diff options
| author | V3n3RiX <venerix@koprulu.sector> | 2023-05-11 23:47:37 +0100 |
|---|---|---|
| committer | V3n3RiX <venerix@koprulu.sector> | 2023-05-11 23:47:37 +0100 |
| commit | 02930d1eb5af78d32b1597af6af24163895d9e0f (patch) | |
| tree | 7908188ca5a80d7ff557ebc70fe3bdcbf2875832 /net-misc/openssh | |
| parent | 54654470d999265b5a0010be7190e8a9993b1840 (diff) | |
gentoo auto-resync : 11:05:2023 - 23:47:37
Diffstat (limited to 'net-misc/openssh')
| -rw-r--r-- | net-misc/openssh/Manifest | 15 | ||||
| -rw-r--r-- | net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch | 18 | ||||
| -rw-r--r-- | net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch | 13 | ||||
| -rw-r--r-- | net-misc/openssh/files/openssh-9.0_p1-X509-uninitialized-delay.patch | 12 | ||||
| -rw-r--r-- | net-misc/openssh/metadata.xml | 3 | ||||
| -rw-r--r-- | net-misc/openssh/openssh-9.3_p1-r1.ebuild (renamed from net-misc/openssh/openssh-9.3_p1.ebuild) | 275 |
6 files changed, 71 insertions, 265 deletions
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest index 6346e7741780..3472427f1673 100644 --- a/net-misc/openssh/Manifest +++ b/net-misc/openssh/Manifest @@ -2,12 +2,9 @@ AUX openssh-6.7_p1-openssl-ignore-status.patch 765 BLAKE2B 6ddc498cef115a38054eb AUX openssh-7.5_p1-disable-conch-interop-tests.patch 554 BLAKE2B f5f45c000ec26c1f783669c3447ea3c80c5c0f9b971b86ca1e79e99e906a90a519abb6b14db462f5766572e9759180719ea44f048ef5aa8efc37efb61d2b6ef7 SHA512 f35b15f1e8d0eb276d748ee14c71004c6599ddb124c33e2f84623bc9eb02bb4fd4680d25d0ba0289d6a723a526c95c9a56b30496bdaa565bae853bf3d1bab61f AUX openssh-7.9_p1-include-stdlib.patch 914 BLAKE2B 9c7eb79f87ecd657a80821dfa979d8b0cc12a08d385ec085724f20aa6f5332593ffc7481bb9f816e91df3eb4d75d8f7b66383ff473d271270de128c3b2bf92e5 SHA512 7dade73bdafb0da484cbd396b4a644442f8ea12fef54c07e6308ae2e73a587fa4ddf401e8a0c467469b46fe7f00585e047462545182924c157b4d3894c707a70 AUX openssh-8.0_p1-fix-putty-tests.patch 1760 BLAKE2B a1127e8f2275c1e23c956b5041dbc84dbdb2cd6b788fc69bfc1f6b030afe86a827483602ce76577b4101ee2e790b1cfa8c1d2db09da59b89fe7df8083bf4695f SHA512 f544d818bdde628131f1819bf2ffb4007802ee5bf12c5cd5bd398efe0f0f430ed6b3efa7969cb2c4fa49a2bbd773d8fa09f4c927cf998a564b7611443437c310 -AUX openssh-8.5_p1-hpn-15.2-sctp-glue.patch 727 BLAKE2B fafb6bc3ec680327abf01a7a2f673d4be601094d518d74f5afd0c596c1d60ddfc6f31add6b5533f85bc09cf2122b9e3f7243d5d26a2d6923c88c2f6a811ea2b8 SHA512 eda1c1613e94a7b10df9cc08c87ed8a39edb3f8a160600a74780877772bbd76cc9842d5d5d68ed6a9554e1e310675a1e461d894144d514b8e482d4a1affbc9bd -AUX openssh-8.6_p1-hpn-version.patch 556 BLAKE2B 26ef960db46c82ee62e6a6f1be15c2897855caa6cbd05db87d3e606ce42d03fb6e88916f0c6644f67dc008ca802617d0f63e5e8e35d1a6c6076188ba19009186 SHA512 c13d14dc496863bd6bbbf08940322a60e74fa1cc2171f81132dfd874b9371ee0edd77f75ffd606f874fa2de498b174be91da5c641029abff2d2a8503c2f0fc02 AUX openssh-8.7_p1-GSSAPI-dns.patch 11576 BLAKE2B 84aa0128ddeccf67e14c20f9d2acb61226c5091a3e3106285c79db4a297dbd781eddf7a6d4cb3b1a5a5dcbbcd158d32dbca5986b6fbf15f62cd3928cf125b083 SHA512 794b06c6ee6acd1bcd861753970cfc4d04f42499d48ff4119746dbcab8643f75761fddb9f52f49fe01e356740eb3882671ac3ae209e0e45745d195a219ffe5dd AUX openssh-8.9_p1-allow-ppoll_time64.patch 396 BLAKE2B b5bb202f79699d9037f12155044328f89ee0573efa43da7cdf8511555e706b6bf66cae069ac95cca900779c6ce293eedec48450f786fd033375e9be17bfb2872 SHA512 