndone; i++)
++		free(done[i]);
++	free(done);
++	return ret;
++}
++
+ void
+ toremote(int argc, char **argv)
+ {
+@@ -998,7 +1245,8 @@ sink(int argc, char **argv, const char *src)
+ 	unsigned long long ull;
+ 	int setimes, targisdir, wrerrno = 0;
+ 	char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
+-	char *src_copy = NULL, *restrict_pattern = NULL;
++	char **patterns = NULL;
++	size_t n, npatterns = 0;
+ 	struct timeval tv[2];
+ 
+ #define	atime	tv[0]
+@@ -1028,16 +1276,13 @@ sink(int argc, char **argv, const char *src)
+ 		 * Prepare to try to restrict incoming filenames to match
+ 		 * the requested destination file glob.
+ 		 */
+-		if ((src_copy = strdup(src)) == NULL)
+-			fatal("strdup failed");
+-		if ((restrict_pattern = strrchr(src_copy, '/')) != NULL) {
+-			*restrict_pattern++ = '\0';
+-		}
++		if (brace_expand(src, &patterns, &npatterns) != 0)
++			fatal("%s: could not expand pattern", __func__);
+ 	}
+ 	for (first = 1;; first = 0) {
+ 		cp = buf;
+ 		if (atomicio(read, remin, cp, 1) != 1)
+-			return;
++			goto done;
+ 		if (*cp++ == '\n')
+ 			SCREWUP("unexpected <newline>");
+ 		do {
+@@ -1063,7 +1308,7 @@ sink(int argc, char **argv, const char *src)
+ 		}
+ 		if (buf[0] == 'E') {
+ 			(void) atomicio(vwrite, remout, "", 1);
+-			return;
++			goto done;
+ 		}
+ 		if (ch == '\n')
+ 			*--cp = 0;
+@@ -1138,9 +1383,14 @@ sink(int argc, char **argv, const char *src)
+ 			run_err("error: unexpected filename: %s", cp);
+ 			exit(1);
+ 		}
+-		if (restrict_pattern != NULL &&
+-		    fnmatch(restrict_pattern, cp, 0) != 0)
+-			SCREWUP("filename does not match request");
++		if (npatterns > 0) {
++			for (n = 0; n < npatterns; n++) {
++				if (fnmatch(patterns[n], cp, 0) == 0)
++					break;
++			}
++			if (n >= npatterns)
++				SCREWUP("filename does not match request");
++		}
+ 		if (targisdir) {
+ 			static char *namebuf;
+ 			static size_t cursize;
+@@ -1299,7 +1549,15 @@ bad:			run_err("%s: %s", np, strerror(errno));
+ 			break;
+ 		}
+ 	}
++done:
++	for (n = 0; n < npatterns; n++)
++		free(patterns[n]);
++	free(patterns);
++	return;
+ screwup:
++	for (n = 0; n < npatterns; n++)
++		free(patterns[n]);
++	free(patterns);
+ 	run_err("protocol error: %s", why);
+ 	exit(1);
+ }