From 0f15659d48c193027158492acb726297501202c5 Mon Sep 17 00:00:00 2001 From: V3n3RiX Date: Sat, 25 Dec 2021 20:34:27 +0000 Subject: gentoo xmass resync : 25.12.2021 --- net-misc/openssh/Manifest | 20 +- .../openssh/files/openssh-8.0_p1-hpn-version.patch | 13 - .../openssh/files/openssh-8.5_p1-GSSAPI-dns.patch | 354 -------------- .../files/openssh-8.5_p1-X509-glue-13.0.1.patch | 72 --- .../openssh-8.5_p1-hpn-15.2-X509-13.0.1-glue.patch | 328 ------------- .../files/openssh-8.5_p1-hpn-15.2-glue.patch | 104 ----- .../files/openssh-8.6_p1-X509-glue-13.1.patch | 72 --- .../files/openssh-8.6_p1-hpn-15.2-X509-glue.patch | 357 -------------- .../files/openssh-8.6_p1-hpn-15.2-glue.patch | 132 ------ net-misc/openssh/metadata.xml | 1 - net-misc/openssh/openssh-8.6_p1-r2.ebuild | 515 --------------------- net-misc/openssh/openssh-8.7_p1-r2.ebuild | 513 -------------------- net-misc/openssh/openssh-8.7_p1-r3.ebuild | 498 -------------------- net-misc/openssh/openssh-8.7_p1-r4.ebuild | 498 ++++++++++++++++++++ net-misc/openssh/openssh-8.8_p1-r2.ebuild | 508 -------------------- net-misc/openssh/openssh-8.8_p1-r3.ebuild | 498 -------------------- net-misc/openssh/openssh-8.8_p1-r4.ebuild | 481 +++++++++++++++++++ 17 files changed, 982 insertions(+), 3982 deletions(-) delete mode 100644 net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch delete mode 100644 net-misc/openssh/files/openssh-8.5_p1-GSSAPI-dns.patch delete mode 100644 net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.1.patch delete mode 100644 net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-X509-13.0.1-glue.patch delete mode 100644 net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-glue.patch delete mode 100644 net-misc/openssh/files/openssh-8.6_p1-X509-glue-13.1.patch delete mode 100644 net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-X509-glue.patch delete mode 100644 net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-glue.patch delete mode 100644 net-misc/openssh/openssh-8.6_p1-r2.ebuild delete mode 100644 net-misc/openssh/openssh-8.7_p1-r2.ebuild delete mode 100644 net-misc/openssh/openssh-8.7_p1-r3.ebuild create mode 100644 net-misc/openssh/openssh-8.7_p1-r4.ebuild delete mode 100644 net-misc/openssh/openssh-8.8_p1-r2.ebuild delete mode 100644 net-misc/openssh/openssh-8.8_p1-r3.ebuild create mode 100644 net-misc/openssh/openssh-8.8_p1-r4.ebuild (limited to 'net-misc/openssh') diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest index e64565fab4f3..5348d4d51e55 100644 --- a/net-misc/openssh/Manifest +++ b/net-misc/openssh/Manifest @@ -3,16 +3,8 @@ AUX openssh-7.5_p1-disable-conch-interop-tests.patch 554 BLAKE2B f5f45c000ec26c1 AUX openssh-7.9_p1-include-stdlib.patch 914 BLAKE2B 9c7eb79f87ecd657a80821dfa979d8b0cc12a08d385ec085724f20aa6f5332593ffc7481bb9f816e91df3eb4d75d8f7b66383ff473d271270de128c3b2bf92e5 SHA512 7dade73bdafb0da484cbd396b4a644442f8ea12fef54c07e6308ae2e73a587fa4ddf401e8a0c467469b46fe7f00585e047462545182924c157b4d3894c707a70 AUX openssh-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch 977 BLAKE2B b2e28683176c4678f51a9a0be3e29496620ac795c7de4649fb3cc0bd076682e42bc1c606b17a76e140f51319e4c4a1cc890c3a37c4bc3cf9222a88e31b8a773f SHA512 8c2567ae16dccc73e302ba90c1bb03e19d4afc3892dd8e1636d7c8853932662eccbda3957e4db55a21bd37d2e65abe74b0b2c1efb74e31751335eb523759d945 AUX openssh-8.0_p1-fix-putty-tests.patch 1760 BLAKE2B a1127e8f2275c1e23c956b5041dbc84dbdb2cd6b788fc69bfc1f6b030afe86a827483602ce76577b4101ee2e790b1cfa8c1d2db09da59b89fe7df8083bf4695f SHA512 f544d818bdde628131f1819bf2ffb4007802ee5bf12c5cd5bd398efe0f0f430ed6b3efa7969cb2c4fa49a2bbd773d8fa09f4c927cf998a564b7611443437c310 -AUX openssh-8.0_p1-hpn-version.patch 590 BLAKE2B 1ff20ab17e7e1a20f7a96ded56ff7c059fd509d7773d9abaeac83743102385d9713284c630dc932d40672a9bfc8a894b57c6b073e93a7b024de7490ea54a589c SHA512 37250881f17a44e4a4b0ac164d06961e0731528847d5cbbb263e3f9a286a192c8dae92250b85db3f2e1f280a464c7b3bfc8a7c9e85552375c013e16a6fcf28ed AUX openssh-8.3_p1-sha2-include.patch 370 BLAKE2B 3d9ee891d9d647f4ff3b42d47cae4c7a32533bce917b35101fd3c5549717a6b285423894b3372ecb6983d4425c712f4b0590fc95799fd521523d9d74860863c6 SHA512 a1edda5dc43af79e9e4e7d3bcd78cc1c2dbf40e94f22189022dcaf1107c8f2cb2a37c949af5955144f6ada210417a695fe0c4d05d52ba2dbafb1dddf6a1bac3f -AUX openssh-8.5_p1-GSSAPI-dns.patch 11631 BLAKE2B 9ed39b04f320612f166b091979a21e7765d19afc3947a95dd3019da25eefcad32fcf2a3f17813441fce87cc03a28e0a52ac1aad3ac4b5b7ecdf3f4f8c391ba4a SHA512 d28f7df54af4cc998e1978a6c0fcb28f88affaad4a347084e429549bc0f74347dd8ad79c0ced0ca5a739e2c3cc19f6516aeb678f3a9709c40f1d0fa16d93b9e4 -AUX openssh-8.5_p1-X509-glue-13.0.1.patch 2714 BLAKE2B 03a00a1b9c62d75688706e3f4950510bafea6ae524a3bdbd08a7f059663eae3ff386ffa1ea1edfbf3349231a53b314625778043f39bb52395ffe9ef2a45a8400 SHA512 1ddf7c62ff3e73278a88f9afe5085c4101ef2cae4383cfa7bddc90403db5ea2c9c0fc630d31dc72072c4c008034f02b30cfea149aeb95e70c74292f3b978471b -AUX openssh-8.5_p1-hpn-15.2-X509-13.0.1-glue.patch 11238 BLAKE2B 3d16907f7330b3e30705610c10f5b5037837442df6840231073ae8d0202543b006bf9b9597df50a3173bbb823050e9c2cb5a391ed5f96c4ac2194fb1e97316a9 SHA512 d1fea164d8431282c150a513886c428f7225eb11980bd7c9cae88754d1165ec799e1ef30b17ffa38990b6c58d9626a412abd550909e34f623f311444e097baaa -AUX openssh-8.5_p1-hpn-15.2-glue.patch 3856 BLAKE2B 1661bb20e523141aae3f988f5dac664ec6f3d6517512596183c9c26d051a75b8d013e0d6e7c21aabb597b5c1a7e768c429bdef70bbfe59071f6e4cbb0956960d SHA512 0439ad0f0ab6dc21dd4279c6d252884e3c2ddaba76a207b3b26c88d8a6b8d873cc08345a1a90b8046ec79d33f47395d87e52d5b44b155a186a8aa16d316b82a9 AUX openssh-8.5_p1-hpn-15.2-sctp-glue.patch 727 BLAKE2B fafb6bc3ec680327abf01a7a2f673d4be601094d518d74f5afd0c596c1d60ddfc6f31add6b5533f85bc09cf2122b9e3f7243d5d26a2d6923c88c2f6a811ea2b8 SHA512 eda1c1613e94a7b10df9cc08c87ed8a39edb3f8a160600a74780877772bbd76cc9842d5d5d68ed6a9554e1e310675a1e461d894144d514b8e482d4a1affbc9bd -AUX openssh-8.6_p1-X509-glue-13.1.patch 2701 BLAKE2B bb1ec4018e23213117bae52c83100e47818898e06890448a82371cbd2f3f96832350c2d4fb5a7455d8d97f3ddef61cfdb106b14ed9985d741f417741dffdf328 SHA512 922d7be6671cfaeac47b28dd73e57f3f20ba10c308aa5812dec965cb0a348724a7936bbbc79a2d2987762e4fa4989f9c85963f4eddab9ca103971a61925f7c47 -AUX openssh-8.6_p1-hpn-15.2-X509-glue.patch 12374 BLAKE2B adb5327ca665f2dc89517882a78299b27dcbcffd07d304be9967900a4955464cc8fb8c5fb30124a562bc3ab98922b7ef72e7119f226e42987c0ea59ca9251b5c SHA512 b68334674c7cdb78a78af1711a822913be37a8ebaf34822d16db05e884a0b3cf576647955776df018c1e61ab9ba50ddb25f9888e0d50a9042c7942b609b34274 -AUX openssh-8.6_p1-hpn-15.2-glue.patch 4773 BLAKE2B c0db810f7c6e73b307cd9f89b9c4e8a858fde9e5fcc2f39ce02dde213d632b04edf246ec84ff69511b6e74cf4ca67395763b501cb2ddb738c20f9fa48cd4a79b SHA512 8774305853029eee9b024bc1da68134e061aa7ac1087a950e23e39160e11435b0ea9787d3490cc7f1854a9608f11abda9d271fcdce28aceb7089cfa03304e585 AUX openssh-8.6_p1-hpn-version.patch 556 BLAKE2B 26ef960db46c82ee62e6a6f1be15c2897855caa6cbd05db87d3e606ce42d03fb6e88916f0c6644f67dc008ca802617d0f63e5e8e35d1a6c6076188ba19009186 SHA512 c13d14dc496863bd6bbbf08940322a60e74fa1cc2171f81132dfd874b9371ee0edd77f75ffd606f874fa2de498b174be91da5c641029abff2d2a8503c2f0fc02 AUX openssh-8.7_p1-GSSAPI-dns.patch 11576 BLAKE2B 84aa0128ddeccf67e14c20f9d2acb61226c5091a3e3106285c79db4a297dbd781eddf7a6d4cb3b1a5a5dcbbcd158d32dbca5986b6fbf15f62cd3928cf125b083 SHA512 794b06c6ee6acd1bcd861753970cfc4d04f42499d48ff4119746dbcab8643f75761fddb9f52f49fe01e356740eb3882671ac3ae209e0e45745d195a219ffe5dd AUX openssh-8.7_p1-X509-glue-13.2.1.patch 1679 BLAKE2B 2f79c3bc5b3fd93cce0aea23cd16b98fd8031b2ebed21a5360ec84e43ec02565e464fa47db99421f8b94994073823e4dfe590bd5374bf803c8065f1a8c065d6b SHA512 05796a8c6e01456d4e6ad0cc66490b7a9479f8f36854532b392b49c20d3a62e77e13f067b77460b2b3098a6ada3944f821220aa663d6a766cb9d9e1f9bcc6b9d @@ -26,9 +18,6 @@ AUX sshd.pam_include.2 156 BLAKE2B 91ebefbb1264fe3fe98df0a72ac22a4cd8a787b3b391a AUX sshd.service 259 BLAKE2B e65ea7227658295584c3fdee3bf46f098c1c5a53a0b433e88ae8d43f0823fade25846a5f3abbacf939a13af8195a888d0ffb937e8da943478e76eea7c0e13c82 SHA512 9656ae4c045ba47ad28f983e50d1119d51c1d0a7471fe8e792d6f734a71c8d4d900431b591f2f40bb8af3a382e6215933ae32eff56de6da0f2f166d6fb855987 AUX sshd.socket 136 BLAKE2B 22e218c831fc384a3151ef97c391253738fa9002e20cf4628c6fe3d52d4b0ac3b957da58f816950669d0a6f8f2786251c6dfc31bbb863f837a3f52631341dc2e SHA512 4d31d373b7bdae917dc0cf05418c71d4743e98e354aefcf055f88f55c9c644a5a0e0e605dbb8372c1b98d17c0ea1c8c0fee27d38ab8dbe23c7e420a6a78c6d42 AUX sshd_at.service 177 BLAKE2B 0e78184f58cb4c68fb834953fac3ce01f9e39e9eb1a84c03f720205f5b611365c9a48fba445962c06c7e18bdb310cdb9ffe4fc49e95f69608922d224b00c890b SHA512 423120ea2e1ac0b92575ce4eb05347483f902238dc104848e74088f49483c37d30c27364e7fe8599b3e85562159c69284ecf25a4c5394b4cfa18c5c77c6beacd -DIST openssh-8.6p1+x509-13.1.diff.gz 1011666 BLAKE2B 0ac0cf2ff962b8ef677c49de0bb586f375f14d8964e077c10f6a88ec15734807940ab6c0277e44ebdfde0e50c2c80103cff614a6cde4d66e9986152032eeaa90 SHA512 ae4986dd079678c7b0cfd805136ff7ac940d1049fdddeb5a7c4ea2141bfcca70463b951485fb2b113bc930f519b1b41562900ced0269f5673dbdad867f464251 -DIST openssh-8.6p1-sctp-1.2.patch.xz 7696 BLAKE2B 37f9e943a1881af05d9cf2234433711dc45ca30c60af4c0ea38a1d361df02abb491fa114f3698285f582b40b838414c1a048c4f09aa4f7ae9499adb09201d2ac SHA512 ba8c4d38a3d90854e79dc18918fffde246d7609a3f1c3a35e06c0fbe33d3688ed29b0ec33556ae37d1654e1dc2133d892613ad8d1ecbdce9aaa5b9eb10dcbb7a -DIST openssh-8.6p1.tar.gz 1786328 BLAKE2B 261a0f1a6235275894d487cce37537755c86835e3a34871462fe29bfe72b49cd9a6b6a547aea4bd554f0957e110c84458cc75a5f2560717fb04804d62228562a SHA512 9854eda0b773c64c9f1f74844ce466b2b42ee8845f58ad062b73141d617af944fa4ebafdf72069f400106d2c2bd0a69c92fe805ec1fc26d4f0faadf06c3fbbe6 DIST openssh-8.7p1+x509-13.2.1.diff.gz 1073420 BLAKE2B f9de9f797f1ec83cd56a983f5b9694b0297a60e586898a8c94b4aaa60e5f561bb3b7730590fc8f898c3de2340780d6a77d31bfcc50df0a55a0480051f37806fd SHA512 dd7afd351ddf33e8e74bceba56e5593a0546360efb34f3b954e1816751b5678da5d1bc3a9f2eaa4a745d86d96ae9b643bd549d39b59b22c8cf1a219b076c1db5 DIST openssh-8.7p1-sctp-1.2.patch.xz 6740 BLAKE2B 468a455018ffddf4fa64d63acb732ad3e1fb722ae8b24d06cf3a683167a4580626b477bbc286f296c83d39dd36c101ac58597a21daa63de83ad55af00aa3a6be SHA512 aa9067c9025b6e4edfad5e45ec92da43db14edb11aae02cbbc296e66b48377cbbf62cdafcdd5edfd1fd4bf69420ee017223ab52e50a42b1976002d767984777c DIST openssh-8.7p1.tar.gz 1814595 BLAKE2B 9fdb8898485053d08c9eca419c15d0d03b7a60152cf6a9d7f1beed3a21c9e6ac3bd9f854580e6e474fb0c871f3d4be9ef4b49bee8c355d9e5769a5505f4e6ea9 SHA512 08c81024d9e1248abfda6cc874886ff5ae916669b93cd6aff640e0614ee8cbcbc3fe87a9ce47136b6443ddbb1168b114367c74e117551905994e1a7e3fa2c0c2 @@ -38,9 +27,6 @@ DIST openssh-8.8p1.tar.gz 1815060 BLAKE2B 3a054ce19781aceca5ab1a0839d7435d88aff4 DIST openssh-8_5_P1-hpn-AES-CTR-15.2.diff 30096 BLAKE2B f0c020dd2403806c79d4c37a019996d275655b04997301e247f5c4dd7fad35d12b3b7c25afb1b078d915ef2a4ae02f736f0aec9ba2a8c56a405d7ca303bcadf7 SHA512 4c2dbf99a9b5953fdb955f700272bbaeaa025f108a8860d2190197962b849f8385327af82c4d6a3a130a7fba35a74a8ec9437d642867601acb29817c49632a8f DIST openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 51428 BLAKE2B 370b88a7da7f148bf5a4d445f05cf593b486e9df53bba027e2e179726f534b68cf9d94edd6e53024e0b6ff5f20e568727bc9d26c94d0d415603602a80d3ad241 SHA512 2d8d887901164b33b2799ff3ec72e86a39ae4a1696e52bcee0872dbae7772fcc534351e6e7f87126ee71b164c74e9091350f14b782f4b242a09f09b4f50d047a DIST openssh-8_5_P1-hpn-PeakTput-15.2.diff 2429 BLAKE2B 849bf3c313719ab7a25c75e82d5dc5ac98365a038b2a66fe58d01eae5b20c7777258b94b5830e799d6909e75c69753cda05a910f3bdab9606fb7d5efa68e05f1 SHA512 c4a56fab55fabd1d902d45f235b603708d43f969920e45c9a57e557dccfa9cade2ec61f26d1ace938f6f73e79f17b12f119b5aea9166cbda8e3435b910500914 -EBUILD openssh-8.6_p1-r2.ebuild 17655 BLAKE2B 51c2e441eebfab62ebb34eb83ab11ca024ff50a8a3444db82014e554c7d89de10757a45b0f81f4d704977cc7c75a55bae46dbd32bb88132950b72c8cb583073e SHA512 5014bbcde62554e03814906c13521a2db2dcb8df1107d1b2825a9296c85fa76a68c70f07317e57145b46f28b0d5a772aaa03b9e3f6b42db2b3fc0f3be416e527 -EBUILD openssh-8.7_p1-r2.ebuild 17549 BLAKE2B 00b3970d5724d32f81935906c8d63be1bae00a2dc5e753c039cba60ed0f1fba13c6de4a34202c34581ddb4ffe04e9a63f1268880ba2528b8f184db50276a3dd8 SHA512 ef26ff570235d2f0557ac98471f8d9eb9645d925e45d426f89981d8ace599257e5e479d920280a7bdb35ef74918fb629f6a3e5bbb6a26a265cbc667687875bdb -EBUILD openssh-8.7_p1-r3.ebuild 17203 BLAKE2B fb53113ee453fd7a6373761fe0f8f5981fd97acd0f9388710a891f481d681cd3ad491071153e80cb3e7988e189b3f5f6b81de777094e4bd7e6da1a4009179206 SHA512 8cfe82b6d523bd5584eadc5b2469cf3f509051068596160b7a39ee3d887aa5ecc6b7c805e321aa29fe84340872572fb46771ab1bf6c917c69d56518286b6cce7 -EBUILD openssh-8.8_p1-r2.ebuild 17437 BLAKE2B 774044490edbe4b1c7b3b187fbad7f94a347ad28d750153b4a7b73a5b6897ffc8f95dfd01603351b99cbfab9a432224adc53ef5e65b5ba3610de30c88976c215 SHA512 bb7d9707cde3070ed5826a473909022eaaebca2a0d8f2b4b18aafc325a0b22ce0e38fc5f387260e243506413a177ab78dd31288c354c5606a4076d385e03f481 -EBUILD openssh-8.8_p1-r3.ebuild 17220 BLAKE2B 3451f58d25412f8ed8e7d8211196beee2c8904eb00c74cc1a99df03cc285ef4dcb2bc73a0afe9c729cde8e446a5f6096bdeb7f2864bb8dc271507fdbc5b5faa5 SHA512 7865293de246ca81061a73899f0d2ee8d4348928febb6850da36d270c6d4336b98c290c75a4eca69cc30d0cc4f2b5e4679d7f50aeee347a680e0a7f35e7fea90 -MISC metadata.xml 2102 BLAKE2B 4b1464bbe657cd70e0787f1030354bf5cd87d43f4e19fbaf3686ffdf4c001449511d93d2549a29b4f11faa7901476d85ea7e2555b31f94a97bf73b7912230439 SHA512 ee3fd9db64eced5ef136dec87e5fe965381d2b83247af6e65c9f205adc8758b7bf90a3e45c0fe15dfe82e9aa0f6f25411b58183b8a56ef0ad51026cacbcd89a1 +EBUILD openssh-8.7_p1-r4.ebuild 17206 BLAKE2B b730e377c8b6f9f5c20c37cb902e17415cc70d3a64f5043ba8e9195ed8912942686febd1e411d45155fc6abe9f81f6118fd83a2a66f25fcf0aebc371494c28a2 SHA512 741b4e2b9c0adf1b9c5042f338ddc42728a60aef904d3b04b9a06893e1d1562b6ec6c7decab4694381346cebc0dbcf29e908fa8028617ebe72a70ed1c0351109 +EBUILD openssh-8.8_p1-r4.ebuild 16716 BLAKE2B 922069eff2e0eaa56e07bbb70c0390ea98b769eb88184b5d224c1c6c1b385a0820168c5da2c9dd51e61fb8d4f342eba69d1468e8fbc13f287095c1df89b25857 SHA512 a884880cbe92972f47d7ef8785f0a0945c3d2176d75d608b96042cb7c6d0157c8e06a6addb92962a58e4ec700df2ce8f920d53a5b22f1a56336b3b4cae635379 +MISC metadata.xml 2013 BLAKE2B 5d452c9b16516ff3a7e01ae7a6f95102bec19b3f0df1aa4607558b012718e14e72e24fa09c1bd3ea6bc48506a7fc55180a9e4735809381bf4535569de59b1409 SHA512 5b56870f1e203f339b57792fca7ddcdf488be2f010c0a23e0b811825e0d8f2f5823c2f4ae8a2ec05b27ffd663fac4f8029a3b2bede9fa1beac067f5b5a57d6bd diff --git a/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch b/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch deleted file mode 100644 index 37905ce6afca..000000000000 --- a/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/kex.c b/kex.c -index 34808b5c..88d7ccac 100644 ---- a/kex.c -+++ b/kex.c -@@ -1126,7 +1126,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms, - if (version_addendum != NULL && *version_addendum == '\0') - version_addendum = NULL; - if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n", -- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, -+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, - version_addendum == NULL ? "" : " ", - version_addendum == NULL ? "" : version_addendum)) != 0) { - error("%s: sshbuf_putf: %s", __func__, ssh_err(r)); diff --git a/net-misc/openssh/files/openssh-8.5_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-8.5_p1-GSSAPI-dns.patch deleted file mode 100644 index eec66ade4b4e..000000000000 --- a/net-misc/openssh/files/openssh-8.5_p1-GSSAPI-dns.patch +++ /dev/null @@ -1,354 +0,0 @@ ---- a/auth.c 2021-03-02 04:31:47.000000000 -0600 -+++ b/auth.c 2021-03-04 11:22:44.590041696 -0600 -@@ -727,119 +727,6 @@ fakepw(void) - return (&fake); - } - --/* -- * Returns the remote DNS hostname as a string. The returned string must not -- * be freed. NB. this will usually trigger a DNS query the first time it is -- * called. -- * This function does additional checks on the hostname to mitigate some -- * attacks on legacy rhosts-style authentication. -- * XXX is RhostsRSAAuthentication vulnerable to these? -- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) -- */ -- --static char * --remote_hostname(struct ssh *ssh) --{ -- struct sockaddr_storage from; -- socklen_t fromlen; -- struct addrinfo hints, *ai, *aitop; -- char name[NI_MAXHOST], ntop2[NI_MAXHOST]; -- const char *ntop = ssh_remote_ipaddr(ssh); -- -- /* Get IP address of client. */ -- fromlen = sizeof(from); -- memset(&from, 0, sizeof(from)); -- if (getpeername(ssh_packet_get_connection_in(ssh), -- (struct sockaddr *)&from, &fromlen) == -1) { -- debug("getpeername failed: %.100s", strerror(errno)); -- return xstrdup(ntop); -- } -- -- ipv64_normalise_mapped(&from, &fromlen); -- if (from.ss_family == AF_INET6) -- fromlen = sizeof(struct sockaddr_in6); -- -- debug3("Trying to reverse map address %.100s.", ntop); -- /* Map the IP address to a host name. */ -- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), -- NULL, 0, NI_NAMEREQD) != 0) { -- /* Host name not found. Use ip address. */ -- return xstrdup(ntop); -- } -- -- /* -- * if reverse lookup result looks like a numeric hostname, -- * someone is trying to trick us by PTR record like following: -- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 -- */ -- memset(&hints, 0, sizeof(hints)); -- hints.ai_socktype = SOCK_DGRAM; /*dummy*/ -- hints.ai_flags = AI_NUMERICHOST; -- if (getaddrinfo(name, NULL, &hints, &ai) == 0) { -- logit("Nasty PTR record \"%s\" is set up for %s, ignoring", -- name, ntop); -- freeaddrinfo(ai); -- return xstrdup(ntop); -- } -- -- /* Names are stored in lowercase. */ -- lowercase(name); -- -- /* -- * Map it back to an IP address and check that the given -- * address actually is an address of this host. This is -- * necessary because anyone with access to a name server can -- * define arbitrary names for an IP address. Mapping from -- * name to IP address can be trusted better (but can still be -- * fooled if the intruder has access to the name server of -- * the domain). -- */ -- memset(&hints, 0, sizeof(hints)); -- hints.ai_family = from.ss_family; -- hints.ai_socktype = SOCK_STREAM; -- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { -- logit("reverse mapping checking getaddrinfo for %.700s " -- "[%s] failed.", name, ntop); -- return xstrdup(ntop); -- } -- /* Look for the address from the list of addresses. */ -- for (ai = aitop; ai; ai = ai->ai_next) { -- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, -- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && -- (strcmp(ntop, ntop2) == 0)) -- break; -- } -- freeaddrinfo(aitop); -- /* If we reached the end of the list, the address was not there. */ -- if (ai == NULL) { -- /* Address not found for the host name. */ -- logit("Address %.100s maps to %.600s, but this does not " -- "map back to the address.", ntop, name); -- return xstrdup(ntop); -- } -- return xstrdup(name); --} -- --/* -- * Return the canonical name of the host in the other side of the current -- * connection. The host name is cached, so it is efficient to call this -- * several times. -- */ -- --const char * --auth_get_canonical_hostname(struct ssh *ssh, int use_dns) --{ -- static char *dnsname; -- -- if (!use_dns) -- return ssh_remote_ipaddr(ssh); -- else if (dnsname != NULL) -- return dnsname; -- else { -- dnsname = remote_hostname(ssh); -- return dnsname; -- } --} - - /* These functions link key/cert options to the auth framework */ - ---- a/canohost.c 2021-03-02 04:31:47.000000000 -0600 -+++ b/canohost.c 2021-03-04 11:22:54.854211183 -0600 -@@ -202,3 +202,117 @@ get_local_port(int sock) - { - return get_sock_port(sock, 1); - } -+ -+/* -+ * Returns the remote DNS hostname as a string. The returned string must not -+ * be freed. NB. this will usually trigger a DNS query the first time it is -+ * called. -+ * This function does additional checks on the hostname to mitigate some -+ * attacks on legacy rhosts-style authentication. -+ * XXX is RhostsRSAAuthentication vulnerable to these? -+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) -+ */ -+ -+static char * -+remote_hostname(struct ssh *ssh) -+{ -+ struct sockaddr_storage from; -+ socklen_t fromlen; -+ struct addrinfo hints, *ai, *aitop; -+ char name[NI_MAXHOST], ntop2[NI_MAXHOST]; -+ const char *ntop = ssh_remote_ipaddr(ssh); -+ -+ /* Get IP address of client. */ -+ fromlen = sizeof(from); -+ memset(&from, 0, sizeof(from)); -+ if (getpeername(ssh_packet_get_connection_in(ssh), -+ (struct sockaddr *)&from, &fromlen) == -1) { -+ debug("getpeername failed: %.100s", strerror(errno)); -+ return xstrdup(ntop); -+ } -+ -+ ipv64_normalise_mapped(&from, &fromlen); -+ if (from.ss_family == AF_INET6) -+ fromlen = sizeof(struct sockaddr_in6); -+ -+ debug3("Trying to reverse map address %.100s.", ntop); -+ /* Map the IP address to a host name. */ -+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), -+ NULL, 0, NI_NAMEREQD) != 0) { -+ /* Host name not found. Use ip address. */ -+ return xstrdup(ntop); -+ } -+ -+ /* -+ * if reverse lookup result looks like a numeric hostname, -+ * someone is trying to trick us by PTR record like following: -+ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 -+ */ -+ memset(&hints, 0, sizeof(hints)); -+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/ -+ hints.ai_flags = AI_NUMERICHOST; -+ if (getaddrinfo(name, NULL, &hints, &ai) == 0) { -+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring", -+ name, ntop); -+ freeaddrinfo(ai); -+ return xstrdup(ntop); -+ } -+ -+ /* Names are stored in lowercase. */ -+ lowercase(name); -+ -+ /* -+ * Map it back to an IP address and check that the given -+ * address actually is an address of this host. This is -+ * necessary because anyone with access to a name server can -+ * define arbitrary names for an IP address. Mapping from -+ * name to IP address can be trusted better (but can still be -+ * fooled if the intruder has access to the name server of -+ * the domain). -+ */ -+ memset(&hints, 0, sizeof(hints)); -+ hints.ai_family = from.ss_family; -+ hints.ai_socktype = SOCK_STREAM; -+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { -+ logit("reverse mapping checking getaddrinfo for %.700s " -+ "[%s] failed.", name, ntop); -+ return xstrdup(ntop); -+ } -+ /* Look for the address from the list of addresses. */ -+ for (ai = aitop; ai; ai = ai->ai_next) { -+ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, -+ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && -+ (strcmp(ntop, ntop2) == 0)) -+ break; -+ } -+ freeaddrinfo(aitop); -+ /* If we reached the end of the list, the address was not there. */ -+ if (ai == NULL) { -+ /* Address not found for the host name. */ -+ logit("Address %.100s maps to %.600s, but this does not " -+ "map back to the address.", ntop, name); -+ return xstrdup(ntop); -+ } -+ return xstrdup(name); -+} -+ -+/* -+ * Return the canonical name of the host in the other side of the current -+ * connection. The host name is cached, so it is efficient to call this -+ * several times. -+ */ -+ -+const char * -+auth_get_canonical_hostname(struct ssh *ssh, int use_dns) -+{ -+ static char *dnsname; -+ -+ if (!use_dns) -+ return ssh_remote_ipaddr(ssh); -+ else if (dnsname != NULL) -+ return dnsname; -+ else { -+ dnsname = remote_hostname(ssh); -+ return dnsname; -+ } -+} -diff --git a/readconf.c b/readconf.c -index 724974b7..97a1ffd8 100644 ---- a/readconf.c -+++ b/readconf.c -@@ -161,6 +161,7 @@ typedef enum { - oClearAllForwardings, oNoHostAuthenticationForLocalhost, - oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, - oAddressFamily, oGssAuthentication, oGssDelegateCreds, -+ oGssTrustDns, - oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, - oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist, - oHashKnownHosts, -@@ -206,9 +207,11 @@ static struct { - #if defined(GSSAPI) - { "gssapiauthentication", oGssAuthentication }, - { "gssapidelegatecredentials", oGssDelegateCreds }, -+ { "gssapitrustdns", oGssTrustDns }, - # else - { "gssapiauthentication", oUnsupported }, - { "gssapidelegatecredentials", oUnsupported }, -+ { "gssapitrustdns", oUnsupported }, - #endif - #ifdef ENABLE_PKCS11 - { "pkcs11provider", oPKCS11Provider }, -@@ -1083,6 +1086,10 @@ parse_time: - intptr = &options->gss_deleg_creds; - goto parse_flag; - -+ case oGssTrustDns: -+ intptr = &options->gss_trust_dns; -+ goto parse_flag; -+ - case oBatchMode: - intptr = &options->batch_mode; - goto parse_flag; -@@ -2183,6 +2190,7 @@ initialize_options(Options * options) - options->challenge_response_authentication = -1; - options->gss_authentication = -1; - options->gss_deleg_creds = -1; -+ options->gss_trust_dns = -1; - options->password_authentication = -1; - options->kbd_interactive_authentication = -1; - options->kbd_interactive_devices = NULL; -@@ -2340,6 +2348,8 @@ fill_default_options(Options * options) - options->gss_authentication = 0; - if (options->gss_deleg_creds == -1) - options->gss_deleg_creds = 0; -+ if (options->gss_trust_dns == -1) -+ options->gss_trust_dns = 0; - if (options->password_authentication == -1) - options->password_authentication = 1; - if (options->kbd_interactive_authentication == -1) -diff --git a/readconf.h b/readconf.h -index 2fba866e..da3ce87a 100644 ---- a/readconf.h -+++ b/readconf.h -@@ -42,6 +42,7 @@ typedef struct { - /* Try S/Key or TIS, authentication. */ - int gss_authentication; /* Try GSS authentication */ - int gss_deleg_creds; /* Delegate GSS credentials */ -+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */ - int password_authentication; /* Try password - * authentication. */ - int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ -diff --git a/ssh_config.5 b/ssh_config.5 -index f8119189..e0fd0d76 100644 ---- a/ssh_config.5 -+++ b/ssh_config.5 -@@ -783,6 +783,16 @@ The default is - Forward (delegate) credentials to the server. - The default is - .Cm no . -+Note that this option applies to protocol version 2 connections using GSSAPI. -+.It Cm GSSAPITrustDns -+Set to -+.Dq yes to indicate that the DNS is trusted to securely canonicalize -+the name of the host being connected to. If -+.Dq no, the hostname entered on the -+command line will be passed untouched to the GSSAPI library. -+The default is -+.Dq no . -+This option only applies to protocol version 2 connections using GSSAPI. - .It Cm HashKnownHosts - Indicates that - .Xr ssh 1 -diff --git a/sshconnect2.c b/sshconnect2.c -index 059c9480..ab6f6832 100644 ---- a/sshconnect2.c -+++ b/sshconnect2.c -@@ -770,6 +770,13 @@ userauth_gssapi(struct ssh *ssh) - OM_uint32 min; - int r, ok = 0; - gss_OID mech = NULL; -+ const char *gss_host; -+ -+ if (options.gss_trust_dns) { -+ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns); -+ gss_host = auth_get_canonical_hostname(ssh, 1); -+ } else -+ gss_host = authctxt->host; - - /* Try one GSSAPI method at a time, rather than sending them all at - * once. */ -@@ -784,7 +791,7 @@ userauth_gssapi(struct ssh *ssh) - elements[authctxt->mech_tried]; - /* My DER encoding requires length<128 */ - if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt, -- mech, authctxt->host)) { -+ mech, gss_host)) { - ok = 1; /* Mechanism works */ - } else { - authctxt->mech_tried++; diff --git a/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.1.patch b/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.1.patch deleted file mode 100644 index c7812c622c26..000000000000 --- a/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.1.patch +++ /dev/null @@ -1,72 +0,0 @@ ---- a/openssh-8.5p1+x509-13.0.1.diff 2021-03-15 14:05:14.876485231 -0700 -+++ b/openssh-8.5p1+x509-13.0.1.diff 2021-03-15 14:06:05.389154451 -0700 -@@ -46675,12 +46675,11 @@ - - install-files: - $(MKDIR_P) $(DESTDIR)$(bindir) --@@ -380,6 +364,8 @@ -+@@ -380,6 +364,7 @@ - $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5 - $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8 - $(MKDIR_P) $(DESTDIR)$(libexecdir) - + $(MKDIR_P) $(DESTDIR)$(sshcadir) --+ $(MKDIR_P) $(DESTDIR)$(piddir) - $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH) - $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT) - $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT) -@@ -63967,7 +63966,7 @@ - - echo "putty interop tests not enabled" - - exit 0 - -fi --+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; } -++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; } - - for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do - verbose "$tid: cipher $c" -@@ -63982,7 +63981,7 @@ - - echo "putty interop tests not enabled" - - exit 0 - -fi --+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; } -++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; } - - for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do - verbose "$tid: kex $k" -@@ -63997,7 +63996,7 @@ - - echo "putty interop tests not enabled" - - exit 0 - -fi --+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; } -++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; } - - if [ "`${SSH} -Q compression`" = "none" ]; then - comp="0" -@@ -64129,9 +64128,9 @@ - - +# cross-project configuration - +if test "$sshd_type" = "pkix" ; then --+ unset_arg='' -++ unset_arg= - +else --+ unset_arg=none -++ unset_arg= - +fi - + - cat > $OBJ/sshd_config.i << _EOF -@@ -122247,16 +122246,6 @@ - +int asnmprintf(char **, size_t, int *, const char *, ...) - __attribute__((format(printf, 4, 5))); - void msetlocale(void); --diff -ruN openssh-8.5p1/version.h openssh-8.5p1+x509-13.0.1/version.h ----- openssh-8.5p1/version.h 2021-03-02 12:31:47.000000000 +0200 --+++ openssh-8.5p1+x509-13.0.1/version.h 2021-03-15 20:07:00.000000000 +0200 --@@ -2,5 +2,4 @@ -- -- #define SSH_VERSION "OpenSSH_8.5" -- ---#define SSH_PORTABLE "p1" ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE --+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1" - diff -ruN openssh-8.5p1/version.m4 openssh-8.5p1+x509-13.0.1/version.m4 - --- openssh-8.5p1/version.m4 1970-01-01 02:00:00.000000000 +0200 - +++ openssh-8.5p1+x509-13.0.1/version.m4 2021-03-15 20:07:00.000000000 +0200 diff --git a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-X509-13.0.1-glue.patch b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-X509-13.0.1-glue.patch deleted file mode 100644 index 413cc8b9c3dc..000000000000 --- a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-X509-13.0.1-glue.patch +++ /dev/null @@ -1,328 +0,0 @@ -diff -u a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff ---- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-03-15 17:45:28.550606801 -0700 -+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-03-15 17:56:36.240309581 -0700 -@@ -3,9 +3,9 @@ - --- a/Makefile.in - +++ b/Makefile.in - @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@ -- CFLAGS_NOPIE=@CFLAGS_NOPIE@ -- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ -- PICFLAG=@PICFLAG@ -+ LD=@LD@ -+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA) -+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ - -LIBS=@LIBS@ - +LIBS=@LIBS@ -lpthread - K5LIBS=@K5LIBS@ -@@ -803,8 +803,8 @@ - ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out) - { - struct session_state *state; --- const struct sshcipher *none = cipher_by_name("none"); --+ struct sshcipher *none = cipher_by_name("none"); -+- const struct sshcipher *none = cipher_none(); -++ struct sshcipher *none = cipher_none(); - int r; - - if (none == NULL) { -@@ -898,20 +898,20 @@ - options->fingerprint_hash = -1; - options->update_hostkeys = -1; - + options->disable_multithreaded = -1; -- options->hostbased_accepted_algos = NULL; -- options->pubkey_accepted_algos = NULL; -- options->known_hosts_command = NULL; -+ } -+ -+ /* - @@ -2467,6 +2474,10 @@ fill_default_options(Options * options) -+ options->update_hostkeys = 0; - if (options->sk_provider == NULL) - options->sk_provider = xstrdup("$SSH_SK_PROVIDER"); -- #endif - + if (options->update_hostkeys == -1) - + options->update_hostkeys = 0; - + if (options->disable_multithreaded == -1) - + options->disable_multithreaded = 0; - -- /* Expand KEX name lists */ -- all_cipher = cipher_alg_list(',', 0); -+ /* expand KEX and etc. name lists */ -+ { char *all; - diff --git a/readconf.h b/readconf.h - index 2fba866e..7f8f0227 100644 - --- a/readconf.h -@@ -950,9 +950,9 @@ - /* Portable-specific options */ - sUsePAM, - + sDisableMTAES, -- /* Standard Options */ -- sPort, sHostKeyFile, sLoginGraceTime, -- sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, -+ /* X.509 Standard Options */ -+ sHostbasedAlgorithms, -+ sPubkeyAlgorithms, - @@ -662,6 +666,7 @@ static struct { - { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, - { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, -diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff ---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:29:42.953733894 -0700 -+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:47:54.198893025 -0700 -@@ -157,6 +157,36 @@ - + Allan Jude provided the code for the NoneMac and buffer normalization. - + This work was financed, in part, by Cisco System, Inc., the National - + Library of Medicine, and the National Science Foundation. -+diff --git a/auth2.c b/auth2.c -+--- a/auth2.c 2021-03-15 19:30:45.404060786 -0700 -++++ b/auth2.c 2021-03-15 19:37:22.078476597 -0700 -+@@ -229,16 +229,17 @@ -+ double delay; -+ -+ digest_alg = ssh_digest_maxbytes(); -+- len = ssh_digest_bytes(digest_alg); -+- hash = xmalloc(len); -++ if (len = ssh_digest_bytes(digest_alg) > 0) { -++ hash = xmalloc(len); -+ -+- (void)snprintf(b, sizeof b, "%llu%s", -+- (unsigned long long)options.timing_secret, user); -+- if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0) -+- fatal_f("ssh_digest_memory"); -+- /* 0-4.2 ms of delay */ -+- delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000; -+- freezero(hash, len); -++ (void)snprintf(b, sizeof b, "%llu%s", -++ (unsigned long long)options.timing_secret, user); -++ if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0) -++ fatal_f("ssh_digest_memory"); -++ /* 0-4.2 ms of delay */ -++ delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000; -++ freezero(hash, len); -++ } -+ debug3_f("user specific delay %0.3lfms", delay/1000); -+ return MIN_FAIL_DELAY_SECONDS + delay; -+ } - diff --git a/channels.c b/channels.c - index b60d56c4..0e363c15 100644 - --- a/channels.c -@@ -209,14 +239,14 @@ - static void - channel_pre_open(struct ssh *ssh, Channel *c, - fd_set *readset, fd_set *writeset) --@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c) -+@@ -2164,21 +2164,31 @@ channel_check_window(struct ssh *ssh, Channel *c) - - if (c->type == SSH_CHANNEL_OPEN && - !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) && - - ((c->local_window_max - c->local_window > - - c->local_maxpacket*3) || --+ ((ssh_packet_is_interactive(ssh) && --+ c->local_window_max - c->local_window > c->local_maxpacket*3) || -++ ((ssh_packet_is_interactive(ssh) && -++ c->local_window_max - c->local_window > c->local_maxpacket*3) || - c->local_window < c->local_window_max/2) && - c->local_consumed > 0) { - + u_int addition = 0; -@@ -235,9 +265,8 @@ - (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || - - (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 || - + (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 || -- (r = sshpkt_send(ssh)) != 0) { -- fatal_fr(r, "channel %i", c->self); -- } -+ (r = sshpkt_send(ssh)) != 0) -+ fatal_fr(r, "channel %d", c->self); - - debug2("channel %d: window %d sent adjust %d", c->self, - - c->local_window, c->local_consumed); - - c->local_window += c->local_consumed; -@@ -386,21 +415,45 @@ - index 69befa96..90b5f338 100644 - --- a/compat.c - +++ b/compat.c --@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version) -- debug_f("match: %s pat %s compat 0x%08x", -+@@ -43,7 +43,7 @@ compat_datafellows(const char *version) -+ static u_int -+ compat_datafellows(const char *version) -+ { -+- int i; -++ int i, bugs = 0; -+ static struct { -+ char *pat; -+ int bugs; -+@@ -147,11 +147,26 @@ -+ if (match_pattern_list(version, check[i].pat, 0) == 1) { -+ debug("match: %s pat %s compat 0x%08x", - version, check[i].pat, check[i].bugs); -- ssh->compat = check[i].bugs; - + /* Check to see if the remote side is OpenSSH and not HPN */ --+ /* TODO: need to use new method to test for this */ - + if (strstr(version, "OpenSSH") != NULL) { - + if (strstr(version, "hpn") == NULL) { --+ ssh->compat |= SSH_BUG_LARGEWINDOW; -++ bugs |= SSH_BUG_LARGEWINDOW; - + debug("Remote is NON-HPN aware"); - + } - + } -- return; -+- return check[i].bugs; -++ bugs |= check[i].bugs; - } - } -+- debug("no match: %s", version); -+- return 0; -++ /* Check to see if the remote side is OpenSSH and not HPN */ -++ if (strstr(version, "OpenSSH") != NULL) { -++ if (strstr(version, "hpn") == NULL) { -++ bugs |= SSH_BUG_LARGEWINDOW; -++ debug("Remote is NON-HPN aware"); -++ } -++ } -++ if (bugs == 0) -++ debug("no match: %s", version); -++ return bugs; -+ } -+ -+ char * - diff --git a/compat.h b/compat.h - index c197fafc..ea2e17a7 100644 - --- a/compat.h -@@ -459,7 +512,7 @@ - @@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh) - int nenc, nmac, ncomp; - u_int mode, ctos, need, dh_need, authlen; -- int r, first_kex_follows; -+ int r, first_kex_follows = 0; - + int auth_flag = 0; - + - + auth_flag = packet_authentication_state(ssh); -@@ -1035,19 +1088,6 @@ - - /* File to read commands from */ - FILE* infile; --diff --git a/ssh-keygen.c b/ssh-keygen.c --index cfb5f115..36a6e519 100644 ----- a/ssh-keygen.c --+++ b/ssh-keygen.c --@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device) -- freezero(pin, strlen(pin)); -- error_r(r, "Unable to load resident keys"); -- return -1; --- } --+ } -- if (nkeys == 0) -- logit("No keys to download"); -- if (pin != NULL) - diff --git a/ssh.c b/ssh.c - index 53330da5..27b9770e 100644 - --- a/ssh.c -@@ -1093,7 +1133,7 @@ - + else - + options.hpn_buffer_size = 2 * 1024 * 1024; - + --+ if (ssh->compat & SSH_BUG_LARGEWINDOW) { -++ if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) { - + debug("HPN to Non-HPN Connection"); - + } else { - + int sock, socksize; -@@ -1335,6 +1375,28 @@ - /* Bind the socket to the desired port. */ - if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) { - error("Bind to port %s on %s failed: %.200s.", -+@@ -1625,13 +1625,14 @@ -+ if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg), -+ sshbuf_len(server_cfg)) != 0) -+ fatal_f("ssh_digest_update"); -+- len = ssh_digest_bytes(digest_alg); -+- hash = xmalloc(len); -+- if (ssh_digest_final(ctx, hash, len) != 0) -+- fatal_f("ssh_digest_final"); -+- options.timing_secret = PEEK_U64(hash); -+- freezero(hash, len); -+- ssh_digest_free(ctx); -++ if ((len = ssh_digest_bytes(digest_alg)) > 0) { -++ hash = xmalloc(len); -++ if (ssh_digest_final(ctx, hash, len) != 0) -++ fatal_f("ssh_digest_final"); -++ options.timing_secret = PEEK_U64(hash); -++ freezero(hash, len); -++ ssh_digest_free(ctx); -++ } -+ ctx = NULL; -+ return; -+ } - @@ -1727,6 +1734,19 @@ main(int ac, char **av) - /* Fill in default values for those options not explicitly set. */ - fill_default_server_options(&options); -@@ -1405,14 +1467,3 @@ - # Example of overriding settings on a per-user basis - #Match User anoncvs - # X11Forwarding no --diff --git a/version.h b/version.h --index 6b4fa372..332fb486 100644 ----- a/version.h --+++ b/version.h --@@ -3,4 +3,5 @@ -- #define SSH_VERSION "OpenSSH_8.5" -- -- #define SSH_PORTABLE "p1" ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE --+#define SSH_HPN "-hpn15v2" --+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN -diff -u a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff ---- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-03-15 17:45:28.550606801 -0700 -+++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-03-15 18:39:10.262087944 -0700 -@@ -12,9 +12,9 @@ - static long stalled; /* how long we have been stalled */ - static int bytes_per_second; /* current speed in bytes per second */ - @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update) -+ off_t bytes_left; - int cur_speed; -- int hours, minutes, seconds; -- int file_len; -+ int len; - + off_t delta_pos; - - if ((!force_update && !alarm_fired && !win_resized) || !can_output()) -@@ -30,15 +30,17 @@ - if (bytes_left > 0) - elapsed = now - last_update; - else { --@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update) -- -+@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update) -+ buf[1] = '\0'; -+ - /* filename */ -- buf[0] = '\0'; --- file_len = win_size - 36; --+ file_len = win_size - 45; -- if (file_len > 0) { -- buf[0] = '\r'; -- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s", -+- if (win_size > 36) { -++ if (win_size > 45) { -+- int file_len = win_size - 36; -++ int file_len = win_size - 45; -+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ", -+ file_len, file); -+ } - @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update) - (off_t)bytes_per_second); - strlcat(buf, "/s ", win_size); -@@ -63,15 +65,3 @@ - } - - /*ARGSUSED*/ --diff --git a/ssh-keygen.c b/ssh-keygen.c --index cfb5f115..986ff59b 100644 ----- a/ssh-keygen.c --+++ b/ssh-keygen.c --@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device) -- -- if (skprovider == NULL) -- fatal("Cannot download keys without provider"); --- -- pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN); -- if (!quiet) { -- printf("You may need to touch your authenticator " diff --git a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-glue.patch b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-glue.patch deleted file mode 100644 index 8827fe88d7aa..000000000000 --- a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-glue.patch +++ /dev/null @@ -1,104 +0,0 @@ -diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff ---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-15 15:10:45.680967455 -0700 -+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:25:14.710431930 -0700 -@@ -536,18 +536,10 @@ - if (state->rekey_limit) - *max_blocks = MINIMUM(*max_blocks, - state->rekey_limit / enc->block_size); --@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode) -+@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode) - return 0; - } - --+/* this supports the forced rekeying required for the NONE cipher */ --+int rekey_requested = 0; --+void --+packet_request_rekeying(void) --+{ --+ rekey_requested = 1; --+} --+ - +/* used to determine if pre or post auth when rekeying for aes-ctr - + * and none cipher switch */ - +int -@@ -561,20 +553,6 @@ - #define MAX_PACKETS (1U<<31) - static int - ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) --@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) -- if (state->p_send.packets == 0 && state->p_read.packets == 0) -- return 0; -- --+ /* used to force rekeying when called for by the none --+ * cipher switch methods -cjr */ --+ if (rekey_requested == 1) { --+ rekey_requested = 0; --+ return 1; --+ } --+ -- /* Time-based rekeying */ -- if (state->rekey_interval != 0 && -- (int64_t)state->rekey_time + state->rekey_interval <= monotime()) - @@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) - struct session_state *state = ssh->state; - int len, r, ms_remain; -@@ -598,12 +576,11 @@ - }; - - typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *, --@@ -155,6 +158,10 @@ int ssh_packet_inc_alive_timeouts(struct ssh *); -+@@ -155,6 +158,9 @@ int ssh_packet_inc_alive_timeouts(struct ssh *); - int