From 29aabba0ea759c6a2864ff5631735b67ee38e5e0 Mon Sep 17 00:00:00 2001 From: V3n3RiX Date: Wed, 5 Feb 2020 18:44:56 +0000 Subject: gentoo resync : 05.02.2020 --- net-misc/openssh/Manifest | 18 +- .../files/openssh-8.0_p1-hpn-14.20-X509-glue.patch | 111 +++++ .../files/openssh-8.1_p1-hpn-14.20-glue.patch | 105 +++++ .../files/openssh-8.1_p1-hpn-14.20-sctp-glue.patch | 19 + .../openssh/files/openssh-8.1_p1-tests-2020.patch | 26 ++ net-misc/openssh/openssh-7.5_p1-r4.ebuild | 2 +- net-misc/openssh/openssh-7.7_p1-r9.ebuild | 2 +- net-misc/openssh/openssh-7.9_p1-r4.ebuild | 2 +- net-misc/openssh/openssh-8.0_p1-r4.ebuild | 14 +- net-misc/openssh/openssh-8.1_p1-r1.ebuild | 463 -------------------- net-misc/openssh/openssh-8.1_p1-r2.ebuild | 467 +++++++++++++++++++++ 11 files changed, 750 insertions(+), 479 deletions(-) create mode 100644 net-misc/openssh/files/openssh-8.0_p1-hpn-14.20-X509-glue.patch create mode 100644 net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-glue.patch create mode 100644 net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-sctp-glue.patch create mode 100644 net-misc/openssh/files/openssh-8.1_p1-tests-2020.patch delete mode 100644 net-misc/openssh/openssh-8.1_p1-r1.ebuild create mode 100644 net-misc/openssh/openssh-8.1_p1-r2.ebuild (limited to 'net-misc/openssh') diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest index 240d82c54116..d2924d77238a 100644 --- a/net-misc/openssh/Manifest +++ b/net-misc/openssh/Manifest @@ -25,6 +25,7 @@ AUX openssh-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch 977 BL AUX openssh-8.0_p1-fix-an-unreachable-integer-overflow-similar-to-the-XMSS-case.patch 2696 BLAKE2B 86bac20233102c5beefb3a79e2da8c5421d47d1c175e9e602f14c127e1bf7ec67e193620461ebd7a835bae556dbf9db904c3f63bbd3283a04dac444f34a3eab8 SHA512 f951cdc664088a124754fe963bb6abc659264183a3c773d61243bb12ca87f7554422d9acabb86c6390fe0e088fee60cc3129ad85e336ebf84f5c126d61d1fa3f AUX openssh-8.0_p1-fix-integer-overflow-in-XMSS-private-key-parsing.patch 506 BLAKE2B d4e88cc9553c6e2708447edd3ceeeea4f6c967893f34cad6c5fc980ee46895b64b58c5b8d271b7363e7144d34e05fd1e9519e01a9bb05d7c2cc5a9613b2b096c SHA512 cae5a9f5c46a2c70be4284bc050b69dab347181397a9e34c0c2ee5a470992070a2b8359ade42ce6840b5ff6311d3b0026bf6d548e944662c481a74456737a095 AUX openssh-8.0_p1-fix-putty-tests.patch 1760 BLAKE2B a1127e8f2275c1e23c956b5041dbc84dbdb2cd6b788fc69bfc1f6b030afe86a827483602ce76577b4101ee2e790b1cfa8c1d2db09da59b89fe7df8083bf4695f SHA512 f544d818bdde628131f1819bf2ffb4007802ee5bf12c5cd5bd398efe0f0f430ed6b3efa7969cb2c4fa49a2bbd773d8fa09f4c927cf998a564b7611443437c310 +AUX openssh-8.0_p1-hpn-14.20-X509-glue.patch 4063 BLAKE2B 30a9b4df889a2ae46b7b0a4f5ab963b9258ed918756e4b05f465af2664b5ec9d149ab496b05ee2a221ffc28c84ce26ff6c3e0bb8da4c59338616c992e1412fb0 SHA512 ed2102af78a4f10dc7ae56edeb3dd94690ba4df5803ec7d68fff76226f54eca5c023d6d87735ed7f33131a0fd0c382a5503d767e91e812bfc1f5f590cf213f34 AUX openssh-8.0_p1-hpn-X509-glue.patch 3814 BLAKE2B 9a0071d13bb602f9b0660dd74d0ae59611a0d8b8c13fab7def2ea840d1ea42bb4c0999ef44e86db2e8246c6e803797a70f9b18016da491598991052854659c03 SHA512 a986c012aa58a4764d3c4c4a5bf5d1e69edb156adf18d7e9ccae0508879da8b3e92a884d6dcfa80ec5b02d41e7784d8eb500128925ae5cee0ca948cf6bf50ba2 AUX openssh-8.0_p1-hpn-glue.patch 7029 BLAKE2B cf6fb2c59b768aecf846f0d037ae6d48f750e742f93cdd00a62caf04dfafd993e05921f5d227014e9437d3cdfff4e1b9baa832997904bf398ba06e8f874f7ceb SHA512 63eb0b12763ab53946a9f6b9db44c428d9da8b781a6e1d3f5c4b0edfca85d986cf932461205cee84f9a9db7725c9e05eb1d366b357c787a95c561bdc6514d3d7 AUX openssh-8.0_p1-hpn-version.patch 590 BLAKE2B 1ff20ab17e7e1a20f7a96ded56ff7c059fd509d7773d9abaeac83743102385d9713284c630dc932d40672a9bfc8a894b57c6b073e93a7b024de7490ea54a589c SHA512 37250881f17a44e4a4b0ac164d06961e0731528847d5cbbb263e3f9a286a192c8dae92250b85db3f2e1f280a464c7b3bfc8a7c9e85552375c013e16a6fcf28ed @@ -32,7 +33,10 @@ AUX openssh-8.0_p1-tests.patch 1493 BLAKE2B 2e28d9f27d6d9f7e1716cf5f85bbb92af96f AUX openssh-8.1_p1-GSSAPI-dns.patch 11639 BLAKE2B 2bc9e618c0acbf6b85496a33055894471235d01f20b76c9b75302dce58c7d6033984c8471789d2f8095d6231f5f271a4eb2f6099936b1631ec261464bc7a3ada SHA512 722a769da482876f0629e110109f02065e47848ff79395e9e64de39ae066d8c5a207f849c59d95b72e70b874f4bedf4e52a2f7ad1752d9c84b99ccdbfa19c73d AUX openssh-8.1_p1-X509-12.3-tests.patch 405 BLAKE2B 1a1c29fea98c4ce277c943709576b5130a573e9786a33c957229d74d0e572ca6e5d0dce68b5b515b5c3f44862f1f4dafe2dad1cd3d3710ca415137f8a4013b86 SHA512 0e80b79d3aa8b7e89cf250b31e6bbc2471990b9a2c0ab8b54e6af4c3de77adff3dc6db83f4f14524f830455b5ce4d586f630d33b4ac4b134d1028e325ab351b3 AUX openssh-8.1_p1-X509-glue-12.3.patch 1613 BLAKE2B aef1de72da18a2af0fae1793eed5baa1be2af9f26a522e6772f43f1053d263f154db76cf0ebe3ddebbfd9798ffb334100ce5eb3894ad3095b1cd48d1ef5b9839 SHA512 e533175bcabd1ddbb50c6cc605cba0190d2cde24149d5451a807cdc05847fa95a2b72188bc23866876e8ec88073df8039e0e85e703560e90f53a92df6f616572 +AUX openssh-8.1_p1-hpn-14.20-glue.patch 3534 BLAKE2B 13206d78b0e344d4d90aad3f9aa4396cbe270f1004108f52e1b23fc4b106e01f94bdc6e198a42c0bfc9d885408caea890e72f2bd58df893f94dea4452ab11c00 SHA512 ab589f6d9eada3313b87e8e35aa4e3946cd057412336914c90f6266dafb997062f7b8be4ac475e66a8df896f9fb3004f0df6a4f69dc85c468bcb1f4778326f96 +AUX openssh-8.1_p1-hpn-14.20-sctp-glue.patch 737 BLAKE2B b8f93cb197206eb4315c66350ce3e943cd5f1280b5294099320cbc4a611de2a23f5a5c04ed71a394e1bd23a0928df50d754f549d652e53389ceadda2ac9f1636 SHA512 96fa9a317d9cc0a77bf5a8d82d8fa0498fff04309bc4ae546b34939580c4ed945d075f26d8ea16e787d7bf631ea5067543f380ab08167993d713ec1591a346b9 AUX openssh-8.1_p1-hpn-glue.patch 7830 BLAKE2B 81c239f57d252b3a9bb1c7aed56ac67196ad11a316163db0cf6d4c75d73db1cbae038707ec788c5101f40ebf455257fa2cd1b9d7facab1081b5b856317543dd7 SHA512 2cf4e5da60e30932619c6915295b1659f53db3e784e87fcbbd25b8d167df8e29a1712235413bb2d485956494111aa682d086f9b5a36c3f55a286d40599df8b8c +AUX openssh-8.1_p1-tests-2020.patch 1332 BLAKE2B a400f6859a5d096729c9cb6047dce8612da7fe5f8d06cc891cfb6a4c88b568be3dfc7872d5be78ef349798f501828e1505bbd5ebd49d548dbbdc6bbf987dc843 SHA512 8f4c535d3ab15e4c761f6f5d4efe762ec2bc9b5de49ee369ce9186fe40095d2065418249c89161a8ef53e893079264fd9c95b73cd74937b08fa9f563a4f00290 AUX sshd-r1.confd 774 BLAKE2B df3f3f28cb4d35b49851399b52408c42e242ae3168ff3fc79add211903567da370cfe86a267932ca9cf13c3afbc38a8f1b53e753a31670ee61bf8ba8747832f8 SHA512 3a69752592126024319a95f1c1747af508fd639c86eca472106c5d6c23d5eeaa441ca74740d4b1aafaa0db759d38879e3c1cee742b08d6166ebc58cddac1e2fe AUX sshd-r1.initd 2675 BLAKE2B 47e87cec2d15b90aae362ce0c8e8ba08dada9ebc244e28be1fe67d24deb00675d3d9b8fef40def8a9224a3e2d15ab717574a3d837e099133c1cf013079588b55 SHA512 257d6437162b76c4a3a648ecc5d4739ca7eaa60b192fde91422c6c05d0de6adfa9635adc24d57dc3da6beb92b1b354ffe8fddad3db453efb610195d5509a4e27 AUX sshd.confd 396 BLAKE2B 2fc146e83512d729e120cfe331441e8fe27eba804906cc0c463b938ddaf052e7392efbcda6699467afde22652c599e7d55b0ce18a344137263cd78647fea255f SHA512 b9ae816af54a55e134a9307e376f05367b815f1b3fd545c2a2c312d18aedcf907f413e8bad8db980cdd9aad4011a72a79e1e94594f69500939a9cb46287f2f81 @@ -60,13 +64,17 @@ DIST openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 43356 BLAKE2B 776fa140d64a16 DIST openssh-8.0p1+x509-12.1-gentoo.diff.gz 