diff options
| author | V3n3RiX <venerix@redcorelinux.org> | 2019-10-13 22:11:03 +0100 |
|---|---|---|
| committer | V3n3RiX <venerix@redcorelinux.org> | 2019-10-13 22:11:03 +0100 |
| commit | 2929788def9a92c1eb237eed93fbdb0c02838bbf (patch) | |
| tree | 166b01591366d3479084ea774c888bc84aaa8d4f /net-misc/openssh | |
| parent | ab499d7cfb9ad23e83cf7a4f5052bdf1b4c42030 (diff) | |
Revert "gentoo resync : 13.10.2019"
This reverts commit ab499d7cfb9ad23e83cf7a4f5052bdf1b4c42030.
Diffstat (limited to 'net-misc/openssh')
| -rw-r--r-- | net-misc/openssh/Manifest | 21 | ||||
| -rw-r--r-- | net-misc/openssh/files/openssh-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch | 31 | ||||
| -rw-r--r-- | net-misc/openssh/files/openssh-8.0_p1-fix-an-unreachable-integer-overflow-similar-to-the-XMSS-case.patch | 76 | ||||
| -rw-r--r-- | net-misc/openssh/files/openssh-8.0_p1-fix-integer-overflow-in-XMSS-private-key-parsing.patch | 14 | ||||
| -rw-r--r-- | net-misc/openssh/files/openssh-8.0_p1-fix-putty-tests.patch | 57 | ||||
| -rw-r--r-- | net-misc/openssh/files/openssh-8.1_p1-GSSAPI-dns.patch | 359 | ||||
| -rw-r--r-- | net-misc/openssh/files/openssh-8.1_p1-hpn-glue.patch | 216 | ||||
| -rw-r--r-- | net-misc/openssh/openssh-7.5_p1-r4.ebuild | 6 | ||||
| -rw-r--r-- | net-misc/openssh/openssh-7.7_p1-r9.ebuild | 6 | ||||
| -rw-r--r-- | net-misc/openssh/openssh-7.9_p1-r4.ebuild | 4 | ||||
| -rw-r--r-- | net-misc/openssh/openssh-8.0_p1-r2.ebuild (renamed from net-misc/openssh/openssh-8.1_p1.ebuild) | 31 | ||||
| -rw-r--r-- | net-misc/openssh/openssh-8.0_p1.ebuild (renamed from net-misc/openssh/openssh-8.0_p1-r4.ebuild) | 34 |
12 files changed, 44 insertions, 811 deletions
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest index 900ed083938d..a0df0f9a3cc0 100644 --- a/net-misc/openssh/Manifest +++ b/net-misc/openssh/Manifest @@ -26,16 +26,10 @@ AUX openssh-8.0_p1-X509-dont-make-piddir-12.0.patch 814 BLAKE2B 596967e4b13d59b1 AUX openssh-8.0_p1-X509-dont-make-piddir-12.1.patch 812 BLAKE2B a7ded816857183e6a35dd4706ff5c4f4788e2eee5afb08dd59aedd13f0a7d3efc04f74df43bb23d808c8ba53866fdbc1cc89a15ec1b28a995a29181430bffbcf SHA512 1fdc152be81c7a19d8d15c8da03c3de0456cdccb715d1c1fdeea6b7ef89b838e560886dc20d85696fd1105d00512aff884c20ed4117a5afae5c0c00e74831aa5 AUX openssh-8.0_p1-X509-glue-12.0.patch 825 BLAKE2B 9fc0b5b291551d55770bddcf23d44601d15cbc23a6d8f0795cd064f53e1bc2e49056b23b2d7db0aa25e31e8b68c71ef476cb926a7efa765edf81440489711225 SHA512 edd8c0bdc3b90f7afce8eb5d91ec1344b6e22fc9d16787f63eaee9a576178f5e0b4937fb0dc2640779c049a9102ece63360fef4f690b09894ec46995e0f5ebe2 AUX openssh-8.0_p1-X509-glue-12.1.patch 825 BLAKE2B 494e16224e9dc9b90c61f7d3721305192344fe41631c6088768b578f8c5620d8e664403105073ef702df4cf234f00279e5e02fb637b2d392ea9b1a1b962b9b67 SHA512 966553aaf2188395f7d3ac05e91a604fe8db47f781b2c1e01ce7cd5a42bff0e3c76c1fbcf557ee3fbcf16ab77de61b8f9812499553f05c843e1048cd713593e4 -AUX openssh-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch 977 BLAKE2B b2e28683176c4678f51a9a0be3e29496620ac795c7de4649fb3cc0bd076682e42bc1c606b17a76e140f51319e4c4a1cc890c3a37c4bc3cf9222a88e31b8a773f SHA512 8c2567ae16dccc73e302ba90c1bb03e19d4afc3892dd8e1636d7c8853932662eccbda3957e4db55a21bd37d2e65abe74b0b2c1efb74e31751335eb523759d945 -AUX openssh-8.0_p1-fix-an-unreachable-integer-overflow-similar-to-the-XMSS-case.patch 2696 BLAKE2B 86bac20233102c5beefb3a79e2da8c5421d47d1c175e9e602f14c127e1bf7ec67e193620461ebd7a835bae556dbf9db904c3f63bbd3283a04dac444f34a3eab8 SHA512 f951cdc664088a124754fe963bb6abc659264183a3c773d61243bb12ca87f7554422d9acabb86c6390fe0e088fee60cc3129ad85e336ebf84f5c126d61d1fa3f -AUX openssh-8.0_p1-fix-integer-overflow-in-XMSS-private-key-parsing.patch 506 BLAKE2B d4e88cc9553c6e2708447edd3ceeeea4f6c967893f34cad6c5fc980ee46895b64b58c5b8d271b7363e7144d34e05fd1e9519e01a9bb05d7c2cc5a9613b2b096c SHA512 cae5a9f5c46a2c70be4284bc050b69dab347181397a9e34c0c2ee5a470992070a2b8359ade42ce6840b5ff6311d3b0026bf6d548e944662c481a74456737a095 -AUX openssh-8.0_p1-fix-putty-tests.patch 1760 BLAKE2B a1127e8f2275c1e23c956b5041dbc84dbdb2cd6b788fc69bfc1f6b030afe86a827483602ce76577b4101ee2e790b1cfa8c1d2db09da59b89fe7df8083bf4695f SHA512 f544d818bdde628131f1819bf2ffb4007802ee5bf12c5cd5bd398efe0f0f430ed6b3efa7969cb2c4fa49a2bbd773d8fa09f4c927cf998a564b7611443437c310 AUX openssh-8.0_p1-hpn-X509-glue.patch 3814 BLAKE2B 9a0071d13bb602f9b0660dd74d0ae59611a0d8b8c13fab7def2ea840d1ea42bb4c0999ef44e86db2e8246c6e803797a70f9b18016da491598991052854659c03 SHA512 a986c012aa58a4764d3c4c4a5bf5d1e69edb156adf18d7e9ccae0508879da8b3e92a884d6dcfa80ec5b02d41e7784d8eb500128925ae5cee0ca948cf6bf50ba2 AUX openssh-8.0_p1-hpn-glue.patch 7029 BLAKE2B cf6fb2c59b768aecf846f0d037ae6d48f750e742f93cdd00a62caf04dfafd993e05921f5d227014e9437d3cdfff4e1b9baa832997904bf398ba06e8f874f7ceb SHA512 63eb0b12763ab53946a9f6b9db44c428d9da8b781a6e1d3f5c4b0edfca85d986cf932461205cee84f9a9db7725c9e05eb1d366b357c787a95c561bdc6514d3d7 AUX openssh-8.0_p1-hpn-version.patch 590 BLAKE2B 1ff20ab17e7e1a20f7a96ded56ff7c059fd509d7773d9abaeac83743102385d9713284c630dc932d40672a9bfc8a894b57c6b073e93a7b024de7490ea54a589c SHA512 37250881f17a44e4a4b0ac164d06961e0731528847d5cbbb263e3f9a286a192c8dae92250b85db3f2e1f280a464c7b3bfc8a7c9e85552375c013e16a6fcf28ed AUX openssh-8.0_p1-tests.patch 1493 BLAKE2B 2e28d9f27d6d9f7e1716cf5f85bbb92af96faf8842e0047d79262a36f5273cd9252bfc576a22e4fc5523942eb7dea80d968045fea317e523d430373c59160ed0 SHA512 1f191076d3199b33e4cfa66e901d086dba32d7ee620c6dfa3bdaa7c9cba8e98d36b7f27d2f2dca7eb8d2549da37dd4b3638e392d8dbd9c36cb4a9ba09a45043f -AUX openssh-8.1_p1-GSSAPI-dns.patch 11639 BLAKE2B 2bc9e618c0acbf6b85496a33055894471235d01f20b76c9b75302dce58c7d6033984c8471789d2f8095d6231f5f271a4eb2f6099936b1631ec261464bc7a3ada SHA512 722a769da482876f0629e110109f02065e47848ff79395e9e64de39ae066d8c5a207f849c59d95b72e70b874f4bedf4e52a2f7ad1752d9c84b99ccdbfa19c73d -AUX openssh-8.1_p1-hpn-glue.patch 7830 BLAKE2B 81c239f57d252b3a9bb1c7aed56ac67196ad11a316163db0cf6d4c75d73db1cbae038707ec788c5101f40ebf455257fa2cd1b9d7facab1081b5b856317543dd7 SHA512 2cf4e5da60e30932619c6915295b1659f53db3e784e87fcbbd25b8d167df8e29a1712235413bb2d485956494111aa682d086f9b5a36c3f55a286d40599df8b8c AUX sshd-r1.confd 774 BLAKE2B df3f3f28cb4d35b49851399b52408c42e242ae3168ff3fc79add211903567da370cfe86a267932ca9cf13c3afbc38a8f1b53e753a31670ee61bf8ba8747832f8 SHA512 3a69752592126024319a95f1c1747af508fd639c86eca472106c5d6c23d5eeaa441ca74740d4b1aafaa0db759d38879e3c1cee742b08d6166ebc58cddac1e2fe AUX sshd-r1.initd 2675 BLAKE2B 