diff options
| author | V3n3RiX <venerix@redcorelinux.org> | 2020-04-25 11:37:10 +0100 |
|---|---|---|
| committer | V3n3RiX <venerix@redcorelinux.org> | 2020-04-25 11:37:10 +0100 |
| commit | 38423c67c8a23f6a1bc42038193182e2da3116eb (patch) | |
| tree | 04e2cf4bd43601b77daa79fe654e409187093c5e /net-misc/openssh | |
| parent | 623ee73d661e5ed8475cb264511f683407d87365 (diff) | |
gentoo resync : 25.04.2020
Diffstat (limited to 'net-misc/openssh')
33 files changed, 24 insertions, 4231 deletions
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest index 77a187243ea2..e680446d5867 100644 --- a/net-misc/openssh/Manifest +++ b/net-misc/openssh/Manifest @@ -1,35 +1,10 @@ AUX openssh-6.7_p1-openssl-ignore-status.patch 765 BLAKE2B 6ddc498cef115a38054eb8f1fddac34048b94592e54f8e31dc11717fe872f3d66a7e6877d2449102fbe18a0ee2a35732991abe946b1fe10abfa48bbec6871b26 SHA512 ab15d6dfdb8d59946684501f6f30ac0eb82676855b7b57f19f2027a7ada072f9062fcb96911111a50cfc3838492faddd282db381ec83d22462644ccddccf0ae7 -AUX openssh-7.3-mips-seccomp-n32.patch 634 BLAKE2B 12e931e6c2364d4cdd3f0d9ef8cf72665b65fedc7e8211a75250abe1bf359460afdf9707fdd7f9be8b8f8fd8fe40fdaddcd842da741c4b63fef94c364738cd26 SHA512 eba3e843d3714501a1df3161d02134c54c8ce584db3af698b87d303fc17c16635bd06db4d7c2d9bb47f461c3b211d870b480fd927f4563207e11c9ed2c446770 -AUX openssh-7.5_p1-CVE-2017-15906.patch 1180 BLAKE2B 37fca347fc1fa969f410d514a76b3d7133914aa14c7ef577e6eb0b2f96b936313b20635c6cc23b5e91e3643e26c899e992b82769a5df6568d058eb4f7a43fab8 SHA512 dfba25e9962e4398688d5e6f9311de44931ea5292d7d50c69d8056838ceb41ce099c44f849c204f7b421515c3aa40bde6e9b98b80b9e99aa113c222841daecd4 -AUX openssh-7.5_p1-GSSAPI-dns.patch 11137 BLAKE2B a54ed4d6f81632ae03523b7b61f750402d178d3213ec310bc0e57c0705ed67607a89a786d429599395722eaf40b2fb591c5b8de87ffc4f1dd7f6713b543c31c2 SHA512 f84e1d3fdda7a534d9351884caaefc136be7599e735200f0393db0acad03a57abe6585f9402018b50e3454e6842c3281d630120d479ff819f591c4693252dd0e -AUX openssh-7.5_p1-cross-cache.patch 1220 BLAKE2B 7176b86024b072ff601421143f8567e4e47de3d89b1d865bc92405da75bf7c64fa50b9f746d9c494dbf64bc09e04afc1960f673e68ea1d072a5381027afea63d SHA512 03cf3b5556fcf43c7053d1550c8aa35189759a0a2274a67427b28176ba7938b8d0019992de25fb614dc556c5f45a67649bb5d2d82889ac2c37edd986fc632550 AUX openssh-7.5_p1-disable-conch-interop-tests.patch 554 BLAKE2B f5f45c000ec26c1f783669c3447ea3c80c5c0f9b971b86ca1e79e99e906a90a519abb6b14db462f5766572e9759180719ea44f048ef5aa8efc37efb61d2b6ef7 SHA512 f35b15f1e8d0eb276d748ee14c71004c6599ddb124c33e2f84623bc9eb02bb4fd4680d25d0ba0289d6a723a526c95c9a56b30496bdaa565bae853bf3d1bab61f -AUX openssh-7.5_p1-hpn-x509-10.2-glue.patch 2847 BLAKE2B 8a6151ab121871e4f2d93ace0e07dce1106c6841031cacfb197e00cc76fc1d0cf153aae52757dcf98a5fb89971125493d0572bd4964d0e59cb3f391fd1256aef SHA512 bc23fdf5995ae38ff166f12f64082f79a2135ca28f2240e89bee42b1e3ba39ce94467ece9ddea99173f1829b09b069dbf56a0bce7dfd1ae5f63c12f73b5ffba7 -AUX openssh-7.5_p1-s390-seccomp.patch 624 BLAKE2B 0bf595d72cd65993dde4e5aae0a3e091bb48021ef8affa84c988d55d9fe6a823b0329b6d9707c88e1556d45c304b6630ade7008f63fd649975594a75f570bb33 SHA512 058dc269eb032151e88e0ac79a0b0fd6fcd56d489e90e299ee431b1475a8f8080e8f4649244864af33e743820b081c9f90b32a1a93b8b60feeb491c0201a4d61 -AUX openssh-7.5_p1-x32-typo.patch 772 BLAKE2B 3f27d669ee76e191f2f6f7c7d86b1d9cb7297cecf17b2d88d86ef498c9ca35231adb0edc9fb811698ec86fd65527cc3fe9f2ce514836aebe5dc27bca2a3a55dc SHA512 20d19301873d4b8e908527f462f40c2f4a513d0bb89d4c7b885f9fc7eb5d483eea544eb108d87ff6aaa3d988d360c2029910c18f7125c96e8367485553f59a5e -AUX openssh-7.7_p1-GSSAPI-dns.patch 11342 BLAKE2B e648273cdd04bcd46b25a2ae2b4ffdfff455c7ab04f6c56cb5ad91859231c267211564f6b2785d9fad1b78c4fe0a095302c7acf732357efdb2273ebab9ceebab SHA512 bbfe702786636006dfe4560d8245d9007f9a94768a2df17a3ca3ead7bd1351edd2960f993e322b96828a0054ad55f71fcb77793a05ba2e52d8d9286431cc538a -AUX openssh-7.8_p1-GSSAPI-dns.patch 11683 BLAKE2B 156499d327bc9236de7f22d333cfc5da608af38a97de701b7392ca831d2e54f4c313c385acc04fba9dca93e0f2497a0da1538ff7c1ab698353c173da0820c5ef SHA512 5e461fed07d62a13a85a7c8b7902dfe77f7e6bf1c6276c6877142a3acbe79650ebc019dd727183b1e9c781a4c3de22f9c36052a9aa5da5fb39fb4e252b8925af -AUX openssh-7.9_p1-CVE-2018-20685.patch 478 BLAKE2B 35d01914905289fa1ed2a8ee94c3d631a648fc3a6f5ee4963009a67b5e3d9b865cf0c66696858cb114ba02e1578b44203a0db0a0499e3864a5e7c854e715cb10 SHA512 044926de8e0b26ca5444ab2db4ae454cd66b98c85dbdcff384eb1e6ae900498d6591ff91954e6b9cb6b8efc56f415aa66c30b51699e9236279ba47dc6bf88e55 -AUX openssh-7.9_p1-X509-11.6-tests.patch 531 BLAKE2B cfb14747ed4e39d11d7727b779753ddf5f7e94be56d1dbe0a76131d8434dd4453c253467ec1eb7cac49a50f5a3f81c82b804926f46dc79ed09c252397ac9d349 SHA512 7f1322a94aa79c822a8bede36a92fe48dc6b9bf7ceca3068450877b543a1d186031060d642c7d689c02e06ef3e038eae9739deda53c6401439ed20808e82ff10 -AUX openssh-7.9_p1-X509-dont-make-piddir-11.6.patch 812 BLAKE2B e09cdf2c2d3cd0ae05ce7938542d8ebaccacd7b40920259798592e89b3b2a0425a207eee6dd71024b20e3f1220a4ecf65e9f35adc624ad9d5f2fa29b5b796860 SHA512 55612fc54a29ed1e0ea7c6e5332f217efb0b415ab4e04cb48f693bc8c48d8aaed0c962f111f939097fc990110ce506f187fe09827871ec0cee320c463523f7de -AUX openssh-7.9_p1-X509-glue-11.6.patch 1240 BLAKE2B a6c7f7971ddb9b10af1160a7306ed683da72e9bcc3809b1ac28071b67ef96da942dede47b161e9d88c8d3e8bac213425e4fc9b35703455378b11a9465b3dcc8d SHA512 0f4195740c871aec8d806a56911fda37c6ff87c13de094305faf95da718afcdd015672db798d1cb67d3493755fa186758b75a6c0d819188884c92915a7c16bc4 -AUX openssh-7.9_p1-hpn-X509-glue.patch 2786 BLAKE2B ef0651dc65ea1ab22c17e6ba0efe34141bc3af4dafcdbfba5c7fd80107a31fbc7c2671670c57153918bd626f4172e7e16ba22b4f36d67ced1b6e9d7b03c9dbaa SHA512 a205809bded3ac0aba1aec0f27ddc3948414fc3354cf8ec2945fc91effb9a0617ef259475347164c2f7b95de280704be1646725dae183c070efd104c4c515510 -AUX openssh-7.9_p1-hpn-glue.patch 3644 BLAKE2B eed002fc87362fa8bf3a86681fdaf8153137b7a9de7ba4f6fe47dbb39031f61773e9546f226f8035ce4391dce62a1487ba1450cd92e02e4d74fc0875ef2ca603 SHA512 f6410be5632e4f04f6ba4517afe279640ddc7050750f036fb3e57ab4318e59b86dc44a983deacd6b6f88c4cd0f78dae523f9dded424dce3600a3b1d7a0964435 -AUX openssh-7.9_p1-hpn-openssl-1.1.patch 3160 BLAKE2B fdf063bfd7855879a3cc8765d841f743cd07f3f3c96ecfeb219243680e46deec0d5ebe14f4f2b417cfce4f681b6baf493ee04d86aec74c61777b0485681406e1 SHA512 775d06a5b22cd306f884602dcc22533fe55f083f39ffeed252e7e33d44c52910f0fbe7705ef260d09503d3c26cf7b76b5fa3b0c7f1b263150e945f2ca6050b2d -AUX openssh-7.9_p1-hpn-sctp-glue.patch 597 BLAKE2B d7ac82653c48467ebdc59e1444eead84d3de8cdd93acda6361cedd0cc1e2969e52610c10075463ade71e4c1bb1fcb243bd34d11d6c21cd4c500b6743dc628770 SHA512 4742112e3d0e7463d9194a5ab068d3b6cae6bc4a9b5755599d49a13db514014c7d406c16c7ff59197917b5c152b2a54d15323d88de942215fced4c628cacf2c0 AUX openssh-7.9_p1-include-stdlib.patch 914 BLAKE2B 9c7eb79f87ecd657a80821dfa979d8b0cc12a08d385ec085724f20aa6f5332593ffc7481bb9f816e91df3eb4d75d8f7b66383ff473d271270de128c3b2bf92e5 SHA512 7dade73bdafb0da484cbd396b4a644442f8ea12fef54c07e6308ae2e73a587fa4ddf401e8a0c467469b46fe7f00585e047462545182924c157b4d3894c707a70 -AUX openssh-7.9_p1-openssl-1.0.2-compat.patch 514 BLAKE2B e3859c2bed0e4116e558e7ea8c4679a8666316c26a650acd93ea023444bf69fafad6eba47a6faef7c017d812da76fe93a291e51c427ddecc1fe89bd362758403 SHA512 dde28496df7ee74a2bbcf0aba389abefade3dc41f7d10dc6d3c1a0aca087478bafe10d31ec5e61e758084fa0a2a7c64314502091d900d9cee487c1bdc92722a6 -AUX openssh-8.0_p1-GSSAPI-dns.patch 11634 BLAKE2B 80c304f2a8df328b77a4531bc499bbc83c378007bfd01412a3c879d8a45aa26a68d3fb2b9469f037ec37e5d54fa22aa87c5f963329fb67a16690dcb30407eec9 SHA512 075e0734a15f593a641e3fbc49c7502dc75722501ce6762f0df7a5b5fafb3cceaff05ad9e0bdcb3636b4bb20cf6e680cc20e8d242b6de9b7cec972ba12118ecd -AUX openssh-8.0_p1-X509-12.1-tests.patch 405 BLAKE2B 1a1c29fea98c4ce277c943709576b5130a573e9786a33c957229d74d0e572ca6e5d0dce68b5b515b5c3f44862f1f4dafe2dad1cd3d3710ca415137f8a4013b86 SHA512 0e80b79d3aa8b7e89cf250b31e6bbc2471990b9a2c0ab8b54e6af4c3de77adff3dc6db83f4f14524f830455b5ce4d586f630d33b4ac4b134d1028e325ab351b3 AUX openssh-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch 977 BLAKE2B b2e28683176c4678f51a9a0be3e29496620ac795c7de4649fb3cc0bd076682e42bc1c606b17a76e140f51319e4c4a1cc890c3a37c4bc3cf9222a88e31b8a773f SHA512 8c2567ae16dccc73e302ba90c1bb03e19d4afc3892dd8e1636d7c8853932662eccbda3957e4db55a21bd37d2e65abe74b0b2c1efb74e31751335eb523759d945 -AUX openssh-8.0_p1-fix-an-unreachable-integer-overflow-similar-to-the-XMSS-case.patch 2696 BLAKE2B 86bac20233102c5beefb3a79e2da8c5421d47d1c175e9e602f14c127e1bf7ec67e193620461ebd7a835bae556dbf9db904c3f63bbd3283a04dac444f34a3eab8 SHA512 f951cdc664088a124754fe963bb6abc659264183a3c773d61243bb12ca87f7554422d9acabb86c6390fe0e088fee60cc3129ad85e336ebf84f5c126d61d1fa3f -AUX openssh-8.0_p1-fix-integer-overflow-in-XMSS-private-key-parsing.patch 506 BLAKE2B d4e88cc9553c6e2708447edd3ceeeea4f6c967893f34cad6c5fc980ee46895b64b58c5b8d271b7363e7144d34e05fd1e9519e01a9bb05d7c2cc5a9613b2b096c SHA512 cae5a9f5c46a2c70be4284bc050b69dab347181397a9e34c0c2ee5a470992070a2b8359ade42ce6840b5ff6311d3b0026bf6d548e944662c481a74456737a095 AUX openssh-8.0_p1-fix-putty-tests.patch 1760 BLAKE2B a1127e8f2275c1e23c956b5041dbc84dbdb2cd6b788fc69bfc1f6b030afe86a827483602ce76577b4101ee2e790b1cfa8c1d2db09da59b89fe7df8083bf4695f SHA512 f544d818bdde628131f1819bf2ffb4007802ee5bf12c5cd5bd398efe0f0f430ed6b3efa7969cb2c4fa49a2bbd773d8fa09f4c927cf998a564b7611443437c310 AUX openssh-8.0_p1-hpn-14.20-X509-glue.patch 4063 BLAKE2B 30a9b4df889a2ae46b7b0a4f5ab963b9258ed918756e4b05f465af2664b5ec9d149ab496b05ee2a221ffc28c84ce26ff6c3e0bb8da4c59338616c992e1412fb0 SHA512 ed2102af78a4f10dc7ae56edeb3dd94690ba4df5803ec7d68fff76226f54eca5c023d6d87735ed7f33131a0fd0c382a5503d767e91e812bfc1f5f590cf213f34 -AUX openssh-8.0_p1-hpn-X509-glue.patch 3814 BLAKE2B 9a0071d13bb602f9b0660dd74d0ae59611a0d8b8c13fab7def2ea840d1ea42bb4c0999ef44e86db2e8246c6e803797a70f9b18016da491598991052854659c03 SHA512 a986c012aa58a4764d3c4c4a5bf5d1e69edb156adf18d7e9ccae0508879da8b3e92a884d6dcfa80ec5b02d41e7784d8eb500128925ae5cee0ca948cf6bf50ba2 -AUX openssh-8.0_p1-hpn-glue.patch 7029 BLAKE2B cf6fb2c59b768aecf846f0d037ae6d48f750e742f93cdd00a62caf04dfafd993e05921f5d227014e9437d3cdfff4e1b9baa832997904bf398ba06e8f874f7ceb SHA512 63eb0b12763ab53946a9f6b9db44c428d9da8b781a6e1d3f5c4b0edfca85d986cf932461205cee84f9a9db7725c9e05eb1d366b357c787a95c561bdc6514d3d7 AUX openssh-8.0_p1-hpn-version.patch 590 BLAKE2B 1ff20ab17e7e1a20f7a96ded56ff7c059fd509d7773d9abaeac83743102385d9713284c630dc932d40672a9bfc8a894b57c6b073e93a7b024de7490ea54a589c SHA512 37250881f17a44e4a4b0ac164d06961e0731528847d5cbbb263e3f9a286a192c8dae92250b85db3f2e1f280a464c7b3bfc8a7c9e85552375c013e16a6fcf28ed -AUX openssh-8.0_p1-tests.patch 1493 BLAKE2B 2e28d9f27d6d9f7e1716cf5f85bbb92af96faf8842e0047d79262a36f5273cd9252bfc576a22e4fc5523942eb7dea80d968045fea317e523d430373c59160ed0 SHA512 1f191076d3199b33e4cfa66e901d086dba32d7ee620c6dfa3bdaa7c9cba8e98d36b7f27d2f2dca7eb8d2549da37dd4b3638e392d8dbd9c36cb4a9ba09a45043f AUX openssh-8.1_p1-GSSAPI-dns.patch 11639 BLAKE2B 2bc9e618c0acbf6b85496a33055894471235d01f20b76c9b75302dce58c7d6033984c8471789d2f8095d6231f5f271a4eb2f6099936b1631ec261464bc7a3ada SHA512 722a769da482876f0629e110109f02065e47848ff79395e9e64de39ae066d8c5a207f849c59d95b72e70b874f4bedf4e52a2f7ad1752d9c84b99ccdbfa19c73d AUX openssh-8.1_p1-X509-12.3-tests.patch 405 BLAKE2B 1a1c29fea98c4ce277c943709576b5130a573e9786a33c957229d74d0e572ca6e5d0dce68b5b515b5c3f44862f1f4dafe2dad1cd3d3710ca415137f8a4013b86 SHA512 0e80b79d3aa8b7e89cf250b31e6bbc2471990b9a2c0ab8b54e6af4c3de77adff3dc6db83f4f14524f830455b5ce4d586f630d33b4ac4b134d1028e325ab351b3 AUX openssh-8.1_p1-X509-glue-12.3.patch 1613 BLAKE2B aef1de72da18a2af0fae1793eed5baa1be2af9f26a522e6772f43f1053d263f154db76cf0ebe3ddebbfd9798ffb334100ce5eb3894ad3095b1cd48d1ef5b9839 SHA512 e533175bcabd1ddbb50c6cc605cba0190d2cde24149d5451a807cdc05847fa95a2b72188bc23866876e8ec88073df8039e0e85e703560e90f53a92df6f616572 @@ -44,6 +19,7 @@ AUX openssh-8.2_p1-X509-glue-12.4.2.patch 5118 BLAKE2B 6adb167f27a926ac591c023e0 AUX openssh-8.2_p1-X509-glue-12.4.3.patch 5024 BLAKE2B 96568de2316e50d8390654aecbec7751eb9eb333b30fb30700161c626f93e97c5fb244d96baf32fa12d31760efdb10c80012f872412e90837f8b294082d7b087 SHA512 85c635ed067ec3c829fe4caee6bfe84e0f986f0513d744476e637c1af16af910604b879e6894300be1ce8a6a6e397149329e8fe09246e3654dcdef1ff44da4ed AUX openssh-8.2_p1-hpn-14.20-X509-glue.patch 4881 BLAKE2B 899065ef3b781e7e67ea630ff26ac8c3975073e9ef5b0cc345c6cee9fb2e45d2ff549b716a76211c88efb1e540ed7d79c4467e0342cfbea64fef8e6cafddac85 SHA512 d37d4fd8614bed8b1592697b911a04e2ca7d14d24e9c315a6695b4c88cdb5b4ae980e8cb68040fe54b4587675ebb3ac5694ea0d09093f8451aa65e427b6a5d95 AUX openssh-8.2_p1-hpn-14.20-glue.patch 5294 BLAKE2B 6a778eab95e05d371fd92a02f96b926cec5c6ff90dea36065b4857ddf243b5f95bb25aa339fddb1c662b628f26d0c11858d1ca0badece0a7268d6a51e99a09be SHA512 50289c60df01a59f134a0b283ec21d6a06beccdb68de67a46b4e0e9a9bc47855b0e4dbed47300c2f042f2eb9f63e4d6d0683f3092ee358a82e9d6337a3b173fe +AUX openssh-8.2_p1-hpn-14.20-libressl.patch 755 BLAKE2B 55a8082d3dda7e94bdfe772001487e897625a074d23d2041aea660c41e7aa2de1d14ba1a0e7146181d8159293ec896c133205a55d722f49e9a03e5bf99ba7473 SHA512 ce2038f57017375d02cb55ec6c65e6c5276c161c20a5987178003d57282fa44268ac3abe1acd2d1342ba00d125bb50945ca483c7ebd5de6feeac5f8c6f3f0e1e AUX openssh-8.2_p1-hpn-14.20-sctp-glue.patch 755 BLAKE2B 091a7cf60907c142d28b7f20a9fe4e1db8f2ce7f268ea4e0f206de89ea4ce560e82c2e91a9281a664868628426ad8c262667b7e6ad4e35247422937b98034855 SHA512 cff282e6a35a109794fca25b724b8e5024e7ded07b5dd3646489f384bdd5a42726d7cf9f814b8ebc20caed02a1a70d80e0396626bdfc13302096e15c11433dde AUX sshd-r1.confd 774 BLAKE2B df3f3f28cb4d35b49851399b52408c42e242ae3168ff3fc79add211903567da370cfe86a267932ca9cf13c3afbc38a8f1b53e753a31670ee61bf8ba8747832f8 SHA512 3a69752592126024319a95f1c1747af508fd639c86eca472106c5d6c23d5eeaa441ca74740d4b1aafaa0db759d38879e3c1cee742b08d6166ebc58cddac1e2fe AUX sshd-r1.initd 2675 BLAKE2B 47e87cec2d15b90aae362ce0c8e8ba08dada9ebc244e28be1fe67d24deb00675d3d9b8fef40def8a9224a3e2d15ab717574a3d837e099133c1cf013079588b55 SHA512 257d6437162b76c4a3a648ecc5d4739ca7eaa60b192fde91422c6c05d0de6adfa9635adc24d57dc3da6beb92b1b354ffe8fddad3db453efb610195d5509a4e27 @@ -54,24 +30,6 @@ AUX sshd.rc6.4 2108 BLAKE2B 55b66dddb45aadccde794667195f716f84c521576d886a3acc56 AUX sshd.service 242 BLAKE2B e77eb1e0adad0641b60a59d243e911e0a6286a87acda25f3e478582068d8a7a2a12ec88e14bf2c01c7f4c2025ce2d2ce1b1273a93c096bc96da47a69878a823e SHA512 77f50c85a2c944995a39819916eb860cfdc1aff90986e93282e669a0de73c287ecb92d550fd118cfcc8ab538eab677e0d103b23cd959b7e8d9801bc37250c39c AUX sshd.socket 136 BLAKE2B 22e218c831fc384a3151ef97c391253738fa9002e20cf4628c6fe3d52d4b0ac3b957da58f816950669d0a6f8f2786251c6dfc31bbb863f837a3f52631341dc2e SHA512 4d31d373b7bdae917dc0cf05418c71d4743e98e354aefcf055f88f55c9c644a5a0e0e605dbb8372c1b98d17c0ea1c8c0fee27d38ab8dbe23c7e420a6a78c6d42 AUX sshd_at.service 176 BLAKE2B 316c2de6af05e97ad2271dfda9fc3276b5c049aa1e56ea7c4acc20d5dd6f4444b0ed3122db90959dc8c009e36f59dbe8e8b969f21eaca98c513ac46b4f80f46e SHA512 662a9c2668902633e6dbcb9435ac35bec3e224afdb2ab6a1df908618536ae9fc1958ba1d611e146c01fddb0c8f41eefdc26de78f45b7f165b1d6b2ee2f23be2a -DIST openssh-7.4_p1-sctp.patch.xz 8220 BLAKE2B 2d571cacaab342b7950b42ec826bd896edf78780e9ee73fcd441cbc9764eb59e408e295062862db986918824d10498383bf34ae7c93df0da2c056eaec4d2c031 SHA512 0c199e3b26949482125aeaa88216b2458292589e3eac8908d9134d13a1cae891094fcb0f752ed3009b3126cc72277b460205f39140c251792eb1b545271c3bd4 -DIST openssh-7.5p1+x509-10.2.diff.gz 467040 BLAKE2B 4048b0f016bf7d43276f88117fc266d1a450d298563bfc6ce705ec2829b8f9d91af5c5232941d55004b5aea2d3e0fb682a9d4acd9510c9761ba7ede2f2f0e37f SHA512 ec760d38771749d09afc8d720120ea2aa065c1c7983898b45dba74a4411f7e61e7705da226864e1e8e62e2261eecc3a4ab654b528c71512a07798824d9fb1a9a -DIST openssh-7.5p1-hpnssh14v12.tar.xz 23068 BLAKE2B 15702338877e50c2143b33b93bfc87d0aa0fa55915db1f0cab9c22e55f8aa0c6eeb5a56f438d849544d1650bdc574384b851292d621b79f673b78bc37617aa0b SHA512 45c42090a212b9ce898fbaa8284ddf0f0d17236af13c4a780e00bf265b0c7a4286027e90a7ce9ad70066309db722709dd2f0a7914f57e5364ffbaf7c4859cdf9 -DIST openssh-7.5p1.tar.gz 1510857 BLAKE2B 505764a210018136456c0f5dd40ad9f1383551c3ae037593d4296305df189e0a6f1383adc89b1970d58b8dcfff391878b7a29b848cc244a99705a164bec5d734 SHA512 58c542e8a110fb4316a68db94abb663fa1c810becd0638d45281df8aeca62c1f705090437a80e788e6c29121769b72a505feced537d3118c933fde01b5285c81 -DIST openssh-7.7p1-hpnssh14v15-gentoo2.patch.xz 22060 BLAKE2B 9ee654f689d4b90bd0fe4f71d57b4a8d9d957012be3a23ff2baa6c45ae99e2f1e4daf5de24479a6a3eb761ee6847deb3c6c3021d4cbabc9089f605d8d7270efc SHA512 856d28ac89c14d01c40c7d7e93cfaebd74b091188b5b469550eb62aa5445177aec1a5f47c1e2f7173013712e98e5f9f5e46bbb3dbd4ec7c5ee8256ef45cda0f8 -DIST openssh-7.7p1-patches-1.2.tar.xz 17584 BLAKE2B 192ec01906c911197abec4606cdf136cf26ac4ab4c405267cd98bafaea409d9d596b2b985eaeda6a1425d587d63b6f403b988f280aff989357586bf232d27712 SHA512 e646ec3674b5ef38abe823406d33c8a47c5f63fa962c41386709a7ad7115d968b70fbcf7a8f3efc67a3e80e0194e8e22a01c2342c830f99970fe02532cdee51b -DIST openssh-7.7p1-sctp-1.1.patch.xz 7548 BLAKE2B 3b960c2377351955007005de560c2a3e8d0d059a0435e5beda14c63e444dad8b4357edaccd1cfe446c6268514f152b2bcfa7fa3612f1ae1324a31fecb0e85ac5 SHA512 093605865262a2b972db8c92990a49ed6178ed4567fb2626518c826c8472553d9be99a9e6052a6f5e545d81867b4118e9fd8a2c0c26a2739f1720b0f13282cba -DIST openssh-7.7p1-x509-11.3.1.patch.xz 362672 BLAKE2B 55b8b0ef00dc4d962a0db1115406b7b1e84110870c74198e9e4cb081b2ffde8daca67cb281c69d73b4c5cbffde361429d62634be194b57e888a0b434a0f42a37 SHA512 f84744f6d2e5a15017bce37bfa65ebb47dbafeac07ea9aab46bdc780b4062ff70687512d9d512cab81e3b9c701adb6ce17c5474f35cb4b49f57db2e2d45ac9ac -DIST openssh-7.7p1.tar.gz 1536900 BLAKE2B 7aee360f2cea5bfa3f8426fcbd66fde2568f05f9c8e623326b60f03b7c5f8abf223e178aa1d5958015b51627565bf5b1ace35b57f309638c908f5a7bf5500d21 SHA512 597252cb48209a0cb98ca1928a67e8d63e4275252f25bc37269204c108f034baade6ba0634e32ae63422fddd280f73096a6b31ad2f2e7a848dde75ca30e14261 -DIST openssh-7.9p1+x509-11.6.diff.gz 655819 BLAKE2B f442bb993f89782b74b0cd28906c91edfcf5b1d42a4c8135a5ccf5045e7eb000eb7aa301685b748f707506ba20e3b842d684db436872ed82b6d9b9c086879515 SHA512 0ff6ed2822aaa43cf352134b90975fb663662c5ea3d73b690601f24342ea207aecda8cdb9c1bdc3e3656fb059d842dfb3bf22646b626c303240808286103d8bc -DIST openssh-7.9p1-patches-1.0.tar.xz 9080 BLAKE2B c14106a875b6ea0672a03f6cb292386daba96da23fed4ebd04a75f712e252bc88a25116b0b3b27446421aadf112451cb3b8a96d2f7d437e6728fe782190bc69e SHA512 7903cdb4ce5be0f1b1b741788fb372e68b0c9c1d6da0d854d8bc62e4743ad7cd13101b867b541828d3786b0857783377457e5e87ba9b63bfd9afcdbfd93ac103 -DIST openssh-7.9p1-sctp-1.2.patch.xz 7360 BLAKE2B 60e209371ecac24d0b60e48459d4d4044c0f364a2eea748cc4edd1501faec69a3c5b9e0b7db336968399ec684b6c8aceeac9196ba1ecf563ae3d660682cbc9a0 SHA512 d4d37a49cd43a3b9b7b173b0935267b84133b9b0954b7f71714ba781a6129c6d424f8b7a528dd7d4f287784c5517d57b1d6d7c6df8b5d738e34eb6dc7eae7191 -DIST openssh-7.9p1.tar.gz 1565384 BLAKE2B de15795e03d33d4f9fe4792f6b14500123230b6c00c1e5bd7207bb6d6bf6df0b2e057c1b1de0fee709f58dd159203fdd69fe1473118a6baedebaa0c1c4c55b59 SHA512 0412c9c429c9287f0794023951469c8e6ec833cdb55821bfa0300dd90d0879ff60484f620cffd93372641ab69bf0b032c2d700ccc680950892725fb631b7708e -DIST openssh-7_8_P1-hpn-AES-CTR-14.16.diff 29231 BLAKE2B e25877c5e22f674e6db5a0bc107e5daa2509fe762fb14ce7bb2ce9a115e8177a93340c1d19247b6c2c854b7e1f9ae9af9fd932e5fa9c0a6b2ba438cd11a42991 SHA512 1867fb94c29a51294a71a3ec6a299757565a7cda5696118b0b346ed9c78f2c81bb1b888cff5e3418776b2fa277a8f070c5eb9327bb005453e2ffd72d35cdafa7 -DIST openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 43356 BLAKE2B 776fa140d64a16c339b46a7c773258d2f4fe44e48b16abccad1a8757a51cb6362722fc5f42c39159af12849f5c88cf574de64815085c97157e16653f18d4909b SHA512 53f2752b7aa02719c8dfe0fe0ef16e874101ba2ba87924aa1122cd445ece218ca09c22abaa3377307f25d459579bc28d3854e2402c71b794db65d58cdd1ebc08 -DIST openssh-8.0p1+x509-12.1-gentoo.diff.gz 680853 BLAKE2B b24ee61d6328bf2de8384d6ecbfc5ae0be4719a3c7a2d714be3a144d327bba5038e7e36ffcc313af2a8a94960ce1f56387654d2d21920af51826af61957aa4cc SHA512 178728139473b277fe50a03f37be50b3f8e539cea8f5937ddfe710082944e799d845cdb5994f585c13564c4a89b80ccf75e87753102aebacdb4c590f0b8a1482 -DIST openssh-8.0p1-sctp-1.2.patch.xz 7348 BLAKE2B bc3d3815f1ef5dbab605b93182a00c2fec258f49d56684defb6564d2b60886429c615a7ab076cc071a590f9df0908b1862ceb0961b7e6f6d1090237fec9035d3 SHA512 2f9f774286db75d0240e6fb01655a8a193fb2a5dc4596ad68ed22d64f97c9c46dad61a06478f2e972fd37cbad4d9aca5829bb91097cc56638601ff94a972b24f -DIST openssh-8.0p1.tar.gz 1597697 BLAKE2B 5ba79872eabb3b3964d95a8cdd690bfe0323f018d7f944d4e1acb52576c9f6d7a1ddac15e88dc42eac6ecbfabfad1c228e303a2262588769e307c38107a4cd54 SHA512 e280fa2d56f550efd37c5d2477670326261aa8b94d991f9eb17aad90e0c6c9c939efa90fe87d33260d0f709485cb05c379f0fd1bd44fc0d5190298b6398c9982 DIST openssh-8.1_p1-glibc-2.31-patches.tar.xz 1752 BLAKE2B ccab53069c0058be7ba787281f5a1775d169a9dcda6f78742eb8cb3cce4ebe3a4c506c75a8ac142700669cf04b7475e35f6a06a4499d3d076e4e88e4fc59f3e6 SHA512 270d532fc7f4ec10c5ee56677f8280dec47a96e73f8032713b212cfad64a58ef142a7f49b7981dca80cbf0dd99753ef7a93b6af164cad9492fa224d546c27f14 DIST openssh-8.1p1+x509-12.3.diff.gz 689934 BLAKE2B 57a302a25bec1d630b9c36f74ab490e11c97f9bcbaf8f527e46ae7fd5bade19feb3d8853079870b5c08b70a55e289cf4bf7981c11983973fa588841aeb21e650 SHA512 8d7c321423940f5a78a51a25ad5373f5db17a4a8ca7e85041e503998e0823ad22068bc652e907e9f5787858d45ce438a4bba18240fa72e088eb10b903e96b192 DIST openssh-8.1p1-sctp-1.2.patch.xz 7672 BLAKE2B f1aa0713fcb114d8774bd8d524d106401a9d7c2c73a05fbde200ccbdd2562b3636ddd2d0bc3eae9f04b4d7c729c3dafd814ae8c530a76c4a0190fae71d1edcd2 SHA512 2bffab0bbae5a4c1875e0cc229bfd83d8565bd831309158cd489d8b877556c69b936243888a181bd9ff302e19f2c174156781574294d260b6384c464d003d566 @@ -83,12 +41,7 @@ DIST openssh-8.2p1.tar.gz 1701197 BLAKE2B 8b95cdebc87e8d14f655ed13c12b91b122adf4 DIST