From 752d6256e5204b958b0ef7905675a940b5e9172f Mon Sep 17 00:00:00 2001 From: V3n3RiX Date: Thu, 12 May 2022 16:42:50 +0300 Subject: gentoo resync : 12.05.2022 --- .../files/openssh-8.7_p1-hpn-15.2-X509-glue.patch | 447 --------------------- .../files/openssh-8.7_p1-hpn-15.2-glue.patch | 198 --------- .../files/openssh-8.8_p1-X509-glue-13.2.3.patch | 63 --- 3 files changed, 708 deletions(-) delete mode 100644 net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch delete mode 100644 net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch delete mode 100644 net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch (limited to 'net-misc/openssh/files') diff --git a/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch b/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch deleted file mode 100644 index 49c05917779a..000000000000 --- a/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch +++ /dev/null @@ -1,447 +0,0 @@ -diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff ---- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-31 11:12:46.412119817 -0700 -+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-31 11:26:11.116026151 -0700 -@@ -3,9 +3,9 @@ - --- a/Makefile.in - +++ b/Makefile.in - @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@ -- CFLAGS_NOPIE=@CFLAGS_NOPIE@ -- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ -- PICFLAG=@PICFLAG@ -+ LD=@LD@ -+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA) -+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ - -LIBS=@LIBS@ - +LIBS=@LIBS@ -lpthread - K5LIBS=@K5LIBS@ -@@ -803,8 +803,8 @@ - ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out) - { - struct session_state *state; --- const struct sshcipher *none = cipher_by_name("none"); --+ struct sshcipher *none = cipher_by_name("none"); -+- const struct sshcipher *none = cipher_none(); -++ struct sshcipher *none = cipher_none(); - int r; - - if (none == NULL) { -@@ -894,24 +894,24 @@ - intptr = &options->compression; - multistate_ptr = multistate_compression; - @@ -2272,6 +2278,7 @@ initialize_options(Options * options) -- options->revoked_host_keys = NULL; - options->fingerprint_hash = -1; - options->update_hostkeys = -1; -+ options->known_hosts_command = NULL; - + options->disable_multithreaded = -1; -- options->hostbased_accepted_algos = NULL; -- options->pubkey_accepted_algos = NULL; -- options->known_hosts_command = NULL; -+ } -+ -+ /* - @@ -2467,6 +2474,10 @@ fill_default_options(Options * options) -+ options->update_hostkeys = 0; - if (options->sk_provider == NULL) - options->sk_provider = xstrdup("$SSH_SK_PROVIDER"); -- #endif - + if (options->update_hostkeys == -1) - + options->update_hostkeys = 0; - + if (options->disable_multithreaded == -1) - + options->disable_multithreaded = 0; - -- /* Expand KEX name lists */ -- all_cipher = cipher_alg_list(',', 0); -+ /* expand KEX and etc. name lists */ -+ { char *all; - diff --git a/readconf.h b/readconf.h - index 2fba866e..7f8f0227 100644 - --- a/readconf.h -@@ -950,9 +950,9 @@ - /* Portable-specific options */ - sUsePAM, - + sDisableMTAES, -- /* Standard Options */ -- sPort, sHostKeyFile, sLoginGraceTime, -- sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, -+ /* X.509 Standard Options */ -+ sHostbasedAlgorithms, -+ sPubkeyAlgorithms, - @@ -662,6 +666,7 @@ static struct { - { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, - { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, -diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff ---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-31 11:12:46.412119817 -0700 -+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-31 14:17:59.366248683 -0700 -@@ -157,6 +157,36 @@ - + Allan Jude provided the code for the NoneMac and buffer normalization. - + This