47e87cec2d15b90aae362ce0c8e8ba08dada9ebc244e28be1fe67d24deb00675d3d9b8fef40def8a9224a3e2d15ab717574a3d837e099133c1cf013079588b55 SHA512 257d6437162b76c4a3a648ecc5d4739ca7eaa60b192fde91422c6c05d0de6adfa9635adc24d57dc3da6beb92b1b354ffe8fddad3db453efb610195d5509a4e27 AUX sshd.confd 396 BLAKE2B 2fc146e83512d729e120cfe331441e8fe27eba804906cc0c463b938ddaf052e7392efbcda6699467afde22652c599e7d55b0ce18a344137263cd78647fea255f SHA512 b9ae816af54a55e134a9307e376f05367b815f1b3fd545c2a2c312d18aedcf907f413e8bad8db980cdd9aad4011a72a79e1e94594f69500939a9cb46287f2f81 @@ -60,15 +54,14 @@ DIST openssh-7.9p1-sctp-1.2.patch.xz 7360 BLAKE2B 60e209371ecac24d0b60e48459d4d4 DIST openssh-7.9p1.tar.gz 1565384 BLAKE2B de15795e03d33d4f9fe4792f6b14500123230b6c00c1e5bd7207bb6d6bf6df0b2e057c1b1de0fee709f58dd159203fdd69fe1473118a6baedebaa0c1c4c55b59 SHA512 0412c9c429c9287f0794023951469c8e6ec833cdb55821bfa0300dd90d0879ff60484f620cffd93372641ab69bf0b032c2d700ccc680950892725fb631b7708e DIST openssh-7_8_P1-hpn-AES-CTR-14.16.diff 29231 BLAKE2B e25877c5e22f674e6db5a0bc107e5daa2509fe762fb14ce7bb2ce9a115e8177a93340c1d19247b6c2c854b7e1f9ae9af9fd932e5fa9c0a6b2ba438cd11a42991 SHA512 1867fb94c29a51294a71a3ec6a299757565a7cda5696118b0b346ed9c78f2c81bb1b888cff5e3418776b2fa277a8f070c5eb9327bb005453e2ffd72d35cdafa7 DIST openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 43356 BLAKE2B 776fa140d64a16c339b46a7c773258d2f4fe44e48b16abccad1a8757a51cb6362722fc5f42c39159af12849f5c88cf574de64815085c97157e16653f18d4909b SHA512 53f2752b7aa02719c8dfe0fe0ef16e874101ba2ba87924aa1122cd445ece218ca09c22abaa3377307f25d459579bc28d3854e2402c71b794db65d58cdd1ebc08 -DIST openssh-8.0p1+x509-12.1-gentoo.diff.gz 680853 BLAKE2B b24ee61d6328bf2de8384d6ecbfc5ae0be4719a3c7a2d714be3a144d327bba5038e7e36ffcc313af2a8a94960ce1f56387654d2d21920af51826af61957aa4cc SHA512 178728139473b277fe50a03f37be50b3f8e539cea8f5937ddfe710082944e799d845cdb5994f585c13564c4a89b80ccf75e87753102aebacdb4c590f0b8a1482 +DIST openssh-8.0p1+x509-12.0.diff.gz 623765 BLAKE2B b1c0d533a58c55b0f8451ce5aa8ee9b462afdc1eee44018f30962d3427c73b12a57c2c88bc8656c09c2b39a2ac72755539eeb29e7060ced5d3e8470647f88c0a SHA512 5f678fd303e39df7a2fb23af682c5a02b33f7fdcafe6171b9db2067098a2048677c415c3bee75225eb9fbaf308cfac7f37b0865951cdb6dda0577908499a8295 +DIST openssh-8.0p1+x509-12.1.diff.gz 680389 BLAKE2B b1e353c496dd6dbd104c32bc5e9a3f055673a7876944d39c80f185cdb589d09b8d509754f04f2e051ceef2b39a3d810ba00b8894a4b67c7a6a0170a4ed0518a5 SHA512 831988d636a19e89a881616e07e38bc6ca44e90443b2bbf290fab3f120877e2eef60f21ad6e0c64098d07e09379f9f73f0ce2e5df975aa1bd43944582f8b8b3e DIST openssh-8.0p1-sctp-1.2.patch.xz 7348 BLAKE2B bc3d3815f1ef5dbab605b93182a00c2fec258f49d56684defb6564d2b60886429c615a7ab076cc071a590f9df0908b1862ceb0961b7e6f6d1090237fec9035d3 SHA512 2f9f774286db75d0240e6fb01655a8a193fb2a5dc4596ad68ed22d64f97c9c46dad61a06478f2e972fd37cbad4d9aca5829bb91097cc56638601ff94a972b24f DIST openssh-8.0p1.tar.gz 1597697 BLAKE2B 5ba79872eabb3b3964d95a8cdd690bfe0323f018d7f944d4e1acb52576c9f6d7a1ddac15e88dc42eac6ecbfabfad1c228e303a2262588769e307c38107a4cd54 SHA512 e280fa2d56f550efd37c5d2477670326261aa8b94d991f9eb17aad90e0c6c9c939efa90fe87d33260d0f709485cb05c379f0fd1bd44fc0d5190298b6398c9982 -DIST openssh-8.1p1-sctp-1.2.patch.xz 7672 BLAKE2B f1aa0713fcb114d8774bd8d524d106401a9d7c2c73a05fbde200ccbdd2562b3636ddd2d0bc3eae9f04b4d7c729c3dafd814ae8c530a76c4a0190fae71d1edcd2 SHA512 2bffab0bbae5a4c1875e0cc229bfd83d8565bd831309158cd489d8b877556c69b936243888a181bd9ff302e19f2c174156781574294d260b6384c464d003d566 -DIST openssh-8.1p1.tar.gz 1625894 BLAKE2B d525be921a6f49420a58df5ac434d43a0c85e0f6bf8428ecebf04117c50f473185933e6e4485e506ac614f71887a513b9962d7b47969ba785da8e3a38f767322 SHA512 b987ea4ffd4ab0c94110723860273b06ed8ffb4d21cbd99ca144a4722dc55f4bf86f6253d500386b6bee7af50f066e2aa2dd095d50746509a10e11221d39d925 DIST openssh-lpk-7.5p1-0.3.14.patch.xz 17040 BLAKE2B 5b2204316dd244bb8dd11db50d5bc3a194e2cc4b64964a2d3df68bbe54c53588f15fc5176dbc3811e929573fa3e41cf91f412aa2513bb9a4b6ed02c2523c1e24 SHA512 9ce5d7e5d831c972f0f866b686bf93a048a03979ab38627973f5491eeeaa45f9faab0520b3a7ed90a13a67213fdc9cd4cf11e423acad441ea91b71037c8b435b -EBUILD openssh-7.5_p1-r4.ebuild 11137 BLAKE2B 371ae94d3f12874e8ee17416cd2c1b81059b4db2cef6cad7453aa85c2c192ebac644c3907d85d42df7729044a8cebb90ef19e35036a402be404a0841333eb653 SHA512 6655b250cbec41c4432b79a4699b15d73f246820d5f0f3c9fdfe5053388be3b0be7a26ec800055ad0824c92cb91bb1a5c9a939d15ff58af07164b9fce230a415 -EBUILD openssh-7.7_p1-r9.ebuild 15919 BLAKE2B be6c6ac296d5332805d9a90c72a23598d17ca02212f2309bbb9dbff5c0374a6ef1c7d346fdd365afc0b0b853c5744c98f2db0d66347313a173aad4942abefc23 SHA512 36357ad30be27388decd08db6ae580984363b4c98c53cb634e5164b2924887cac4d19ea941f686b2290f8ff93db8c4f506fb2f76b24a1790364677ef851f6ce3 -EBUILD openssh-7.9_p1-r4.ebuild 16293 BLAKE2B 1f96b90873bed0b45da2ba26c3b1b9fb170598e6f6bc3090b8edfc7274185291f7e351a0e945e1a04ccb4e2c8fde18ba50f7bf7cd145a98721092a7608991875 SHA512 ee4fc5f36febc96c188d30d2d46b6d14c3d80178c2801802160ffbbce2d019ba6e26f26ae41e752748dc6999e676a4b2dae9e27ab7a42500c3c386f578bc24e7 -EBUILD openssh-8.0_p1-r4.ebuild 16661 BLAKE2B 7b58c80723df0c0c8c7b2a0724b6cb7549211cd618b54bba53e769af0f29c4c887e454a29e06a9e95b30ccc23156e9cfbfc63801df3a224126c296ac43d1f277 SHA512 3d5fe15f2ae2dda9c9b42d153a4fb9efcd553a79b0c136c51f8ee5770679334580ecc062aba8c01119fe4795669b76284f1a051d58797284e0de1c0e1f296c7e -EBUILD openssh-8.1_p1.ebuild 16352 BLAKE2B 2452ba7f2ee139860e648885d6abdecbfaa2fd829090c5176334280663376c3a732dc3458fc6c1645bf9668107172a75a0dc53659dae169913b348db64877b0f SHA512 b29c5431724f708722bd5b901b77a0390a607817ed52bf38f0558e99be53c29e93eb1d91124667ae8a7b0de25d85a28c9c3d5b7d35a1329f9c39791168f95575 +EBUILD openssh-7.5_p1-r4.ebuild 11161 BLAKE2B e6276f34a75fbce06ebefa246786db15aff3bd9a59c77c41d96576b6aeb77c5e6fa17aceb573d4d1f0518aa703d298eb292d0d157fb843a702cbede1f42c0296 SHA512 446414c8961458b812b768d18afe46d60ef4dd54111d95b99654cfb3dfef592812b30527fdda352a595bba815e0ffea4a813e3291bcc96bacb368267ff837bdd +EBUILD openssh-7.7_p1-r9.ebuild 15943 BLAKE2B 459a0f5920b3d5b4da2835e7f3c9f1edd185e48c509e5150a1306dbca3c2f17d0d9d3f41166c4263dd60c0218c11b278a4eaa6f53ae1429710fc749994f70d11 SHA512 3aa9018173cc53de22b1e4693daf4ca2716cd0bc0066f797b6b66926481aaabb3e82942beb305a95523ba64dc9ff95f54232c7538c1d30834f38d88dd94f18a2 +EBUILD openssh-7.9_p1-r4.ebuild 16314 BLAKE2B 4b78ac7c56c7aa5ab0225b07cc8d4f4739408221372064d17bd095dd440af3a9541713ab55de5bdb2347a373b9e267c0e3f38bb992f4ea3da893ff8a808970e0 