ssh_packet_set_maxsize(struct ssh *, u_int); - u_int ssh_packet_get_maxsize(struct ssh *); - - +/* for forced packet rekeying post auth */ --+void packet_request_rekeying(void); - +int packet_authentication_state(const struct ssh *); - + - int ssh_packet_get_state(struct ssh *, struct sshbuf *); -@@ -627,9 +604,9 @@ - oLocalCommand, oPermitLocalCommand, oRemoteCommand, - + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize, - + oNoneEnabled, oNoneMacEnabled, oNoneSwitch, -+ oDisableMTAES, - oVisualHostKey, - oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass, -- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, - @@ -297,6 +300,9 @@ static struct { - { "kexalgorithms", oKexAlgorithms }, - { "ipqos", oIPQoS }, -@@ -778,9 +755,9 @@ - int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */ - SyslogFacility log_facility; /* Facility for system logging. */ - @@ -120,7 +124,11 @@ typedef struct { -- - int enable_ssh_keysign; - int64_t rekey_limit; -+ int disable_multithreaded; /*disable multithreaded aes-ctr*/ - + int none_switch; /* Use none cipher */ - + int none_enabled; /* Allow none cipher to be used */ - + int nonemac_enabled; /* Allow none MAC to be used */ -@@ -842,9 +819,9 @@ - /* Portable-specific options */ - if (options->use_pam == -1) - @@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options) -- } -- if (options->permit_tun == -1) - options->permit_tun = SSH_TUNMODE_NO; -+ if (options->disable_multithreaded == -1) -+ options->disable_multithreaded = 0; - + if (options->none_enabled == -1) - + options->none_enabled = 0; - + if (options->nonemac_enabled == -1) -@@ -1330,9 +1307,9 @@ - + } - + } - + -- debug("Authentication succeeded (%s).", authctxt.method->name); -- } - -+ #ifdef WITH_OPENSSL -+ if (options.disable_multithreaded == 0) { - diff --git a/sshd.c b/sshd.c - index 6277e6d6..d66fa41a 100644 - --- a/sshd.c diff --git a/net-misc/openssh/files/openssh-8.6_p1-X509-glue-13.1.patch b/net-misc/openssh/files/openssh-8.6_p1-X509-glue-13.1.patch deleted file mode 100644 index e23063b5db2e..000000000000 --- a/net-misc/openssh/files/openssh-8.6_p1-X509-glue-13.1.patch +++ /dev/null @@ -1,72 +0,0 @@ ---- a/openssh-8.6p1+x509-13.1.diff 2021-04-23 14:46:58.184683047 -0700 -+++ b/openssh-8.6p1+x509-13.1.diff 2021-04-23 15:00:08.455087549 -0700 -@@ -47728,12 +47728,11 @@ - - install-files: - $(MKDIR_P) $(DESTDIR)$(bindir) --@@ -389,6 +366,8 @@ -+@@ -389,6 +366,7 @@ - $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5 - $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8 - $(MKDIR_P) $(DESTDIR)$(libexecdir) - + $(MKDIR_P) $(DESTDIR)$(sshcadir) --+ $(MKDIR_P) $(DESTDIR)$(piddir) - $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH) - $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT) - $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT) -@@ -65001,7 +65000,7 @@ - - echo "putty interop tests not enabled" - - exit 0 - -fi --+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; } -++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; } - - for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do - verbose "$tid: cipher $c" -@@ -65016,7 +65015,7 @@ - - echo "putty interop tests not enabled" - - exit 0 - -fi --+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; } -++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; } - - for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do - verbose "$tid: kex $k" -@@ -65031,7 +65030,7 @@ - - echo "putty interop tests not enabled" - - exit 0 - -fi --+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; } -++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; } - - if [ "`${SSH} -Q compression`" = "none" ]; then - comp="0" -@@ -65163,9 +65162,9 @@ - - +# cross-project configuration - +if test "$sshd_type" = "pkix" ; then --+ unset_arg='' -++ unset_arg= - +else --+ unset_arg=none -++ unset_arg= - +fi - + - cat > $OBJ/sshd_config.i << _EOF -@@ -124084,16 +124083,6 @@ - +int asnmprintf(char **, size_t, int *, const char *, ...) - __attribute__((format(printf, 4, 5))); - void msetlocale(void); --diff -ruN openssh-8.6p1/version.h openssh-8.6p1+x509-13.1/version.h ----- openssh-8.6p1/version.h 2021-04-16 06:55:25.000000000 +0300 --+++ openssh-8.6p1+x509-13.1/version.h 2021-04-21 21:07:00.000000000 +0300 --@@ -2,5 +2,4 @@ -- -- #define SSH_VERSION "OpenSSH_8.6" -- ---#define SSH_PORTABLE "p1" ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE --+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1" - diff -ruN openssh-8.6p1/version.m4 openssh-8.6p1+x509-13.1/version.m4 - --- openssh-8.6p1/version.m4 1970-01-01 02:00:00.000000000 +0200 - +++ openssh-8.6p1+x509-13.1/version.m4 2021-04-21 21:07:00.000000000 +0300 diff --git a/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-X509-glue.patch b/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-X509-glue.patch deleted file mode 100644 index 714dffc41712..000000000000 --- a/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-X509-glue.patch +++ /dev/null @@ -1,357 +0,0 @@ -diff -ur a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff ---- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-04-23 15:31:47.247434467 -0700 -+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-04-23 15:32:29.807508606 -0700 -@@ -3,9 +3,9 @@ - --- a/Makefile.in - +++ b/Makefile.in - @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@ -- CFLAGS_NOPIE=@CFLAGS_NOPIE@ -- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ -- PICFLAG=@PICFLAG@ -+ LD=@LD@ -+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA) -+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ - -LIBS=@LIBS@ - +LIBS=@LIBS@ -lpthread - K5LIBS=@K5LIBS@ -@@ -803,8 +803,8 @@ - ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out) - { - struct session_state *state; --- const struct sshcipher *none = cipher_by_name("none"); --+ struct sshcipher *none = cipher_by_name("none"); -+- const struct sshcipher *none = cipher_none(); -++ struct sshcipher *none = cipher_none(); - int r; - - if (none == NULL) { -@@ -898,20 +898,20 @@ - options->fingerprint_hash = -1; - options->update_hostkeys = -1; - + options->disable_multithreaded = -1; -- options->hostbased_accepted_algos = NULL; -- options->pubkey_accepted_algos = NULL; -- options->known_hosts_command = NULL; -+ } -+ -+ /* - @@ -2467,6 +2474,10 @@ fill_default_options(Options * options) -+ options->update_hostkeys = 0; - if (options->sk_provider == NULL) - options->sk_provider = xstrdup("$SSH_SK_PROVIDER"); -- #endif - + if (options->update_hostkeys == -1) - + options->update_hostkeys = 0; - + if (options->disable_multithreaded == -1) - + options->disable_multithreaded = 0; - -- /* Expand KEX name lists */ -- all_cipher = cipher_alg_list(',', 0); -+ /* expand KEX and etc. name lists */ -+ { char *all; - diff --git a/readconf.h b/readconf.h - index 2fba866e..7f8f0227 100644 - --- a/readconf.h -@@ -950,9 +950,9 @@ - /* Portable-specific options */ - sUsePAM, - + sDisableMTAES, -- /* Standard Options */ -- sPort, sHostKeyFile, sLoginGraceTime, -- sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, -+ /* X.509 Standard Options */ -+ sHostbasedAlgorithms, -+ sPubkeyAlgorithms, - @@ -662,6 +666,7 @@ static struct { - { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, - { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, -diff -ur a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff ---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-04-23 15:31:47.247434467 -0700 -+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-04-23 15:46:32.296026606 -0700 -@@ -157,6 +157,36 @@ - + Allan Jude provided the code for the NoneMac and buffer normalization. - + This work was financed, in part, by Cisco System, Inc., the National - + Library of Medicine, and the National Science Foundation. -+diff --git a/auth2.c b/auth2.c -+--- a/auth2.c 2021-03-15 19:30:45.404060786 -0700 -++++ b/auth2.c 2021-03-15 19:37:22.078476597 -0700 -+@@ -229,16 +229,17 @@ -+ double delay; -+ -+ digest_alg = ssh_digest_maxbytes(); -+- len = ssh_digest_bytes(digest_alg); -+- hash = xmalloc(len); -++ if (len = ssh_digest_bytes(digest_alg) > 0) { -++ hash = xmalloc(len); -+ -+- (void)snprintf(b, sizeof b, "%llu%s", -+- (unsigned long long)options.timing_secret, user); -+- if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0) -+- fatal_f("ssh_digest_memory"); -+- /* 0-4.2 ms of delay */ -+- delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000; -+- freezero(hash, len); -++ (void)snprintf(b, sizeof b, "%llu%s", -++ (unsigned long long)options.timing_secret, user); -++ if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0) -++ fatal_f("ssh_digest_memory"); -++ /* 0-4.2 ms of delay */ -++ delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000; -++ freezero(hash, len); -++ } -+ debug3_f("user specific delay %0.3lfms", delay/1000); -+ return MIN_FAIL_DELAY_SECONDS + delay; -+ } - diff --git a/channels.c b/channels.c - index b60d56c4..0e363c15 100644 - --- a/channels.c -@@ -209,14 +239,14 @@ - static void - channel_pre_open(struct ssh *ssh, Channel *c, - fd_set *readset, fd_set *writeset) --@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c) -+@@ -2164,21 +2191,31 @@ channel_check_window(struct ssh *ssh, Channel *c) - - if (c->type == SSH_CHANNEL_OPEN && - !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) && - - ((c->local_window_max - c->local_window > - - c->local_maxpacket*3) || --+ ((ssh_packet_is_interactive(ssh) && --+ c->local_window_max - c->local_window > c->local_maxpacket*3) || -++ ((ssh_packet_is_interactive(ssh) && -++ c->local_window_max - c->local_window > c->local_maxpacket*3) || - c->local_window < c->local_window_max/2) && - c->local_consumed > 0) { - + u_int addition = 0; -@@ -235,9 +265,8 @@ - (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || - - (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 || - + (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 || -- (r = sshpkt_send(ssh)) != 0) { -- fatal_fr(r, "channel %i", c->self); -- } -+ (r = sshpkt_send(ssh)) != 0) -+ fatal_fr(r, "channel %d", c->self); - - debug2("channel %d: window %d sent adjust %d", c->self, - - c->local_window, c->local_consumed); - - c->local_window += c->local_consumed; -@@ -386,21 +415,45 @@ - index 69befa96..90b5f338 100644 - --- a/compat.c - +++ b/compat.c --@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version) -- debug_f("match: %s pat %s compat 0x%08x", -+@@ -43,7 +43,7 @@ compat_datafellows(const char *version) -+ static u_int -+ compat_datafellows(const char *version) -+ { -+- int i; -++ int i, bugs = 0; -+ static struct { -+ char *pat; -+ int bugs; -+@@ -147,11 +147,26 @@ -+ if (match_pattern_list(version, check[i].pat, 0) == 1) { -+ debug("match: %s pat %s compat 0x%08x", - version, check[i].pat, check[i].bugs); -- ssh->compat = check[i].bugs; - + /* Check to see if the remote side is OpenSSH and not HPN */ --+ /* TODO: need to use new method to test for this */ - + if (strstr(version, "OpenSSH") != NULL) { - + if (strstr(version, "hpn") == NULL) { --+ ssh->compat |= SSH_BUG_LARGEWINDOW; -++ bugs |= SSH_BUG_LARGEWINDOW; - + debug("Remote is NON-HPN aware"); - + } - + } -- return; -+- return check[i].bugs; -++ bugs |= check[i].bugs; - } - } -+- debug("no match: %s", version); -+- return 0; -++ /* Check to see if the remote side is OpenSSH and not HPN */ -++ if (strstr(version, "OpenSSH") != NULL) { -++ if (strstr(version, "hpn") == NULL) { -++ bugs |= SSH_BUG_LARGEWINDOW; -++ debug("Remote is NON-HPN aware"); -++ } -++ } -++ if (bugs == 0) -++ debug("no match: %s", version); -++ return bugs; -+ } -+ -+ char * - diff --git a/compat.h b/compat.h - index c197fafc..ea2e17a7 100644 - --- a/compat.h -@@ -459,7 +512,7 @@ - @@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh) - int nenc, nmac, ncomp; - u_int mode, ctos, need, dh_need, authlen; -- int r, first_kex_follows; -+ int r, first_kex_follows = 0; - + int auth_flag = 0; - + - + auth_flag = packet_authentication_state(ssh); -@@ -553,7 +606,7 @@ - #define MAX_PACKETS (1U<<31) - static int - ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) --@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) -+@@ -1317,7 +1336,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) - struct session_state *state = ssh->state; - int len, r, ms_remain; - fd_set *setp; -@@ -1035,19 +1088,6 @@ - - /* Minimum amount of data to read at a time */ - #define MIN_READ_SIZE 512 --diff --git a/ssh-keygen.c b/ssh-keygen.c --index cfb5f115..36a6e519 100644 ----- a/ssh-keygen.c --+++ b/ssh-keygen.c --@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device) -- freezero(pin, strlen(pin)); -- error_r(r, "Unable to load resident keys"); -- return -1; --- } --+ } -- if (nkeys == 0) -- logit("No keys to download"); -- if (pin != NULL) - diff --git a/ssh.c b/ssh.c - index 53330da5..27b9770e 100644 - --- a/ssh.c -@@ -1093,7 +1133,7 @@ - + else - + options.hpn_buffer_size = 2 * 1024 * 1024; - + --+ if (ssh->compat & SSH_BUG_LARGEWINDOW) { -++ if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) { - + debug("HPN to Non-HPN Connection"); - + } else { - + int sock, socksize; -@@ -1335,7 +1375,29 @@ - /* Bind the socket to the desired port. */ - if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) { - error("Bind to port %s on %s failed: %.200s.", --@@ -1727,6 +1734,19 @@ main(int ac, char **av) -+@@ -1625,13 +1632,14 @@ -+ if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg), -+ sshbuf_len(server_cfg)) != 0) -+ fatal_f("ssh_digest_update"); -+- len = ssh_digest_bytes(digest_alg); -+- hash = xmalloc(len); -+- if (ssh_digest_final(ctx, hash, len) != 0) -+- fatal_f("ssh_digest_final"); -+- options.timing_secret = PEEK_U64(hash); -+- freezero(hash, len); -+- ssh_digest_free(ctx); -++ if ((len = ssh_digest_bytes(digest_alg)) > 0) { -++ hash = xmalloc(len); -++ if (ssh_digest_final(ctx, hash, len) != 0) -++ fatal_f("ssh_digest_final"); -++ options.timing_secret = PEEK_U64(hash); -++ freezero(hash, len); -++ ssh_digest_free(ctx); -++ } -+ ctx = NULL; -+ return; -+ } -+@@ -1727,6 +1735,19 @@ main(int ac, char **av) - /* Fill in default values for those options not explicitly set. */ - fill_default_server_options(&options); - -@@ -1355,7 +1417,7 @@ - /* challenge-response is implemented via keyboard interactive */ - if (options.challenge_response_authentication) - options.kbd_interactive_authentication = 1; --@@ -2166,6 +2186,9 @@ main(int ac, char **av) -+@@ -2166,6 +2187,9 @@ main(int ac, char **av) - rdomain == NULL ? "" : "\""); - free(laddr); - -@@ -1365,7 +1427,7 @@ - /* - * We don't want to listen forever unless the other side - * successfully authenticates itself. So we set up an alarm which is --@@ -2343,6 +2366,12 @@ do_ssh2_kex(struct ssh *ssh) -+@@ -2343,6 +2367,12 @@ do_ssh2_kex(struct ssh *ssh) - struct kex *kex; - int r; - -@@ -1405,14 +1467,3 @@ - # Example of overriding settings on a per-user basis - #Match User anoncvs - # X11Forwarding no --diff --git a/version.h b/version.h --index 6b4fa372..332fb486 100644 ----- a/version.h --+++ b/version.h --@@ -3,4 +3,5 @@ -- #define SSH_VERSION "OpenSSH_8.5" -- -- #define SSH_PORTABLE "p1" ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE --+#define SSH_HPN "-hpn15v2" --+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN -diff -ur a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff ---- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-04-23 15:31:47.247434467 -0700 -+++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-04-23 15:32:29.808508608 -0700 -@@ -12,9 +12,9 @@ - static long stalled; /* how long we have been stalled */ - static int bytes_per_second; /* current speed in bytes per second */ - @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update) -+ off_t bytes_left; - int cur_speed; -- int hours, minutes, seconds; -- int file_len; -+ int len; - + off_t delta_pos; - - if ((!force_update && !alarm_fired && !win_resized) || !can_output()) -@@ -30,15 +30,17 @@ - if (bytes_left > 0) - elapsed = now - last_update; - else { --@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update) -- -+@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update) -+ buf[1] = '\0'; -+ - /* filename */ -- buf[0] = '\0'; --- file_len = win_size - 36; --+ file_len = win_size - 45; -- if (file_len > 0) { -- buf[0] = '\r'; -- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s", -+- if (win_size > 36) { -++ if (win_size > 45) { -+- int file_len = win_size - 36; -++ int file_len = win_size - 45; -+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ", -+ file_len, file); -+ } - @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update) - (off_t)bytes_per_second); - strlcat(buf, "/s ", win_size); -@@ -63,15 +65,3 @@ - } - - /*ARGSUSED*/ --diff --git a/ssh-keygen.c b/ssh-keygen.c --index cfb5f115..986ff59b 100644 ----- a/ssh-keygen.c --+++ b/ssh-keygen.c --@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device) -- -- if (skprovider == NULL) -- fatal("Cannot download keys without provider"); --- -- pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN); -- if (!quiet) { -- printf("You may need to touch your authenticator " diff --git a/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-glue.patch b/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-glue.patch deleted file mode 100644 index 30c0252ccb55..000000000000 --- a/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-glue.patch +++ /dev/null @@ -1,132 +0,0 @@ -diff --exclude '*.un~' -ubr a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff ---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-04-19 13:36:51.659996653 -0700 -+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-04-19 13:42:23.302377465 -0700 -@@ -536,18 +536,10 @@ - if (state->rekey_limit) - *max_blocks = MINIMUM(*max_blocks, - state->rekey_limit / enc->block_size); --@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode) -+@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode) - return 0; - } - --+/* this supports the forced rekeying required for the NONE cipher */ --+int rekey_requested = 0; --+void --+packet_request_rekeying(void) --+{ --+ rekey_requested = 1; --+} --+ - +/* used to determine if pre or post auth when rekeying for aes-ctr - + * and none cipher switch */ - +int -@@ -561,20 +553,6 @@ - #define MAX_PACKETS (1U<<31) - static int - ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) --@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) -- if (state->p_send.packets == 0 && state->p_read.packets == 0) -- return 0; -- --+ /* used to force rekeying when called for by the none --+ * cipher switch methods -cjr */ --+ if (rekey_requested == 1) { --+ rekey_requested = 0; --+ return 1; --+ } --+ -- /* Time-based rekeying */ -- if (state->rekey_interval != 0 && -- (int64_t)state->rekey_time + state->rekey_interval <= monotime()) - @@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) - struct session_state *state = ssh->state; - int len, r, ms_remain; -@@ -598,12 +576,11 @@ - }; - - typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *, --@@ -155,6 +158,10 @@ int ssh_packet_inc_alive_timeouts(struct ssh *); -+@@ -155,6 +158,9 @@ int ssh_packet_inc_alive_timeouts(struct ssh *); - int ssh_packet_set_maxsize(struct ssh *, u_int); - u_int ssh_packet_get_maxsize(struct ssh *); - - +/* for forced packet rekeying post auth */ --+void packet_request_rekeying(void); - +int packet_authentication_state(const struct ssh *); - + - int ssh_packet_get_state(struct ssh *, struct sshbuf *); -@@ -627,9 +604,9 @@ - oLocalCommand, oPermitLocalCommand, oRemoteCommand, - + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize, - + oNoneEnabled, oNoneMacEnabled, oNoneSwitch, -+ oDisableMTAES, - oVisualHostKey, - oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass, -- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, - @@ -297,6 +300,9 @@ static struct { - { "kexalgorithms", oKexAlgorithms }, - { "ipqos", oIPQoS }, -@@ -778,9 +755,9 @@ - int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */ - SyslogFacility log_facility; /* Facility for system logging. */ - @@ -120,7 +124,11 @@ typedef struct { -- - int enable_ssh_keysign; - int64_t rekey_limit; -+ int disable_multithreaded; /*disable multithreaded aes-ctr*/ - + int none_switch; /* Use none cipher */ - + int none_enabled; /* Allow none cipher to be used */ - + int nonemac_enabled; /* Allow none MAC to be used */ -@@ -842,9 +819,9 @@ - /* Portable-specific options */ - if (options->use_pam == -1) - @@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options) -- } -- if (options->permit_tun == -1) - options->permit_tun = SSH_TUNMODE_NO; -+ if (options->disable_multithreaded == -1) -+ options->disable_multithreaded = 0; - + if (options->none_enabled == -1) - + options->none_enabled = 0; - + if (options->nonemac_enabled == -1) -@@ -1047,17 +1024,17 @@ - Note that - diff --git a/sftp.c b/sftp.c - index fb3c08d1..89bebbb2 100644 ----- a/sftp.c --+++ b/sftp.c --@@ -71,7 +71,7 @@ typedef void EditLine; -- #include "sftp-client.h" -- -- #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */ ---#define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */ --+#define DEFAULT_NUM_REQUESTS 256 /* # concurrent outstanding requests */ -+--- a/sftp-client.c -++++ b/sftp-client.c -+@@ -65,7 +65,7 @@ typedef void EditLine; -+ #define DEFAULT_COPY_BUFLEN 32768 -+ -+ /* Default number of concurrent outstanding requests */ -+-#define DEFAULT_NUM_REQUESTS 64 -++#define DEFAULT_NUM_REQUESTS 256 - -- /* File to read commands from */ -- FILE* infile; -+ /* Minimum amount of data to read at a time */ -+ #define MIN_READ_SIZE 512 - diff --git a/ssh-keygen.c b/ssh-keygen.c - index cfb5f115..36a6e519 100644 - --- a/ssh-keygen.c -@@ -1330,9 +1307,9 @@ - + } - + } - + -- debug("Authentication succeeded (%s).", authctxt.method->name); -- } - -+ #ifdef WITH_OPENSSL -+ if (options.disable_multithreaded == 0) { - diff --git a/sshd.c b/sshd.c - index 6277e6d6..d66fa41a 100644 - --- a/sshd.c diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml index 58ff739e1d4c..f23eae1e1222 100644 --- a/net-misc/openssh/metadata.xml +++ b/net-misc/openssh/metadata.xml @@ -20,7 +20,6 @@ the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign, ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0. - Disable EC/RC5 algorithms in OpenSSL for patent reasons. Enable scp command with known security problems. See bug 733802 Enable high performance ssh Use LDNS for DNSSEC/SSHFP validation. diff --git a/net-misc/openssh/openssh-8.6_p1-r2.ebuild b/net-misc/openssh/openssh-8.6_p1-r2.ebuild deleted file mode 100644 index f896a51951ac..000000000000 --- a/net-misc/openssh/openssh-8.6_p1-r2.ebuild +++ /dev/null @@ -1,515 +0,0 @@ -# Copyright 1999-2021 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=7 - -inherit user-info flag-o-matic autotools pam systemd toolchain-funcs - -# Make it more portable between straight releases -# and _p? releases. -PARCH=${P/_} - -# PV to USE for HPN patches -#HPN_PV="${PV^^}" -HPN_PV="8.5_P1" - -HPN_VER="15.2" -HPN_PATCHES=( - ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff - ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff - ${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff -) - -SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz" -X509_VER="13.