680853 BLAKE2B b24ee61d6328bf2de8384d6ecbfc5ae0be4719a3c7a2d714be3a144d327bba5038e7e36ffcc313af2a8a94960ce1f56387654d2d21920af51826af61957aa4cc SHA512 178728139473b277fe50a03f37be50b3f8e539cea8f5937ddfe710082944e799d845cdb5994f585c13564c4a89b80ccf75e87753102aebacdb4c590f0b8a1482 DIST openssh-8.0p1-sctp-1.2.patch.xz 7348 BLAKE2B bc3d3815f1ef5dbab605b93182a00c2fec258f49d56684defb6564d2b60886429c615a7ab076cc071a590f9df0908b1862ceb0961b7e6f6d1090237fec9035d3 SHA512 2f9f774286db75d0240e6fb01655a8a193fb2a5dc4596ad68ed22d64f97c9c46dad61a06478f2e972fd37cbad4d9aca5829bb91097cc56638601ff94a972b24f DIST openssh-8.0p1.tar.gz 1597697 BLAKE2B 5ba79872eabb3b3964d95a8cdd690bfe0323f018d7f944d4e1acb52576c9f6d7a1ddac15e88dc42eac6ecbfabfad1c228e303a2262588769e307c38107a4cd54 SHA512 e280fa2d56f550efd37c5d2477670326261aa8b94d991f9eb17aad90e0c6c9c939efa90fe87d33260d0f709485cb05c379f0fd1bd44fc0d5190298b6398c9982 +DIST openssh-8.1_p1-glibc-2.31-patches.tar.xz 1752 BLAKE2B ccab53069c0058be7ba787281f5a1775d169a9dcda6f78742eb8cb3cce4ebe3a4c506c75a8ac142700669cf04b7475e35f6a06a4499d3d076e4e88e4fc59f3e6 SHA512 270d532fc7f4ec10c5ee56677f8280dec47a96e73f8032713b212cfad64a58ef142a7f49b7981dca80cbf0dd99753ef7a93b6af164cad9492fa224d546c27f14 DIST openssh-8.1p1+x509-12.3.diff.gz 689934 BLAKE2B 57a302a25bec1d630b9c36f74ab490e11c97f9bcbaf8f527e46ae7fd5bade19feb3d8853079870b5c08b70a55e289cf4bf7981c11983973fa588841aeb21e650 SHA512 8d7c321423940f5a78a51a25ad5373f5db17a4a8ca7e85041e503998e0823ad22068bc652e907e9f5787858d45ce438a4bba18240fa72e088eb10b903e96b192 DIST openssh-8.1p1-sctp-1.2.patch.xz 7672 BLAKE2B f1aa0713fcb114d8774bd8d524d106401a9d7c2c73a05fbde200ccbdd2562b3636ddd2d0bc3eae9f04b4d7c729c3dafd814ae8c530a76c4a0190fae71d1edcd2 SHA512 2bffab0bbae5a4c1875e0cc229bfd83d8565bd831309158cd489d8b877556c69b936243888a181bd9ff302e19f2c174156781574294d260b6384c464d003d566 DIST openssh-8.1p1.tar.gz 1625894 BLAKE2B d525be921a6f49420a58df5ac434d43a0c85e0f6bf8428ecebf04117c50f473185933e6e4485e506ac614f71887a513b9962d7b47969ba785da8e3a38f767322 SHA512 b987ea4ffd4ab0c94110723860273b06ed8ffb4d21cbd99ca144a4722dc55f4bf86f6253d500386b6bee7af50f066e2aa2dd095d50746509a10e11221d39d925 +DIST openssh-8_1_P1-hpn-AES-CTR-14.20.diff 29935 BLAKE2B 79101c43601e41306c957481c0680a63357d93bededdf12a32229d50acd9c1f46a386cbb91282e9e7d7bb26a9f276f5a675fd2de7662b7cbd073322b172d3bca SHA512 94f011b7e654630e968a378375aa54fa1fde087b4426d0f2225813262e6667a1073814d6a83e9005f97b371c536e462e614bfe726b092ffed8229791592ca221 +DIST openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 42696 BLAKE2B d8ac7fa1a4e4d1877acdedeaee80172da469b5a62d0aaa43d6ed46c578e7893577b9d563835d89ca2044867fc561ad3f562bf504c025cf4c78421cf3d24397e9 SHA512 768db7cca8839df4441afcb08457d13d32625b31859da527c3d7f1a92d17a4ec81d6987db00879c394bbe59589e57b10bfd98899a167ffed65ab367b1fd08739 +DIST openssh-8_1_P1-hpn-PeakTput-14.20.diff 2012 BLAKE2B e42c43128f1d82b4de1517e6a9219947da03cecb607f1bc45f0728547f17601a6ce2ec819b6434890efd19ceaf4d20cb98183596ab5ee79e104a52cda7db9cdc SHA512 238f9419efd3be80bd700f6ae7e210e522d747c363c4e670364f5191f144ae3aa8d1b1539c0bf87b3de36743aa73e8101c53c0ef1c6472d209569be389e7814d DIST openssh-lpk-7.5p1-0.3.14.patch.xz 17040 BLAKE2B 5b2204316dd244bb8dd11db50d5bc3a194e2cc4b64964a2d3df68bbe54c53588f15fc5176dbc3811e929573fa3e41cf91f412aa2513bb9a4b6ed02c2523c1e24 SHA512 9ce5d7e5d831c972f0f866b686bf93a048a03979ab38627973f5491eeeaa45f9faab0520b3a7ed90a13a67213fdc9cd4cf11e423acad441ea91b71037c8b435b -EBUILD openssh-7.5_p1-r4.ebuild 11164 BLAKE2B d22a97f92b786ef366c84a631d7c7d99472e0897dabd42ca5125b011b2039baacecabb86747a78c4ce80cea5e19403ba94167ff08104990cf70b2625ffa1ea41 SHA512 274ebe0cf4d6e3b73ad4f62852d862bebff271175086857dacad252093924a7400b969f35fccc4d07ac90de6597e19a112f79f7216371be70bf5f76021109af8 -EBUILD openssh-7.7_p1-r9.ebuild 15919 BLAKE2B be6c6ac296d5332805d9a90c72a23598d17ca02212f2309bbb9dbff5c0374a6ef1c7d346fdd365afc0b0b853c5744c98f2db0d66347313a173aad4942abefc23 SHA512 36357ad30be27388decd08db6ae580984363b4c98c53cb634e5164b2924887cac4d19ea941f686b2290f8ff93db8c4f506fb2f76b24a1790364677ef851f6ce3 -EBUILD openssh-7.9_p1-r4.ebuild 16293 BLAKE2B 1f96b90873bed0b45da2ba26c3b1b9fb170598e6f6bc3090b8edfc7274185291f7e351a0e945e1a04ccb4e2c8fde18ba50f7bf7cd145a98721092a7608991875 SHA512 ee4fc5f36febc96c188d30d2d46b6d14c3d80178c2801802160ffbbce2d019ba6e26f26ae41e752748dc6999e676a4b2dae9e27ab7a42500c3c386f578bc24e7 -EBUILD openssh-8.0_p1-r4.ebuild 16661 BLAKE2B 7b58c80723df0c0c8c7b2a0724b6cb7549211cd618b54bba53e769af0f29c4c887e454a29e06a9e95b30ccc23156e9cfbfc63801df3a224126c296ac43d1f277 SHA512 3d5fe15f2ae2dda9c9b42d153a4fb9efcd553a79b0c136c51f8ee5770679334580ecc062aba8c01119fe4795669b76284f1a051d58797284e0de1c0e1f296c7e -EBUILD openssh-8.1_p1-r1.ebuild 16292 BLAKE2B 08b5a318e7f161e329416e208d9611ad2fdd438e7d0ed5c20997005be346fc59895795a62e9d5c9d6390fc147ba9382c0b8b15b31a6cc26e3d01317cdff55844 SHA512 0da71560098f9747b061f90b0d1536cb2cd420c178eaa3ae26a272fcbb46562ed3ccc58a6922acbf4b201ecb855b7889de9accee9a68d89406edc9d06de2d553 +EBUILD openssh-7.5_p1-r4.ebuild 11165 BLAKE2B a2ec84eee8d85fcde9f1f31dd1093aacbe24fe121ee234067aa196a9e1a9399cf397396cadbc6cbd2e5b004e505ac76a67dfacf8820b4c61fc74af7932b961b3 SHA512 1023740690ecab734bc7671b65a68defccff626b9da0ef0580c45fb6d30de681d05b555bb0d74cb342aa3873f11d2ac5c6a444041f13c80b508412a7b4fcac4c +EBUILD openssh-7.7_p1-r9.ebuild 15920 BLAKE2B 421e98245cc89bb1c482a0ec3c5d35448e222430c0b1b258cfd0a7902543d1307b328e541c5418d533936c948fc67b1ece4ad9f4b48bced7f3c6061abe032f25 SHA512 4ab2bcd5bdf5ae7f5a5561c4964d3173b6f52ad95426c8db7cfbbcf4150bfb6b05e3dd72dcdf62533de0d0ed0506fc040e87fbd4212357d213bc9158d37a9130 +EBUILD openssh-7.9_p1-r4.ebuild 16294 BLAKE2B 3b5d7d2cfd03d6d22996b45cfaa467b71fa779b612e1a304cc10493587e05426d9936ed86898c11de3f1ce8068bdf429a728b63947283293f3d0a2a5ab44d019 SHA512 7a8100d59db2382be08b90e031b0e5691e22f7f66033e7ffc46d4956f1465f3ff76fc08b643799a453817e8fd75d67b550e7c741d2bdad1d7b43f9733667863b +EBUILD openssh-8.0_p1-r4.ebuild 16667 BLAKE2B ba64a43648d8cef989c078019d8a0fb06386b646136adcd08f030771014bf05de142c95eade811b7e493f6e91d520894848174c4cf1508813a8cc32fdd109d22 SHA512 b6daa06fc03f190d82fbf3b762c1a698fa9a803fbcb375c460a38cc2cb42b2a5da5d4f76529db3390554c9af861c637d918095981b8b7cf10dacf886b1051db3 +EBUILD openssh-8.1_p1-r2.ebuild 16367 BLAKE2B 6fc69bfe00c80e45f20f096bc6931d6acc020d2b0ab3b7372cab48aab7576d376adfb8c7c0b79e7ec366a1d7cd89808026d4be6091084e896d53934911631f30 SHA512 022e9673db8e18c786afa06c08ef1f29eb0be1e4f5de0e24ff088142b3be71fcc00f5c6fd5a985065da35a829f168099bbd2dabb04ce54a1132ac36765802e93 MISC metadata.xml 2291 BLAKE2B 9e12fbae3c37a48c3b04876a7247bf38c33d6cc5be210b382e35e45c9318b3c3e7c91a0ef32a9fda96ac7a68a00f9d703aacfc1c1f23e59511ea97d159527488 SHA512 8605c7aa2e4594a04006b3abfac3fad359e3e44182be53116e25159b7419d4429176617c10b50354d0d10c2be26af550e9a2b6e4c7085906558a569dddf5c8f3 diff --git a/net-misc/openssh/files/openssh-8.0_p1-hpn-14.20-X509-glue.patch b/net-misc/openssh/files/openssh-8.0_p1-hpn-14.20-X509-glue.patch new file mode 100644 index 000000000000..167adfcaefb8 --- /dev/null +++ b/net-misc/openssh/files/openssh-8.0_p1-hpn-14.20-X509-glue.patch @@ -0,0 +1,111 @@ +diff -ur