9b88024e6a898fc85205fbc038274a3271f787276962150965ab8f599fa355ee73cb48e7e12e3f090034293f9dca94a1ce41dfce2aaeb140693545ff3bc391f0 AUX openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch 419 BLAKE2B c5ef82ed92da96213c84d954541dc3d99040f95a3ce6d81ea585360200128154daaa7717a553a91e693ee11044f11b4a2c3f9f0137c4b92cb1aee01514ec7763 SHA512 cdc0894728e01b132346bf1358b2193d5349f281a086a784a4bbdf1a6ad736632cf4c4fbb900c4ebb6b31a13313ed8660dae95968f4e906d40b2aa0b7a7c2303 -AUX openssh-9.0_p1-X509-uninitialized-delay.patch 321 BLAKE2B 19bff0fc7ecdc6350f8e6bd30f36f30b455c65b7455fe8b1d481d8fa7cdfa7cc76719931857fe2c9730b05ae8fe3e7e05c538e743e055d6594dd2fc7c3f250ee SHA512 57798621a51a60abf6985391ec73dcafdb46de75c93579e23b786aa095d8eea29ebd9ab5987b951a136b15e60896332c9717c82b42e1c22b345444aedf17a9f5 AUX openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch 514 BLAKE2B d0dadfc57736cd4d2b04e46f5c0f6d5a1db1cfc7ee70d32afaa0f65269b82e66a72c46d33c9cbf7237f541a0485b25669cd2f4b34393e3a3ef0c9b4334092fe5 SHA512 f8badde54501340bde275951bc1cf653919bec02c760bf771308f10697b9ad2a483e30ae74ad124a737341f5c64657ab193a4d7fdf2baf24029b9447099da04b AUX openssh-9.3_p1-openssl-version-compat-check.patch 2588 BLAKE2B 635e9d4e0ca515d4da190075371b85b5c1885fd7d9b621d6f21399be0faf0be96e5e31875611392386b897f74087d75a00203a74c9f9ecf0be447bf354fcf4a2 SHA512 a27afa1b07a47f0ecf74d30ca85e7b4f8c79857c8019d274aeaed88b81149ce6241fd16f1023f14dbdc701e8c9d8671f6aadda2e21d620a47af8778b8531b991 AUX sshd-r1.confd 774 BLAKE2B df3f3f28cb4d35b49851399b52408c42e242ae3168ff3fc79add211903567da370cfe86a267932ca9cf13c3afbc38a8f1b53e753a31670ee61bf8ba8747832f8 SHA512 3a69752592126024319a95f1c1747af508fd639c86eca472106c5d6c23d5eeaa441ca74740d4b1aafaa0db759d38879e3c1cee742b08d6166ebc58cddac1e2fe @@ -16,15 +13,7 @@ AUX sshd.pam_include.2 156 BLAKE2B 91ebefbb1264fe3fe98df0a72ac22a4cd8a787b3b391a AUX sshd.service.1 298 BLAKE2B 7a4f2e2656096b09a8b435d393ea9b0a7bd10a2a9f0e9d9cf49b9ae9600cccfb19a64e09f4cf718e8054fc997f21656f609eb3af15ee2e3576531a88b5709842 SHA512 efc936ca412999e3b1acabe6cf4e87c033fe468cede1c3c499499e252cf7cdeca0841e5e1862ebe316ff3f4bf758fba674f08d081b403713e154b6bbc37da365 AUX sshd.socket 136 BLAKE2B 22e218c831fc384a3151ef97c391253738fa9002e20cf4628c6fe3d52d4b0ac3b957da58f816950669d0a6f8f2786251c6dfc31bbb863f837a3f52631341dc2e SHA512 4d31d373b7bdae917dc0cf05418c71d4743e98e354aefcf055f88f55c9c644a5a0e0e605dbb8372c1b98d17c0ea1c8c0fee27d38ab8dbe23c7e420a6a78c6d42 AUX sshd_at.service.1 163 BLAKE2B b5c77d69e3860d365ba96a5b2fe14514bda9425e170fc7f324dcaf95fb02756ef9c5c2658904e812232f40fac9a3c2f4abf61b9129038bde66bb7d3a992d2606 SHA512 fbfe0aed3a5e99f15dc68838975cc49a206d697fb3549d8b31db25617dc7b7b8dd2397d865d89f305d5da391cd56a69277c2215c4335fccb4dd6a9b95ba34e2f -DIST openssh-8_5_P1-hpn-AES-CTR-15.2.diff 30096 BLAKE2B f0c020dd2403806c79d4c37a019996d275655b04997301e247f5c4dd7fad35d12b3b7c25afb1b078d915ef2a4ae02f736f0aec9ba2a8c56a405d7ca303bcadf7 SHA512 4c2dbf99a9b5953fdb955f700272bbaeaa025f108a8860d2190197962b849f8385327af82c4d6a3a130a7fba35a74a8ec9437d642867601acb29817c49632a8f -DIST openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 51428 BLAKE2B 370b88a7da7f148bf5a4d445f05cf593b486e9df53bba027e2e179726f534b68cf9d94edd6e53024e0b6ff5f20e568727bc9d26c94d0d415603602a80d3ad241 SHA512 2d8d887901164b33b2799ff3ec72e86a39ae4a1696e52bcee0872dbae7772fcc534351e6e7f87126ee71b164c74e9091350f14b782f4b242a09f09b4f50d047a -DIST openssh-8_5_P1-hpn-PeakTput-15.2.diff 2429 BLAKE2B 849bf3c313719ab7a25c75e82d5dc5ac98365a038b2a66fe58d01eae5b20c7777258b94b5830e799d6909e75c69753cda05a910f3bdab9606fb7d5efa68e05f1 SHA512 c4a56fab55fabd1d902d45f235b603708d43f969920e45c9a57e557dccfa9cade2ec61f26d1ace938f6f73e79f17b12f119b5aea9166cbda8e3435b910500914 -DIST openssh-9.3_p1-X509-glue-14.1.1.patch.xz 936 BLAKE2B f1716ff7801a27aa2aad06f1cca2ca6988eef65fb0ddcbde483e5c9205506ca40b658f5c8c40b2625afb38ff9b56e40831eadcf751c8ee1c11f69ec559f3c147 SHA512 dace01bcf22b625cd00e18ce019b0be31b6f47f714845f3ebb98ebee41b4db0a769fa09cab63ea17536a7106ec90f2b15f87696ae49fa6f6e31bad94ae09719d -DIST openssh-9.3_p1-hpn-15.2-X509-14.1.1-glue.patch.xz 6224 BLAKE2B 47c7054648e8d795b0d9e563d8313242c917df8a3620a60cff2d77f9ae8482cec861244e0f1433f711922f0704b775b7183284960a3baa48a27b99979ad7ffa3 SHA512 728cf2586bcc9480afe71b5106e2286b925857a9e04dce79f744b36cbe3ec2844ac5b4a6bd4b64117f32ad1b04c0943b9d6f935eee826202871588ed9a167387 -DIST openssh-9.3_p1-hpn-15.2-glue.patch.xz 5044 BLAKE2B 73205bd8f702612df7cb6f29e8b353df854428974dc20d5938033157da64418317f326ab8118893dc47173cd871dc7654a3e3ed601289744560becc98729cd3f SHA512 343b77109158b9af5d8d57f4ac7968bce8277fa3b4dcaa19b76593620fbddbfa832bd76c0da52e12179fe5f391f9fef67e7af51b138ab8cc69a8a6471b6a3909 -DIST openssh-9.3p1+x509-14.1.1.diff.gz 1221335 BLAKE2B 9203fbb6955fe44ebd7ed031245a90b8df7e149a6ad3205097ffd5d2d7655a0e6b8cd2e20d7f7216fbc6d3e8bd0a1453f3fc028f04e96c0f244ad0772a0e30ab SHA512 8a1036d680d25f99e1a24ea77a2c303e807c0f5c5323043684da9fcc9ff603f80384688935a654cc97216f84f85f00f590dc35d2ee2b1f0fb169f8b427559b2d -DIST openssh-9.3p1-sctp-1.2.patch.xz 6836 BLAKE2B d12394ecaa7eca6e0b3590cea83b71537edc3230bc5f7b2992a06a67c77247cc4156be0ba151038a5baee1c3f105f76f1917cc5aad08d1aadadfd6e56858781b SHA512 ba5af014e5b825bf4a57368416a15c6e56afd355780e4c5eab44a396c3f4276ac4d813c5c15b83f3b8edf4763855221743796c038433b292fda9417f0b274a71 DIST openssh-9.3p1.tar.gz 1856839 BLAKE2B 45578edf98bba3d23c7cefe60d8a7d3079e7c6676459f7422ace7a2461ab96943fbcadb478633a80f40bc098f2435722850b563714adb78b14922be53cb5753d SHA512 087ff6fe5f6caab4c6c3001d906399e02beffad7277280f11187420c2939fd4befdcb14643862a657ce4cad2f115b82a0a1a2c99df6ee54dcd76b53647637c19 DIST openssh-9.3p1.tar.gz.asc 833 BLAKE2B e6533d64b117a400b76b90f71fa856d352dea57d91e4e89fa375429403ac0734cc0a2f075bc58c6bb4f40a8f9776735aa36bdb0bbf3880a2115cea787633e48b SHA512 6222378eb24a445c6c1db255392b405f5369b1af0e92f558d4ba05b0d83ab0d084cb8f4b91d7ae8636f333d970638a6635e2bc7af885135dd34992d87f2ef1f4 -EBUILD openssh-9.3_p1.ebuild 18303 BLAKE2B 008384b33dd35dbbf604abd51674146edd5a9766c247671d9080324c24a22a696373abfe1a44a1e4f309071b5388b729395d38efb81e38ff64083952ecc32df9 SHA512 0b2a3af3ba5b18bda746142129521ef012d6e3fa378f11f605c02dee4b8bc24c08e8169f4af32f6282456346e5dad997fa7e1c4f84ef54aef184866c2fbf91c6 -MISC metadata.xml 1970 BLAKE2B 3099c31852827b4f7b5dd82643a1388a0c1572bad3266f275b2b0de38e768e22cd2f9ff52982d03b418babca8a4ec2e62bc1fee47fba0a3df187e5a33d4e986a SHA512 1d9b54459c3ae78d0afea2b7632c2e27664d9033b6fa10f31d1a865326f495dce42a053cd77e930ca06467a61a80a096c58abbd10d9a0925d71452d173fe72de +EBUILD openssh-9.3_p1-r1.ebuild 13585 BLAKE2B 10de35ae0eb44b677c7bca48c2282c7576853615086ff347b80b5ae6b50ae701f505e38472ba594fda193ea7f21a62f1f707ac8ae76d421598b9ee266b2dc361 SHA512 