diff options
| author | V3n3RiX <venerix@redcorelinux.org> | 2017-10-09 18:53:29 +0100 |
|---|---|---|
| committer | V3n3RiX <venerix@redcorelinux.org> | 2017-10-09 18:53:29 +0100 |
| commit | 4f2d7949f03e1c198bc888f2d05f421d35c57e21 (patch) | |
| tree | ba5f07bf3f9d22d82e54a462313f5d244036c768 /net-misc/openssh | |
reinit the tree, so we can have metadata
Diffstat (limited to 'net-misc/openssh')
33 files changed, 4343 insertions, 0 deletions
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest new file mode 100644 index 000000000000..5f0612756b89 --- /dev/null +++ b/net-misc/openssh/Manifest @@ -0,0 +1,49 @@ +AUX openssh-6.7_p1-openssl-ignore-status.patch 765 SHA256 b068cc30d4bce5c457cea78233396c9793864ec909f810dd0be87d913673433a SHA512 ab15d6dfdb8d59946684501f6f30ac0eb82676855b7b57f19f2027a7ada072f9062fcb96911111a50cfc3838492faddd282db381ec83d22462644ccddccf0ae7 WHIRLPOOL c0a4ff69d65eeb40c1ace8d5be6f8e59044a8f16dc6b37e87393e79ab80935abf30a9d2a6babc043aba0477f5f79412e1ae5d373daba580178fd85ca1f60e60b +AUX openssh-7.3-mips-seccomp-n32.patch 634 SHA256 a3d63f394e9ea692a5a515983f1ce85d2ba79ea6e6b0fd5659e05a18b753316a SHA512 eba3e843d3714501a1df3161d02134c54c8ce584db3af698b87d303fc17c16635bd06db4d7c2d9bb47f461c3b211d870b480fd927f4563207e11c9ed2c446770 WHIRLPOOL d1f87fbfd24694617ef1a03a55ba8f32ac6ac8c62541208f754df41bb30065a9f1bba640a645d9ef184aae2f7b35759b84d2564f38f9ab130cc2d282be203f75 +AUX openssh-7.3_p1-GSSAPI-dns.patch 11137 SHA256 081c1cee62b43aae1d84ee67e3b510f0775081c9901c971a6f60a35bb92046f1 SHA512 70db76a409d5a11513f57c67671131b95c83164af2ecafa423986def42a1a2a31c4653d06f510b8c440a974e03f0acad8cbe20d5a17cfb2ed4598a9b8ae60b91 WHIRLPOOL bd3f32d7b795d9d5948d1a2d38a3e9fc6380369378988da095e096a54bf8c41209bfa7955c04b68b3966a30ca10fd522778d76a0621d0858639f3e09f075b708 +AUX openssh-7.3_p1-NEWKEYS_null_deref.patch 857 SHA256 0d612c16c7b1b3b45fbe1c1507c4e80cfe001ab4fd7fbcfc80fb9cecc893d94a SHA512 2230ddd7473feaa22544eae5c1074981e5ade322a22016f245ec3a6b3bf260104909021497a728fbfaf5dbd6e81269b9b815a3a3de2bf8104f7b3d1bdacbcc06 WHIRLPOOL b927971ec7c07a8d350690280d9766f71ebeb03fc6ffefa2457801abf160ee331ec3bafca02acc3697899d9e2a56ce7b01e68b745cb6f5b491d8b30aea0b9366 +AUX openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch 953 SHA256 76059e75ba5f5d00c6ac74aa12017e98d1b401efb9f1c6073fa8013e5fc4204a SHA512 c705b08fa269d21da261cc9fce2ebcc409e252064d789b63ba14685495e46cb472a81fa563a74c80e4bf76e4982fba98ff5329a037f1fa4f28c75b4db18e7691 WHIRLPOOL 826f2e520742f65e0e7a2f183917483f4dd96c2fc52360d3307c41cc307eddb434e8205c7665a65eadde2e20a7a4b71020d2925ea59518234da2cbda6afb2b3b +AUX openssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch 1088 SHA256 5841cc4a42238202d6fa3ee5fbccacbfad7156eb9d9b361d251f693443a0b672 SHA512 967da12f9d15e8347d9832a7fc90e378e42a49c6fb63c8ff3a28e66601c9dab64d5d43c8da34aa3fb08466088eb725abebb4efcef95b1aa0ada86cab27584106 WHIRLPOOL 50bb4bd2ff23d9aff94fa12755aebd91d0088691fb9899169e3018d91679f014f012d3b2d9c5b87a8c3edcaa2b8a19f9ec49c6803d95731f8020442840d26bbf +AUX openssh-7.3_p1-hpn-12-x509-9.2-glue.patch 1608 SHA256 9a85d7cd56be8276e6407fe70ea22554323143d57209e0881f6ec0cc16705765 SHA512 bbbeca5d683427347e9db8cdaa5c96bfdbae901245e508dec8927110e199798127b7c4df8ef2455c1fec53263d600c7957d5b55e1b78263776a45808b4c0b86a WHIRLPOOL 928a2603737c36a23d76145b0e11108645d13263ad955ad30de5a8ee7a008774cdb63ad144d141f7ed6f16f885ee427a7827ba7397a1cec465db3a32fd0ac215 +AUX openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch 7005 SHA256 44ae73966a98e0d7cf36f35b64472b62128040c86720a915b6e72ca269b72f13 SHA512 35cb90a5ebf85b31db902155a8d48a65d2734943cf46e2ac1fcbcb8a19e31d9bf6057ec3c0001a4cb14eac572e5d400087c3218c81df40146731472e406499d8 WHIRLPOOL ba47e8f157ecf448becef9f1c9dfb5bea9f6bd39b461c13cb265a7dc9fde31634a583db3849429ed27129e8c5e797eebe7141c310674126a9a0e2f232c92d8e1 +AUX openssh-7.3_p1-hpn-x509-9.2-glue.patch 1611 SHA256 7d04d19e62e688c9c12c25fd479933dd2c707f838ac810263dd1dc79a5ff55f1 SHA512 3604f0f1ea6c74b8418ac158df47910dfb2d54c7ce77f78f1a6c072acd20dc5751e24156acd9dda02aecaac250f43c8d968382f2f4b15b4706e4c4bde8ebde9a WHIRLPOOL b327a94c5b37da296caaa925bf13adf81ab3a53dffe691b33010b89b07366445613e553b4f486bacab658e2dcec143971001b4158f493e9b7e5bd427f0e072fb +AUX openssh-7.3_p1-sctp-x509-glue.patch 2447 SHA256 a6758b9bff99022b1aa1bc729fcdcc8e4e91d0a617c903d72964cc1fca1ea061 SHA512 f48c2bba7707542741e52f5d794aaafe4468d088e28bc02878c0eb9aa76d31b57dca69b85705f7a9a2d745272df3fdc39a1d13ba337cab34dd0e9d545cee7d41 WHIRLPOOL 77e2574065a78a0f7014213f5e5d64651d41f24c7652542589f1106a6a114cf27d9922ef2cddee9e62c0f0f118691d91ebe9dc4a0ae04654843f18bdd20e2cef +AUX openssh-7.3_p1-x509-9.2-warnings.patch 3060 SHA256 e7963f4946db01390831ee07a49c3a2291518b06144e95cfc47326c7209fa2e3 SHA512 f029d6f922e1632b32ac6e7b627378854f78c9d9b828dde37273b1b1a09167273fc6934bcb0653209b9e5ffd06c95d564d1bf5f1ea745993e19b062a4532f1c0 WHIRLPOOL cd4eb68bf861a50e9452c453c903946b8d067fd00171d39c6bad797d20c07631cda2379d9e41246bc93b22252a8d1bd55186e13ba492c7b8cf94048910f3a8a9 +AUX openssh-7.4_p1-GSSAPI-dns.patch 11137 SHA256 1bf065d8a8896df00d985edb232521f771e6ab0a95c6f25ceb66d23fe535a615 SHA512 6253a00644b68033f5cdba0b8a6abf5e9a6b82994a24acfd138e949ccfb0e3c5c2d58c5a94fa389d1e98ec30b07bcef048d0fb6665811376050b294986c4026a WHIRLPOOL a47626f3771494127fd5ebb1aca8d94af063d7397140f349825f4ccc7f4a5fc7ddd7f802741f0826e481f18c424d2da5763ced3b2ffcfe5c5cdb5eb41662d3a4 +AUX openssh-7.4_p1-test-bashism.patch 876 SHA256 b38f47e93db0bf6a06bb457356ce9d780e51566676d7f53e7c752e27b042c8c8 SHA512 52dda6053fe46ee42ea4ef7dad652ddfdd009ce4d165140115f965be2a8c4486652ad12b8653520f17ea7446508c08ce259eb0b906f7f5f558a3df1061e96de9 WHIRLPOOL 321cc39844460c088b3f29629d1f1439b5b323a38bcad042c010a66d14629c1d41ef6b7f8c54ab0b917b0683659c7a7fe7224d2627ecf4797ab570157535b934 +AUX openssh-7.5_p1-GSSAPI-dns.patch 11137 SHA256 e0b256646651edd7a4bf60ebe4cf2021d85a5f8f3d30393bd499655c0b0c64c1 SHA512 f84e1d3fdda7a534d9351884caaefc136be7599e735200f0393db0acad03a57abe6585f9402018b50e3454e6842c3281d630120d479ff819f591c4693252dd0e WHIRLPOOL 000276fe1e0cc9ac33da8974cc6e24803a69b3d63c20096a92d6d10206c6e27110bdcaa26c0dbd2e0d0feb501681a738d5adb9d57ae21c7c55f67396f8b26c0e +AUX openssh-7.5_p1-cross-cache.patch 1220 SHA256 693c6e28d4c1da71c67b64ef25d286f0d5128f9aebb3450283fa9ce6887186a7 SHA512 03cf3b5556fcf43c7053d1550c8aa35189759a0a2274a67427b28176ba7938b8d0019992de25fb614dc556c5f45a67649bb5d2d82889ac2c37edd986fc632550 WHIRLPOOL f7a04e19816cadce138a0beec4f1ad5f975773a1802fd1db245846ce8d5d6ec5ddfdcfa099e391172457a29eedb30c416dfa7bf4a56e99cfe507be00d2e1e718 +AUX openssh-7.5_p1-hpn-x509-10.1-glue.patch 2741 SHA256 77901da67a2bfdffbe426074bbb0416c82e99a8693103cd0e7738ed8e46c6aed SHA512 940dd448f6768bb3e94987eb86b6002d17d918310ad5c1f38f1b3fd9df263439e0fecb9c8f09c05649bfd03cb507c31ef9320522e946850e954ffdd44fdd4b73 WHIRLPOOL fcd828f9f8b1dee78308b663bbacf17ca4741c94df5e469cdd529dddc3ba266713413e035bb81c8a49d6df4ab67a865634e466b0b4e1fbad766833dbf2776e80 +AUX openssh-7.5_p1-hpn-x509-10.2-glue.patch 2847 SHA256 bddb645e4ffe6f710c10fae9bbebad33fab3bf3533d401ec54d7b8a26113f6a5 SHA512 bc23fdf5995ae38ff166f12f64082f79a2135ca28f2240e89bee42b1e3ba39ce94467ece9ddea99173f1829b09b069dbf56a0bce7dfd1ae5f63c12f73b5ffba7 WHIRLPOOL e80f6ece056cb77768e24585549a601076e57d8c143afb0c6fecd31176bccbdcc552fb98a28c6b2f68180c26c4855f2e99dd48b38d6753071b6b868d071b5e96 +AUX openssh-7.5_p1-x32-typo.patch 772 SHA256 17f2baad36e5b6d270d7377db4ebdf157f2eb3bc99d596c32a47d584a1040307 SHA512 20d19301873d4b8e908527f462f40c2f4a513d0bb89d4c7b885f9fc7eb5d483eea544eb108d87ff6aaa3d988d360c2029910c18f7125c96e8367485553f59a5e WHIRLPOOL 5141fd3a19575593f84890aaa84123373ffb81aa3e860cda2468c7578754acf0a5d8ce0ea9c5ab25a83574ad5b272b9240cdcb29724c3b7cbdc059518da8c609 +AUX openssh-7.5p1-x509-libressl.patch 7027 SHA256 8e9a7f0c891ae2324d756dc4fb93943eb39f3799d2dedccdcfdff0ad1c0067d6 SHA512 0b5fcb58ee55de7ce61bf2bcad23e4a5cdc941d81121bbf8f0dadf5e1e158c055f45a2ef1aebe8fcb1856a33e079282f4c9f21d9da6892808d7e3c172dca3365 WHIRLPOOL f5d43a4de22c70f75607f2d22251072f88d4715d207e74052f2009e6073706da2978ecb183e6c4c10cebd328ac924f33cc8cd149c7072cda3c2f084ec8ef9948 +AUX sshd.confd 396 SHA256 29c6d57ac3ec6018cadc6ba6cd9b90c9ed46e20049b970fdcc68ee2481a2ee41 SHA512 b9ae816af54a55e134a9307e376f05367b815f1b3fd545c2a2c312d18aedcf907f413e8bad8db980cdd9aad4011a72a79e1e94594f69500939a9cb46287f2f81 WHIRLPOOL 69f43e6192e009a4663d130f7e40ee8b13c6eb9cc7d960b5e0e22f5d477649c88806a9d219efef211f4346582c2bb51e40d230a8191e5953dbe08bfff976ae53 +AUX sshd.pam_include.2 156 SHA256 166136e27d653e0bf481a6ca79fecb7d9fa2fc3d597d041f97df595f65a8193c SHA512 d3f7e6ca8c9f2b5060ebccb259316bb59c9a7e158e8ef9466765a20db263a4043a590811f1a3ab072b718dbd70898bc69b77e0b19603d7f394b5ac1bd0a4a56c WHIRLPOOL ba7a0a8c3bb39c5fda69de34b822a19696398e0a8789211ac1faae787ee34f9639eb35efe29c67f874b5f9fe674742503e570f441c005974f4a0c93468b8970b +AUX sshd.rc6.4 2108 SHA256 43a483014bf177f9238e54a7b8210d5a76830beb67c18999409e543fd744c9e4 SHA512 fe58e950514743a72467233ff2f2a63112c50e5db843d61e141a5ca3dd8ef8f42a616cd9de7748ae582054c47c2cc38ce48b638e2d88be39c1387f77e79c83e1 WHIRLPOOL ef30b1e3a118b40617e3c1de6b4ebb360f466e90e18157a08d0ed50a4acb488eb7f6159120525e2b7e85393cd19b062c97188460ea51959467eb6ab52632d064 +AUX sshd.service 242 SHA256 1351c43fe8287f61255ace9fa20790f770d69296b4dd31b0c583983d4cc59843 SHA512 77f50c85a2c944995a39819916eb860cfdc1aff90986e93282e669a0de73c287ecb92d550fd118cfcc8ab538eab677e0d103b23cd959b7e8d9801bc37250c39c WHIRLPOOL 0f5c48d709274c526ceee4f26e35dcb00816ffa9d6661acc1e4e462acb38c3c6108b0e87783eff9da1b1868127c5550c57a5a0a9d7270b927ac4b92191876989 +AUX sshd.socket 136 SHA256 c055abcd10c5d372119cbc3708661ddffccdee7a1de1282559c54d03e2f109d9 SHA512 4d31d373b7bdae917dc0cf05418c71d4743e98e354aefcf055f88f55c9c644a5a0e0e605dbb8372c1b98d17c0ea1c8c0fee27d38ab8dbe23c7e420a6a78c6d42 WHIRLPOOL 102d87b708c31e5994e8005437c78b1aa756c6def4ee9ae2fa9be1438f328fc28c9152a4ff2528941be18f1311594490ecd98b66716ec74e970aa3725a98e2e5 +AUX sshd_at.service 176 SHA256 332f5ffc30456fe2494095c2aabd1e6e02075ce224e2d49708ac7ccf6d341998 SHA512 662a9c2668902633e6dbcb9435ac35bec3e224afdb2ab6a1df908618536ae9fc1958ba1d611e146c01fddb0c8f41eefdc26de78f45b7f165b1d6b2ee2f23be2a WHIRLPOOL aeb32351380dd674ef7a2e7b537f43116c189f7fddb8bdb8b2c109e9f62b0a73cc0f29f2d46270e658ab6409b8d3671ce9e0d0ba7c0d3674c2f85291a73e6df1 +DIST openssh-7.3_p1-hpn-14.10-r1.patch.xz 20584 SHA256 0bbbfeb1f9f975ad591ed4ec74927172c5299ec1a76210197c14575204efa85d SHA512 f0a1c84af85f7cfc7cb58b5117b3d0f57fc25ae0dd608e38b48ef42da43780fd5cf243d26ff9b3fbd6f4cb1567852b87bcb75f98791cf3ad1892e8579a7834d3 WHIRLPOOL b1a8bae14c8189745056c15c9ed45207aa06af1f4c598a1af7dc3cc56e47bd0211a63989a920727e20311a148bbcf3202c202eae94cd1512c7d87816a9f44bcb +DIST openssh-7.3_p1-sctp.patch.xz 9968 SHA256 18c3db45ed1e5495db29626938d8432aee509e88057494f052cfc09d40824c7f SHA512 f249b76898af0c6f1f65f2a1cfb422648aa712818d0dc051b85a171f26bdddf7980fff5de7761161aa41c309e528b3801b4234f5cdd9f79f8eef173ae83f1e3c WHIRLPOOL 1d92b969154b77d8ce9e3a6d0302aa17ec95e2d5ea4de72c0fb5680a8ee12f518ee5b1c47f22ad5d1a923a74c43829ed36cf478fe75fe400de967ab48d93dc99 +DIST openssh-7.3p1+x509-9.2.diff.gz 588078 SHA256 45f054cbb2b77ac8cc7ab01439e34083382137d47b840ca274555b7e2cf7098b SHA512 fab0da148b0833a651e8a7c36f344aacecef6fa92f8f1cb6302272d98c1ab018831f5850dcaa8f54a39f9ada9b7d5b0a0ea01defc3c6f603bbe211f6bff6a841 WHIRLPOOL 53f63d879f563909c57d23ced273e23eda1eace2a2ddfd54edf5f2ef15218cc7e5d927e54714b6850db541f361c459de50d79b0a4516b43ce4cba8eb66b49485 +DIST openssh-7.3p1-hpnssh14v12.tar.xz 23448 SHA256 45b8e10f731f160ea44126bf64314d850048d98059dc22f89b3f14f46f0dcc67 SHA512 f1ee37dfd1b717963ae519b725d481de2486c9c94fd80ccd12da2ac00d13be7b6e0284a1e9239a4704014810c086eaaa81cd02344372c65d0122a3eb1c2be83c WHIRLPOOL 1fdb4e99f9d6450af73a1202c2f80d4be454fbeab723a1cf833a37fc040dc8ede592129d4e4087cf247095dbf5fa782286ab0338fe8a55675efb4ea9bfaf651c +DIST openssh-7.3p1.tar.gz 1522617 SHA256 3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc SHA512 7ba2d6140f38bd359ebf32ef17626e0ae1c00c3a38c01877b7c6b0317d030f10a8f82a0a51fc3b6273619de9ed73e24b8cf107b1e968f927053a3bedf97ff801 WHIRLPOOL f852026638d173d455f74e3fce16673fc4b10f32d954d5bb8c7c65df8d1ca7efd0938177dd9fb6e1f7354383f21c7bca8a2f01e89793e32f8ca68c30456a611c +DIST openssh-7.4_p1-sctp.patch.xz 8220 SHA256 18fa77f79ccae8b9a76bc877e9602113d91953bd487b6cc8284bfd1217438a23 SHA512 0c199e3b26949482125aeaa88216b2458292589e3eac8908d9134d13a1cae891094fcb0f752ed3009b3126cc72277b460205f39140c251792eb1b545271c3bd4 WHIRLPOOL 0f0ea1d36523b35d3be33d22fb84daa05fd14c464d69c19695235f81d26326bc53d6804bf34d0cc0c2584f412bfdac361d2b018032447d1033a4ff4fd9458a09 +DIST openssh-7.4p1+x509-9.3.diff.gz 446572 SHA256 1d3fd23b3d02a3baad50890bf5498ef01af6dab6375da0aeb00a0d59fd3ac9ee SHA512 7ebc8d1f6ec36d652bbb6fb13d6d86f7db1abf8710af7b56c52fad9a18d73c9028a3307daabfdda26483a3bd9196120f6d18b6fb2c89b597b0a9ad0554161dfc WHIRLPOOL f878346a3154b7dbb01de41830d5857064af96d3a709aed40a112fe9aaadbe4801e5c3a22a1d2c8437b74a890596211be37e26d691ff611981d7375d262598c1 +DIST openssh-7.4p1.tar.gz 1511780 SHA256 1b1fc4a14e2024293181924ed24872e6f2e06293f3e8926a376b8aec481f19d1 SHA512 4f3256f461f01366c5d5e0e45285eec65016e2643b3284b407f48f53d81087bf2c1caf7d5f7530d307a15c91c64de91446e1cba948e8fc68f82098290fe3b292 WHIRLPOOL 4ed9a277287d1f5c2fd371b53394d6dde36b25adf92d4b6b5b486a9d448648f2ecfbb721ae39ba8a129913c1148aa4db1e99f7960a7c69fa215dfa7b3b126029 +DIST openssh-7.5p1+x509-10.1.diff.gz 460721 SHA256 e7abe401e7f651779c680491cfefbfcf4f26743202641b2bda934f80bb4464d2 SHA512 d3b5a8f5e3a88eda7989b002236811867b7e2c39bf7cd29a6dbbce277fca3fbedbfdbeaf1fba7d8c19f3dea32a17790e90604765f18576bcc5627a9c1d39109c WHIRLPOOL 2d4f96b47bcde9eabd19cad2fdc4da01a3d207f6ad5f4f1ea5a7dbd708d61783ae6a53e4cb622feed838106f57dbe6a7ecd1b41426325870378caf44803ff9ef +DIST openssh-7.5p1+x509-10.2.diff.gz 467040 SHA256 24d5c1949d245b432abf2db6c28554a09bcffdcb4f4247826c0a33bdbee8b92c SHA512 ec760d38771749d09afc8d720120ea2aa065c1c7983898b45dba74a4411f7e61e7705da226864e1e8e62e2261eecc3a4ab654b528c71512a07798824d9fb1a9a WHIRLPOOL 3291a3e39b1a47efe149cdf805de11217fd55c4260477f2a6c6cc0bfa376b98a5dc7f56a49ae184fb57bae6226c73d1794db7b2285e3ea26a8fea4bc9304655b +DIST openssh-7.5p1-hpnssh14v12.tar.xz 23068 SHA256 8a1ed99c121a4ad21d7a26cd32627a8dd51595fd3ee9f95dc70e6b50fe779ce2 SHA512 45c42090a212b9ce898fbaa8284ddf0f0d17236af13c4a780e00bf265b0c7a4286027e90a7ce9ad70066309db722709dd2f0a7914f57e5364ffbaf7c4859cdf9 WHIRLPOOL 6089ad8ae16c112a6f15d168c092e7f057b9e6d815724346b5a6a1cd0de932f779d5f410d48c904d935fcb3bad3f597fa4de075ab1f49cadc9842ce7bd8fdf42 +DIST openssh-7.5p1.tar.gz 1510857 SHA256 9846e3c5fab9f0547400b4d2c017992f914222b3fd1f8eee6c7dc6bc5e59f9f0 SHA512 58c542e8a110fb4316a68db94abb663fa1c810becd0638d45281df8aeca62c1f705090437a80e788e6c29121769b72a505feced537d3118c933fde01b5285c81 WHIRLPOOL 1a42c68d8e350bc4790dd4c1a98dd6571bfa353ad6871b1462c53b6412f752719daabd1a13bb4434d294de966a00428ac66334bab45f371420029b5e34a6914c +DIST openssh-lpk-7.3p1-0.3.14.patch.xz 17800 SHA256 cf1f60235cb8b0e561cd36cbf9e4f437e16fd748c2616d3f511c128c02deb76c SHA512 e9a73c5f13e41f6e11c744fdbcdb2e399c394479f79249e901cb3c101efb06f23d51d3ba4869db872184fa034a5910fc93a730fe906266c8d7409e39ad5b1ecd WHIRLPOOL bbdeadbed8f901148713bd9e4a082a4be2992c3151f995febd8be89bbb85d91185e1f0413b5a94a9340f2f404d18c9cee2aa6e032adaee0306aa1c624f6cc09c +DIST openssh-lpk-7.4p1-0.3.14.patch.xz 17076 SHA256 3a5e4104507d259ad15391136322ea5d067d7932199bbafde5cb478daf3595ad SHA512 1c91de291816ee0bb29ed3a2ffc42fb6fb4ba27a8616f8bd50accdf31d1fecc9b4fb3de6fb1ea6e722b69eb8cab68030ade87e126a4112667d14f3c2ef07d6cd WHIRLPOOL ea27224da952c6fe46b974a0e73d01e872a963e7e7cc7e9887a423357fb4ff82f4513ce48b6bbf7136afa8447bc6d93daa817cf5b2e24cb39dba15cbcff6d2cc +DIST openssh-lpk-7.5p1-0.3.14.patch.xz 17040 SHA256 11060be996b291b8d78de698c68a92428430e4ff440553f5045c6de5c0e1dab3 SHA512 9ce5d7e5d831c972f0f866b686bf93a048a03979ab38627973f5491eeeaa45f9faab0520b3a7ed90a13a67213fdc9cd4cf11e423acad441ea91b71037c8b435b WHIRLPOOL 58526777475786bb5efa193f3a3ec0500c4d48b18fef67698f8b1999cb07f04fbca7b7d3ece469f3a1e1ceca5152cdd08d3dbe7cfa4e7494740dc2c233101b93 +EBUILD openssh-7.3_p1-r7.ebuild 11515 SHA256 7c6f3448a9b16c77c6a2f7acc86f59795b7f92a20c1067c2af99eea0c9ac2afb SHA512 4fa3c73930343d65bdfbf670b226ecd66f594b0f583ce358d7b95f5f471e695c31c0bff6935509634da5d1519ec343bf5c1b394fdb62ae024cb9173a752fe14d WHIRLPOOL 5d4ed15dc34f81930b02f0853674feb03cd82ae3bd2e30e7908d9a37ddab4e3e4f8b9fbd4adeec477ae5dd48cbcb9b2c6dec9c05d023638864209162e0bdfc14 +EBUILD openssh-7.3_p1-r8.ebuild 11180 SHA256 1c80b551a6d623356be07e915f5c0b91dbb0b10c28ce8549d3f2c2f742efc11c SHA512 b0b4f48d66c64ee4cbb9f759aae82d9d01ff7c6d135b42dcd9c6538345033bd9ae05ec25eaaf6301fe8f95aef9cb9728932187e25c5f4fe07f57f932bbfeb3ec WHIRLPOOL 71028fa8ceb091ca99984a998c69018cf955ec3bd3bdc7fd503decf81d18cf2ced0b88ea69b1b22ff1ce7f6cf0cd001fdba5550924045cd9fc33feeadb715de3 +EBUILD openssh-7.4_p1.ebuild 10816 SHA256 982d991c9f2ab8d22dade9ba907dde422cd101f623cdeeae0c46144a6da47e08 SHA512 9989e23b6889ab4141aa88510abf41b0da4f49bb5be8e8b4e3474e317d42df5d953e7d0bab7ce282b2db87ff4053a5d21cb859fa63cd702f945052a8b7f056bf WHIRLPOOL 7ccccf459cfef4be505f7bdaf2f4674f5a51395394f23050b8c8e0c2699b9c5068e4e8d4c25af407330ce201a620d945d5d051751af13485f37b85463049f83f +EBUILD openssh-7.5_p1-r1.ebuild 11026 SHA256 4454081691292f2bc218292e09724693fb1b9fc54e65d31042a93bf329728a96 SHA512 2441bff83bba61ead49ce69f7682d6ff9e6629eebc7dd9208da86043c07519a4ee1b9639b5ab22b04298b214ef8ccf94149269d3980d5d48ed01bfde409e015d WHIRLPOOL a0e20cbbe1899a18697e64f33c2bf8d4f9ae51c777032d2f994eda31dc70ac6c0a66c65a9fc46783419656554ac6098b32bb27132becb284c8ccfbdc36e44aff +EBUILD openssh-7.5_p1-r2.ebuild 10966 SHA256 9aa4c233f5832ae36ea3c793828d240577f37ae96b28d3cf60c62df51623e15d SHA512 a461598a75ecb04c04c1c7e7bac216bb8a0e47ea493e8ce95d1545e96f9d0109cfd63b8be3845f31ba53b6d54e2ca99a9416c94ac9428c51666475a0ae65d3ef WHIRLPOOL a97c29508e3359d1d26d7c6f470fd96194e55fa4564e6692153385d839c5f64d37788026ba6123d8350615a515246404ef691ab6bcf079fe1e3ac8d6b05bfde3 +EBUILD openssh-7.5_p1.ebuild 10806 SHA256 cfbe54b70f9b7bf4d32a98e4acd0d44e273082b398b3e0fb5e1015e1254ce692 SHA512 a7f06a2e84bc82558be72df76f94bb08dae445a9ed83cf8641894e1727b5c8e4f3d43a1f68d28d8b8dd8faa4ec8a34174ca7adb15509bb181e92eb3dd6f6a53b WHIRLPOOL 97a3625286cddda0045e1609f5054ed21faa168f7f19afd582cd85aa7d7baf6cb15c22ecdbbf9c54aa1ae16793bd719d314cf9b7d5753b7a3f6f455ed6e938b2 +MISC ChangeLog 25370 SHA256 ad091426a190d89906e9f866e3f9545599b156b39e4b0feeb4f862997faab147 SHA512 cff2020279e7738e82fd0202b0e6de74c837d64a95f931c5ba159a8cc557f596d4b750c1527b96b9a74a8ec16bdaf0ed51457d074046f8049fdf262599394644 WHIRLPOOL ddb4f6ea4aa8051dac3da94bd4ffd94168d4e2cf2030de7841f10384c17f2e803847ccb6777c92ea5e48ce9b65d0bb5d9c77d04aa8e34fcc8fd5cfce04d8e304 +MISC ChangeLog-2015 95783 SHA256 53b51ee42a1faf42d80733382986e4fd606366b7bb6350c76f44df851e071890 SHA512 