openssh-8_1_P1-hpn-AES-CTR-14.20.diff 29935 BLAKE2B 79101c43601e41306c957481c0680a63357d93bededdf12a32229d50acd9c1f46a386cbb91282e9e7d7bb26a9f276f5a675fd2de7662b7cbd073322b172d3bca SHA512 94f011b7e654630e968a378375aa54fa1fde087b4426d0f2225813262e6667a1073814d6a83e9005f97b371c536e462e614bfe726b092ffed8229791592ca221 DIST openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 42696 BLAKE2B d8ac7fa1a4e4d1877acdedeaee80172da469b5a62d0aaa43d6ed46c578e7893577b9d563835d89ca2044867fc561ad3f562bf504c025cf4c78421cf3d24397e9 SHA512 768db7cca8839df4441afcb08457d13d32625b31859da527c3d7f1a92d17a4ec81d6987db00879c394bbe59589e57b10bfd98899a167ffed65ab367b1fd08739 DIST openssh-8_1_P1-hpn-PeakTput-14.20.diff 2012 BLAKE2B e42c43128f1d82b4de1517e6a9219947da03cecb607f1bc45f0728547f17601a6ce2ec819b6434890efd19ceaf4d20cb98183596ab5ee79e104a52cda7db9cdc SHA512 238f9419efd3be80bd700f6ae7e210e522d747c363c4e670364f5191f144ae3aa8d1b1539c0bf87b3de36743aa73e8101c53c0ef1c6472d209569be389e7814d -DIST openssh-lpk-7.5p1-0.3.14.patch.xz 17040 BLAKE2B 5b2204316dd244bb8dd11db50d5bc3a194e2cc4b64964a2d3df68bbe54c53588f15fc5176dbc3811e929573fa3e41cf91f412aa2513bb9a4b6ed02c2523c1e24 SHA512 9ce5d7e5d831c972f0f866b686bf93a048a03979ab38627973f5491eeeaa45f9faab0520b3a7ed90a13a67213fdc9cd4cf11e423acad441ea91b71037c8b435b -EBUILD openssh-7.5_p1-r5.ebuild 11193 BLAKE2B 62b884f5ec9924d199c7c14a91aeed198013cba04716a0010c8254382dd55e95783fbc8641005cf1929900ed04804573ed39a407349ec1a450f6582bca6ba9aa SHA512 82b9eca54d021b995832b28f97dfae75e38dcdf426581dfe75704280b0a2818cafbc09f82ff7a43bbc7fd68e49a441844d1163411723d474bccd8905b82359b2 -EBUILD openssh-7.7_p1-r10.ebuild 15936 BLAKE2B 54042c1bf3f7d19e58c9d6e1970f3a3194e73d716652a669a1ea04c066112dae6dcd7e09fe2ae20e4a21a8dc18d513231bcf26b1917ab877b93c0e2fb18e3de3 SHA512 33896ad4ba6ee7b7238d8b1cc3ed04993e8e07e2456cd70295656b1522ad9eb2caeecdb897568ca13cb6f4f9e70fff7b238b634a8102ef5bff87f9654d11ddfc -EBUILD openssh-7.9_p1-r5.ebuild 16308 BLAKE2B ad98ce6cfd5be009c649c698993be93bdadcc959fc9bc4d43a4bbc45865c8bc802f6a4e179ed7d24af0181f3f454cb4c62992e1f66d86b475a48ccf995ce0ced SHA512 c5783252f16e4010c1466033c49e5a261206dd00203e9e01b55f09d9ad414def0532fc9067e1bf3cfb1e37b19db1bec2cd4c54dc89056c00f4d7c1f30d38a0fc -EBUILD openssh-8.0_p1-r5.ebuild 16691 BLAKE2B 901cd0ea83d38a5f611690ec603965923e0bae4ada7553ec7d8ed8aeac05588e81d21425f9808d245427af73f3be7023b759f69da4db84b7c6b70ee362ee0a65 SHA512 b4ffe6b7b488b27f38cf7948b81924aea39062443653f499682b3e45905598b1c882a0413dd042d9ff234af555bd21db574f732f9551f86c8d2e815ed49d5125 EBUILD openssh-8.1_p1-r3.ebuild 16430 BLAKE2B 5f87ff43f472c467a8e4dc359556b970a2d9889d45d5eb09c5eac5c0d245027764ec4d6b99853baaf7324883e5be426e20515b53f48fcc7a445a05e84fb0edde SHA512 e07cf259d7a6476c5efa4db22710bd533f86188bd1f5139e2c306858dd67e3b2a83cf5c9236c9441171e25af20a14e9f1d04aa058020ac9a20e0b0d6e7d8d89d EBUILD openssh-8.2_p1-r5.ebuild 16798 BLAKE2B 03dd8a663c89cb2185188a0fa9f72af49def3f44a9eaaa989c95f8b2812aab7a335547ff9d22edf64522576a04705e1f957d0edfe2ecf397df760f077eb846c5 SHA512 2a1714d7c8fa18a7b3bf5333625773e2125ca21dd3096766aad341663510503276db61fa42b9cc99d0531b4fcc55ae81e31c47de7502f7c2d83bdb49b91f1448 -EBUILD openssh-8.2_p1-r6.ebuild 16798 BLAKE2B 873c0b86b6c7613d7259e83f9b0377cdc9cc0b3a8dfb8db2821812a33f90f834714995c1c3d045f15691fd25412730165cc6b2fcbcc75d4f2ebfdff7824c1ccb SHA512 fa4007ec3b566c448d7fa5e257dc09aff7ab64491a7c54a19234bfd71fb165f5e46941e91c7d44f98c6819ae54b41c596869afe3e2da6a663dfab9e5db0e1c45 -MISC metadata.xml 2361 BLAKE2B c6fa43fd5cf20d97fa4d135bdef21d81b5b2ead3bcacbb9b9d7ceba7a699c9cbe7895a68a3d79e3d6afb145c8c35ed6a9a35ef7858a9474b26ee00137ea3f0f2 SHA512 7a2dacdc2a7ea1c1181b59152faeaa56c3ec563db2adb2e3b125a3819e32826edf6e8945d1a7c0328fa56f15c3d86d4dbe6afdad717cdcb0c1e92a08991d8f3e +EBUILD openssh-8.2_p1-r6.ebuild 16856 BLAKE2B f2e13e4cf7dd8f5fa5413bf66fb78116c27dc578b3a1f3368e288b26aea5a90d3e19f8a347e79d460935123169c95583c379c9db1ed352af54ed34991d02ad43 SHA512 e9bf2cda73df7d5b5a38e0ef9ce907a9be9fdeeb871e47d80809773e4119664dd42277f0d8016f4e77ae486750540c52fbdf0712fdecbac919b282a25d1e493c +MISC metadata.xml 2217 BLAKE2B 8a0d058b1177dc662b4136e53242e13b84d0dc46ae60a50d358dbbf03267089489c51e0a7332459e602c7198bda66e28e6886ef924b295f0f8648eae9f4e21d2 SHA512 a2a76c6948540615a71b75fe86cf55ada9aa1efdc1f6692665d33fe531fec10babc3a234b8b262a963ce0b3cdda00a5a34abcbe6e4d9bf1cce936a5e4d2ac7e1 diff --git a/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch b/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch deleted file mode 100644 index 7eaadaf11cda..000000000000 --- a/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch +++ /dev/null @@ -1,21 +0,0 @@ -https://bugs.gentoo.org/591392 -https://bugzilla.mindrot.org/show_bug.cgi?id=2590 - -7.3 added seccomp support to MIPS, but failed to handled the N32 -case. This patch is temporary until upstream fixes. - ---- openssh-7.3p1/configure.ac -+++ openssh-7.3p1/configure.ac -@@ -816,10 +816,10 @@ main() { if (NSVersionOfRunTimeLibrary(" - seccomp_audit_arch=AUDIT_ARCH_MIPSEL - ;; - mips64-*) -- seccomp_audit_arch=AUDIT_ARCH_MIPS64 -+ seccomp_audit_arch=AUDIT_ARCH_MIPS64N32 - ;; - mips64el-*) -- seccomp_audit_arch=AUDIT_ARCH_MIPSEL64 -+ seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32 - ;; - esac - if test "x$seccomp_audit_arch" != "x" ; then diff --git a/net-misc/openssh/files/openssh-7.5_p1-CVE-2017-15906.patch b/net-misc/openssh/files/openssh-7.5_p1-CVE-2017-15906.patch deleted file mode 100644 index b97ceb4b2789..000000000000 --- a/net-misc/openssh/files/openssh-7.5_p1-CVE-2017-15906.patch +++ /dev/null @@ -1,31 +0,0 @@ -From a6981567e8e215acc1ef690c8dbb30f2d9b00a19 Mon Sep 17 00:00:00 2001 -From: djm <djm@openbsd.org> -Date: Tue, 4 Apr 2017 00:24:56 +0000 -Subject: [PATCH] disallow creation (of empty files) in read-only mode; - reported by Michal Zalewski, feedback & ok deraadt@ - ---- - usr.bin/ssh/sftp-server.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/usr.bin/ssh/sftp-server.c b/usr.bin/ssh/sftp-server.c -index 2510d234a3a..42249ebd60d 100644 ---- a/usr.bin/ssh/sftp-server.c -+++ b/usr.bin/ssh/sftp-server.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: sftp-server.c,v 1.110 2016/09/12 01:22:38 deraadt Exp $ */ -+/* $OpenBSD: sftp-server.c,v 1.111 2017/04/04 00:24:56 djm Exp $ */ - /* - * Copyright (c) 2000-2004 Markus Friedl. All rights reserved. - * -@@ -683,8 +683,8 @@ process_open(u_int32_t id) - logit("open \"%s\" flags %s mode 0%o", - name, string_from_portable(pflags), mode); - if (readonly && -- ((flags & O_ACCMODE) == O_WRONLY || -- (flags & O_ACCMODE) == O_RDWR)) { -+ ((flags & O_ACCMODE) != O_RDONLY || -+ (flags & (O_CREAT|O_TRUNC)) != 0)) { - verbose("Refusing open request in read-only mode"); - status = SSH2_FX_PERMISSION_DENIED; - } else { diff --git a/net-misc/openssh/files/openssh-7.5_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-7.5_p1-GSSAPI-dns.patch deleted file mode 100644 index 6b1e6dd35a41..000000000000 --- a/net-misc/openssh/files/openssh-7.5_p1-GSSAPI-dns.patch +++ /dev/null @@ -1,351 +0,0 @@ -http://bugs.gentoo.org/165444 -https://bugzilla.mindrot.org/show_bug.cgi?id=1008 - ---- a/readconf.c -+++ b/readconf.c -@@ -148,6 +148,7 @@ - oClearAllForwardings, oNoHostAuthenticationForLocalhost, - oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, - oAddressFamily, oGssAuthentication, oGssDelegateCreds, -+ oGssTrustDns, - oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, - oSendEnv, oControlPath, oControlMaster, oControlPersist, - oHashKnownHosts, -@@ -194,9 +195,11 @@ - #if defined(GSSAPI) - { "gssapiauthentication", oGssAuthentication }, - { "gssapidelegatecredentials", oGssDelegateCreds }, -+ { "gssapitrustdns", oGssTrustDns }, - # else - { "gssapiauthentication", oUnsupported }, - { "gssapidelegatecredentials", oUnsupported }, -+ { "gssapitrustdns", oUnsupported }, - #endif - #ifdef ENABLE_PKCS11 - { "smartcarddevice", oPKCS11Provider }, -@@ -930,6 +933,10 @@ - intptr = &options->gss_deleg_creds; - goto parse_flag; - -+ case oGssTrustDns: -+ intptr = &options->gss_trust_dns; -+ goto parse_flag; -+ - case oBatchMode: - intptr = &options->batch_mode; - goto parse_flag; -@@ -1649,6 +1656,7 @@ - options->challenge_response_authentication = -1; - options->gss_authentication = -1; - options->gss_deleg_creds = -1; -+ options->gss_trust_dns = -1; - options->password_authentication = -1; - options->kbd_interactive_authentication = -1; - options->kbd_interactive_devices = NULL; -@@ -1779,6 +1787,8 @@ - options->gss_authentication = 0; - if (options->gss_deleg_creds == -1) - options->gss_deleg_creds = 0; -+ if (options->gss_trust_dns == -1) -+ options->gss_trust_dns = 0; - if (options->password_authentication == -1) - options->password_authentication = 1; - if (options->kbd_interactive_authentication == -1) ---- a/readconf.h -+++ b/readconf.h -@@ -46,6 +46,7 @@ - /* Try S/Key or TIS, authentication. */ - int gss_authentication; /* Try GSS authentication */ - int gss_deleg_creds; /* Delegate GSS credentials */ -+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */ - int password_authentication; /* Try password - * authentication. */ - int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ ---- a/ssh_config.5 -+++ b/ssh_config.5 -@@ -830,6 +830,16 @@ - Forward (delegate) credentials to the server. - The default is - .Cm no . -+Note that this option applies to protocol version 2 connections using GSSAPI. -+.It Cm GSSAPITrustDns -+Set to -+.Dq yes to indicate that the DNS is trusted to securely canonicalize -+the name of the host being connected to. If -+.Dq no, the hostname entered on the -+command line will be passed untouched to the GSSAPI library. -+The default is -+.Dq no . -+This option only applies to protocol version 2 connections using GSSAPI. - .It Cm HashKnownHosts - Indicates that - .Xr ssh 1 ---- a/sshconnect2.c -+++ b/sshconnect2.c -@@ -656,6 +656,13 @@ - static u_int mech = 0; - OM_uint32 min; - int ok = 0; -+ const char *gss_host; -+ -+ if (options.gss_trust_dns) { -+ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns); -+ gss_host = auth_get_canonical_hostname(active_state, 1); -+ } else -+ gss_host = authctxt->host; - - /* Try one GSSAPI method at a time, rather than sending them all at - * once. */ -@@ -668,7 +674,7 @@ - /* My DER encoding requires length<128 */ - if (gss_supported->elements[mech].length < 128 && - ssh_gssapi_check_mechanism(&gssctxt, -- &gss_supported->elements[mech], authctxt->host)) { -+ &gss_supported->elements[mech], gss_host)) { - ok = 1; /* Mechanism works */ - } else { - mech++; - -need to move these two funcs back to canohost so they're available to clients -and the server. auth.c is only used in the server. - ---- a/auth.c -+++ b/auth.c -@@ -784,117 +784,3 @@ fakepw(void) - - return (&fake); - } -- --/* -- * Returns the remote DNS hostname as a string. The returned string must not -- * be freed. NB. this will usually trigger a DNS query the first time it is -- * called. -- * This function does additional checks on the hostname to mitigate some -- * attacks on legacy rhosts-style authentication. -- * XXX is RhostsRSAAuthentication vulnerable to these? -- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) -- */ -- --static char * --remote_hostname(struct ssh *ssh) --{ -- struct sockaddr_storage from; -- socklen_t fromlen; -- struct addrinfo hints, *ai, *aitop; -- char name[NI_MAXHOST], ntop2[NI_MAXHOST]; -- const char *ntop = ssh_remote_ipaddr(ssh); -- -- /* Get IP address of client. */ -- fromlen = sizeof(from); -- memset(&from, 0, sizeof(from)); -- if (getpeername(ssh_packet_get_connection_in(ssh), -- (struct sockaddr *)&from, &fromlen) < 0) { -- debug("getpeername failed: %.100s", strerror(errno)); -- return strdup(ntop); -- } -- -- ipv64_normalise_mapped(&from, &fromlen); -- if (from.ss_family == AF_INET6) -- fromlen = sizeof(struct sockaddr_in6); -- -- debug3("Trying to reverse map address %.100s.", ntop); -- /* Map the IP address to a host name. */ -- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), -- NULL, 0, NI_NAMEREQD) != 0) { -- /* Host name not found. Use ip address. */ -- return strdup(ntop); -- } -- -- /* -- * if reverse lookup result looks like a numeric hostname, -- * someone is trying to trick us by PTR record like following: -- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 -- */ -- memset(&hints, 0, sizeof(hints)); -- hints.ai_socktype = SOCK_DGRAM; /*dummy*/ -- hints.ai_flags = AI_NUMERICHOST; -- if (getaddrinfo(name, NULL, &hints, &ai) == 0) { -- logit("Nasty PTR record \"%s\" is set up for %s, ignoring", -- name, ntop); -- freeaddrinfo(ai); -- return strdup(ntop); -- } -- -- /* Names are stored in lowercase. */ -- lowercase(name); -- -- /* -- * Map it back to an IP address and check that the given -- * address actually is an address of this host. This is -- * necessary because anyone with access to a name server can -- * define arbitrary names for an IP address. Mapping from -- * name to IP address can be trusted better (but can still be -- * fooled if the intruder has access to the name server of -- * the domain). -- */ -- memset(&hints, 0, sizeof(hints)); -- hints.ai_family = from.ss_family; -- hints.ai_socktype = SOCK_STREAM; -- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { -- logit("reverse mapping checking getaddrinfo for %.700s " -- "[%s] failed.", name, ntop); -- return strdup(ntop); -- } -- /* Look for the address from the list of addresses. */ -- for (ai = aitop; ai; ai = ai->ai_next) { -- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, -- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && -- (strcmp(ntop, ntop2) == 0)) -- break; -- } -- freeaddrinfo(aitop); -- /* If we reached the end of the list, the address was not there. */ -- if (ai == NULL) { -- /* Address not found for the host name. */ -- logit("Address %.100s maps to %.600s, but this does not " -- "map back to the address.", ntop, name); -- return strdup(ntop); -- } -- return strdup(name); --} -- --/* -- * Return the canonical name of the host in the other side of the current -- * connection. The host name is cached, so it is efficient to call this -- * several times. -- */ -- --const char * --auth_get_canonical_hostname(struct ssh *ssh, int use_dns) --{ -- static char *dnsname; -- -- if (!use_dns) -- return ssh_remote_ipaddr(ssh); -- else if (dnsname != NULL) -- return dnsname; -- else { -- dnsname = remote_hostname(ssh); -- return dnsname; -- } --} ---- a/canohost.c -+++ b/canohost.c -@@ -202,3 +202,117 @@ get_local_port(int sock) - { - return get_sock_port(sock, 1); - } -+ -+/* -+ * Returns the remote DNS hostname as a string. The returned string must not -+ * be freed. NB. this will usually trigger a DNS query the first time it is -+ * called. -+ * This function does additional checks on the hostname to mitigate some -+ * attacks on legacy rhosts-style authentication. -+ * XXX is RhostsRSAAuthentication vulnerable to these? -+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) -+ */ -+ -+static char * -+remote_hostname(struct ssh *ssh) -+{ -+ struct sockaddr_storage from; -+ socklen_t fromlen; -+ struct addrinfo hints, *ai, *aitop; -+ char name[NI_MAXHOST], ntop2[NI_MAXHOST]; -+ const char *ntop = ssh_remote_ipaddr(ssh); -+ -+ /* Get IP address of client. */ -+ fromlen = sizeof(from); -+ memset(&from, 0, sizeof(from)); -+ if (getpeername(ssh_packet_get_connection_in(ssh), -+ (struct sockaddr *)&from, &fromlen) < 0) { -+ debug("getpeername failed: %.100s", strerror(errno)); -+ return strdup(ntop); -+ } -+ -+ ipv64_normalise_mapped(&from, &fromlen); -+ if (from.ss_family == AF_INET6) -+ fromlen = sizeof(struct sockaddr_in6); -+ -+ debug3("Trying to reverse map address %.100s.", ntop); -+ /* Map the IP address to a host name. */ -+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), -+ NULL, 0, NI_NAMEREQD) != 0) { -+ /* Host name not found. Use ip address. */ -+ return strdup(ntop); -+ } -+ -+ /* -+ * if reverse lookup result looks like a numeric hostname, -+ * someone is trying to trick us by PTR record like following: -+ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 -+ */ -+ memset(&hints, 0, sizeof(hints)); -+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/ -+ hints.ai_flags = AI_NUMERICHOST; -+ if (getaddrinfo(name, NULL, &hints, &ai) == 0) { -+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring", -+ name, ntop); -+ freeaddrinfo(ai); -+ return strdup(ntop); -+ } -+ -+ /* Names are stored in lowercase. */ -+ lowercase(name); -+ -+ /* -+ * Map it back to an IP address and check that the given -+ * address actually is an address of this host. This is -+ * necessary because anyone with access to a name server can -+ * define arbitrary names for an IP address. Mapping from -+ * name to IP address can be trusted better (but can still be -+ * fooled if the intruder has access to the name server of -+ * the domain). -+ */ -+ memset(&hints, 0, sizeof(hints)); -+ hints.ai_family = from.ss_family; -+ hints.ai_socktype = SOCK_STREAM; -+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { -+ logit("reverse mapping checking getaddrinfo for %.700s " -+ "[%s] failed.", name, ntop); -+ return strdup(ntop); -+ } -+ /* Look for the address from the list of addresses. */ -+ for (ai = aitop; ai; ai = ai->ai_next) { -+ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, -+ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && -+ (strcmp(ntop, ntop2) == 0)) -+ break; -+ } -+ freeaddrinfo(aitop); -+ /* If we reached the end of the list, the address was not there. */ -+ if (ai == NULL) { -+ /* Address not found for the host name. */ -+ logit("Address %.100s maps to %.600s, but this does not " -+ "map back to the address.", ntop, name); -+ return strdup(ntop); -+ } -+ return strdup(name); -+} -+ -+/* -+ * Return the canonical name of the host in the other side of the current -+ * connection. The host name is cached, so it is efficient to call this -+ * several times. -+ */ -+ -+const char * -+auth_get_canonical_hostname(struct ssh *ssh, int use_dns) -+{ -+ static char *dnsname; -+ -+ if (!use_dns) -+ return ssh_remote_ipaddr(ssh); -+ else if (dnsname != NULL) -+ return dnsname; -+ else { -+ dnsname = remote_hostname(ssh); -+ return dnsname; -+ } -+} diff --git a/net-misc/openssh/files/openssh-7.5_p1-cross-cache.patch b/net-misc/openssh/files/openssh-7.5_p1-cross-cache.patch deleted file mode 100644 index 1c2b7b8a091a..000000000000 --- a/net-misc/openssh/files/openssh-7.5_p1-cross-cache.patch +++ /dev/null @@ -1,39 +0,0 @@ -From d588d6f83e9a3d48286929b4a705b43e74414241 Mon Sep 17 00:00:00 2001 -From: Mike Frysinger <vapier@chromium.org> -Date: Wed, 24 May 2017 23:18:41 -0400 -Subject: [PATCH] configure: actually set cache vars when cross-compiling - -The cross-compiling fallback message says it's assuming the test -passed, but it didn't actually set the cache var which causes -later tests to fail. ---- - configure.ac | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 5cfea38c0a6c..895c5211ea93 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -3162,7 +3162,8 @@ AC_RUN_IFELSE( - select_works_with_rlimit=yes], - [AC_MSG_RESULT([no]) - select_works_with_rlimit=no], -- [AC_MSG_WARN([cross compiling: assuming yes])] -+ [AC_MSG_WARN([cross compiling: assuming yes]) -+ select_works_with_rlimit=yes] - ) - - AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works]) -@@ -3188,7 +3189,8 @@ AC_RUN_IFELSE( - rlimit_nofile_zero_works=yes], - [AC_MSG_RESULT([no]) - rlimit_nofile_zero_works=no], -- [AC_MSG_WARN([cross compiling: assuming yes])] -+ [AC_MSG_WARN([cross compiling: assuming yes]) -+ rlimit_nofile_zero_works=yes] - ) - - AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works]) --- -2.12.0 - diff --git a/net-misc/openssh/files/openssh-7.5_p1-hpn-x509-10.2-glue.patch b/net-misc/openssh/files/openssh-7.5_p1-hpn-x509-10.2-glue.patch deleted file mode 100644 index 11a5b364be4d..000000000000 --- a/net-misc/openssh/files/openssh-7.5_p1-hpn-x509-10.2-glue.patch +++ /dev/null @@ -1,67 +0,0 @@ -diff -ur a/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch b/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch ---- a/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch 2017-03-27 13:31:01.816551100 -0700 -+++ b/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch 2017-03-27 13:51:03.894805846 -0700 -@@ -40,7 +40,7 @@ - @@ -44,7 +44,7 @@ CC=@CC@ - LD=@LD@ - CFLAGS=@CFLAGS@ -- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ -+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ - -LIBS=@LIBS@ - +LIBS=@LIBS@ -lpthread - K5LIBS=@K5LIBS@ -@@ -1023,6 +1023,3 @@ - do_authenticated(authctxt); - - /* The connection has been terminated. */ ---- --2.12.0 -- -diff -ur a/0004-support-dynamically-sized-receive-buffers.patch b/0004-support-dynamically-sized-receive-buffers.patch ---- a/0004-support-dynamically-sized-receive-buffers.patch 2017-03-27 13:31:01.816551100 -0700 -+++ b/0004-support-dynamically-sized-receive-buffers.patch 2017-03-27 13:49:44.513498976 -0700 -@@ -926,9 +926,9 @@ - @@ -526,10 +553,10 @@ send_client_banner(int connection_out, int minor1) - /* Send our own protocol version identification. */ - if (compat20) { -- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", --- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION); --+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE); -+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n", -+- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, PACKAGE_VERSION); -++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, PACKAGE_VERSION); - } else { - xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n", - - PROTOCOL_MAJOR_1, minor1, SSH_VERSION); -@@ -943,11 +943,11 @@ - @@ -367,7 +367,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) - char remote_version[256]; /* Must be at least as big as buf. */ - -- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n", --- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, --+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, -+ xasprintf(&server_version_string, "SSH-%d.