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" - -DESCRIPTION="Port of OpenBSD's free SSH release" -HOMEPAGE="https://www.openssh.com/" -SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz - ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )} - ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )} - ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} -" -S="${WORKDIR}/${PARCH}" - -LICENSE="BSD GPL-2" -SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" -# Probably want to drop ssl defaulting to on in a future version. -IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss" - -RESTRICT="!test? ( test )" - -REQUIRED_USE=" - ldns? ( ssl ) - pie? ( !static ) - static? ( !kerberos !pam ) - X509? ( !sctp !security-key ssl !xmss ) - xmss? ( ssl ) - test? ( ssl ) -" - -# tests currently fail with XMSS -REQUIRED_USE+="test? ( !xmss )" - -LIB_DEPEND=" - audit? ( sys-process/audit[static-libs(+)] ) - ldns? ( - net-libs/ldns[static-libs(+)] - !bindist? ( net-libs/ldns[ecdsa,ssl(+)] ) - bindist? ( net-libs/ldns[-ecdsa,ssl(+)] ) - ) - libedit? ( dev-libs/libedit:=[static-libs(+)] ) - sctp? ( net-misc/lksctp-tools[static-libs(+)] ) - security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] ) - selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) - ssl? ( - || ( - ( - >=dev-libs/openssl-1.0.1:0[bindist(-)=] - =dev-libs/openssl-1.1.0g:0[bindist(-)=] - ) - dev-libs/openssl:0=[static-libs(+)] - ) - virtual/libcrypt:=[static-libs(+)] - >=sys-libs/zlib-1.2.3:=[static-libs(+)] -" -RDEPEND=" - acct-group/sshd - acct-user/sshd - !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) - pam? ( sys-libs/pam ) - kerberos? ( virtual/krb5 ) -" -DEPEND="${RDEPEND} - virtual/os-headers - kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) ) - static? ( ${LIB_DEPEND} ) -" -RDEPEND="${RDEPEND} - pam? ( >=sys-auth/pambase-20081028 ) - userland_GNU? ( !prefix? ( sys-apps/shadow ) ) - X? ( x11-apps/xauth ) -" -BDEPEND=" - virtual/pkgconfig - sys-devel/autoconf -" - -pkg_pretend() { - # this sucks, but i'd rather have people unable to `emerge -u openssh` - # than not be able to log in to their server any more - maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; } - local fail=" - $(use hpn && maybe_fail hpn HPN_VER) - $(use sctp && maybe_fail sctp SCTP_PATCH) - $(use X509 && maybe_fail X509 X509_PATCH) - " - fail=$(echo ${fail}) - if [[ -n ${fail} ]] ; then - eerror "Sorry, but this version does not yet support features" - eerror "that you requested: ${fail}" - eerror "Please mask ${PF} for now and check back later:" - eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" - die "Missing requested third party patch." - fi - - # Make sure people who are using tcp wrappers are notified of its removal. #531156 - if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then - ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" - ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please." - fi -} - -src_prepare() { - sed -i \ - -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ - pathnames.h || die - - # don't break .ssh/authorized_keys2 for fun - sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die - - eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch - eapply "${FILESDIR}"/${PN}-8.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex - eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch - eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch - eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch - eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch - - # workaround for https://bugs.gentoo.org/734984 - use X509 || eapply "${FILESDIR}"/${PN}-8.3_p1-sha2-include.patch - - [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches - - local PATCHSET_VERSION_MACROS=() - - if use X509 ; then - pushd "${WORKDIR}" &>/dev/null || die - eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch" - popd &>/dev/null || die - - eapply "${WORKDIR}"/${X509_PATCH%.*} - - # We need to patch package version or any X.509 sshd will reject our ssh client - # with "userauth_pubkey: could not parse key: string is too large [preauth]" - # error - einfo "Patching package version for X.509 patch set ..." - sed -i \ - -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \ - "${S}"/configure.ac || die "Failed to patch package version for X.509 patch" - - einfo "Patching version.h to expose X.509 patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \ - "${S}"/version.h || die "Failed to sed-in X.509 patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_X509' ) - fi - - if use sctp ; then - eapply "${WORKDIR}"/${SCTP_PATCH%.*} - - einfo "Patching version.h to expose SCTP patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \ - "${S}"/version.h || die "Failed to sed-in SCTP patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' ) - - einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..." - sed -i \ - -e "/\t\tcfgparse \\\/d" \ - "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch" - fi - - if use hpn ; then - local hpn_patchdir="${T}/${P}-hpn${HPN_VER}" - mkdir "${hpn_patchdir}" || die - cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die - pushd "${hpn_patchdir}" &>/dev/null || die - eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch - use X509 && eapply "${FILESDIR}"/${PN}-8.6_p1-hpn-${HPN_VER}-X509-glue.patch - use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch - popd &>/dev/null || die - - eapply "${hpn_patchdir}" - - use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch" - - einfo "Patching Makefile.in for HPN patch set ..." - sed -i \ - -e "/^LIBS=/ s/\$/ -lpthread/" \ - "${S}"/Makefile.in || die "Failed to patch Makefile.in" - - einfo "Patching version.h to expose HPN patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \ - "${S}"/version.h || die "Failed to sed-in HPN patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_HPN' ) - - if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then - einfo "Disabling known non-working MT AES cipher per default ..." - - cat > "${T}"/disable_mtaes.conf <<- EOF - - # HPN's Multi-Threaded AES CTR cipher is currently known to be broken - # and therefore disabled per default. - DisableMTAES yes - EOF - sed -i \ - -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \ - "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config" - - sed -i \ - -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \ - "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config" - fi - fi - - if use X509 || use sctp || use hpn ; then - einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..." - sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)" - - einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..." - sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)" - - einfo "Patching version.h to add our patch sets to SSH_RELEASE ..." - sed -i \ - -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \ - "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)" - fi - - sed -i \ - -e "/#UseLogin no/d" \ - "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)" - - eapply_user #473004 - - # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox - sed -e '/\t\tpercent \\/ d' \ - -i regress/Makefile || die - - tc-export PKG_CONFIG - local sed_args=( - -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" - # Disable PATH reset, trust what portage gives us #254615 - -e 's:^PATH=/:#PATH=/:' - # Disable fortify flags ... our gcc does this for us - -e 's:-D_FORTIFY_SOURCE=2::' - ) - - # The -ftrapv flag ICEs on hppa #505182 - use hppa && sed_args+=( - -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' - -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' - ) - # _XOPEN_SOURCE causes header conflicts on Solaris - [[ ${CHOST} == *-solaris* ]] && sed_args+=( - -e 's/-D_XOPEN_SOURCE//' - ) - sed -i "${sed_args[@]}" configure{.ac,} || die - - eautoreconf -} - -src_configure() { - addwrite /dev/ptmx - - use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG - use static && append-ldflags -static - use xmss && append-cflags -DWITH_XMSS - - if [[ ${CHOST} == *-solaris* ]] ; then - # Solaris' glob.h doesn't have things like GLOB_TILDE, configure - # doesn't check for this, so force the replacement to be put in - # place - append-cppflags -DBROKEN_GLOB - fi - - # use replacement, RPF_ECHO_ON doesn't exist here - [[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no - - local myconf=( - --with-ldflags="${LDFLAGS}" - --disable-strip - --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run - --sysconfdir="${EPREFIX}"/etc/ssh - --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc - --datadir="${EPREFIX}"/usr/share/openssh - --with-privsep-path="${EPREFIX}"/var/empty - --with-privsep-user=sshd - $(use_with audit audit linux) - $(use_with kerberos kerberos5 "${EPREFIX}"/usr) - # We apply the sctp patch conditionally, so can't pass --without-sctp - # unconditionally else we get unknown flag warnings. - $(use sctp && use_with sctp) - $(use_with ldns ldns "${EPREFIX}"/usr) - $(use_with libedit) - $(use_with pam) - $(use_with pie) - $(use_with selinux) - $(usex X509 '' "$(use_with security-key security-key-builtin)") - $(use_with ssl openssl) - $(use_with ssl md5-passwords) - $(use_with ssl ssl-engine) - $(use_with !elibc_Cygwin hardening) #659210 - ) - - if use elibc_musl; then - # stackprotect is broken on musl x86 and ppc - if use x86 || use ppc; then - myconf+=( --without-stackprotect ) - fi - - # musl defines bogus values for UTMP_FILE and WTMP_FILE - # https://bugs.gentoo.org/753230 - myconf+=( --disable-utmp --disable-wtmp ) - fi - - # The seccomp sandbox is broken on x32, so use the older method for now. #553748 - use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit ) - - econf "${myconf[@]}" -} - -src_test() { - local t skipped=() failed=() passed=() - local tests=( interop-tests compat-tests ) - - local shell=$(egetshell "${UID}") - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then - elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" - elog "user, so we will run a subset only." - skipped+=( tests ) - else - tests+=( tests ) - fi - - # It will also attempt to write to the homedir .ssh. - local sshhome=${T}/homedir - mkdir -p "${sshhome}"/.ssh - for t in "${tests[@]}" ; do - # Some tests read from stdin ... - HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \ - SUDO="" SSH_SK_PROVIDER="" \ - TEST_SSH_UNSAFE_PERMISSIONS=1 \ - emake -k -j1 ${t} > "${ED}"/etc/ssh/sshd_config - - # Allow client to pass locale environment variables. #367017 - AcceptEnv ${locale_vars[*]} - - # Allow client to pass COLORTERM to match TERM. #658540 - AcceptEnv COLORTERM - EOF - - # Then the client config. - cat <<-EOF >> "${ED}"/etc/ssh/ssh_config - - # Send locale environment variables. #367017 - SendEnv ${locale_vars[*]} - - # Send COLORTERM to match TERM. #658540 - SendEnv COLORTERM - EOF - - if use pam ; then - sed -i \ - -e "/^#UsePAM /s:.*:UsePAM yes:" \ - -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ - -e "/^#PrintMotd /s:.*:PrintMotd no:" \ - -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ - "${ED}"/etc/ssh/sshd_config || die - fi - - if use livecd ; then - sed -i \ - -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \ - "${ED}"/etc/ssh/sshd_config || die - fi -} - -src_install() { - emake install-nokeys DESTDIR="${D}" - fperms 600 /etc/ssh/sshd_config - dobin contrib/ssh-copy-id - newinitd "${FILESDIR}"/sshd-r1.initd sshd - newconfd "${FILESDIR}"/sshd-r1.confd sshd - - if use pam; then - newpamd "${FILESDIR}"/sshd.pam_include.2 sshd - fi - - tweak_ssh_configs - - doman contrib/ssh-copy-id.1 - dodoc CREDITS OVERVIEW README* TODO sshd_config - use hpn && dodoc HPN-README - use X509 || dodoc ChangeLog - - diropts -m 0700 - dodir /etc/skel/.ssh - - # https://bugs.gentoo.org/733802 - if ! use scp; then - rm -f "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \ - || die "failed to remove scp" - fi - - rmdir "${ED}"/var/empty || die - - systemd_dounit "${FILESDIR}"/sshd.{service,socket} - systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' -} - -pkg_preinst() { - if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then - show_ssl_warning=1 - fi -} - -pkg_postinst() { - local old_ver - for old_ver in ${REPLACING_VERSIONS}; do - if ver_test "${old_ver}" -lt "5.8_p1"; then - elog "Starting with openssh-5.8p1, the server will default to a newer key" - elog "algorithm (ECDSA). You are encouraged to manually update your stored" - elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." - fi - if ver_test "${old_ver}" -lt "7.0_p1"; then - elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." - elog "Make sure to update any configs that you might have. Note that xinetd might" - elog "be an alternative for you as it supports USE=tcpd." - fi - if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518 - elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" - elog "weak sizes. If you rely on these key types, you can re-enable the key types by" - elog "adding to your sshd_config or ~/.ssh/config files:" - elog " PubkeyAcceptedKeyTypes=+ssh-dss" - elog "You should however generate new keys using rsa or ed25519." - - elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" - elog "to 'prohibit-password'. That means password auth for root users no longer works" - elog "out of the box. If you need this, please update your sshd_config explicitly." - fi - if ver_test "${old_ver}" -lt "7.6_p1"; then - elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely." - elog "Furthermore, rsa keys with less than 1024 bits will be refused." - fi - if ver_test "${old_ver}" -lt "7.7_p1"; then - elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality." - elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option" - elog "if you need to authenticate against LDAP." - elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details." - fi - if ver_test "${old_ver}" -lt "8.2_p1"; then - ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you" - ewarn "will not be able to establish new sessions. Restarting sshd over a ssh" - ewarn "connection is generally safe." - fi - done - - if [[ -n ${show_ssl_warning} ]]; then - elog "Be aware that by disabling openssl support in openssh, the server and clients" - elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" - elog "and update all clients/servers that utilize them." - fi - - if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then - elog "" - elog "HPN's multi-threaded AES CTR cipher is currently known to be broken" - elog "and therefore disabled at runtime per default." - elog "Make sure your sshd_config is up to date and contains" - elog "" - elog " DisableMTAES yes" - elog "" - elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher." - elog "" - fi -} diff --git a/net-misc/openssh/openssh-8.7_p1-r2.ebuild b/net-misc/openssh/openssh-8.7_p1-r2.ebuild deleted file mode 100644 index c44fb1a6f829..000000000000 --- a/net-misc/openssh/openssh-8.7_p1-r2.ebuild +++ /dev/null @@ -1,513 +0,0 @@ -# Copyright 1999-2021 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=7 - -inherit user-info flag-o-matic autotools pam systemd toolchain-funcs - -# Make it more portable between straight releases -# and _p? releases. -PARCH=${P/_} - -# PV to USE for HPN patches -#HPN_PV="${PV^^}" -HPN_PV="8.5_P1" - -HPN_VER="15.2" -HPN_PATCHES=( - ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff - ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff - ${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff -) - -SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz" -X509_VER="13.2.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" - -DESCRIPTION="Port of OpenBSD's free SSH release" -HOMEPAGE="https://www.openssh.com/" -SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz - ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )} - ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )} - ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} -" -S="${WORKDIR}/${PARCH}" - -LICENSE="BSD GPL-2" -SLOT="0" -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" -# Probably want to drop ssl defaulting to on in a future version. -IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss" - -RESTRICT="!test? ( test )" - -REQUIRED_USE=" - hpn? ( ssl ) - ldns? ( ssl ) - pie? ( !static ) - static? ( !kerberos !pam ) - X509? ( !sctp ssl !xmss ) - xmss? ( ssl ) - test? ( ssl ) -" - -# tests currently fail with XMSS -REQUIRED_USE+="test? ( !xmss )" - -LIB_DEPEND=" - audit? ( sys-process/audit[static-libs(+)] ) - ldns? ( - net-libs/ldns[static-libs(+)] - !bindist? ( net-libs/ldns[ecdsa,ssl(+)] ) - bindist? ( net-libs/ldns[-ecdsa,ssl(+)] ) - ) - libedit? ( dev-libs/libedit:=[static-libs(+)] ) - sctp? ( net-misc/lksctp-tools[static-libs(+)] ) - security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] ) - selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) - ssl? ( - || ( - ( - >=dev-libs/openssl-1.0.1:0[bindist(-)=] - =dev-libs/openssl-1.1.0g:0[bindist(-)=] - ) - dev-libs/openssl:0=[static-libs(+)] - ) - virtual/libcrypt:=[static-libs(+)] - >=sys-libs/zlib-1.2.3:=[static-libs(+)] -" -RDEPEND=" - acct-group/sshd - acct-user/sshd - !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) - pam? ( sys-libs/pam ) - kerberos? ( virtual/krb5 ) -" -DEPEND="${RDEPEND} - virtual/os-headers - kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) ) - static? ( ${LIB_DEPEND} ) -" -RDEPEND="${RDEPEND} - pam? ( >=sys-auth/pambase-20081028 ) - userland_GNU? ( !prefix? ( sys-apps/shadow ) ) - X? ( x11-apps/xauth ) -" -BDEPEND=" - virtual/pkgconfig - sys-devel/autoconf -" - -pkg_pretend() { - # this sucks, but i'd rather have people unable to `emerge -u openssh` - # than not be able to log in to their server any more - maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; } - local fail=" - $(use hpn && maybe_fail hpn HPN_VER) - $(use sctp && maybe_fail sctp SCTP_PATCH) - $(use X509 && maybe_fail X509 X509_PATCH) - " - fail=$(echo ${fail}) - if [[ -n ${fail} ]] ; then - eerror "Sorry, but this version does not yet support features" - eerror "that you requested: ${fail}" - eerror "Please mask ${PF} for now and check back later:" - eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" - die "Missing requested third party patch." - fi - - # Make sure people who are using tcp wrappers are notified of its removal. #531156 - if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then - ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" - ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please." - fi -} - -src_prepare() { - sed -i \ - -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ - pathnames.h || die - - # don't break .ssh/authorized_keys2 for fun - sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die - - eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch - eapply "${FILESDIR}"/${PN}-8.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex - eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch - eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch - eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch - eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch - - [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches - - local PATCHSET_VERSION_MACROS=() - - if use X509 ; then - pushd "${WORKDIR}" &>/dev/null || die - eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch" - popd &>/dev/null || die - - eapply "${WORKDIR}"/${X509_PATCH%.*} - - # We need to patch package version or any X.509 sshd will reject our ssh client - # with "userauth_pubkey: could not parse key: string is too large [preauth]" - # error - einfo "Patching package version for X.509 patch set ..." - sed -i \ - -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \ - "${S}"/configure.ac || die "Failed to patch package version for X.509 patch" - - einfo "Patching version.h to expose X.509 patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \ - "${S}"/version.h || die "Failed to sed-in X.509 patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_X509' ) - fi - - if use sctp ; then - eapply "${WORKDIR}"/${SCTP_PATCH%.