work was financed, in part, by Cisco System, Inc., the National - + Library of Medicine, and the National Science Foundation. -+diff --git a/auth2.c b/auth2.c -+--- a/auth2.c 2021-03-15 19:30:45.404060786 -0700 -++++ b/auth2.c 2021-03-15 19:37:22.078476597 -0700 -+@@ -229,16 +229,17 @@ -+ double delay; -+ -+ digest_alg = ssh_digest_maxbytes(); -+- len = ssh_digest_bytes(digest_alg); -+- hash = xmalloc(len); -++ if (len = ssh_digest_bytes(digest_alg) > 0) { -++ hash = xmalloc(len); -+ -+- (void)snprintf(b, sizeof b, "%llu%s", -+- (unsigned long long)options.timing_secret, user); -+- if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0) -+- fatal_f("ssh_digest_memory"); -+- /* 0-4.2 ms of delay */ -+- delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000; -+- freezero(hash, len); -++ (void)snprintf(b, sizeof b, "%llu%s", -++ (unsigned long long)options.timing_secret, user); -++ if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0) -++ fatal_f("ssh_digest_memory"); -++ /* 0-4.2 ms of delay */ -++ delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000; -++ freezero(hash, len); -++ } -+ debug3_f("user specific delay %0.3lfms", delay/1000); -+ return MIN_FAIL_DELAY_SECONDS + delay; -+ } - diff --git a/channels.c b/channels.c - index b60d56c4..0e363c15 100644 - --- a/channels.c -@@ -209,14 +239,14 @@ - static void - channel_pre_open(struct ssh *ssh, Channel *c, - fd_set *readset, fd_set *writeset) --@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c) -+@@ -2164,21 +2191,31 @@ channel_check_window(struct ssh *ssh, Channel *c) - - if (c->type == SSH_CHANNEL_OPEN && - !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) && - - ((c->local_window_max - c->local_window > - - c->local_maxpacket*3) || --+ ((ssh_packet_is_interactive(ssh) && --+ c->local_window_max - c->local_window > c->local_maxpacket*3) || -++ ((ssh_packet_is_interactive(ssh) && -++ c->local_window_max - c->local_window > c->local_maxpacket*3) || - c->local_window < c->local_window_max/2) && - c->local_consumed > 0) { - + u_int addition = 0; -@@ -235,9 +265,8 @@ - (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || - - (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 || - + (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 || -- (r = sshpkt_send(ssh)) != 0) { -- fatal_fr(r, "channel %i", c->self); -- } -+ (r = sshpkt_send(ssh)) != 0) -+ fatal_fr(r, "channel %d", c->self); - - debug2("channel %d: window %d sent adjust %d", c->self, - - c->local_window, c->local_consumed); - - c->local_window += c->local_consumed; -@@ -337,70 +366,92 @@ - index 70f492f8..5503af1d 100644 - --- a/clientloop.c - +++ b/clientloop.c --@@ -1578,9 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan) -+@@ -1578,10 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan) - sock = x11_connect_display(ssh); - if (sock < 0) - return NULL; - - c = channel_new(ssh, "x11", - - SSH_CHANNEL_X11_OPEN, sock, sock, -1, --- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); --+ c = channel_new(ssh, "x11", --+ SSH_CHANNEL_X11_OPEN, sock, sock, -1, --+ /* again is this really necessary for X11? */ --+ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size, --+ CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); -+- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", -+- CHANNEL_NONBLOCK_SET); -++ c = channel_new(ssh, "x11", -++ SSH_CHANNEL_X11_OPEN, sock, sock, -1, -++ /* again is this really necessary for X11? */ -++ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size, -++ CHAN_X11_PACKET_DEFAULT, 0, "x11", CHANNEL_NONBLOCK_SET); - c->force_drain = 1; - return c; - } --@@ -1608,9 +1610,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan) -+@@ -1608,9 +1609,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan) - return NULL; - } - c = channel_new(ssh, "authentication agent connection", - - SSH_CHANNEL_OPEN, sock, sock, -1, - - CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, --- "authentication agent connection", 1); --+ SSH_CHANNEL_OPEN, sock, sock, -1, --+ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size, --+ CHAN_TCP_PACKET_DEFAULT, 0, --+ "authentication agent connection", 1); -+- "authentication agent connection", CHANNEL_NONBLOCK_SET); -++ SSH_CHANNEL_OPEN, sock, sock, -1, -++ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size, -++ CHAN_TCP_PACKET_DEFAULT, 0, -++ "authentication agent connection", CHANNEL_NONBLOCK_SET); - c->force_drain = 1; - return c; - } --@@ -1635,10 +1638,13 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode, -+@@ -1635,9 +1637,9 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode, - } - debug("Tunnel forwarding using interface %s", ifname); - - - c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1, --- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); --+ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1, -+- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", -+- CHANNEL_NONBLOCK_SET); -++ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1, - + options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size, --+ CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); -++ CHAN_TCP_PACKET_DEFAULT, 0, "tun", CHANNEL_NONBLOCK_SET); - c->datagram = 1; - --+ --+ - #if defined(SSH_TUN_FILTER) -- if (options.tun_open == SSH_TUNMODE_POINTOPOINT) -- channel_register_filter(ssh, c->self, sys_tun_infilter, - diff --git a/compat.c b/compat.c - index 69befa96..90b5f338 100644 - --- a/compat.c - +++ b/compat.c --@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version) -- debug_f("match: %s pat %s compat 0x%08x", -+@@ -43,7 +43,7 @@ compat_datafellows(const char *version) -+ static u_int -+ compat_datafellows(const char *version) -+ { -+- int i; -++ int i, bugs = 0; -+ static struct { -+ char *pat; -+ int bugs; -+@@ -147,11 +147,26 @@ -+ if (match_pattern_list(version, check[i].pat, 0) == 1) { -+ debug("match: %s pat %s compat 0x%08x", - version, check[i].pat, check[i].bugs); -- ssh->compat = check[i].bugs; - + /* Check to see if the remote side is OpenSSH and not HPN */ --+ /* TODO: need to use new method to test for this */ - + if (strstr(version, "OpenSSH") != NULL) { - + if (strstr(version, "hpn") == NULL) { --+ ssh->compat |= SSH_BUG_LARGEWINDOW; -++ bugs |= SSH_BUG_LARGEWINDOW; - + debug("Remote is NON-HPN aware"); - + } - + } -- return; -+- return check[i].bugs; -++ bugs |= check[i].bugs; - } - } -+- debug("no match: %s", version); -+- return 0; -++ /* Check to see if the remote side is OpenSSH and not HPN */ -++ if (strstr(version, "OpenSSH") != NULL) { -++ if (strstr(version, "hpn") == NULL) { -++ bugs |= SSH_BUG_LARGEWINDOW; -++ debug("Remote is NON-HPN aware"); -++ } -++ } -++ if (bugs == 0) -++ debug("no match: %s", version); -++ return bugs; -+ } -+ -+ char * - diff --git a/compat.h b/compat.h - index c197fafc..ea2e17a7 100644 - --- a/compat.h -@@ -459,7 +510,7 @@ - @@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh) - int nenc, nmac, ncomp; - u_int mode, ctos, need, dh_need, authlen; -- int r, first_kex_follows; -+ int r, first_kex_follows = 0; - + int auth_flag = 0; - + - + auth_flag = packet_authentication_state(ssh); -@@ -553,7 +604,7 @@ - #define MAX_PACKETS (1U<<31) - static int - ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) --@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) -+@@ -1317,7 +1336,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) - struct session_state *state = ssh->state; - int len, r, ms_remain; - fd_set *setp; -@@ -1035,19 +1086,6 @@ - - /* Minimum amount of data to read at a time */ - #define