SHA512 2f9ab98645c6d2ab67ee2e715719cdb868d02e8df19de85bc2556dfa62c26f946125a9fcdbbbdd34a596961272655947d6c6657dc1b477b646d4e42e8ad931af +EBUILD openssh-8.0_p1-r2.ebuild 16221 BLAKE2B 57e648434d52495a68a444a1493e63f906afac08e06dbffff35ab6aa3a41e00b27ea27c975576934d2067ad77183795bf0c2c48e3e7d7951537d1f276005d445 SHA512 a4d21a237fb93b168f3f884923e23e4fb215f8725b076723cccefa1354dc98af11a8f8ed2448d93daa23b3c411b7ebb00c2c9013139be9c1444dd952812472b2 +EBUILD openssh-8.0_p1.ebuild 16146 BLAKE2B 613b780cdde9d39e9f1f67267c773dded920c511c6e8d1241c92c72d9957b39e870517c868d17c72db2ae68bfc2b2d64ba85b777331082d4011057ca87cdb59e SHA512 9358116310155833391140a586d4c375292a9eb68fe40bf7453e9ee547c74bbcb750e360fd43c7c585a222cb053804a413023c0dcc06ab824df964826476853e MISC metadata.xml 2291 BLAKE2B 9e12fbae3c37a48c3b04876a7247bf38c33d6cc5be210b382e35e45c9318b3c3e7c91a0ef32a9fda96ac7a68a00f9d703aacfc1c1f23e59511ea97d159527488 SHA512 8605c7aa2e4594a04006b3abfac3fad359e3e44182be53116e25159b7419d4429176617c10b50354d0d10c2be26af550e9a2b6e4c7085906558a569dddf5c8f3 diff --git a/net-misc/openssh/files/openssh-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch b/net-misc/openssh/files/openssh-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch deleted file mode 100644 index fe3be2409e2a..000000000000 --- a/net-misc/openssh/files/openssh-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 3ef92a657444f172b61f92d5da66d94fa8265602 Mon Sep 17 00:00:00 2001 -From: Lonnie Abelbeck <lonnie@abelbeck.com> -Date: Tue, 1 Oct 2019 09:05:09 -0500 -Subject: [PATCH] Deny (non-fatal) shmget/shmat/shmdt in preauth privsep child. - -New wait_random_seeded() function on OpenSSL 1.1.1d uses shmget, shmat, and shmdt -in the preauth codepath, deny (non-fatal) in seccomp_filter sandbox. ---- - sandbox-seccomp-filter.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c -index 840c5232b..39dc289e3 100644 ---- a/sandbox-seccomp-filter.c -+++ b/sandbox-seccomp-filter.c -@@ -168,6 +168,15 @@ static const struct sock_filter preauth_insns[] = { - #ifdef __NR_stat64 - SC_DENY(__NR_stat64, EACCES), - #endif -+#ifdef __NR_shmget -+ SC_DENY(__NR_shmget, EACCES), -+#endif -+#ifdef __NR_shmat -+ SC_DENY(__NR_shmat, EACCES), -+#endif -+#ifdef __NR_shmdt -+ SC_DENY(__NR_shmdt, EACCES), -+#endif - - /* Syscalls to permit */ - #ifdef __NR_brk diff --git a/net-misc/openssh/files/openssh-8.0_p1-fix-an-unreachable-integer-overflow-similar-to-the-XMSS-case.patch b/net-misc/openssh/files/openssh-8.0_p1-fix-an-unreachable-integer-overflow-similar-to-the-XMSS-case.patch deleted file mode 100644 index bffc591ef667..000000000000 --- a/net-misc/openssh/files/openssh-8.0_p1-fix-an-unreachable-integer-overflow-similar-to-the-XMSS-case.patch +++ /dev/null @@ -1,76 +0,0 @@ -https://github.com/openssh/openssh-portable/commit/29e0ecd9b4eb3b9f305e2240351f0c59cad9ef81 - ---- a/sshkey.c -+++ b/sshkey.c -@@ -3209,6 +3209,10 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) - if ((r = sshkey_froms(buf, &k)) != 0 || - (r = sshbuf_get_bignum2(buf, &dsa_priv_key)) != 0) - goto out; -+ if (k->type != type) { -+ r = SSH_ERR_INVALID_FORMAT; -+ goto out; -+ } - if (!DSA_set0_key(k->dsa, NULL, dsa_priv_key)) { - r = SSH_ERR_LIBCRYPTO_ERROR; - goto out; -@@ -3252,6 +3256,11 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) - if ((r = sshkey_froms(buf, &k)) != 0 || - (r = sshbuf_get_bignum2(buf, &exponent)) != 0) - goto out; -+ if (k->type != type || -+ k->ecdsa_nid != sshkey_ecdsa_nid_from_name(tname)) { -+ r = SSH_ERR_INVALID_FORMAT; -+ goto out; -+ } - if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { - r = SSH_ERR_LIBCRYPTO_ERROR; - goto out; -@@ -3296,6 +3305,10 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) - (r = sshbuf_get_bignum2(buf, &rsa_p)) != 0 || - (r = sshbuf_get_bignum2(buf, &rsa_q)) != 0) - goto out; -+ if (k->type != type) { -+ r = SSH_ERR_INVALID_FORMAT; -+ goto out; -+ } - if (!RSA_set0_key(k->rsa, NULL, NULL, rsa_d)) { - r = SSH_ERR_LIBCRYPTO_ERROR; - goto out; -@@ -3333,13 +3346,17 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) - (r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || - (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) - goto out; -+ if (k->type != type) { -+ r = SSH_ERR_INVALID_FORMAT; -+ goto out; -+ } - if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) { - r = SSH_ERR_INVALID_FORMAT; - goto out; - } - k->ed25519_pk = ed25519_pk; - k->ed25519_sk = ed25519_sk; -- ed25519_pk = ed25519_sk = NULL; -+ ed25519_pk = ed25519_sk = NULL; /* transferred */ - break; - #ifdef WITH_XMSS - case KEY_XMSS: -@@ -3370,7 +3387,7 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) - (r = sshbuf_get_string(buf, &xmss_pk, &pklen)) != 0 || - (r = sshbuf_get_string(buf, &xmss_sk, &sklen)) != 0) - goto out; -- if (strcmp(xmss_name, k->xmss_name)) { -+ if (k->type != type || strcmp(xmss_name, k->xmss_name) != 0) { - r = SSH_ERR_INVALID_FORMAT; - goto out; - } -@@ -3877,7 +3894,8 @@ sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase, - } - - /* check that an appropriate amount of auth data is present */ -- if (sshbuf_len(decoded) < encrypted_len + authlen) { -+ if (sshbuf_len(decoded) < authlen || -+ sshbuf_len(decoded) - authlen < encrypted_len) { - r = SSH_ERR_INVALID_FORMAT; - goto out; - } diff --git a/net-misc/openssh/files/openssh-8.0_p1-fix-integer-overflow-in-XMSS-private-key-parsing.patch b/net-misc/openssh/files/openssh-8.0_p1-fix-integer-overflow-in-XMSS-private-key-parsing.patch deleted file mode 100644 index ba0bd02371d4..000000000000 --- a/net-misc/openssh/files/openssh-8.0_p1-fix-integer-overflow-in-XMSS-private-key-parsing.patch +++ /dev/null @@ -1,14 +0,0 @@ -https://github.com/openssh/openssh-portable/commit/a546b17bbaeb12beac4c9aeed56f74a42b18a93a - ---- a/sshkey-xmss.c -+++ b/sshkey-xmss.c -@@ -977,7 +977,8 @@ sshkey_xmss_decrypt_state(const struct sshkey *k, struct sshbuf *encoded, - goto out; - } - /* check that an appropriate amount of auth data is present */ -- if (sshbuf_len(encoded) < encrypted_len + authlen) { -+ if (sshbuf_len(encoded) < authlen || -+ sshbuf_len(encoded) - authlen < encrypted_len) { - r = SSH_ERR_INVALID_FORMAT; - goto out; - } diff --git a/net-misc/openssh/files/openssh-8.0_p1-fix-putty-tests.patch b/net-misc/openssh/files/openssh-8.0_p1-fix-putty-tests.patch deleted file mode 100644 index 4310aa123fc8..000000000000 --- a/net-misc/openssh/files/openssh-8.0_p1-fix-putty-tests.patch +++ /dev/null @@ -1,57 +0,0 @@ -Make sure that