*} - - einfo "Patching version.h to expose SCTP patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \ - "${S}"/version.h || die "Failed to sed-in SCTP patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' ) - - einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..." - sed -i \ - -e "/\t\tcfgparse \\\/d" \ - "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch" - fi - - if use hpn ; then - local hpn_patchdir="${T}/${P}-hpn${HPN_VER}" - mkdir "${hpn_patchdir}" || die - cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die - pushd "${hpn_patchdir}" &>/dev/null || die - eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch - use X509 && eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-X509-glue.patch - use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch - popd &>/dev/null || die - - eapply "${hpn_patchdir}" - - use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch" - - einfo "Patching Makefile.in for HPN patch set ..." - sed -i \ - -e "/^LIBS=/ s/\$/ -lpthread/" \ - "${S}"/Makefile.in || die "Failed to patch Makefile.in" - - einfo "Patching version.h to expose HPN patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \ - "${S}"/version.h || die "Failed to sed-in HPN patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_HPN' ) - - if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then - einfo "Disabling known non-working MT AES cipher per default ..." - - cat > "${T}"/disable_mtaes.conf <<- EOF - - # HPN's Multi-Threaded AES CTR cipher is currently known to be broken - # and therefore disabled per default. - DisableMTAES yes - EOF - sed -i \ - -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \ - "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config" - - sed -i \ - -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \ - "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config" - fi - fi - - if use X509 || use sctp || use hpn ; then - einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..." - sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)" - - einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..." - sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)" - - einfo "Patching version.h to add our patch sets to SSH_RELEASE ..." - sed -i \ - -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \ - "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)" - fi - - sed -i \ - -e "/#UseLogin no/d" \ - "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)" - - eapply_user #473004 - - # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox - sed -e '/\t\tpercent \\/ d' \ - -i regress/Makefile || die - - tc-export PKG_CONFIG - local sed_args=( - -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" - # Disable PATH reset, trust what portage gives us #254615 - -e 's:^PATH=/:#PATH=/:' - # Disable fortify flags ... our gcc does this for us - -e 's:-D_FORTIFY_SOURCE=2::' - ) - - # The -ftrapv flag ICEs on hppa #505182 - use hppa && sed_args+=( - -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' - -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' - ) - # _XOPEN_SOURCE causes header conflicts on Solaris - [[ ${CHOST} == *-solaris* ]] && sed_args+=( - -e 's/-D_XOPEN_SOURCE//' - ) - sed -i "${sed_args[@]}" configure{.ac,} || die - - eautoreconf -} - -src_configure() { - addwrite /dev/ptmx - - use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG - use static && append-ldflags -static - use xmss && append-cflags -DWITH_XMSS - - if [[ ${CHOST} == *-solaris* ]] ; then - # Solaris' glob.h doesn't have things like GLOB_TILDE, configure - # doesn't check for this, so force the replacement to be put in - # place - append-cppflags -DBROKEN_GLOB - fi - - # use replacement, RPF_ECHO_ON doesn't exist here - [[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no - - local myconf=( - --with-ldflags="${LDFLAGS}" - --disable-strip - --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run - --sysconfdir="${EPREFIX}"/etc/ssh - --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc - --datadir="${EPREFIX}"/usr/share/openssh - --with-privsep-path="${EPREFIX}"/var/empty - --with-privsep-user=sshd - $(use_with audit audit linux) - $(use_with kerberos kerberos5 "${EPREFIX}"/usr) - # We apply the sctp patch conditionally, so can't pass --without-sctp - # unconditionally else we get unknown flag warnings. - $(use sctp && use_with sctp) - $(use_with ldns ldns "${EPREFIX}"/usr) - $(use_with libedit) - $(use_with pam) - $(use_with pie) - $(use_with selinux) - $(usex X509 '' "$(use_with security-key security-key-builtin)") - $(use_with ssl openssl) - $(use_with ssl md5-passwords) - $(use_with ssl ssl-engine) - $(use_with !elibc_Cygwin hardening) #659210 - ) - - if use elibc_musl; then - # stackprotect is broken on musl x86 and ppc - if use x86 || use ppc; then - myconf+=( --without-stackprotect ) - fi - - # musl defines bogus values for UTMP_FILE and WTMP_FILE - # https://bugs.gentoo.org/753230 - myconf+=( --disable-utmp --disable-wtmp ) - fi - - # The seccomp sandbox is broken on x32, so use the older method for now. #553748 - use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit ) - - econf "${myconf[@]}" -} - -src_test() { - local t skipped=() failed=() passed=() - local tests=( interop-tests compat-tests ) - - local shell=$(egetshell "${UID}") - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then - elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" - elog "user, so we will run a subset only." - skipped+=( tests ) - else - tests+=( tests ) - fi - - # It will also attempt to write to the homedir .ssh. - local sshhome=${T}/homedir - mkdir -p "${sshhome}"/.ssh - for t in "${tests[@]}" ; do - # Some tests read from stdin ... - HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \ - SUDO="" SSH_SK_PROVIDER="" \ - TEST_SSH_UNSAFE_PERMISSIONS=1 \ - emake -k -j1 ${t} > "${ED}"/etc/ssh/sshd_config - - # Allow client to pass locale environment variables. #367017 - AcceptEnv ${locale_vars[*]} - - # Allow client to pass COLORTERM to match TERM. #658540 - AcceptEnv COLORTERM - EOF - - # Then the client config. - cat <<-EOF >> "${ED}"/etc/ssh/ssh_config - - # Send locale environment variables. #367017 - SendEnv ${locale_vars[*]} - - # Send COLORTERM to match TERM. #658540 - SendEnv COLORTERM - EOF - - if use pam ; then - sed -i \ - -e "/^#UsePAM /s:.*:UsePAM yes:" \ - -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ - -e "/^#PrintMotd /s:.*:PrintMotd no:" \ - -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ - "${ED}"/etc/ssh/sshd_config || die - fi - - if use livecd ; then - sed -i \ - -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \ - "${ED}"/etc/ssh/sshd_config || die - fi -} - -src_install() { - emake install-nokeys DESTDIR="${D}" - fperms 600 /etc/ssh/sshd_config - dobin contrib/ssh-copy-id - newinitd "${FILESDIR}"/sshd-r1.initd sshd - newconfd "${FILESDIR}"/sshd-r1.confd sshd - - if use pam; then - newpamd "${FILESDIR}"/sshd.pam_include.2 sshd - fi - - tweak_ssh_configs - - doman contrib/ssh-copy-id.1 - dodoc CREDITS OVERVIEW README* TODO sshd_config - use hpn && dodoc HPN-README - use X509 || dodoc ChangeLog - - diropts -m 0700 - dodir /etc/skel/.ssh - - # https://bugs.gentoo.org/733802 - if ! use scp; then - rm -f "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \ - || die "failed to remove scp" - fi - - rmdir "${ED}"/var/empty || die - - systemd_dounit "${FILESDIR}"/sshd.{service,socket} - systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' -} - -pkg_preinst() { - if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then - show_ssl_warning=1 - fi -} - -pkg_postinst() { - local old_ver - for old_ver in ${REPLACING_VERSIONS}; do - if ver_test "${old_ver}" -lt "5.8_p1"; then - elog "Starting with openssh-5.8p1, the server will default to a newer key" - elog "algorithm (ECDSA). You are encouraged to manually update your stored" - elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." - fi - if ver_test "${old_ver}" -lt "7.0_p1"; then - elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." - elog "Make sure to update any configs that you might have. Note that xinetd might" - elog "be an alternative for you as it supports USE=tcpd." - fi - if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518 - elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" - elog "weak sizes. If you rely on these key types, you can re-enable the key types by" - elog "adding to your sshd_config or ~/.ssh/config files:" - elog " PubkeyAcceptedKeyTypes=+ssh-dss" - elog "You should however generate new keys using rsa or ed25519." - - elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" - elog "to 'prohibit-password'. That means password auth for root users no longer works" - elog "out of the box. If you need this, please update your sshd_config explicitly." - fi - if ver_test "${old_ver}" -lt "7.6_p1"; then - elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely." - elog "Furthermore, rsa keys with less than 1024 bits will be refused." - fi - if ver_test "${old_ver}" -lt "7.7_p1"; then - elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality." - elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option" - elog "if you need to authenticate against LDAP." - elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details." - fi - if ver_test "${old_ver}" -lt "8.2_p1"; then - ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you" - ewarn "will not be able to establish new sessions. Restarting sshd over a ssh" - ewarn "connection is generally safe." - fi - done - - if [[ -n ${show_ssl_warning} ]]; then - elog "Be aware that by disabling openssl support in openssh, the server and clients" - elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" - elog "and update all clients/servers that utilize them." - fi - - if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then - elog "" - elog "HPN's multi-threaded AES CTR cipher is currently known to be broken" - elog "and therefore disabled at runtime per default." - elog "Make sure your sshd_config is up to date and contains" - elog "" - elog " DisableMTAES yes" - elog "" - elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher." - elog "" - fi -} diff --git a/net-misc/openssh/openssh-8.7_p1-r3.ebuild b/net-misc/openssh/openssh-8.7_p1-r3.ebuild deleted file mode 100644 index 488f832c164c..000000000000 --- a/net-misc/openssh/openssh-8.7_p1-r3.ebuild +++ /dev/null @@ -1,498 +0,0 @@ -# Copyright 1999-2021 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=7 - -inherit user-info flag-o-matic autotools pam systemd toolchain-funcs - -# Make it more portable between straight releases -# and _p? releases. -PARCH=${P/_} - -# PV to USE for HPN patches -#HPN_PV="${PV^^}" -HPN_PV="8.5_P1" - -HPN_VER="15.2" -HPN_PATCHES=( - ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff - ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff - ${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff -) - -SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz" -X509_VER="13.2.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" - -DESCRIPTION="Port of OpenBSD's free SSH release" -HOMEPAGE="https://www.openssh.com/" -SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz - ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )} - ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )} - ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} -" -S="${WORKDIR}/${PARCH}" - -LICENSE="BSD GPL-2" -SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" -# Probably want to drop ssl defaulting to on in a future version. -IUSE="abi_mips_n32 audit debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss" - -RESTRICT="!test? ( test )" - -REQUIRED_USE=" - hpn? ( ssl ) - ldns? ( ssl ) - pie? ( !static ) - static? ( !kerberos !pam ) - X509? ( !sctp ssl !xmss ) - xmss? ( ssl ) - test? ( ssl ) -" - -# tests currently fail with XMSS -REQUIRED_USE+="test? ( !xmss )" - -LIB_DEPEND=" - audit? ( sys-process/audit[static-libs(+)] ) - ldns? ( - net-libs/ldns[static-libs(+)] - net-libs/ldns[ecdsa,ssl(+)] - ) - libedit? ( dev-libs/libedit:=[static-libs(+)] ) - sctp? ( net-misc/lksctp-tools[static-libs(+)] ) - security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] ) - selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) - ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] ) - virtual/libcrypt:=[static-libs(+)] - >=sys-libs/zlib-1.2.3:=[static-libs(+)] -" -RDEPEND=" - acct-group/sshd - acct-user/sshd - !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) - pam? ( sys-libs/pam ) - kerberos? ( virtual/krb5 ) -" -DEPEND="${RDEPEND} - virtual/os-headers - kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) ) - static? ( ${LIB_DEPEND} ) -" -RDEPEND="${RDEPEND} - pam? ( >=sys-auth/pambase-20081028 ) - userland_GNU? ( !prefix? ( sys-apps/shadow ) ) - X? ( x11-apps/xauth ) -" -BDEPEND=" - virtual/pkgconfig - sys-devel/autoconf -" - -pkg_pretend() { - # this sucks, but i'd rather have people unable to `emerge -u openssh` - # than not be able to log in to their server any more - maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; } - local fail=" - $(use hpn && maybe_fail hpn HPN_VER) - $(use sctp && maybe_fail sctp SCTP_PATCH) - $(use X509 && maybe_fail X509 X509_PATCH) - " - fail=$(echo ${fail}) - if [[ -n ${fail} ]] ; then - eerror "Sorry, but this version does not yet support features" - eerror "that you requested: ${fail}" - eerror "Please mask ${PF} for now and check back later:" - eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" - die "Missing requested third party patch." - fi - - # Make sure people who are using tcp wrappers are notified of its removal. #531156 - if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then - ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" - ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please." - fi -} - -src_prepare() { - sed -i \ - -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ - pathnames.h || die - - # don't break .ssh/authorized_keys2 for fun - sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die - - eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch - eapply "${FILESDIR}"/${PN}-8.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex - eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch - eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch - eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch - eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch - - [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches - - local PATCHSET_VERSION_MACROS=() - - if use X509 ; then - pushd "${WORKDIR}" &>/dev/null || die - eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch" - popd &>/dev/null || die - - eapply "${WORKDIR}"/${X509_PATCH%.*} - - # We need to patch package version or any X.509 sshd will reject our ssh client - # with "userauth_pubkey: could not parse key: string is too large [preauth]" - # error - einfo "Patching package version for X.509 patch set ..." - sed -i \ - -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \ - "${S}"/configure.ac || die "Failed to patch package version for X.509 patch" - - einfo "Patching version.h to expose X.509 patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \ - "${S}"/version.h || die "Failed to sed-in X.509 patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_X509' ) - fi - - if use sctp ; then - eapply "${WORKDIR}"/${SCTP_PATCH%.*} - - einfo "Patching version.h to expose SCTP patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \ - "${S}"/version.h || die "Failed to sed-in SCTP patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' ) - - einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..." - sed -i \ - -e "/\t\tcfgparse \\\/d" \ - "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch" - fi - - if use hpn ; then - local hpn_patchdir="${T}/${P}-hpn${HPN_VER}" - mkdir "${hpn_patchdir}" || die - cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die - pushd "${hpn_patchdir}" &>/dev/null || die - eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch - use X509 && eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-X509-glue.patch - use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch - popd &>/dev/null || die - - eapply "${hpn_patchdir}" - - use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch" - - einfo "Patching Makefile.in for HPN patch set ..." - sed -i \ - -e "/^LIBS=/ s/\$/ -lpthread/" \ - "${S}"/Makefile.in || die "Failed to patch Makefile.in" - - einfo "Patching version.h to expose HPN patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \ - "${S}"/version.h || die "Failed to sed-in HPN patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_HPN' ) - - if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then - einfo "Disabling known non-working MT AES cipher per default ..." - - cat > "${T}"/disable_mtaes.conf <<- EOF - - # HPN's Multi-Threaded AES CTR cipher is currently known to be broken - # and therefore disabled per default. - DisableMTAES yes - EOF - sed -i \ - -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \ - "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config" - - sed -i \ - -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \ - "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config" - fi - fi - - if use X509 || use sctp || use hpn ; then - einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..." - sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)" - - einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..." - sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)" - - einfo "Patching version.h to add our patch sets to SSH_RELEASE ..." - sed -i \ - -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \ - "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)" - fi - - sed -i \ - -e "/#UseLogin no/d" \ - "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)" - - eapply_user #473004 - - # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox - sed -e '/\t\tpercent \\/ d' \ - -i regress/Makefile || die - - tc-export PKG_CONFIG - local sed_args=( - -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" - # Disable PATH reset, trust what portage gives us #254615 - -e 's:^PATH=/:#PATH=/:' - # Disable fortify flags ... our gcc does this for us - -e 's:-D_FORTIFY_SOURCE=2::' - ) - - # The -ftrapv flag ICEs on hppa #505182 - use hppa && sed_args+=( - -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' - -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' - ) - # _XOPEN_SOURCE causes header conflicts on Solaris - [[ ${CHOST} == *-solaris* ]] && sed_args+=( - -e 's/-D_XOPEN_SOURCE//' - ) - sed -i "${sed_args[@]}" configure{.ac,} || die - - eautoreconf -} - -src_configure() { - addwrite /dev/ptmx - - use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG - use static && append-ldflags -static - use xmss && append-cflags -DWITH_XMSS - - if [[ ${CHOST} == *-solaris* ]] ; then - # Solaris' glob.h doesn't have things like GLOB_TILDE, configure - # doesn't check for this, so force the replacement to be put in - # place - append-cppflags -DBROKEN_GLOB - fi - - # use replacement, RPF_ECHO_ON doesn't exist here - [[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no - - local myconf=( - --with-ldflags="${LDFLAGS}" - --disable-strip - --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run - --sysconfdir="${EPREFIX}"/etc/ssh - --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc - --datadir="${EPREFIX}"/usr/share/openssh - --with-privsep-path="${EPREFIX}"/var/empty - --with-privsep-user=sshd - $(use_with audit audit linux) - $(use_with kerberos kerberos5 "${EPREFIX}"/usr) - # We apply the sctp patch conditionally, so can't pass --without-sctp - # unconditionally else we get unknown flag warnings. - $(use sctp && use_with sctp) - $(use_with ldns ldns "${EPREFIX}"/usr) - $(use_with libedit) - $(use_with pam) - $(use_with pie) - $(use_with selinux) - $(usex X509 '' "$(use_with security-key security-key-builtin)") - $(use_with ssl openssl) - $(use_with ssl md5-passwords) - $(use_with ssl ssl-engine) - $(use_with !elibc_Cygwin hardening) #659210 - ) - - if use elibc_musl; then - # musl defines bogus values for UTMP_FILE and WTMP_FILE - # https://bugs.gentoo.org/753230 - myconf+=( --disable-utmp --disable-wtmp ) - fi - - # The seccomp sandbox is broken on x32, so use the older method for now. #553748 - use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit ) - - econf "${myconf[@]}" -} - -src_test() { - local t skipped=() failed=() passed=() - local tests=( interop-tests compat-tests ) - - local shell=$(egetshell "${UID}") - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then - elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" - elog "user, so we will run a subset only." - skipped+=( tests ) - else - tests+=( tests ) - fi - - # It will also attempt to write to the homedir .ssh. - local sshhome=${T}/homedir - mkdir -p "${sshhome}"/.ssh - for t in "${tests[@]}" ; do - # Some tests read from stdin ... - HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \ - SUDO="" SSH_SK_PROVIDER="" \ - TEST_SSH_UNSAFE_PERMISSIONS=1 \ - emake -k -j1 ${t} > "${ED}"/etc/ssh/sshd_config - - # Allow client to pass locale environment variables. #367017 - AcceptEnv ${locale_vars[*]} - - # Allow client to pass COLORTERM to match TERM. #658540 - AcceptEnv COLORTERM - EOF - - # Then the client config. - cat <<-EOF >> "${ED}"/etc/ssh/ssh_config - - # Send locale environment variables. #367017 - SendEnv ${locale_vars[*]} - - # Send COLORTERM to match TERM. #658540 - SendEnv COLORTERM - EOF - - if use pam ; then - sed -i \ - -e "/^#UsePAM /s:.*:UsePAM yes:" \ - -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ - -e "/^#PrintMotd /s:.