%d-%s%s%s%s%s", -+- major, minor, SSH_VERSION, pkix_comment, -++ major, minor, SSH_RELEASE, pkix_comment, - *options.version_addendum == '\0' ? "" : " ", -- options.version_addendum); -+ options.version_addendum, newline); - - @@ -1020,6 +1020,8 @@ server_listen(void) - int ret, listen_sock, on = 1; -@@ -1006,12 +1008,9 @@ - --- a/version.h - +++ b/version.h --@@ -3,4 +3,5 @@ -+@@ -3,4 +3,6 @@ - #define SSH_VERSION "OpenSSH_7.5" - -- #define SSH_PORTABLE "p1" ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE -+-#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1" -++#define SSH_X509 ", PKIX-SSH " PACKAGE_VERSION - +#define SSH_HPN "-hpn14v12" - +#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN ---- --2.12.0 -- diff --git a/net-misc/openssh/files/openssh-7.5_p1-s390-seccomp.patch b/net-misc/openssh/files/openssh-7.5_p1-s390-seccomp.patch deleted file mode 100644 index d7932003f8f8..000000000000 --- a/net-misc/openssh/files/openssh-7.5_p1-s390-seccomp.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 58b8cfa2a062b72139d7229ae8de567f55776f24 Mon Sep 17 00:00:00 2001 -From: Damien Miller <djm@mindrot.org> -Date: Wed, 22 Mar 2017 12:43:02 +1100 -Subject: [PATCH] Missing header on Linux/s390 - -Patch from Jakub Jelen ---- - sandbox-seccomp-filter.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c -index a8d472a63ccb..2831e9d1083c 100644 ---- a/sandbox-seccomp-filter.c -+++ b/sandbox-seccomp-filter.c -@@ -50,6 +50,9 @@ - #include <elf.h> - - #include <asm/unistd.h> -+#ifdef __s390__ -+#include <asm/zcrypt.h> -+#endif - - #include <errno.h> - #include <signal.h> --- -2.15.1 - diff --git a/net-misc/openssh/files/openssh-7.5_p1-x32-typo.patch b/net-misc/openssh/files/openssh-7.5_p1-x32-typo.patch deleted file mode 100644 index 5dca1b0e4e16..000000000000 --- a/net-misc/openssh/files/openssh-7.5_p1-x32-typo.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 596c432181e1c4a9da354388394f640afd29f44b Mon Sep 17 00:00:00 2001 -From: Mike Frysinger <vapier@gentoo.org> -Date: Mon, 20 Mar 2017 14:57:40 -0400 -Subject: [PATCH] seccomp sandbox: fix typo w/x32 check - ---- - sandbox-seccomp-filter.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c -index 3a1aedce72c2..a8d472a63ccb 100644 ---- a/sandbox-seccomp-filter.c -+++ b/sandbox-seccomp-filter.c -@@ -235,7 +235,7 @@ static const struct sock_filter preauth_insns[] = { - * x86-64 syscall under some circumstances, e.g. - * https://bugs.debian.org/849923 - */ -- SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT); -+ SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT), - #endif - - /* Default deny */ --- -2.12.0 - diff --git a/net-misc/openssh/files/openssh-7.7_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-7.7_p1-GSSAPI-dns.patch deleted file mode 100644 index 2840652a9b47..000000000000 --- a/net-misc/openssh/files/openssh-7.7_p1-GSSAPI-dns.patch +++ /dev/null @@ -1,351 +0,0 @@ -https://bugs.gentoo.org/165444 -https://bugzilla.mindrot.org/show_bug.cgi?id=1008 - ---- a/auth.c -+++ b/auth.c -@@ -728,120 +728,6 @@ fakepw(void) - return (&fake); - } - --/* -- * Returns the remote DNS hostname as a string. The returned string must not -- * be freed. NB. this will usually trigger a DNS query the first time it is -- * called. -- * This function does additional checks on the hostname to mitigate some -- * attacks on legacy rhosts-style authentication. -- * XXX is RhostsRSAAuthentication vulnerable to these? -- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) -- */ -- --static char * --remote_hostname(struct ssh *ssh) --{ -- struct sockaddr_storage from; -- socklen_t fromlen; -- struct addrinfo hints, *ai, *aitop; -- char name[NI_MAXHOST], ntop2[NI_MAXHOST]; -- const char *ntop = ssh_remote_ipaddr(ssh); -- -- /* Get IP address of client. */ -- fromlen = sizeof(from); -- memset(&from, 0, sizeof(from)); -- if (getpeername(ssh_packet_get_connection_in(ssh), -- (struct sockaddr *)&from, &fromlen) < 0) { -- debug("getpeername failed: %.100s", strerror(errno)); -- return strdup(ntop); -- } -- -- ipv64_normalise_mapped(&from, &fromlen); -- if (from.ss_family == AF_INET6) -- fromlen = sizeof(struct sockaddr_in6); -- -- debug3("Trying to reverse map address %.100s.", ntop); -- /* Map the IP address to a host name. */ -- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), -- NULL, 0, NI_NAMEREQD) != 0) { -- /* Host name not found. Use ip address. */ -- return strdup(ntop); -- } -- -- /* -- * if reverse lookup result looks like a numeric hostname, -- * someone is trying to trick us by PTR record like following: -- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 -- */ -- memset(&hints, 0, sizeof(hints)); -- hints.ai_socktype = SOCK_DGRAM; /*dummy*/ -- hints.ai_flags = AI_NUMERICHOST; -- if (getaddrinfo(name, NULL, &hints, &ai) == 0) { -- logit("Nasty PTR record \"%s\" is set up for %s, ignoring", -- name, ntop); -- freeaddrinfo(ai); -- return strdup(ntop); -- } -- -- /* Names are stored in lowercase. */ -- lowercase(name); -- -- /* -- * Map it back to an IP address and check that the given -- * address actually is an address of this host. This is -- * necessary because anyone with access to a name server can -- * define arbitrary names for an IP address. Mapping from -- * name to IP address can be trusted better (but can still be -- * fooled if the intruder has access to the name server of -- * the domain). -- */ -- memset(&hints, 0, sizeof(hints)); -- hints.ai_family = from.ss_family; -- hints.ai_socktype = SOCK_STREAM; -- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { -- logit("reverse mapping checking getaddrinfo for %.700s " -- "[%s] failed.", name, ntop); -- return strdup(ntop); -- } -- /* Look for the address from the list of addresses. */ -- for (ai = aitop; ai; ai = ai->ai_next) { -- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, -- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && -- (strcmp(ntop, ntop2) == 0)) -- break; -- } -- freeaddrinfo(aitop); -- /* If we reached the end of the list, the address was not there. */ -- if (ai == NULL) { -- /* Address not found for the host name. */ -- logit("Address %.100s maps to %.600s, but this does not " -- "map back to the address.", ntop, name); -- return strdup(ntop); -- } -- return strdup(name); --} -- --/* -- * Return the canonical name of the host in the other side of the current -- * connection. The host name is cached, so it is efficient to call this -- * several times. -- */ -- --const char * --auth_get_canonical_hostname(struct ssh *ssh, int use_dns) --{ -- static char *dnsname; -- -- if (!use_dns) -- return ssh_remote_ipaddr(ssh); -- else if (dnsname != NULL) -- return dnsname; -- else { -- dnsname = remote_hostname(ssh); -- return dnsname; -- } --} -- - /* - * Runs command in a subprocess wuth a minimal environment. - * Returns pid on success, 0 on failure. ---- a/canohost.c -+++ b/canohost.c -@@ -202,3 +202,117 @@ get_local_port(int sock) - { - return get_sock_port(sock, 1); - } -+ -+/* -+ * Returns the remote DNS hostname as a string. The returned string must not -+ * be freed. NB. this will usually trigger a DNS query the first time it is -+ * called. -+ * This function does additional checks on the hostname to mitigate some -+ * attacks on legacy rhosts-style authentication. -+ * XXX is RhostsRSAAuthentication vulnerable to these? -+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) -+ */ -+ -+static char * -+remote_hostname(struct ssh *ssh) -+{ -+ struct sockaddr_storage from; -+ socklen_t fromlen; -+ struct addrinfo hints, *ai, *aitop; -+ char name[NI_MAXHOST], ntop2[NI_MAXHOST]; -+ const char *ntop = ssh_remote_ipaddr(ssh); -+ -+ /* Get IP address of client. */ -+ fromlen = sizeof(from); -+ memset(&from, 0, sizeof(from)); -+ if (getpeername(ssh_packet_get_connection_in(ssh), -+ (struct sockaddr *)&from, &fromlen) < 0) { -+ debug("getpeername failed: %.100s", strerror(errno)); -+ return strdup(ntop); -+ } -+ -+ ipv64_normalise_mapped(&from, &fromlen); -+ if (from.ss_family == AF_INET6) -+ fromlen = sizeof(struct sockaddr_in6); -+ -+ debug3("Trying to reverse map address %.100s.", ntop); -+ /* Map the IP address to a host name. */ -+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), -+ NULL, 0, NI_NAMEREQD) != 0) { -+ /* Host name not found. Use ip address. */ -+ return strdup(ntop); -+ } -+ -+ /* -+ * if reverse lookup result looks like a numeric hostname, -+ * someone is trying to trick us by PTR record like following: -+ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 -+ */ -+ memset(&hints, 0, sizeof(hints)); -+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/ -+ hints.ai_flags = AI_NUMERICHOST; -+ if (getaddrinfo(name, NULL, &hints, &ai) == 0) { -+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring", -+ name, ntop); -+ freeaddrinfo(ai); -+ return strdup(ntop); -+ } -+ -+ /* Names are stored in lowercase. */ -+ lowercase(name); -+ -+ /* -+ * Map it back to an IP address and check that the given -+ * address actually is an address of this host. This is -+ * necessary because anyone with access to a name server can -+ * define arbitrary names for an IP address. Mapping from -+ * name to IP address can be trusted better (but can still be -+ * fooled if the intruder has access to the name server of -+ * the domain). -+ */ -+ memset(&hints, 0, sizeof(hints)); -+ hints.ai_family = from.ss_family; -+ hints.ai_socktype = SOCK_STREAM; -+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { -+ logit("reverse mapping checking getaddrinfo for %.700s " -+ "[%s] failed.", name, ntop); -+ return strdup(ntop); -+ } -+ /* Look for the address from the list of addresses. */ -+ for (ai = aitop; ai; ai = ai->ai_next) { -+ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, -+ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && -+ (strcmp(ntop, ntop2) == 0)) -+ break; -+ } -+ freeaddrinfo(aitop); -+ /* If we reached the end of the list, the address was not there. */ -+ if (ai == NULL) { -+ /* Address not found for the host name. */ -+ logit("Address %.100s maps to %.600s, but this does not " -+ "map back to the address.", ntop, name); -+ return strdup(ntop); -+ } -+ return strdup(name); -+} -+ -+/* -+ * Return the canonical name of the host in the other side of the current -+ * connection. The host name is cached, so it is efficient to call this -+ * several times. -+ */ -+ -+const char * -+auth_get_canonical_hostname(struct ssh *ssh, int use_dns) -+{ -+ static char *dnsname; -+ -+ if (!use_dns) -+ return ssh_remote_ipaddr(ssh); -+ else if (dnsname != NULL) -+ return dnsname; -+ else { -+ dnsname = remote_hostname(ssh); -+ return dnsname; -+ } -+} ---- a/readconf.c -+++ b/readconf.c -@@ -160,6 +160,7 @@ typedef enum { - oClearAllForwardings, oNoHostAuthenticationForLocalhost, - oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, - oAddressFamily, oGssAuthentication, oGssDelegateCreds, -+ oGssTrustDns, - oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, - oSendEnv, oControlPath, oControlMaster, oControlPersist, - oHashKnownHosts, -@@ -200,9 +201,11 @@ static struct { - #if defined(GSSAPI) - { "gssapiauthentication", oGssAuthentication }, - { "gssapidelegatecredentials", oGssDelegateCreds }, -+ { "gssapitrustdns", oGssTrustDns }, - # else - { "gssapiauthentication", oUnsupported }, - { "gssapidelegatecredentials", oUnsupported }, -+ { "gssapitrustdns", oUnsupported }, - #endif - #ifdef ENABLE_PKCS11 - { "smartcarddevice", oPKCS11Provider }, -@@ -954,6 +957,10 @@ parse_time: - intptr = &options->gss_deleg_creds; - goto parse_flag; - -+ case oGssTrustDns: -+ intptr = &options->gss_trust_dns; -+ goto parse_flag; -+ - case oBatchMode: - intptr = &options->batch_mode; - goto parse_flag; -@@ -1766,6 +1773,7 @@ initialize_options(Options * options) - options->challenge_response_authentication = -1; - options->gss_authentication = -1; - options->gss_deleg_creds = -1; -+ options->gss_trust_dns = -1; - options->password_authentication = -1; - options->kbd_interactive_authentication = -1; - options->kbd_interactive_devices = NULL; -@@ -1908,6 +1916,8 @@ fill_default_options(Options * options) - options->gss_authentication = 0; - if (options->gss_deleg_creds == -1) - options->gss_deleg_creds = 0; -+ if (options->gss_trust_dns == -1) -+ options->gss_trust_dns = 0; - if (options->password_authentication == -1) - options->password_authentication = 1; - if (options->kbd_interactive_authentication == -1) ---- a/readconf.h -+++ b/readconf.h -@@ -43,6 +43,7 @@ typedef struct { - /* Try S/Key or TIS, authentication. */ - int gss_authentication; /* Try GSS authentication */ - int gss_deleg_creds; /* Delegate GSS credentials */ -+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */ - int password_authentication; /* Try password - * authentication. */ - int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ ---- a/ssh_config.5 -+++ b/ssh_config.5 -@@ -731,6 +731,16 @@ The default is - Forward (delegate) credentials to the server. - The default is - .Cm no . -+Note that this option applies to protocol version 2 connections using GSSAPI. -+.It Cm GSSAPITrustDns -+Set to -+.Dq yes to indicate that the DNS is trusted to securely canonicalize -+the name of the host being connected to. If -+.Dq no, the hostname entered on the -+command line will be passed untouched to the GSSAPI library. -+The default is -+.Dq no . -+This option only applies to protocol version 2 connections using GSSAPI. - .It Cm HashKnownHosts - Indicates that - .Xr ssh 1 ---- a/sshconnect2.c -+++ b/sshconnect2.c -@@ -643,6 +643,13 @@ userauth_gssapi(Authctxt *authctxt) - static u_int mech = 0; - OM_uint32 min; - int ok = 0; -+ const char *gss_host; -+ -+ if (options.gss_trust_dns) { -+ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns); -+ gss_host = auth_get_canonical_hostname(active_state, 1); -+ } else -+ gss_host = authctxt->host; - - /* Try one GSSAPI method at a time, rather than sending them all at - * once. */ -@@ -655,7 +662,7 @@ userauth_gssapi(Authctxt *authctxt) - /* My DER encoding requires length<128 */ - if (gss_supported->elements[mech].length < 128 && - ssh_gssapi_check_mechanism(&gssctxt, -- &gss_supported->elements[mech], authctxt->host)) { -+ &gss_supported->elements[mech], gss_host)) { - ok = 1; /* Mechanism works */ - } else { - mech++; --- diff --git a/net-misc/openssh/files/openssh-7.8_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-7.8_p1-GSSAPI-dns.patch deleted file mode 100644 index 989dc6cee68d..000000000000 --- a/net-misc/openssh/files/openssh-7.8_p1-GSSAPI-dns.patch +++ /dev/null @@ -1,359 +0,0 @@ -diff --git a/auth.c b/auth.c -index 9a3bc96f..fc2c3620 100644 ---- a/auth.c -+++ b/auth.c -@@ -733,120 +733,6 @@ fakepw(void) - return (&fake); - } - --/* -- * Returns the remote DNS hostname as a string. The returned string must not -- * be freed. NB. this will usually trigger a DNS query the first time it is -- * called. -- * This function does additional checks on the hostname to mitigate some -- * attacks on legacy rhosts-style authentication. -- * XXX is RhostsRSAAuthentication vulnerable to these? -- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) -- */ -- --static char * --remote_hostname(struct ssh *ssh) --{ -- struct sockaddr_storage from; -- socklen_t fromlen; -- struct addrinfo hints, *ai, *aitop; -- char name[NI_MAXHOST], ntop2[NI_MAXHOST]; -- const char *ntop = ssh_remote_ipaddr(ssh); -- -- /* Get IP address of client. */ -- fromlen = sizeof(from); -- memset(&from, 0, sizeof(from)); -- if (getpeername(ssh_packet_get_connection_in(ssh), -- (struct sockaddr *)&from, &fromlen) < 0) { -- debug("getpeername failed: %.100s", strerror(errno)); -- return strdup(ntop); -- } -- -- ipv64_normalise_mapped(&from, &fromlen); -- if (from.ss_family == AF_INET6) -- fromlen = sizeof(struct sockaddr_in6); -- -- debug3("Trying to reverse map address %.100s.", ntop); -- /* Map the IP address to a host name. */ -- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), -- NULL, 0, NI_NAMEREQD) != 0) { -- /* Host name not found. Use ip address. */ -- return strdup(ntop); -- } -- -- /* -- * if reverse lookup result looks like a numeric hostname, -- * someone is trying to trick us by PTR record like following: -- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 -- */ -- memset(&hints, 0, sizeof(hints)); -- hints.ai_socktype = SOCK_DGRAM; /*dummy*/ -- hints.ai_flags = AI_NUMERICHOST; -- if (getaddrinfo(name, NULL, &hints, &ai) == 0) { -- logit("Nasty PTR record \"%s\" is set up for %s, ignoring", -- name, ntop); -- freeaddrinfo(ai); -- return strdup(ntop); -- } -- -- /* Names are stored in lowercase. */ -- lowercase(name); -- -- /* -- * Map it back to an IP address and check that the given -- * address actually is an address of this host. This is -- * necessary because anyone with access to a name server can -- * define arbitrary names for an IP address. Mapping from -- * name to IP address can be trusted better (but can still be -- * fooled if the intruder has access to the name server of -- * the domain). -- */ -- memset(&hints, 0, sizeof(hints)); -- hints.ai_family = from.ss_family; -- hints.ai_socktype = SOCK_STREAM; -- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { -- logit("reverse mapping checking getaddrinfo for %.700s " -- "[%s] failed.", name, ntop); -- return strdup(ntop); -- } -- /* Look for the address from the list of addresses. */ -- for (ai = aitop; ai; ai = ai->ai_next) { -- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, -- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && -- (strcmp(ntop, ntop2) == 0)) -- break; -- } -- freeaddrinfo(aitop); -- /* If we reached the end of the list, the address was not there. */ -- if (ai == NULL) { -- /* Address not found for the host name. */ -- logit("Address %.100s maps to %.600s, but this does not " -- "map back to the address.", ntop, name); -- return strdup(ntop); -- } -- return strdup(name); --} -- --/* -- * Return the canonical name of the host in the other side of the current -- * connection. The host name is cached, so it is efficient to call this -- * several times. -- */ -- --const char * --auth_get_canonical_hostname(struct ssh *ssh, int use_dns) --{ -- static char *dnsname; -- -- if (!use_dns) -- return ssh_remote_ipaddr(ssh); -- else if (dnsname != NULL) -- return dnsname; -- else { -- dnsname = remote_hostname(ssh); -- return dnsname; -- } --} -- - /* - * Runs command in a subprocess with a minimal environment. - * Returns pid on success, 0 on failure. -diff --git a/canohost.c b/canohost.c -index f71a0856..3e162d8c 100644 ---- a/canohost.c -+++ b/canohost.c -@@ -202,3 +202,117 @@ get_local_port(int sock) - { - return get_sock_port(sock, 1); - } -+ -+/* -+ * Returns the remote DNS hostname as a string. The returned string must not -+ * be freed. NB. this will usually trigger a DNS query the first time it is -+ * called. -+ * This function does additional checks on the hostname to mitigate some -+ * attacks on legacy rhosts-style authentication. -+ * XXX is RhostsRSAAuthentication vulnerable to these? -+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) -+ */ -+ -+static char * -+remote_hostname(struct ssh *ssh) -+{ -+ struct sockaddr_storage from; -+ socklen_t fromlen; -+ struct addrinfo hints, *ai, *aitop; -+ char name[NI_MAXHOST], ntop2[NI_MAXHOST]; -+ const char *ntop = ssh_remote_ipaddr(ssh); -+ -+ /* Get IP address of client. */ -+ fromlen = sizeof(from); -+ memset(&from, 0, sizeof(from)); -+ if (getpeername(ssh_packet_get_connection_in(ssh), -+ (struct sockaddr *)&from, &fromlen) < 0) { -+ debug("getpeername failed: %.100s", strerror(errno)); -+ return strdup(ntop); -+ } -+ -+ ipv64_normalise_mapped(&from, &fromlen); -+ if (from.ss_family == AF_INET6) -+ fromlen = sizeof(struct sockaddr_in6); -+ -+ debug3("Trying to reverse map address %.100s.", ntop); -+ /* Map the IP address to a host name. */ -+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), -+ NULL, 0, NI_NAMEREQD) != 0) { -+ /* Host name not found. Use ip address. */ -+ return strdup(ntop); -+ } -+ -+ /* -+ * if reverse lookup result looks like a numeric hostname, -+ * someone is trying to trick us by PTR record like following: -+ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 -+ */ -+ memset(&hints, 0, sizeof(hints)); -+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/ -+ hints.ai_flags = AI_NUMERICHOST; -+ if (getaddrinfo(name, NULL, &hints, &ai) == 0) { -+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring", -+ name, ntop); -+ freeaddrinfo(ai); -+ return strdup(ntop); -+ } -+ -+ /* Names are stored in lowercase. */ -+ lowercase(name); -+ -+ /* -+ * Map it back to an IP address and check that the given -+ * address actually is an address of this host. This is -+ * necessary because anyone with access to a name server can -+ * define arbitrary names for an IP address. Mapping from -+ * name to IP address can be trusted better (but can still be -+ * fooled if the intruder has access to the name server of -+ * the domain). -+ */ -+ memset(&hints, 0, sizeof(hints)); -+ hints.ai_family = from.ss_family; -+ hints.ai_socktype = SOCK_STREAM; -+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { -+ logit("reverse mapping checking getaddrinfo for %.700s " -+ "[%s] failed.", name, ntop); -+ return strdup(ntop); -+ } -+ /* Look for the address from the list of addresses. */ -+ for (ai = aitop; ai; ai = ai->ai_next) { -+ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, -+ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && -+ (strcmp(ntop, ntop2) == 0)) -+ break; -+ } -+ freeaddrinfo(aitop); -+ /* If we reached the end of the list, the address was not there. */ -+ if (ai == NULL) { -+ /* Address not found for the host name. */ -+ logit("Address %.100s maps to %.600s, but this does not " -+ "map back to the address.", ntop, name); -+ return strdup(ntop); -+ } -+ return strdup(name); -+} -+ -+/* -+ * Return the canonical name of the host in the other side of the