host keys are already accepted before -running tests. - -https://bugs.gentoo.org/493866 - ---- a/regress/putty-ciphers.sh -+++ b/regress/putty-ciphers.sh -@@ -10,11 +10,17 @@ fi - - for c in aes 3des aes128-ctr aes192-ctr aes256-ctr ; do - verbose "$tid: cipher $c" -+ rm -f ${COPY} - cp ${OBJ}/.putty/sessions/localhost_proxy \ - ${OBJ}/.putty/sessions/cipher_$c - echo "Cipher=$c" >> ${OBJ}/.putty/sessions/cipher_$c - -- rm -f ${COPY} -+ env HOME=$PWD echo "y" | ${PLINK} -load cipher_$c \ -+ -i ${OBJ}/putty.rsa2 "exit" -+ if [ $? -ne 0 ]; then -+ fail "failed to pre-cache host key" -+ fi -+ - env HOME=$PWD ${PLINK} -load cipher_$c -batch -i ${OBJ}/putty.rsa2 \ - cat ${DATA} > ${COPY} - if [ $? -ne 0 ]; then ---- a/regress/putty-kex.sh -+++ b/regress/putty-kex.sh -@@ -14,6 +14,12 @@ for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ; do - ${OBJ}/.putty/sessions/kex_$k - echo "KEX=$k" >> ${OBJ}/.putty/sessions/kex_$k - -+ env HOME=$PWD echo "y" | ${PLINK} -load kex_$k \ -+ -i ${OBJ}/putty.rsa2 "exit" -+ if [ $? -ne 0 ]; then -+ fail "failed to pre-cache host key" -+ fi -+ - env HOME=$PWD ${PLINK} -load kex_$k -batch -i ${OBJ}/putty.rsa2 true - if [ $? -ne 0 ]; then - fail "KEX $k failed" ---- a/regress/putty-transfer.sh -+++ b/regress/putty-transfer.sh -@@ -14,6 +14,13 @@ for c in 0 1 ; do - cp ${OBJ}/.putty/sessions/localhost_proxy \ - ${OBJ}/.putty/sessions/compression_$c - echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k -+ -+ env HOME=$PWD echo "y" | ${PLINK} -load compression_$c \ -+ -i ${OBJ}/putty.rsa2 "exit" -+ if [ $? -ne 0 ]; then -+ fail "failed to pre-cache host key" -+ fi -+ - env HOME=$PWD ${PLINK} -load compression_$c -batch \ - -i ${OBJ}/putty.rsa2 cat ${DATA} > ${COPY} - if [ $? -ne 0 ]; then diff --git a/net-misc/openssh/files/openssh-8.1_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-8.1_p1-GSSAPI-dns.patch deleted file mode 100644 index 6aba6f266945..000000000000 --- a/net-misc/openssh/files/openssh-8.1_p1-GSSAPI-dns.patch +++ /dev/null @@ -1,359 +0,0 @@ -diff --git a/auth.c b/auth.c -index ca450f4e..2994a4e4 100644 ---- a/auth.c -+++ b/auth.c -@@ -723,120 +723,6 @@ fakepw(void) - return (&fake); - } - --/* -- * Returns the remote DNS hostname as a string. The returned string must not -- * be freed. NB. this will usually trigger a DNS query the first time it is -- * called. -- * This function does additional checks on the hostname to mitigate some -- * attacks on legacy rhosts-style authentication. -- * XXX is RhostsRSAAuthentication vulnerable to these? -- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) -- */ -- --static char * --remote_hostname(struct ssh *ssh) --{ -- struct sockaddr_storage from; -- socklen_t fromlen; -- struct addrinfo hints, *ai, *aitop; -- char name[NI_MAXHOST], ntop2[NI_MAXHOST]; -- const char *ntop = ssh_remote_ipaddr(ssh); -- -- /* Get IP address of client. */ -- fromlen = sizeof(from); -- memset(&from, 0, sizeof(from)); -- if (getpeername(ssh_packet_get_connection_in(ssh), -- (struct sockaddr *)&from, &fromlen) == -1) { -- debug("getpeername failed: %.100s", strerror(errno)); -- return strdup(ntop); -- } -- -- ipv64_normalise_mapped(&from, &fromlen); -- if (from.ss_family == AF_INET6) -- fromlen = sizeof(struct sockaddr_in6); -- -- debug3("Trying to reverse map address %.100s.", ntop); -- /* Map the IP address to a host name. */ -- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), -- NULL, 0, NI_NAMEREQD) != 0) { -- /* Host name not found. Use ip address. */ -- return strdup(ntop); -- } -- -- /* -- * if reverse lookup result looks like a numeric hostname, -- * someone is trying to trick us by PTR record like following: -- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 -- */ -- memset(&hints, 0, sizeof(hints)); -- hints.ai_socktype = SOCK_DGRAM; /*dummy*/ -- hints.ai_flags = AI_NUMERICHOST; -- if (getaddrinfo(name, NULL, &hints, &ai) == 0) { -- logit("Nasty PTR record \"%s\" is set up for %s, ignoring", -- name, ntop); -- freeaddrinfo(ai); -- return strdup(ntop); -- } -- -- /* Names are stored in lowercase. */ -- lowercase(name); -- -- /* -- * Map it back to an IP address and check that the given -- * address actually is an address of this host. This is -- * necessary because anyone with access to a name server can -- * define arbitrary names for an IP address. Mapping from -- * name to IP address can be trusted better (but can still be -- * fooled if the intruder has access to the name server of -- * the domain). -- */ -- memset(&hints, 0, sizeof(hints)); -- hints.ai_family = from.ss_family; -- hints.ai_socktype = SOCK_STREAM; -- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { -- logit("reverse mapping checking getaddrinfo for %.700s " -- "[%s] failed.", name, ntop); -- return strdup(ntop); -- } -- /* Look for the address from the list of addresses. */ -- for (ai = aitop; ai; ai = ai->ai_next) { -- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, -- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && -- (strcmp(ntop, ntop2) == 0)) -- break; -- } -- freeaddrinfo(aitop); -- /* If we reached the end of the list, the address was not there. */ -- if (ai == NULL) { -- /* Address not found for the host name. */ -- logit("Address %.100s maps to %.600s, but this does not " -- "map back to the address.", ntop, name); -- return strdup(ntop); -- } -- return strdup(name); --} -- --/* -- * Return the canonical name of the host in the other side of the current -- * connection. The host name is cached, so it is efficient to call this -- * several times. -- */ -- --const char * --auth_get_canonical_hostname(struct ssh *ssh, int use_dns) --{ -- static char *dnsname; -- -- if (!use_dns) -- return ssh_remote_ipaddr(ssh); -- else if (dnsname != NULL) -- return dnsname; -- else { -- dnsname = remote_hostname(ssh); -- return dnsname; -- } --} -- - /* - * Runs command in a subprocess with a minimal environment. - * Returns pid on success, 0 on failure. -diff --git a/canohost.c b/canohost.c -index abea9c6e..4f4524d2 100644 ---- a/canohost.c -+++ b/canohost.c -@@ -202,3 +202,117 @@ get_local_port(int sock) - { - return get_sock_port(sock, 1); - } -+ -+/* -+ * Returns the remote DNS hostname as a string. The returned string must not -+ * be freed. NB. this will usually trigger a DNS query the first time it is -+ * called. -+ * This function does additional checks on the hostname to mitigate some -+ * attacks on legacy rhosts-style authentication. -+ * XXX is RhostsRSAAuthentication vulnerable to