ae204df789e501ce619296a6b4aab010c905410a18a941cbf3910134f67369dc5e0d64286ec47069b10efc230bc4850a51adbbe0906b3f07615ccc79dce795bd +MISC metadata.xml 1788 BLAKE2B d04d3030f70f3615522672fa56e684acaa67ddce8d16cce86ba8911fb8fc11ed152be012ecf560427d271868c4841a7422aaa644305947302d3ebab62bdb577d SHA512 bd328e3a33ce04b989149333db5f774f1b52540f12ef83b08b7fcf136ae2a3a9c83bef42c28991d3536249098ca0b9ffd21e583d93599580510d8619e9fd01ca diff --git a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch b/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch deleted file mode 100644 index 7199227589c6..000000000000 --- a/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch +++ /dev/null @@ -1,18 +0,0 @@ -diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff ---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:06:45.020527770 -0700 -+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:07:01.294423665 -0700 -@@ -1414,14 +1414,3 @@ - # Example of overriding settings on a per-user basis - #Match User anoncvs - # X11Forwarding no --diff --git a/version.h b/version.h --index 6b4fa372..332fb486 100644 ----- a/version.h --+++ b/version.h --@@ -3,4 +3,5 @@ -- #define SSH_VERSION "OpenSSH_8.5" -- -- #define SSH_PORTABLE "p1" ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE --+#define SSH_HPN "-hpn15v2" --+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN diff --git a/net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch b/net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch deleted file mode 100644 index 6dc290d6737b..000000000000 --- a/net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/kex.c b/kex.c -index 34808b5c..88d7ccac 100644 ---- a/kex.c -+++ b/kex.c -@@ -1205,7 +1205,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms, - if (version_addendum != NULL && *version_addendum == '\0') - version_addendum = NULL; - if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n", -- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, -+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, - version_addendum == NULL ? "" : " ", - version_addendum == NULL ? "" : version_addendum)) != 0) { - oerrno = errno; diff --git a/net-misc/openssh/files/openssh-9.0_p1-X509-uninitialized-delay.patch b/net-misc/openssh/files/openssh-9.0_p1-X509-uninitialized-delay.patch deleted file mode 100644 index 2a83ed37d138..000000000000 --- a/net-misc/openssh/files/openssh-9.0_p1-X509-uninitialized-delay.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -ur a/auth2.c b/auth2.c ---- a/auth2.c 2022-05-19 15:59:32.875160028 -0700 -+++ b/auth2.c 2022-05-19 16:03:44.291594908 -0700 -@@ -226,7 +226,7 @@ - int digest_alg; - size_t len; - u_char *hash; -- double delay; -+ double delay = 0; - - digest_alg = ssh_digest_maxbytes(); - if (len = ssh_digest_bytes(digest_alg) > 0) { diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml index 0ed696c82ad6..da1b4330c4d7 100644 --- a/net-misc/openssh/metadata.xml +++ b/net-misc/openssh/metadata.xml @@ -20,17 +20,14 @@ ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0. </longdescription> <use> - <flag name="hpn">Enable high performance ssh</flag> <flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag> <flag name="livecd">Enable root password logins for live-cd environment.