current -+ * connection. The host name is cached, so it is efficient to call this -+ * several times. -+ */ -+ -+const char * -+auth_get_canonical_hostname(struct ssh *ssh, int use_dns) -+{ -+ static char *dnsname; -+ -+ if (!use_dns) -+ return ssh_remote_ipaddr(ssh); -+ else if (dnsname != NULL) -+ return dnsname; -+ else { -+ dnsname = remote_hostname(ssh); -+ return dnsname; -+ } -+} -diff --git a/readconf.c b/readconf.c -index db5f2d54..67feffa5 100644 ---- a/readconf.c -+++ b/readconf.c -@@ -161,6 +161,7 @@ typedef enum { - oClearAllForwardings, oNoHostAuthenticationForLocalhost, - oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, - oAddressFamily, oGssAuthentication, oGssDelegateCreds, -+ oGssTrustDns, - oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, - oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist, - oHashKnownHosts, -@@ -202,9 +203,11 @@ static struct { - #if defined(GSSAPI) - { "gssapiauthentication", oGssAuthentication }, - { "gssapidelegatecredentials", oGssDelegateCreds }, -+ { "gssapitrustdns", oGssTrustDns }, - # else - { "gssapiauthentication", oUnsupported }, - { "gssapidelegatecredentials", oUnsupported }, -+ { "gssapitrustdns", oUnsupported }, - #endif - #ifdef ENABLE_PKCS11 - { "smartcarddevice", oPKCS11Provider }, -@@ -977,6 +980,10 @@ parse_time: - intptr = &options->gss_deleg_creds; - goto parse_flag; - -+ case oGssTrustDns: -+ intptr = &options->gss_trust_dns; -+ goto parse_flag; -+ - case oBatchMode: - intptr = &options->batch_mode; - goto parse_flag; -@@ -1818,6 +1825,7 @@ initialize_options(Options * options) - options->challenge_response_authentication = -1; - options->gss_authentication = -1; - options->gss_deleg_creds = -1; -+ options->gss_trust_dns = -1; - options->password_authentication = -1; - options->kbd_interactive_authentication = -1; - options->kbd_interactive_devices = NULL; -@@ -1964,6 +1972,8 @@ fill_default_options(Options * options) - options->gss_authentication = 0; - if (options->gss_deleg_creds == -1) - options->gss_deleg_creds = 0; -+ if (options->gss_trust_dns == -1) -+ options->gss_trust_dns = 0; - if (options->password_authentication == -1) - options->password_authentication = 1; - if (options->kbd_interactive_authentication == -1) -diff --git a/readconf.h b/readconf.h -index c5688781..af809cc8 100644 ---- a/readconf.h -+++ b/readconf.h -@@ -41,6 +41,7 @@ typedef struct { - /* Try S/Key or TIS, authentication. */ - int gss_authentication; /* Try GSS authentication */ - int gss_deleg_creds; /* Delegate GSS credentials */ -+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */ - int password_authentication; /* Try password - * authentication. */ - int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ -diff --git a/ssh_config.5 b/ssh_config.5 -index f499396a..be758544 100644 ---- a/ssh_config.5 -+++ b/ssh_config.5 -@@ -722,6 +722,16 @@ The default is - Forward (delegate) credentials to the server. - The default is - .Cm no . -+Note that this option applies to protocol version 2 connections using GSSAPI. -+.It Cm GSSAPITrustDns -+Set to -+.Dq yes to indicate that the DNS is trusted to securely canonicalize -+the name of the host being connected to. If -+.Dq no, the hostname entered on the -+command line will be passed untouched to the GSSAPI library. -+The default is -+.Dq no . -+This option only applies to protocol version 2 connections using GSSAPI. - .It Cm HashKnownHosts - Indicates that - .Xr ssh 1 -diff --git a/sshconnect2.c b/sshconnect2.c -index 10e4f0a0..4f7d49e3 100644 ---- a/sshconnect2.c -+++ b/sshconnect2.c -@@ -657,6 +657,13 @@ userauth_gssapi(Authctxt *authctxt) - static u_int mech = 0; - OM_uint32 min; - int r, ok = 0; -+ const char *gss_host; -+ -+ if (options.gss_trust_dns) { -+ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns); -+ gss_host = auth_get_canonical_hostname(active_state, 1); -+ } else -+ gss_host = authctxt->host; - - /* Try one GSSAPI method at a time, rather than sending them all at - * once. */ -@@ -669,7 +676,7 @@ userauth_gssapi(Authctxt *authctxt) - /* My DER encoding requires length<128 */ - if (gss_supported->elements[mech].length < 128 && - ssh_gssapi_check_mechanism(&gssctxt, -- &gss_supported->elements[mech], authctxt->host)) { -+ &gss_supported->elements[mech], gss_host)) { - ok = 1; /* Mechanism works */ - } else { - mech++; diff --git a/net-misc/openssh/files/openssh-7.9_p1-CVE-2018-20685.patch b/net-misc/openssh/files/openssh-7.9_p1-CVE-2018-20685.patch deleted file mode 100644 index 3fa3e318af50..000000000000 --- a/net-misc/openssh/files/openssh-7.9_p1-CVE-2018-20685.patch +++ /dev/null @@ -1,16 +0,0 @@ -CVE-2018-20685 - -https://github.com/openssh/openssh-portable/commit/6010c0303a422a9c5fa8860c061bf7105eb7f8b2 - ---- a/scp.c -+++ b/scp.c -@@ -1106,7 +1106,8 @@ sink(int argc, char **argv) - SCREWUP("size out of range"); - size = (off_t)ull; - -- if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) { -+ if (*cp == '\0' || strchr(cp, '/') != NULL || -+ strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) { - run_err("error: unexpected filename: %s", cp); - exit(1); - } diff --git a/net-misc/openssh/files/openssh-7.9_p1-X509-11.6-tests.patch b/net-misc/openssh/files/openssh-7.9_p1-X509-11.6-tests.patch deleted file mode 100644 index 9766b1594ea0..000000000000 --- a/net-misc/openssh/files/openssh-7.9_p1-X509-11.6-tests.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -ur openssh-7.9p1.orig/openbsd-compat/regress/Makefile.in openssh-7.9p1/openbsd-compat/regress/Makefile.in ---- openssh-7.9p1.orig/openbsd-compat/regress/Makefile.in 2018-10-16 17:01:20.000000000 -0700 -+++ openssh-7.9p1/openbsd-compat/regress/Makefile.in 2018-12-19 11:03:14.421028691 -0800 -@@ -7,7 +7,7 @@ - CC=@CC@ - LD=@LD@ - CFLAGS=@CFLAGS@ --CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@ -+CPPFLAGS=-I. -I.. -I$(srcdir) -I../.. @CPPFLAGS@ @DEFS@ - EXEEXT=@EXEEXT@ - LIBCOMPAT=../libopenbsd-compat.a - LIBS=@LIBS@ diff --git a/net-misc/openssh/files/openssh-7.9_p1-X509-dont-make-piddir-11.6.patch b/net-misc/openssh/files/openssh-7.9_p1-X509-dont-make-piddir-11.6.patch deleted file mode 100644 index 487b239639a1..000000000000 --- a/net-misc/openssh/files/openssh-7.9_p1-X509-dont-make-piddir-11.6.patch +++ /dev/null @@ -1,16 +0,0 @@ ---- a/openssh-7.9p1+x509-11.6.diff 2018-12-07 17:24:03.211328918 -0800 -+++ b/openssh-7.9p1+x509-11.6.diff 2018-12-07 17:24:13.399262277 -0800 -@@ -40681,12 +40681,11 @@ - - install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config - install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf --@@ -333,6 +351,8 @@ -+@@ -333,6 +351,7 @@ - $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5 - $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8 - $(MKDIR_P) $(DESTDIR)$(libexecdir) - + $(MKDIR_P) $(DESTDIR)$(sshcadir) --+ $(MKDIR_P) $(DESTDIR)$(piddir) - $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH) - $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT) - $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT) diff --git a/net-misc/openssh/files/openssh-7.9_p1-X509-glue-11.6.patch b/net-misc/openssh/files/openssh-7.9_p1-X509-glue-11.6.patch deleted file mode 100644 index b807ac45f79f..000000000000 --- a/net-misc/openssh/files/openssh-7.9_p1-X509-glue-11.6.patch +++ /dev/null @@ -1,28 +0,0 @@ ---- a/openssh-7.9p1+x509-11.6.diff 2018-12-19 10:42:01.241775036 -0800 -+++ b/openssh-7.9p1+x509-11.6.diff 2018-12-19 10:43:33.383140818 -0800 -@@ -45862,7 +45862,7 @@ - ENGINE_register_all_complete(); - +#endif - ---#if OPENSSL_VERSION_NUMBER < 0x10001000L -+-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - + /* OPENSSL_config will load buildin engines and engines - + * specified in configuration file, i.e. method call - + * ENGINE_load_builtin_engines. Latter is only for -@@ -81123,16 +81123,6 @@ - setlocale(LC_CTYPE, "POSIX.UTF-8") != NULL)) - return; - setlocale(LC_CTYPE, "C"); --diff -ruN openssh-7.9p1/version.h openssh-7.9p1+x509-11.6/version.h ----- openssh-7.9p1/version.h 2018-10-17 03:01:20.000000000 +0300 --+++ openssh-7.9p1+x509-11.6/version.h 2018-12-18 20:07:00.000000000 +0200 --@@ -2,5 +2,4 @@ -- -- #define SSH_VERSION "OpenSSH_7.9" -- ---#define SSH_PORTABLE "p1" ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE --+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1" - diff -ruN openssh-7.9p1/version.m4 openssh-7.9p1+x509-11.6/version.m4 - --- openssh-7.9p1/version.m4 1970-01-01 02:00:00.000000000 +0200 - +++ openssh-7.9p1+x509-11.6/version.m4 2018-12-18 20:07:00.000000000 +0200 diff --git a/net-misc/openssh/files/openssh-7.9_p1-hpn-X509-glue.patch b/net-misc/openssh/files/openssh-7.9_p1-hpn-X509-glue.patch deleted file mode 100644 index c76d454c92f8..000000000000 --- a/net-misc/openssh/files/openssh-7.9_p1-hpn-X509-glue.patch +++ /dev/null @@ -1,79 +0,0 @@ ---- temp/openssh-7_8_P1-hpn-AES-CTR-14.16.diff.orig 2018-09-12 15:58:57.377986085 -0700 -+++ temp/openssh-7_8_P1-hpn-AES-CTR-14.16.diff 2018-09-12 16:07:15.376711327 -0700 -@@ -4,8 +4,8 @@ - +++ b/Makefile.in - @@ -42,7 +42,7 @@ CC=@CC@ - LD=@LD@ -- CFLAGS=@CFLAGS@ -- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ -+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA) -+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ - -LIBS=@LIBS@ - +LIBS=@LIBS@ -lpthread - K5LIBS=@K5LIBS@ -@@ -788,8 +788,8 @@ - ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out) - { - struct session_state *state; --- const struct sshcipher *none = cipher_by_name("none"); --+ struct sshcipher *none = cipher_by_name("none"); -+- const struct sshcipher *none = cipher_none(); -++ struct sshcipher *none = cipher_none(); - int r; - - if (none == NULL) { -@@ -933,9 +933,9 @@ - /* Portable-specific options */ - sUsePAM, - + sDisableMTAES, -- /* Standard Options */ -- sPort, sHostKeyFile, sLoginGraceTime, -- sPermitRootLogin, sLogFacility, sLogLevel, -+ /* X.509 Standard Options */ -+ sHostbasedAlgorithms, -+ sPubkeyAlgorithms, - @@ -626,6 +630,7 @@ static struct { - { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, - { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, ---- temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff.orig 2018-09-12 16:38:16.947447218 -0700 -+++ temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 2018-09-12 16:32:35.479700864 -0700 -@@ -382,7 +382,7 @@ - @@ -822,6 +822,10 @@ kex_choose_conf(struct ssh *ssh) - int nenc, nmac, ncomp; - u_int mode, ctos, need, dh_need, authlen; -- int r, first_kex_follows; -+ int r, first_kex_follows = 0; - + int auth_flag; - + - + auth_flag = packet_authentication_state(ssh); -@@ -1125,15 +1125,6 @@ - index a738c3a..b32dbe0 100644 - --- a/sshd.c - +++ b/sshd.c --@@ -373,7 +373,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) -- char remote_version[256]; /* Must be at least as big as buf. */ -- -- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n", --- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, --+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, -- *options.version_addendum == '\0' ? "" : " ", -- options.version_addendum); -- - @@ -1037,6 +1037,8 @@ listen_on_addrs(struct listenaddr *la) - int ret, listen_sock; - struct addrinfo *ai; -@@ -1213,14 +1204,3 @@ - # Example of overriding settings on a per-user basis - #Match User anoncvs - # X11Forwarding no --diff --git a/version.h b/version.h --index f1bbf00..21a70c2 100644 ----- a/version.h --+++ b/version.h --@@ -3,4 +3,5 @@ -- #define SSH_VERSION "OpenSSH_7.8" -- -- #define SSH_PORTABLE "p1" ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE --+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN --+ diff --git a/net-misc/openssh/files/openssh-7.9_p1-hpn-glue.patch b/net-misc/openssh/files/openssh-7.9_p1-hpn-glue.patch deleted file mode 100644 index 0561e3814067..000000000000 --- a/net-misc/openssh/files/openssh-7.9_p1-hpn-glue.patch +++ /dev/null @@ -1,112 +0,0 @@ ---- temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff.orig 2018-09-11 17:19:19.968420409 -0700 -+++ temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 2018-09-11 17:39:19.977535398 -0700 -@@ -409,18 +409,10 @@ - index dcf35e6..da4ced0 100644 - --- a/packet.c - +++ b/packet.c --@@ -920,6 +920,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode) -+@@ -920,6 +920,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode) - return 0; - } - --+/* this supports the forced rekeying required for the NONE cipher */ --+int rekey_requested = 0; --+void --+packet_request_rekeying(void) --+{ --+ rekey_requested = 1; --+} --+ - +/* used to determine if pre or post auth when rekeying for aes-ctr - + * and none cipher switch */ - +int -@@ -434,20 +426,6 @@ - #define MAX_PACKETS (1U<<31) - static int - ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) --@@ -946,6 +964,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) -- if (state->p_send.packets == 0 && state->p_read.packets == 0) -- return 0; -- --+ /* used to force rekeying when called for by the none --+ * cipher switch methods -cjr */ --+ if (rekey_requested == 1) { --+ rekey_requested = 0; --+ return 1; --+ } --+ -- /* Time-based rekeying */ -- if (state->rekey_interval != 0 && -- (int64_t)state->rekey_time + state->rekey_interval <= monotime()) - diff --git a/packet.h b/packet.h - index 170203c..f4d9df2 100644 - --- a/packet.h -@@ -476,9 +454,9 @@ - /* Format of the configuration file: - - @@ -166,6 +167,8 @@ typedef enum { -- oHashKnownHosts, - oTunnel, oTunnelDevice, - oLocalCommand, oPermitLocalCommand, oRemoteCommand, -+ oDisableMTAES, - + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize, - + oNoneEnabled, oNoneSwitch, - oVisualHostKey, -@@ -615,9 +593,9 @@ - int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */ - SyslogFacility log_facility; /* Facility for system logging. */ - @@ -111,7 +115,10 @@ typedef struct { -- - int enable_ssh_keysign; - int64_t rekey_limit; -+ int disable_multithreaded; /*disable multithreaded aes-ctr*/ - + int none_switch; /* Use none cipher */ - + int none_enabled; /* Allow none to be used */ - int rekey_interval; -@@ -673,9 +651,9 @@ - /* Portable-specific options */ - if (options->use_pam == -1) - @@ -391,6 +400,43 @@ fill_default_server_options(ServerOptions *options) -- } -- if (options->permit_tun == -1) - options->permit_tun = SSH_TUNMODE_NO; -+ if (options->disable_multithreaded == -1) -+ options->disable_multithreaded = 0; - + if (options->none_enabled == -1) - + options->none_enabled = 0; - + if (options->hpn_disabled == -1) -@@ -1092,7 +1070,7 @@ - xxx_host = host; - xxx_hostaddr = hostaddr; - --@@ -412,6 +423,28 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host, -+@@ -412,6 +423,27 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host, - - if (!authctxt.success) - fatal("Authentication failed."); -@@ -1117,10 +1095,9 @@ - + fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n"); - + } - + } --+ -- debug("Authentication succeeded (%s).", authctxt.method->name); -- } - -+ #ifdef WITH_OPENSSL -+ if (options.disable_multithreaded == 0) { - diff --git a/sshd.c b/sshd.c - index a738c3a..b32dbe0 100644 - --- a/sshd.c -@@ -1217,11 +1194,10 @@ - index f1bbf00..21a70c2 100644 - --- a/version.h - +++ b/version.h --@@ -3,4 +3,6 @@ -+@@ -3,4 +3,5 @@ - #define SSH_VERSION "OpenSSH_7.8" - - #define SSH_PORTABLE "p1" - -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE --+#define SSH_HPN "-hpn14v16" - +#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN - + diff --git a/net-misc/openssh/files/openssh-7.9_p1-hpn-openssl-1.1.patch b/net-misc/openssh/files/openssh-7.9_p1-hpn-openssl-1.1.patch deleted file mode 100644 index 78b754532740..000000000000 --- a/net-misc/openssh/files/openssh-7.9_p1-hpn-openssl-1.1.patch +++ /dev/null @@ -1,91 +0,0 @@ ---- openssh-7.9p1.orig/cipher-ctr-mt.c 2018-10-24 20:48:00.909255466 -0000 -+++ openssh-7.9p1/cipher-ctr-mt.c 2018-10-24 20:48:17.378155144 -0000 -@@ -46,7 +46,7 @@ - - /*-------------------- TUNABLES --------------------*/ - /* maximum number of threads and queues */ --#define MAX_THREADS 32 -+#define MAX_THREADS 32 - #define MAX_NUMKQ (MAX_THREADS * 2) - - /* Number of pregen threads to use */ -@@ -435,7 +435,7 @@ - destp.u += AES_BLOCK_SIZE; - srcp.u += AES_BLOCK_SIZE; - len -= AES_BLOCK_SIZE; -- ssh_ctr_inc(ctx->iv, AES_BLOCK_SIZE); -+ ssh_ctr_inc(c->aes_counter, AES_BLOCK_SIZE); - - /* Increment read index, switch queues on rollover */ - if ((ridx = (ridx + 1) % KQLEN) == 0) { -@@ -481,8 +481,6 @@ - /* get the number of cores in the system */ - /* if it's not linux it currently defaults to 2 */ - /* divide by 2 to get threads for each direction (MODE_IN||MODE_OUT) */ -- /* NB: assigning a float to an int discards the remainder which is */ -- /* acceptable (and wanted) in this case */ - #ifdef __linux__ - cipher_threads = sysconf(_SC_NPROCESSORS_ONLN) / 2; - #endif /*__linux__*/ -@@ -551,16 +550,16 @@ - } - - if (iv != NULL) { -- memcpy(ctx->iv, iv, AES_BLOCK_SIZE); -+ memcpy(c->aes_counter, iv, AES_BLOCK_SIZE); - c->state |= HAVE_IV; - } - - if (c->state == (HAVE_KEY | HAVE_IV)) { - /* Clear queues */ -- memcpy(c->q[0].ctr, ctx->iv, AES_BLOCK_SIZE); -+ memcpy(c->q[0].ctr, c->aes_counter, AES_BLOCK_SIZE); - c->q[0].qstate = KQINIT; - for (i = 1; i < numkq; i++) { -- memcpy(c->q[i].ctr, ctx->iv, AES_BLOCK_SIZE); -+ memcpy(c->q[i].ctr, c->aes_counter, AES_BLOCK_SIZE); - ssh_ctr_add(c->q[i].ctr, i * KQLEN, AES_BLOCK_SIZE); - c->q[i].qstate = KQEMPTY; - } -@@ -644,8 +643,22 @@ - const EVP_CIPHER * - evp_aes_ctr_mt(void) - { -+# if OPENSSL_VERSION_NUMBER >= 0x10100000UL && !defined(LIBRESSL_VERSION_NUMBER) -+ static EVP_CIPHER *aes_ctr; -+ aes_ctr = EVP_CIPHER_meth_new(NID_undef, 16/*block*/, 16/*key*/); -+ EVP_CIPHER_meth_set_iv_length(aes_ctr, AES_BLOCK_SIZE); -+ EVP_CIPHER_meth_set_init(aes_ctr, ssh_aes_ctr_init); -+ EVP_CIPHER_meth_set_cleanup(aes_ctr, ssh_aes_ctr_cleanup); -+ EVP_CIPHER_meth_set_do_cipher(aes_ctr, ssh_aes_ctr); -+# ifndef SSH_OLD_EVP -+ EVP_CIPHER_meth_set_flags(aes_ctr, EVP_CIPH_CBC_MODE -+ | EVP_CIPH_VARIABLE_LENGTH -+ | EVP_CIPH_ALWAYS_CALL_INIT -+ | EVP_CIPH_CUSTOM_IV); -+# endif /*SSH_OLD_EVP*/ -+ return (aes_ctr); -+# else /*earlier version of openssl*/ - static EVP_CIPHER aes_ctr; -- - memset(&aes_ctr, 0, sizeof(EVP_CIPHER)); - aes_ctr.nid = NID_undef; - aes_ctr.block_size = AES_BLOCK_SIZE; -@@ -654,11 +667,12 @@ - aes_ctr.init = ssh_aes_ctr_init; - aes_ctr.cleanup = ssh_aes_ctr_cleanup; - aes_ctr.do_cipher = ssh_aes_ctr; --#ifndef SSH_OLD_EVP -- aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | -- EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV; --#endif -- return &aes_ctr; -+# ifndef SSH_OLD_EVP -+ aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | -+ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV; -+# endif /*SSH_OLD_EVP*/ -+ return &aes_ctr; -+# endif /*OPENSSH_VERSION_NUMBER*/ - } - - #endif /* defined(WITH_OPENSSL) */ diff --git a/net-misc/openssh/files/openssh-7.9_p1-hpn-sctp-glue.patch b/net-misc/openssh/files/openssh-7.9_p1-hpn-sctp-glue.patch deleted file mode 100644 index a7d51ad94839..000000000000 --- a/net-misc/openssh/files/openssh-7.9_p1-hpn-sctp-glue.patch +++ /dev/null @@ -1,17 +0,0 @@ ---- dd/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff.orig 2018-09-12 18:18:51.851536374 -0700 -+++ dd/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 2018-09-12 18:19:01.116475099 -0700 -@@ -1190,14 +1190,3 @@ - # Example of overriding settings on a per-user basis - #Match User anoncvs - # X11Forwarding no --diff --git a/version.h b/version.h --index f1bbf00..21a70c2 100644 ----- a/version.h --+++ b/version.h --@@ -3,4 +3,5 @@ -- #define SSH_VERSION "OpenSSH_7.8" -- -- #define SSH_PORTABLE "p1" ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE --+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN --+ diff --git a/net-misc/openssh/files/openssh-7.9_p1-openssl-1.0.2-compat.patch b/net-misc/openssh/files/openssh-7.9_p1-openssl-1.0.2-compat.patch deleted file mode 100644 index c1c310e8f14a..000000000000 --- a/net-misc/openssh/files/openssh-7.9_p1-openssl-1.0.2-compat.