these? -+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) -+ */ -+ -+static char * -+remote_hostname(struct ssh *ssh) -+{ -+ struct sockaddr_storage from; -+ socklen_t fromlen; -+ struct addrinfo hints, *ai, *aitop; -+ char name[NI_MAXHOST], ntop2[NI_MAXHOST]; -+ const char *ntop = ssh_remote_ipaddr(ssh); -+ -+ /* Get IP address of client. */ -+ fromlen = sizeof(from); -+ memset(&from, 0, sizeof(from)); -+ if (getpeername(ssh_packet_get_connection_in(ssh), -+ (struct sockaddr *)&from, &fromlen) < 0) { -+ debug("getpeername failed: %.100s", strerror(errno)); -+ return strdup(ntop); -+ } -+ -+ ipv64_normalise_mapped(&from, &fromlen); -+ if (from.ss_family == AF_INET6) -+ fromlen = sizeof(struct sockaddr_in6); -+ -+ debug3("Trying to reverse map address %.100s.", ntop); -+ /* Map the IP address to a host name. */ -+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), -+ NULL, 0, NI_NAMEREQD) != 0) { -+ /* Host name not found. Use ip address. */ -+ return strdup(ntop); -+ } -+ -+ /* -+ * if reverse lookup result looks like a numeric hostname, -+ * someone is trying to trick us by PTR record like following: -+ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 -+ */ -+ memset(&hints, 0, sizeof(hints)); -+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/ -+ hints.ai_flags = AI_NUMERICHOST; -+ if (getaddrinfo(name, NULL, &hints, &ai) == 0) { -+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring", -+ name, ntop); -+ freeaddrinfo(ai); -+ return strdup(ntop); -+ } -+ -+ /* Names are stored in lowercase. */ -+ lowercase(name); -+ -+ /* -+ * Map it back to an IP address and check that the given -+ * address actually is an address of this host. This is -+ * necessary because anyone with access to a name server can -+ * define arbitrary names for an IP address. Mapping from -+ * name to IP address can be trusted better (but can still be -+ * fooled if the intruder has access to the name server of -+ * the domain). -+ */ -+ memset(&hints, 0, sizeof(hints)); -+ hints.ai_family = from.ss_family; -+ hints.ai_socktype = SOCK_STREAM; -+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { -+ logit("reverse mapping checking getaddrinfo for %.700s " -+ "[%s] failed.", name, ntop); -+ return strdup(ntop); -+ } -+ /* Look for the address from the list of addresses. */ -+ for (ai = aitop; ai; ai = ai->ai_next) { -+ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, -+ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && -+ (strcmp(ntop, ntop2) == 0)) -+ break; -+ } -+ freeaddrinfo(aitop); -+ /* If we reached the end of the list, the address was not there. */ -+ if (ai == NULL) { -+ /* Address not found for the host name. */ -+ logit("Address %.100s maps to %.600s, but this does not " -+ "map back to the address.", ntop, name); -+ return strdup(ntop); -+ } -+ return strdup(name); -+} -+ -+/* -+ * Return the canonical name of the host in the other side of the current -+ * connection. The host name is cached, so it is efficient to call this -+ * several times. -+ */ -+ -+const char * -+auth_get_canonical_hostname(struct ssh *ssh, int use_dns) -+{ -+ static char *dnsname; -+ -+ if (!use_dns) -+ return ssh_remote_ipaddr(ssh); -+ else if (dnsname != NULL) -+ return dnsname; -+ else { -+ dnsname = remote_hostname(ssh); -+ return dnsname; -+ } -+} -diff --git a/readconf.c b/readconf.c -index f78b4d6f..747287f7 100644 ---- a/readconf.c -+++ b/readconf.c -@@ -162,6 +162,7 @@ typedef enum { - oClearAllForwardings, oNoHostAuthenticationForLocalhost, - oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, - oAddressFamily, oGssAuthentication, oGssDelegateCreds, -+ oGssTrustDns, - oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, - oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist, - oHashKnownHosts, -@@ -203,9 +204,11 @@ static struct { - #if defined(GSSAPI) - { "gssapiauthentication", oGssAuthentication }, - { "gssapidelegatecredentials", oGssDelegateCreds }, -+ { "gssapitrustdns", oGssTrustDns }, - # else - { "gssapiauthentication", oUnsupported }, - { "gssapidelegatecredentials", oUnsupported }, -+ { "gssapitrustdns", oUnsupported }, - #endif - #ifdef ENABLE_PKCS11 - { "pkcs11provider", oPKCS11Provider }, -@@ -992,6 +995,10 @@ parse_time: - intptr = &options->gss_deleg_creds; - goto parse_flag; - -+ case oGssTrustDns: -+ intptr = &options->gss_trust_dns; -+ goto parse_flag; -+ - case oBatchMode: - intptr = &options->batch_mode; - goto parse_flag; -@@ -1864,6 +1871,7 @@ initialize_options(Options * options) - options->challenge_response_authentication = -1; - options->gss_authentication = -1; - options->gss_deleg_creds = -1; -+ options->gss_trust_dns = -1; - options->password_authentication = -1; - options->kbd_interactive_authentication = -1; - options->kbd_interactive_devices = NULL; -@@ -2011,6 +2019,8 @@ fill_default_options(Options * options) - options->gss_authentication = 0; - if (options->gss_deleg_creds == -1) - options->gss_deleg_creds = 0; -+ if (options->gss_trust_dns == -1) -+ options->gss_trust_dns = 0; - if (options->password_authentication == -1) - options->password_authentication = 1; - if (options->kbd_interactive_authentication == -1) -diff --git a/readconf.h b/readconf.h -index 8e36bf32..c9e4718d 100644 ---- a/readconf.h -+++ b/readconf.h -@@ -41,6 +41,7 @@ typedef struct { - /* Try S/Key or TIS, authentication. */ - int gss_authentication; /* Try GSS authentication */ - int gss_deleg_creds; /* Delegate GSS credentials */ -+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */ - int password_authentication; /* Try password - * authentication. */ - int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ -diff --git a/ssh_config.5 b/ssh_config.5 -index 02a87892..95de538b 100644 ---- a/ssh_config.5 -+++ b/ssh_config.5 -@@ -762,6 +762,16 @@ The default is - Forward (delegate) credentials to the server. - The default is - .Cm no . -+Note that this option applies to protocol version 2 connections using GSSAPI. -+.It Cm GSSAPITrustDns -+Set to -+.Dq yes to indicate that the DNS is trusted to securely canonicalize -+the name of the host being connected to. If -+.Dq no, the hostname entered on the -+command line will be passed untouched to the GSSAPI library. -+The default is -+.Dq no . -+This option only applies to protocol version 2 connections using GSSAPI. - .It Cm HashKnownHosts - Indicates that - .Xr ssh 1 -diff --git a/sshconnect2.c b/sshconnect2.c -index 87fa70a4..a6ffdc96 100644 ---- a/sshconnect2.c -+++ b/sshconnect2.c -@@ -697,6 +697,13 @@ userauth_gssapi(struct ssh *ssh) - OM_uint32 min; - int r, ok = 0; - gss_OID mech = NULL; -+ const char *gss_host; -+ -+ if (options.gss_trust_dns) { -+ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns); -+ gss_host = auth_get_canonical_hostname(ssh, 1); -+ } else -+ gss_host = authctxt->host; - - /* Try one GSSAPI method at a time, rather than sending them all at - * once. */ -@@ -711,7 +718,7 @@ userauth_gssapi(struct ssh *ssh) - elements[authctxt->mech_tried]; - /* My DER encoding requires length<128 */ - if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt, -- mech, authctxt->host)) { -+ mech, gss_host)) { - ok = 1; /* Mechanism works */ - } else { - authctxt->mech_tried++; diff --git a/net-misc/openssh/files/openssh-8.1_p1-hpn-glue.patch b/net-misc/openssh/files/openssh-8.1_p1-hpn-glue.patch deleted file mode 100644 index 0ad814f95d87..000000000000 --- a/net-misc/openssh/files/openssh-8.1_p1-hpn-glue.patch +++ /dev/null @@ -1,216 +0,0 @@ -Only in b: .openssh-7_8_P1-hpn-AES-CTR-14.16.diff.un~ -Only in b: .openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff.un~ -diff -ru a/openssh-7_8_P1-hpn-AES-CTR-14.16.diff b/openssh-7_8_P1-hpn-AES-CTR-14.16.diff ---- a/openssh-7_8_P1-hpn-AES-CTR-14.16.diff 2019-10-10 13:48:31.513603947 -0700 -+++ b/openssh-7_8_P1-hpn-AES-CTR-14.16.diff 2019-10-10 13:50:15.012495676 -0700 -@@ -17,8 +17,8 @@ - canohost.o channels.o cipher.o cipher-aes.o cipher-aesctr.o \ - - cipher-ctr.o cleanup.o \ - + cipher-ctr.o cleanup.o cipher-ctr-mt.o \ -- compat.o crc32.o fatal.o hostfile.o \ -- log.o match.o moduli.o nchan.o packet.o opacket.o \ -+ compat.o fatal.o hostfile.o \ -+ log.o match.o moduli.o nchan.o packet.o \ - readpass.o ttymodes.o xmalloc.o addrmatch.o \ - diff --git a/cipher-ctr-mt.c b/cipher-ctr-mt.c - new file mode 100644 -@@ -998,7 +998,7 @@ - + * so we repoint the define to the multithreaded evp. To start the threads we - + * then force a rekey - + */ --+ const void *cc = ssh_packet_get_send_context(active_state); -++ const void *cc = ssh_packet_get_send_context(ssh); - + - + /* only do this for the ctr cipher. otherwise gcm mode breaks. Don't know why though */ - + if (strstr(cipher_ctx_name(cc), "ctr")) { -@@ -1028,7 +1028,7 @@ - + * so we repoint the define to the multithreaded evp. To start the threads we - + * then force a rekey - + */ --+ const void *cc = ssh_packet_get_send_context(active_state); -++ const void *cc = ssh_packet_get_send_context(ssh); - + - + /* only rekey if necessary. If we don't do this gcm mode cipher breaks */ - + if (strstr(cipher_ctx_name(cc), "ctr")) { -diff -ru a/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff b/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff ---- a/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 2019-10-10 13:47:54.801642144 -0700 -+++ b/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 2019-10-10 15:58:05.085803333 -0700 -@@ -162,24 +162,24 @@ - } - - +static int --+channel_tcpwinsz(void) -++channel_tcpwinsz(struct ssh *ssh) - +{ - + u_int32_t tcpwinsz = 0; - + socklen_t optsz = sizeof(tcpwinsz); - + int ret = -1; - + - + /* if we aren't on a socket return 128KB */ --+ if (!packet_connection_is_on_socket()) -++ if (!ssh_packet_connection_is_on_socket(ssh)) - + return 128 * 1024; - + --+ ret = getsockopt(packet_get_connection_in(), -++ ret = getsockopt(ssh_packet_get_connection_in(ssh), - + SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz); - + /* return no more than SSHBUF_SIZE_MAX (currently 256MB) */ - + if ((ret == 0) && tcpwinsz > SSHBUF_SIZE_MAX) - + tcpwinsz = SSHBUF_SIZE_MAX; - + - + debug2("tcpwinsz: tcp connection %d, Receive window: %d", --+ packet_get_connection_in(), tcpwinsz); -++ ssh_packet_get_connection_in(ssh), tcpwinsz); - + return tcpwinsz; - +} - + -@@ -191,7 +191,7 @@ - c->local_window < c->local_window_max/2) && - c->local_consumed > 0) { - + u_int addition = 0; --+ u_int32_t tcpwinsz = channel_tcpwinsz(); -++ u_int32_t tcpwinsz = channel_tcpwinsz(ssh); - + /* adjust max window size if we are in a dynamic environment */ - + if (c->dynamic_window && (tcpwinsz > c->local_window_max)) { - + /* grow the window somewhat aggressively to maintain pressure */ -@@ -409,18 +409,10 @@ - index dcf35e6..da4ced0 100644 - --- a/packet.c - +++ b/packet.c --@@ -920,6 +920,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode) -+@@ -920,6 +920,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode) - return 0; - } - --+/* this supports the forced rekeying required for the NONE cipher */ --+int rekey_requested = 0; --+void --+packet_request_rekeying(void) --+{ --+ rekey_requested = 1; --+} --+ - +/* used to determine if pre or post auth when rekeying for aes-ctr - + * and none cipher switch */ - +int -@@ -434,20 +426,6 @@ - #define MAX_PACKETS (1U<<31) - static int - ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) --@@ -946,6 +964,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) -- if (state->p_send.packets == 0 && state->p_read.packets == 0) -- return 0; -- --+ /* used to force rekeying when called for by the none --+ * cipher switch methods -cjr */ --+ if (rekey_requested == 1) { --+ rekey_requested = 0; --+ return 1; --+ } --+ -- /* Time-based rekeying */ -- if (state->rekey_interval != 0 && -- (int64_t)state->rekey_time + state->rekey_interval <= monotime()) - diff --git a/packet.h b/packet.h - index 170203c..f4d9df2 100644 - --- a/packet.h -@@ -476,9 +454,9 @@ - /* Format of the configuration file: - - @@ -166,6 +167,8 @@ typedef enum { -- oHashKnownHosts, - oTunnel, oTunnelDevice, - oLocalCommand, oPermitLocalCommand, oRemoteCommand, -+ oDisableMTAES, - + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize, - + oNoneEnabled, oNoneSwitch, - oVisualHostKey, -@@ -615,9 +593,9 @@ - int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */ - SyslogFacility log_facility; /* Facility for system logging. */ - @@ -111,7 +115,10 @@ typedef struct { -- - int enable_ssh_keysign; - int64_t rekey_limit; -+ int disable_multithreaded; /*disable multithreaded aes-ctr*/ - + int none_switch; /* Use none cipher */ - + int none_enabled; /* Allow none to be used */ - int rekey_interval; -@@ -633,7 +611,7 @@ - off_t i, statbytes; - size_t amt, nr; - int fd = -1, haderr, indx; --- char *last, *name, buf[2048], encname[PATH_MAX]; -+- char *last, *name, buf[PATH_MAX + 128], encname[PATH_MAX]; - + char *last, *name, buf[16384], encname[PATH_MAX]; - int len; - -@@ -673,9 +651,9 @@ - /* Portable-specific options */ - if (options->use_pam == -1) - @@ -391,6 +400,43 @@ fill_default_server_options(ServerOptions *options) -- } -- if (options->permit_tun == -1) - options->permit_tun = SSH_TUNMODE_NO; -+ if (options->disable_multithreaded == -1) -+ options->disable_multithreaded = 0; - + if (options->none_enabled == -1) - + options->none_enabled = 0; - + if (options->hpn_disabled == -1) -@@ -1092,7 +1070,7 @@ - xxx_host = host; - xxx_hostaddr = hostaddr; - --@@ -412,6 +423,28 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host, -+@@ -412,6 +423,27 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host, - - if (!authctxt.success) - fatal("Authentication failed."); -@@ -1108,7 +1086,7 @@ - + memcpy(&myproposal, &myproposal_default, sizeof(myproposal)); - + myproposal[PROPOSAL_ENC_ALGS_STOC] = "none"; - + myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none"; --+ kex_prop2buf(active_state->kex->my, myproposal); -++ kex_prop2buf(ssh->kex->my, myproposal); - + packet_request_rekeying(); - + fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n"); - + } else { -@@ -1117,23 +1095,13 @@ - + fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n"); - + } - + } --+ -- debug("Authentication succeeded (%s).", authctxt.method->name); -- } - -+ #ifdef WITH_OPENSSL -+ if (options.disable_multithreaded == 0) { - diff --git a/sshd.c b/sshd.c - index a738c3a..b32dbe0 100644 - --- a/sshd.c - +++ b/sshd.c --@@ -373,7 +373,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) -- char remote_version[256]; /* Must be at least as big as buf. */ -- -- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n", --- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, --+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, -- *options.version_addendum == '\0' ? "" : " ", -- options.version_addendum); -- - @@ -1037,6 +1037,8 @@ listen_on_addrs(struct listenaddr *la) - int ret, listen_sock; - struct addrinfo *ai; -@@ -1217,11 +1185,10 @@ - index f1bbf00..21a70c2 100644 - --- a/version.h - +++ b/version.h --@@ -3,4 +3,6 @@ -+@@ -3,4 +3,5 @@ - #define SSH_VERSION "OpenSSH_7.8" - - #define SSH_PORTABLE "p1" - -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE --+#define SSH_HPN "-hpn14v16" - +#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN - + diff --git a/net-misc/openssh/openssh-7.5_p1-r4.ebuild b/net-misc/openssh/openssh-7.5_p1-r4.ebuild index 4b4ae5463ae3..cbe425c4eeff 100644 --- a/net-misc/openssh/openssh-7.5_p1-r4.ebuild +++ b/net-misc/openssh/openssh-7.5_p1-r4.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2019 Gentoo Authors +# Copyright 1999-2018 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 EAPI="5" @@ -25,7 +25,7 @@ SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz LICENSE="BSD GPL-2" SLOT="0" -KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" # Probably want to drop ssl defaulting to on in a future version. IUSE="abi_mips_n32 audit bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509" REQUIRED_USE="ldns? ( ssl ) @@ -56,7 +56,7 @@ LIB_DEPEND=" >=sys-libs/zlib-1.2.3:=[static-libs(+)]" RDEPEND=" !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) - pam? ( sys-libs/pam ) + pam? ( virtual/pam ) kerberos? ( virtual/krb5 ) ldap? ( net-nds/openldap )" DEPEND="${RDEPEND} diff --git a/net-misc/openssh/openssh-7.7_p1-r9.ebuild b/net-misc/openssh/openssh-7.7_p1-r9.ebuild index d949654c69e5..0a21486e685f 100644 --- a/net-misc/openssh/openssh-7.7_p1-r9.ebuild +++ b/net-misc/openssh/openssh-7.7_p1-r9.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2019 Gentoo Authors +# Copyright 1999-2018 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 EAPI="6" @@ -26,7 +26,7 @@ SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz LICENSE="BSD GPL-2" SLOT="0" -KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" # Probably want to drop ssl defaulting to on in a future version. IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux skey +ssl static test X X509" RESTRICT="!test? ( test )" @@ -57,7 +57,7 @@ LIB_DEPEND=" >=sys-libs/zlib-1.2.3:=[static-libs(+)]" RDEPEND=" !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) - pam? ( sys-libs/pam ) + pam? ( virtual/pam ) kerberos? ( virtual/krb5 )" DEPEND="${RDEPEND} static? ( ${LIB_DEPEND} ) diff --git a/net-misc/openssh/openssh-7.9_p1-r4.ebuild b/net-misc/openssh/openssh-7.9_p1-r4.ebuild index 6f95e59ac4ba..de21ccc51cbe 100644 --- a/net-misc/openssh/openssh-7.9_p1-r4.ebuild +++ b/net-misc/openssh/openssh-7.9_p1-r4.ebuild @@ -33,7 +33,7 @@ SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz LICENSE="BSD GPL-2" SLOT="0" -KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" # Probably want to drop ssl defaulting to on in a future version. IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509" RESTRICT="!test? ( test )" @@ -69,7 +69,7 @@ LIB_DEPEND=" >=sys-libs/zlib-1.2.3:=[static-libs(+)]" RDEPEND=" !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) - pam? ( sys-libs/pam ) + pam? ( virtual/pam ) kerberos? ( virtual/krb5 )" DEPEND="${RDEPEND} static? ( ${LIB_DEPEND} ) diff --git a/net-misc/openssh/openssh-8.1_p1.ebuild b/net-misc/openssh/openssh-8.0_p1-r2.ebuild index b75fb6f1a88f..c0a1abeb3597 100644 --- a/net-misc/openssh/openssh-8.1_p1.ebuild +++ b/net-misc/openssh/openssh-8.0_p1-r2.ebuild @@ -1,9 +1,9 @@ # Copyright 1999-2019 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 -EAPI=7 +EAPI=6 -inherit user flag-o-matic multilib autotools pam systemd +inherit user eapi7-ver flag-o-matic multilib autotools pam systemd # Make it more portable between straight releases # and _p? releases. @@ -18,21 +18,21 @@ HPN_PATCHES=( ) SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz" -#X509_VER="12.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" +X509_VER="12.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" PATCH_SET="openssh-7.9p1-patches-1.0" DESCRIPTION="Port of OpenBSD's free SSH release" HOMEPAGE="https://www.openssh.com/" SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz - ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )} + ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~whissi/dist/openssh/${SCTP_PATCH} )} ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )} ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} " LICENSE="BSD GPL-2" SLOT="0" -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +KEYWORDS="alpha amd64 ~arm arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~riscv s390 ~sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" # Probably want to drop ssl defaulting to on in a future version. IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509 xmss" RESTRICT="!test? ( test )" @@ -68,7 +68,7 @@ LIB_DEPEND=" >=sys-libs/zlib-1.2.3:=[static-libs(+)]" RDEPEND=" !