a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff +--- a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-02-04 15:49:15.746095444 -0800 ++++ b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-02-04 15:49:54.181853707 -0800 +@@ -4,8 +4,8 @@ + +++ b/Makefile.in + @@ -42,7 +42,7 @@ CC=@CC@ + LD=@LD@ +- CFLAGS=@CFLAGS@ +- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ ++ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA) ++ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ + -LIBS=@LIBS@ + +LIBS=@LIBS@ -lpthread + K5LIBS=@K5LIBS@ +@@ -803,8 +803,8 @@ + ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out) + { + struct session_state *state; +-- const struct sshcipher *none = cipher_by_name("none"); +-+ struct sshcipher *none = cipher_by_name("none"); ++- const struct sshcipher *none = cipher_none(); +++ struct sshcipher *none = cipher_none(); + int r; + + if (none == NULL) { +@@ -948,9 +948,9 @@ + /* Portable-specific options */ + sUsePAM, + + sDisableMTAES, +- /* Standard Options */ +- sPort, sHostKeyFile, sLoginGraceTime, +- sPermitRootLogin, sLogFacility, sLogLevel, ++ /* X.509 Standard Options */ ++ sHostbasedAlgorithms, ++ sPubkeyAlgorithms, + @@ -643,6 +647,7 @@ static struct { + { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, + { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, +diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff +--- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 15:41:42.512910357 -0800 ++++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 15:56:40.323299499 -0800 +@@ -382,7 +382,7 @@ + @@ -884,6 +884,10 @@ kex_choose_conf(struct ssh *ssh) + int nenc, nmac, ncomp; + u_int mode, ctos, need, dh_need, authlen; +- int r, first_kex_follows; ++ int r, first_kex_follows = 0; + + int auth_flag; + + + + auth_flag = packet_authentication_state(ssh); +@@ -391,8 +391,8 @@ + debug2("local %s KEXINIT proposal", kex->server ? "server" : "client"); + if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0) + @@ -954,6 +958,14 @@ kex_choose_conf(struct ssh *ssh) +- peer[ncomp] = NULL; +- goto out; ++ else ++ fatal("Pre-authentication none cipher requests are not allowed."); + } + + debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name); + + if (strcmp(newkeys->enc.name, "none") == 0) { +@@ -1169,15 +1169,3 @@ + # Example of overriding settings on a per-user basis + #Match User anoncvs + # X11Forwarding no +-diff --git a/version.h b/version.h +-index 6b3fadf8..ec1d2e27 100644 +---- a/version.h +-+++ b/version.h +-@@ -3,4 +3,6 @@ +- #define SSH_VERSION "OpenSSH_8.1" +- +- #define SSH_PORTABLE "p1" +--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE +-+#define SSH_HPN "-hpn14v20" +-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN +-+ +diff -ur a/openssh-8_1_P1-hpn-PeakTput-14.20.diff b/openssh-8_1_P1-hpn-PeakTput-14.20.diff +--- a/openssh-8_1_P1-hpn-PeakTput-14.20.diff 2020-02-04 15:41:42.512910357 -0800 ++++ b/openssh-8_1_P1-hpn-PeakTput-14.20.diff 2020-02-04 16:02:42.203023609 -0800 +@@ -12,9 +12,9 @@ + static long stalled; /* how long we have been stalled */ + static int bytes_per_second; /* current speed in bytes per second */ + @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update) ++ off_t bytes_left; + int cur_speed; +- int hours, minutes, seconds; +- int file_len; ++ int len; + + off_t delta_pos; + + if ((!force_update && !alarm_fired && !win_resized) || !can_output()) +@@ -33,12 +33,12 @@ + @@ -166,7 +173,7 @@ refresh_progress_meter(int force_update) + + /* filename */ +- buf[0] = '\0'; +-- file_len = win_size - 36; +-+ file_len = win_size - 45; +- if (file_len > 0) { +- buf[0] = '\r'; +- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s", ++ if (win_size > 36) { ++- int file_len = win_size - 36; +++ int file_len = win_size - 45; ++ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ", ++ file_len, file); ++ } + @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update) + (off_t)bytes_per_second); + strlcat(buf, "/s ", win_size); diff --git a/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-glue.patch b/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-glue.patch new file mode 100644 index 000000000000..90fa248fcbac --- /dev/null +++ b/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-glue.patch @@ -0,0 +1,105 @@ +diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff +--- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 14:55:30.408567718 -0800 ++++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 15:16:14.646567224 -0800 +@@ -409,18 +409,10 @@ + index 817da43b..b2bcf78f 100644 + --- a/packet.c + +++ b/packet.c +-@@ -925,6 +925,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode) ++@@ -925,6 +925,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode) + return 0; + } + +-+/* this supports the forced rekeying required for the NONE cipher */ +-+int rekey_requested = 0; +-+void +-+packet_request_rekeying(void) +-+{ +-+ rekey_requested = 1; +-+} +-+ + +/* used to determine if pre or post auth when rekeying for aes-ctr + + * and none cipher switch */ + +int +@@ -434,20 +426,6 @@ + #define MAX_PACKETS (1U<<31) + static int + ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) +-@@ -951,6 +969,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) +- if (state->p_send.packets == 0 && state->p_read.packets == 0) +- return 0; +- +-+ /* used to force rekeying when called for by the none +-+ * cipher switch methods -cjr */ +-+ if (rekey_requested == 1) { +-+ rekey_requested = 0; +-+ return 1; +-+ } +-+ +- /* Time-based rekeying */ +- if (state->rekey_interval != 0 && +- (int64_t)state->rekey_time + state->rekey_interval <= monotime()) + diff --git a/packet.h b/packet.h + index 8ccfd2e0..1ad9bc06 100644 + --- a/packet.h +@@ -476,9 +454,9 @@ + /* Format of the configuration file: + + @@ -167,6 +168,8 @@ typedef enum { +- oHashKnownHosts, + oTunnel, oTunnelDevice, + oLocalCommand, oPermitLocalCommand, oRemoteCommand, ++ oDisableMTAES, + + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize, + + oNoneEnabled, oNoneSwitch, + oVisualHostKey, +@@ -615,9 +593,9 @@ + int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */ + SyslogFacility log_facility; /* Facility for system logging. */ + @@ -112,7 +116,10 @@ typedef struct { +- + int enable_ssh_keysign; + int64_t rekey_limit; ++ int disable_multithreaded; /*disable multithreaded aes-ctr*/ + + int none_switch; /* Use none cipher */ + + int none_enabled; /* Allow none to be used */ + int rekey_interval; +@@ -700,9 +678,9 @@ + + options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT; + + } + + ++ if (options->disable_multithreaded == -1) ++ options->disable_multithreaded = 0; + if (options->ip_qos_interactive == -1) +- options->ip_qos_interactive = IPTOS_DSCP_AF21; +- if (options->ip_qos_bulk == -1) + @@ -486,6 +532,8 @@ typedef enum { + sPasswordAuthentication, sKbdInteractiveAuthentication, + sListenAddress, sAddressFamily, +@@ -1079,11 +1057,11 @@ + xxx_host = host; + xxx_hostaddr = hostaddr; + +-@@ -422,6 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, ++@@ -422,7 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, + + if (!authctxt.success) + fatal("Authentication failed."); +-+ ++ + + /* + + * If