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c -index 8b4a3627..590b66d1 100644 ---- a/openbsd-compat/openssl-compat.c -+++ b/openbsd-compat/openssl-compat.c -@@ -76,7 +76,7 @@ ssh_OpenSSL_add_all_algorithms(void) - ENGINE_load_builtin_engines(); - ENGINE_register_all_complete(); - --#if OPENSSL_VERSION_NUMBER < 0x10001000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - OPENSSL_config(NULL); - #else - OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS | diff --git a/net-misc/openssh/files/openssh-8.0_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-8.0_p1-GSSAPI-dns.patch deleted file mode 100644 index 04d622191fa6..000000000000 --- a/net-misc/openssh/files/openssh-8.0_p1-GSSAPI-dns.patch +++ /dev/null @@ -1,359 +0,0 @@ -diff --git a/auth.c b/auth.c -index 8696f258..f4cd70a3 100644 ---- a/auth.c -+++ b/auth.c -@@ -723,120 +723,6 @@ fakepw(void) - return (&fake); - } - --/* -- * Returns the remote DNS hostname as a string. The returned string must not -- * be freed. NB. this will usually trigger a DNS query the first time it is -- * called. -- * This function does additional checks on the hostname to mitigate some -- * attacks on legacy rhosts-style authentication. -- * XXX is RhostsRSAAuthentication vulnerable to these? -- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) -- */ -- --static char * --remote_hostname(struct ssh *ssh) --{ -- struct sockaddr_storage from; -- socklen_t fromlen; -- struct addrinfo hints, *ai, *aitop; -- char name[NI_MAXHOST], ntop2[NI_MAXHOST]; -- const char *ntop = ssh_remote_ipaddr(ssh); -- -- /* Get IP address of client. */ -- fromlen = sizeof(from); -- memset(&from, 0, sizeof(from)); -- if (getpeername(ssh_packet_get_connection_in(ssh), -- (struct sockaddr *)&from, &fromlen) < 0) { -- debug("getpeername failed: %.100s", strerror(errno)); -- return strdup(ntop); -- } -- -- ipv64_normalise_mapped(&from, &fromlen); -- if (from.ss_family == AF_INET6) -- fromlen = sizeof(struct sockaddr_in6); -- -- debug3("Trying to reverse map address %.100s.", ntop); -- /* Map the IP address to a host name. */ -- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), -- NULL, 0, NI_NAMEREQD) != 0) { -- /* Host name not found. Use ip address. */ -- return strdup(ntop); -- } -- -- /* -- * if reverse lookup result looks like a numeric hostname, -- * someone is trying to trick us by PTR record like following: -- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 -- */ -- memset(&hints, 0, sizeof(hints)); -- hints.ai_socktype = SOCK_DGRAM; /*dummy*/ -- hints.ai_flags = AI_NUMERICHOST; -- if (getaddrinfo(name, NULL, &hints, &ai) == 0) { -- logit("Nasty PTR record \"%s\" is set up for %s, ignoring", -- name, ntop); -- freeaddrinfo(ai); -- return strdup(ntop); -- } -- -- /* Names are stored in lowercase. */ -- lowercase(name); -- -- /* -- * Map it back to an IP address and check that the given -- * address actually is an address of this host. This is -- * necessary because anyone with access to a name server can -- * define arbitrary names for an IP address. Mapping from -- * name to IP address can be trusted better (but can still be -- * fooled if the intruder has access to the name server of -- * the domain). -- */ -- memset(&hints, 0, sizeof(hints)); -- hints.ai_family = from.ss_family; -- hints.ai_socktype = SOCK_STREAM; -- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { -- logit("reverse mapping checking getaddrinfo for %.700s " -- "[%s] failed.", name, ntop); -- return strdup(ntop); -- } -- /* Look for the address from the list of addresses. */ -- for (ai = aitop; ai; ai = ai->ai_next) { -- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, -- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && -- (strcmp(ntop, ntop2) == 0)) -- break; -- } -- freeaddrinfo(aitop); -- /* If we reached the end of the list, the address was not there. */ -- if (ai == NULL) { -- /* Address not found for the host name. */ -- logit("Address %.100s maps to %.600s, but this does not " -- "map back to the address.", ntop, name); -- return strdup(ntop); -- } -- return strdup(name); --} -- --/* -- * Return the canonical name of the host in the other side of the current -- * connection. The host name is cached, so it is efficient to call this -- * several times. -- */ -- --const char * --auth_get_canonical_hostname(struct ssh *ssh, int use_dns) --{ -- static char *dnsname; -- -- if (!use_dns) -- return ssh_remote_ipaddr(ssh); -- else if (dnsname != NULL) -- return dnsname; -- else { -- dnsname = remote_hostname(ssh); -- return dnsname; -- } --} -- - /* - * Runs command in a subprocess with a minimal environment. - * Returns pid on success, 0 on failure. -diff --git a/canohost.c b/canohost.c -index f71a0856..3e162d8c 100644 ---- a/canohost.c -+++ b/canohost.c -@@ -202,3 +202,117 @@ get_local_port(int sock) - { - return get_sock_port(sock, 1); - } -+ -+/* -+ * Returns the remote DNS hostname as a string. The returned string must not -+ * be freed. NB. this will usually trigger a DNS query the first time it is -+ * called. -+ * This function does additional checks on the hostname to mitigate some -+ * attacks on legacy rhosts-style authentication. -+ * XXX is RhostsRSAAuthentication vulnerable to these? -+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) -+ */ -+ -+static char * -+remote_hostname(struct ssh *ssh) -+{ -+ struct sockaddr_storage from; -+ socklen_t fromlen; -+ struct addrinfo hints, *ai, *aitop; -+ char name[NI_MAXHOST], ntop2[NI_MAXHOST]; -+ const char *ntop = ssh_remote_ipaddr(ssh); -+ -+ /* Get IP address of client. */ -+ fromlen = sizeof(from); -+ memset(&from, 0, sizeof(from)); -+ if (getpeername(ssh_packet_get_connection_in(ssh), -+ (struct sockaddr *)&from, &fromlen) < 0) { -+ debug("getpeername failed: %.100s", strerror(errno)); -+ return strdup(ntop); -+ } -+ -+ ipv64_normalise_mapped(&from, &fromlen); -+ if (from.ss_family == AF_INET6) -+ fromlen = sizeof(struct sockaddr_in6); -+ -+ debug3("Trying to reverse map address %.100s.", ntop); -+ /* Map the IP address to a host name. */ -+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), -+ NULL, 0, NI_NAMEREQD) != 0) { -+ /* Host name not found. Use ip address. */ -+ return strdup(ntop); -+ } -+ -+ /* -+ * if reverse lookup result looks like a numeric hostname, -+ * someone is trying to trick us by PTR record like following: -+ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 -+ */ -+ memset(&hints, 0, sizeof(hints)); -+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/ -+ hints.ai_flags = AI_NUMERICHOST; -+ if (getaddrinfo(name, NULL, &hints, &ai) == 0) { -+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring", -+ name, ntop); -+ freeaddrinfo(ai); -+ return strdup(ntop); -+ } -+ -+ /* Names are stored in lowercase. */ -+ lowercase(name); -+ -+ /* -+ * Map it back to an IP address and check that the given -+ * address actually is an address of this host. This is -+ * necessary because anyone with access to a name server can -+ * define arbitrary names for an IP address. Mapping from -+ * name to IP address can be trusted better (but can still be -+ * fooled if the intruder has access to the name server of -+ * the domain). -+ */ -+ memset(&hints, 0, sizeof(hints)); -+ hints.ai_family = from.ss_family; -+ hints.ai_socktype = SOCK_STREAM; -+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { -+ logit("reverse mapping checking getaddrinfo for %.700s " -+ "[%s] failed.", name, ntop); -+ return strdup(ntop); -+ } -+ /* Look for the address from the list of addresses. */ -+ for (ai = aitop; ai; ai = ai->ai_next) { -+ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, -+ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && -+ (strcmp(ntop, ntop2) == 0)) -+ break; -+ } -+ freeaddrinfo(aitop); -+ /* If we reached the end of the list, the address was not there. */ -+ if (ai == NULL) { -+ /* Address not found for the host name. */ -+ logit("Address %.100s maps to %.600s, but this does not " -+ "map back to the address.", ntop, name); -+ return strdup(ntop); -+ } -+ return strdup(name); -+} -+ -+/* -+ * Return the canonical name of the host in the other side of the current -+ * connection. The host name is cached, so it is efficient to call this -+ * several times. -+ */ -+ -+const char * -+auth_get_canonical_hostname(struct ssh *ssh, int use_dns) -+{ -+ static char *dnsname; -+ -+ if (!use_dns) -+ return ssh_remote_ipaddr(ssh); -+ else if (dnsname != NULL) -+ return dnsname; -+ else { -+ dnsname = remote_hostname(ssh); -+ return dnsname; -+ } -+} -diff --git a/readconf.c b/readconf.c -index 71a5c795..2a8c6990 100644 ---- a/readconf.c -+++ b/readconf.c -@@ -163,6 +163,7 @@ typedef enum { - oClearAllForwardings, oNoHostAuthenticationForLocalhost, - oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, - oAddressFamily, oGssAuthentication, oGssDelegateCreds, -+ oGssTrustDns, - oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, - oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist, - oHashKnownHosts, -@@ -204,9 +205,11 @@ static struct { - #if defined(GSSAPI) - { "gssapiauthentication", oGssAuthentication }, - { "gssapidelegatecredentials", oGssDelegateCreds }, -+ { "gssapitrustdns", oGssTrustDns }, - # else - { "gssapiauthentication", oUnsupported }, - { "gssapidelegatecredentials", oUnsupported }, -+ { "gssapitrustdns", oUnsupported }, - #endif - #ifdef ENABLE_PKCS11 - { "pkcs11provider", oPKCS11Provider }, -@@ -993,6 +996,10 @@ parse_time: - intptr = &options->gss_deleg_creds; - goto parse_flag; - -+ case oGssTrustDns: -+ intptr = &options->gss_trust_dns; -+ goto parse_flag; -+ - case oBatchMode: - intptr = &options->batch_mode; - goto parse_flag; -@@ -1875,6 +1882,7 @@ initialize_options(Options * options) - options->challenge_response_authentication = -1; - options->gss_authentication = -1; - options->gss_deleg_creds = -1; -+ options->gss_trust_dns = -1; - options->password_authentication = -1; - options->kbd_interactive_authentication = -1; - options->kbd_interactive_devices = NULL; -@@ -2023,6 +2031,8 @@ fill_default_options(Options * options) - options->gss_authentication = 0; - if (options->gss_deleg_creds == -1) - options->gss_deleg_creds = 0; -+ if (options->gss_trust_dns == -1) -+ options->gss_trust_dns = 0; - if (options->password_authentication == -1) - options->password_authentication = 1; - if (options->kbd_interactive_authentication == -1) -diff --git a/readconf.h b/readconf.h -index 69c24700..2758b633 100644 ---- a/readconf.h -+++ b/readconf.h -@@ -45,6 +45,7 @@ typedef struct { - /* Try S/Key or TIS, authentication. */ - int gss_authentication; /* Try GSS authentication */ - int gss_deleg_creds; /* Delegate GSS credentials */ -+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */ - int password_authentication; /* Try password - * authentication. */ - int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ -diff --git a/ssh_config.5 b/ssh_config.5 -index b7566782..64897e4e 100644 ---- a/ssh_config.5 -+++ b/ssh_config.5 -@@ -758,6 +758,16 @@ The default is - Forward (delegate) credentials to the server. - The default is - .Cm no . -+Note that this option applies to protocol version 2 connections using GSSAPI. -+.It Cm GSSAPITrustDns -+Set to -+.Dq yes to indicate that the DNS is trusted to securely canonicalize -+the name of the host being connected to. If -+.Dq no, the hostname entered on the -+command line will be passed untouched to the GSSAPI library. -+The default is -+.Dq no . -+This option only applies to protocol version 2 connections using GSSAPI. - .It Cm HashKnownHosts - Indicates that - .Xr ssh 1 -diff --git a/sshconnect2.c b/sshconnect2.c -index dffee90b..a25a32b9 100644 ---- a/sshconnect2.c -+++ b/sshconnect2.c -@@ -698,6 +698,13 @@ userauth_gssapi(struct ssh *ssh) - OM_uint32 min; - int r, ok = 0; - gss_OID mech = NULL; -+ const char *gss_host; -+ -+ if (options.gss_trust_dns) { -+ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns); -+ gss_host = auth_get_canonical_hostname(ssh, 1); -+ } else -+ gss_host = authctxt->host; - - /* Try one GSSAPI method at a time, rather than sending them all at - * once. */ -@@ -712,7 +719,7 @@ userauth_gssapi(struct ssh *ssh) - elements[authctxt->mech_tried]; - /* My DER encoding requires length<128 */ - if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt, -- mech, authctxt->host)) { -+ mech, gss_host)) { - ok = 1; /* Mechanism works */ - } else { - authctxt->mech_tried++; diff --git a/net-misc/openssh/files/openssh-8.0_p1-X509-12.1-tests.patch b/net-misc/openssh/files/openssh-8.0_p1-X509-12.1-tests.patch deleted file mode 100644 index 67a93fe2a0b1..000000000000 --- a/net-misc/openssh/files/openssh-8.0_p1-X509-12.1-tests.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/openbsd-compat/regress/Makefile.in 2019-06-17 10:59:01.210601434 -0700 -+++ b/openbsd-compat/regress/Makefile.in 2019-06-17 10:59:18.753485852 -0700 -@@ -7,7 +7,7 @@ - CC=@CC@ - LD=@LD@ - CFLAGS=@CFLAGS@ --CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@ -+CPPFLAGS=-I. -I.. -I../.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@ - EXEEXT=@EXEEXT@ - LIBCOMPAT=../libopenbsd-compat.a - LIBS=@LIBS@ diff --git a/net-misc/openssh/files/openssh-8.0_p1-fix-an-unreachable-integer-overflow-similar-to-the-XMSS-case.patch b/net-misc/openssh/files/openssh-8.0_p1-fix-an-unreachable-integer-overflow-similar-to-the-XMSS-case.patch deleted file mode 100644 index bffc591ef667..000000000000 --- a/net-misc/openssh/files/openssh-8.0_p1-fix-an-unreachable-integer-overflow-similar-to-the-XMSS-case.patch +++ /dev/null @@ -1,76 +0,0 @@ -https://github.com/openssh/openssh-portable/commit/29e0ecd9b4eb3b9f305e2240351f0c59cad9ef81 - ---- a/sshkey.c -+++ b/sshkey.c -@@ -3209,6 +3209,10 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) - if ((r = sshkey_froms(buf, &k)) != 0 || - (r = sshbuf_get_bignum2(buf, &dsa_priv_key)) != 0) - goto out; -+ if (k->type != type) { -+ r = SSH_ERR_INVALID_FORMAT; -+ goto out; -+ } - if (!DSA_set0_key(k->dsa, NULL, dsa_priv_key)) { - r = SSH_ERR_LIBCRYPTO_ERROR; - goto out; -@@ -3252,6 +3256,11 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) - if ((r = sshkey_froms(buf, &k)) != 0 || - (r = sshbuf_get_bignum2(buf, &exponent)) != 0) - goto out; -+ if (k->type != type || -+ k->ecdsa_nid != sshkey_ecdsa_nid_from_name(tname)) { -+ r = SSH_ERR_INVALID_FORMAT; -+ goto out; -+ } - if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { - r = SSH_ERR_LIBCRYPTO_ERROR; - goto out; -@@ -3296,6 +3305,10 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) - (r = sshbuf_get_bignum2(buf, &rsa_p)) != 0 || - (r = sshbuf_get_bignum2(buf, &rsa_q)) != 0) - goto out; -+ if (k->type != type) { -+ r = SSH_ERR_INVALID_FORMAT; -+ goto out; -+ } - if (!RSA_set0_key(k->rsa, NULL, NULL, rsa_d)) { - r = SSH_ERR_LIBCRYPTO_ERROR; - goto out; -@@ -3333,13 +3346,17 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) - (r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || - (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) - goto out; -+ if (k->type != type) { -+ r = SSH_ERR_INVALID_FORMAT; -+ goto out; -+ } - if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) { - r = SSH_ERR_INVALID_FORMAT; - goto out; - } - k->ed25519_pk = ed25519_pk; - k->ed25519_sk = ed25519_sk; -- ed25519_pk = ed25519_sk = NULL; -+ ed25519_pk = ed25519_sk = NULL; /* transferred */ - break; - #ifdef WITH_XMSS - case KEY_XMSS: -@@ -3370,7 +3387,7 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) - (r = sshbuf_get_string(buf, &xmss_pk, &pklen)) != 0 || - (r = sshbuf_get_string(buf, &xmss_sk, &sklen)) != 0) - goto out; -- if (strcmp(xmss_name, k->xmss_name)) { -+ if (k->type != type || strcmp(xmss_name, k->xmss_name) != 0) { - r = SSH_ERR_INVALID_FORMAT; - goto out; - } -@@ -3877,7 +3894,8 @@ sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase, - } - - /* check that an appropriate amount of auth data is present */ -- if (sshbuf_len(decoded) < encrypted_len + authlen) { -+ if (sshbuf_len(decoded) < authlen || -+ sshbuf_len(decoded) - authlen < encrypted_len) { - r = SSH_ERR_INVALID_FORMAT; - goto out; - } diff --git a/net-misc/openssh/files/openssh-8.0_p1-fix-integer-overflow-in-XMSS-private-key-parsing.patch b/net-misc/openssh/files/openssh-8.0_p1-fix-integer-overflow-in-XMSS-private-key-parsing.patch deleted file mode 100644 index ba0bd02371d4..000000000000 --- a/net-misc/openssh/files/openssh-8.0_p1-fix-integer-overflow-in-XMSS-private-key-parsing.patch +++ /dev/null @@ -1,14 +0,0 @@ -https://github.com/openssh/openssh-portable/commit/a546b17bbaeb12beac4c9aeed56f74a42b18a93a - ---- a/sshkey-xmss.c -+++ b/sshkey-xmss.c -@@ -977,7 +977,8 @@ sshkey_xmss_decrypt_state(const struct sshkey *k, struct sshbuf *encoded, - goto out; - } - /* check that an appropriate amount of auth data is present */ -- if (sshbuf_len(encoded) < encrypted_len + authlen) { -+ if (sshbuf_len(encoded) < authlen || -+ sshbuf_len(encoded) - authlen < encrypted_len) { - r = SSH_ERR_INVALID_FORMAT; - goto out; - } diff --git a/net-misc/openssh/files/openssh-8.0_p1-hpn-X509-glue.patch b/net-misc/openssh/files/openssh-8.0_p1-hpn-X509-glue.patch deleted file mode 100644 index 2a9d3bd2f331..000000000000 --- a/net-misc/openssh/files/openssh-8.0_p1-hpn-X509-glue.patch +++ /dev/null @@ -1,114 +0,0 @@ ---- a/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 2019-04-18 17:07:59.413376785 -0700 -+++ b/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 2019-04-18 20:05:12.622588051 -0700 -@@ -382,7 +382,7 @@ - @@ -822,6 +822,10 @@ kex_choose_conf(struct ssh *ssh) - int nenc, nmac, ncomp; - u_int mode, ctos, need, dh_need, authlen; -- int r, first_kex_follows; -+ int r, first_kex_follows = 0; - + int auth_flag; - + - + auth_flag = packet_authentication_state(ssh); -@@ -441,6 +441,39 @@ - int ssh_packet_get_state(struct ssh *, struct sshbuf *); - int ssh_packet_set_state(struct ssh *, struct sshbuf *); - -+diff --git a/packet.c b/packet.c -+index dcf35e6..9433f08 100644 -+--- a/packet.c -++++ b/packet.c -+@@ -920,6 +920,14 @@ ssh_set_newkeys(struct ssh *ssh, int mode) -+ return 0; -+ } -+ -++/* this supports the forced rekeying required for the NONE cipher */ -++int rekey_requested = 0; -++void -++packet_request_rekeying(void) -++{ -++ rekey_requested = 1; -++} -++ -+ #define MAX_PACKETS (1U<<31) -+ static int -+ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) -+@@ -946,6 +954,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) -+ if (state->p_send.packets == 0 && state->p_read.packets == 0) -+ return 0; -+ -++ /* used to force rekeying when called for by the none -++ * cipher switch and aes-mt-ctr methods -cjr */ -++ if (rekey_requested == 1) { -++ rekey_requested = 0; -++ return 1; -++ } -++ -+ /* Time-based rekeying */ -+ if (state->rekey_interval != 0 && -+ (int64_t)state->rekey_time + state->rekey_interval <= monotime()) - diff --git a/readconf.c b/readconf.c - index db5f2d5..33f18c9 100644 - --- a/readconf.c -@@ -453,10 +486,9 @@ - - /* Format of the configuration file: - --@@ -166,6 +167,8 @@ typedef enum { -+@@ -166,5 +167,7 @@ typedef enum { - oTunnel, oTunnelDevice, - oLocalCommand, oPermitLocalCommand, oRemoteCommand, -- oDisableMTAES, - + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize, - + oNoneEnabled, oNoneSwitch, - oVisualHostKey, -@@ -592,10 +624,9 @@ - int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */ - int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */ - SyslogFacility log_facility; /* Facility for system logging. */ --@@ -111,7 +115,10 @@ typedef struct { -+@@ -111,6 +115,9 @@ typedef struct { - int enable_ssh_keysign; - int64_t rekey_limit; -- int disable_multithreaded; /*disable multithreaded aes-ctr*/ - + int none_switch; /* Use none cipher */ - + int none_enabled; /* Allow none to be used */ - int rekey_interval; -@@ -650,10 +681,8 @@ - - /* Portable-specific options */ - if (options->use_pam == -1) --@@ -391,6 +400,43 @@ fill_default_server_options(ServerOptions *options) -+@@ -391,4 +400,41 @@ fill_default_server_options(ServerOptions *options) - options->permit_tun = SSH_TUNMODE_NO; -- if (options->disable_multithreaded == -1) -- options->disable_multithreaded = 0; - + if (options->none_enabled == -1) - + options->none_enabled = 0; - + if (options->hpn_disabled == -1) -@@ -1095,9 +1124,9 @@ - + fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n"); - + } - + } -+ debug("Authentication succeeded (%s).", authctxt.method->name); -+ } - -- #ifdef WITH_OPENSSL -- if (options.disable_multithreaded == 0) { - diff --git a/sshd.c b/sshd.c - index a738c3a..b32dbe0 100644 - --- a/sshd.c -@@ -1181,14 +1210,3 @@ - # Example of overriding settings on a per-user basis - #Match User anoncvs - # X11Forwarding no --diff --git a/version.h b/version.h --index f1bbf00..21a70c2 100644 ----- a/version.h --+++ b/version.h --@@ -3,4 +3,5 @@ -- #define SSH_VERSION "OpenSSH_7.8" -- -- #define SSH_PORTABLE "p1" ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE --+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN --+ diff --git a/net-misc/openssh/files/openssh-8.0_p1-hpn-glue.patch b/net-misc/openssh/files/openssh-8.0_p1-hpn-glue.patch deleted file mode 100644 index adbfa87af68b..000000000000 --- a/net-misc/openssh/files/openssh-8.0_p1-hpn-glue.patch +++ /dev/null @@ -1,194 +0,0 @@ -diff -ur --exclude '.*.un*' a/openssh-7_8_P1-hpn-AES-CTR-14.16.diff b/openssh-7_8_P1-hpn-AES-CTR-14.16.diff ---- a/openssh-7_8_P1-hpn-AES-CTR-14.16.diff 2019-04-18 15:07:06.748067368 -0700 -+++ b/openssh-7_8_P1-hpn-AES-CTR-14.16.diff 2019-04-18 19:42:26.689298696 -0700 -@@ -998,7 +998,7 @@ - + * so we repoint the define to the multithreaded evp. To start the threads we - + * then force a rekey - + */ --+ const void *cc = ssh_packet_get_send_context(active_state); -++ const void *cc = ssh_packet_get_send_context(ssh); - + - + /* only do this for the ctr cipher. otherwise gcm mode breaks. Don't know why though */ - + if (strstr(cipher_ctx_name(cc), "ctr")) { -@@ -1028,7 +1028,7 @@ - + * so we repoint the define to the multithreaded evp. To start the threads we - + * then force a rekey - + */ --+ const void *cc = ssh_packet_get_send_context(active_state); -++ const void *cc = ssh_packet_get_send_context(ssh); - + - + /* only rekey if necessary. If we don't do this gcm mode cipher breaks */ - + if (strstr(cipher_ctx_name(cc), "ctr")) { -diff -ur --exclude '.