</flag> <flag name="security-key">Include builtin U2F/FIDO support</flag> <flag name="ssl">Enable additional crypto algorithms via OpenSSL</flag> - <flag name="X509">Adds support for X.509 certificate authentication</flag> <flag name="xmss">Enable XMSS post-quantum authentication algorithm</flag> </use> <upstream> <remote-id type="cpe">cpe:/a:openbsd:openssh</remote-id> <remote-id type="github">openssh/openssh-portable</remote-id> - <remote-id type="sourceforge">hpnssh</remote-id> </upstream> </pkgmetadata> diff --git a/net-misc/openssh/openssh-9.3_p1.ebuild b/net-misc/openssh/openssh-9.3_p1-r1.ebuild index c3084f573734..ea2cc9a83d0c 100644 --- a/net-misc/openssh/openssh-9.3_p1.ebuild +++ b/net-misc/openssh/openssh-9.3_p1-r1.ebuild @@ -9,42 +9,11 @@ inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig # and _p? releases. PARCH=${P/_} -# PV to USE for HPN patches -#HPN_PV="${PV^^}" -HPN_PV="8.5_P1" - -HPN_VER="15.2" -HPN_PATCHES=( - ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff - ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff - ${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff -) -HPN_GLUE_PATCH="${PN}-9.3_p1-hpn-${HPN_VER}-glue.patch" -HPN_PATCH_DIR="HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}" - -SCTP_VER="1.2" -SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz" - -X509_VER="14.1.1" -X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" -X509_GLUE_PATCH="${P}-X509-glue-${X509_VER}.patch" -X509_HPN_GLUE_PATCH="${PN}-9.3_p1-hpn-${HPN_VER}-X509-${X509_VER}-glue.patch" - DESCRIPTION="Port of OpenBSD's free SSH release" HOMEPAGE="https://www.openssh.com/" -SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz - ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )} - ${HPN_VER:+hpn? ( - $(printf "mirror://sourceforge/project/hpnssh/Patches/${HPN_PATCH_DIR}/%s\n" "${HPN_PATCHES[@]}") - https://dev.gentoo.org/~chutzpah/dist/openssh/${HPN_GLUE_PATCH}.xz - )} - ${X509_VER:+X509? ( - https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} - https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_GLUE_PATCH}.xz - ${HPN_VER:+hpn? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_HPN_GLUE_PATCH}.xz )} - )} - verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc ) -" +SRC_URI=" + mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz + verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )" VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssh.org.asc S="${WORKDIR}/${PARCH}" @@ -52,16 +21,14 @@ LICENSE="BSD GPL-2" SLOT="0" KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" # Probably want to drop ssl defaulting to on in a future version. -IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss" +IUSE="abi_mips_n32 audit debug kerberos ldns libedit livecd pam +pie security-key selinux +ssl static test X xmss" RESTRICT="!test? ( test )" REQUIRED_USE=" - hpn? ( ssl ) ldns? ( ssl ) pie? ( !static ) static? ( !kerberos !pam ) - X509? ( !sctp ssl !xmss ) xmss? ( ssl ) test? ( ssl ) " @@ -69,16 +36,13 @@ REQUIRED_USE=" # tests currently fail with XMSS REQUIRED_USE+="test? ( !xmss )" -# Blocker on older gcc-config for bug #872416 LIB_DEPEND=" - !