the user wants to use the none cipher, do it post authentication + + * and only if the right conditions are met -- both of the NONE commands +@@ -1105,9 +1083,9 @@ + + } + + } + + +- debug("Authentication succeeded (%s).", authctxt.method->name); +- } +- ++ #ifdef WITH_OPENSSL ++ if (options.disable_multithreaded == 0) { ++ /* if we are using aes-ctr there can be issues in either a fork or sandbox + diff --git a/sshd.c b/sshd.c + index 11571c01..23a06022 100644 + --- a/sshd.c diff --git a/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-sctp-glue.patch b/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-sctp-glue.patch new file mode 100644 index 000000000000..3f5c7a47d9c8 --- /dev/null +++ b/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-sctp-glue.patch @@ -0,0 +1,19 @@ +diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff +--- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 14:55:30.408567718 -0800 ++++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 16:36:51.394069720 -0800 +@@ -1191,15 +1191,3 @@ + # Example of overriding settings on a per-user basis + #Match User anoncvs + # X11Forwarding no +-diff --git a/version.h b/version.h +-index 6b3fadf8..ec1d2e27 100644 +---- a/version.h +-+++ b/version.h +-@@ -3,4 +3,6 @@ +- #define SSH_VERSION "OpenSSH_8.1" +- +- #define SSH_PORTABLE "p1" +--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE +-+#define SSH_HPN "-hpn14v20" +-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN +-+ diff --git a/net-misc/openssh/files/openssh-8.1_p1-tests-2020.patch b/net-misc/openssh/files/openssh-8.1_p1-tests-2020.patch new file mode 100644 index 000000000000..505e34db9d20 --- /dev/null +++ b/net-misc/openssh/files/openssh-8.1_p1-tests-2020.patch @@ -0,0 +1,26 @@ +diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh +index 86ea6250..844adabc 100644 +--- a/regress/cert-hostkey.sh ++++ b/regress/cert-hostkey.sh +@@ -252,7 +252,7 @@ test_one() { + test_one "user-certificate" failure "-n $HOSTS" + test_one "empty principals" success "-h" + test_one "wrong principals" failure "-h -n foo" +-test_one "cert not yet valid" failure "-h -V20200101:20300101" ++test_one "cert not yet valid" failure "-h -V20300101:20320101" + test_one "cert expired" failure "-h -V19800101:19900101" + test_one "cert valid interval" success "-h -V-1w:+2w" + test_one "cert has constraints" failure "-h -Oforce-command=false" +diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh +index 38c14a69..5cd02fc3 100644 +--- a/regress/cert-userkey.sh ++++ b/regress/cert-userkey.sh +@@ -338,7 +338,7 @@ test_one() { + test_one "correct principal" success "-n ${USER}" + test_one "host-certificate" failure "-n ${USER} -h" + test_one "wrong principals" failure "-n foo" +-test_one "cert not yet valid" failure "-n ${USER} -V20200101:20300101" ++test_one "cert not yet valid" failure "-n ${USER} -V20300101:20320101" + test_one "cert expired" failure "-n ${USER} -V19800101:19900101" + test_one "cert valid interval" success "-n ${USER} -V-1w:+2w" + test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8" diff --git a/net-misc/openssh/openssh-7.5_p1-r4.ebuild b/net-misc/openssh/openssh-7.5_p1-r4.ebuild index cebd6ad71ed6..184b30bcbdd7 100644 --- a/net-misc/openssh/openssh-7.5_p1-r4.ebuild +++ b/net-misc/openssh/openssh-7.5_p1-r4.ebuild @@ -25,7 +25,7 @@ SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz LICENSE="BSD GPL-2" SLOT="0" -KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +KEYWORDS="~alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" # Probably want to drop ssl defaulting to on in a future version. IUSE="abi_mips_n32 audit bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509" RESTRICT="!test? ( test )" diff --git a/net-misc/openssh/openssh-7.7_p1-r9.ebuild b/net-misc/openssh/openssh-7.7_p1-r9.ebuild index d949654c69e5..7851cc3b95e1 100644 --- a/net-misc/openssh/openssh-7.7_p1-r9.ebuild +++ b/net-misc/openssh/openssh-7.7_p1-r9.ebuild @@ -26,7 +26,7 @@ SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz LICENSE="BSD GPL-2" SLOT="0" -KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +KEYWORDS="~alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" # Probably want to drop ssl defaulting to on in a future version. IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux skey +ssl static test X X509" RESTRICT="!test? ( test )" diff --git a/net-misc/openssh/openssh-7.9_p1-r4.ebuild b/net-misc/openssh/openssh-7.9_p1-r4.ebuild index 6f95e59ac4ba..9064d66d9fbd 100644 --- a/net-misc/openssh/openssh-7.9_p1-r4.ebuild +++ b/net-misc/openssh/openssh-7.9_p1-r4.ebuild @@ -33,7 +33,7 @@ SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz LICENSE="BSD GPL-2" SLOT="0" -KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +KEYWORDS="~alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" # Probably want to drop ssl defaulting to on in a future version. IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509" RESTRICT="!test? ( test )" diff --git a/net-misc/openssh/openssh-8.0_p1-r4.ebuild b/net-misc/openssh/openssh-8.0_p1-r4.ebuild index 5393ca2b81d5..2acc872e9ccc 100644 --- a/net-misc/openssh/openssh-8.0_p1-r4.ebuild +++ b/net-misc/openssh/openssh-8.0_p1-r4.ebuild @@ -1,9 +1,9 @@ -# Copyright 1999-2019 Gentoo Authors +# Copyright 1999-2020 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=6 -inherit user eapi7-ver flag-o-matic multilib autotools pam systemd +inherit eapi7-ver flag-o-matic multilib autotools pam systemd # Make it more portable between straight releases # and _p? releases. @@ -32,7 +32,7 @@ SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz LICENSE="BSD GPL-2" SLOT="0" -KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 ~riscv s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +KEYWORDS="~alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 ~riscv s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" # Probably want to drop ssl defaulting to on in a future version. IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509 xmss" RESTRICT="!test? ( test )" @@ -67,6 +67,8 @@ LIB_DEPEND=" ) >=sys-libs/zlib-1.2.3:=[static-libs(+)]" RDEPEND=" + acct-group/sshd + acct-user/sshd !