*.un*' a/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff b/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff ---- a/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 2019-04-18 15:07:11.289035776 -0700 -+++ b/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 2019-04-18 17:07:59.413376785 -0700 -@@ -162,24 +162,24 @@ - } - - +static int --+channel_tcpwinsz(void) -++channel_tcpwinsz(struct ssh *ssh) - +{ - + u_int32_t tcpwinsz = 0; - + socklen_t optsz = sizeof(tcpwinsz); - + int ret = -1; - + - + /* if we aren't on a socket return 128KB */ --+ if (!packet_connection_is_on_socket()) -++ if (!ssh_packet_connection_is_on_socket(ssh)) - + return 128 * 1024; - + --+ ret = getsockopt(packet_get_connection_in(), -++ ret = getsockopt(ssh_packet_get_connection_in(ssh), - + SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz); - + /* return no more than SSHBUF_SIZE_MAX (currently 256MB) */ - + if ((ret == 0) && tcpwinsz > SSHBUF_SIZE_MAX) - + tcpwinsz = SSHBUF_SIZE_MAX; - + - + debug2("tcpwinsz: tcp connection %d, Receive window: %d", --+ packet_get_connection_in(), tcpwinsz); -++ ssh_packet_get_connection_in(ssh), tcpwinsz); - + return tcpwinsz; - +} - + -@@ -191,7 +191,7 @@ - c->local_window < c->local_window_max/2) && - c->local_consumed > 0) { - + u_int addition = 0; --+ u_int32_t tcpwinsz = channel_tcpwinsz(); -++ u_int32_t tcpwinsz = channel_tcpwinsz(ssh); - + /* adjust max window size if we are in a dynamic environment */ - + if (c->dynamic_window && (tcpwinsz > c->local_window_max)) { - + /* grow the window somewhat aggressively to maintain pressure */ -@@ -409,18 +409,10 @@ - index dcf35e6..da4ced0 100644 - --- a/packet.c - +++ b/packet.c --@@ -920,6 +920,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode) -+@@ -920,6 +920,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode) - return 0; - } - --+/* this supports the forced rekeying required for the NONE cipher */ --+int rekey_requested = 0; --+void --+packet_request_rekeying(void) --+{ --+ rekey_requested = 1; --+} --+ - +/* used to determine if pre or post auth when rekeying for aes-ctr - + * and none cipher switch */ - +int -@@ -434,20 +426,6 @@ - #define MAX_PACKETS (1U<<31) - static int - ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) --@@ -946,6 +964,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) -- if (state->p_send.packets == 0 && state->p_read.packets == 0) -- return 0; -- --+ /* used to force rekeying when called for by the none --+ * cipher switch methods -cjr */ --+ if (rekey_requested == 1) { --+ rekey_requested = 0; --+ return 1; --+ } --+ -- /* Time-based rekeying */ -- if (state->rekey_interval != 0 && -- (int64_t)state->rekey_time + state->rekey_interval <= monotime()) - diff --git a/packet.h b/packet.h - index 170203c..f4d9df2 100644 - --- a/packet.h -@@ -476,9 +454,9 @@ - /* Format of the configuration file: - - @@ -166,6 +167,8 @@ typedef enum { -- oHashKnownHosts, - oTunnel, oTunnelDevice, - oLocalCommand, oPermitLocalCommand, oRemoteCommand, -+ oDisableMTAES, - + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize, - + oNoneEnabled, oNoneSwitch, - oVisualHostKey, -@@ -615,9 +593,9 @@ - int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */ - SyslogFacility log_facility; /* Facility for system logging. */ - @@ -111,7 +115,10 @@ typedef struct { -- - int enable_ssh_keysign; - int64_t rekey_limit; -+ int disable_multithreaded; /*disable multithreaded aes-ctr*/ - + int none_switch; /* Use none cipher */ - + int none_enabled; /* Allow none to be used */ - int rekey_interval; -@@ -673,9 +651,9 @@ - /* Portable-specific options */ - if (options->use_pam == -1) - @@ -391,6 +400,43 @@ fill_default_server_options(ServerOptions *options) -- } -- if (options->permit_tun == -1) - options->permit_tun = SSH_TUNMODE_NO; -+ if (options->disable_multithreaded == -1) -+ options->disable_multithreaded = 0; - + if (options->none_enabled == -1) - + options->none_enabled = 0; - + if (options->hpn_disabled == -1) -@@ -1092,7 +1070,7 @@ - xxx_host = host; - xxx_hostaddr = hostaddr; - --@@ -412,6 +423,28 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host, -+@@ -412,6 +423,27 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host, - - if (!authctxt.success) - fatal("Authentication failed."); -@@ -1108,7 +1086,7 @@ - + memcpy(&myproposal, &myproposal_default, sizeof(myproposal)); - + myproposal[PROPOSAL_ENC_ALGS_STOC] = "none"; - + myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none"; --+ kex_prop2buf(active_state->kex->my, myproposal); -++ kex_prop2buf(ssh->kex->my, myproposal); - + packet_request_rekeying(); - + fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n"); - + } else { -@@ -1117,23 +1095,13 @@ - + fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n"); - + } - + } --+ -- debug("Authentication succeeded (%s).", authctxt.method->name); -- } - -+ #ifdef WITH_OPENSSL -+ if (options.disable_multithreaded == 0) { - diff --git a/sshd.c b/sshd.c - index a738c3a..b32dbe0 100644 - --- a/sshd.c - +++ b/sshd.c --@@ -373,7 +373,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) -- char remote_version[256]; /* Must be at least as big as buf. */ -- -- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n", --- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, --+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, -- *options.version_addendum == '\0' ? "" : " ", -- options.version_addendum); -- - @@ -1037,6 +1037,8 @@ listen_on_addrs(struct listenaddr *la) - int ret, listen_sock; - struct addrinfo *ai; -@@ -1217,11 +1185,10 @@ - index f1bbf00..21a70c2 100644 - --- a/version.h - +++ b/version.h --@@ -3,4 +3,6 @@ -+@@ -3,4 +3,5 @@ - #define SSH_VERSION "OpenSSH_7.8" - - #define SSH_PORTABLE "p1" - -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE --+#define SSH_HPN "-hpn14v16" - +#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN - + diff --git a/net-misc/openssh/files/openssh-8.0_p1-tests.patch b/net-misc/openssh/files/openssh-8.0_p1-tests.patch deleted file mode 100644 index 6b2ae489d0e8..000000000000 --- a/net-misc/openssh/files/openssh-8.0_p1-tests.patch +++ /dev/null @@ -1,43 +0,0 @@ -diff --git a/openbsd-compat/regress/utimensattest.c b/openbsd-compat/regress/utimensattest.c -index a7bc7634..46f79db2 100644 ---- a/openbsd-compat/regress/utimensattest.c -+++ b/openbsd-compat/regress/utimensattest.c -@@ -23,6 +23,7 @@ - #include <stdlib.h> - #include <string.h> - #include <unistd.h> -+#include <time.h> - - #define TMPFILE "utimensat.tmp" - #define TMPFILE2 "utimensat.tmp2" -@@ -88,8 +89,30 @@ main(void) - if (symlink(TMPFILE2, TMPFILE) == -1) - fail("symlink", 0, 0); - -+#ifdef __linux__ -+ /* -+ * The semantics of the original test are wrong on Linux -+ * From the man page for utimensat(): -+ * AT_SYMLINK_NOFOLLOW -+ * If pathname specifies a symbolic link, then update the -+ * timestamps of the link, rather than the file to which it refers. -+ * -+ * So the call will succeed, and update the times on the symlink. -+ */ -+ if (utimensat(AT_FDCWD, TMPFILE, ts, AT_SYMLINK_NOFOLLOW) != -1) { -+ if (fstatat(AT_FDCWD, TMPFILE, &sb, 0) == -1) -+ fail("could not follow and stat symlink", 0, 0); -+ -+ if (sb.st_atim.tv_sec == ts[0].tv_sec -+ && sb.st_atim.tv_nsec == ts[0].tv_nsec -+ && sb.st_mtim.tv_nsec == ts[1].tv_sec -+ && sb.st_mtim.tv_nsec == ts[1].tv_nsec) -+ fail("utimensat followed symlink", 0, 0); -+ } -+#else /* __linux__ */ - if (utimensat(AT_FDCWD, TMPFILE, ts, AT_SYMLINK_NOFOLLOW) != -1) - fail("utimensat followed symlink", 0, 0); -+#endif /* __linux__ */ - - if (!(unlink(TMPFILE) == 0 && unlink(TMPFILE2) == 0)) - fail("unlink", 0, 0); diff --git a/net-misc/openssh/files/openssh-8.2_p1-hpn-14.20-libressl.patch b/net-misc/openssh/files/openssh-8.2_p1-hpn-14.20-libressl.patch new file mode 100644 index 000000000000..aa6eea44107e --- /dev/null +++ b/net-misc/openssh/files/openssh-8.2_p1-hpn-14.20-libressl.patch @@ -0,0 +1,20 @@ +--- a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-04-17 10:31:37.392120799 -0700 ++++ b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-04-17 10:32:46.143684424 -0700 +@@ -672,7 +672,7 @@ + +const EVP_CIPHER * + +evp_aes_ctr_mt(void) + +{ +-+# if OPENSSL_VERSION_NUMBER >= 0x10100000UL +++# if OPENSSL_VERSION_NUMBER >= 0x10100000UL || defined(HAVE_OPAQUE_STRUCTS) + + static EVP_CIPHER *aes_ctr; + + aes_ctr = EVP_CIPHER_meth_new(NID_undef, 16/*block*/, 16/*key*/); + + EVP_CIPHER_meth_set_iv_length(aes_ctr, AES_BLOCK_SIZE); +@@ -701,7 +701,7 @@ + + EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV; + +# endif /*SSH_OLD_EVP*/ + + return &aes_ctr; +-+# endif /*OPENSSH_VERSION_NUMBER*/ +++# endif /*OPENSSL_VERSION_NUMBER*/ + +} + + + +#endif /* defined(WITH_OPENSSL) */ diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml index 22ea5e88361e..bc9c3e6e16dc 100644 --- a/net-misc/openssh/metadata.xml +++ b/net-misc/openssh/metadata.xml @@ -26,11 +26,9 @@ ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and <use> <flag name="bindist">Disable EC/RC5 algorithms in OpenSSL for patent reasons.</flag> <flag name="hpn">Enable high performance ssh</flag> - <flag name="ldap">Add support for storing SSH public keys in LDAP</flag> <flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag> <flag name="livecd">Enable root password logins for live-cd environment.</flag> <flag name="security-key">Include builtin U2F/FIDO support</flag> - <flag name="ssh1">Support the legacy/weak SSH1 protocol</flag> <flag name="ssl">Enable additional crypto algorithms via OpenSSL</flag> <flag name="X509">Adds support for X.509 certificate authentication</flag> <flag name="xmss">Enable XMSS post-quantum authentication algorithm</flag> diff --git a/net-misc/openssh/openssh-7.5_p1-r5.ebuild b/net-misc/openssh/openssh-7.5_p1-r5.ebuild deleted file mode 100644 index ed2f28ee78ec..000000000000 --- a/net-misc/openssh/openssh-7.5_p1-r5.ebuild +++ /dev/null @@ -1,335 +0,0 @@ -# Copyright 1999-2020 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI="5" - -inherit eutils user flag-o-matic multilib autotools pam systemd toolchain-funcs - -# Make it more portable between straight releases -# and _p? releases. -PARCH=${P/_} - -HPN_PATCH="${PARCH}-hpnssh14v12.tar.xz" -SCTP_PATCH="${PN}-7.4_p1-sctp.patch.xz" -LDAP_PATCH="${PN}-lpk-7.5p1-0.3.14.patch.xz" -X509_VER="10.2" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz" - -DESCRIPTION="Port of OpenBSD's free SSH release" -HOMEPAGE="http://www.openssh.org/" -SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz - ${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}} - ${HPN_PATCH:+hpn? ( mirror://gentoo/${HPN_PATCH} )} - ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )} - ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} - " - -LICENSE="BSD GPL-2" -SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 m68k ~mips ppc ppc64 s390 sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" -# Probably want to drop ssl defaulting to on in a future version. -IUSE="abi_mips_n32 audit bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509" -RESTRICT="!test? ( test )" -REQUIRED_USE="ldns? ( ssl ) - pie? ( !static ) - ssh1? ( ssl ) - static? ( !kerberos !pam ) - X509? ( !ldap !sctp ssl ) - test? ( ssl )" - -LIB_DEPEND=" - audit? ( sys-process/audit[static-libs(+)] ) - ldns? ( - net-libs/ldns[static-libs(+)] - !bindist? ( net-libs/ldns[ecdsa,ssl(+)] ) - bindist? ( net-libs/ldns[-ecdsa,ssl(+)] ) - ) - libedit? ( dev-libs/libedit:=[static-libs(+)] ) - sctp? ( net-misc/lksctp-tools[static-libs(+)] ) - selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) - skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] ) - ssl? ( - !libressl? ( - >=dev-libs/openssl-1.0.1:0=[bindist=] - dev-libs/openssl:0=[static-libs(+)] - ) - libressl? ( dev-libs/libressl:0=[static-libs(+)] ) - ) - >=sys-libs/zlib-1.2.3:=[static-libs(+)]" -RDEPEND=" - !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) - pam? ( sys-libs/pam ) - kerberos? ( virtual/krb5 ) - ldap? ( net-nds/openldap )" -DEPEND="${RDEPEND} - static? ( ${LIB_DEPEND} ) - virtual/pkgconfig - virtual/os-headers - sys-devel/autoconf" -RDEPEND="${RDEPEND} - pam? ( >=sys-auth/pambase-20081028 ) - userland_GNU? ( !prefix? ( sys-apps/shadow ) ) - X? ( x11-apps/xauth )" - -S=${WORKDIR}/${PARCH} - -pkg_pretend() { - # this sucks, but i'd rather have people unable to `emerge -u openssh` - # than not be able to log in to their server any more - maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; } - local fail=" - $(use X509 && maybe_fail X509 X509_PATCH) - $(use ldap && maybe_fail ldap LDAP_PATCH) - $(use hpn && maybe_fail hpn HPN_PATCH) - " - fail=$(echo ${fail}) - if [[ -n ${fail} ]] ; then - eerror "Sorry, but this version does not yet support features" - eerror "that you requested: ${fail}" - eerror "Please mask ${PF} for now and check back later:" - eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" - die "booooo" - fi - - # Make sure people who are using tcp wrappers are notified of its removal. #531156 - if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then - ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" - ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please." - fi -} - -save_version() { - # version.h patch conflict avoidence - mv version.h version.h.$1 - cp -f version.h.pristine version.h -} - -src_prepare() { - sed -i \ - -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ - pathnames.h || die - # keep this as we need it to avoid the conflict between LPK and HPN changing - # this file. - cp version.h version.h.pristine - - # don't break .ssh/authorized_keys2 for fun - sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die - - if use X509 ; then - if use hpn ; then - pushd "${WORKDIR}"/${HPN_PATCH%.*.*} >/dev/null - epatch "${FILESDIR}"/${P}-hpn-x509-${X509_VER}-glue.patch - popd >/dev/null - fi - save_version X509 - epatch "${WORKDIR}"/${X509_PATCH%.*} - fi - - if use ldap ; then - epatch "${WORKDIR}"/${LDAP_PATCH%.*} - save_version LPK - fi - - epatch "${FILESDIR}"/${PN}-7.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex - epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch - epatch "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch - epatch "${FILESDIR}"/${PN}-7.5_p1-cross-cache.patch - epatch "${FILESDIR}"/${PN}-7.5_p1-CVE-2017-15906.patch - use X509 || epatch "${FILESDIR}"/${PN}-7.5_p1-s390-seccomp.patch # already included in X509 patch set, #644252 - use X509 || epatch "${WORKDIR}"/${SCTP_PATCH%.*} - use X509 || epatch "${FILESDIR}"/${PN}-7.5_p1-x32-typo.patch - use abi_mips_n32 && epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch - - if use hpn ; then - EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \ - EPATCH_MULTI_MSG="Applying HPN patchset ..." \ - epatch "${WORKDIR}"/${HPN_PATCH%.*.*} - save_version HPN - fi - - tc-export PKG_CONFIG - local sed_args=( - -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" - # Disable PATH reset, trust what portage gives us #254615 - -e 's:^PATH=/:#PATH=/:' - # Disable fortify flags ... our gcc does this for us - -e 's:-D_FORTIFY_SOURCE=2::' - ) - # The -ftrapv flag ICEs on hppa #505182 - use hppa && sed_args+=( - -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' - -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' - ) - # _XOPEN_SOURCE causes header conflicts on Solaris - [[ ${CHOST} == *-solaris* ]] && sed_args+=( - -e 's/-D_XOPEN_SOURCE//' - ) - sed -i "${sed_args[@]}" configure{.ac,} || die - - epatch_user #473004 - - # Now we can build a sane merged version.h - ( - sed '/^#define SSH_RELEASE/d' version.h.* | sort -u - macros=() - for p in HPN LPK X509; do [[ -e version.h.${p} ]] && macros+=( SSH_${p} ) ; done - printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros[*]}" - ) > version.h - - eautoreconf -} - -src_configure() { - addwrite /dev/ptmx - - use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG - use static && append-ldflags -static - - local myconf=( - --with-ldflags="${LDFLAGS}" - --disable-strip - --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run - --sysconfdir="${EPREFIX}"/etc/ssh - --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc - --datadir="${EPREFIX}"/usr/share/openssh - --with-privsep-path="${EPREFIX}"/var/empty - --with-privsep-user=sshd - $(use_with audit audit linux) - $(use_with kerberos kerberos5 "${EPREFIX}"/usr) - # We apply the ldap patch conditionally, so can't pass --without-ldap - # unconditionally else we get unknown flag warnings. - $(use ldap && use_with ldap) - $(use_with ldns) - $(use_with libedit) - $(use_with pam) - $(use_with pie) - $(use X509 || use_with sctp) - $(use_with selinux) - $(use_with skey) - $(use_with ssh1) - $(use_with ssl openssl) - $(use_with ssl md5-passwords) - $(use_with ssl ssl-engine) - ) - - # The seccomp sandbox is broken on x32, so use the older method for now. #553748 - use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit ) - - econf "${myconf[@]}" -} - -src_install() { - emake install-nokeys DESTDIR="${D}" - fperms 600 /etc/ssh/sshd_config - dobin contrib/ssh-copy-id - newinitd "${FILESDIR}"/sshd.rc6.4 sshd - newconfd "${FILESDIR}"/sshd.confd sshd - - newpamd "${FILESDIR}"/sshd.pam_include.2 sshd - if use pam ; then - sed -i \ - -e "/^#UsePAM /s:.*:UsePAM yes:" \ - -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ - -e "/^#PrintMotd /s:.*:PrintMotd no:" \ - -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ - "${ED}"/etc/ssh/sshd_config || die - fi - - # Gentoo tweaks to default config files - cat <<-EOF >> "${ED}"/etc/ssh/sshd_config - - # Allow client to pass locale environment variables #367017 - AcceptEnv LANG LC_* - EOF - cat <<-EOF >> "${ED}"/etc/ssh/ssh_config - - # Send locale environment variables #367017 - SendEnv LANG LC_* - EOF - - if use livecd ; then - sed -i \ - -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \ - "${ED}"/etc/ssh/sshd_config || die - fi - - if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then - insinto /etc/openldap/schema/ - newins openssh-lpk_openldap.schema openssh-lpk.schema - fi - - doman contrib/ssh-copy-id.1 - dodoc CREDITS OVERVIEW README* TODO sshd_config - use X509 || dodoc ChangeLog - - diropts -m 0700 - dodir /etc/skel/.ssh - - systemd_dounit "${FILESDIR}"/sshd.{service,socket} - systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' -} - -src_test() { - local t skipped=() failed=() passed=() - local tests=( interop-tests compat-tests ) - - local shell=$(egetshell "${UID}") - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then - elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" - elog "user, so we will run a subset only." - skipped+=( tests ) - else - tests+=( tests ) - fi - - # It will also attempt to write to the homedir .ssh. - local sshhome=${T}/homedir - mkdir -p "${sshhome}"/.ssh - for t in "${tests[@]}" ; do - # Some tests read from stdin ... - HOMEDIR="${sshhome}" HOME="${sshhome}" \ - emake -k -j1 ${t} </dev/null \ - && passed+=( "${t}" ) \ - || failed+=( "${t}" ) - done - - einfo "Passed tests: ${passed[*]}" - [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}" - [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}" -} - -pkg_preinst() { - enewgroup sshd 22 - enewuser sshd 22 -1 /var/empty sshd -} - -pkg_postinst() { - if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then - elog "Starting with openssh-5.8p1, the server will default to a newer key" - elog "algorithm (ECDSA). You are encouraged to manually update your stored" - elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." - fi - if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then - elog "Starting with openssh-6.9p1, ssh1 support is disabled by default." - fi - if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then - elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." - elog "Make sure to update any configs that you might have. Note that xinetd might" - elog "be an alternative for you as it supports USE=tcpd." - fi - if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518 - elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" - elog "weak sizes. If you rely on these key types, you can re-enable the key types by" - elog "adding to your sshd_config or ~/.ssh/config files:" - elog " PubkeyAcceptedKeyTypes=+ssh-dss" - elog "You should however generate new keys using rsa or ed25519." - - elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" - elog "to 'prohibit-password'. That means password auth for root users no longer works" - elog "out of the box. If you need this, please update your sshd_config explicitly." - fi - if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then - elog "Be aware that by disabling openssl support in openssh, the server and clients" - elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" - elog "and update all clients/servers that utilize them." - fi -} diff --git a/net-misc/openssh/openssh-7.7_p1-r10.ebuild b/net-misc/openssh/openssh-7.7_p1-r10.ebuild deleted file mode 100644 index 9a0e976efb97..000000000000 --- a/net-misc/openssh/openssh-7.7_p1-r10.ebuild +++ /dev/null @@ -1,445 +0,0 @@ -# Copyright 1999-2020 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI="6" - -inherit user flag-o-matic multilib autotools pam systemd toolchain-funcs - -# Make it more portable between straight releases -# and _p? releases. -PARCH=${P/_} - -HPN_VER="14v15-gentoo2" HPN_PATCH="${PARCH}-hpnssh${HPN_VER}.patch.xz" -SCTP_VER="1.1" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz" -X509_VER="11.3.1" X509_PATCH="${PARCH}-x509-${X509_VER}.patch.xz" - -PATCH_SET="openssh-7.7p1-patches-1.2" - -DESCRIPTION="Port of OpenBSD's free SSH release" -HOMEPAGE="https://www.openssh.com/" -SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz - https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz - ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~whissi/dist/openssh/${SCTP_PATCH} )} - ${HPN_PATCH:+hpn? ( https://dev.gentoo.org/~whissi/dist/openssh/${HPN_PATCH} )} - ${X509_PATCH:+X509? ( https://dev.gentoo.org/~whissi/dist/openssh/${X509_PATCH} )} - " - -LICENSE="BSD GPL-2" -SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 m68k ~mips ppc ppc64 s390 sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" -# Probably want to drop ssl defaulting to on in a future version. -IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux skey +ssl static test X X509" -RESTRICT="!test? ( test )" -REQUIRED_USE="ldns? ( ssl ) - pie? ( !static ) - static? ( !kerberos !pam ) - X509? ( !sctp ssl ) - test? ( ssl )" - -LIB_DEPEND=" - audit? ( sys-process/audit[static-libs(+)] ) - ldns? ( - net-libs/ldns[static-libs(+)] - !bindist? ( net-libs/ldns[ecdsa,ssl(+)] ) - bindist? ( net-libs/ldns[-ecdsa,ssl(+)] ) - ) - libedit? ( dev-libs/libedit:=[static-libs(+)] ) - sctp? ( net-misc/lksctp-tools[static-libs(+)] ) - selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) - skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] ) - ssl? ( - !libressl? ( - >=dev-libs/openssl-1.0.1:0=[bindist=] - dev-libs/openssl:0=[static-libs(+)] - ) - libressl? ( dev-libs/libressl:0=[static-libs(+)] ) - ) - >=sys-libs/zlib-1.2.3:=[static-libs(+)]" -RDEPEND=" - !