95a4f4243cb8cd8901208adc3632e191ab27a5ea2ce947e832264833262d8bd1e74a7e4f3545d6f2da8d2b473a59cfc7014aa88d5b0ea30e348c4f5d9323c8e5 WHIRLPOOL 5b56a38ddcf0308b681fc1c1fe8107c37ea1385e30ebc435d22f73c38947f9afdbb37ffb1c22bc48c83117cb91b946831cd83bab2807c248292fd2822002f828 +MISC metadata.xml 2212 SHA256 50f6e3651c8aeb86cfe90d92cef6a2b55640c400584f5fdbb6418cef7ac16f25 SHA512 958845fbdfb4f1d267fdbc3a005c6338da54c6a0715180a1982416a841ab4865c536de5f10bb8493d07830e182786d0c3f2ac710c9168434b3d077a59ed2ddd5 WHIRLPOOL 6d1080bc5c3b10a63836b5286d0d66b925a9d27d35e9855c9f966445458c1d6a752854d019c1740420ea78aef6f60105bef4c771fe61a95aae898034cf100705 diff --git a/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch b/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch new file mode 100644 index 000000000000..fa33af39b6f8 --- /dev/null +++ b/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch @@ -0,0 +1,17 @@ +the last nibble of the openssl version represents the status. that is, +whether it is a beta or release. when it comes to version checks in +openssh, this component does not matter, so ignore it. + +https://bugzilla.mindrot.org/show_bug.cgi?id=2212 + +--- a/openbsd-compat/openssl-compat.c ++++ b/openbsd-compat/openssl-compat.c +@@ -58,7 +58,7 @@ ssh_compatible_openssl(long headerver, long libver) + * For versions >= 1.0.0, major,minor,status must match and library + * fix version must be equal to or newer than the header. + */ +- mask = 0xfff0000fL; /* major,minor,status */ ++ mask = 0xfff00000L; /* major,minor,status */ + hfix = (headerver & 0x000ff000) >> 12; + lfix = (libver & 0x000ff000) >> 12; + if ( (headerver & mask) == (libver & mask) && lfix >= hfix) diff --git a/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch b/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch new file mode 100644 index 000000000000..7eaadaf11cda --- /dev/null +++ b/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch @@ -0,0 +1,21 @@ +https://bugs.gentoo.org/591392 +https://bugzilla.mindrot.org/show_bug.cgi?id=2590 + +7.3 added seccomp support to MIPS, but failed to handled the N32 +case. This patch is temporary until upstream fixes. + +--- openssh-7.3p1/configure.ac ++++ openssh-7.3p1/configure.ac +@@ -816,10 +816,10 @@ main() { if (NSVersionOfRunTimeLibrary(" + seccomp_audit_arch=AUDIT_ARCH_MIPSEL + ;; + mips64-*) +- seccomp_audit_arch=AUDIT_ARCH_MIPS64 ++ seccomp_audit_arch=AUDIT_ARCH_MIPS64N32 + ;; + mips64el-*) +- seccomp_audit_arch=AUDIT_ARCH_MIPSEL64 ++ seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32 + ;; + esac + if test "x$seccomp_audit_arch" != "x" ; then diff --git a/net-misc/openssh/files/openssh-7.3_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-7.3_p1-GSSAPI-dns.patch new file mode 100644 index 000000000000..806b36d0ca94 --- /dev/null +++ b/net-misc/openssh/files/openssh-7.3_p1-GSSAPI-dns.patch @@ -0,0 +1,351 @@ +http://bugs.gentoo.org/165444 +https://bugzilla.mindrot.org/show_bug.cgi?id=1008 + +--- a/readconf.c ++++ b/readconf.c +@@ -148,6 +148,7 @@ + oClearAllForwardings, oNoHostAuthenticationForLocalhost, + oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, + oAddressFamily, oGssAuthentication, oGssDelegateCreds, ++ oGssTrustDns, + oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, + oSendEnv, oControlPath, oControlMaster, oControlPersist, + oHashKnownHosts, +@@ -194,9 +195,11 @@ + #if defined(GSSAPI) + { "gssapiauthentication", oGssAuthentication }, + { "gssapidelegatecredentials", oGssDelegateCreds }, ++ { "gssapitrustdns", oGssTrustDns }, + #else + { "gssapiauthentication", oUnsupported }, + { "gssapidelegatecredentials", oUnsupported }, ++ { "gssapitrustdns", oUnsupported }, + #endif + { "fallbacktorsh", oDeprecated }, + { "usersh", oDeprecated }, +@@ -930,6 +933,10 @@ + intptr = &options->gss_deleg_creds; + goto parse_flag; + ++ case oGssTrustDns: ++ intptr = &options->gss_trust_dns; ++ goto parse_flag; ++ + case oBatchMode: + intptr = &options->batch_mode; + goto parse_flag; +@@ -1649,6 +1656,7 @@ + options->challenge_response_authentication = -1; + options->gss_authentication = -1; + options->gss_deleg_creds = -1; ++ options->gss_trust_dns = -1; + options->password_authentication = -1; + options->kbd_interactive_authentication = -1; + options->kbd_interactive_devices = NULL; +@@ -1779,6 +1787,8 @@ + options->gss_authentication = 0; + if (options->gss_deleg_creds == -1) + options->gss_deleg_creds = 0; ++ if (options->gss_trust_dns == -1) ++ options->gss_trust_dns = 0; + if (options->password_authentication == -1) + options->password_authentication = 1; + if (options->kbd_interactive_authentication == -1) +--- a/readconf.h ++++ b/readconf.h +@@ -46,6 +46,7 @@ + /* Try S/Key or TIS, authentication. */ + int gss_authentication; /* Try GSS authentication */ + int gss_deleg_creds; /* Delegate GSS credentials */ ++ int gss_trust_dns; /* Trust DNS for GSS canonicalization */ + int password_authentication; /* Try password + * authentication. */ + int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ +--- a/ssh_config.5 ++++ b/ssh_config.5 +@@ -830,6 +830,16 @@ + Forward (delegate) credentials to the server. + The default is + .Dq no . ++Note that this option applies to protocol version 2 connections using GSSAPI. ++.It Cm GSSAPITrustDns ++Set to ++.Dq yes to indicate that the DNS is trusted to securely canonicalize ++the name of the host being connected to. If ++.Dq no, the hostname entered on the ++command line will be passed untouched to the GSSAPI library. ++The default is ++.Dq no . ++This option only applies to protocol version 2 connections using GSSAPI. + .It Cm HashKnownHosts + Indicates that + .Xr ssh 1 +--- a/sshconnect2.c ++++ b/sshconnect2.c +@@ -656,6 +656,13 @@ + static u_int mech = 0; + OM_uint32 min; + int ok = 0; ++ const char *gss_host; ++ ++ if (options.gss_trust_dns) { ++ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns); ++ gss_host = auth_get_canonical_hostname(active_state, 1); ++ } else ++ gss_host = authctxt->host; + + /* Try one GSSAPI method at a time, rather than sending them all at + * once. */ +@@ -668,7 +674,7 @@ + /* My DER encoding requires length<128 */ + if (gss_supported->elements[mech].length < 128 && + ssh_gssapi_check_mechanism(&gssctxt, +- &gss_supported->elements[mech], authctxt->host)) { ++ &gss_supported->elements[mech], gss_host)) { + ok = 1; /* Mechanism works */ + } else { + mech++; + +need to move these two funcs back to canohost so they're available to clients +and the server. auth.c is only used in the server. + +--- a/auth.c ++++ b/auth.c +@@ -784,117 +784,3 @@ fakepw(void) + + return (&fake); + } +- +-/* +- * Returns the remote DNS hostname as a string. The returned string must not +- * be freed. NB. this will usually trigger a DNS query the first time it is +- * called. +- * This function does additional checks on the hostname to mitigate some +- * attacks on legacy rhosts-style authentication. +- * XXX is RhostsRSAAuthentication vulnerable to these? +- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) +- */ +- +-static char * +-remote_hostname(struct ssh *ssh) +-{ +- struct sockaddr_storage from; +- socklen_t fromlen; +- struct addrinfo hints, *ai, *aitop; +- char name[NI_MAXHOST], ntop2[NI_MAXHOST]; +- const char *ntop = ssh_remote_ipaddr(ssh); +- +- /* Get IP address of client. */ +- fromlen = sizeof(from); +- memset(&from, 0, sizeof(from)); +- if (getpeername(ssh_packet_get_connection_in(ssh), +- (struct sockaddr *)&from, &fromlen) < 0) { +- debug("getpeername failed: %.100s", strerror(errno)); +- return strdup(ntop); +- } +- +- ipv64_normalise_mapped(&from, &fromlen); +- if (from.ss_family == AF_INET6) +- fromlen = sizeof(struct sockaddr_in6); +- +- debug3("Trying to reverse map address %.100s.", ntop); +- /* Map the IP address to a host name. */ +- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), +- NULL, 0, NI_NAMEREQD) != 0) { +- /* Host name not found. Use ip address. */ +- return strdup(ntop); +- } +- +- /* +- * if reverse lookup result looks like a numeric hostname, +- * someone is trying to trick us by PTR record like following: +- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 +- */ +- memset(&hints, 0, sizeof(hints)); +- hints.ai_socktype = SOCK_DGRAM; /*dummy*/ +- hints.ai_flags = AI_NUMERICHOST; +- if (getaddrinfo(name, NULL, &hints, &ai) == 0) { +- logit("Nasty PTR record \"%s\" is set up for %s, ignoring", +- name, ntop); +- freeaddrinfo(ai); +- return strdup(ntop); +- } +- +- /* Names are stored in lowercase. */ +- lowercase(name); +- +- /* +- * Map it back to an IP address and check that the given +- * address actually is an address of this host. This is +- * necessary because anyone with access to a name server can +- * define arbitrary names for an IP address. Mapping from +- * name to IP address can be trusted better (but can still be +- * fooled if the intruder has access to the name server of +- * the domain). +- */ +- memset(&hints, 0, sizeof(hints)); +- hints.ai_family = from.ss_family; +- hints.ai_socktype = SOCK_STREAM; +- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { +- logit("reverse mapping checking getaddrinfo for %.700s " +- "[%s] failed.", name, ntop); +- return strdup(ntop); +- } +- /* Look for the address from the list of addresses. */ +- for (ai = aitop; ai; ai = ai->ai_next) { +- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, +- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && +- (strcmp(ntop, ntop2) == 0)) +- break; +- } +- freeaddrinfo(aitop); +- /* If we reached the end of the list, the address was not there. */ +- if (ai == NULL) { +- /* Address not found for the host name. */ +- logit("Address %.100s maps to %.600s, but this does not " +- "map back to the address.", ntop, name); +- return strdup(ntop); +- } +- return strdup(name); +-} +- +-/* +- * Return the canonical name of the host in the other side of the current +- * connection. The host name is cached, so it is efficient to call this +- * several times. +- */ +- +-const char * +-auth_get_canonical_hostname(struct ssh *ssh, int use_dns) +-{ +- static char *dnsname; +- +- if (!use_dns) +- return ssh_remote_ipaddr(ssh); +- else if (dnsname != NULL) +- return dnsname; +- else { +- dnsname = remote_hostname(ssh); +- return dnsname; +- } +-} +--- a/canohost.c ++++ b/canohost.c +@@ -202,3 +202,117 @@ get_local_port(int sock) + { + return get_sock_port(sock, 1); + } ++ ++/* ++ * Returns the remote DNS hostname as a string. The returned string must not ++ * be freed. NB. this will usually trigger a DNS query the first time it is ++ * called. ++ * This function does additional checks on the hostname to mitigate some ++ * attacks on legacy rhosts-style authentication. ++ * XXX is RhostsRSAAuthentication vulnerable to these? ++ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) ++ */ ++ ++static char * ++remote_hostname(struct ssh *ssh) ++{ ++ struct sockaddr_storage from; ++ socklen_t fromlen; ++ struct addrinfo hints, *ai, *aitop; ++ char name[NI_MAXHOST], ntop2[NI_MAXHOST]; ++ const char *ntop = ssh_remote_ipaddr(ssh); ++ ++ /* Get IP address of client. */ ++ fromlen = sizeof(from); ++ memset(&from, 0, sizeof(from)); ++ if (getpeername(ssh_packet_get_connection_in(ssh), ++ (struct sockaddr *)&from, &fromlen) < 0) { ++ debug("getpeername failed: %.100s", strerror(errno)); ++ return strdup(ntop); ++ } ++ ++ ipv64_normalise_mapped(&from, &fromlen); ++ if (from.ss_family == AF_INET6) ++ fromlen = sizeof(struct sockaddr_in6); ++ ++ debug3("Trying to reverse map address %.100s.", ntop); ++ /* Map the IP address to a host name. */ ++ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), ++ NULL, 0, NI_NAMEREQD) != 0) { ++ /* Host name not found. Use ip address. */ ++ return strdup(ntop); ++ } ++ ++ /* ++ * if reverse lookup result looks like a numeric hostname, ++ * someone is trying to trick us by PTR record like following: ++ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 ++ */ ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_socktype = SOCK_DGRAM; /*dummy*/ ++ hints.ai_flags = AI_NUMERICHOST; ++ if (getaddrinfo(name, NULL, &hints, &ai) == 0) { ++ logit("Nasty PTR record \"%s\" is set up for %s, ignoring", ++ name, ntop); ++ freeaddrinfo(ai); ++ return strdup(ntop); ++ } ++ ++ /* Names are stored in lowercase. */ ++ lowercase(name); ++ ++ /* ++ * Map it back to an IP address and check that the given ++ * address actually is an address of this host. This is ++ * necessary because anyone with access to a name server can ++ * define arbitrary names for an IP address. Mapping from ++ * name to IP address can be trusted better (but can still be ++ * fooled if the intruder has access to the name server of ++ * the domain). ++ */ ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = from.ss_family; ++ hints.ai_socktype = SOCK_STREAM; ++ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { ++ logit("reverse mapping checking getaddrinfo for %.700s " ++ "[%s] failed.", name, ntop); ++ return strdup(ntop); ++ } ++ /* Look for the address from the list of addresses. */ ++ for (ai = aitop; ai; ai = ai->ai_next) { ++ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, ++ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && ++ (strcmp(ntop, ntop2) == 0)) ++ break; ++ } ++ freeaddrinfo(aitop); ++ /* If we reached the end of the list, the address was not there. */ ++ if (ai == NULL) { ++ /* Address not found for the host name. */ ++ logit("Address %.100s maps to %.600s, but this does not " ++ "map back to the address.", ntop, name); ++ return strdup(ntop); ++ } ++ return strdup(name); ++} ++ ++/* ++ * Return the canonical name of the host in the other side of the current ++ * connection. The host name is cached, so it is efficient to call this ++ * several times. ++ */ ++ ++const char * ++auth_get_canonical_hostname(struct ssh *ssh, int use_dns) ++{ ++ static char *dnsname; ++ ++ if (!use_dns) ++ return ssh_remote_ipaddr(ssh); ++ else if (dnsname != NULL) ++ return dnsname; ++ else { ++ dnsname = remote_hostname(ssh); ++ return dnsname; ++ } ++} diff --git a/net-misc/openssh/files/openssh-7.3_p1-NEWKEYS_null_deref.patch b/net-misc/openssh/files/openssh-7.3_p1-NEWKEYS_null_deref.patch new file mode 100644 index 000000000000..784cd2aa7efb --- /dev/null +++ b/net-misc/openssh/files/openssh-7.3_p1-NEWKEYS_null_deref.patch @@ -0,0 +1,29 @@ +https://bugs.gentoo.org/595342 + +Backport of +https://anongit.mindrot.org/openssh.git/patch/?id=28652bca29046f62c7045e933e6b931de1d16737 + +--- openssh-7.3p1/kex.c ++++ openssh-7.3p1/kex.c +@@ -419,6 +419,8 @@ + ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error); + if ((r = sshpkt_get_end(ssh)) != 0) + return r; ++ if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0) ++ return r; + kex->done = 1; + sshbuf_reset(kex->peer); + /* sshbuf_reset(kex->my); */ +--- openssh-7.3p1/packet.c ++++ openssh-7.3p1/packet.c +@@ -1919,9 +1919,7 @@ + return r; + return SSH_ERR_PROTOCOL_ERROR; + } +- if (*typep == SSH2_MSG_NEWKEYS) +- r = ssh_set_newkeys(ssh, MODE_IN); +- else if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side) ++ if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side) + r = ssh_packet_enable_delayed_compress(ssh); + else + r = 0; diff --git a/net-misc/openssh/files/openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch b/net-misc/openssh/files/openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch new file mode 100644 index 000000000000..8603601ca7b6 --- /dev/null +++ b/net-misc/openssh/files/openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch @@ -0,0 +1,32 @@ +https://bugs.gentoo.org/597360 + +From ec165c392ca54317dbe3064a8c200de6531e89ad Mon Sep 17 00:00:00 2001 +From: "markus@openbsd.org" <markus@openbsd.org> +Date: Mon, 10 Oct 2016 19:28:48 +0000 +Subject: [PATCH] upstream commit + +Unregister the KEXINIT handler after message has been +received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause +allocation of up to 128MB -- until the connection is closed. Reported by +shilei-c at 360.cn + +Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05 +--- + kex.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kex.c b/kex.c +index 3f97f8c00919..6a94bc535bd7 100644 +--- a/kex.c ++++ b/kex.c +@@ -481,6 +481,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt) + if (kex == NULL) + return SSH_ERR_INVALID_ARGUMENT; + ++ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL); + ptr = sshpkt_ptr(ssh, &dlen); + if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0) + return r; +-- +2.11.0.rc2 + diff --git a/net-misc/openssh/files/openssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch b/net-misc/openssh/files/openssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch new file mode 100644 index 000000000000..7fb0d8069b94 --- /dev/null +++ b/net-misc/openssh/files/openssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch @@ -0,0 +1,34 @@ +https://bugs.gentoo.org/592122 + +From e600348a7afd6325cc5cd783cb424065cbc20434 Mon Sep 17 00:00:00 2001 +From: "dtucker@openbsd.org" <dtucker@openbsd.org> +Date: Wed, 3 Aug 2016 04:23:55 +0000 +Subject: [PATCH] upstream commit + +Fix bug introduced in rev 1.467 which causes +"buffer_get_bignum_ret: incomplete message" errors when built with WITH_SSH1 +and run such that no Protocol 1 ephemeral host key is generated (eg "Protocol +2", no SSH1 host key supplied). Reported by rainer.laatsch at t-online.de, +ok deraadt@ + +Upstream-ID: aa6b132da5c325523aed7989cc5a320497c919dc +--- + sshd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sshd.c b/sshd.c +index 799c7711f49c..9fc829a91bc8 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -1071,7 +1071,7 @@ send_rexec_state(int fd, struct sshbuf *conf) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + } else + #endif +- if ((r = sshbuf_put_u32(m, 1)) != 0) ++ if ((r = sshbuf_put_u32(m, 0)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + + #if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY) +-- +2.11.0.rc2 + diff --git a/net-misc/openssh/files/openssh-7.3_p1-hpn-12-x509-9.2-glue.patch b/net-misc/openssh/files/openssh-7.3_p1-hpn-12-x509-9.2-glue.patch new file mode 100644 index 000000000000..0602307128f0 --- /dev/null +++ b/net-misc/openssh/files/openssh-7.3_p1-hpn-12-x509-9.2-glue.patch @@ -0,0 +1,39 @@ +--- a/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch ++++ b/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch +@@ -1155,7 +1155,7 @@ + @@ -44,7 +44,7 @@ + LD=@LD@ + CFLAGS=@CFLAGS@ +- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ ++ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ + -LIBS=@LIBS@ + +LIBS=@LIBS@ -lpthread + K5LIBS=@K5LIBS@ +--- a/0004-support-dynamically-sized-receive-buffers.patch ++++ b/0004-support-dynamically-sized-receive-buffers.patch +@@ -2144,9 +2144,9 @@ + @@ -527,10 +555,10 @@ send_client_banner(int connection_out, int minor1) + /* Send our own protocol version identification. */ + if (compat20) { +- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", +-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION); +-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE); ++ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n", ++- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509); +++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, SSH_X509); + } else { + xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n", + - PROTOCOL_MAJOR_1, minor1, SSH_VERSION); +@@ -2163,9 +2163,9 @@ + @@ -432,7 +432,7 @@ + } + +- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", +-- major, minor, SSH_VERSION, +-+ major, minor, SSH_RELEASE, ++ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s", ++- major, minor, SSH_VERSION, comment, +++ major, minor, SSH_RELEASE, comment, + *options.version_addendum == '\0' ? "" : " ", + options.version_addendum, newline); + diff --git a/net-misc/openssh/files/openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch b/net-misc/openssh/files/openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch new file mode 100644 index 000000000000..9cc7b61a6ab5 --- /dev/null +++ b/net-misc/openssh/files/openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch @@ -0,0 +1,245 @@ +diff --git a/cipher-ctr-mt.c b/cipher-ctr-mt.c +index fdc9b2f..300cd90 100644 +--- a/cipher-ctr-mt.c ++++ b/cipher-ctr-mt.c +@@ -127,7 +127,7 @@ struct kq { + u_char keys[KQLEN][AES_BLOCK_SIZE]; + u_char ctr[AES_BLOCK_SIZE]; + u_char pad0[CACHELINE_LEN]; +- volatile int qstate; ++ int qstate; + pthread_mutex_t lock; + pthread_cond_t cond; + u_char pad1[CACHELINE_LEN]; +@@ -141,6 +141,11 @@ struct ssh_aes_ctr_ctx + STATS_STRUCT(stats); + u_char aes_counter[AES_BLOCK_SIZE]; + pthread_t tid[CIPHER_THREADS]; ++ pthread_rwlock_t tid_lock; ++#ifdef __APPLE__ ++ pthread_rwlock_t stop_lock; ++ int exit_flag; ++#endif /* __APPLE__ */ + int state; + int qidx; + int ridx; +@@ -187,6 +192,57 @@ thread_loop_cleanup(void *x) + pthread_mutex_unlock((pthread_mutex_t *)x); + } + ++#ifdef __APPLE__ ++/* Check if we should exit, we are doing both cancel and exit condition ++ * since on OSX threads seem to occasionally fail to notice when they have ++ * been cancelled. We want to have a backup to make sure that we won't hang ++ * when the main process join()-s the cancelled thread. ++ */ ++static void ++thread_loop_check_exit(struct ssh_aes_ctr_ctx *c) ++{ ++ int exit_flag; ++ ++ pthread_rwlock_rdlock(&c->stop_lock); ++ exit_flag = c->exit_flag; ++ pthread_rwlock_unlock(&c->stop_lock); ++ ++ if (exit_flag) ++ pthread_exit(NULL); ++} ++#else ++# define thread_loop_check_exit(s) ++#endif /* __APPLE__ */ ++ ++/* ++ * Helper function to terminate the helper threads ++ */ ++static void ++stop_and_join_pregen_threads(struct ssh_aes_ctr_ctx *c) ++{ ++ int i; ++ ++#ifdef __APPLE__ ++ /* notify threads that they should exit */ ++ pthread_rwlock_wrlock(&c->stop_lock); ++ c->exit_flag = TRUE; ++ pthread_rwlock_unlock(&c->stop_lock); ++#endif /* __APPLE__ */ ++ ++ /* Cancel pregen threads */ ++ for (i = 0; i < CIPHER_THREADS; i++) { ++ pthread_cancel(c->tid[i]); ++ } ++ for (i = 0; i < NUMKQ; i++) { ++ pthread_mutex_lock(&c->q[i].lock); ++ pthread_cond_broadcast(&c->q[i].cond); ++ pthread_mutex_unlock(&c->q[i].lock); ++ } ++ for (i = 0; i < CIPHER_THREADS; i++) { ++ pthread_join(c->tid[i], NULL); ++ } ++} ++ + /* + * The life of a pregen thread: + * Find empty keystream queues and fill them using their counter. +@@ -201,6 +257,7 @@ thread_loop(void *x) + struct kq *q; + int i; + int qidx; ++ pthread_t first_tid; + + /* Threads stats on cancellation */ + STATS_INIT(stats); +@@ -211,11 +268,15 @@ thread_loop(void *x) + /* Thread local copy of AES key */ + memcpy(&key, &c->aes_ctx, sizeof(key)); + ++ pthread_rwlock_rdlock(&c->tid_lock); ++ first_tid = c->tid[0]; ++ pthread_rwlock_unlock(&c->tid_lock); ++ + /* + * Handle the special case of startup, one thread must fill + * the first KQ then mark it as draining. Lock held throughout. + */ +- if (pthread_equal(pthread_self(), c->tid[0])) { ++ if (pthread_equal(pthread_self(), first_tid)) { + q = &c->q[0]; + pthread_mutex_lock(&q->lock); + if (q->qstate == KQINIT) { +@@ -245,12 +306,16 @@ thread_loop(void *x) + /* Check if I was cancelled, also checked in cond_wait */ + pthread_testcancel(); + ++ /* Check if we should exit as well */ ++ thread_loop_check_exit(c); ++ + /* Lock queue and block if its draining */ + q = &c->q[qidx]; + pthread_mutex_lock(&q->lock); + pthread_cleanup_push(thread_loop_cleanup, &q->lock); + while (q->qstate == KQDRAINING || q->qstate == KQINIT) { + STATS_WAIT(stats); ++ thread_loop_check_exit(c); + pthread_cond_wait(&q->cond, &q->lock); + } + pthread_cleanup_pop(0); +@@ -268,6 +333,7 @@ thread_loop(void *x) + * can see that it's being filled. + */ + q->qstate = KQFILLING; ++ pthread_cond_broadcast(&q->cond); + pthread_mutex_unlock(&q->lock); + for (i = 0; i < KQLEN; i++) { + AES_encrypt(q->ctr, q->keys[i], &key); +@@ -279,7 +345,7 @@ thread_loop(void *x) + ssh_ctr_add(q->ctr, KQLEN * (NUMKQ - 1), AES_BLOCK_SIZE); + q->qstate = KQFULL; + STATS_FILL(stats); +- pthread_cond_signal(&q->cond); ++ pthread_cond_broadcast(&q->cond); + pthread_mutex_unlock(&q->lock); + } + +@@ -371,6 +437,7 @@ ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, + pthread_cond_wait(&q->cond, &q->lock); + } + q->qstate = KQDRAINING; ++ pthread_cond_broadcast(&q->cond); + pthread_mutex_unlock(&q->lock); + + /* Mark consumed queue empty and signal producers */ +@@ -397,6 +464,11 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, + + if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) { + c = xmalloc(sizeof(*c)); ++ pthread_rwlock_init(&c->tid_lock, NULL); ++#ifdef __APPLE__ ++ pthread_rwlock_init(&c->stop_lock, NULL); ++ c->exit_flag = FALSE; ++#endif /* __APPLE__ */ + + c->state = HAVE_NONE; + for (i = 0; i < NUMKQ; i++) { +@@ -409,11 +481,14 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, + } + + if (c->state == (HAVE_KEY | HAVE_IV)) { +- /* Cancel pregen threads */ +- for (i = 0; i < CIPHER_THREADS; i++) +- pthread_cancel(c->tid[i]); +- for (i = 0; i < CIPHER_THREADS; i++) +- pthread_join(c->tid[i], NULL); ++ /* tell the pregen threads to exit */ ++ stop_and_join_pregen_threads(c); ++ ++#ifdef __APPLE__ ++ /* reset the exit flag */ ++ c->exit_flag = FALSE; ++#endif /* __APPLE__ */ ++ + /* Start over getting key & iv */ + c->state = HAVE_NONE; + } +@@ -444,10 +519,12 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, + /* Start threads */ + for (i = 0; i < CIPHER_THREADS; i++) { + debug("spawned a thread"); ++ pthread_rwlock_wrlock(&c->tid_lock); + pthread_create(&c->tid[i], NULL, thread_loop, c); ++ pthread_rwlock_unlock(&c->tid_lock); + } + pthread_mutex_lock(&c->q[0].lock); +- while (c->q[0].qstate != KQDRAINING) ++ while (c->q[0].qstate == KQINIT) + pthread_cond_wait(&c->q[0].cond, &c->q[0].lock); + pthread_mutex_unlock(&c->q[0].lock); + } +@@ -461,15 +538,10 @@ void + ssh_aes_ctr_thread_destroy(EVP_CIPHER_CTX *ctx) + { + struct ssh_aes_ctr_ctx *c; +- int i; ++ + c = EVP_CIPHER_CTX_get_app_data(ctx); +- /* destroy threads */ +- for (i = 0; i < CIPHER_THREADS; i++) { +- pthread_cancel(c->tid[i]); +- } +- for (i = 0; i < CIPHER_THREADS; i++) { +- pthread_join(c->tid[i], NULL); +- } ++ ++ stop_and_join_pregen_threads(c); + } + + void +@@ -481,7 +553,9 @@ ssh_aes_ctr_thread_reconstruction(EVP_CIPHER_CTX *ctx) + /* reconstruct threads */ + for (i = 0; i < CIPHER_THREADS; i++) { + debug("spawned a thread"); ++ pthread_rwlock_wrlock(&c->tid_lock); + pthread_create(&c->tid[i], NULL, thread_loop, c); ++ pthread_rwlock_unlock(&c->tid_lock); + } + } + +@@ -489,18 +563,13 @@ static int + ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx) + { + struct ssh_aes_ctr_ctx *c; +- int i; + + if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) { + #ifdef CIPHER_THREAD_STATS + debug("main thread: %u drains, %u waits", c->stats.drains, + c->stats.waits); + #endif +- /* Cancel pregen threads */ +- for (i = 0; i < CIPHER_THREADS; i++) +- pthread_cancel(c->tid[i]); +- for (i = 0; i < CIPHER_THREADS; i++) +- pthread_join(c->tid[i], NULL); ++ stop_and_join_pregen_threads(c); + + memset(c, 0, sizeof(*c)); + free(c); diff --git a/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-9.2-glue.patch b/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-9.2-glue.patch new file mode 100644 index 000000000000..f077c0517fa2 --- /dev/null +++ b/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-9.2-glue.patch @@ -0,0 +1,41 @@ +--- a/openssh-7.3_p1-hpn-14.10-r1.patch 2016-09-19 15:00:21.561121417 -0700 ++++ b/openssh-7.3_p1-hpn-14.10-r1.patch 2016-09-19 15:22:51.337118439 -0700 +@@ -1155,7 +1155,7 @@ + @@ -44,7 +44,7 @@ + LD=@LD@ + CFLAGS=@CFLAGS@ +- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ ++ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ + -LIBS=@LIBS@ + +LIBS=@LIBS@ -lpthread + K5LIBS=@K5LIBS@ +@@ -2144,12 +2144,12 @@ + /* Bind the socket to an alternative local IP address */ + if (options.bind_address == NULL && !privileged) + return sock; +-@@ -527,10 +555,10 @@ ++@@ -555,10 +583,10 @@ + /* Send our own protocol version identification. */ + if (compat20) { +- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", +-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION); +-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE); ++ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n", ++- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509); +++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, SSH_X509); + } else { + xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n", + - PROTOCOL_MAJOR_1, minor1, SSH_VERSION); +@@ -2163,9 +2163,9 @@ + @@ -432,7 +432,7 @@ + } + +- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", +-- major, minor, SSH_VERSION, +-+ major, minor, SSH_RELEASE, ++ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s", ++- major, minor, SSH_VERSION, comment, +++ major, minor, SSH_RELEASE, comment, + *options.version_addendum == '\0' ? "" : " ", + options.version_addendum, newline); + diff --git a/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch b/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch new file mode 100644 index 000000000000..2def6993e6c3 --- /dev/null +++ b/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch @@ -0,0 +1,67 @@ +--- a/openssh-7.3_p1-sctp.patch 2016-08-03 13:10:15.733228732 -0700 ++++ b/openssh-7.3_p1-sctp.patch 2016-08-03 13:25:53.274630002 -0700 +@@ -226,14 +226,6 @@ + .Op Fl c Ar cipher + .Op Fl F Ar ssh_config + .Op Fl i Ar identity_file +-@@ -183,6 +183,7 @@ For full details of the options listed below, and their possible values, see +- .It ServerAliveCountMax +- .It StrictHostKeyChecking +- .It TCPKeepAlive +-+.It Transport +- .It UpdateHostKeys +- .It UsePrivilegedPort +- .It User + @@ -224,6 +225,8 @@ and + to print debugging messages about their progress. + This is helpful in +@@ -493,19 +485,11 @@ + .Sh SYNOPSIS + .Nm ssh + .Bk -words +--.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy +-+.Op Fl 1246AaCfGgKkMNnqsTtVvXxYyz ++-.Op Fl 1246AaCdfgKkMNnqsTtVvXxYy +++.Op Fl 1246AaCdfgKkMNnqsTtVvXxYyz + .Op Fl b Ar bind_address + .Op Fl c Ar cipher_spec + .Op Fl D Oo Ar bind_address : Oc Ns Ar port +-@@ -558,6 +558,7 @@ For full details of the options listed below, and their possible values, see +- .It StreamLocalBindUnlink +- .It StrictHostKeyChecking +- .It TCPKeepAlive +-+.It Transport +- .It Tunnel +- .It TunnelDevice +- .It UpdateHostKeys + @@ -795,6 +796,8 @@ controls. + .Pp + .It Fl y +@@ -533,18 +517,18 @@ + usage(void) + { + fprintf(stderr, +--"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n" +-+"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n" ++-"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n" +++"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n" + " [-D [bind_address:]port] [-E log_file] [-e escape_char]\n" +- " [-F configfile] [-I pkcs11] [-i identity_file]\n" +- " [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]\n" ++ " [-F configfile]\n" ++ #ifdef USE_OPENSSL_ENGINE + @@ -608,7 +613,7 @@ main(int ac, char **av) +- argv0 = av[0]; ++ # define ENGCONFIG "" ++ #endif + +- again: +-- while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" +-+ while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT +- "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { ++- while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" +++ while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" SCTP_OPT ++ "ACD:E:F:" ENGCONFIG "I:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { + switch (opt) { + case '1': + @@ -857,6 +862,11 @@ main(int ac, char **av) diff --git a/net-misc/openssh/files/openssh-7.3_p1-x509-9.2-warnings.patch b/net-misc/openssh/files/openssh-7.3_p1-x509-9.2-warnings.patch new file mode 100644 index 000000000000..528dc6f22a94 --- /dev/null +++ b/net-misc/openssh/files/openssh-7.3_p1-x509-9.2-warnings.patch @@ -0,0 +1,109 @@ +diff --git a/kex.c b/kex.c +index 143227a..c9b84c2 100644 +--- a/kex.c ++++ b/kex.c +@@ -345,9 +345,9 @@ kex_reset_dispatch(struct ssh *ssh) + static int + kex_send_ext_info(struct ssh *ssh) + { ++#ifdef EXPERIMENTAL_RSA_SHA2_256 + int r; + +-#ifdef EXPERIMENTAL_RSA_SHA2_256 + /* IMPORTANT NOTE: + * Do not offer rsa-sha2-* until is resolved misconfiguration issue + * with allowed public key algorithms! +diff --git a/key-eng.c b/key-eng.c +index 9bc50fd..bc0d03d 100644 +--- a/key-eng.c ++++ b/key-eng.c +@@ -786,7 +786,6 @@ ssh_engines_shutdown() { + while (buffer_len(&eng_list) > 0) { + u_int k = 0; + char *s; +- ENGINE *e; + + s = buffer_get_cstring_ret(&eng_list, &k); + ssh_engine_reset(s); +diff --git a/monitor.c b/monitor.c +index 345d3df..0de30ad 100644 +--- a/monitor.c ++++ b/monitor.c +@@ -707,7 +707,7 @@ mm_answer_sign(int sock, Buffer *m) + (r = sshbuf_get_string(m, &p, &datlen)) != 0 || + (r = sshbuf_get_cstring(m, &alg, &alglen)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); +- if (keyid > INT_MAX) ++ if (keyid32 > INT_MAX) + fatal("%s: invalid key ID", __func__); + + keyid = keyid32; /*save cast*/ +diff --git a/readconf.c b/readconf.c +index beb38a0..1cbda7e 100644 +--- a/readconf.c ++++ b/readconf.c +@@ -1459,7 +1459,9 @@ parse_int: + + case oHostKeyAlgorithms: + charptr = &options->hostkeyalgorithms; ++# if 0 + parse_keytypes: ++# endif + arg = strdelim(&s); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing argument.", +diff --git a/servconf.c b/servconf.c +index a540138..e77a344 100644 +--- a/servconf.c ++++ b/servconf.c +@@ -1574,7 +1573,9 @@ parse_string: + + case sHostKeyAlgorithms: + charptr = &options->hostkeyalgorithms; ++# if 0 + parse_keytypes: ++#endif + arg = strdelim(&cp); + if (!arg || *arg == '\0') + fatal("%s line %d: Missing argument.", +diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c +index 50f04b7..3f9a7bf 100644 +--- a/ssh-pkcs11.c ++++ b/ssh-pkcs11.c +@@ -273,21 +273,18 @@ pkcs11_dsa_finish(DSA *dsa) + } + + #ifdef OPENSSL_HAS_ECC ++#ifdef HAVE_EC_KEY_METHOD_NEW + /* openssl callback for freeing an EC key */ + static void + pkcs11_ec_finish(EC_KEY *ec) + { + struct pkcs11_key *k11; + +-#ifdef HAVE_EC_KEY_METHOD_NEW + k11 = EC_KEY_get_ex_data(ec, ssh_pkcs11_ec_ctx_index); + EC_KEY_set_ex_data(ec, ssh_pkcs11_ec_ctx_index, NULL); +-#else +- k11 = ECDSA_get_ex_data(ec, ssh_pkcs11_ec_ctx_index); +- ECDSA_set_ex_data(ec, ssh_pkcs11_ec_ctx_index, NULL); +-#endif + pkcs11_key_free(k11); + } ++#endif /*def HAVE_EC_KEY_METHOD_NEW*/ + #endif /*def OPENSSL_HAS_ECC*/ + + +diff --git a/sshconnect.c b/sshconnect.c +index fd2a70e..0960be1 100644 +--- a/sshconnect.c ++++ b/sshconnect.c +@@ -605,7 +605,7 @@ send_client_banner(int connection_out, int minor1) + { + /* Send our own protocol version identification. */ + if (compat20) { +- xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%d]\r\n", ++ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n", + PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509); + } else { + xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n", diff --git a/net-misc/openssh/files/openssh-7.4_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-7.4_p1-GSSAPI-dns.patch new file mode 100644 index 000000000000..ec2a6d894938 --- /dev/null +++ b/net-misc/openssh/files/openssh-7.4_p1-GSSAPI-dns.patch @@ -0,0 +1,351 @@ +http://bugs.gentoo.org/165444 +https://bugzilla.mindrot.org/show_bug.cgi?id=1008 + +--- a/readconf.c ++++ b/readconf.c +@@ -148,6 +148,7 @@ + oClearAllForwardings, oNoHostAuthenticationForLocalhost, + oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, + oAddressFamily, oGssAuthentication, oGssDelegateCreds, ++ oGssTrustDns, + oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, + oSendEnv, oControlPath, oControlMaster, oControlPersist, + oHashKnownHosts, +@@ -194,9 +195,11 @@ + #if defined(GSSAPI) + { "gssapiauthentication", oGssAuthentication }, + { "gssapidelegatecredentials", oGssDelegateCreds }, ++ { "gssapitrustdns", oGssTrustDns }, + #else + { "gssapiauthentication", oUnsupported }, + { "gssapidelegatecredentials", oUnsupported }, ++ { "gssapitrustdns", oUnsupported }, + #endif + { "fallbacktorsh", oDeprecated }, + { "usersh", oDeprecated }, +@@ -930,6 +933,10 @@ + intptr = &options->gss_deleg_creds; + goto parse_flag; + ++ case oGssTrustDns: ++ intptr = &options->gss_trust_dns; ++ goto parse_flag; ++ + case oBatchMode: + intptr = &options->batch_mode; + goto parse_flag; +@@ -1649,6 +1656,7 @@ + options->challenge_response_authentication = -1; + options->gss_authentication = -1; + options->gss_deleg_creds = -1; ++ options->gss_trust_dns = -1; + options->password_authentication = -1; + options->kbd_interactive_authentication = -1; + options->kbd_interactive_devices = NULL; +@@ -1779,6 +1787,8 @@ + options->gss_authentication = 0; + if (options->gss_deleg_creds == -1) + options->gss_deleg_creds = 0; ++ if (options->gss_trust_dns == -1) ++ options->gss_trust_dns = 0; + if (options->password_authentication == -1) + options->password_authentication = 1; + if (options->kbd_interactive_authentication == -1) +--- a/readconf.h ++++ b/readconf.h +@@ -46,6 +46,7 @@ + /* Try S/Key or TIS, authentication. */ + int gss_authentication; /* Try GSS authentication */ + int gss_deleg_creds; /* Delegate GSS credentials */ ++ int gss_trust_dns; /* Trust DNS for GSS canonicalization */ + int password_authentication; /* Try password + * authentication. */ + int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ +--- a/ssh_config.5 ++++ b/ssh_config.5 +@@ -830,6 +830,16 @@ + Forward (delegate) credentials to the server. + The default is + .Cm no . ++Note that this option applies to protocol version 2 connections using GSSAPI. ++.It Cm GSSAPITrustDns ++Set to ++.Dq yes to indicate that the DNS is trusted to securely canonicalize ++the name of the host being connected to. If ++.Dq no, the hostname entered on the ++command line will be passed untouched to the GSSAPI library. ++The default is ++.Dq no . ++This option only applies to protocol version 2 connections using GSSAPI. + .It Cm HashKnownHosts + Indicates that + .Xr ssh 1 +--- a/sshconnect2.c ++++ b/sshconnect2.c +@@ -656,6 +656,13 @@ + static u_int mech = 0; + OM_uint32 min; + int ok = 0; ++ const char *gss_host; ++ ++ if (options.gss_trust_dns) { ++ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns); ++ gss_host = auth_get_canonical_hostname(active_state, 1); ++ } else ++ gss_host = authctxt->host; + + /* Try one GSSAPI method at a time, rather than sending them all at + * once. */ +@@ -668,7 +674,7 @@ + /* My DER encoding requires length<128 */ + if (gss_supported->elements[mech].length < 128 && + ssh_gssapi_check_mechanism(&gssctxt, +- &gss_supported->elements[mech], authctxt->host)) { ++ &gss_supported->elements[mech], gss_host)) { + ok = 1; /* Mechanism works */ + } else { + mech++; + +need to move these two funcs back to canohost so they're available to clients +and the server. auth.c is only used in the server. + +--- a/auth.c ++++ b/auth.c +@@ -784,117 +784,3 @@ fakepw(void) + + return (&fake); + } +- +-/* +- * Returns the remote DNS hostname as a string. The returned string must not +- * be freed. NB. this will usually trigger a DNS query the first time it is +- * called. +- * This function does additional checks on the hostname to mitigate some +- * attacks on legacy rhosts-style authentication. +- * XXX is RhostsRSAAuthentication vulnerable to these? +- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) +- */ +- +-static char * +-remote_hostname(struct ssh *ssh) +-{ +- struct sockaddr_storage from; +- socklen_t fromlen; +- struct addrinfo hints, *ai, *aitop; +- char name[NI_MAXHOST], ntop2[NI_MAXHOST]; +- const char *ntop = ssh_remote_ipaddr(ssh); +- +- /* Get IP address of client. */ +- fromlen = sizeof(from); +- memset(&from, 0, sizeof(from)); +- if (getpeername(ssh_packet_get_connection_in(ssh), +- (struct sockaddr *)&from, &fromlen) < 0) { +- debug("getpeername failed: %.100s", strerror(errno)); +- return strdup(ntop); +- } +- +- ipv64_normalise_mapped(&from, &fromlen); +- if (from.ss_family == AF_INET6) +- fromlen = sizeof(struct sockaddr_in6); +- +- debug3("Trying to reverse map address %.100s.", ntop); +- /* Map the IP address to a host name. */ +- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), +- NULL, 0, NI_NAMEREQD) != 0) { +- /* Host name not found. Use ip address. */ +- return strdup(ntop); +- } +- +- /* +- * if reverse lookup result looks like a numeric hostname, +- * someone is trying to trick us by PTR record like following: +- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 +- */ +- memset(&hints, 0, sizeof(hints)); +- hints.ai_socktype = SOCK_DGRAM; /*dummy*/ +- hints.ai_flags = AI_NUMERICHOST; +- if (getaddrinfo(name, NULL, &hints, &ai) == 0) { +- logit("Nasty PTR record \"%s\" is set up for %s, ignoring", +- name, ntop); +- freeaddrinfo(ai); +- return strdup(ntop); +- } +- +- /* Names are stored in lowercase. */ +- lowercase(name); +- +- /* +- * Map it back to an IP address and check that the given +- * address actually is an address of this host. This is +- * necessary because anyone with access to a name server can +- * define arbitrary names for an IP address. Mapping from +- * name to IP address can be trusted better (but can still be +- * fooled if the intruder has access to the name server of +- * the domain). +- */ +- memset(&hints, 0, sizeof(hints)); +- hints.ai_family = from.ss_family; +- hints.ai_socktype = SOCK_STREAM; +- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { +- logit("reverse mapping checking getaddrinfo for %.700s " +- "[%s] failed.", name, ntop); +- return strdup(ntop); +- } +- /* Look for the address from the list of addresses. */ +- for (ai = aitop; ai; ai = ai->ai_next) { +- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, +- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && +- (strcmp(ntop, ntop2) == 0)) +- break; +- } +- freeaddrinfo(aitop); +- /* If we reached the end of the list, the address was not there. */ +- if (ai == NULL) { +- /* Address not found for the host name. */ +- logit("Address %.100s maps to %.600s, but this does not " +- "map back to the address.", ntop, name); +- return strdup(ntop); +- } +- return strdup(name); +-} +- +-/* +- * Return the canonical name of the host in the other side of the current +- * connection. The host name is cached, so it is efficient to call this +- * several times. +- */ +- +-const char * +-auth_get_canonical_hostname(struct ssh *ssh, int use_dns) +-{ +- static char *dnsname; +- +- if (!use_dns) +- return ssh_remote_ipaddr(ssh); +- else if (dnsname != NULL) +- return dnsname; +- else { +- dnsname = remote_hostname(ssh); +- return dnsname; +- } +-} +--- a/canohost.c ++++ b/canohost.c +@@ -202,3 +202,117 @@ get_local_port(int sock) + { + return get_sock_port(sock, 1); + } ++ ++/* ++ * Returns the remote DNS hostname as a string. The returned string must not ++ * be freed. NB. this will usually trigger a DNS query the first time it is ++ * called. ++ * This function does additional checks on the hostname to mitigate some ++ * attacks on legacy rhosts-style authentication. ++ * XXX is RhostsRSAAuthentication vulnerable to these? ++ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) ++ */ ++ ++static char * ++remote_hostname(struct ssh *ssh) ++{ ++ struct sockaddr_storage from; ++ socklen_t fromlen; ++ struct addrinfo hints, *ai, *aitop; ++ char name[NI_MAXHOST], ntop2[NI_MAXHOST]; ++ const char *ntop = ssh_remote_ipaddr(ssh); ++ ++ /* Get IP address of client. */ ++ fromlen = sizeof(from); ++ memset(&from, 0, sizeof(from)); ++ if (getpeername(ssh_packet_get_connection_in(ssh), ++ (struct sockaddr *)&from, &fromlen) < 0) { ++ debug("getpeername failed: %.100s", strerror(errno)); ++ return strdup(ntop); ++ } ++ ++ ipv64_normalise_mapped(&from, &fromlen); ++ if (from.ss_family == AF_INET6) ++ fromlen = sizeof(struct sockaddr_in6); ++ ++ debug3("Trying to reverse map address %.100s.", ntop); ++ /* Map the IP address to a host name. */ ++ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), ++ NULL, 0, NI_NAMEREQD) != 0) { ++ /* Host name not found. Use ip address. */ ++ return strdup(ntop); ++ } ++ ++ /* ++ * if reverse lookup result looks like a numeric hostname, ++ * someone is trying to trick us by PTR record like following: ++ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 ++ */ ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_socktype = SOCK_DGRAM; /*dummy*/ ++ hints.ai_flags = AI_NUMERICHOST; ++ if (getaddrinfo(name, NULL, &hints, &ai) == 0) { ++ logit("Nasty PTR record \"%s\" is set up for %s, ignoring", ++ name, ntop); ++ freeaddrinfo(ai); ++ return strdup(ntop); ++ } ++ ++ /* Names are stored in lowercase. */ ++ lowercase(name); ++ ++ /* ++ * Map it back to an IP address and check that the given ++ * address actually is an address of this host. This is ++ * necessary because anyone with access to a name server can ++ * define arbitrary names for an IP address. Mapping from ++ * name to IP address can be trusted better (but can still be ++ * fooled if the intruder has access to the name server of ++ * the domain). ++ */ ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = from.ss_family; ++ hints.ai_socktype = SOCK_STREAM; ++ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { ++ logit("reverse mapping checking getaddrinfo for %.700s " ++ "[%s] failed.", name, ntop); ++ return strdup(ntop); ++ } ++ /* Look for the address from the list of addresses. */ ++ for (ai = aitop; ai; ai = ai->ai_next) { ++ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, ++ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && ++ (strcmp(ntop, ntop2) == 0)) ++ break; ++ } ++ freeaddrinfo(aitop); ++ /* If we reached the end of the list, the address was not there. */ ++ if (ai == NULL) { ++ /* Address not found for the host name. */ ++ logit("Address %.100s maps to %.600s, but this does not " ++ "map back to the address.", ntop, name); ++ return strdup(ntop); ++ } ++ return strdup(name); ++} ++ ++/* ++ * Return the canonical name of the host in the other side of the current ++ * connection. The host name is cached, so it is efficient to call this ++ * several times. ++ */ ++ ++const char * ++auth_get_canonical_hostname(struct ssh *ssh, int use_dns) ++{ ++ static char *dnsname; ++ ++ if (!use_dns) ++ return ssh_remote_ipaddr(ssh); ++ else if (dnsname != NULL) ++ return dnsname; ++ else { ++ dnsname = remote_hostname(ssh); ++ return dnsname; ++ } ++} diff --git a/net-misc/openssh/files/openssh-7.4_p1-test-bashism.patch b/net-misc/openssh/files/openssh-7.4_p1-test-bashism.patch new file mode 100644 index 000000000000..3e02b6f8ccc0 --- /dev/null +++ b/net-misc/openssh/files/openssh-7.4_p1-test-bashism.patch @@ -0,0 +1,29 @@ +https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-December/035604.html + +From dca2985bff146f756b0019b17f08c35f28841a04 Mon Sep 17 00:00:00 2001 +From: Mike Frysinger <vapier@gentoo.org> +Date: Mon, 19 Dec 2016 15:59:00 -0500 +Subject: [PATCH] regress/allow-deny-users.sh: fix bashism in test + +The test command uses = for string compares, not ==. Using some POSIX +shells will reject this statement with an error about an unknown operator. +--- + regress/allow-deny-users.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/regress/allow-deny-users.sh b/regress/allow-deny-users.sh +index 32a269afa97c..86805e19322b 100644 +--- a/regress/allow-deny-users.sh ++++ b/regress/allow-deny-users.sh +@@ -4,7 +4,7 @@ + tid="AllowUsers/DenyUsers" + + me="$LOGNAME" +-if [ "x$me" == "x" ]; then ++if [ "x$me" = "x" ]; then + me=`whoami` + fi + other="nobody" +-- +2.11.0.rc2 + diff --git a/net-misc/openssh/files/openssh-7.5_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-7.5_p1-GSSAPI-dns.patch new file mode 100644 index 000000000000..6b1e6dd35a41 --- /dev/null +++ b/net-misc/openssh/files/openssh-7.5_p1-GSSAPI-dns.patch @@ -0,0 +1,351 @@ +http://bugs.gentoo.org/165444 +https://bugzilla.mindrot.org/show_bug.cgi?id=1008 + +--- a/readconf.c ++++ b/readconf.c +@@ -148,6 +148,7 @@ + oClearAllForwardings, oNoHostAuthenticationForLocalhost, + oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, + oAddressFamily, oGssAuthentication, oGssDelegateCreds, ++ oGssTrustDns, + oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, + oSendEnv, oControlPath, oControlMaster, oControlPersist, + oHashKnownHosts, +@@ -194,9 +195,11 @@ + #if defined(GSSAPI) + { "gssapiauthentication", oGssAuthentication }, + { "gssapidelegatecredentials", oGssDelegateCreds }, ++ { "gssapitrustdns", oGssTrustDns }, + # else + { "gssapiauthentication", oUnsupported }, + { "gssapidelegatecredentials", oUnsupported }, ++ { "gssapitrustdns", oUnsupported }, + #endif + #ifdef ENABLE_PKCS11 + { "smartcarddevice", oPKCS11Provider }, +@@ -930,6 +933,10 @@ + intptr = &options->gss_deleg_creds; + goto parse_flag; + ++ case oGssTrustDns: ++ intptr = &options->gss_trust_dns; ++ goto parse_flag; ++ + case oBatchMode: + intptr = &options->batch_mode; + goto parse_flag; +@@ -1649,6 +1656,7 @@ + options->challenge_response_authentication = -1; + options->gss_authentication = -1; + options->gss_deleg_creds = -1; ++ options->gss_trust_dns = -1; + options->password_authentication = -1; + options->kbd_interactive_authentication = -1; + options->kbd_interactive_devices = NULL; +@@ -1779,6 +1787,8 @@ + options->gss_authentication = 0; + if (options->gss_deleg_creds == -1) + options->gss_deleg_creds = 0; ++ if (options->gss_trust_dns == -1) ++ options->gss_trust_dns = 0; + if (options->password_authentication == -1) + options->password_authentication = 1; + if (options->kbd_interactive_authentication == -1) +--- a/readconf.h ++++ b/readconf.h +@@ -46,6 +46,7 @@ + /* Try S/Key or TIS, authentication. */ + int gss_authentication; /* Try GSS authentication */ + int gss_deleg_creds; /* Delegate GSS credentials */ ++ int gss_trust_dns; /* Trust DNS for GSS canonicalization */ + int password_authentication; /* Try password + * authentication. */ + int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ +--- a/ssh_config.5 ++++ b/ssh_config.5 +@@ -830,6 +830,16 @@ + Forward (delegate) credentials to the server. + The default is + .Cm no . ++Note that this option applies to protocol version 2 connections using GSSAPI. ++.It Cm GSSAPITrustDns ++Set to ++.Dq yes to indicate that the DNS is trusted to securely canonicalize ++the name of the host being connected to. If ++.Dq no, the hostname entered on the ++command line will be passed untouched to the GSSAPI library. ++The default is ++.Dq no . ++This option only applies to protocol version 2 connections using GSSAPI. + .It Cm HashKnownHosts + Indicates that + .Xr ssh 1 +--- a/sshconnect2.c ++++ b/sshconnect2.c +@@ -656,6 +656,13 @@ + static u_int mech = 0; + OM_uint32 min; + int ok = 0; ++ const char *gss_host; ++ ++ if (options.gss_trust_dns) { ++ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns); ++ gss_host = auth_get_canonical_hostname(active_state, 1); ++ } else ++ gss_host = authctxt->host; + + /* Try one GSSAPI method at a time, rather than sending them all at + * once. */ +@@ -668,7 +674,7 @@ + /* My DER encoding requires length<128 */ + if (gss_supported->elements[mech].length < 128 && + ssh_gssapi_check_mechanism(&gssctxt, +- &gss_supported->elements[mech], authctxt->host)) { ++ &gss_supported->elements[mech], gss_host)) { + ok = 1; /* Mechanism works */ + } else { + mech++; + +need to move these two funcs back to canohost so they're available to clients +and the server. auth.c is only used in the server. + +--- a/auth.c ++++ b/auth.c +@@ -784,117 +784,3 @@ fakepw(void) + + return (&fake); + } +- +-/* +- * Returns the remote DNS hostname as a string. The returned string must not +- * be freed. NB. this will usually trigger a DNS query the first time it is +- * called. +- * This function does additional checks on the hostname to mitigate some +- * attacks on legacy rhosts-style authentication. +- * XXX is RhostsRSAAuthentication vulnerable to these? +- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) +- */ +- +-static char * +-remote_hostname(struct ssh *ssh) +-{ +- struct sockaddr_storage from; +- socklen_t fromlen; +- struct addrinfo hints, *ai, *aitop; +- char name[NI_MAXHOST], ntop2[NI_MAXHOST]; +- const char *ntop = ssh_remote_ipaddr(ssh); +- +- /* Get IP address of client. */ +- fromlen = sizeof(from); +- memset(&from, 0, sizeof(from)); +- if (getpeername(ssh_packet_get_connection_in(ssh), +- (struct sockaddr *)&from, &fromlen) < 0) { +- debug("getpeername failed: %.100s", strerror(errno)); +- return strdup(ntop); +- } +- +- ipv64_normalise_mapped(&from, &fromlen); +- if (from.ss_family == AF_INET6) +- fromlen = sizeof(struct sockaddr_in6); +- +- debug3("Trying to reverse map address %.100s.", ntop); +- /* Map the IP address to a host name. */ +- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), +- NULL, 0, NI_NAMEREQD) != 0) { +- /* Host name not found. Use ip address. */ +- return strdup(ntop); +- } +- +- /* +- * if reverse lookup result looks like a numeric hostname, +- * someone is trying to trick us by PTR record like following: +- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 +- */ +- memset(&hints, 0, sizeof(hints)); +- hints.ai_socktype = SOCK_DGRAM; /*dummy*/ +- hints.ai_flags = AI_NUMERICHOST; +- if (getaddrinfo(name, NULL, &hints, &ai) == 0) { +- logit("Nasty PTR record \"%s\" is set up for %s, ignoring", +- name, ntop); +- freeaddrinfo(ai); +- return strdup(ntop); +- } +- +- /* Names are stored in lowercase. */ +- lowercase(name); +- +- /* +- * Map it back to an IP address and check that the given +- * address actually is an address of this host. This is +- * necessary because anyone with access to a name server can +- * define arbitrary names for an IP address. Mapping from +- * name to IP address can be trusted better (but can still be +- * fooled if the intruder has access to the name server of +- * the domain). +- */ +- memset(&hints, 0, sizeof(hints)); +- hints.ai_family = from.ss_family; +- hints.ai_socktype = SOCK_STREAM; +- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { +- logit("reverse mapping checking getaddrinfo for %.700s " +- "[%s] failed.", name, ntop); +- return strdup(ntop); +- } +- /* Look for the address from the list of addresses. */ +- for (ai = aitop; ai; ai = ai->ai_next) { +- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, +- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && +- (strcmp(ntop, ntop2) == 0)) +- break; +- } +- freeaddrinfo(aitop); +- /* If we reached the end of the list, the address was not there. */ +- if (ai == NULL) { +- /* Address not found for the host name. */ +- logit("Address %.100s maps to %.600s, but this does not " +- "map back to the address.", ntop, name); +- return strdup(ntop); +- } +- return strdup(name); +-} +- +-/* +- * Return the canonical name of the host in the other side of the current +- * connection. The host name is cached, so it is efficient to call this +- * several times. +- */ +- +-const char * +-auth_get_canonical_hostname(struct ssh *ssh, int use_dns) +-{ +- static char *dnsname; +- +- if (!use_dns) +- return ssh_remote_ipaddr(ssh); +- else if (dnsname != NULL) +- return dnsname; +- else { +- dnsname = remote_hostname(ssh); +- return dnsname; +- } +-} +--- a/canohost.c ++++ b/canohost.c +@@ -202,3 +202,117 @@ get_local_port(int sock) + { + return get_sock_port(sock, 1); + } ++ ++/* ++ * Returns the remote DNS hostname as a string. The returned string must not ++ * be freed. NB. this will usually trigger a DNS query the first time it is ++ * called. ++ * This function does additional checks on the hostname to mitigate some ++ * attacks on legacy rhosts-style authentication. ++ * XXX is RhostsRSAAuthentication vulnerable to these? ++ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) ++ */ ++ ++static char * ++remote_hostname(struct ssh *ssh) ++{ ++ struct sockaddr_storage from; ++ socklen_t fromlen; ++ struct addrinfo hints, *ai, *aitop; ++ char name[NI_MAXHOST], ntop2[NI_MAXHOST]; ++ const char *ntop = ssh_remote_ipaddr(ssh); ++ ++ /* Get IP address of client. */ ++ fromlen = sizeof(from); ++ memset(&from, 0, sizeof(from)); ++ if (getpeername(ssh_packet_get_connection_in(ssh), ++ (struct sockaddr *)&from, &fromlen) < 0) { ++ debug("getpeername failed: %.100s", strerror(errno)); ++ return strdup(ntop); ++ } ++ ++ ipv64_normalise_mapped(&from, &fromlen); ++ if (from.ss_family == AF_INET6) ++ fromlen = sizeof(struct sockaddr_in6); ++ ++ debug3("Trying to reverse map address %.100s.", ntop); ++ /* Map the IP address to a host name. */ ++ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), ++ NULL, 0, NI_NAMEREQD) != 0) { ++ /* Host name not found. Use ip address. */ ++ return strdup(ntop); ++ } ++ ++ /* ++ * if reverse lookup result looks like a numeric hostname, ++ * someone is trying to trick us by PTR record like following: ++ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 ++ */ ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_socktype = SOCK_DGRAM; /*dummy*/ ++ hints.ai_flags = AI_NUMERICHOST; ++ if (getaddrinfo(name, NULL, &hints, &ai) == 0) { ++ logit("Nasty PTR record \"%s\" is set up for %s, ignoring", ++ name, ntop); ++ freeaddrinfo(ai); ++ return strdup(ntop); ++ } ++ ++ /* Names are stored in lowercase. */ ++ lowercase(name); ++ ++ /* ++ * Map it back to an IP address and check that the given ++ * address actually is an address of this host. This is ++ * necessary because anyone with access to a name server can ++ * define arbitrary names for an IP address. Mapping from ++ * name to IP address can be trusted better (but can still be ++ * fooled if the intruder has access to the name server of ++ * the domain). ++ */ ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = from.ss_family; ++ hints.ai_socktype = SOCK_STREAM; ++ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { ++ logit("reverse mapping checking getaddrinfo for %.700s " ++ "[%s] failed.", name, ntop); ++ return strdup(ntop); ++ } ++ /* Look for the address from the list of addresses. */ ++ for (ai = aitop; ai; ai = ai->ai_next) { ++ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, ++ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && ++ (strcmp(ntop, ntop2) == 0)) ++ break; ++ } ++ freeaddrinfo(aitop); ++ /* If we reached the end of the list, the address was not there. */ ++ if (ai == NULL) { ++ /* Address not found for the host name. */ ++ logit("Address %.100s maps to %.600s, but this does not " ++ "map back to the address.", ntop, name); ++ return strdup(ntop); ++ } ++ return strdup(name); ++} ++ ++/* ++ * Return the canonical name of the host in the other side of the current ++ * connection. The host name is cached, so it is efficient to call this ++ * several times. ++ */ ++ ++const char * ++auth_get_canonical_hostname(struct ssh *ssh, int use_dns) ++{ ++ static char *dnsname; ++ ++ if (!use_dns) ++ return ssh_remote_ipaddr(ssh); ++ else if (dnsname != NULL) ++ return dnsname; ++ else { ++ dnsname = remote_hostname(ssh); ++ return dnsname; ++ } ++} diff --git a/net-misc/openssh/files/openssh-7.5_p1-cross-cache.patch b/net-misc/openssh/files/openssh-7.5_p1-cross-cache.patch new file mode 100644 index 000000000000..1c2b7b8a091a --- /dev/null +++ b/net-misc/openssh/files/openssh-7.5_p1-cross-cache.patch @@ -0,0 +1,39 @@ +From d588d6f83e9a3d48286929b4a705b43e74414241 Mon Sep 17 00:00:00 2001 +From: Mike Frysinger <vapier@chromium.org> +Date: Wed, 24 May 2017 23:18:41 -0400 +Subject: [PATCH] configure: actually set cache vars when cross-compiling + +The cross-compiling fallback message says it's assuming the test +passed, but it didn't actually set the cache var which causes +later tests to fail. +--- + configure.ac | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 5cfea38c0a6c..895c5211ea93 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -3162,7 +3162,8 @@ AC_RUN_IFELSE( + select_works_with_rlimit=yes], + [AC_MSG_RESULT([no]) + select_works_with_rlimit=no], +- [AC_MSG_WARN([cross compiling: assuming yes])] ++ [AC_MSG_WARN([cross compiling: assuming yes]) ++ select_works_with_rlimit=yes] + ) + + AC_MSG_CHECKING([if setrlimit(RLIMIT_NOFILE,{0,0}) works]) +@@ -3188,7 +3189,8 @@ AC_RUN_IFELSE( + rlimit_nofile_zero_works=yes], + [AC_MSG_RESULT([no]) + rlimit_nofile_zero_works=no], +- [AC_MSG_WARN([cross compiling: assuming yes])] ++ [AC_MSG_WARN([cross compiling: assuming yes]) ++ rlimit_nofile_zero_works=yes] + ) + + AC_MSG_CHECKING([if setrlimit RLIMIT_FSIZE works]) +-- +2.12.0 + diff --git a/net-misc/openssh/files/openssh-7.5_p1-hpn-x509-10.1-glue.patch b/net-misc/openssh/files/openssh-7.5_p1-hpn-x509-10.1-glue.patch new file mode 100644 index 000000000000..e55a8b14c573 --- /dev/null +++ b/net-misc/openssh/files/openssh-7.5_p1-hpn-x509-10.1-glue.patch @@ -0,0 +1,63 @@ +diff -ur a/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch b/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch +--- a/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch 2017-03-27 13:31:01.816551100 -0700 ++++ b/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch 2017-03-27 13:51:03.894805846 -0700 +@@ -40,7 +40,7 @@ + @@ -44,7 +44,7 @@ CC=@CC@ + LD=@LD@ + CFLAGS=@CFLAGS@ +- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ ++ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ + -LIBS=@LIBS@ + +LIBS=@LIBS@ -lpthread + K5LIBS=@K5LIBS@ +@@ -1023,6 +1023,3 @@ + do_authenticated(authctxt); + + /* The connection has been terminated. */ +--- +-2.12.0 +- +diff -ur a/0004-support-dynamically-sized-receive-buffers.patch b/0004-support-dynamically-sized-receive-buffers.patch +--- a/0004-support-dynamically-sized-receive-buffers.patch 2017-03-27 13:31:01.816551100 -0700 ++++ b/0004-support-dynamically-sized-receive-buffers.patch 2017-03-27 13:49:44.513498976 -0700 +@@ -926,9 +926,9 @@ + @@ -526,10 +553,10 @@ send_client_banner(int connection_out, int minor1) + /* Send our own protocol version identification. */ + if (compat20) { +- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", +-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION); +-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE); ++ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n", ++- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, PACKAGE_VERSION); +++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, PACKAGE_VERSION); + } else { + xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n", + - PROTOCOL_MAJOR_1, minor1, SSH_VERSION); +@@ -943,11 +943,11 @@ + @@ -367,7 +367,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) + char remote_version[256]; /* Must be at least as big as buf. */ + +- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n", +-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, +-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, ++ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s", ++- major, minor, SSH_VERSION, comment, +++ major, minor, SSH_RELEASE, comment, + *options.version_addendum == '\0' ? "" : " ", +- options.version_addendum); ++ options.version_addendum, newline); + + @@ -1020,6 +1020,8 @@ server_listen(void) + int ret, listen_sock, on = 1; +@@ -1008,10 +1008,6 @@ + @@ -3,4 +3,5 @@ + #define SSH_VERSION "OpenSSH_7.5" + +- #define SSH_PORTABLE "p1" +--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ++-#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1" + +#define SSH_HPN "-hpn14v12" + +#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN +--- +-2.12.0 +- diff --git a/net-misc/openssh/files/openssh-7.5_p1-hpn-x509-10.2-glue.patch b/net-misc/openssh/files/openssh-7.5_p1-hpn-x509-10.2-glue.patch new file mode 100644 index 000000000000..11a5b364be4d --- /dev/null +++ b/net-misc/openssh/files/openssh-7.5_p1-hpn-x509-10.2-glue.patch @@ -0,0 +1,67 @@ +diff -ur a/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch b/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch +--- a/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch 2017-03-27 13:31:01.816551100 -0700 ++++ b/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch 2017-03-27 13:51:03.894805846 -0700 +@@ -40,7 +40,7 @@ + @@ -44,7 +44,7 @@ CC=@CC@ + LD=@LD@ + CFLAGS=@CFLAGS@ +- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ ++ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ + -LIBS=@LIBS@ + +LIBS=@LIBS@ -lpthread + K5LIBS=@K5LIBS@ +@@ -1023,6 +1023,3 @@ + do_authenticated(authctxt); + + /* The connection has been terminated. */ +--- +-2.12.0 +- +diff -ur a/0004-support-dynamically-sized-receive-buffers.patch b/0004-support-dynamically-sized-receive-buffers.patch +--- a/0004-support-dynamically-sized-receive-buffers.patch 2017-03-27 13:31:01.816551100 -0700 ++++ b/0004-support-dynamically-sized-receive-buffers.patch 2017-03-27 13:49:44.513498976 -0700 +@@ -926,9 +926,9 @@ + @@ -526,10 +553,10 @@ send_client_banner(int connection_out, int minor1) + /* Send our own protocol version identification. */ + if (compat20) { +- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", +-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION); +-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE); ++ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n", ++- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, PACKAGE_VERSION); +++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, PACKAGE_VERSION); + } else { + xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n", + - PROTOCOL_MAJOR_1, minor1, SSH_VERSION); +@@ -943,11 +943,11 @@ + @@ -367,7 +367,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) + char remote_version[256]; /* Must be at least as big as buf. */ + +- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n", +-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, +-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, ++ xasprintf(&server_version_string, "SSH-%d.%d-%s%s%s%s%s", ++- major, minor, SSH_VERSION, pkix_comment, +++ major, minor, SSH_RELEASE, pkix_comment, + *options.version_addendum == '\0' ? "" : " ", +- options.version_addendum); ++ options.version_addendum, newline); + + @@ -1020,6 +1020,8 @@ server_listen(void) + int ret, listen_sock, on = 1; +@@ -1006,12 +1008,9 @@ + --- a/version.h + +++ b/version.h +-@@ -3,4 +3,5 @@ ++@@ -3,4 +3,6 @@ + #define SSH_VERSION "OpenSSH_7.5" + +- #define SSH_PORTABLE "p1" +--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ++-#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1" +++#define SSH_X509 ", PKIX-SSH " PACKAGE_VERSION + +#define SSH_HPN "-hpn14v12" + +#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN +--- +-2.12.0 +- diff --git a/net-misc/openssh/files/openssh-7.5_p1-x32-typo.patch b/net-misc/openssh/files/openssh-7.5_p1-x32-typo.patch new file mode 100644 index 000000000000..5dca1b0e4e16 --- /dev/null +++ b/net-misc/openssh/files/openssh-7.5_p1-x32-typo.patch @@ -0,0 +1,25 @@ +From 596c432181e1c4a9da354388394f640afd29f44b Mon Sep 17 00:00:00 2001 +From: Mike Frysinger <vapier@gentoo.org> +Date: Mon, 20 Mar 2017 14:57:40 -0400 +Subject: [PATCH] seccomp sandbox: fix typo w/x32 check + +--- + sandbox-seccomp-filter.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c +index 3a1aedce72c2..a8d472a63ccb 100644 +--- a/sandbox-seccomp-filter.c ++++ b/sandbox-seccomp-filter.c +@@ -235,7 +235,7 @@ static const struct sock_filter preauth_insns[] = { + * x86-64 syscall under some circumstances, e.g. + * https://bugs.debian.org/849923 + */ +- SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT); ++ SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT), + #endif + + /* Default deny */ +-- +2.12.0 + diff --git a/net-misc/openssh/files/openssh-7.5p1-x509-libressl.patch b/net-misc/openssh/files/openssh-7.5p1-x509-libressl.patch new file mode 100644 index 000000000000..b4f36a513180 --- /dev/null +++ b/net-misc/openssh/files/openssh-7.5p1-x509-libressl.patch @@ -0,0 +1,202 @@ +diff -urN openssh-7.5p1.orig/a_utf8.c openssh-7.5p1/a_utf8.c +--- openssh-7.5p1.orig/a_utf8.c 1970-01-01 00:00:00.000000000 +0000 ++++ openssh-7.5p1/a_utf8.c 2017-03-30 17:38:25.179532110 +0000 +@@ -0,0 +1,186 @@ ++/* ++ * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the OpenSSL license (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#include <stdio.h> ++ ++/* UTF8 utilities */ ++ ++/*- ++ * This parses a UTF8 string one character at a time. It is passed a pointer ++ * to the string and the length of the string. It sets 'value' to the value of ++ * the current character. It returns the number of characters read or a ++ * negative error code: ++ * -1 = string too short ++ * -2 = illegal character ++ * -3 = subsequent characters not of the form 10xxxxxx ++ * -4 = character encoded incorrectly (not minimal length). ++ */ ++ ++int UTF8_getc(const unsigned char *str, int len, unsigned long *val) ++{ ++ const unsigned char *p; ++ unsigned long value; ++ int ret; ++ if (len <= 0) ++ return 0; ++ p = str; ++ ++ /* Check syntax and work out the encoded value (if correct) */ ++ if ((*p & 0x80) == 0) { ++ value = *p++ & 0x7f; ++ ret = 1; ++ } else if ((*p & 0xe0) == 0xc0) { ++ if (len < 2) ++ return -1; ++ if ((p[1] & 0xc0) != 0x80) ++ return -3; ++ value = (*p++ & 0x1f) << 6; ++ value |= *p++ & 0x3f; ++ if (value < 0x80) ++ return -4; ++ ret = 2; ++ } else if ((*p & 0xf0) == 0xe0) { ++ if (len < 3) ++ return -1; ++ if (((p[1] & 0xc0) != 0x80) ++ || ((p[2] & 0xc0) != 0x80)) ++ return -3; ++ value = (*p++ & 0xf) << 12; ++ value |= (*p++ & 0x3f) << 6; ++ value |= *p++ & 0x3f; ++ if (value < 0x800) ++ return -4; ++ ret = 3; ++ } else if ((*p & 0xf8) == 0xf0) { ++ if (len < 4) ++ return -1; ++ if (((p[1] & 0xc0) != 0x80) ++ || ((p[2] & 0xc0) != 0x80) ++ || ((p[3] & 0xc0) != 0x80)) ++ return -3; ++ value = ((unsigned long)(*p++ & 0x7)) << 18; ++ value |= (*p++ & 0x3f) << 12; ++ value |= (*p++ & 0x3f) << 6; ++ value |= *p++ & 0x3f; ++ if (value < 0x10000) ++ return -4; ++ ret = 4; ++ } else if ((*p & 0xfc) == 0xf8) { ++ if (len < 5) ++ return -1; ++ if (((p[1] & 0xc0) != 0x80) ++ || ((p[2] & 0xc0) != 0x80) ++ || ((p[3] & 0xc0) != 0x80) ++ || ((p[4] & 0xc0) != 0x80)) ++ return -3; ++ value = ((unsigned long)(*p++ & 0x3)) << 24; ++ value |= ((unsigned long)(*p++ & 0x3f)) << 18; ++ value |= ((unsigned long)(*p++ & 0x3f)) << 12; ++ value |= (*p++ & 0x3f) << 6; ++ value |= *p++ & 0x3f; ++ if (value < 0x200000) ++ return -4; ++ ret = 5; ++ } else if ((*p & 0xfe) == 0xfc) { ++ if (len < 6) ++ return -1; ++ if (((p[1] & 0xc0) != 0x80) ++ || ((p[2] & 0xc0) != 0x80) ++ || ((p[3] & 0xc0) != 0x80) ++ || ((p[4] & 0xc0) != 0x80) ++ || ((p[5] & 0xc0) != 0x80)) ++ return -3; ++ value = ((unsigned long)(*p++ & 0x1)) << 30; ++ value |= ((unsigned long)(*p++ & 0x3f)) << 24; ++ value |= ((unsigned long)(*p++ & 0x3f)) << 18; ++ value |= ((unsigned long)(*p++ & 0x3f)) << 12; ++ value |= (*p++ & 0x3f) << 6; ++ value |= *p++ & 0x3f; ++ if (value < 0x4000000) ++ return -4; ++ ret = 6; ++ } else ++ return -2; ++ *val = value; ++ return ret; ++} ++ ++/* ++ * This takes a character 'value' and writes the UTF8 encoded value in 'str' ++ * where 'str' is a buffer containing 'len' characters. Returns the number of ++ * characters written or -1 if 'len' is too small. 'str' can be set to NULL ++ * in which case it just returns the number of characters. It will need at ++ * most 6 characters. ++ */ ++ ++int UTF8_putc(unsigned char *str, int len, unsigned long value) ++{ ++ if (!str) ++ len = 6; /* Maximum we will need */ ++ else if (len <= 0) ++ return -1; ++ if (value < 0x80) { ++ if (str) ++ *str = (unsigned char)value; ++ return 1; ++ } ++ if (value < 0x800) { ++ if (len < 2) ++ return -1; ++ if (str) { ++ *str++ = (unsigned char)(((value >> 6) & 0x1f) | 0xc0); ++ *str = (unsigned char)((value & 0x3f) | 0x80); ++ } ++ return 2; ++ } ++ if (value < 0x10000) { ++ if (len < 3) ++ return -1; ++ if (str) { ++ *str++ = (unsigned char)(((value >> 12) & 0xf) | 0xe0); ++ *str++ = (unsigned char)(((value >> 6) & 0x3f) | 0x80); ++ *str = (unsigned char)((value & 0x3f) | 0x80); ++ } ++ return 3; ++ } ++ if (value < 0x200000) { ++ if (len < 4) ++ return -1; ++ if (str) { ++ *str++ = (unsigned char)(((value >> 18) & 0x7) | 0xf0); ++ *str++ = (unsigned char)(((value >> 12) & 0x3f) | 0x80); ++ *str++ = (unsigned char)(((value >> 6) & 0x3f) | 0x80); ++ *str = (unsigned char)((value & 0x3f) | 0x80); ++ } ++ return 4; ++ } ++ if (value < 0x4000000) { ++ if (len < 5) ++ return -1; ++ if (str) { ++ *str++ = (unsigned char)(((value >> 24) & 0x3) | 0xf8); ++ *str++ = (unsigned char)(((value >> 18) & 0x3f) | 0x80); ++ *str++ = (unsigned char)(((value >> 12) & 0x3f) | 0x80); ++ *str++ = (unsigned char)(((value >> 6) & 0x3f) | 0x80); ++ *str = (unsigned char)((value & 0x3f) | 0x80); ++ } ++ return 5; ++ } ++ if (len < 6) ++ return -1; ++ if (str) { ++ *str++ = (unsigned char)(((value >> 30) & 0x1) | 0xfc); ++ *str++ = (unsigned char)(((value >> 24) & 0x3f) | 0x80); ++ *str++ = (unsigned char)(((value >> 18) & 0x3f) | 0x80); ++ *str++ = (unsigned char)(((value >> 12) & 0x3f) | 0x80); ++ *str++ = (unsigned char)(((value >> 6) & 0x3f) | 0x80); ++ *str = (unsigned char)((value & 0x3f) | 0x80); ++ } ++ return 6; ++} +diff -urN openssh-7.5p1.orig/Makefile.in openssh-7.5p1/Makefile.in +--- openssh-7.5p1.orig/Makefile.in 2017-03-30 17:33:30.983830629 +0000 ++++ openssh-7.5p1/Makefile.in 2017-03-30 17:39:28.392905858 +0000 +@@ -74,7 +74,7 @@ + @OCSP_ON@OCSP_OBJS=ssh-ocsp.o + @OCSP_OFF@OCSP_OBJS= + +-SSHX509_OBJS=ssh-x509.o ssh-xkalg.o x509_nm_cmp.o key-eng.o ++SSHX509_OBJS=ssh-x509.o ssh-xkalg.o x509_nm_cmp.o key-eng.o a_utf8.o + X509STORE_OBJS=x509store.o $(LDAP_OBJS) + + TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) diff --git a/net-misc/openssh/files/sshd.confd b/net-misc/openssh/files/sshd.confd new file mode 100644 index 000000000000..28952b4a285a --- /dev/null +++ b/net-misc/openssh/files/sshd.confd @@ -0,0 +1,21 @@ +# /etc/conf.d/sshd: config file for /etc/init.d/sshd + +# Where is your sshd_config file stored? + +SSHD_CONFDIR="/etc/ssh" + + +# Any random options you want to pass to sshd. +# See the sshd(8) manpage for more info. + +SSHD_OPTS="" + + +# Pid file to use (needs to be absolute path). + +#SSHD_PIDFILE="/var/run/sshd.pid" + + +# Path to the sshd binary (needs to be absolute path). + +#SSHD_BINARY="/usr/sbin/sshd" diff --git a/net-misc/openssh/files/sshd.pam_include.2 b/net-misc/openssh/files/sshd.pam_include.2 new file mode 100644 index 000000000000..b801aaafa0f9 --- /dev/null +++ b/net-misc/openssh/files/sshd.pam_include.2 @@ -0,0 +1,4 @@ +auth include system-remote-login +account include system-remote-login +password include system-remote-login +session include system-remote-login diff --git a/net-misc/openssh/files/sshd.rc6.4 b/net-misc/openssh/files/sshd.rc6.4 new file mode 100644 index 000000000000..5e301420361f --- /dev/null +++ b/net-misc/openssh/files/sshd.rc6.4 @@ -0,0 +1,84 @@ +#!