*:PrintMotd no:" \ - -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ - "${ED}"/etc/ssh/sshd_config || die - fi - - if use livecd ; then - sed -i \ - -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \ - "${ED}"/etc/ssh/sshd_config || die - fi -} - -src_install() { - emake install-nokeys DESTDIR="${D}" - fperms 600 /etc/ssh/sshd_config - dobin contrib/ssh-copy-id - newinitd "${FILESDIR}"/sshd-r1.initd sshd - newconfd "${FILESDIR}"/sshd-r1.confd sshd - - if use pam; then - newpamd "${FILESDIR}"/sshd.pam_include.2 sshd - fi - - tweak_ssh_configs - - doman contrib/ssh-copy-id.1 - dodoc CREDITS OVERVIEW README* TODO sshd_config - use hpn && dodoc HPN-README - use X509 || dodoc ChangeLog - - diropts -m 0700 - dodir /etc/skel/.ssh - - # https://bugs.gentoo.org/733802 - if ! use scp; then - rm -f "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \ - || die "failed to remove scp" - fi - - rmdir "${ED}"/var/empty || die - - systemd_dounit "${FILESDIR}"/sshd.{service,socket} - systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' -} - -pkg_preinst() { - if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then - show_ssl_warning=1 - fi -} - -pkg_postinst() { - local old_ver - for old_ver in ${REPLACING_VERSIONS}; do - if ver_test "${old_ver}" -lt "5.8_p1"; then - elog "Starting with openssh-5.8p1, the server will default to a newer key" - elog "algorithm (ECDSA). You are encouraged to manually update your stored" - elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." - fi - if ver_test "${old_ver}" -lt "7.0_p1"; then - elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." - elog "Make sure to update any configs that you might have. Note that xinetd might" - elog "be an alternative for you as it supports USE=tcpd." - fi - if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518 - elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" - elog "weak sizes. If you rely on these key types, you can re-enable the key types by" - elog "adding to your sshd_config or ~/.ssh/config files:" - elog " PubkeyAcceptedKeyTypes=+ssh-dss" - elog "You should however generate new keys using rsa or ed25519." - - elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" - elog "to 'prohibit-password'. That means password auth for root users no longer works" - elog "out of the box. If you need this, please update your sshd_config explicitly." - fi - if ver_test "${old_ver}" -lt "7.6_p1"; then - elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely." - elog "Furthermore, rsa keys with less than 1024 bits will be refused." - fi - if ver_test "${old_ver}" -lt "7.7_p1"; then - elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality." - elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option" - elog "if you need to authenticate against LDAP." - elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details." - fi - if ver_test "${old_ver}" -lt "8.2_p1"; then - ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you" - ewarn "will not be able to establish new sessions. Restarting sshd over a ssh" - ewarn "connection is generally safe." - fi - done - - if [[ -n ${show_ssl_warning} ]]; then - elog "Be aware that by disabling openssl support in openssh, the server and clients" - elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" - elog "and update all clients/servers that utilize them." - fi - - if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then - elog "" - elog "HPN's multi-threaded AES CTR cipher is currently known to be broken" - elog "and therefore disabled at runtime per default." - elog "Make sure your sshd_config is up to date and contains" - elog "" - elog " DisableMTAES yes" - elog "" - elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher." - elog "" - fi -} diff --git a/net-misc/openssh/openssh-8.7_p1-r4.ebuild b/net-misc/openssh/openssh-8.7_p1-r4.ebuild new file mode 100644 index 000000000000..0d7b0c47c069 --- /dev/null +++ b/net-misc/openssh/openssh-8.7_p1-r4.ebuild @@ -0,0 +1,498 @@ +# Copyright 1999-2021 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +inherit user-info flag-o-matic autotools pam systemd toolchain-funcs + +# Make it more portable between straight releases +# and _p? releases. +PARCH=${P/_} + +# PV to USE for HPN patches +#HPN_PV="${PV^^}" +HPN_PV="8.5_P1" + +HPN_VER="15.2" +HPN_PATCHES=( + ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff + ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff + ${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff +) + +SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz" +X509_VER="13.2.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" + +DESCRIPTION="Port of OpenBSD's free SSH release" +HOMEPAGE="https://www.openssh.com/" +SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz + ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )} + ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )} + ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} +" +S="${WORKDIR}/${PARCH}" + +LICENSE="BSD GPL-2" +SLOT="0" +KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +# Probably want to drop ssl defaulting to on in a future version. +IUSE="abi_mips_n32 audit debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss" + +RESTRICT="!test? ( test )" + +REQUIRED_USE=" + hpn? ( ssl ) + ldns? ( ssl ) + pie? ( !static ) + static? ( !kerberos !pam ) + X509? ( !sctp ssl !xmss ) + xmss? ( ssl ) + test? ( ssl ) +" + +# tests currently fail with XMSS +REQUIRED_USE+="test? ( !xmss )" + +LIB_DEPEND=" + audit? ( sys-process/audit[static-libs(+)] ) + ldns? ( + net-libs/ldns[static-libs(+)] + net-libs/ldns[ecdsa(+),ssl(+)] + ) + libedit? ( dev-libs/libedit:=[static-libs(+)] ) + sctp? ( net-misc/lksctp-tools[static-libs(+)] ) + security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] ) + selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) + ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] ) + virtual/libcrypt:=[static-libs(+)] + >=sys-libs/zlib-1.2.3:=[static-libs(+)] +" +RDEPEND=" + acct-group/sshd + acct-user/sshd + !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) + pam? ( sys-libs/pam ) + kerberos? ( virtual/krb5 ) +" +DEPEND="${RDEPEND} + virtual/os-headers + kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) ) + static? ( ${LIB_DEPEND} ) +" +RDEPEND="${RDEPEND} + pam? ( >=sys-auth/pambase-20081028 ) + userland_GNU? ( !prefix? ( sys-apps/shadow ) ) + X? ( x11-apps/xauth ) +" +BDEPEND=" + virtual/pkgconfig + sys-devel/autoconf +" + +pkg_pretend() { + # this sucks, but i'd rather have people unable to `emerge -u openssh` + # than not be able to log in to their server any more + maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; } + local fail=" + $(use hpn && maybe_fail hpn HPN_VER) + $(use sctp && maybe_fail sctp SCTP_PATCH) + $(use X509 && maybe_fail X509 X509_PATCH) + " + fail=$(echo ${fail}) + if [[ -n ${fail} ]] ; then + eerror "Sorry, but this version does not yet support features" + eerror "that you requested: ${fail}" + eerror "Please mask ${PF} for now and check back later:" + eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" + die "Missing requested third party patch." + fi + + # Make sure people who are using tcp wrappers are notified of its removal. #531156 + if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then + ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" + ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please." + fi +} + +src_prepare() { + sed -i \ + -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ + pathnames.h || die + + # don't break .ssh/authorized_keys2 for fun + sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die + + eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch + eapply "${FILESDIR}"/${PN}-8.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex + eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch + eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch + eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch + eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch + + [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches + + local PATCHSET_VERSION_MACROS=() + + if use X509 ; then + pushd "${WORKDIR}" &>/dev/null || die + eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch" + popd &>/dev/null || die + + eapply "${WORKDIR}"/${X509_PATCH%.*} + + # We need to patch package version or any X.509 sshd will reject our ssh client + # with "userauth_pubkey: could not parse key: string is too large [preauth]" + # error + einfo "Patching package version for X.509 patch set ..." + sed -i \ + -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \ + "${S}"/configure.ac || die "Failed to patch package version for X.509 patch" + + einfo "Patching version.h to expose X.509 patch set ..." + sed -i \ + -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \ + "${S}"/version.h || die "Failed to sed-in X.509 patch version" + PATCHSET_VERSION_MACROS+=( 'SSH_X509' ) + fi + + if use sctp ; then + eapply "${WORKDIR}"/${SCTP_PATCH%.*} + + einfo "Patching version.h to expose SCTP patch set ..." + sed -i \ + -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \ + "${S}"/version.h || die "Failed to sed-in SCTP patch version" + PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' ) + + einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..." + sed -i \ + -e "/\t\tcfgparse \\\/d" \ + "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch" + fi + + if use hpn ; then + local hpn_patchdir="${T}/${P}-hpn${HPN_VER}" + mkdir "${hpn_patchdir}" || die + cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die + pushd "${hpn_patchdir}" &>/dev/null || die + eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch + use X509 && eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-X509-glue.patch + use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch + popd &>/dev/null || die + + eapply "${hpn_patchdir}" + + use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch" + + einfo "Patching Makefile.in for HPN patch set ..." + sed -i \ + -e "/^LIBS=/ s/\$/ -lpthread/" \ + "${S}"/Makefile.in || die "Failed to patch Makefile.in" + + einfo "Patching version.h to expose HPN patch set ..." + sed -i \ + -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \ + "${S}"/version.h || die "Failed to sed-in HPN patch version" + PATCHSET_VERSION_MACROS+=( 'SSH_HPN' ) + + if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then + einfo "Disabling known non-working MT AES cipher per default ..." + + cat > "${T}"/disable_mtaes.conf <<- EOF + + # HPN's Multi-Threaded AES CTR cipher is currently known to be broken + # and therefore disabled per default. + DisableMTAES yes + EOF + sed -i \ + -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \ + "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config" + + sed -i \ + -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \ + "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config" + fi + fi + + if use X509 || use sctp || use hpn ; then + einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..." + sed -i \ + -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ + "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)" + + einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..." + sed -i \ + -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ + "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)" + + einfo "Patching version.h to add our patch sets to SSH_RELEASE ..." + sed -i \ + -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \ + "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)" + fi + + sed -i \ + -e "/#UseLogin no/d" \ + "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)" + + eapply_user #473004 + + # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox + sed -e '/\t\tpercent \\/ d' \ + -i regress/Makefile || die + + tc-export PKG_CONFIG + local sed_args=( + -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" + # Disable PATH reset, trust what portage gives us #254615 + -e 's:^PATH=/:#PATH=/:' + # Disable fortify flags ... our gcc does this for us + -e 's:-D_FORTIFY_SOURCE=2::' + ) + + # The -ftrapv flag ICEs on hppa #505182 + use hppa && sed_args+=( + -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' + -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' + ) + # _XOPEN_SOURCE causes header conflicts on Solaris + [[ ${CHOST} == *-solaris* ]] && sed_args+=( + -e 's/-D_XOPEN_SOURCE//' + ) + sed -i "${sed_args[@]}" configure{.ac,} || die + + eautoreconf +} + +src_configure() { + addwrite /dev/ptmx + + use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG + use static && append-ldflags -static + use xmss && append-cflags -DWITH_XMSS + + if [[ ${CHOST} == *-solaris* ]] ; then + # Solaris' glob.h doesn't have things like GLOB_TILDE, configure + # doesn't check for this, so force the replacement to be put in + # place + append-cppflags -DBROKEN_GLOB + fi + + # use replacement, RPF_ECHO_ON doesn't exist here + [[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no + + local myconf=( + --with-ldflags="${LDFLAGS}" + --disable-strip + --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run + --sysconfdir="${EPREFIX}"/etc/ssh + --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc + --datadir="${EPREFIX}"/usr/share/openssh + --with-privsep-path="${EPREFIX}"/var/empty + --with-privsep-user=sshd + $(use_with audit audit linux) + $(use_with kerberos kerberos5 "${EPREFIX}"/usr) + # We apply the sctp patch conditionally, so can't pass --without-sctp + # unconditionally else we get unknown flag warnings. + $(use sctp && use_with sctp) + $(use_with ldns ldns "${EPREFIX}"/usr) + $(use_with libedit) + $(use_with pam) + $(use_with pie) + $(use_with selinux) + $(usex X509 '' "$(use_with security-key security-key-builtin)") + $(use_with ssl openssl) + $(use_with ssl md5-passwords) + $(use_with ssl ssl-engine) + $(use_with !elibc_Cygwin hardening) #659210 + ) + + if use elibc_musl; then + # musl defines bogus values for UTMP_FILE and WTMP_FILE + # https://bugs.gentoo.org/753230 + myconf+=( --disable-utmp --disable-wtmp ) + fi + + # The seccomp sandbox is broken on x32, so use the older method for now. #553748 + use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit ) + + econf "${myconf[@]}" +} + +src_test() { + local t skipped=() failed=() passed=() + local tests=( interop-tests compat-tests ) + + local shell=$(egetshell "${UID}") + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then + elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" + elog "user, so we will run a subset only." + skipped+=( tests ) + else + tests+=( tests ) + fi + + # It will also attempt to write to the homedir .ssh. + local sshhome=${T}/homedir + mkdir -p "${sshhome}"/.ssh + for t in "${tests[@]}" ; do + # Some tests read from stdin ... + HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \ + SUDO="" SSH_SK_PROVIDER="" \ + TEST_SSH_UNSAFE_PERMISSIONS=1 \ + emake -k -j1 ${t} > "${ED}"/etc/ssh/sshd_config + + # Allow client to pass locale environment variables. #367017 + AcceptEnv ${locale_vars[*]} + + # Allow client to pass COLORTERM to match TERM. #658540 + AcceptEnv COLORTERM + EOF + + # Then the client config. + cat <<-EOF >> "${ED}"/etc/ssh/ssh_config + + # Send locale environment variables. #367017 + SendEnv ${locale_vars[*]} + + # Send COLORTERM to match TERM. #658540 + SendEnv COLORTERM + EOF + + if use pam ; then + sed -i \ + -e "/^#UsePAM /s:.*:UsePAM yes:" \ + -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ + -e "/^#PrintMotd /s:.*:PrintMotd no:" \ + -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ + "${ED}"/etc/ssh/sshd_config || die + fi + + if use livecd ; then + sed -i \ + -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \ + "${ED}"/etc/ssh/sshd_config || die + fi +} + +src_install() { + emake install-nokeys DESTDIR="${D}" + fperms 600 /etc/ssh/sshd_config + dobin contrib/ssh-copy-id + newinitd "${FILESDIR}"/sshd-r1.initd sshd + newconfd "${FILESDIR}"/sshd-r1.confd sshd + + if use pam; then + newpamd "${FILESDIR}"/sshd.pam_include.2 sshd + fi + + tweak_ssh_configs + + doman contrib/ssh-copy-id.1 + dodoc CREDITS OVERVIEW README* TODO sshd_config + use hpn && dodoc HPN-README + use X509 || dodoc ChangeLog + + diropts -m 0700 + dodir /etc/skel/.ssh + + # https://bugs.gentoo.org/733802 + if ! use scp; then + rm -f "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \ + || die "failed to remove scp" + fi + + rmdir "${ED}"/var/empty || die + + systemd_dounit "${FILESDIR}"/sshd.{service,socket} + systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' +} + +pkg_preinst() { + if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then + show_ssl_warning=1 + fi +} + +pkg_postinst() { + local old_ver + for old_ver in ${REPLACING_VERSIONS}; do + if ver_test "${old_ver}" -lt "5.8_p1"; then + elog "Starting with openssh-5.8p1, the server will default to a newer key" + elog "algorithm (ECDSA). You are encouraged to manually update your stored" + elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." + fi + if ver_test "${old_ver}" -lt "7.0_p1"; then + elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." + elog "Make sure to update any configs that you might have. Note that xinetd might" + elog "be an alternative for you as it supports USE=tcpd." + fi + if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518 + elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" + elog "weak sizes. If you rely on these key types, you can re-enable the key types by" + elog "adding to your sshd_config or ~/.ssh/config files:" + elog " PubkeyAcceptedKeyTypes=+ssh-dss" + elog "You should however generate new keys using rsa or ed25519." + + elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" + elog "to 'prohibit-password'. That means password auth for root users no longer works" + elog "out of the box. If you need this, please update your sshd_config explicitly." + fi + if ver_test "${old_ver}" -lt "7.6_p1"; then + elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely." + elog "Furthermore, rsa keys with less than 1024 bits will be refused." + fi + if ver_test "${old_ver}" -lt "7.7_p1"; then + elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality." + elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option" + elog "if you need to authenticate against LDAP." + elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details." + fi + if ver_test "${old_ver}" -lt "8.2_p1"; then + ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you" + ewarn "will not be able to establish new sessions. Restarting sshd over a ssh" + ewarn "connection is generally safe." + fi + done + + if [[ -n ${show_ssl_warning} ]]; then + elog "Be aware that by disabling openssl support in openssh, the server and clients" + elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" + elog "and update all clients/servers that utilize them." + fi + + if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then + elog "" + elog "HPN's multi-threaded AES CTR cipher is currently known to be broken" + elog "and therefore disabled at runtime per default." + elog "Make sure your sshd_config is up to date and contains" + elog "" + elog " DisableMTAES yes" + elog "" + elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher." + elog "" + fi +} diff --git a/net-misc/openssh/openssh-8.8_p1-r2.ebuild b/net-misc/openssh/openssh-8.8_p1-r2.ebuild deleted file mode 100644 index a8039cdc405f..000000000000 --- a/net-misc/openssh/openssh-8.8_p1-r2.ebuild +++ /dev/null @@ -1,508 +0,0 @@ -# Copyright 1999-2021 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=7 - -inherit user-info flag-o-matic autotools pam systemd toolchain-funcs - -# Make it more portable between straight releases -# and _p? releases. -PARCH=${P/_} - -# PV to USE for HPN patches -#HPN_PV="${PV^^}" -HPN_PV="8.5_P1" - -HPN_VER="15.2" -HPN_PATCHES=( - ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff - ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff - ${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff -) - -SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz" -X509_VER="13.2.3" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" - -DESCRIPTION="Port of OpenBSD's free SSH release" -HOMEPAGE="https://www.openssh.com/" -SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz - ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )} - ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )} - ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} -" -S="${WORKDIR}/${PARCH}" - -LICENSE="BSD GPL-2" -SLOT="0" -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" -# Probably want to drop ssl defaulting to on in a future version. -IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss" - -RESTRICT="!test? ( test )" - -REQUIRED_USE=" - hpn? ( ssl ) - ldns? ( ssl ) - pie? ( !static ) - static? ( !kerberos !pam ) - X509? ( !sctp ssl !xmss ) - xmss? ( ssl ) - test? ( ssl ) -" - -# tests currently fail with XMSS -REQUIRED_USE+="test? ( !xmss )" - -LIB_DEPEND=" - audit? ( sys-process/audit[static-libs(+)] ) - ldns? ( - net-libs/ldns[static-libs(+)] - !bindist? ( net-libs/ldns[ecdsa,ssl(+)] ) - bindist? ( net-libs/ldns[-ecdsa,ssl(+)] ) - ) - libedit? ( dev-libs/libedit:=[static-libs(+)] ) - sctp? ( net-misc/lksctp-tools[static-libs(+)] ) - security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] ) - selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) - ssl? ( - || ( - ( - >=dev-libs/openssl-1.0.1:0[bindist(-)=] - =dev-libs/openssl-1.1.0g:0[bindist(-)=] - ) - dev-libs/openssl:0=[static-libs(+)] - ) - virtual/libcrypt:=[static-libs(+)] - >=sys-libs/zlib-1.2.3:=[static-libs(+)] -" -RDEPEND=" - acct-group/sshd - acct-user/sshd - !