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) - pam? ( sys-libs/pam ) + pam? ( virtual/pam ) kerberos? ( virtual/krb5 )" DEPEND="${RDEPEND} static? ( ${LIB_DEPEND} ) @@ -101,9 +101,9 @@ pkg_pretend() { fi # Make sure people who are using tcp wrappers are notified of its removal. #531156 - if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then + if grep -qs '^ *sshd *:' "${EROOT%/}"/etc/hosts.{allow,deny} ; then ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" - ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please." + ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please." fi } @@ -116,21 +116,20 @@ src_prepare() { sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch - eapply "${FILESDIR}"/${PN}-8.1_p1-GSSAPI-dns.patch #165444 integrated into gsskex + eapply "${FILESDIR}"/${PN}-8.0_p1-GSSAPI-dns.patch #165444 integrated into gsskex eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch - eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch - eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch + use X509 || eapply "${FILESDIR}"/${PN}-8.0_p1-tests.patch [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches local PATCHSET_VERSION_MACROS=() if use X509 ; then - pushd "${WORKDIR}" &>/dev/null || die + pushd "${WORKDIR}" || die eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch" eapply "${FILESDIR}/${P}-X509-dont-make-piddir-"${X509_VER}".patch" - popd &>/dev/null || die + popd || die eapply "${WORKDIR}"/${X509_PATCH%.*} eapply "${FILESDIR}"/${P}-X509-$(ver_cut 1-2 ${X509_VER})-tests.patch @@ -169,8 +168,8 @@ src_prepare() { local hpn_patchdir="${T}/${P}-hpn${HPN_VER}" mkdir "${hpn_patchdir}" cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" - pushd "${hpn_patchdir}" &>/dev/null || die - eapply "${FILESDIR}"/${PN}-8.1_p1-hpn-glue.patch + pushd "${hpn_patchdir}" + eapply "${FILESDIR}"/${PN}-8.0_p1-hpn-glue.patch if use X509; then einfo "Will disable MT AES cipher due to incompatbility caused by X509 patch set" # X509 and AES-CTR-MT don't get along, let's just drop it @@ -178,7 +177,7 @@ src_prepare() { eapply "${FILESDIR}"/${PN}-8.0_p1-hpn-X509-glue.patch fi use sctp && eapply "${FILESDIR}"/${PN}-7.9_p1-hpn-sctp-glue.patch - popd &>/dev/null || die + popd eapply "${hpn_patchdir}" diff --git a/net-misc/openssh/openssh-8.0_p1-r4.ebuild b/net-misc/openssh/openssh-8.0_p1.ebuild index 5393ca2b81d5..c468c3f26f80 100644 --- a/net-misc/openssh/openssh-8.0_p1-r4.ebuild +++ b/net-misc/openssh/openssh-8.0_p1.ebuild @@ -3,7 +3,7 @@ EAPI=6 -inherit user eapi7-ver flag-o-matic multilib autotools pam systemd +inherit user flag-o-matic multilib autotools pam systemd # Make it more portable between straight releases # and _p? releases. @@ -18,7 +18,7 @@ HPN_PATCHES=( ) SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz" -X509_VER="12.1-gentoo" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" +X509_VER="12.0" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" PATCH_SET="openssh-7.9p1-patches-1.0" @@ -27,14 +27,14 @@ HOMEPAGE="https://www.openssh.com/" SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~whissi/dist/openssh/${SCTP_PATCH} )} ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )} - ${X509_PATCH:+X509? ( https://dev.gentoo.org/~whissi/dist/openssh/${X509_PATCH} )} + ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} " LICENSE="BSD GPL-2" SLOT="0" -KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 ~riscv s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" # Probably want to drop ssl defaulting to on in a future version. -IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509 xmss" +IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509" RESTRICT="!test? ( test )" REQUIRED_USE="ldns? ( ssl ) pie? ( !static ) @@ -68,7 +68,7 @@ LIB_DEPEND=" >=sys-libs/zlib-1.2.3:=[static-libs(+)]" RDEPEND=" !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) - pam? ( sys-libs/pam ) + pam? ( virtual/pam ) kerberos? ( virtual/krb5 )" DEPEND="${RDEPEND} static? ( ${LIB_DEPEND} ) @@ -119,25 +119,20 @@ src_prepare() { eapply "${FILESDIR}"/${PN}-8.0_p1-GSSAPI-dns.patch #165444 integrated into gsskex eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch - eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch - eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch - eapply "${FILESDIR}"/${PN}-8.0_p1-fix-integer-overflow-in-XMSS-private-key-parsing.patch - eapply "${FILESDIR}"/${PN}-8.0_p1-fix-an-unreachable-integer-overflow-similar-to-the-XMSS-case.patch - use X509 || eapply "${FILESDIR}"/${PN}-8.0_p1-tests.patch + eapply "${FILESDIR}"/${PN}-8.0_p1-tests.patch [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches local PATCHSET_VERSION_MACROS=() if use X509 ; then - # X509 12.1-gentoo patch contains the changes from below - #pushd "${WORKDIR}" &>/dev/null || die - #eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch" - #eapply "${FILESDIR}/${P}-X509-dont-make-piddir-"${X509_VER}".patch" - #popd &>/dev/null || die + pushd "${WORKDIR}" || die + eapply "${FILESDIR}/${P}-X509-glue-${X509_VER}.patch" + eapply "${FILESDIR}/${P}-X509-dont-make-piddir-${X509_VER}.patch" + popd || die eapply "${WORKDIR}"/${X509_PATCH%.*} - eapply "${FILESDIR}"/${P}-X509-$(ver_cut 1-2 ${X509_VER})-tests.patch + eapply "${FILESDIR}"/${P}-X509-${X509_VER}-tests.patch # We need to patch package version or any X.509 sshd will reject our ssh client # with "userauth_pubkey: could not parse key: string is too large [preauth]" @@ -173,7 +168,7 @@ src_prepare() { local hpn_patchdir="${T}/${P}-hpn${HPN_VER}" mkdir "${hpn_patchdir}" cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" - pushd "${hpn_patchdir}" &>/dev/null || die + pushd "${hpn_patchdir}" eapply "${FILESDIR}"/${PN}-8.0_p1-hpn-glue.patch if use X509; then einfo "Will disable MT AES cipher due to incompatbility caused by X509 patch set" @@ -182,7 +177,7 @@ src_prepare() { eapply "${FILESDIR}"/${PN}-8.0_p1-hpn-X509-glue.patch fi use sctp && eapply "${FILESDIR}"/${PN}-7.9_p1-hpn-sctp-glue.patch - popd &>/dev/null || die + popd eapply "${hpn_patchdir}" @@ -272,7 +267,6 @@ src_configure() { use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG use static && append-ldflags -static - use xmss && append-cflags -DWITH_XMSS local myconf=( --with-ldflags="${LDFLAGS}" |