/sbin/openrc-run +# Copyright 1999-2015 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +extra_commands="checkconfig" +extra_started_commands="reload" + +: ${SSHD_CONFDIR:=/etc/ssh} +: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config} +: ${SSHD_PIDFILE:=/var/run/${SVCNAME}.pid} +: ${SSHD_BINARY:=/usr/sbin/sshd} + +depend() { + use logger dns + if [ "${rc_need+set}" = "set" ] ; then + : # Do nothing, the user has explicitly set rc_need + else + local x warn_addr + for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do + case "${x}" in + 0.0.0.0|0.0.0.0:*) ;; + ::|\[::\]*) ;; + *) warn_addr="${warn_addr} ${x}" ;; + esac + done + if [ -n "${warn_addr}" ] ; then + need net + ewarn "You are binding an interface in ListenAddress statement in your sshd_config!" + ewarn "You must add rc_need=\"net.FOO\" to your /etc/conf.d/sshd" + ewarn "where FOO is the interface(s) providing the following address(es):" + ewarn "${warn_addr}" + fi + fi +} + +checkconfig() { + if [ ! -d /var/empty ] ; then + mkdir -p /var/empty || return 1 + fi + + if [ ! -e "${SSHD_CONFIG}" ] ; then + eerror "You need an ${SSHD_CONFIG} file to run sshd" + eerror "There is a sample file in /usr/share/doc/openssh" + return 1 + fi + + ssh-keygen -A || return 1 + + [ "${SSHD_PIDFILE}" != "/var/run/sshd.pid" ] \ + && SSHD_OPTS="${SSHD_OPTS} -o PidFile=${SSHD_PIDFILE}" + [ "${SSHD_CONFIG}" != "/etc/ssh/sshd_config" ] \ + && SSHD_OPTS="${SSHD_OPTS} -f ${SSHD_CONFIG}" + + "${SSHD_BINARY}" -t ${SSHD_OPTS} || return 1 +} + +start() { + checkconfig || return 1 + + ebegin "Starting ${SVCNAME}" + start-stop-daemon --start --exec "${SSHD_BINARY}" \ + --pidfile "${SSHD_PIDFILE}" \ + -- ${SSHD_OPTS} + eend $? +} + +stop() { + if [ "${RC_CMD}" = "restart" ] ; then + checkconfig || return 1 + fi + + ebegin "Stopping ${SVCNAME}" + start-stop-daemon --stop --exec "${SSHD_BINARY}" \ + --pidfile "${SSHD_PIDFILE}" --quiet + eend $? +} + +reload() { + checkconfig || return 1 + ebegin "Reloading ${SVCNAME}" + start-stop-daemon --signal HUP \ + --exec "${SSHD_BINARY}" --pidfile "${SSHD_PIDFILE}" + eend $? +} diff --git a/net-misc/openssh/files/sshd.service b/net-misc/openssh/files/sshd.service new file mode 100644 index 000000000000..b5e96b3a251f --- /dev/null +++ b/net-misc/openssh/files/sshd.service @@ -0,0 +1,11 @@ +[Unit] +Description=OpenSSH server daemon +After=syslog.target network.target auditd.service + +[Service] +ExecStartPre=/usr/bin/ssh-keygen -A +ExecStart=/usr/sbin/sshd -D -e +ExecReload=/bin/kill -HUP $MAINPID + +[Install] +WantedBy=multi-user.target diff --git a/net-misc/openssh/files/sshd.socket b/net-misc/openssh/files/sshd.socket new file mode 100644 index 000000000000..94b9533180da --- /dev/null +++ b/net-misc/openssh/files/sshd.socket @@ -0,0 +1,10 @@ +[Unit] +Description=OpenSSH Server Socket +Conflicts=sshd.service + +[Socket] +ListenStream=22 +Accept=yes + +[Install] +WantedBy=sockets.target diff --git a/net-misc/openssh/files/sshd_at.service b/net-misc/openssh/files/sshd_at.service new file mode 100644 index 000000000000..2645ad047cc6 --- /dev/null +++ b/net-misc/openssh/files/sshd_at.service @@ -0,0 +1,8 @@ +[Unit] +Description=OpenSSH per-connection server daemon +After=syslog.target auditd.service + +[Service] +ExecStart=-/usr/sbin/sshd -i -e +StandardInput=socket +StandardError=syslog diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml new file mode 100644 index 000000000000..29134fc060db --- /dev/null +++ b/net-misc/openssh/metadata.xml @@ -0,0 +1,40 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd"> +<pkgmetadata> + <maintainer type="project"> + <email>base-system@gentoo.org</email> + <name>Gentoo Base System</name> + </maintainer> + <maintainer type="person"> + <email>robbat2@gentoo.org</email> + <description>LPK issues. Only assign if it's a direct LPK issue. Do not directly assign for anything else.</description> + </maintainer> + <longdescription> +OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools that +increasing numbers of people on the Internet are coming to rely on. Many users of telnet, +rlogin, ftp, and other such programs might not realize that their password is transmitted +across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) +to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. +Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety +of authentication methods. + +The OpenSSH suite includes the ssh program which replaces rlogin and telnet, scp which +replaces rcp, and sftp which replaces ftp. Also included is sshd which is the server side of +the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign, ssh-keyscan, +ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0. +</longdescription> + <use> + <flag name="bindist">Disable EC/RC5 algorithms in OpenSSL for patent reasons.</flag> + <flag name="hpn">Enable high performance ssh</flag> + <flag name="ldap">Add support for storing SSH public keys in LDAP</flag> + <flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag> + <flag name="livecd">Enable root password logins for live-cd environment.</flag> + <flag name="ssh1">Support the legacy/weak SSH1 protocol</flag> + <flag name="ssl">Enable additional crypto algorithms via OpenSSL</flag> + <flag name="X509">Adds support for X.509 certificate authentication</flag> + </use> + <upstream> + <remote-id type="cpe">cpe:/a:openssh:openssh</remote-id> + <remote-id type="sourceforge">hpnssh</remote-id> + </upstream> +</pkgmetadata> diff --git a/net-misc/openssh/openssh-7.3_p1-r7.ebuild b/net-misc/openssh/openssh-7.3_p1-r7.ebuild new file mode 100644 index 000000000000..419efd3205b5 --- /dev/null +++ b/net-misc/openssh/openssh-7.3_p1-r7.ebuild @@ -0,0 +1,351 @@ +# Copyright 1999-2017 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI="5" + +inherit eutils user flag-o-matic multilib autotools pam systemd versionator + +# Make it more portable between straight releases +# and _p? releases. +PARCH=${P/_} +HPN_PV="${PV}" +HPN_VER="14.10" + +HPN_PATCH="${PN}-${HPN_PV}-hpn-14.10-r1.patch" +SCTP_PATCH="${PN}-7.3_p1-sctp.patch.xz" +LDAP_PATCH="${PN}-lpk-7.3p1-0.3.14.patch.xz" +X509_VER="9.2" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz" + +DESCRIPTION="Port of OpenBSD's free SSH release" +HOMEPAGE="http://www.openssh.org/" +SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz + ${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}} + ${HPN_PATCH:+hpn? ( + mirror://gentoo/${HPN_PATCH}.xz + https://dev.gentoo.org/~chutzpah/${HPN_PATCH}.xz + )} + ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )} + ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} + " + +LICENSE="BSD GPL-2" +SLOT="0" +KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +# Probably want to drop ssl defaulting to on in a future version. +IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509" +REQUIRED_USE="ldns? ( ssl ) + pie? ( !static ) + ssh1? ( ssl ) + static? ( !kerberos !pam ) + X509? ( !ldap ssl ) + test? ( ssl )" + +LIB_DEPEND=" + ldns? ( + net-libs/ldns[static-libs(+)] + !bindist? ( net-libs/ldns[ecdsa,ssl] ) + bindist? ( net-libs/ldns[-ecdsa,ssl] ) + ) + libedit? ( dev-libs/libedit[static-libs(+)] ) + sctp? ( net-misc/lksctp-tools[static-libs(+)] ) + selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) + skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] ) + ssl? ( + !libressl? ( + >=dev-libs/openssl-0.9.8f:0[bindist=] + dev-libs/openssl:0[static-libs(+)] + ) + libressl? ( dev-libs/libressl[static-libs(+)] ) + ) + >=sys-libs/zlib-1.2.3[static-libs(+)]" +RDEPEND=" + !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) + pam? ( virtual/pam ) + kerberos? ( virtual/krb5 ) + ldap? ( net-nds/openldap )" +DEPEND="${RDEPEND} + static? ( ${LIB_DEPEND} ) + virtual/pkgconfig + virtual/os-headers + sys-devel/autoconf" +RDEPEND="${RDEPEND} + pam? ( >=sys-auth/pambase-20081028 ) + userland_GNU? ( virtual/shadow ) + X? ( x11-apps/xauth )" + +S=${WORKDIR}/${PARCH} + +pkg_pretend() { + # this sucks, but i'd rather have people unable to `emerge -u openssh` + # than not be able to log in to their server any more + maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; } + local fail=" + $(use X509 && maybe_fail X509 X509_PATCH) + $(use ldap && maybe_fail ldap LDAP_PATCH) + $(use hpn && maybe_fail hpn HPN_PATCH) + " + fail=$(echo ${fail}) + if [[ -n ${fail} ]] ; then + eerror "Sorry, but this version does not yet support features" + eerror "that you requested: ${fail}" + eerror "Please mask ${PF} for now and check back later:" + eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" + die "booooo" + fi + + # Make sure people who are using tcp wrappers are notified of its removal. #531156 + if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then + ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" + ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please." + fi +} + +save_version() { + # version.h patch conflict avoidence + mv version.h version.h.$1 + cp -f version.h.pristine version.h +} + +src_prepare() { + sed -i \ + -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ + pathnames.h || die + # keep this as we need it to avoid the conflict between LPK and HPN changing + # this file. + cp version.h version.h.pristine + + # don't break .ssh/authorized_keys2 for fun + sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die + + if use X509 ; then + pushd .. >/dev/null + if use hpn ; then + pushd "${WORKDIR}" >/dev/null + epatch "${FILESDIR}"/${P}-hpn-x509-9.2-glue.patch + popd >/dev/null + fi + epatch "${FILESDIR}"/${PN}-7.3_p1-sctp-x509-glue.patch + sed -i 's:PKIX_VERSION:SSH_X509:g' "${WORKDIR}"/${X509_PATCH%.*} || die + popd >/dev/null + epatch "${WORKDIR}"/${X509_PATCH%.*} + epatch "${FILESDIR}"/${P}-x509-9.2-warnings.patch + save_version X509 + else + # bug #592122, fixed by X509 patch + epatch "${FILESDIR}"/${P}-fix-ssh1-with-no-ssh1-host-key.patch + fi + if use ldap ; then + epatch "${WORKDIR}"/${LDAP_PATCH%.*} + save_version LPK + fi + + epatch "${FILESDIR}"/${PN}-7.3_p1-GSSAPI-dns.patch #165444 integrated into gsskex + epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch + epatch "${WORKDIR}"/${SCTP_PATCH%.*} + + if use hpn ; then + #EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \ + # EPATCH_MULTI_MSG="Applying HPN patchset ..." \ + # epatch "${WORKDIR}"/${HPN_PATCH%.*.*} + epatch "${WORKDIR}"/${HPN_PATCH} + epatch "${FILESDIR}"/${P}-hpn-cipher-ctr-mt-no-deadlocks.patch + save_version HPN + fi + + tc-export PKG_CONFIG + local sed_args=( + -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" + # Disable PATH reset, trust what portage gives us #254615 + -e 's:^PATH=/:#PATH=/:' + # Disable fortify flags ... our gcc does this for us + -e 's:-D_FORTIFY_SOURCE=2::' + ) + # The -ftrapv flag ICEs on hppa #505182 + use hppa && sed_args+=( + -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' + -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' + ) + sed -i "${sed_args[@]}" configure{.ac,} || die + + # 7.3 added seccomp support to MIPS, but failed to handled the N32 + # case. This patch is temporary until upstream fixes. See + # Gentoo bug #591392 or upstream #2590. + [[ ${CHOST} == mips64*-linux-* && ${ABI} == "n32" ]] \ + && epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch + + epatch "${FILESDIR}"/${P}-NEWKEYS_null_deref.patch # 595342 + epatch "${FILESDIR}"/${P}-Unregister-the-KEXINIT-handler-after-receive.patch # 597360 + + epatch_user #473004 + + # Now we can build a sane merged version.h + ( + sed '/^#define SSH_RELEASE/d' version.h.* | sort -u + macros=() + for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done + printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}" + ) > version.h + + eautoreconf +} + +src_configure() { + addwrite /dev/ptmx + + use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG + use static && append-ldflags -static + + local myconf=( + --with-ldflags="${LDFLAGS}" + --disable-strip + --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run + --sysconfdir="${EPREFIX}"/etc/ssh + --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc + --datadir="${EPREFIX}"/usr/share/openssh + --with-privsep-path="${EPREFIX}"/var/empty + --with-privsep-user=sshd + $(use_with kerberos kerberos5 "${EPREFIX}"/usr) + # We apply the ldap patch conditionally, so can't pass --without-ldap + # unconditionally else we get unknown flag warnings. + $(use ldap && use_with ldap) + $(use_with ldns) + $(use_with libedit) + $(use_with pam) + $(use_with pie) + $(use_with sctp) + $(use_with selinux) + $(use_with skey) + $(use_with ssh1) + $(use_with ssl openssl) + $(use_with ssl md5-passwords) + $(use_with ssl ssl-engine) + ) + + # The seccomp sandbox is broken on x32, so use the older method for now. #553748 + use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit ) + + econf "${myconf[@]}" +} + +src_install() { + emake install-nokeys DESTDIR="${D}" + fperms 600 /etc/ssh/sshd_config + dobin contrib/ssh-copy-id + newinitd "${FILESDIR}"/sshd.rc6.4 sshd + newconfd "${FILESDIR}"/sshd.confd sshd + keepdir /var/empty + + newpamd "${FILESDIR}"/sshd.pam_include.2 sshd + if use pam ; then + sed -i \ + -e "/^#UsePAM /s:.*:UsePAM yes:" \ + -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ + -e "/^#PrintMotd /s:.*:PrintMotd no:" \ + -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ + "${ED}"/etc/ssh/sshd_config || die + fi + + # Gentoo tweaks to default config files + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config + + # Allow client to pass locale environment variables #367017 + AcceptEnv LANG LC_* + EOF + cat <<-EOF >> "${ED}"/etc/ssh/ssh_config + + # Send locale environment variables #367017 + SendEnv LANG LC_* + EOF + + if use livecd ; then + sed -i \ + -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \ + "${ED}"/etc/ssh/sshd_config || die + fi + + if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then + insinto /etc/openldap/schema/ + newins openssh-lpk_openldap.schema openssh-lpk.schema + fi + + doman contrib/ssh-copy-id.1 + dodoc CREDITS OVERVIEW README* TODO sshd_config + use X509 || dodoc ChangeLog + + diropts -m 0700 + dodir /etc/skel/.ssh + + systemd_dounit "${FILESDIR}"/sshd.{service,socket} + systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' +} + +src_test() { + local t tests skipped failed passed shell + tests="interop-tests compat-tests" + skipped="" + shell=$(egetshell ${UID}) + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then + elog "Running the full OpenSSH testsuite" + elog "requires a usable shell for the 'portage'" + elog "user, so we will run a subset only." + skipped="${skipped} tests" + else + tests="${tests} tests" + fi + # It will also attempt to write to the homedir .ssh + local sshhome=${T}/homedir + mkdir -p "${sshhome}"/.ssh + for t in ${tests} ; do + # Some tests read from stdin ... + HOMEDIR="${sshhome}" HOME="${sshhome}" \ + emake -k -j1 ${t} </dev/null \ + && passed="${passed}${t} " \ + || failed="${failed}${t} " + done + einfo "Passed tests: ${passed}" + ewarn "Skipped tests: ${skipped}" + if [[ -n ${failed} ]] ; then + ewarn "Failed tests: ${failed}" + die "Some tests failed: ${failed}" + else + einfo "Failed tests: ${failed}" + return 0 + fi +} + +pkg_preinst() { + enewgroup sshd 22 + enewuser sshd 22 -1 /var/empty sshd +} + +pkg_postinst() { + if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then + elog "Starting with openssh-5.8p1, the server will default to a newer key" + elog "algorithm (ECDSA). You are encouraged to manually update your stored" + elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." + fi + if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then + elog "Starting with openssh-6.9p1, ssh1 support is disabled by default." + fi + if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then + elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." + elog "Make sure to update any configs that you might have. Note that xinetd might" + elog "be an alternative for you as it supports USE=tcpd." + fi + if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518 + elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" + elog "weak sizes. If you rely on these key types, you can re-enable the key types by" + elog "adding to your sshd_config or ~/.ssh/config files:" + elog " PubkeyAcceptedKeyTypes=+ssh-dss" + elog "You should however generate new keys using rsa or ed25519." + + elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" + elog "to 'prohibit-password'. That means password auth for root users no longer works" + elog "out of the box. If you need this, please update your sshd_config explicitly." + fi + if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then + elog "Be aware that by disabling openssl support in openssh, the server and clients" + elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" + elog "and update all clients/servers that utilize them." + fi +} diff --git a/net-misc/openssh/openssh-7.3_p1-r8.ebuild b/net-misc/openssh/openssh-7.3_p1-r8.ebuild new file mode 100644 index 000000000000..4f9371ee6a84 --- /dev/null +++ b/net-misc/openssh/openssh-7.3_p1-r8.ebuild @@ -0,0 +1,337 @@ +# Copyright 1999-2017 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI="5" + +inherit eutils user flag-o-matic multilib autotools pam systemd versionator + +# Make it more portable between straight releases +# and _p? releases. +PARCH=${P/_} + +HPN_PATCH="${PARCH}-hpnssh14v12.tar.xz" +SCTP_PATCH="${PN}-7.3_p1-sctp.patch.xz" +LDAP_PATCH="${PN}-lpk-7.3p1-0.3.14.patch.xz" +X509_VER="9.2" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz" + +DESCRIPTION="Port of OpenBSD's free SSH release" +HOMEPAGE="http://www.openssh.org/" +SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz + ${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}} + ${HPN_PATCH:+hpn? ( mirror://gentoo/${HPN_PATCH} )} + ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )} + ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} + " + +LICENSE="BSD GPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +# Probably want to drop ssl defaulting to on in a future version. +IUSE="abi_mips_n32 bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509" +REQUIRED_USE="ldns? ( ssl ) + pie? ( !static ) + ssh1? ( ssl ) + static? ( !kerberos !pam ) + X509? ( !ldap ssl ) + test? ( ssl )" + +LIB_DEPEND=" + ldns? ( + net-libs/ldns[static-libs(+)] + !bindist? ( net-libs/ldns[ecdsa,ssl] ) + bindist? ( net-libs/ldns[-ecdsa,ssl] ) + ) + libedit? ( dev-libs/libedit[static-libs(+)] ) + sctp? ( net-misc/lksctp-tools[static-libs(+)] ) + selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) + skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] ) + ssl? ( + !libressl? ( + >=dev-libs/openssl-0.9.8f:0[bindist=] + dev-libs/openssl:0[static-libs(+)] + ) + libressl? ( dev-libs/libressl[static-libs(+)] ) + ) + >=sys-libs/zlib-1.2.3[static-libs(+)]" +RDEPEND=" + !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) + pam? ( virtual/pam ) + kerberos? ( virtual/krb5 ) + ldap? ( net-nds/openldap )" +DEPEND="${RDEPEND} + static? ( ${LIB_DEPEND} ) + virtual/pkgconfig + virtual/os-headers + sys-devel/autoconf" +RDEPEND="${RDEPEND} + pam? ( >=sys-auth/pambase-20081028 ) + userland_GNU? ( virtual/shadow ) + X? ( x11-apps/xauth )" + +S=${WORKDIR}/${PARCH} + +pkg_pretend() { + # this sucks, but i'd rather have people unable to `emerge -u openssh` + # than not be able to log in to their server any more + maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; } + local fail=" + $(use X509 && maybe_fail X509 X509_PATCH) + $(use ldap && maybe_fail ldap LDAP_PATCH) + $(use hpn && maybe_fail hpn HPN_PATCH) + " + fail=$(echo ${fail}) + if [[ -n ${fail} ]] ; then + eerror "Sorry, but this version does not yet support features" + eerror "that you requested: ${fail}" + eerror "Please mask ${PF} for now and check back later:" + eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" + die "booooo" + fi + + # Make sure people who are using tcp wrappers are notified of its removal. #531156 + if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then + ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" + ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please." + fi +} + +save_version() { + # version.h patch conflict avoidence + mv version.h version.h.$1 + cp -f version.h.pristine version.h +} + +src_prepare() { + sed -i \ + -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ + pathnames.h || die + # keep this as we need it to avoid the conflict between LPK and HPN changing + # this file. + cp version.h version.h.pristine + + # don't break .ssh/authorized_keys2 for fun + sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die + + if use X509 ; then + pushd .. >/dev/null + if use hpn ; then + pushd ${HPN_PATCH%.