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) - pam? ( sys-libs/pam ) - kerberos? ( virtual/krb5 ) -" -DEPEND="${RDEPEND} - virtual/os-headers - kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) ) - static? ( ${LIB_DEPEND} ) -" -RDEPEND="${RDEPEND} - pam? ( >=sys-auth/pambase-20081028 ) - userland_GNU? ( !prefix? ( sys-apps/shadow ) ) - X? ( x11-apps/xauth ) -" -BDEPEND=" - virtual/pkgconfig - sys-devel/autoconf -" - -pkg_pretend() { - # this sucks, but i'd rather have people unable to `emerge -u openssh` - # than not be able to log in to their server any more - maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; } - local fail=" - $(use hpn && maybe_fail hpn HPN_VER) - $(use sctp && maybe_fail sctp SCTP_PATCH) - $(use X509 && maybe_fail X509 X509_PATCH) - " - fail=$(echo ${fail}) - if [[ -n ${fail} ]] ; then - eerror "Sorry, but this version does not yet support features" - eerror "that you requested: ${fail}" - eerror "Please mask ${PF} for now and check back later:" - eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" - die "Missing requested third party patch." - fi - - # Make sure people who are using tcp wrappers are notified of its removal. #531156 - if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then - ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" - ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please." - fi -} - -src_prepare() { - sed -i \ - -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ - pathnames.h || die - - # don't break .ssh/authorized_keys2 for fun - sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die - - eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch - eapply "${FILESDIR}"/${PN}-8.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex - eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch - eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch - eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch - eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch - - [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches - - local PATCHSET_VERSION_MACROS=() - - if use X509 ; then - pushd "${WORKDIR}" &>/dev/null || die - eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch" - popd &>/dev/null || die - - eapply "${WORKDIR}"/${X509_PATCH%.*} - - # We need to patch package version or any X.509 sshd will reject our ssh client - # with "userauth_pubkey: could not parse key: string is too large [preauth]" - # error - einfo "Patching package version for X.509 patch set ..." - sed -i \ - -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \ - "${S}"/configure.ac || die "Failed to patch package version for X.509 patch" - - einfo "Patching version.h to expose X.509 patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \ - "${S}"/version.h || die "Failed to sed-in X.509 patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_X509' ) - fi - - if use sctp ; then - eapply "${WORKDIR}"/${SCTP_PATCH%.*} - - einfo "Patching version.h to expose SCTP patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \ - "${S}"/version.h || die "Failed to sed-in SCTP patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' ) - - einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..." - sed -i \ - -e "/\t\tcfgparse \\\/d" \ - "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch" - fi - - if use hpn ; then - local hpn_patchdir="${T}/${P}-hpn${HPN_VER}" - mkdir "${hpn_patchdir}" || die - cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die - pushd "${hpn_patchdir}" &>/dev/null || die - eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-glue.patch - use X509 && eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-X509-glue.patch - use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch - popd &>/dev/null || die - - eapply "${hpn_patchdir}" - - use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch" - - einfo "Patching Makefile.in for HPN patch set ..." - sed -i \ - -e "/^LIBS=/ s/\$/ -lpthread/" \ - "${S}"/Makefile.in || die "Failed to patch Makefile.in" - - einfo "Patching version.h to expose HPN patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \ - "${S}"/version.h || die "Failed to sed-in HPN patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_HPN' ) - - if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then - einfo "Disabling known non-working MT AES cipher per default ..." - - cat > "${T}"/disable_mtaes.conf <<- EOF - - # HPN's Multi-Threaded AES CTR cipher is currently known to be broken - # and therefore disabled per default. - DisableMTAES yes - EOF - sed -i \ - -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \ - "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config" - - sed -i \ - -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \ - "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config" - fi - fi - - if use X509 || use sctp || use hpn ; then - einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..." - sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)" - - einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..." - sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)" - - einfo "Patching version.h to add our patch sets to SSH_RELEASE ..." - sed -i \ - -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \ - "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)" - fi - - sed -i \ - -e "/#UseLogin no/d" \ - "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)" - - eapply_user #473004 - - # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox - sed -e '/\t\tpercent \\/ d' \ - -i regress/Makefile || die - - tc-export PKG_CONFIG - local sed_args=( - -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" - # Disable PATH reset, trust what portage gives us #254615 - -e 's:^PATH=/:#PATH=/:' - # Disable fortify flags ... our gcc does this for us - -e 's:-D_FORTIFY_SOURCE=2::' - ) - - # The -ftrapv flag ICEs on hppa #505182 - use hppa && sed_args+=( - -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' - -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' - ) - # _XOPEN_SOURCE causes header conflicts on Solaris - [[ ${CHOST} == *-solaris* ]] && sed_args+=( - -e 's/-D_XOPEN_SOURCE//' - ) - sed -i "${sed_args[@]}" configure{.ac,} || die - - eautoreconf -} - -src_configure() { - addwrite /dev/ptmx - - use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG - use static && append-ldflags -static - use xmss && append-cflags -DWITH_XMSS - - if [[ ${CHOST} == *-solaris* ]] ; then - # Solaris' glob.h doesn't have things like GLOB_TILDE, configure - # doesn't check for this, so force the replacement to be put in - # place - append-cppflags -DBROKEN_GLOB - fi - - # use replacement, RPF_ECHO_ON doesn't exist here - [[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no - - local myconf=( - --with-ldflags="${LDFLAGS}" - --disable-strip - --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run - --sysconfdir="${EPREFIX}"/etc/ssh - --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc - --datadir="${EPREFIX}"/usr/share/openssh - --with-privsep-path="${EPREFIX}"/var/empty - --with-privsep-user=sshd - $(use_with audit audit linux) - $(use_with kerberos kerberos5 "${EPREFIX}"/usr) - # We apply the sctp patch conditionally, so can't pass --without-sctp - # unconditionally else we get unknown flag warnings. - $(use sctp && use_with sctp) - $(use_with ldns ldns "${EPREFIX}"/usr) - $(use_with libedit) - $(use_with pam) - $(use_with pie) - $(use_with selinux) - $(usex X509 '' "$(use_with security-key security-key-builtin)") - $(use_with ssl openssl) - $(use_with ssl md5-passwords) - $(use_with ssl ssl-engine) - $(use_with !elibc_Cygwin hardening) #659210 - ) - - if use elibc_musl; then - # musl defines bogus values for UTMP_FILE and WTMP_FILE - # https://bugs.gentoo.org/753230 - myconf+=( --disable-utmp --disable-wtmp ) - fi - - # The seccomp sandbox is broken on x32, so use the older method for now. #553748 - use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit ) - - econf "${myconf[@]}" -} - -src_test() { - local t skipped=() failed=() passed=() - local tests=( interop-tests compat-tests ) - - local shell=$(egetshell "${UID}") - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then - elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" - elog "user, so we will run a subset only." - skipped+=( tests ) - else - tests+=( tests ) - fi - - # It will also attempt to write to the homedir .ssh. - local sshhome=${T}/homedir - mkdir -p "${sshhome}"/.ssh - for t in "${tests[@]}" ; do - # Some tests read from stdin ... - HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \ - SUDO="" SSH_SK_PROVIDER="" \ - TEST_SSH_UNSAFE_PERMISSIONS=1 \ - emake -k -j1 ${t} > "${ED}"/etc/ssh/sshd_config - - # Allow client to pass locale environment variables. #367017 - AcceptEnv ${locale_vars[*]} - - # Allow client to pass COLORTERM to match TERM. #658540 - AcceptEnv COLORTERM - EOF - - # Then the client config. - cat <<-EOF >> "${ED}"/etc/ssh/ssh_config - - # Send locale environment variables. #367017 - SendEnv ${locale_vars[*]} - - # Send COLORTERM to match TERM. #658540 - SendEnv COLORTERM - EOF - - if use pam ; then - sed -i \ - -e "/^#UsePAM /s:.*:UsePAM yes:" \ - -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ - -e "/^#PrintMotd /s:.*:PrintMotd no:" \ - -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ - "${ED}"/etc/ssh/sshd_config || die - fi - - if use livecd ; then - sed -i \ - -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \ - "${ED}"/etc/ssh/sshd_config || die - fi -} - -src_install() { - emake install-nokeys DESTDIR="${D}" - fperms 600 /etc/ssh/sshd_config - dobin contrib/ssh-copy-id - newinitd "${FILESDIR}"/sshd-r1.initd sshd - newconfd "${FILESDIR}"/sshd-r1.confd sshd - - if use pam; then - newpamd "${FILESDIR}"/sshd.pam_include.2 sshd - fi - - tweak_ssh_configs - - doman contrib/ssh-copy-id.1 - dodoc CREDITS OVERVIEW README* TODO sshd_config - use hpn && dodoc HPN-README - use X509 || dodoc ChangeLog - - diropts -m 0700 - dodir /etc/skel/.ssh - - # https://bugs.gentoo.org/733802 - if ! use scp; then - rm -f "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \ - || die "failed to remove scp" - fi - - rmdir "${ED}"/var/empty || die - - systemd_dounit "${FILESDIR}"/sshd.{service,socket} - systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' -} - -pkg_preinst() { - if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then - show_ssl_warning=1 - fi -} - -pkg_postinst() { - local old_ver - for old_ver in ${REPLACING_VERSIONS}; do - if ver_test "${old_ver}" -lt "5.8_p1"; then - elog "Starting with openssh-5.8p1, the server will default to a newer key" - elog "algorithm (ECDSA). You are encouraged to manually update your stored" - elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." - fi - if ver_test "${old_ver}" -lt "7.0_p1"; then - elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." - elog "Make sure to update any configs that you might have. Note that xinetd might" - elog "be an alternative for you as it supports USE=tcpd." - fi - if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518 - elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" - elog "weak sizes. If you rely on these key types, you can re-enable the key types by" - elog "adding to your sshd_config or ~/.ssh/config files:" - elog " PubkeyAcceptedKeyTypes=+ssh-dss" - elog "You should however generate new keys using rsa or ed25519." - - elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" - elog "to 'prohibit-password'. That means password auth for root users no longer works" - elog "out of the box. If you need this, please update your sshd_config explicitly." - fi - if ver_test "${old_ver}" -lt "7.6_p1"; then - elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely." - elog "Furthermore, rsa keys with less than 1024 bits will be refused." - fi - if ver_test "${old_ver}" -lt "7.7_p1"; then - elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality." - elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option" - elog "if you need to authenticate against LDAP." - elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details." - fi - if ver_test "${old_ver}" -lt "8.2_p1"; then - ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you" - ewarn "will not be able to establish new sessions. Restarting sshd over a ssh" - ewarn "connection is generally safe." - fi - done - - if [[ -n ${show_ssl_warning} ]]; then - elog "Be aware that by disabling openssl support in openssh, the server and clients" - elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" - elog "and update all clients/servers that utilize them." - fi - - if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then - elog "" - elog "HPN's multi-threaded AES CTR cipher is currently known to be broken" - elog "and therefore disabled at runtime per default." - elog "Make sure your sshd_config is up to date and contains" - elog "" - elog " DisableMTAES yes" - elog "" - elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher." - elog "" - fi -} diff --git a/net-misc/openssh/openssh-8.8_p1-r3.ebuild b/net-misc/openssh/openssh-8.8_p1-r3.ebuild deleted file mode 100644 index 1c1068878712..000000000000 --- a/net-misc/openssh/openssh-8.8_p1-r3.ebuild +++ /dev/null @@ -1,498 +0,0 @@ -# Copyright 1999-2021 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=7 - -inherit user-info flag-o-matic autotools pam systemd toolchain-funcs - -# Make it more portable between straight releases -# and _p? releases. -PARCH=${P/_} - -# PV to USE for HPN patches -#HPN_PV="${PV^^}" -HPN_PV="8.5_P1" - -HPN_VER="15.2" -HPN_PATCHES=( - ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff - ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff - ${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff -) - -SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz" -X509_VER="13.2.3" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" - -DESCRIPTION="Port of OpenBSD's free SSH release" -HOMEPAGE="https://www.openssh.com/" -SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz - ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )} - ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )} - ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} -" -S="${WORKDIR}/${PARCH}" - -LICENSE="BSD GPL-2" -SLOT="0" -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" -# Probably want to drop ssl defaulting to on in a future version. -IUSE="abi_mips_n32 audit debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss" - -RESTRICT="!test? ( test )" - -REQUIRED_USE=" - hpn? ( ssl ) - ldns? ( ssl ) - pie? ( !static ) - static? ( !kerberos !pam ) - X509? ( !sctp ssl !xmss ) - xmss? ( ssl ) - test? ( ssl ) -" - -# tests currently fail with XMSS -REQUIRED_USE+="test? ( !xmss )" - -LIB_DEPEND=" - audit? ( sys-process/audit[static-libs(+)] ) - ldns? ( - net-libs/ldns[static-libs(+)] - net-libs/ldns[ecdsa,ssl(+)] - ) - libedit? ( dev-libs/libedit:=[static-libs(+)] ) - sctp? ( net-misc/lksctp-tools[static-libs(+)] ) - security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] ) - selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) - ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] ) - virtual/libcrypt:=[static-libs(+)] - >=sys-libs/zlib-1.2.3:=[static-libs(+)] -" -RDEPEND=" - acct-group/sshd - acct-user/sshd - !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) - pam? ( sys-libs/pam ) - kerberos? ( virtual/krb5 ) -" -DEPEND="${RDEPEND} - virtual/os-headers - kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) ) - static? ( ${LIB_DEPEND} ) -" -RDEPEND="${RDEPEND} - pam? ( >=sys-auth/pambase-20081028 ) - userland_GNU? ( !prefix? ( sys-apps/shadow ) ) - X? ( x11-apps/xauth ) -" -BDEPEND=" - virtual/pkgconfig - sys-devel/autoconf -" - -pkg_pretend() { - # this sucks, but i'd rather have people unable to `emerge -u openssh` - # than not be able to log in to their server any more - maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; } - local fail=" - $(use hpn && maybe_fail hpn HPN_VER) - $(use sctp && maybe_fail sctp SCTP_PATCH) - $(use X509 && maybe_fail X509 X509_PATCH) - " - fail=$(echo ${fail}) - if [[ -n ${fail} ]] ; then - eerror "Sorry, but this version does not yet support features" - eerror "that you requested: ${fail}" - eerror "Please mask ${PF} for now and check back later:" - eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" - die "Missing requested third party patch." - fi - - # Make sure people who are using tcp wrappers are notified of its removal. #531156 - if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then - ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" - ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please." - fi -} - -src_prepare() { - sed -i \ - -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ - pathnames.h || die - - # don't break .ssh/authorized_keys2 for fun - sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die - - eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch - eapply "${FILESDIR}"/${PN}-8.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex - eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch - eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch - eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch - eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch - - [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches - - local PATCHSET_VERSION_MACROS=() - - if use X509 ; then - pushd "${WORKDIR}" &>/dev/null || die - eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch" - popd &>/dev/null || die - - eapply "${WORKDIR}"/${X509_PATCH%.*} - - # We need to patch package version or any X.509 sshd will reject our ssh client - # with "userauth_pubkey: could not parse key: string is too large [preauth]" - # error - einfo "Patching package version for X.509 patch set ..." - sed -i \ - -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \ - "${S}"/configure.ac || die "Failed to patch package version for X.509 patch" - - einfo "Patching version.h to expose X.509 patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \ - "${S}"/version.h || die "Failed to sed-in X.509 patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_X509' ) - fi - - if use sctp ; then - eapply "${WORKDIR}"/${SCTP_PATCH%.*} - - einfo "Patching version.h to expose SCTP patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \ - "${S}"/version.h || die "Failed to sed-in SCTP patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' ) - - einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..." - sed -i \ - -e "/\t\tcfgparse \\\/d" \ - "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch" - fi - - if use hpn ; then - local hpn_patchdir="${T}/${P}-hpn${HPN_VER}" - mkdir "${hpn_patchdir}" || die - cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die - pushd "${hpn_patchdir}" &>/dev/null || die - eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-glue.patch - use X509 && eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-X509-glue.patch - use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch - popd &>/dev/null || die - - eapply "${hpn_patchdir}" - - use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch" - - einfo "Patching Makefile.in for HPN patch set ..." - sed -i \ - -e "/^LIBS=/ s/\$/ -lpthread/" \ - "${S}"/Makefile.in || die "Failed to patch Makefile.in" - - einfo "Patching version.h to expose HPN patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \ - "${S}"/version.h || die "Failed to sed-in HPN patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_HPN' ) - - if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then - einfo "Disabling known non-working MT AES cipher per default ..." - - cat > "${T}"/disable_mtaes.conf <<- EOF - - # HPN's Multi-Threaded AES CTR cipher is currently known to be broken - # and therefore disabled per default. - DisableMTAES yes - EOF - sed -i \ - -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \ - "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config" - - sed -i \ - -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \ - "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config" - fi - fi - - if use X509 || use sctp || use hpn ; then - einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..." - sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)" - - einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..." - sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)" - - einfo "Patching version.h to add our patch sets to SSH_RELEASE ..." - sed -i \ - -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \ - "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)" - fi - - sed -i \ - -e "/#UseLogin no/d" \ - "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)" - - eapply_user #473004 - - # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox - sed -e '/\t\tpercent \\/ d' \ - -i regress/Makefile || die - - tc-export PKG_CONFIG - local sed_args=( - -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" - # Disable PATH reset, trust what portage gives us #254615 - -e 's:^PATH=/:#PATH=/:' - # Disable fortify flags ... our gcc does this for us - -e 's:-D_FORTIFY_SOURCE=2::' - ) - - # The -ftrapv flag ICEs on hppa #505182 - use hppa && sed_args+=( - -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' - -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' - ) - # _XOPEN_SOURCE causes header conflicts on Solaris - [[ ${CHOST} == *-solaris* ]] && sed_args+=( - -e 's/-D_XOPEN_SOURCE//' - ) - sed -i "${sed_args[@]}" configure{.ac,} || die - - eautoreconf -} - -src_configure() { - addwrite /dev/ptmx - - use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG - use static && append-ldflags -static - use xmss && append-cflags -DWITH_XMSS - - if [[ ${CHOST} == *-solaris* ]] ; then - # Solaris' glob.h doesn't have things like GLOB_TILDE, configure - # doesn't check for this, so force the replacement to be put in - # place - append-cppflags -DBROKEN_GLOB - fi - - # use replacement, RPF_ECHO_ON doesn't exist here - [[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no - - local myconf=( - --with-ldflags="${LDFLAGS}" - --disable-strip - --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run - --sysconfdir="${EPREFIX}"/etc/ssh - --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc - --datadir="${EPREFIX}"/usr/share/openssh - --with-privsep-path="${EPREFIX}"/var/empty - --with-privsep-user=sshd - $(use_with audit audit linux) - $(use_with kerberos kerberos5 "${EPREFIX}"/usr) - # We apply the sctp patch conditionally, so can't pass --without-sctp - # unconditionally else we get unknown flag warnings. - $(use sctp && use_with sctp) - $(use_with ldns ldns "${EPREFIX}"/usr) - $(use_with libedit) - $(use_with pam) - $(use_with pie) - $(use_with selinux) - $(usex X509 '' "$(use_with security-key security-key-builtin)") - $(use_with ssl openssl) - $(use_with ssl md5-passwords) - $(use_with ssl ssl-engine) - $(use_with !elibc_Cygwin hardening) #659210 - ) - - if use elibc_musl; then - # musl defines bogus values for UTMP_FILE and WTMP_FILE - # https://bugs.gentoo.org/753230 - myconf+=( --disable-utmp --disable-wtmp ) - fi - - # The seccomp sandbox is broken on x32, so use the older method for now. #553748 - use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit ) - - econf "${myconf[@]}" -} - -src_test() { - local t skipped=() failed=() passed=() - local tests=( interop-tests compat-tests ) - - local shell=$(egetshell "${UID}") - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then - elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" - elog "user, so we will run a subset only." - skipped+=( tests ) - else - tests+=( tests ) - fi - - # It will also attempt to write to the homedir .ssh. - local sshhome=${T}/homedir - mkdir -p "${sshhome}"/.ssh - for t in "${tests[@]}" ; do - # Some tests read from stdin ... - HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \ - SUDO="" SSH_SK_PROVIDER="" \ - TEST_SSH_UNSAFE_PERMISSIONS=1 \ - emake -k -j1 ${t} > "${ED}"/etc/ssh/sshd_config - - # Allow client to pass locale environment variables. #367017 - AcceptEnv ${locale_vars[*]} - - # Allow client to pass COLORTERM to match TERM. #658540 - AcceptEnv COLORTERM - EOF - - # Then the client config. - cat <<-EOF >> "${ED}"/etc/ssh/ssh_config - - # Send locale environment variables. #367017 - SendEnv ${locale_vars[*]} - - # Send COLORTERM to match TERM. #658540 - SendEnv COLORTERM - EOF - - if use pam ; then - sed -i \ - -e "/^#UsePAM /s:.