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) - pam? ( sys-libs/pam ) - kerberos? ( virtual/krb5 )" -DEPEND="${RDEPEND} - static? ( ${LIB_DEPEND} ) - virtual/pkgconfig - virtual/os-headers - sys-devel/autoconf" -RDEPEND="${RDEPEND} - pam? ( >=sys-auth/pambase-20081028 ) - userland_GNU? ( !prefix? ( sys-apps/shadow ) ) - X? ( x11-apps/xauth )" - -S="${WORKDIR}/${PARCH}" - -pkg_pretend() { - # this sucks, but i'd rather have people unable to `emerge -u openssh` - # than not be able to log in to their server any more - maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; } - local fail=" - $(use hpn && maybe_fail hpn HPN_PATCH) - $(use sctp && maybe_fail sctp SCTP_PATCH) - $(use X509 && maybe_fail X509 X509_PATCH) - " - fail=$(echo ${fail}) - if [[ -n ${fail} ]] ; then - eerror "Sorry, but this version does not yet support features" - eerror "that you requested: ${fail}" - eerror "Please mask ${PF} for now and check back later:" - eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" - die "booooo" - fi - - # Make sure people who are using tcp wrappers are notified of its removal. #531156 - if grep -qs '^ *sshd *:' "${EROOT%/}"/etc/hosts.{allow,deny} ; then - ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" - ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please." - fi -} - -src_prepare() { - sed -i \ - -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ - pathnames.h || die - - # don't break .ssh/authorized_keys2 for fun - sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die - - eapply "${FILESDIR}"/${PN}-7.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex - eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch - eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch - - local PATCHSET_VERSION_MACROS=() - - if use X509 ; then - eapply "${WORKDIR}"/${X509_PATCH%.*} - - # We need to patch package version or any X.509 sshd will reject our ssh client - # with "userauth_pubkey: could not parse key: string is too large [preauth]" - # error - einfo "Patching package version for X.509 patch set ..." - sed -i \ - -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \ - "${S}"/configure.ac || die "Failed to patch package version for X.509 patch" - - einfo "Patching version.h to expose X.509 patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \ - "${S}"/version.h || die "Failed to sed-in X.509 patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_X509' ) - - einfo "Disabling broken X.509 agent test ..." - sed -i \ - -e "/^ agent$/d" \ - "${S}"/tests/CA/config || die "Failed to disable broken X.509 agent test" - - # The following patches don't apply on top of X509 patch - rm "${WORKDIR}"/patch/2002_all_openssh-7.7p1_upstream_bug2840.patch || die - rm "${WORKDIR}"/patch/2009_all_openssh-7.7p1_make-shell-tests-portable.patch || die - rm "${WORKDIR}"/patch/2016_all_openssh-7.7p1_implement-EMFILE-mitigation-for-ssh-agent.patch || die - rm "${WORKDIR}"/patch/2025_all_openssh-7.7p1_prefer-argv0-to-ssh-when-re-executing-ssh-for-proxyjump.patch || die - else - rm "${WORKDIR}"/patch/2016_all_openssh-7.7p1-X509_implement-EMFILE-mitigation-for-ssh-agent.patch || die - rm "${WORKDIR}"/patch/2025_all_openssh-7.7p1-X509_prefer-argv0-to-ssh-when-re-executing-ssh-for-proxyjump.patch || die - fi - - if use sctp ; then - eapply "${WORKDIR}"/${SCTP_PATCH%.*} - - einfo "Patching version.h to expose SCTP patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \ - "${S}"/version.h || die "Failed to sed-in SCTP patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' ) - - einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..." - sed -i \ - -e "/\t\tcfgparse \\\/d" \ - "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch" - fi - - if use hpn ; then - eapply "${WORKDIR}"/${HPN_PATCH%.*} - - einfo "Patching Makefile.in for HPN patch set ..." - sed -i \ - -e "/^LIBS=/ s/\$/ -lpthread/" \ - "${S}"/Makefile.in || die "Failed to patch Makefile.in" - - einfo "Patching version.h to expose HPN patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER}\"" \ - "${S}"/version.h || die "Failed to sed-in HPN patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_HPN' ) - - if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then - einfo "Disabling known non-working MT AES cipher per default ..." - - cat > "${T}"/disable_mtaes.conf <<- EOF - - # HPN's Multi-Threaded AES CTR cipher is currently known to be broken - # and therefore disabled per default. - DisableMTAES yes - EOF - sed -i \ - -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \ - "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config" - - sed -i \ - -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \ - "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config" - fi - fi - - if use X509 || use hpn ; then - einfo "Patching packet.c for X509 and/or HPN patch set ..." - sed -i \ - -e "s/const struct sshcipher/struct sshcipher/" \ - "${S}"/packet.c || die "Failed to patch ssh_packet_set_connection() (packet.c)" - fi - - if use X509 || use sctp || use hpn ; then - einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..." - sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)" - - einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..." - sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)" - - einfo "Patching version.h to add our patch sets to SSH_RELEASE ..." - sed -i \ - -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \ - "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)" - fi - - sed -i \ - -e "/#UseLogin no/d" \ - "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)" - - eapply "${WORKDIR}"/patch/*.patch - - eapply_user #473004 - - tc-export PKG_CONFIG - local sed_args=( - -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" - # Disable PATH reset, trust what portage gives us #254615 - -e 's:^PATH=/:#PATH=/:' - # Disable fortify flags ... our gcc does this for us - -e 's:-D_FORTIFY_SOURCE=2::' - ) - - # The -ftrapv flag ICEs on hppa #505182 - use hppa && sed_args+=( - -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' - -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' - ) - # _XOPEN_SOURCE causes header conflicts on Solaris - [[ ${CHOST} == *-solaris* ]] && sed_args+=( - -e 's/-D_XOPEN_SOURCE//' - ) - sed -i "${sed_args[@]}" configure{.ac,} || die - - eautoreconf -} - -src_configure() { - addwrite /dev/ptmx - - use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG - use static && append-ldflags -static - - local myconf=( - --with-ldflags="${LDFLAGS}" - --disable-strip - --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run - --sysconfdir="${EPREFIX}"/etc/ssh - --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc - --datadir="${EPREFIX}"/usr/share/openssh - --with-privsep-path="${EPREFIX}"/var/empty - --with-privsep-user=sshd - $(use_with audit audit linux) - $(use_with kerberos kerberos5 "${EPREFIX}"/usr) - # We apply the sctp patch conditionally, so can't pass --without-sctp - # unconditionally else we get unknown flag warnings. - $(use sctp && use_with sctp) - $(use_with ldns) - $(use_with libedit) - $(use_with pam) - $(use_with pie) - $(use_with selinux) - $(use_with skey) - $(use_with ssl openssl) - $(use_with ssl md5-passwords) - $(use_with ssl ssl-engine) - $(use_with !elibc_Cygwin hardening) #659210 - ) - - # stackprotect is broken on musl x86 - use elibc_musl && use x86 && myconf+=( --without-stackprotect ) - - # The seccomp sandbox is broken on x32, so use the older method for now. #553748 - use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit ) - - econf "${myconf[@]}" -} - -src_test() { - local t skipped=() failed=() passed=() - local tests=( interop-tests compat-tests ) - - local shell=$(egetshell "${UID}") - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then - elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" - elog "user, so we will run a subset only." - skipped+=( tests ) - else - tests+=( tests ) - fi - - # It will also attempt to write to the homedir .ssh. - local sshhome=${T}/homedir - mkdir -p "${sshhome}"/.ssh - for t in "${tests[@]}" ; do - # Some tests read from stdin ... - HOMEDIR="${sshhome}" HOME="${sshhome}" \ - emake -k -j1 ${t} </dev/null \ - && passed+=( "${t}" ) \ - || failed+=( "${t}" ) - done - - einfo "Passed tests: ${passed[*]}" - [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}" - [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}" -} - -# Gentoo tweaks to default config files. -tweak_ssh_configs() { - local locale_vars=( - # These are language variables that POSIX defines. - # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02 - LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME - - # These are the GNU extensions. - # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html - LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE - ) - - # First the server config. - cat <<-EOF >> "${ED%/}"/etc/ssh/sshd_config - - # Allow client to pass locale environment variables. #367017 - AcceptEnv ${locale_vars[*]} - - # Allow client to pass COLORTERM to match TERM. #658540 - AcceptEnv COLORTERM - EOF - - # Then the client config. - cat <<-EOF >> "${ED%/}"/etc/ssh/ssh_config - - # Send locale environment variables. #367017 - SendEnv ${locale_vars[*]} - - # Send COLORTERM to match TERM. #658540 - SendEnv COLORTERM - EOF - - if use pam ; then - sed -i \ - -e "/^#UsePAM /s:.*:UsePAM yes:" \ - -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ - -e "/^#PrintMotd /s:.*:PrintMotd no:" \ - -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ - "${ED%/}"/etc/ssh/sshd_config || die - fi - - if use livecd ; then - sed -i \ - -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \ - "${ED%/}"/etc/ssh/sshd_config || die - fi -} - -src_install() { - emake install-nokeys DESTDIR="${D}" - fperms 600 /etc/ssh/sshd_config - dobin contrib/ssh-copy-id - newinitd "${FILESDIR}"/sshd.initd sshd - newconfd "${FILESDIR}"/sshd-r1.confd sshd - - newpamd "${FILESDIR}"/sshd.pam_include.2 sshd - - tweak_ssh_configs - - doman contrib/ssh-copy-id.1 - dodoc CREDITS OVERVIEW README* TODO sshd_config - use hpn && dodoc HPN-README - use X509 || dodoc ChangeLog - - diropts -m 0700 - dodir /etc/skel/.ssh - - keepdir /var/empty - - systemd_dounit "${FILESDIR}"/sshd.{service,socket} - systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' -} - -pkg_preinst() { - enewgroup sshd 22 - enewuser sshd 22 -1 /var/empty sshd -} - -pkg_postinst() { - if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then - elog "Starting with openssh-5.8p1, the server will default to a newer key" - elog "algorithm (ECDSA). You are encouraged to manually update your stored" - elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." - fi - if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then - elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." - elog "Make sure to update any configs that you might have. Note that xinetd might" - elog "be an alternative for you as it supports USE=tcpd." - fi - if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518 - elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" - elog "weak sizes. If you rely on these key types, you can re-enable the key types by" - elog "adding to your sshd_config or ~/.ssh/config files:" - elog " PubkeyAcceptedKeyTypes=+ssh-dss" - elog "You should however generate new keys using rsa or ed25519." - - elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" - elog "to 'prohibit-password'. That means password auth for root users no longer works" - elog "out of the box. If you need this, please update your sshd_config explicitly." - fi - if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then - elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely." - elog "Furthermore, rsa keys with less than 1024 bits will be refused." - fi - if has_version "<${CATEGORY}/${PN}-7.7_p1" ; then - elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality." - elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option" - elog "if you need to authenticate against LDAP." - elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details." - fi - if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then - elog "Be aware that by disabling openssl support in openssh, the server and clients" - elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" - elog "and update all clients/servers that utilize them." - fi - - if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then - elog "" - elog "HPN's multi-threaded AES CTR cipher is currently known to be broken" - elog "and therefore disabled at runtime per default." - elog "Make sure your sshd_config is up to date and contains" - elog "" - elog " DisableMTAES yes" - elog "" - elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher." - elog "" - fi -} diff --git a/net-misc/openssh/openssh-7.9_p1-r5.ebuild b/net-misc/openssh/openssh-7.9_p1-r5.ebuild deleted file mode 100644 index 0eedfd4b682e..000000000000 --- a/net-misc/openssh/openssh-7.9_p1-r5.ebuild +++ /dev/null @@ -1,468 +0,0 @@ -# Copyright 1999-2020 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=6 - -inherit user flag-o-matic multilib autotools pam systemd toolchain-funcs - -# Make it more portable between straight releases -# and _p? releases. -PARCH=${P/_} -#HPN_PV="${PV^^}" -HPN_PV="7.8_P1" - -HPN_VER="14.16" -HPN_PATCHES=( - ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff - ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff -) - -SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz" -X509_VER="11.6" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" - -PATCH_SET="openssh-7.9p1-patches-1.0" - -DESCRIPTION="Port of OpenBSD's free SSH release" -HOMEPAGE="https://www.openssh.com/" -SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz - https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz - ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~whissi/dist/openssh/${SCTP_PATCH} )} - ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )} - ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} - " - -LICENSE="BSD GPL-2" -SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 m68k ~mips ppc ppc64 s390 sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" -# Probably want to drop ssl defaulting to on in a future version. -IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509" -RESTRICT="!test? ( test )" -REQUIRED_USE="ldns? ( ssl ) - pie? ( !static ) - static? ( !kerberos !pam ) - X509? ( !sctp ssl ) - test? ( ssl )" - -LIB_DEPEND=" - audit? ( sys-process/audit[static-libs(+)] ) - ldns? ( - net-libs/ldns[static-libs(+)] - !bindist? ( net-libs/ldns[ecdsa,ssl(+)] ) - bindist? ( net-libs/ldns[-ecdsa,ssl(+)] ) - ) - libedit? ( dev-libs/libedit:=[static-libs(+)] ) - sctp? ( net-misc/lksctp-tools[static-libs(+)] ) - selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) - ssl? ( - !libressl? ( - || ( - ( - >=dev-libs/openssl-1.0.1:0[bindist=] - <dev-libs/openssl-1.1.0:0[bindist=] - ) - >=dev-libs/openssl-1.1.0g:0[bindist=] - ) - dev-libs/openssl:0=[static-libs(+)] - ) - libressl? ( dev-libs/libressl:0=[static-libs(+)] ) - ) - >=sys-libs/zlib-1.2.3:=[static-libs(+)]" -RDEPEND=" - !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) - pam? ( sys-libs/pam ) - kerberos? ( virtual/krb5 )" -DEPEND="${RDEPEND} - static? ( ${LIB_DEPEND} ) - virtual/pkgconfig - virtual/os-headers - sys-devel/autoconf" -RDEPEND="${RDEPEND} - pam? ( >=sys-auth/pambase-20081028 ) - userland_GNU? ( !prefix? ( sys-apps/shadow ) ) - X? ( x11-apps/xauth )" - -S="${WORKDIR}/${PARCH}" - -pkg_pretend() { - # this sucks, but i'd rather have people unable to `emerge -u openssh` - # than not be able to log in to their server any more - maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; } - local fail=" - $(use hpn && maybe_fail hpn HPN_VER) - $(use sctp && maybe_fail sctp SCTP_PATCH) - $(use X509 && maybe_fail X509 X509_PATCH) - " - fail=$(echo ${fail}) - if [[ -n ${fail} ]] ; then - eerror "Sorry, but this version does not yet support features" - eerror "that you requested: ${fail}" - eerror "Please mask ${PF} for now and check back later:" - eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" - die "booooo" - fi - - # Make sure people who are using tcp wrappers are notified of its removal. #531156 - if grep -qs '^ *sshd *:' "${EROOT%/}"/etc/hosts.{allow,deny} ; then - ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" - ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please." - fi -} - -src_prepare() { - sed -i \ - -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ - pathnames.h || die - - # don't break .ssh/authorized_keys2 for fun - sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die - - eapply "${FILESDIR}"/${PN}-7.9_p1-openssl-1.0.2-compat.patch - eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch - eapply "${FILESDIR}"/${PN}-7.8_p1-GSSAPI-dns.patch #165444 integrated into gsskex - eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch - eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch - - if use X509 ; then - # patch doesn't apply due to X509 modifications - rm \ - "${WORKDIR}"/patches/0001-fix-key-type-check.patch \ - "${WORKDIR}"/patches/0002-request-rsa-sha2-cert-signatures.patch \ - || die - else - eapply "${FILESDIR}"/${PN}-7.9_p1-CVE-2018-20685.patch # X509 patch set includes this patch - fi - - [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches - - local PATCHSET_VERSION_MACROS=() - - if use X509 ; then - pushd "${WORKDIR}" || die - eapply "${FILESDIR}/${P}-X509-glue-${X509_VER}.patch" - eapply "${FILESDIR}/${P}-X509-dont-make-piddir-${X509_VER}.patch" - popd || die - - if use hpn ; then - einfo "Will disable MT AES cipher due to incompatbility caused by X509 patch set" - HPN_DISABLE_MTAES=1 - fi - - eapply "${WORKDIR}"/${X509_PATCH%.*} - eapply "${FILESDIR}"/${P}-X509-${X509_VER}-tests.patch - - # We need to patch package version or any X.509 sshd will reject our ssh client - # with "userauth_pubkey: could not parse key: string is too large [preauth]" - # error - einfo "Patching package version for X.509 patch set ..." - sed -i \ - -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \ - "${S}"/configure.ac || die "Failed to patch package version for X.509 patch" - - einfo "Patching version.h to expose X.509 patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \ - "${S}"/version.h || die "Failed to sed-in X.509 patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_X509' ) - fi - - if use sctp ; then - eapply "${WORKDIR}"/${SCTP_PATCH%.*} - - einfo "Patching version.h to expose SCTP patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \ - "${S}"/version.h || die "Failed to sed-in SCTP patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' ) - - einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..." - sed -i \ - -e "/\t\tcfgparse \\\/d" \ - "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch" - fi - - if use hpn ; then - local hpn_patchdir="${T}/${P}-hpn${HPN_VER}" - mkdir "${hpn_patchdir}" - cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" - pushd "${hpn_patchdir}" - eapply "${FILESDIR}"/${P}-hpn-glue.patch - use X509 && eapply "${FILESDIR}"/${P}-hpn-X509-glue.patch - use sctp && eapply "${FILESDIR}"/${P}-hpn-sctp-glue.patch - popd - - eapply "${hpn_patchdir}" - eapply "${FILESDIR}/openssh-7.9_p1-hpn-openssl-1.1.patch" - - einfo "Patching Makefile.in for HPN patch set ..." - sed -i \ - -e "/^LIBS=/ s/\$/ -lpthread/" \ - "${S}"/Makefile.in || die "Failed to patch Makefile.in" - - einfo "Patching version.h to expose HPN patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \ - "${S}"/version.h || die "Failed to sed-in HPN patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_HPN' ) - - if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then - einfo "Disabling known non-working MT AES cipher per default ..." - - cat > "${T}"/disable_mtaes.conf <<- EOF - - # HPN's Multi-Threaded AES CTR cipher is currently known to be broken - # and therefore disabled per default. - DisableMTAES yes - EOF - sed -i \ - -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \ - "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config" - - sed -i \ - -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \ - "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config" - fi - fi - - if use X509 || use sctp || use hpn ; then - einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..." - sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)" - - einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..." - sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)" - - einfo "Patching version.h to add our patch sets to SSH_RELEASE ..." - sed -i \ - -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \ - "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)" - fi - - sed -i \ - -e "/#UseLogin no/d" \ - "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)" - - eapply_user #473004 - - tc-export PKG_CONFIG - local sed_args=( - -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" - # Disable PATH reset, trust what portage gives us #254615 - -e 's:^PATH=/:#PATH=/:' - # Disable fortify flags ... our gcc does this for us - -e 's:-D_FORTIFY_SOURCE=2::' - ) - - # The -ftrapv flag ICEs on hppa #505182 - use hppa && sed_args+=( - -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' - -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' - ) - # _XOPEN_SOURCE causes header conflicts on Solaris - [[ ${CHOST} == *-solaris* ]] && sed_args+=( - -e 's/-D_XOPEN_SOURCE//' - ) - sed -i "${sed_args[@]}" configure{.ac,} || die - - eautoreconf -} - -src_configure() { - addwrite /dev/ptmx - - use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG - use static && append-ldflags -static - - local myconf=( - --with-ldflags="${LDFLAGS}" - --disable-strip - --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run - --sysconfdir="${EPREFIX}"/etc/ssh - --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc - --datadir="${EPREFIX}"/usr/share/openssh - --with-privsep-path="${EPREFIX}"/var/empty - --with-privsep-user=sshd - $(use_with audit audit linux) - $(use_with kerberos kerberos5 "${EPREFIX}"/usr) - # We apply the sctp patch conditionally, so can't pass --without-sctp - # unconditionally else we get unknown flag warnings. - $(use sctp && use_with sctp) - $(use_with ldns ldns "${EPREFIX}"/usr) - $(use_with libedit) - $(use_with pam) - $(use_with pie) - $(use_with selinux) - $(use_with ssl openssl) - $(use_with ssl md5-passwords) - $(use_with ssl ssl-engine) - $(use_with !elibc_Cygwin hardening) #659210 - ) - - # stackprotect is broken on musl x86 and ppc - use elibc_musl && ( use x86 || use ppc ) && myconf+=( --without-stackprotect ) - - # The seccomp sandbox is broken on x32, so use the older method for now. #553748 - use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit ) - - econf "${myconf[@]}" -} - -src_test() { - local t skipped=() failed=() passed=() - local tests=( interop-tests compat-tests ) - - local shell=$(egetshell "${UID}") - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then - elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" - elog "user, so we will run a subset only." - skipped+=( tests ) - else - tests+=( tests ) - fi - - # It will also attempt to write to the homedir .ssh. - local sshhome=${T}/homedir - mkdir -p "${sshhome}"/.ssh - for t in "${tests[@]}" ; do - # Some tests read from stdin ... - HOMEDIR="${sshhome}" HOME="${sshhome}" \ - emake -k -j1 ${t} </dev/null \ - && passed+=( "${t}" ) \ - || failed+=( "${t}" ) - done - - einfo "Passed tests: ${passed[*]}" - [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}" - [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}" -} - -# Gentoo tweaks to default config files. -tweak_ssh_configs() { - local locale_vars=( - # These are language variables that POSIX defines. - # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02 - LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME - - # These are the GNU extensions. - # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html - LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE - ) - - # First the server config. - cat <<-EOF >> "${ED%/}"/etc/ssh/sshd_config - - # Allow client to pass locale environment variables. #367017 - AcceptEnv ${locale_vars[*]} - - # Allow client to pass COLORTERM to match TERM. #658540 - AcceptEnv COLORTERM - EOF - - # Then the client config. - cat <<-EOF >> "${ED%/}"/etc/ssh/ssh_config - - # Send locale environment variables. #367017 - SendEnv ${locale_vars[*]} - - # Send COLORTERM to match TERM. #658540 - SendEnv COLORTERM - EOF - - if use pam ; then - sed -i \ - -e "/^#UsePAM /s:.