<sys-devel/gcc-config-2.6 audit? ( sys-process/audit[static-libs(+)] ) ldns? ( net-libs/ldns[static-libs(+)] net-libs/ldns[ecdsa(+),ssl(+)] ) libedit? ( dev-libs/libedit:=[static-libs(+)] ) - sctp? ( net-misc/lksctp-tools[static-libs(+)] ) security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] ) selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] ) @@ -98,6 +62,7 @@ DEPEND="${RDEPEND} static? ( ${LIB_DEPEND} ) " RDEPEND="${RDEPEND} + !net-misc/openssh-contrib pam? ( >=sys-auth/pambase-20081028 ) !prefix? ( sys-apps/shadow ) X? ( x11-apps/xauth ) @@ -128,19 +93,31 @@ PATCHES=( ) pkg_pretend() { - # this sucks, but i'd rather have people unable to `emerge -u openssh` - # than not be able to log in to their server any more - local missing=() - check_feature() { use "${1}" && [[ -z ${!2} ]] && missing+=( "${1}" ); } - check_feature hpn HPN_VER - check_feature sctp SCTP_PATCH - check_feature X509 X509_PATCH - if [[ ${#missing[@]} -ne 0 ]] ; then - eerror "Sorry, but this version does not yet support features" - eerror "that you requested: ${missing[*]}" - eerror "Please mask ${PF} for now and check back later:" - eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" - die "Missing requested third party patch." + local i enabled_eol_flags disabled_eol_flags + for i in hpn sctp X509; do + if has_version "net-misc/openssh[${i}]"; then + enabled_eol_flags+="${i}," + disabled_eol_flags+="-${i}," + fi + done + + if [[ -n ${enabled_eol_flags} && ${OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING} != yes ]]; then + ewarn "net-misc/openssh does not support USE='${enabled_eol_flags%,}' anymore." + ewarn "The Base system team *STRONGLY* recommends you not rely on this functionality," + ewarn "since these USE flags required third-party patches that often trigger bugs" + ewarn "and are of questionable provenance." + ewarn + ewarn "If you must continue relying on this functionality, switch to" + ewarn "net-misc/openssh-contrib. You will have to remove net-misc/openssh from your" + ewarn "world file first: 'emerge --deselect net-misc/openssh'" + ewarn + ewarn "In order to prevent loss of SSH remote login access, we will abort the build." + ewarn "Whether you proceed with disabling the USE flags or switch to the -contrib" + ewarn "variant, when re-emerging you will have to set" + ewarn + ewarn " OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes" + + die "Building net-misc/openssh[${disabled_eol_flags%,}] without OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes" fi # Make sure people who are using tcp wrappers are notified of its removal. #531156 @@ -150,13 +127,6 @@ pkg_pretend() { fi } -src_unpack() { - default - - # We don't have signatures for HPN, X509, so we have to write this ourselves - use verify-sig && verify-sig_verify_detached "${DISTDIR}"/${PARCH}.tar.gz{,.asc} -} - src_prepare() { sed -i \ -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ @@ -169,107 +139,6 @@ src_prepare() { [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches - local PATCHSET_VERSION_MACROS=() - - if use X509 ; then - pushd "${WORKDIR}" &>/dev/null || die - eapply "${WORKDIR}/${X509_GLUE_PATCH}" - popd &>/dev/null || die - - eapply "${WORKDIR}"/${X509_PATCH%.*} - eapply "${FILESDIR}/${PN}-9.0_p1-X509-uninitialized-delay.patch" - - # We need to patch package version or any X.509 sshd will reject our ssh client - # with "userauth_pubkey: could not parse key: string is too large [preauth]" - # error - einfo "Patching package version for X.509 patch set ..." - sed -i \ - -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \ - "${S}"/configure.ac || die "Failed to patch package version for X.509 patch" - - einfo "Patching version.h to expose X.509 patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \ - "${S}"/version.h || die "Failed to sed-in X.509 patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_X509' ) - fi - - if use sctp ; then - eapply "${WORKDIR}"/${SCTP_PATCH%.