*:UsePAM yes:" \ - -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ - -e "/^#PrintMotd /s:.*:PrintMotd no:" \ - -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ - "${ED}"/etc/ssh/sshd_config || die - fi - - if use livecd ; then - sed -i \ - -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \ - "${ED}"/etc/ssh/sshd_config || die - fi -} - -src_install() { - emake install-nokeys DESTDIR="${D}" - fperms 600 /etc/ssh/sshd_config - dobin contrib/ssh-copy-id - newinitd "${FILESDIR}"/sshd-r1.initd sshd - newconfd "${FILESDIR}"/sshd-r1.confd sshd - - if use pam; then - newpamd "${FILESDIR}"/sshd.pam_include.2 sshd - fi - - tweak_ssh_configs - - doman contrib/ssh-copy-id.1 - dodoc CREDITS OVERVIEW README* TODO sshd_config - use hpn && dodoc HPN-README - use X509 || dodoc ChangeLog - - diropts -m 0700 - dodir /etc/skel/.ssh - - # https://bugs.gentoo.org/733802 - if ! use scp; then - rm -f "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \ - || die "failed to remove scp" - fi - - rmdir "${ED}"/var/empty || die - - systemd_dounit "${FILESDIR}"/sshd.{service,socket} - systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' -} - -pkg_preinst() { - if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then - show_ssl_warning=1 - fi -} - -pkg_postinst() { - local old_ver - for old_ver in ${REPLACING_VERSIONS}; do - if ver_test "${old_ver}" -lt "5.8_p1"; then - elog "Starting with openssh-5.8p1, the server will default to a newer key" - elog "algorithm (ECDSA). You are encouraged to manually update your stored" - elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." - fi - if ver_test "${old_ver}" -lt "7.0_p1"; then - elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." - elog "Make sure to update any configs that you might have. Note that xinetd might" - elog "be an alternative for you as it supports USE=tcpd." - fi - if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518 - elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" - elog "weak sizes. If you rely on these key types, you can re-enable the key types by" - elog "adding to your sshd_config or ~/.ssh/config files:" - elog " PubkeyAcceptedKeyTypes=+ssh-dss" - elog "You should however generate new keys using rsa or ed25519." - - elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" - elog "to 'prohibit-password'. That means password auth for root users no longer works" - elog "out of the box. If you need this, please update your sshd_config explicitly." - fi - if ver_test "${old_ver}" -lt "7.6_p1"; then - elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely." - elog "Furthermore, rsa keys with less than 1024 bits will be refused." - fi - if ver_test "${old_ver}" -lt "7.7_p1"; then - elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality." - elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option" - elog "if you need to authenticate against LDAP." - elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details." - fi - if ver_test "${old_ver}" -lt "8.2_p1"; then - ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you" - ewarn "will not be able to establish new sessions. Restarting sshd over a ssh" - ewarn "connection is generally safe." - fi - done - - if [[ -n ${show_ssl_warning} ]]; then - elog "Be aware that by disabling openssl support in openssh, the server and clients" - elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" - elog "and update all clients/servers that utilize them." - fi - - if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then - elog "" - elog "HPN's multi-threaded AES CTR cipher is currently known to be broken" - elog "and therefore disabled at runtime per default." - elog "Make sure your sshd_config is up to date and contains" - elog "" - elog " DisableMTAES yes" - elog "" - elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher." - elog "" - fi -} diff --git a/net-misc/openssh/openssh-8.8_p1-r4.ebuild b/net-misc/openssh/openssh-8.8_p1-r4.ebuild new file mode 100644 index 000000000000..cc2c72f2fd25 --- /dev/null +++ b/net-misc/openssh/openssh-8.8_p1-r4.ebuild @@ -0,0 +1,481 @@ +# Copyright 1999-2021 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +inherit user-info flag-o-matic autotools pam systemd toolchain-funcs + +# Make it more portable between straight releases +# and _p? releases. +PARCH=${P/_} + +# PV to USE for HPN patches +#HPN_PV="${PV^^}" +HPN_PV="8.5_P1" + +HPN_VER="15.2" +HPN_PATCHES=( + ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff + ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff + ${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff +) + +SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz" +X509_VER="13.2.3" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" + +DESCRIPTION="Port of OpenBSD's free SSH release" +HOMEPAGE="https://www.openssh.com/" +SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz + ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )} + ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )} + ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} +" +S="${WORKDIR}/${PARCH}" + +LICENSE="BSD GPL-2" +SLOT="0" +KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +# Probably want to drop ssl defaulting to on in a future version. +IUSE="abi_mips_n32 audit debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss" + +RESTRICT="!test? ( test )" + +REQUIRED_USE=" + hpn? ( ssl ) + ldns? ( ssl ) + pie? ( !static ) + static? ( !kerberos !pam ) + X509? ( !sctp ssl !xmss ) + xmss? ( ssl ) + test? ( ssl ) +" + +# tests currently fail with XMSS +REQUIRED_USE+="test? ( !xmss )" + +LIB_DEPEND=" + audit? ( sys-process/audit[static-libs(+)] ) + ldns? ( + net-libs/ldns[static-libs(+)] + net-libs/ldns[ecdsa(+),ssl(+)] + ) + libedit? ( dev-libs/libedit:=[static-libs(+)] ) + sctp? ( net-misc/lksctp-tools[static-libs(+)] ) + security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] ) + selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) + ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] ) + virtual/libcrypt:=[static-libs(+)] + >=sys-libs/zlib-1.2.3:=[static-libs(+)] +" +RDEPEND=" + acct-group/sshd + acct-user/sshd + !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) + pam? ( sys-libs/pam ) + kerberos? ( virtual/krb5 ) +" +DEPEND="${RDEPEND} + virtual/os-headers + kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) ) + static? ( ${LIB_DEPEND} ) +" +RDEPEND="${RDEPEND} + pam? ( >=sys-auth/pambase-20081028 ) + userland_GNU? ( !prefix? ( sys-apps/shadow ) ) + X? ( x11-apps/xauth ) +" +BDEPEND=" + virtual/pkgconfig + sys-devel/autoconf +" + +pkg_pretend() { + # this sucks, but i'd rather have people unable to `emerge -u openssh` + # than not be able to log in to their server any more + local missing=() + check_feature() { use "${1}" && [[ -z ${!2} ]] && missing+=( "${1}" ); } + check_feature hpn HPN_VER + check_feature sctp SCTP_PATCH + check_feature X509 X509_PATCH + if [[ ${#missing[@]} -ne 0 ]] ; then + eerror "Sorry, but this version does not yet support features" + eerror "that you requested: ${missing[*]}" + eerror "Please mask ${PF} for now and check back later:" + eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" + die "Missing requested third party patch." + fi + + # Make sure people who are using tcp wrappers are notified of its removal. #531156 + if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then + ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" + ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please." + fi +} + +src_prepare() { + sed -i \ + -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ + pathnames.h || die + + # don't break .ssh/authorized_keys2 for fun + sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die + + eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch + eapply "${FILESDIR}"/${PN}-8.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex + eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch + eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch + eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch + eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch + + [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches + + local PATCHSET_VERSION_MACROS=() + + if use X509 ; then + pushd "${WORKDIR}" &>/dev/null || die + eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch" + popd &>/dev/null || die + + eapply "${WORKDIR}"/${X509_PATCH%.*} + + # We need to patch package version or any X.509 sshd will reject our ssh client + # with "userauth_pubkey: could not parse key: string is too large [preauth]" + # error + einfo "Patching package version for X.509 patch set ..." + sed -i \ + -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \ + "${S}"/configure.ac || die "Failed to patch package version for X.509 patch" + + einfo "Patching version.h to expose X.509 patch set ..." + sed -i \ + -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \ + "${S}"/version.h || die "Failed to sed-in X.509 patch version" + PATCHSET_VERSION_MACROS+=( 'SSH_X509' ) + fi + + if use sctp ; then + eapply "${WORKDIR}"/${SCTP_PATCH%.*} + + einfo "Patching version.h to expose SCTP patch set ..." + sed -i \ + -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \ + "${S}"/version.h || die "Failed to sed-in SCTP patch version" + PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' ) + + einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..." + sed -i \ + -e "/\t\tcfgparse \\\/d" \ + "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch" + fi + + if use hpn ; then + local hpn_patchdir="${T}/${P}-hpn${HPN_VER}" + mkdir "${hpn_patchdir}" || die + cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die + pushd "${hpn_patchdir}" &>/dev/null || die + eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-glue.patch + use X509 && eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-X509-glue.patch + use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch + popd &>/dev/null || die + + eapply "${hpn_patchdir}" + + use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch" + + einfo "Patching Makefile.in for HPN patch set ..." + sed -i \ + -e "/^LIBS=/ s/\$/ -lpthread/" \ + "${S}"/Makefile.in || die "Failed to patch Makefile.in" + + einfo "Patching version.h to expose HPN patch set ..." + sed -i \ + -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \ + "${S}"/version.h || die "Failed to sed-in HPN patch version" + PATCHSET_VERSION_MACROS+=( 'SSH_HPN' ) + + if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then + einfo "Disabling known non-working MT AES cipher per default ..." + + cat > "${T}"/disable_mtaes.conf <<- EOF + + # HPN's Multi-Threaded AES CTR cipher is currently known to be broken + # and therefore disabled per default. + DisableMTAES yes + EOF + sed -i \ + -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \ + "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config" + + sed -i \ + -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \ + "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config" + fi + fi + + if use X509 || use sctp || use hpn ; then + einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..." + sed -i \ + -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ + "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)" + + einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..." + sed -i \ + -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ + "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)" + + einfo "Patching version.h to add our patch sets to SSH_RELEASE ..." + sed -i \ + -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \ + "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)" + fi + + sed -i \ + -e "/#UseLogin no/d" \ + "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)" + + eapply_user #473004 + + # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox + sed -e '/\t\tpercent \\/ d' \ + -i regress/Makefile || die + + tc-export PKG_CONFIG + local sed_args=( + -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" + # Disable PATH reset, trust what portage gives us #254615 + -e 's:^PATH=/:#PATH=/:' + # Disable fortify flags ... our gcc does this for us + -e 's:-D_FORTIFY_SOURCE=2::' + ) + + # The -ftrapv flag ICEs on hppa #505182 + use hppa && sed_args+=( + -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' + -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' + ) + # _XOPEN_SOURCE causes header conflicts on Solaris + [[ ${CHOST} == *-solaris* ]] && sed_args+=( + -e 's/-D_XOPEN_SOURCE//' + ) + sed -i "${sed_args[@]}" configure{.ac,} || die + + eautoreconf +} + +src_configure() { + addwrite /dev/ptmx + + use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG + use static && append-ldflags -static + use xmss && append-cflags -DWITH_XMSS + + if [[ ${CHOST} == *-solaris* ]] ; then + # Solaris' glob.h doesn't have things like GLOB_TILDE, configure + # doesn't check for this, so force the replacement to be put in + # place + append-cppflags -DBROKEN_GLOB + fi + + # use replacement, RPF_ECHO_ON doesn't exist here + [[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no + + local myconf=( + --with-ldflags="${LDFLAGS}" + --disable-strip + --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run + --sysconfdir="${EPREFIX}"/etc/ssh + --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc + --datadir="${EPREFIX}"/usr/share/openssh + --with-privsep-path="${EPREFIX}"/var/empty + --with-privsep-user=sshd + $(use_with audit audit linux) + $(use_with kerberos kerberos5 "${EPREFIX}"/usr) + # We apply the sctp patch conditionally, so can't pass --without-sctp + # unconditionally else we get unknown flag warnings. + $(use sctp && use_with sctp) + $(use_with ldns ldns "${EPREFIX}"/usr) + $(use_with libedit) + $(use_with pam) + $(use_with pie) + $(use_with selinux) + $(usex X509 '' "$(use_with security-key security-key-builtin)") + $(use_with ssl openssl) + $(use_with ssl md5-passwords) + $(use_with ssl ssl-engine) + $(use_with !elibc_Cygwin hardening) #659210 + ) + + if use elibc_musl; then + # musl defines bogus values for UTMP_FILE and WTMP_FILE + # https://bugs.gentoo.org/753230 + myconf+=( --disable-utmp --disable-wtmp ) + fi + + # The seccomp sandbox is broken on x32, so use the older method for now. #553748 + use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit ) + + econf "${myconf[@]}" +} + +src_test() { + local tests=( compat-tests ) + local shell=$(egetshell "${UID}") + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then + ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" + ewarn "user, so we will run a subset only." + tests+=( interop-tests ) + else + tests+=( tests ) + fi + + local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1 + mkdir -p "${HOME}"/.ssh || die + emake -j1 "${tests[@]}" > "${ED}"/etc/ssh/sshd_config + + # Allow client to pass locale environment variables. #367017 + AcceptEnv ${locale_vars[*]} + + # Allow client to pass COLORTERM to match TERM. #658540 + AcceptEnv COLORTERM + EOF + + # Then the client config. + cat <<-EOF >> "${ED}"/etc/ssh/ssh_config + + # Send locale environment variables. #367017 + SendEnv ${locale_vars[*]} + + # Send COLORTERM to match TERM. #658540 + SendEnv COLORTERM + EOF + + if use pam ; then + sed -i \ + -e "/^#UsePAM /s:.*:UsePAM yes:" \ + -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ + -e "/^#PrintMotd /s:.*:PrintMotd no:" \ + -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ + "${ED}"/etc/ssh/sshd_config || die + fi + + if use livecd ; then + sed -i \ + -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \ + "${ED}"/etc/ssh/sshd_config || die + fi +} + +src_install() { + emake install-nokeys DESTDIR="${D}" + fperms 600 /etc/ssh/sshd_config + dobin contrib/ssh-copy-id + newinitd "${FILESDIR}"/sshd-r1.initd sshd + newconfd "${FILESDIR}"/sshd-r1.confd sshd + + if use pam; then + newpamd "${FILESDIR}"/sshd.pam_include.2 sshd + fi + + tweak_ssh_configs + + doman contrib/ssh-copy-id.1 + dodoc CREDITS OVERVIEW README* TODO sshd_config + use hpn && dodoc HPN-README + use X509 || dodoc ChangeLog + + diropts -m 0700 + dodir /etc/skel/.ssh + + # https://bugs.gentoo.org/733802 + if ! use scp; then + rm -f "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \ + || die "failed to remove scp" + fi + + rmdir "${ED}"/var/empty || die + + systemd_dounit "${FILESDIR}"/sshd.{service,socket} + systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' +} + +pkg_preinst() { + if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then + show_ssl_warning=1 + fi +} + +pkg_postinst() { + local old_ver + for old_ver in ${REPLACING_VERSIONS}; do + if ver_test "${old_ver}" -lt "5.8_p1"; then + elog "Starting with openssh-5.8p1, the server will default to a newer key" + elog "algorithm (ECDSA). You are encouraged to manually update your stored" + elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." + fi + if ver_test "${old_ver}" -lt "7.0_p1"; then + elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." + elog "Make sure to update any configs that you might have. Note that xinetd might" + elog "be an alternative for you as it supports USE=tcpd." + fi + if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518 + elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" + elog "weak sizes. If you rely on these key types, you can re-enable the key types by" + elog "adding to your sshd_config or ~/.ssh/config files:" + elog " PubkeyAcceptedKeyTypes=+ssh-dss" + elog "You should however generate new keys using rsa or ed25519." + + elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" + elog "to 'prohibit-password'. That means password auth for root users no longer works" + elog "out of the box. If you need this, please update your sshd_config explicitly." + fi + if ver_test "${old_ver}" -lt "7.6_p1"; then + elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely." + elog "Furthermore, rsa keys with less than 1024 bits will be refused." + fi + if ver_test "${old_ver}" -lt "7.7_p1"; then + elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality." + elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option" + elog "if you need to authenticate against LDAP." + elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details." + fi + if ver_test "${old_ver}" -lt "8.2_p1"; then + ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you" + ewarn "will not be able to establish new sessions. Restarting sshd over a ssh" + ewarn "connection is generally safe." + fi + done + + if [[ -n ${show_ssl_warning} ]]; then + elog "Be aware that by disabling openssl support in openssh, the server and clients" + elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" + elog "and update all clients/servers that utilize them." + fi + + if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then + elog "" + elog "HPN's multi-threaded AES CTR cipher is currently known to be broken" + elog "and therefore disabled at runtime per default." + elog "Make sure your sshd_config is up to date and contains" + elog "" + elog " DisableMTAES yes" + elog "" + elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher." + elog "" + fi +} -- cgit v1.2.3