*.*} >/dev/null + epatch "${FILESDIR}"/${P}-hpn-12-x509-9.2-glue.patch + popd >/dev/null + fi + epatch "${FILESDIR}"/${PN}-7.3_p1-sctp-x509-glue.patch + sed -i 's:PKIX_VERSION:SSH_X509:g' "${WORKDIR}"/${X509_PATCH%.*} || die + popd >/dev/null + epatch "${WORKDIR}"/${X509_PATCH%.*} + epatch "${FILESDIR}"/${P}-x509-9.2-warnings.patch + save_version X509 + else + epatch "${FILESDIR}"/${P}-fix-ssh1-with-no-ssh1-host-key.patch #592122 inc in X509 patch + fi + + if use ldap ; then + epatch "${WORKDIR}"/${LDAP_PATCH%.*} + save_version LPK + fi + + epatch "${FILESDIR}"/${PN}-7.3_p1-GSSAPI-dns.patch #165444 integrated into gsskex + epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch + epatch "${WORKDIR}"/${SCTP_PATCH%.*} + epatch "${FILESDIR}"/${P}-NEWKEYS_null_deref.patch #595342 + epatch "${FILESDIR}"/${P}-Unregister-the-KEXINIT-handler-after-receive.patch #597360 + use abi_mips_n32 && epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch + + if use hpn ; then + EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \ + EPATCH_MULTI_MSG="Applying HPN patchset ..." \ + epatch "${WORKDIR}"/${HPN_PATCH%.*.*} + save_version HPN + fi + + tc-export PKG_CONFIG + local sed_args=( + -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" + # Disable PATH reset, trust what portage gives us #254615 + -e 's:^PATH=/:#PATH=/:' + # Disable fortify flags ... our gcc does this for us + -e 's:-D_FORTIFY_SOURCE=2::' + ) + # The -ftrapv flag ICEs on hppa #505182 + use hppa && sed_args+=( + -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' + -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' + ) + # _XOPEN_SOURCE causes header conflicts on Solaris + [[ ${CHOST} == *-solaris* ]] && sed_args+=( + -e 's/-D_XOPEN_SOURCE//' + ) + sed -i "${sed_args[@]}" configure{.ac,} || die + + epatch_user #473004 + + # Now we can build a sane merged version.h + ( + sed '/^#define SSH_RELEASE/d' version.h.* | sort -u + macros=() + for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done + printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}" + ) > version.h + + eautoreconf +} + +src_configure() { + addwrite /dev/ptmx + + use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG + use static && append-ldflags -static + + local myconf=( + --with-ldflags="${LDFLAGS}" + --disable-strip + --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run + --sysconfdir="${EPREFIX}"/etc/ssh + --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc + --datadir="${EPREFIX}"/usr/share/openssh + --with-privsep-path="${EPREFIX}"/var/empty + --with-privsep-user=sshd + $(use_with kerberos kerberos5 "${EPREFIX}"/usr) + # We apply the ldap patch conditionally, so can't pass --without-ldap + # unconditionally else we get unknown flag warnings. + $(use ldap && use_with ldap) + $(use_with ldns) + $(use_with libedit) + $(use_with pam) + $(use_with pie) + $(use_with sctp) + $(use_with selinux) + $(use_with skey) + $(use_with ssh1) + $(use_with ssl openssl) + $(use_with ssl md5-passwords) + $(use_with ssl ssl-engine) + ) + + # The seccomp sandbox is broken on x32, so use the older method for now. #553748 + use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit ) + + econf "${myconf[@]}" +} + +src_install() { + emake install-nokeys DESTDIR="${D}" + fperms 600 /etc/ssh/sshd_config + dobin contrib/ssh-copy-id + newinitd "${FILESDIR}"/sshd.rc6.4 sshd + newconfd "${FILESDIR}"/sshd.confd sshd + keepdir /var/empty + + newpamd "${FILESDIR}"/sshd.pam_include.2 sshd + if use pam ; then + sed -i \ + -e "/^#UsePAM /s:.*:UsePAM yes:" \ + -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ + -e "/^#PrintMotd /s:.*:PrintMotd no:" \ + -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ + "${ED}"/etc/ssh/sshd_config || die + fi + + # Gentoo tweaks to default config files + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config + + # Allow client to pass locale environment variables #367017 + AcceptEnv LANG LC_* + EOF + cat <<-EOF >> "${ED}"/etc/ssh/ssh_config + + # Send locale environment variables #367017 + SendEnv LANG LC_* + EOF + + if use livecd ; then + sed -i \ + -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \ + "${ED}"/etc/ssh/sshd_config || die + fi + + if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then + insinto /etc/openldap/schema/ + newins openssh-lpk_openldap.schema openssh-lpk.schema + fi + + doman contrib/ssh-copy-id.1 + dodoc CREDITS OVERVIEW README* TODO sshd_config + use X509 || dodoc ChangeLog + + diropts -m 0700 + dodir /etc/skel/.ssh + + systemd_dounit "${FILESDIR}"/sshd.{service,socket} + systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' +} + +src_test() { + local t skipped=() failed=() passed=() + local tests=( interop-tests compat-tests ) + + local shell=$(egetshell "${UID}") + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then + elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" + elog "user, so we will run a subset only." + skipped+=( tests ) + else + tests+=( tests ) + fi + + # It will also attempt to write to the homedir .ssh. + local sshhome=${T}/homedir + mkdir -p "${sshhome}"/.ssh + for t in "${tests[@]}" ; do + # Some tests read from stdin ... + HOMEDIR="${sshhome}" HOME="${sshhome}" \ + emake -k -j1 ${t} </dev/null \ + && passed+=( "${t}" ) \ + || failed+=( "${t}" ) + done + + einfo "Passed tests: ${passed[*]}" + [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}" + [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}" +} + +pkg_preinst() { + enewgroup sshd 22 + enewuser sshd 22 -1 /var/empty sshd +} + +pkg_postinst() { + if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then + elog "Starting with openssh-5.8p1, the server will default to a newer key" + elog "algorithm (ECDSA). You are encouraged to manually update your stored" + elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." + fi + if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then + elog "Starting with openssh-6.9p1, ssh1 support is disabled by default." + fi + if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then + elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." + elog "Make sure to update any configs that you might have. Note that xinetd might" + elog "be an alternative for you as it supports USE=tcpd." + fi + if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518 + elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" + elog "weak sizes. If you rely on these key types, you can re-enable the key types by" + elog "adding to your sshd_config or ~/.ssh/config files:" + elog " PubkeyAcceptedKeyTypes=+ssh-dss" + elog "You should however generate new keys using rsa or ed25519." + + elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" + elog "to 'prohibit-password'. That means password auth for root users no longer works" + elog "out of the box. If you need this, please update your sshd_config explicitly." + fi + if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then + elog "Be aware that by disabling openssl support in openssh, the server and clients" + elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" + elog "and update all clients/servers that utilize them." + fi +} diff --git a/net-misc/openssh/openssh-7.4_p1.ebuild b/net-misc/openssh/openssh-7.4_p1.ebuild new file mode 100644 index 000000000000..41790fb15b3c --- /dev/null +++ b/net-misc/openssh/openssh-7.4_p1.ebuild @@ -0,0 +1,327 @@ +# Copyright 1999-2017 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI="5" + +inherit eutils user flag-o-matic multilib autotools pam systemd versionator + +# Make it more portable between straight releases +# and _p? releases. +PARCH=${P/_} + +#HPN_PATCH= #"${PARCH}-hpnssh14v12.tar.xz" +SCTP_PATCH="${PN}-7.4_p1-sctp.patch.xz" +LDAP_PATCH="${PN}-lpk-7.4p1-0.3.14.patch.xz" +X509_VER="9.3" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz" + +DESCRIPTION="Port of OpenBSD's free SSH release" +HOMEPAGE="http://www.openssh.org/" +SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz + ${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}} + ${HPN_PATCH:+hpn? ( mirror://gentoo/${HPN_PATCH} )} + ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )} + ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} + " + +LICENSE="BSD GPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +# Probably want to drop ssl defaulting to on in a future version. +IUSE="abi_mips_n32 audit bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509" +REQUIRED_USE="ldns? ( ssl ) + pie? ( !static ) + ssh1? ( ssl ) + static? ( !kerberos !pam ) + X509? ( !hpn !ldap !sctp ssl ) + test? ( ssl )" + +LIB_DEPEND=" + audit? ( sys-process/audit[static-libs(+)] ) + ldns? ( + net-libs/ldns[static-libs(+)] + !bindist? ( net-libs/ldns[ecdsa,ssl] ) + bindist? ( net-libs/ldns[-ecdsa,ssl] ) + ) + libedit? ( dev-libs/libedit[static-libs(+)] ) + sctp? ( net-misc/lksctp-tools[static-libs(+)] ) + selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) + skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] ) + ssl? ( + !libressl? ( + >=dev-libs/openssl-0.9.8f:0[bindist=] + dev-libs/openssl:0[static-libs(+)] + ) + libressl? ( dev-libs/libressl[static-libs(+)] ) + ) + >=sys-libs/zlib-1.2.3[static-libs(+)]" +RDEPEND=" + !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) + pam? ( virtual/pam ) + kerberos? ( virtual/krb5 ) + ldap? ( net-nds/openldap )" +DEPEND="${RDEPEND} + static? ( ${LIB_DEPEND} ) + virtual/pkgconfig + virtual/os-headers + sys-devel/autoconf" +RDEPEND="${RDEPEND} + pam? ( >=sys-auth/pambase-20081028 ) + userland_GNU? ( virtual/shadow ) + X? ( x11-apps/xauth )" + +S=${WORKDIR}/${PARCH} + +pkg_pretend() { + # this sucks, but i'd rather have people unable to `emerge -u openssh` + # than not be able to log in to their server any more + maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; } + local fail=" + $(use X509 && maybe_fail X509 X509_PATCH) + $(use ldap && maybe_fail ldap LDAP_PATCH) + $(use hpn && maybe_fail hpn HPN_PATCH) + " + fail=$(echo ${fail}) + if [[ -n ${fail} ]] ; then + eerror "Sorry, but this version does not yet support features" + eerror "that you requested: ${fail}" + eerror "Please mask ${PF} for now and check back later:" + eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" + die "booooo" + fi + + # Make sure people who are using tcp wrappers are notified of its removal. #531156 + if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then + ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" + ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please." + fi +} + +save_version() { + # version.h patch conflict avoidence + mv version.h version.h.$1 + cp -f version.h.pristine version.h +} + +src_prepare() { + sed -i \ + -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ + pathnames.h || die + # keep this as we need it to avoid the conflict between LPK and HPN changing + # this file. + cp version.h version.h.pristine + + # don't break .ssh/authorized_keys2 for fun + sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die + + if use X509 ; then + epatch "${WORKDIR}"/${X509_PATCH%.*} + # We no longer allow X509 to be used with anything else. + #save_version X509 + fi + + if use ldap ; then + epatch "${WORKDIR}"/${LDAP_PATCH%.*} + save_version LPK + fi + + epatch "${FILESDIR}"/${PN}-7.4_p1-GSSAPI-dns.patch #165444 integrated into gsskex + epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch + use X509 || epatch "${WORKDIR}"/${SCTP_PATCH%.*} + epatch "${FILESDIR}"/${P}-test-bashism.patch + use abi_mips_n32 && epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch + + if use hpn ; then + EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \ + EPATCH_MULTI_MSG="Applying HPN patchset ..." \ + epatch "${WORKDIR}"/${HPN_PATCH%.*.*} + save_version HPN + fi + + tc-export PKG_CONFIG + local sed_args=( + -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" + # Disable PATH reset, trust what portage gives us #254615 + -e 's:^PATH=/:#PATH=/:' + # Disable fortify flags ... our gcc does this for us + -e 's:-D_FORTIFY_SOURCE=2::' + ) + # The -ftrapv flag ICEs on hppa #505182 + use hppa && sed_args+=( + -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' + -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' + ) + # _XOPEN_SOURCE causes header conflicts on Solaris + [[ ${CHOST} == *-solaris* ]] && sed_args+=( + -e 's/-D_XOPEN_SOURCE//' + ) + sed -i "${sed_args[@]}" configure{.ac,} || die + + epatch_user #473004 + + # Now we can build a sane merged version.h + ( + sed '/^#define SSH_RELEASE/d' version.h.* | sort -u + macros=() + for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done + printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}" + ) > version.h + + eautoreconf +} + +src_configure() { + addwrite /dev/ptmx + + use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG + use static && append-ldflags -static + + local myconf=( + --with-ldflags="${LDFLAGS}" + --disable-strip + --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run + --sysconfdir="${EPREFIX}"/etc/ssh + --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc + --datadir="${EPREFIX}"/usr/share/openssh + --with-privsep-path="${EPREFIX}"/var/empty + --with-privsep-user=sshd + $(use_with audit audit linux) + $(use_with kerberos kerberos5 "${EPREFIX}"/usr) + # We apply the ldap patch conditionally, so can't pass --without-ldap + # unconditionally else we get unknown flag warnings. + $(use ldap && use_with ldap) + $(use_with ldns) + $(use_with libedit) + $(use_with pam) + $(use_with pie) + $(use X509 || use_with sctp) + $(use_with selinux) + $(use_with skey) + $(use_with ssh1) + $(use_with ssl openssl) + $(use_with ssl md5-passwords) + $(use_with ssl ssl-engine) + ) + + # The seccomp sandbox is broken on x32, so use the older method for now. #553748 + use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit ) + + econf "${myconf[@]}" +} + +src_install() { + emake install-nokeys DESTDIR="${D}" + fperms 600 /etc/ssh/sshd_config + dobin contrib/ssh-copy-id + newinitd "${FILESDIR}"/sshd.rc6.4 sshd + newconfd "${FILESDIR}"/sshd.confd sshd + keepdir /var/empty + + newpamd "${FILESDIR}"/sshd.pam_include.2 sshd + if use pam ; then + sed -i \ + -e "/^#UsePAM /s:.*:UsePAM yes:" \ + -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ + -e "/^#PrintMotd /s:.*:PrintMotd no:" \ + -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ + "${ED}"/etc/ssh/sshd_config || die + fi + + # Gentoo tweaks to default config files + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config + + # Allow client to pass locale environment variables #367017 + AcceptEnv LANG LC_* + EOF + cat <<-EOF >> "${ED}"/etc/ssh/ssh_config + + # Send locale environment variables #367017 + SendEnv LANG LC_* + EOF + + if use livecd ; then + sed -i \ + -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \ + "${ED}"/etc/ssh/sshd_config || die + fi + + if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then + insinto /etc/openldap/schema/ + newins openssh-lpk_openldap.schema openssh-lpk.schema + fi + + doman contrib/ssh-copy-id.1 + dodoc CREDITS OVERVIEW README* TODO sshd_config + use X509 || dodoc ChangeLog + + diropts -m 0700 + dodir /etc/skel/.ssh + + systemd_dounit "${FILESDIR}"/sshd.{service,socket} + systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' +} + +src_test() { + local t skipped=() failed=() passed=() + local tests=( interop-tests compat-tests ) + + local shell=$(egetshell "${UID}") + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then + elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" + elog "user, so we will run a subset only." + skipped+=( tests ) + else + tests+=( tests ) + fi + + # It will also attempt to write to the homedir .ssh. + local sshhome=${T}/homedir + mkdir -p "${sshhome}"/.ssh + for t in "${tests[@]}" ; do + # Some tests read from stdin ... + HOMEDIR="${sshhome}" HOME="${sshhome}" \ + emake -k -j1 ${t} </dev/null \ + && passed+=( "${t}" ) \ + || failed+=( "${t}" ) + done + + einfo "Passed tests: ${passed[*]}" + [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}" + [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}" +} + +pkg_preinst() { + enewgroup sshd 22 + enewuser sshd 22 -1 /var/empty sshd +} + +pkg_postinst() { + if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then + elog "Starting with openssh-5.8p1, the server will default to a newer key" + elog "algorithm (ECDSA). You are encouraged to manually update your stored" + elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." + fi + if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then + elog "Starting with openssh-6.9p1, ssh1 support is disabled by default." + fi + if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then + elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." + elog "Make sure to update any configs that you might have. Note that xinetd might" + elog "be an alternative for you as it supports USE=tcpd." + fi + if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518 + elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" + elog "weak sizes. If you rely on these key types, you can re-enable the key types by" + elog "adding to your sshd_config or ~/.ssh/config files:" + elog " PubkeyAcceptedKeyTypes=+ssh-dss" + elog "You should however generate new keys using rsa or ed25519." + + elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" + elog "to 'prohibit-password'. That means password auth for root users no longer works" + elog "out of the box. If you need this, please update your sshd_config explicitly." + fi + if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then + elog "Be aware that by disabling openssl support in openssh, the server and clients" + elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" + elog "and update all clients/servers that utilize them." + fi +} diff --git a/net-misc/openssh/openssh-7.5_p1-r1.ebuild b/net-misc/openssh/openssh-7.5_p1-r1.ebuild new file mode 100644 index 000000000000..553f37b620d9 --- /dev/null +++ b/net-misc/openssh/openssh-7.5_p1-r1.ebuild @@ -0,0 +1,332 @@ +# Copyright 1999-2017 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI="5" + +inherit eutils user flag-o-matic multilib autotools pam systemd versionator + +# Make it more portable between straight releases +# and _p? releases. +PARCH=${P/_} + +HPN_PATCH="${PARCH}-hpnssh14v12.tar.xz" +SCTP_PATCH="${PN}-7.4_p1-sctp.patch.xz" +LDAP_PATCH="${PN}-lpk-7.5p1-0.3.14.patch.xz" +X509_VER="10.1" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz" + +DESCRIPTION="Port of OpenBSD's free SSH release" +HOMEPAGE="http://www.openssh.org/" +SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz + ${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}} + ${HPN_PATCH:+hpn? ( mirror://gentoo/${HPN_PATCH} )} + ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )} + ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} + " + +LICENSE="BSD GPL-2" +SLOT="0" +KEYWORDS="alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +# Probably want to drop ssl defaulting to on in a future version. +IUSE="abi_mips_n32 audit bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509" +REQUIRED_USE="ldns? ( ssl ) + pie? ( !static ) + ssh1? ( ssl ) + static? ( !kerberos !pam ) + X509? ( !ldap !sctp ssl ) + test? ( ssl )" + +LIB_DEPEND=" + audit? ( sys-process/audit[static-libs(+)] ) + ldns? ( + net-libs/ldns[static-libs(+)] + !bindist? ( net-libs/ldns[ecdsa,ssl] ) + bindist? ( net-libs/ldns[-ecdsa,ssl] ) + ) + libedit? ( dev-libs/libedit:=[static-libs(+)] ) + sctp? ( net-misc/lksctp-tools[static-libs(+)] ) + selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) + skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] ) + ssl? ( + !libressl? ( + >=dev-libs/openssl-1.0.1:0=[bindist=] + dev-libs/openssl:0=[static-libs(+)] + ) + libressl? ( dev-libs/libressl:0=[static-libs(+)] ) + ) + >=sys-libs/zlib-1.2.3:=[static-libs(+)]" +RDEPEND=" + !