*} - - einfo "Patching version.h to expose SCTP patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \ - "${S}"/version.h || die "Failed to sed-in SCTP patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' ) - - einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..." - sed -i \ - -e "/\t\tcfgparse \\\/d" \ - "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch" - fi - - if use hpn ; then - local hpn_patchdir="${T}/${P}-hpn${HPN_VER}" - mkdir "${hpn_patchdir}" || die - cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die - pushd "${hpn_patchdir}" &>/dev/null || die - eapply "${WORKDIR}/${HPN_GLUE_PATCH}" - use X509 && eapply "${WORKDIR}/${X509_HPN_GLUE_PATCH}" - use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch - popd &>/dev/null || die - - eapply "${hpn_patchdir}" - - use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch" - - einfo "Patching Makefile.in for HPN patch set ..." - sed -i \ - -e "/^LIBS=/ s/\$/ -lpthread/" \ - "${S}"/Makefile.in || die "Failed to patch Makefile.in" - - einfo "Patching version.h to expose HPN patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \ - "${S}"/version.h || die "Failed to sed-in HPN patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_HPN' ) - - if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then - einfo "Disabling known non-working MT AES cipher per default ..." - - cat > "${T}"/disable_mtaes.conf <<- EOF - - # HPN's Multi-Threaded AES CTR cipher is currently known to be broken - # and therefore disabled per default. - DisableMTAES yes - EOF - sed -i \ - -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \ - "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config" - - sed -i \ - -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \ - "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config" - fi - fi - - if use X509 || use sctp || use hpn ; then - einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..." - sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)" - - einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..." - sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)" - - einfo "Patching version.h to add our patch sets to SSH_RELEASE ..." - sed -i \ - -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \ - "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)" - fi - eapply_user #473004 # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox @@ -283,11 +152,6 @@ src_prepare() { -e 's:-D_FORTIFY_SOURCE=2::' ) - # The -ftrapv flag ICEs on hppa #505182 - use hppa && sed_args+=( - -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' - -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' - ) # _XOPEN_SOURCE causes header conflicts on Solaris [[ ${CHOST} == *-solaris* ]] && sed_args+=( -e 's/-D_XOPEN_SOURCE//' @@ -325,15 +189,12 @@ src_configure() { --with-privsep-user=sshd $(use_with audit audit linux) $(use_with kerberos kerberos5 "${EPREFIX}"/usr) - # We apply the sctp patch conditionally, so can't pass --without-sctp - # unconditionally else we get unknown flag warnings. - $(use sctp && use_with sctp) $(use_with ldns) $(use_with libedit) $(use_with pam) $(use_with pie) $(use_with selinux) - $(usex X509 '' "$(use_with security-key