*:UsePAM yes:" \ - -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ - -e "/^#PrintMotd /s:.*:PrintMotd no:" \ - -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ - "${ED%/}"/etc/ssh/sshd_config || die - fi - - if use livecd ; then - sed -i \ - -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \ - "${ED%/}"/etc/ssh/sshd_config || die - fi -} - -src_install() { - emake install-nokeys DESTDIR="${D}" - fperms 600 /etc/ssh/sshd_config - dobin contrib/ssh-copy-id - newinitd "${FILESDIR}"/sshd-r1.initd sshd - newconfd "${FILESDIR}"/sshd-r1.confd sshd - - newpamd "${FILESDIR}"/sshd.pam_include.2 sshd - - tweak_ssh_configs - - doman contrib/ssh-copy-id.1 - dodoc CREDITS OVERVIEW README* TODO sshd_config - use hpn && dodoc HPN-README - use X509 || dodoc ChangeLog - - diropts -m 0700 - dodir /etc/skel/.ssh - - keepdir /var/empty - - systemd_dounit "${FILESDIR}"/sshd.{service,socket} - systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' -} - -pkg_preinst() { - enewgroup sshd 22 - enewuser sshd 22 -1 /var/empty sshd -} - -pkg_postinst() { - if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then - elog "Starting with openssh-5.8p1, the server will default to a newer key" - elog "algorithm (ECDSA). You are encouraged to manually update your stored" - elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." - fi - if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then - elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." - elog "Make sure to update any configs that you might have. Note that xinetd might" - elog "be an alternative for you as it supports USE=tcpd." - fi - if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518 - elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" - elog "weak sizes. If you rely on these key types, you can re-enable the key types by" - elog "adding to your sshd_config or ~/.ssh/config files:" - elog " PubkeyAcceptedKeyTypes=+ssh-dss" - elog "You should however generate new keys using rsa or ed25519." - - elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" - elog "to 'prohibit-password'. That means password auth for root users no longer works" - elog "out of the box. If you need this, please update your sshd_config explicitly." - fi - if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then - elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely." - elog "Furthermore, rsa keys with less than 1024 bits will be refused." - fi - if has_version "<${CATEGORY}/${PN}-7.7_p1" ; then - elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality." - elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option" - elog "if you need to authenticate against LDAP." - elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details." - fi - if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then - elog "Be aware that by disabling openssl support in openssh, the server and clients" - elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" - elog "and update all clients/servers that utilize them." - fi - - if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then - elog "" - elog "HPN's multi-threaded AES CTR cipher is currently known to be broken" - elog "and therefore disabled at runtime per default." - elog "Make sure your sshd_config is up to date and contains" - elog "" - elog " DisableMTAES yes" - elog "" - elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher." - elog "" - fi -} diff --git a/net-misc/openssh/openssh-8.0_p1-r5.ebuild b/net-misc/openssh/openssh-8.0_p1-r5.ebuild deleted file mode 100644 index f292c8e6b003..000000000000 --- a/net-misc/openssh/openssh-8.0_p1-r5.ebuild +++ /dev/null @@ -1,465 +0,0 @@ -# Copyright 1999-2020 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=6 - -inherit user-info eapi7-ver flag-o-matic multilib autotools pam systemd toolchain-funcs - -# Make it more portable between straight releases -# and _p? releases. -PARCH=${P/_} -#HPN_PV="${PV^^}" -HPN_PV="7.8_P1" - -HPN_VER="14.16" -HPN_PATCHES=( - ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff - ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff -) - -SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz" -X509_VER="12.1-gentoo" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" - -PATCH_SET="openssh-7.9p1-patches-1.0" - -DESCRIPTION="Port of OpenBSD's free SSH release" -HOMEPAGE="https://www.openssh.com/" -SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz - ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~whissi/dist/openssh/${SCTP_PATCH} )} - ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )} - ${X509_PATCH:+X509? ( https://dev.gentoo.org/~whissi/dist/openssh/${X509_PATCH} )} - " - -LICENSE="BSD GPL-2" -SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 m68k ~mips ppc ppc64 ~riscv s390 sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" -# Probably want to drop ssl defaulting to on in a future version. -IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509 xmss" -RESTRICT="!test? ( test )" -REQUIRED_USE="ldns? ( ssl ) - pie? ( !static ) - static? ( !kerberos !pam ) - X509? ( !sctp ssl ) - test? ( ssl )" - -LIB_DEPEND=" - audit? ( sys-process/audit[static-libs(+)] ) - ldns? ( - net-libs/ldns[static-libs(+)] - !bindist? ( net-libs/ldns[ecdsa,ssl(+)] ) - bindist? ( net-libs/ldns[-ecdsa,ssl(+)] ) - ) - libedit? ( dev-libs/libedit:=[static-libs(+)] ) - sctp? ( net-misc/lksctp-tools[static-libs(+)] ) - selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) - ssl? ( - !libressl? ( - || ( - ( - >=dev-libs/openssl-1.0.1:0[bindist=] - <dev-libs/openssl-1.1.0:0[bindist=] - ) - >=dev-libs/openssl-1.1.0g:0[bindist=] - ) - dev-libs/openssl:0=[static-libs(+)] - ) - libressl? ( dev-libs/libressl:0=[static-libs(+)] ) - ) - >=sys-libs/zlib-1.2.3:=[static-libs(+)]" -RDEPEND=" - acct-group/sshd - acct-user/sshd - !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) - pam? ( sys-libs/pam ) - kerberos? ( virtual/krb5 )" -DEPEND="${RDEPEND} - static? ( ${LIB_DEPEND} ) - virtual/pkgconfig - virtual/os-headers - sys-devel/autoconf" -RDEPEND="${RDEPEND} - pam? ( >=sys-auth/pambase-20081028 ) - userland_GNU? ( !prefix? ( sys-apps/shadow ) ) - X? ( x11-apps/xauth )" - -S="${WORKDIR}/${PARCH}" - -pkg_pretend() { - # this sucks, but i'd rather have people unable to `emerge -u openssh` - # than not be able to log in to their server any more - maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; } - local fail=" - $(use hpn && maybe_fail hpn HPN_VER) - $(use sctp && maybe_fail sctp SCTP_PATCH) - $(use X509 && maybe_fail X509 X509_PATCH) - " - fail=$(echo ${fail}) - if [[ -n ${fail} ]] ; then - eerror "Sorry, but this version does not yet support features" - eerror "that you requested: ${fail}" - eerror "Please mask ${PF} for now and check back later:" - eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" - die "booooo" - fi - - # Make sure people who are using tcp wrappers are notified of its removal. #531156 - if grep -qs '^ *sshd *:' "${EROOT%/}"/etc/hosts.{allow,deny} ; then - ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" - ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please." - fi -} - -src_prepare() { - sed -i \ - -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ - pathnames.h || die - - # don't break .ssh/authorized_keys2 for fun - sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die - - eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch - eapply "${FILESDIR}"/${PN}-8.0_p1-GSSAPI-dns.patch #165444 integrated into gsskex - eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch - eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch - eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch - eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch - eapply "${FILESDIR}"/${PN}-8.0_p1-fix-integer-overflow-in-XMSS-private-key-parsing.patch - eapply "${FILESDIR}"/${PN}-8.0_p1-fix-an-unreachable-integer-overflow-similar-to-the-XMSS-case.patch - eapply "${FILESDIR}"/${PN}-8.1_p1-tests-2020.patch - use X509 || eapply "${FILESDIR}"/${PN}-8.0_p1-tests.patch - - [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches - - local PATCHSET_VERSION_MACROS=() - - if use X509 ; then - # X509 12.1-gentoo patch contains the changes from below - #pushd "${WORKDIR}" &>/dev/null || die - #eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch" - #eapply "${FILESDIR}/${P}-X509-dont-make-piddir-"${X509_VER}".patch" - #popd &>/dev/null || die - - eapply "${WORKDIR}"/${X509_PATCH%.*} - eapply "${FILESDIR}"/${P}-X509-$(ver_cut 1-2 ${X509_VER})-tests.patch - - # We need to patch package version or any X.509 sshd will reject our ssh client - # with "userauth_pubkey: could not parse key: string is too large [preauth]" - # error - einfo "Patching package version for X.509 patch set ..." - sed -i \ - -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \ - "${S}"/configure.ac || die "Failed to patch package version for X.509 patch" - - einfo "Patching version.h to expose X.509 patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \ - "${S}"/version.h || die "Failed to sed-in X.509 patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_X509' ) - fi - - if use sctp ; then - eapply "${WORKDIR}"/${SCTP_PATCH%.*} - - einfo "Patching version.h to expose SCTP patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \ - "${S}"/version.h || die "Failed to sed-in SCTP patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' ) - - einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..." - sed -i \ - -e "/\t\tcfgparse \\\/d" \ - "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch" - fi - - if use hpn ; then - local hpn_patchdir="${T}/${P}-hpn${HPN_VER}" - mkdir "${hpn_patchdir}" - cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" - pushd "${hpn_patchdir}" &>/dev/null || die - eapply "${FILESDIR}"/${PN}-8.0_p1-hpn-glue.patch - if use X509; then - einfo "Will disable MT AES cipher due to incompatbility caused by X509 patch set" - # X509 and AES-CTR-MT don't get along, let's just drop it - rm openssh-${HPN_PV//./_}-hpn-AES-CTR-${HPN_VER}.diff || die - eapply "${FILESDIR}"/${PN}-8.0_p1-hpn-X509-glue.patch - fi - use sctp && eapply "${FILESDIR}"/${PN}-7.9_p1-hpn-sctp-glue.patch - popd &>/dev/null || die - - eapply "${hpn_patchdir}" - - if ! use X509; then - eapply "${FILESDIR}/openssh-7.9_p1-hpn-openssl-1.1.patch" - eapply "${FILESDIR}/openssh-8.0_p1-hpn-version.patch" - fi - - einfo "Patching Makefile.in for HPN patch set ..." - sed -i \ - -e "/^LIBS=/ s/\$/ -lpthread/" \ - "${S}"/Makefile.in || die "Failed to patch Makefile.in" - - einfo "Patching version.h to expose HPN patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \ - "${S}"/version.h || die "Failed to sed-in HPN patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_HPN' ) - - if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then - einfo "Disabling known non-working MT AES cipher per default ..." - - cat > "${T}"/disable_mtaes.conf <<- EOF - - # HPN's Multi-Threaded AES CTR cipher is currently known to be broken - # and therefore disabled per default. - DisableMTAES yes - EOF - sed -i \ - -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \ - "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config" - - sed -i \ - -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \ - "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config" - fi - fi - - if use X509 || use sctp || use hpn ; then - einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..." - sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)" - - einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..." - sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)" - - einfo "Patching version.h to add our patch sets to SSH_RELEASE ..." - sed -i \ - -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \ - "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)" - fi - - sed -i \ - -e "/#UseLogin no/d" \ - "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)" - - eapply_user #473004 - - tc-export PKG_CONFIG - local sed_args=( - -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" - # Disable PATH reset, trust what portage gives us #254615 - -e 's:^PATH=/:#PATH=/:' - # Disable fortify flags ... our gcc does this for us - -e 's:-D_FORTIFY_SOURCE=2::' - ) - - # The -ftrapv flag ICEs on hppa #505182 - use hppa && sed_args+=( - -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' - -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' - ) - # _XOPEN_SOURCE causes header conflicts on Solaris - [[ ${CHOST} == *-solaris* ]] && sed_args+=( - -e 's/-D_XOPEN_SOURCE//' - ) - sed -i "${sed_args[@]}" configure{.ac,} || die - - eautoreconf -} - -src_configure() { - addwrite /dev/ptmx - - use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG - use static && append-ldflags -static - use xmss && append-cflags -DWITH_XMSS - - local myconf=( - --with-ldflags="${LDFLAGS}" - --disable-strip - --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run - --sysconfdir="${EPREFIX}"/etc/ssh - --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc - --datadir="${EPREFIX}"/usr/share/openssh - --with-privsep-path="${EPREFIX}"/var/empty - --with-privsep-user=sshd - $(use_with audit audit linux) - $(use_with kerberos kerberos5 "${EPREFIX}"/usr) - # We apply the sctp patch conditionally, so can't pass --without-sctp - # unconditionally else we get unknown flag warnings. - $(use sctp && use_with sctp) - $(use_with ldns ldns "${EPREFIX}"/usr) - $(use_with libedit) - $(use_with pam) - $(use_with pie) - $(use_with selinux) - $(use_with ssl openssl) - $(use_with ssl md5-passwords) - $(use_with ssl ssl-engine) - $(use_with !elibc_Cygwin hardening) #659210 - ) - - # stackprotect is broken on musl x86 and ppc - use elibc_musl && ( use x86 || use ppc ) && myconf+=( --without-stackprotect ) - - # The seccomp sandbox is broken on x32, so use the older method for now. #553748 - use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit ) - - econf "${myconf[@]}" -} - -src_test() { - local t skipped=() failed=() passed=() - local tests=( interop-tests compat-tests ) - - local shell=$(egetshell "${UID}") - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then - elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" - elog "user, so we will run a subset only." - skipped+=( tests ) - else - tests+=( tests ) - fi - - # It will also attempt to write to the homedir .ssh. - local sshhome=${T}/homedir - mkdir -p "${sshhome}"/.ssh - for t in "${tests[@]}" ; do - # Some tests read from stdin ... - HOMEDIR="${sshhome}" HOME="${sshhome}" SUDO="" \ - emake -k -j1 ${t} </dev/null \ - && passed+=( "${t}" ) \ - || failed+=( "${t}" ) - done - - einfo "Passed tests: ${passed[*]}" - [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}" - [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}" -} - -# Gentoo tweaks to default config files. -tweak_ssh_configs() { - local locale_vars=( - # These are language variables that POSIX defines. - # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02 - LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME - - # These are the GNU extensions. - # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html - LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE - ) - - # First the server config. - cat <<-EOF >> "${ED%/}"/etc/ssh/sshd_config - - # Allow client to pass locale environment variables. #367017 - AcceptEnv ${locale_vars[*]} - - # Allow client to pass COLORTERM to match TERM. #658540 - AcceptEnv COLORTERM - EOF - - # Then the client config. - cat <<-EOF >> "${ED%/}"/etc/ssh/ssh_config - - # Send locale environment variables. #367017 - SendEnv ${locale_vars[*]} - - # Send COLORTERM to match TERM. #658540 - SendEnv COLORTERM - EOF - - if use pam ; then - sed -i \ - -e "/^#UsePAM /s:.*:UsePAM yes:" \ - -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ - -e "/^#PrintMotd /s:.*:PrintMotd no:" \ - -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ - "${ED%/}"/etc/ssh/sshd_config || die - fi - - if use livecd ; then - sed -i \ - -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \ - "${ED%/}"/etc/ssh/sshd_config || die - fi -} - -src_install() { - emake install-nokeys DESTDIR="${D}" - fperms 600 /etc/ssh/sshd_config - dobin contrib/ssh-copy-id - newinitd "${FILESDIR}"/sshd-r1.initd sshd - newconfd "${FILESDIR}"/sshd-r1.confd sshd - - newpamd "${FILESDIR}"/sshd.pam_include.2 sshd - - tweak_ssh_configs - - doman contrib/ssh-copy-id.1 - dodoc CREDITS OVERVIEW README* TODO sshd_config - use hpn && dodoc HPN-README - use X509 || dodoc ChangeLog - - diropts -m 0700 - dodir /etc/skel/.ssh - - keepdir /var/empty - - systemd_dounit "${FILESDIR}"/sshd.{service,socket} - systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' -} - -pkg_postinst() { - if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then - elog "Starting with openssh-5.8p1, the server will default to a newer key" - elog "algorithm (ECDSA). You are encouraged to manually update your stored" - elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." - fi - if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then - elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." - elog "Make sure to update any configs that you might have. Note that xinetd might" - elog "be an alternative for you as it supports USE=tcpd." - fi - if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518 - elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" - elog "weak sizes. If you rely on these key types, you can re-enable the key types by" - elog "adding to your sshd_config or ~/.ssh/config files:" - elog " PubkeyAcceptedKeyTypes=+ssh-dss" - elog "You should however generate new keys using rsa or ed25519." - - elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" - elog "to 'prohibit-password'. That means password auth for root users no longer works" - elog "out of the box. If you need this, please update your sshd_config explicitly." - fi - if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then - elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely." - elog "Furthermore, rsa keys with less than 1024 bits will be refused." - fi - if has_version "<${CATEGORY}/${PN}-7.7_p1" ; then - elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality." - elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option" - elog "if you need to authenticate against LDAP." - elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details." - fi - if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then - elog "Be aware that by disabling openssl support in openssh, the server and clients" - elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" - elog "and update all clients/servers that utilize them." - fi - - if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then - elog "" - elog "HPN's multi-threaded AES CTR cipher is currently known to be broken" - elog "and therefore disabled at runtime per default." - elog "Make sure your sshd_config is up to date and contains" - elog "" - elog " DisableMTAES yes" - elog "" - elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher." - elog "" - fi -} diff --git a/net-misc/openssh/openssh-8.2_p1-r6.ebuild b/net-misc/openssh/openssh-8.2_p1-r6.ebuild index 55d2852ebb93..c0ed8f5dec46 100644 --- a/net-misc/openssh/openssh-8.2_p1-r6.ebuild +++ b/net-misc/openssh/openssh-8.2_p1-r6.ebuild @@ -182,6 +182,7 @@ src_prepare() { cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die pushd "${hpn_patchdir}" &>/dev/null || die eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch + eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-libressl.patch if use X509; then # einfo "Will disable MT AES cipher due to incompatbility caused by X509 patch set" # # X509 and AES-CTR-MT don't get along, let's just drop it |