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) pam? ( sys-libs/pam ) kerberos? ( virtual/krb5 )" @@ -123,6 +125,7 @@ src_prepare() { eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch eapply "${FILESDIR}"/${PN}-8.0_p1-fix-integer-overflow-in-XMSS-private-key-parsing.patch eapply "${FILESDIR}"/${PN}-8.0_p1-fix-an-unreachable-integer-overflow-similar-to-the-XMSS-case.patch + eapply "${FILESDIR}"/${PN}-8.1_p1-tests-2020.patch use X509 || eapply "${FILESDIR}"/${PN}-8.0_p1-tests.patch [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches @@ -410,11 +413,6 @@ src_install() { systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' } -pkg_preinst() { - enewgroup sshd 22 - enewuser sshd 22 -1 /var/empty sshd -} - pkg_postinst() { if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then elog "Starting with openssh-5.8p1, the server will default to a newer key" diff --git a/net-misc/openssh/openssh-8.1_p1-r1.ebuild b/net-misc/openssh/openssh-8.1_p1-r1.ebuild deleted file mode 100644 index 2469a92fb870..000000000000 --- a/net-misc/openssh/openssh-8.1_p1-r1.ebuild +++ /dev/null @@ -1,463 +0,0 @@ -# Copyright 1999-2019 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=7 - -inherit user flag-o-matic multilib autotools pam systemd - -# Make it more portable between straight releases -# and _p? releases. -PARCH=${P/_} -#HPN_PV="${PV^^}" -HPN_PV="7.8_P1" - -HPN_VER="14.16" -HPN_PATCHES=( - ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff - ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff -) - -SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz" -X509_VER="12.3" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" - -PATCH_SET="openssh-7.9p1-patches-1.0" - -DESCRIPTION="Port of OpenBSD's free SSH release" -HOMEPAGE="https://www.openssh.com/" -SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz - ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )} - ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )} - ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} - " - -LICENSE="BSD GPL-2" -SLOT="0" -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" -# Probably want to drop ssl defaulting to on in a future version. -IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509 xmss" -RESTRICT="!test? ( test )" -REQUIRED_USE="ldns? ( ssl ) - pie? ( !static ) - static? ( !kerberos !pam ) - X509? ( !sctp ssl ) - test? ( ssl )" - -LIB_DEPEND=" - audit? ( sys-process/audit[static-libs(+)] ) - ldns? ( - net-libs/ldns[static-libs(+)] - !bindist? ( net-libs/ldns[ecdsa,ssl(+)] ) - bindist? ( net-libs/ldns[-ecdsa,ssl(+)] ) - ) - libedit? ( dev-libs/libedit:=[static-libs(+)] ) - sctp? ( net-misc/lksctp-tools[static-libs(+)] ) - selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) - ssl? ( - !libressl? ( - || ( - ( - >=dev-libs/openssl-1.0.1:0[bindist=] - =dev-libs/openssl-1.1.0g:0[bindist=] - ) - dev-libs/openssl:0=[static-libs(+)] - ) - libressl? ( dev-libs/libressl:0=[static-libs(+)] ) - ) - >=sys-libs/zlib-1.2.3:=[static-libs(+)]" -RDEPEND=" - !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) - pam? ( sys-libs/pam ) - kerberos? ( virtual/krb5 )" -DEPEND="${RDEPEND} - static? ( ${LIB_DEPEND} ) - virtual/os-headers" -RDEPEND="${RDEPEND} - pam? ( >=sys-auth/pambase-20081028 ) - userland_GNU? ( virtual/shadow ) - X? ( x11-apps/xauth )" -BDEPEND=" - virtual/pkgconfig - sys-devel/autoconf" - -S="${WORKDIR}/${PARCH}" - -pkg_pretend() { - # this sucks, but i'd rather have people unable to `emerge -u openssh` - # than not be able to log in to their server any more - maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; } - local fail=" - $(use hpn && maybe_fail hpn HPN_VER) - $(use sctp && maybe_fail sctp SCTP_PATCH) - $(use X509 && maybe_fail X509 X509_PATCH) - " - fail=$(echo ${fail}) - if [[ -n ${fail} ]] ; then - eerror "Sorry, but this version does not yet support features" - eerror "that you requested: ${fail}" - eerror "Please mask ${PF} for now and check back later:" - eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" - die "booooo" - fi - - # Make sure people who are using tcp wrappers are notified of its removal. #531156 - if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then - ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" - ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please." - fi -} - -src_prepare() { - sed -i \ - -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX%/}/usr/bin/xauth:" \ - pathnames.h || die - - # don't break .ssh/authorized_keys2 for fun - sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die - - eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch - eapply "${FILESDIR}"/${PN}-8.1_p1-GSSAPI-dns.patch #165444 integrated into gsskex - eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch - eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch - eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch - eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch - - [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches - - local PATCHSET_VERSION_MACROS=() - - if use X509 ; then - pushd "${WORKDIR}" &>/dev/null || die - eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch" - popd &>/dev/null || die - - eapply "${WORKDIR}"/${X509_PATCH%.*} - eapply "${FILESDIR}"/${P}-X509-$(ver_cut 1-2 ${X509_VER})-tests.patch - - # We need to patch package version or any X.509 sshd will reject our ssh client - # with "userauth_pubkey: could not parse key: string is too large [preauth]" - # error - einfo "Patching package version for X.509 patch set ..." - sed -i \ - -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \ - "${S}"/configure.ac || die "Failed to patch package version for X.509 patch" - - einfo "Patching version.h to expose X.509 patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \ - "${S}"/version.h || die "Failed to sed-in X.509 patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_X509' ) - fi - - if use sctp ; then - eapply "${WORKDIR}"/${SCTP_PATCH%.*} - - einfo "Patching version.h to expose SCTP patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \ - "${S}"/version.h || die "Failed to sed-in SCTP patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' ) - - einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..." - sed -i \ - -e "/\t\tcfgparse \\\/d" \ - "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch" - fi - - if use hpn ; then - local hpn_patchdir="${T}/${P}-hpn${HPN_VER}" - mkdir "${hpn_patchdir}" - cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" - pushd "${hpn_patchdir}" &>/dev/null || die - eapply "${FILESDIR}"/${PN}-8.1_p1-hpn-glue.patch - if use X509; then - einfo "Will disable MT AES cipher due to incompatbility caused by X509 patch set" - # X509 and AES-CTR-MT don't get along, let's just drop it - rm openssh-${HPN_PV//./_}-hpn-AES-CTR-${HPN_VER}.diff || die - eapply "${FILESDIR}"/${PN}-8.0_p1-hpn-X509-glue.patch - fi - use sctp && eapply "${FILESDIR}"/${PN}-7.9_p1-hpn-sctp-glue.patch - popd &>/dev/null || die - - eapply "${hpn_patchdir}" - - if ! use X509; then - eapply "${FILESDIR}/openssh-7.9_p1-hpn-openssl-1.1.patch" - eapply "${FILESDIR}/openssh-8.0_p1-hpn-version.patch" - fi - - einfo "Patching Makefile.in for HPN patch set ..." - sed -i \ - -e "/^LIBS=/ s/\$/ -lpthread/" \ - "${S}"/Makefile.in || die "Failed to patch Makefile.in" - - einfo "Patching version.h to expose HPN patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \ - "${S}"/version.h || die "Failed to sed-in HPN patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_HPN' ) - - if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then - einfo "Disabling known non-working MT AES cipher per default ..." - - cat > "${T}"/disable_mtaes.conf <<- EOF - - # HPN's Multi-Threaded AES CTR cipher is currently known to be broken - # and therefore disabled per default. - DisableMTAES yes - EOF - sed -i \ - -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \ - "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config" - - sed -i \ - -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \ - "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config" - fi - fi - - if use X509 || use sctp || use hpn ; then - einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..." - sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)" - - einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..." - sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)" - - einfo "Patching version.h to add our patch sets to SSH_RELEASE ..." - sed -i \ - -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \ - "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)" - fi - - sed -i \ - -e "/#UseLogin no/d" \ - "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)" - - eapply_user #473004 - - tc-export PKG_CONFIG - local sed_args=( - -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" - # Disable PATH reset, trust what portage gives us #254615 - -e 's:^PATH=/:#PATH=/:' - # Disable fortify flags ... our gcc does this for us - -e 's:-D_FORTIFY_SOURCE=2::' - ) - - # The -ftrapv flag ICEs on hppa #505182 - use hppa && sed_args+=( - -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' - -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' - ) - # _XOPEN_SOURCE causes header conflicts on Solaris - [[ ${CHOST} == *-solaris* ]] && sed_args+=( - -e 's/-D_XOPEN_SOURCE//' - ) - sed -i "${sed_args[@]}" configure{.ac,} || die - - eautoreconf -} - -src_configure() { - addwrite /dev/ptmx - - use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG - use static && append-ldflags -static - use xmss && append-cflags -DWITH_XMSS - - local myconf=( - --with-ldflags="${LDFLAGS}" - --disable-strip - --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run - --sysconfdir="${EPREFIX%/}"/etc/ssh - --libexecdir="${EPREFIX%/}"/usr/$(get_libdir)/misc - --datadir="${EPREFIX%/}"/usr/share/openssh - --with-privsep-path="${EPREFIX%/}"/var/empty - --with-privsep-user=sshd - $(use_with audit audit linux) - $(use_with kerberos kerberos5 "${EPREFIX%/}"/usr) - # We apply the sctp patch conditionally, so can't pass --without-sctp - # unconditionally else we get unknown flag warnings. - $(use sctp && use_with sctp) - $(use_with ldns ldns "${EPREFIX%/}"/usr) - $(use_with libedit) - $(use_with pam) - $(use_with pie) - $(use_with selinux) - $(use_with ssl openssl) - $(use_with ssl md5-passwords) - $(use_with ssl ssl-engine) - $(use_with !elibc_Cygwin hardening) #659210 - ) - - # stackprotect is broken on musl x86 and ppc - use elibc_musl && ( use x86 || use ppc ) && myconf+=( --without-stackprotect ) - - # The seccomp sandbox is broken on x32, so use the older method for now. #553748 - use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit ) - - econf "${myconf[@]}" -} - -src_test() { - local t skipped=() failed=() passed=() - local tests=( interop-tests compat-tests ) - - local shell=$(egetshell "${UID}") - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then - elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" - elog "user, so we will run a subset only." - skipped+=( tests ) - else - tests+=( tests ) - fi - - # It will also attempt to write to the homedir .ssh. - local sshhome=${T}/homedir - mkdir -p "${sshhome}"/.ssh - for t in "${tests[@]}" ; do - # Some tests read from stdin ... - HOMEDIR="${sshhome}" HOME="${sshhome}" SUDO="" \ - emake -k -j1 ${t} > "${ED%/}"/etc/ssh/sshd_config - - # Allow client to pass locale environment variables. #367017 - AcceptEnv ${locale_vars[*]} - - # Allow client to pass COLORTERM to match TERM. #658540 - AcceptEnv COLORTERM - EOF - - # Then the client config. - cat <<-EOF >> "${ED%/}"/etc/ssh/ssh_config - - # Send locale environment variables. #367017 - SendEnv ${locale_vars[*]} - - # Send COLORTERM to match TERM. #658540 - SendEnv COLORTERM - EOF - - if use pam ; then - sed -i \ - -e "/^#UsePAM /s:.*:UsePAM yes:" \ - -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ - -e "/^#PrintMotd /s:.*:PrintMotd no:" \ - -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ - "${ED%/}"/etc/ssh/sshd_config || die - fi - - if use livecd ; then - sed -i \ - -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \ - "${ED%/}"/etc/ssh/sshd_config || die - fi -} - -src_install() { - emake install-nokeys DESTDIR="${D}" - fperms 600 /etc/ssh/sshd_config - dobin contrib/ssh-copy-id - newinitd "${FILESDIR}"/sshd-r1.initd sshd - newconfd "${FILESDIR}"/sshd-r1.confd sshd - - newpamd "${FILESDIR}"/sshd.pam_include.2 sshd - - tweak_ssh_configs - - doman contrib/ssh-copy-id.1 - dodoc CREDITS OVERVIEW README* TODO sshd_config - use hpn && dodoc HPN-README - use X509 || dodoc ChangeLog - - diropts -m 0700 - dodir /etc/skel/.ssh - - keepdir /var/empty - - systemd_dounit "${FILESDIR}"/sshd.{service,socket} - systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' -} - -pkg_preinst() { - enewgroup sshd 22 - enewuser sshd 22 -1 /var/empty sshd -} - -pkg_postinst() { - if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then - elog "Starting with openssh-5.8p1, the server will default to a newer key" - elog "algorithm (ECDSA). You are encouraged to manually update your stored" - elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." - fi - if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then - elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." - elog "Make sure to update any configs that you might have. Note that xinetd might" - elog "be an alternative for you as it supports USE=tcpd." - fi - if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518 - elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" - elog "weak sizes. If you rely on these key types, you can re-enable the key types by" - elog "adding to your sshd_config or ~/.ssh/config files:" - elog " PubkeyAcceptedKeyTypes=+ssh-dss" - elog "You should however generate new keys using rsa or ed25519." - - elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" - elog "to 'prohibit-password'. That means password auth for root users no longer works" - elog "out of the box. If you need this, please update your sshd_config explicitly." - fi - if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then - elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely." - elog "Furthermore, rsa keys with less than 1024 bits will be refused." - fi - if has_version "<${CATEGORY}/${PN}-7.7_p1" ; then - elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality." - elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option" - elog "if you need to authenticate against LDAP." - elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details." - fi - if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then - elog "Be aware that by disabling openssl support in openssh, the server and clients" - elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" - elog "and update all clients/servers that utilize them." - fi - - if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then - elog "" - elog "HPN's multi-threaded AES CTR cipher is currently known to be broken" - elog "and therefore disabled at runtime per default." - elog "Make sure your sshd_config is up to date and contains" - elog "" - elog " DisableMTAES yes" - elog "" - elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher." - elog "" - fi -} diff --git a/net-misc/openssh/openssh-8.1_p1-r2.ebuild b/net-misc/openssh/openssh-8.1_p1-r2.ebuild new file mode 100644 index 000000000000..fe7b7fb1bb49 --- /dev/null +++ b/net-misc/openssh/openssh-8.1_p1-r2.ebuild @@ -0,0 +1,467 @@ +# Copyright 1999-2020 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +inherit flag-o-matic multilib autotools pam systemd + +# Make it more portable between straight releases +# and _p? releases. +PARCH=${P/_} +HPN_PV="${PV^^}" + +HPN_VER="14.20" +HPN_PATCHES=( + ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff + ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff + ${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff +) + +SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz" +X509_VER="12.3" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" + +PATCH_SET="openssh-7.9p1-patches-1.0" + +DESCRIPTION="Port of OpenBSD's free SSH release" +HOMEPAGE="https://www.openssh.com/" +SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz + https://dev.gentoo.org/~chutzpah/dist/openssh/${P}-glibc-2.31-patches.tar.xz + ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )} + ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )} + ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} +" +S="${WORKDIR}/${PARCH}" + +LICENSE="BSD GPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +# Probably want to drop ssl defaulting to on in a future version. +IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509 xmss" + +RESTRICT="!test? ( test )" + +REQUIRED_USE=" + ldns? ( ssl ) + pie? ( !static ) + static? ( !kerberos !pam ) + X509? ( !sctp ssl ) + test? ( ssl ) +" + +LIB_DEPEND=" + audit? ( sys-process/audit[static-libs(+)] ) + ldns? ( + net-libs/ldns[static-libs(+)] + !bindist? ( net-libs/ldns[ecdsa,ssl(+)] ) + bindist? ( net-libs/ldns[-ecdsa,ssl(+)] ) + ) + libedit? ( dev-libs/libedit:=[static-libs(+)] ) + sctp? ( net-misc/lksctp-tools[static-libs(+)] ) + selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) + ssl? ( + !libressl? ( + || ( + ( + >=dev-libs/openssl-1.0.1:0[bindist=] + =dev-libs/openssl-1.1.0g:0[bindist=] + ) + dev-libs/openssl:0=[static-libs(+)] + ) + libressl? ( dev-libs/libressl:0=[static-libs(+)] ) + ) + >=sys-libs/zlib-1.2.3:=[static-libs(+)] +" +RDEPEND=" + acct-group/sshd + acct-user/sshd + !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) + pam? ( sys-libs/pam ) + kerberos? ( virtual/krb5 ) +" +DEPEND="${RDEPEND} + static? ( ${LIB_DEPEND} ) + virtual/os-headers +" +RDEPEND="${RDEPEND} + pam? ( >=sys-auth/pambase-20081028 ) + userland_GNU? ( virtual/shadow ) + X? ( x11-apps/xauth ) +" +BDEPEND=" + virtual/pkgconfig + sys-devel/autoconf +" + +pkg_pretend() { + # this sucks, but i'd rather have people unable to `emerge -u openssh` + # than not be able to log in to their server any more + maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; } + local fail=" + $(use hpn && maybe_fail hpn HPN_VER) + $(use sctp && maybe_fail sctp SCTP_PATCH) + $(use X509 && maybe_fail X509 X509_PATCH) + " + fail=$(echo ${fail}) + if [[ -n ${fail} ]] ; then + eerror "Sorry, but this version does not yet support features" + eerror "that you requested: ${fail}" + eerror "Please mask ${PF} for now and check back later:" + eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" + die "booooo" + fi + + # Make sure people who are using tcp wrappers are notified of its removal. #531156 + if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then + ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" + ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please." + fi +} + +src_prepare() { + sed -i \ + -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ + pathnames.h || die + + # don't break .ssh/authorized_keys2 for fun + sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die + + eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch + eapply "${FILESDIR}"/${PN}-8.1_p1-GSSAPI-dns.patch #165444 integrated into gsskex + eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch + eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch + eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch + eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch + eapply "${FILESDIR}"/${PN}-8.1_p1-tests-2020.patch + + [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches + + local PATCHSET_VERSION_MACROS=() + + if use X509 ; then + pushd "${WORKDIR}" &>/dev/null || die + eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch" + popd &>/dev/null || die + + eapply "${WORKDIR}"/${X509_PATCH%.*} + eapply "${FILESDIR}"/${P}-X509-$(ver_cut 1-2 ${X509_VER})-tests.patch + + # We need to patch package version or any X.509 sshd will reject our ssh client + # with "userauth_pubkey: could not parse key: string is too large [preauth]" + # error + einfo "Patching package version for X.509 patch set ..." + sed -i \ + -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \ + "${S}"/configure.ac || die "Failed to patch package version for X.509 patch" + + einfo "Patching version.h to expose X.509 patch set ..." + sed -i \ + -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \ + "${S}"/version.h || die "Failed to sed-in X.509 patch version" + PATCHSET_VERSION_MACROS+=( 'SSH_X509' ) + fi + + if use sctp ; then + eapply "${WORKDIR}"/${SCTP_PATCH%.*} + + einfo "Patching version.h to expose SCTP patch set ..." + sed -i \ + -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \ + "${S}"/version.h || die "Failed to sed-in SCTP patch version" + PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' ) + + einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..." + sed -i \ + -e "/\t\tcfgparse \\\/d" \ + "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch" + fi + + if use hpn ; then + local hpn_patchdir="${T}/${P}-hpn${HPN_VER}" + mkdir "${hpn_patchdir}" || die + cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die + pushd "${hpn_patchdir}" &>/dev/null || die + eapply "${FILESDIR}"/${PN}-8.1_p1-hpn-${HPN_VER}-glue.patch + if use X509; then + # einfo "Will disable MT AES cipher due to incompatbility caused by X509 patch set" + # # X509 and AES-CTR-MT don't get along, let's just drop it + # rm openssh-${HPN_PV//./_}-hpn-AES-CTR-${HPN_VER}.diff || die + eapply "${FILESDIR}"/${PN}-8.0_p1-hpn-${HPN_VER}-X509-glue.patch + fi + use sctp && eapply "${FILESDIR}"/${PN}-8.1_p1-hpn-${HPN_VER}-sctp-glue.patch + popd &>/dev/null || die + + eapply "${hpn_patchdir}" + + use X509 || eapply "${FILESDIR}/openssh-8.0_p1-hpn-version.patch" + + einfo "Patching Makefile.in for HPN patch set ..." + sed -i \ + -e "/^LIBS=/ s/\$/ -lpthread/" \ + "${S}"/Makefile.in || die "Failed to patch Makefile.in" + + einfo "Patching version.h to expose HPN patch set ..." + sed -i \ + -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \ + "${S}"/version.h || die "Failed to sed-in HPN patch version" + PATCHSET_VERSION_MACROS+=( 'SSH_HPN' ) + + if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then + einfo "Disabling known non-working MT AES cipher per default ..." + + cat > "${T}"/disable_mtaes.conf <<- EOF + + # HPN's Multi-Threaded AES CTR cipher is currently known to be broken + # and therefore disabled per default. + DisableMTAES yes + EOF + sed -i \ + -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \ + "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config" + + sed -i \ + -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \ + "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config" + fi + fi + + if use X509 || use sctp || use hpn ; then + einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..." + sed -i \ + -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ + "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)" + + einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..." + sed -i \ + -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ + "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)" + + einfo "Patching version.h to add our patch sets to SSH_RELEASE ..." + sed -i \ + -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \ + "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)" + fi + + sed -i \ + -e "/#UseLogin no/d" \ + "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)" + + eapply_user #473004 + + tc-export PKG_CONFIG + local sed_args=( + -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" + # Disable PATH reset, trust what portage gives us #254615 + -e 's:^PATH=/:#PATH=/:' + # Disable fortify flags ... our gcc does this for us + -e 's:-D_FORTIFY_SOURCE=2::' + ) + + # The -ftrapv flag ICEs on hppa #505182 + use hppa && sed_args+=( + -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' + -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' + ) + # _XOPEN_SOURCE causes header conflicts on Solaris + [[ ${CHOST} == *-solaris* ]] && sed_args+=( + -e 's/-D_XOPEN_SOURCE//' + ) + sed -i "${sed_args[@]}" configure{.ac,} || die + + eautoreconf +} + +src_configure() { + addwrite /dev/ptmx + + use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG + use static && append-ldflags -static + use xmss && append-cflags -DWITH_XMSS + + local myconf=( + --with-ldflags="${LDFLAGS}" + --disable-strip + --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run + --sysconfdir="${EPREFIX}"/etc/ssh + --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc + --datadir="${EPREFIX}"/usr/share/openssh + --with-privsep-path="${EPREFIX}"/var/empty + --with-privsep-user=sshd + $(use_with audit audit linux) + $(use_with kerberos kerberos5 "${EPREFIX}"/usr) + # We apply the sctp patch conditionally, so can't pass --without-sctp + # unconditionally else we get unknown flag warnings. + $(use sctp && use_with sctp) + $(use_with ldns ldns "${EPREFIX}"/usr) + $(use_with libedit) + $(use_with pam) + $(use_with pie) + $(use_with selinux) + $(use_with ssl openssl) + $(use_with ssl md5-passwords) + $(use_with ssl ssl-engine) + $(use_with !elibc_Cygwin hardening) #659210 + ) + + # stackprotect is broken on musl x86 and ppc + use elibc_musl && ( use x86 || use ppc ) && myconf+=( --without-stackprotect ) + + # The seccomp sandbox is broken on x32, so use the older method for now. #553748 + use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit ) + + econf "${myconf[@]}" +} + +src_test() { + local t skipped=() failed=() passed=() + local tests=( interop-tests compat-tests ) + + local shell=$(egetshell "${UID}") + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then + elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" + elog "user, so we will run a subset only." + skipped+=( tests ) + else + tests+=( tests ) + fi + + # It will also attempt to write to the homedir .ssh. + local sshhome=${T}/homedir + mkdir -p "${sshhome}"/.ssh + for t in "${tests[@]}" ; do + # Some tests read from stdin ... + HOMEDIR="${sshhome}" HOME="${sshhome}" SUDO="" \ + emake -k -j1 ${t} > "${ED}"/etc/ssh/sshd_config + + # Allow client to pass locale environment variables. #367017 + AcceptEnv ${locale_vars[*]} + + # Allow client to pass COLORTERM to match TERM. #658540 + AcceptEnv COLORTERM + EOF + + # Then the client config. + cat <<-EOF >> "${ED}"/etc/ssh/ssh_config + + # Send locale environment variables. #367017 + SendEnv ${locale_vars[*]} + + # Send COLORTERM to match TERM. #658540 + SendEnv COLORTERM + EOF + + if use pam ; then + sed -i \ + -e "/^#UsePAM /s:.*:UsePAM yes:" \ + -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ + -e "/^#PrintMotd /s:.*:PrintMotd no:" \ + -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ + "${ED}"/etc/ssh/sshd_config || die + fi + + if use livecd ; then + sed -i \ + -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \ + "${ED}"/etc/ssh/sshd_config || die + fi +} + +src_install() { + emake install-nokeys DESTDIR="${D}" + fperms 600 /etc/ssh/sshd_config + dobin contrib/ssh-copy-id + newinitd "${FILESDIR}"/sshd-r1.initd sshd + newconfd "${FILESDIR}"/sshd-r1.confd sshd + + newpamd "${FILESDIR}"/sshd.pam_include.2 sshd + + tweak_ssh_configs + + doman contrib/ssh-copy-id.1 + dodoc CREDITS OVERVIEW README* TODO sshd_config + use hpn && dodoc HPN-README + use X509 || dodoc ChangeLog + + diropts -m 0700 + dodir /etc/skel/.ssh + + keepdir /var/empty + + systemd_dounit "${FILESDIR}"/sshd.{service,socket} + systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' +} + +pkg_postinst() { + if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then + elog "Starting with openssh-5.8p1, the server will default to a newer key" + elog "algorithm (ECDSA). You are encouraged to manually update your stored" + elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." + fi + if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then + elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." + elog "Make sure to update any configs that you might have. Note that xinetd might" + elog "be an alternative for you as it supports USE=tcpd." + fi + if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518 + elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" + elog "weak sizes. If you rely on these key types, you can re-enable the key types by" + elog "adding to your sshd_config or ~/.ssh/config files:" + elog " PubkeyAcceptedKeyTypes=+ssh-dss" + elog "You should however generate new keys using rsa or ed25519." + + elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" + elog "to 'prohibit-password'. That means password auth for root users no longer works" + elog "out of the box. If you need this, please update your sshd_config explicitly." + fi + if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then + elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely." + elog "Furthermore, rsa keys with less than 1024 bits will be refused." + fi + if has_version "<${CATEGORY}/${PN}-7.7_p1" ; then + elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality." + elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option" + elog "if you need to authenticate against LDAP." + elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details." + fi + if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then + elog "Be aware that by disabling openssl support in openssh, the server and clients" + elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" + elog "and update all clients/servers that utilize them." + fi + + if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then + elog "" + elog "HPN's multi-threaded AES CTR cipher is currently known to be broken" + elog "and therefore disabled at runtime per default." + elog "Make sure your sshd_config is up to date and contains" + elog "" + elog " DisableMTAES yes" + elog "" + elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher." + elog "" + fi +} -- cgit v1.2.3