security-key-builtin)") + $(use_with security-key security-key-builtin) $(use_with ssl openssl) $(use_with ssl ssl-engine) $(use_with !elibc_Cygwin hardening) #659210 @@ -380,39 +241,55 @@ tweak_ssh_configs() { LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE ) - # First the server config. - cat <<-EOF >> "${ED}"/etc/ssh/sshd_config + dodir /etc/ssh/ssh_config.d /etc/ssh/sshd_config.d + cat <<-EOF >> "${ED}"/etc/ssh/ssh_config || die + Include "${EPREFIX}/etc/ssh/ssh_config.d/*.conf" + EOF + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config || die + Include "${EPREFIX}/etc/ssh/sshd_config.d/*.conf" + EOF - # Allow client to pass locale environment variables. #367017 - AcceptEnv ${locale_vars[*]} + cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die + # Send locale environment variables (bug #367017) + SendEnv ${locale_vars[*]} - # Allow client to pass COLORTERM to match TERM. #658540 - AcceptEnv COLORTERM + # Send COLORTERM to match TERM (bug #658540) + SendEnv COLORTERM EOF - # Then the client config. - cat <<-EOF >> "${ED}"/etc/ssh/ssh_config + cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo-security.conf || die + RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts" + EOF - # Send locale environment variables. #367017 - SendEnv ${locale_vars[*]} + cat <<-EOF >> "${ED}"/etc/ssh/ssh_revoked_hosts || die + # https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/ + ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== + EOF - # Send COLORTERM to match TERM. #658540 - SendEnv COLORTERM + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die + # Allow client to pass locale environment variables (bug #367017) + AcceptEnv ${locale_vars[*]} + + # Allow client to pass COLORTERM to match TERM (bug #658540) + AcceptEnv COLORTERM EOF if use pam ; then - sed -i \ - -e "/^#UsePAM /s:.*:UsePAM yes:" \ - -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ - -e "/^#PrintMotd /s:.*:PrintMotd no:" \ - -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ - "${ED}"/etc/ssh/sshd_config || die + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo-pam.conf || die + UsePAM yes + # This interferes with PAM. + PasswordAuthentication no + # PAM can do its own handling of MOTD. + PrintMotd no + PrintLastLog no + EOF fi if use livecd ; then - sed -i \ - -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \ - "${ED}"/etc/ssh/sshd_config || die + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo-livecd.conf || die + # Allow root login with password on livecds. + PermitRootLogin Yes + EOF fi } @@ -430,9 +307,7 @@ src_install() { tweak_ssh_configs doman contrib/ssh-copy-id.1 - dodoc CREDITS OVERVIEW README* TODO sshd_config - use hpn && dodoc HPN-README - use X509 || dodoc ChangeLog + dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config diropts -m 0700 dodir /etc/skel/.ssh @@ -503,16 +378,4 @@ pkg_postinst() { elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" elog "and update all clients/servers that utilize them." fi - - if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then - elog "" - elog "HPN's multi-threaded AES CTR cipher is currently known to be broken" - elog "and therefore disabled at runtime per default." - elog "Make sure your sshd_config is up to date and contains" - elog "" - elog " DisableMTAES yes" - elog "" - elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher." - elog "" - fi } |