MIN_READ_SIZE 512 --diff --git a/ssh-keygen.c b/ssh-keygen.c --index cfb5f115..36a6e519 100644 ----- a/ssh-keygen.c --+++ b/ssh-keygen.c --@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device) -- freezero(pin, strlen(pin)); -- error_r(r, "Unable to load resident keys"); -- return -1; --- } --+ } -- if (nkeys == 0) -- logit("No keys to download"); -- if (pin != NULL) - diff --git a/ssh.c b/ssh.c - index 53330da5..27b9770e 100644 - --- a/ssh.c -@@ -1093,7 +1131,7 @@ - + else - + options.hpn_buffer_size = 2 * 1024 * 1024; - + --+ if (ssh->compat & SSH_BUG_LARGEWINDOW) { -++ if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) { - + debug("HPN to Non-HPN Connection"); - + } else { - + int sock, socksize; -@@ -1157,14 +1195,14 @@ - } - @@ -2089,6 +2167,11 @@ ssh_session2_open(struct ssh *ssh) - window, packetmax, CHAN_EXTENDED_WRITE, -- "client-session", /*nonblock*/0); -+ "client-session", CHANNEL_NONBLOCK_STDIO); - - + if ((options.tcp_rcv_buf_poll > 0) && !options.hpn_disabled) { - + c->dynamic_window = 1; - + debug("Enabled Dynamic Window Scaling"); - + } - + -- debug3_f("channel_new: %d", c->self); -+ debug2_f("channel %d", c->self); - - channel_send_open(ssh, c->self); - @@ -2105,6 +2188,13 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_info *cinfo) -@@ -1335,7 +1373,29 @@ - /* Bind the socket to the desired port. */ - if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) { - error("Bind to port %s on %s failed: %.200s.", --@@ -1727,6 +1734,19 @@ main(int ac, char **av) -+@@ -1625,13 +1632,14 @@ -+ if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg), -+ sshbuf_len(server_cfg)) != 0) -+ fatal_f("ssh_digest_update"); -+- len = ssh_digest_bytes(digest_alg); -+- hash = xmalloc(len); -+- if (ssh_digest_final(ctx, hash, len) != 0) -+- fatal_f("ssh_digest_final"); -+- options.timing_secret = PEEK_U64(hash); -+- freezero(hash, len); -+- ssh_digest_free(ctx); -++ if ((len = ssh_digest_bytes(digest_alg)) > 0) { -++ hash = xmalloc(len); -++ if (ssh_digest_final(ctx, hash, len) != 0) -++ fatal_f("ssh_digest_final"); -++ options.timing_secret = PEEK_U64(hash); -++ freezero(hash, len); -++ ssh_digest_free(ctx); -++ } -+ ctx = NULL; -+ return; -+ } -+@@ -1727,6 +1735,19 @@ main(int ac, char **av) - fatal("AuthorizedPrincipalsCommand set without " - "AuthorizedPrincipalsCommandUser"); - -@@ -1355,7 +1415,7 @@ - /* - * Check whether there is any path through configured auth methods. - * Unfortunately it is not possible to verify this generally before --@@ -2166,6 +2186,9 @@ main(int ac, char **av) -+@@ -2166,6 +2187,9 @@ main(int ac, char **av) - rdomain == NULL ? "" : "\""); - free(laddr); - -@@ -1365,7 +1425,7 @@ - /* - * We don't want to listen forever unless the other side - * successfully authenticates itself. So we set up an alarm which is --@@ -2343,6 +2366,12 @@ do_ssh2_kex(struct ssh *ssh) -+@@ -2343,6 +2367,12 @@ do_ssh2_kex(struct ssh *ssh) - struct kex *kex; - int r; - -@@ -1405,14 +1465,3 @@ - # Example of overriding settings on a per-user basis - #Match User anoncvs - # X11Forwarding no --diff --git a/version.h b/version.h --index 6b4fa372..332fb486 100644 ----- a/version.h --+++ b/version.h --@@ -3,4 +3,5 @@ -- #define SSH_VERSION "OpenSSH_8.5" -- -- #define SSH_PORTABLE "p1" ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE --+#define SSH_HPN "-hpn15v2" --+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN -diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff ---- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-08-31 11:12:16.778011216 -0700 -+++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-08-31 11:13:11.573211934 -0700 -@@ -12,9 +12,9 @@ - static long stalled; /* how long we have been stalled */ - static int bytes_per_second; /* current speed in bytes per second */ - @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update) -+ off_t bytes_left; - int cur_speed; -- int hours, minutes, seconds; -- int file_len; -+ int len; - + off_t delta_pos; - - if ((!force_update && !alarm_fired && !win_resized) || !can_output()) -@@ -30,15 +30,17 @@ - if (bytes_left > 0) - elapsed = now - last_update; - else { --@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update) -- -+@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update) -+ buf[1] = '\0'; -+ - /* filename */ -- buf[0] = '\0'; --- file_len = win_size - 36; --+ file_len = win_size - 45; -- if (file_len > 0) { -- buf[0] = '\r'; -- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s", -+- if (win_size > 36) { -++ if (win_size > 45) { -+- int file_len = win_size - 36; -++ int file_len = win_size - 45; -+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ", -+ file_len, file); -+ } - @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update) - (off_t)bytes_per_second); - strlcat(buf, "/s ", win_size); -@@ -63,15 +65,3 @@ - } - - /*ARGSUSED*/ --diff --git a/ssh-keygen.c b/ssh-keygen.c --index cfb5f115..986ff59b 100644 ----- a/ssh-keygen.c --+++ b/ssh-keygen.c --@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device) -- -- if (skprovider == NULL) -- fatal("Cannot download keys without provider"); --- -- pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN); -- if (!quiet) { -- printf("You may need to touch your authenticator " diff --git a/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch b/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch deleted file mode 100644 index 309e57e88643..000000000000 --- a/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch +++ /dev/null @@ -1,198 +0,0 @@ -diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff ---- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-20 11:49:32.351767063 -0700 -+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-20 11:58:08.746214945 -0700 -@@ -1026,9 +1026,9 @@ - + } - +#endif - + -- debug("Authentication succeeded (%s).", authctxt.method->name); -- } -- -+ if (ssh_packet_connection_is_on_socket(ssh)) { -+ verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host, -+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), - diff --git a/sshd.c b/sshd.c - index 6277e6d6..bf3d6e4a 100644 - --- a/sshd.c -diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff ---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-20 11:49:32.351767063 -0700 -+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-20 12:04:45.008038085 -0700 -@@ -536,18 +536,10 @@ - if (state->rekey_limit) - *max_blocks = MINIMUM(*max_blocks, - state->rekey_limit / enc->block_size); --@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode) -+@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode) - return 0; - } - --+/* this supports the forced rekeying required for the NONE cipher */ --+int rekey_requested = 0; --+void --+packet_request_rekeying(void) --+{ --+ rekey_requested = 1; --+} --+ - +/* used to determine if pre or post auth when rekeying for aes-ctr - + * and none cipher switch */ - +int -@@ -561,20 +553,6 @@ - #define MAX_PACKETS (1U<<31) - static int - ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) --@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) -- if (state->p_send.packets == 0 && state->p_read.packets == 0) -- return 0; -- --+ /* used to force rekeying when called for by the none --+ * cipher switch methods -cjr */ --+ if (rekey_requested == 1) { --+ rekey_requested = 0; --+ return 1; --+ } --+ -- /* Time-based rekeying */ -- if (state->rekey_interval != 0 && -- (int64_t)state->rekey_time + state->rekey_interval <= monotime()) - @@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) - struct session_state *state = ssh->state; - int len, r, ms_remain; -@@ -598,12 +576,11 @@ - }; - - typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *, --@@ -155,6 +158,10 @@ int ssh_packet_inc_alive_timeouts(struct ssh *); -+@@ -155,6 +158,9 @@ int ssh_packet_inc_alive_timeouts(struct ssh *); - int ssh_packet_set_maxsize(struct ssh *, u_int); - u_int ssh_packet_get_maxsize(struct ssh *); - - +/* for forced packet rekeying post auth */ --+void packet_request_rekeying(void); - +int packet_authentication_state(const struct ssh *); - + - int ssh_packet_get_state(struct ssh *, struct sshbuf *); -@@ -627,9 +604,9 @@ - oLocalCommand, oPermitLocalCommand, oRemoteCommand, - + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize, - + oNoneEnabled, oNoneMacEnabled, oNoneSwitch, -+ oDisableMTAES, - oVisualHostKey, - oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass, -- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, - @@ -297,6 +300,9 @@ static struct { - { "kexalgorithms", oKexAlgorithms }, - { "ipqos", oIPQoS }, -@@ -637,9 +614,9 @@ - + { "noneenabled", oNoneEnabled }, - + { "nonemacenabled", oNoneMacEnabled }, - + { "noneswitch", oNoneSwitch }, -- { "proxyusefdpass", oProxyUseFdpass }, -- { "canonicaldomains", oCanonicalDomains }, -- { "canonicalizefallbacklocal", oCanonicalizeFallbackLocal }, -+ { "sessiontype", oSessionType }, -+ { "stdinnull", oStdinNull }, -+ { "forkafterauthentication", oForkAfterAuthentication }, - @@ -317,6 +323,11 @@ static struct { - { "securitykeyprovider", oSecurityKeyProvider }, - { "knownhostscommand", oKnownHostsCommand }, -@@ -717,9 +694,9 @@ - + options->hpn_buffer_size = -1; - + options->tcp_rcv_buf_poll = -1; - + options->tcp_rcv_buf = -1; -- options->proxy_use_fdpass = -1; -- options->ignored_unknown = NULL; -- options->num_canonical_domains = 0; -+ options->session_type = -1; -+ options->stdin_null = -1; -+ options->fork_after_authentication = -1; - @@ -2426,6 +2484,41 @@ fill_default_options(Options * options) - options->server_alive_interval = 0; - if (options->server_alive_count_max == -1) -@@ -778,9 +755,9 @@ - int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */ - SyslogFacility log_facility; /* Facility for system logging. */ - @@ -120,7 +124,11 @@ typedef struct { -- - int enable_ssh_keysign; - int64_t rekey_limit; -+ int disable_multithreaded; /*disable multithreaded aes-ctr*/ - + int none_switch; /* Use none cipher */ - + int none_enabled; /* Allow none cipher to be used */ - + int nonemac_enabled; /* Allow none MAC to be used */ -@@ -842,9 +819,9 @@ - /* Portable-specific options */ - if (options->use_pam == -1) - @@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options) -- } -- if (options->permit_tun == -1) - options->permit_tun = SSH_TUNMODE_NO; -+ if (options->disable_multithreaded == -1) -+ options->disable_multithreaded = 0; - + if (options->none_enabled == -1) - + options->none_enabled = 0; - + if (options->nonemac_enabled == -1) -@@ -1047,17 +1024,17 @@ - Note that - diff --git a/sftp.c b/sftp.c - index fb3c08d1..89bebbb2 100644 ----- a/sftp.c --+++ b/sftp.c --@@ -71,7 +71,7 @@ typedef void EditLine; -- #include "sftp-client.h" -- -- #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */ ---#define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */ --+#define DEFAULT_NUM_REQUESTS 256 /* # concurrent outstanding requests */ -+--- a/sftp-client.c -++++ b/sftp-client.c -+@@ -65,7 +65,7 @@ typedef void EditLine; -+ #define DEFAULT_COPY_BUFLEN 32768 -+ -+ /* Default number of concurrent outstanding requests */ -+-#define DEFAULT_NUM_REQUESTS 64 -++#define DEFAULT_NUM_REQUESTS 256 - -- /* File to read commands from */ -- FILE* infile; -+ /* Minimum amount of data to read at a time */ -+ #define MIN_READ_SIZE 512 - diff --git a/ssh-keygen.c b/ssh-keygen.c - index cfb5f115..36a6e519 100644 - --- a/ssh-keygen.c -@@ -1330,9 +1307,9 @@ - + } - + } - + -- debug("Authentication succeeded (%s).", authctxt.method->name); -- } - -+ #ifdef WITH_OPENSSL -+ if (options.disable_multithreaded == 0) { - diff --git a/sshd.c b/sshd.c - index 6277e6d6..d66fa41a 100644 - --- a/sshd.c -@@ -1359,8 +1336,8 @@ - if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) { - error("Bind to port %s on %s failed: %.200s.", - @@ -1727,6 +1734,19 @@ main(int ac, char **av) -- /* Fill in default values for those options not explicitly set. */ -- fill_default_server_options(&options); -+ fatal("AuthorizedPrincipalsCommand set without " -+ "AuthorizedPrincipalsCommandUser"); - - + if (options.none_enabled == 1) { - + char *old_ciphers = options.ciphers; -@@ -1375,9 +1352,9 @@ - + } - + } - + -- /* challenge-response is implemented via keyboard interactive */ -- if (options.challenge_response_authentication) -- options.kbd_interactive_authentication = 1; -+ /* -+ * Check whether there is any path through configured auth methods. -+ * Unfortunately it is not possible to verify this generally before - @@ -2166,6 +2186,9 @@ main(int ac, char **av) - rdomain == NULL ? "" : "\""); - free(laddr); diff --git a/net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch b/net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch deleted file mode 100644 index b6827623cd66..000000000000 --- a/net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch +++ /dev/null @@ -1,63 +0,0 @@ -diff -ur '--exclude=.*.un~' a/openssh-8.8p1+x509-13.2.3.diff b/openssh-8.8p1+x509-13.2.3.diff ---- a/openssh-8.8p1+x509-13.2.3.diff 2021-10-29 14:59:17.070546984 -0700 -+++ b/openssh-8.8p1+x509-13.2.3.diff 2021-10-29 14:59:55.086664489 -0700 -@@ -954,15 +954,16 @@ - char b[512]; - - size_t len = ssh_digest_bytes(SSH_DIGEST_SHA512); - - u_char *hash = xmalloc(len); -+- double delay; - + int digest_alg; - + size_t len; - + u_char *hash; -- double delay; -- -++ double delay = 0; -++ - + digest_alg = ssh_digest_maxbytes(); - + len = ssh_digest_bytes(digest_alg); - + hash = xmalloc(len); --+ -+ - (void)snprintf(b, sizeof b, "%llu%s", - (unsigned long long)options.timing_secret, user); - - if (ssh_digest_memory(SSH_DIGEST_SHA512, b, strlen(b), hash, len) != 0) -@@ -51859,12 +51860,11 @@ - - install-files: - $(MKDIR_P) $(DESTDIR)$(bindir) --@@ -391,6 +372,8 @@ -+@@ -391,6 +372,7 @@ - $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5 - $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8 - $(MKDIR_P) $(DESTDIR)$(libexecdir) - + $(MKDIR_P) $(DESTDIR)$(sshcadir) --+ $(MKDIR_P) $(DESTDIR)$(piddir) - $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH) - $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT) - $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT) -@@ -71985,7 +71985,7 @@ - +if test "$sshd_type" = "pkix" ; then - + unset_arg='' - +else --+ unset_arg=none -++ unset_arg= - +fi - + - cat > $OBJ/sshd_config.i << _EOF -@@ -132360,16 +132360,6 @@ - +int asnmprintf(char **, size_t, int *, const char *, ...) - __attribute__((format(printf, 4, 5))); - void msetlocale(void); --diff -ruN openssh-8.8p1/version.h openssh-8.8p1+x509-13.2.3/version.h ----- openssh-8.8p1/version.h 2021-09-26 17:03:19.000000000 +0300 --+++ openssh-8.8p1+x509-13.2.3/version.h 2021-10-23 16:27:00.000000000 +0300 --@@ -2,5 +2,4 @@ -- -- #define SSH_VERSION "OpenSSH_8.8" -- ---#define SSH_PORTABLE "p1" ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE --+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1" - diff -ruN openssh-8.8p1/version.m4 openssh-8.8p1+x509-13.2.3/version.m4 - --- openssh-8.8p1/version.m4 1970-01-01 02:00:00.000000000 +0200 - +++ openssh-8.8p1+x509-13.2.3/version.m4 2021-10-23 16:27:00.000000000 +0300 -- cgit v1.2.3