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) + pam? ( virtual/pam ) + kerberos? ( virtual/krb5 ) + ldap? ( net-nds/openldap )" +DEPEND="${RDEPEND} + static? ( ${LIB_DEPEND} ) + virtual/pkgconfig + virtual/os-headers + sys-devel/autoconf" +RDEPEND="${RDEPEND} + pam? ( >=sys-auth/pambase-20081028 ) + userland_GNU? ( virtual/shadow ) + X? ( x11-apps/xauth )" + +S=${WORKDIR}/${PARCH} + +pkg_pretend() { + # this sucks, but i'd rather have people unable to `emerge -u openssh` + # than not be able to log in to their server any more + maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; } + local fail=" + $(use X509 && maybe_fail X509 X509_PATCH) + $(use ldap && maybe_fail ldap LDAP_PATCH) + $(use hpn && maybe_fail hpn HPN_PATCH) + " + fail=$(echo ${fail}) + if [[ -n ${fail} ]] ; then + eerror "Sorry, but this version does not yet support features" + eerror "that you requested: ${fail}" + eerror "Please mask ${PF} for now and check back later:" + eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" + die "booooo" + fi + + # Make sure people who are using tcp wrappers are notified of its removal. #531156 + if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then + ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" + ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please." + fi +} + +save_version() { + # version.h patch conflict avoidence + mv version.h version.h.$1 + cp -f version.h.pristine version.h +} + +src_prepare() { + sed -i \ + -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ + pathnames.h || die + # keep this as we need it to avoid the conflict between LPK and HPN changing + # this file. + cp version.h version.h.pristine + + # don't break .ssh/authorized_keys2 for fun + sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die + + if use X509 ; then + if use hpn ; then + pushd "${WORKDIR}"/${HPN_PATCH%.*.*} >/dev/null + epatch "${FILESDIR}"/${P}-hpn-x509-${X509_VER}-glue.patch + popd >/dev/null + fi + save_version X509 + epatch "${WORKDIR}"/${X509_PATCH%.*} + use libressl && epatch "${FILESDIR}"/${PN}-7.5p1-x509-libressl.patch + fi + + if use ldap ; then + epatch "${WORKDIR}"/${LDAP_PATCH%.*} + save_version LPK + fi + + epatch "${FILESDIR}"/${PN}-7.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex + epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch + epatch "${FILESDIR}"/${PN}-7.5_p1-cross-cache.patch + use X509 || epatch "${WORKDIR}"/${SCTP_PATCH%.*} + use X509 || epatch "${FILESDIR}"/${PN}-7.5_p1-x32-typo.patch + use abi_mips_n32 && epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch + + if use hpn ; then + EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \ + EPATCH_MULTI_MSG="Applying HPN patchset ..." \ + epatch "${WORKDIR}"/${HPN_PATCH%.*.*} + save_version HPN + fi + + tc-export PKG_CONFIG + local sed_args=( + -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" + # Disable PATH reset, trust what portage gives us #254615 + -e 's:^PATH=/:#PATH=/:' + # Disable fortify flags ... our gcc does this for us + -e 's:-D_FORTIFY_SOURCE=2::' + ) + # The -ftrapv flag ICEs on hppa #505182 + use hppa && sed_args+=( + -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' + -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' + ) + # _XOPEN_SOURCE causes header conflicts on Solaris + [[ ${CHOST} == *-solaris* ]] && sed_args+=( + -e 's/-D_XOPEN_SOURCE//' + ) + sed -i "${sed_args[@]}" configure{.ac,} || die + + epatch_user #473004 + + # Now we can build a sane merged version.h + ( + sed '/^#define SSH_RELEASE/d' version.h.* | sort -u + macros=() + for p in HPN LPK X509 ; do [[ -e version.h.${p} ]] && macros+=( SSH_${p} ) ; done + printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}" + ) > version.h + + eautoreconf +} + +src_configure() { + addwrite /dev/ptmx + + use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG + use static && append-ldflags -static + + local myconf=( + --with-ldflags="${LDFLAGS}" + --disable-strip + --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run + --sysconfdir="${EPREFIX}"/etc/ssh + --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc + --datadir="${EPREFIX}"/usr/share/openssh + --with-privsep-path="${EPREFIX}"/var/empty + --with-privsep-user=sshd + $(use_with audit audit linux) + $(use_with kerberos kerberos5 "${EPREFIX}"/usr) + # We apply the ldap patch conditionally, so can't pass --without-ldap + # unconditionally else we get unknown flag warnings. + $(use ldap && use_with ldap) + $(use_with ldns) + $(use_with libedit) + $(use_with pam) + $(use_with pie) + $(use X509 || use_with sctp) + $(use_with selinux) + $(use_with skey) + $(use_with ssh1) + $(use_with ssl openssl) + $(use_with ssl md5-passwords) + $(use_with ssl ssl-engine) + ) + + # The seccomp sandbox is broken on x32, so use the older method for now. #553748 + use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit ) + + econf "${myconf[@]}" +} + +src_install() { + emake install-nokeys DESTDIR="${D}" + fperms 600 /etc/ssh/sshd_config + dobin contrib/ssh-copy-id + newinitd "${FILESDIR}"/sshd.rc6.4 sshd + newconfd "${FILESDIR}"/sshd.confd sshd + + newpamd "${FILESDIR}"/sshd.pam_include.2 sshd + if use pam ; then + sed -i \ + -e "/^#UsePAM /s:.*:UsePAM yes:" \ + -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ + -e "/^#PrintMotd /s:.*:PrintMotd no:" \ + -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ + "${ED}"/etc/ssh/sshd_config || die + fi + + # Gentoo tweaks to default config files + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config + + # Allow client to pass locale environment variables #367017 + AcceptEnv LANG LC_* + EOF + cat <<-EOF >> "${ED}"/etc/ssh/ssh_config + + # Send locale environment variables #367017 + SendEnv LANG LC_* + EOF + + if use livecd ; then + sed -i \ + -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \ + "${ED}"/etc/ssh/sshd_config || die + fi + + if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then + insinto /etc/openldap/schema/ + newins openssh-lpk_openldap.schema openssh-lpk.schema + fi + + doman contrib/ssh-copy-id.1 + dodoc CREDITS OVERVIEW README* TODO sshd_config + use X509 || dodoc ChangeLog + + diropts -m 0700 + dodir /etc/skel/.ssh + + systemd_dounit "${FILESDIR}"/sshd.{service,socket} + systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' +} + +src_test() { + local t skipped=() failed=() passed=() + local tests=( interop-tests compat-tests ) + + local shell=$(egetshell "${UID}") + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then + elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" + elog "user, so we will run a subset only." + skipped+=( tests ) + else + tests+=( tests ) + fi + + # It will also attempt to write to the homedir .ssh. + local sshhome=${T}/homedir + mkdir -p "${sshhome}"/.ssh + for t in "${tests[@]}" ; do + # Some tests read from stdin ... + HOMEDIR="${sshhome}" HOME="${sshhome}" \ + emake -k -j1 ${t} </dev/null \ + && passed+=( "${t}" ) \ + || failed+=( "${t}" ) + done + + einfo "Passed tests: ${passed[*]}" + [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}" + [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}" +} + +pkg_preinst() { + enewgroup sshd 22 + enewuser sshd 22 -1 /var/empty sshd +} + +pkg_postinst() { + if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then + elog "Starting with openssh-5.8p1, the server will default to a newer key" + elog "algorithm (ECDSA). You are encouraged to manually update your stored" + elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." + fi + if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then + elog "Starting with openssh-6.9p1, ssh1 support is disabled by default." + fi + if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then + elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." + elog "Make sure to update any configs that you might have. Note that xinetd might" + elog "be an alternative for you as it supports USE=tcpd." + fi + if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518 + elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" + elog "weak sizes. If you rely on these key types, you can re-enable the key types by" + elog "adding to your sshd_config or ~/.ssh/config files:" + elog " PubkeyAcceptedKeyTypes=+ssh-dss" + elog "You should however generate new keys using rsa or ed25519." + + elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" + elog "to 'prohibit-password'. That means password auth for root users no longer works" + elog "out of the box. If you need this, please update your sshd_config explicitly." + fi + if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then + elog "Be aware that by disabling openssl support in openssh, the server and clients" + elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" + elog "and update all clients/servers that utilize them." + fi +} diff --git a/net-misc/openssh/openssh-7.5_p1-r2.ebuild b/net-misc/openssh/openssh-7.5_p1-r2.ebuild new file mode 100644 index 000000000000..c5d657ba7c11 --- /dev/null +++ b/net-misc/openssh/openssh-7.5_p1-r2.ebuild @@ -0,0 +1,331 @@ +# Copyright 1999-2017 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI="5" + +inherit eutils user flag-o-matic multilib autotools pam systemd versionator + +# Make it more portable between straight releases +# and _p? releases. +PARCH=${P/_} + +HPN_PATCH="${PARCH}-hpnssh14v12.tar.xz" +SCTP_PATCH="${PN}-7.4_p1-sctp.patch.xz" +LDAP_PATCH="${PN}-lpk-7.5p1-0.3.14.patch.xz" +X509_VER="10.2" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz" + +DESCRIPTION="Port of OpenBSD's free SSH release" +HOMEPAGE="http://www.openssh.org/" +SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz + ${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}} + ${HPN_PATCH:+hpn? ( mirror://gentoo/${HPN_PATCH} )} + ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )} + ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} + " + +LICENSE="BSD GPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +# Probably want to drop ssl defaulting to on in a future version. +IUSE="abi_mips_n32 audit bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509" +REQUIRED_USE="ldns? ( ssl ) + pie? ( !static ) + ssh1? ( ssl ) + static? ( !kerberos !pam ) + X509? ( !ldap !sctp ssl ) + test? ( ssl )" + +LIB_DEPEND=" + audit? ( sys-process/audit[static-libs(+)] ) + ldns? ( + net-libs/ldns[static-libs(+)] + !bindist? ( net-libs/ldns[ecdsa,ssl] ) + bindist? ( net-libs/ldns[-ecdsa,ssl] ) + ) + libedit? ( dev-libs/libedit:=[static-libs(+)] ) + sctp? ( net-misc/lksctp-tools[static-libs(+)] ) + selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) + skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] ) + ssl? ( + !libressl? ( + >=dev-libs/openssl-1.0.1:0=[bindist=] + dev-libs/openssl:0=[static-libs(+)] + ) + libressl? ( dev-libs/libressl:0=[static-libs(+)] ) + ) + >=sys-libs/zlib-1.2.3:=[static-libs(+)]" +RDEPEND=" + !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) + pam? ( virtual/pam ) + kerberos? ( virtual/krb5 ) + ldap? ( net-nds/openldap )" +DEPEND="${RDEPEND} + static? ( ${LIB_DEPEND} ) + virtual/pkgconfig + virtual/os-headers + sys-devel/autoconf" +RDEPEND="${RDEPEND} + pam? ( >=sys-auth/pambase-20081028 ) + userland_GNU? ( virtual/shadow ) + X? ( x11-apps/xauth )" + +S=${WORKDIR}/${PARCH} + +pkg_pretend() { + # this sucks, but i'd rather have people unable to `emerge -u openssh` + # than not be able to log in to their server any more + maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; } + local fail=" + $(use X509 && maybe_fail X509 X509_PATCH) + $(use ldap && maybe_fail ldap LDAP_PATCH) + $(use hpn && maybe_fail hpn HPN_PATCH) + " + fail=$(echo ${fail}) + if [[ -n ${fail} ]] ; then + eerror "Sorry, but this version does not yet support features" + eerror "that you requested: ${fail}" + eerror "Please mask ${PF} for now and check back later:" + eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" + die "booooo" + fi + + # Make sure people who are using tcp wrappers are notified of its removal. #531156 + if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then + ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" + ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please." + fi +} + +save_version() { + # version.h patch conflict avoidence + mv version.h version.h.$1 + cp -f version.h.pristine version.h +} + +src_prepare() { + sed -i \ + -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ + pathnames.h || die + # keep this as we need it to avoid the conflict between LPK and HPN changing + # this file. + cp version.h version.h.pristine + + # don't break .ssh/authorized_keys2 for fun + sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die + + if use X509 ; then + if use hpn ; then + pushd "${WORKDIR}"/${HPN_PATCH%.*.*} >/dev/null + epatch "${FILESDIR}"/${P}-hpn-x509-${X509_VER}-glue.patch + popd >/dev/null + fi + save_version X509 + epatch "${WORKDIR}"/${X509_PATCH%.*} + fi + + if use ldap ; then + epatch "${WORKDIR}"/${LDAP_PATCH%.*} + save_version LPK + fi + + epatch "${FILESDIR}"/${PN}-7.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex + epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch + epatch "${FILESDIR}"/${PN}-7.5_p1-cross-cache.patch + use X509 || epatch "${WORKDIR}"/${SCTP_PATCH%.*} + use X509 || epatch "${FILESDIR}"/${PN}-7.5_p1-x32-typo.patch + use abi_mips_n32 && epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch + + if use hpn ; then + EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \ + EPATCH_MULTI_MSG="Applying HPN patchset ..." \ + epatch "${WORKDIR}"/${HPN_PATCH%.*.*} + save_version HPN + fi + + tc-export PKG_CONFIG + local sed_args=( + -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" + # Disable PATH reset, trust what portage gives us #254615 + -e 's:^PATH=/:#PATH=/:' + # Disable fortify flags ... our gcc does this for us + -e 's:-D_FORTIFY_SOURCE=2::' + ) + # The -ftrapv flag ICEs on hppa #505182 + use hppa && sed_args+=( + -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' + -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' + ) + # _XOPEN_SOURCE causes header conflicts on Solaris + [[ ${CHOST} == *-solaris* ]] && sed_args+=( + -e 's/-D_XOPEN_SOURCE//' + ) + sed -i "${sed_args[@]}" configure{.ac,} || die + + epatch_user #473004 + + # Now we can build a sane merged version.h + ( + sed '/^#define SSH_RELEASE/d' version.h.* | sort -u + macros=() + for p in HPN LPK X509; do [[ -e version.h.${p} ]] && macros+=( SSH_${p} ) ; done + printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros[*]}" + ) > version.h + + eautoreconf +} + +src_configure() { + addwrite /dev/ptmx + + use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG + use static && append-ldflags -static + + local myconf=( + --with-ldflags="${LDFLAGS}" + --disable-strip + --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run + --sysconfdir="${EPREFIX}"/etc/ssh + --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc + --datadir="${EPREFIX}"/usr/share/openssh + --with-privsep-path="${EPREFIX}"/var/empty + --with-privsep-user=sshd + $(use_with audit audit linux) + $(use_with kerberos kerberos5 "${EPREFIX}"/usr) + # We apply the ldap patch conditionally, so can't pass --without-ldap + # unconditionally else we get unknown flag warnings. + $(use ldap && use_with ldap) + $(use_with ldns) + $(use_with libedit) + $(use_with pam) + $(use_with pie) + $(use X509 || use_with sctp) + $(use_with selinux) + $(use_with skey) + $(use_with ssh1) + $(use_with ssl openssl) + $(use_with ssl md5-passwords) + $(use_with ssl ssl-engine) + ) + + # The seccomp sandbox is broken on x32, so use the older method for now. #553748 + use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit ) + + econf "${myconf[@]}" +} + +src_install() { + emake install-nokeys DESTDIR="${D}" + fperms 600 /etc/ssh/sshd_config + dobin contrib/ssh-copy-id + newinitd "${FILESDIR}"/sshd.rc6.4 sshd + newconfd "${FILESDIR}"/sshd.confd sshd + + newpamd "${FILESDIR}"/sshd.pam_include.2 sshd + if use pam ; then + sed -i \ + -e "/^#UsePAM /s:.*:UsePAM yes:" \ + -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ + -e "/^#PrintMotd /s:.*:PrintMotd no:" \ + -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ + "${ED}"/etc/ssh/sshd_config || die + fi + + # Gentoo tweaks to default config files + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config + + # Allow client to pass locale environment variables #367017 + AcceptEnv LANG LC_* + EOF + cat <<-EOF >> "${ED}"/etc/ssh/ssh_config + + # Send locale environment variables #367017 + SendEnv LANG LC_* + EOF + + if use livecd ; then + sed -i \ + -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \ + "${ED}"/etc/ssh/sshd_config || die + fi + + if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then + insinto /etc/openldap/schema/ + newins openssh-lpk_openldap.schema openssh-lpk.schema + fi + + doman contrib/ssh-copy-id.1 + dodoc CREDITS OVERVIEW README* TODO sshd_config + use X509 || dodoc ChangeLog + + diropts -m 0700 + dodir /etc/skel/.ssh + + systemd_dounit "${FILESDIR}"/sshd.{service,socket} + systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' +} + +src_test() { + local t skipped=() failed=() passed=() + local tests=( interop-tests compat-tests ) + + local shell=$(egetshell "${UID}") + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then + elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" + elog "user, so we will run a subset only." + skipped+=( tests ) + else + tests+=( tests ) + fi + + # It will also attempt to write to the homedir .ssh. + local sshhome=${T}/homedir + mkdir -p "${sshhome}"/.ssh + for t in "${tests[@]}" ; do + # Some tests read from stdin ... + HOMEDIR="${sshhome}" HOME="${sshhome}" \ + emake -k -j1 ${t} </dev/null \ + && passed+=( "${t}" ) \ + || failed+=( "${t}" ) + done + + einfo "Passed tests: ${passed[*]}" + [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}" + [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}" +} + +pkg_preinst() { + enewgroup sshd 22 + enewuser sshd 22 -1 /var/empty sshd +} + +pkg_postinst() { + if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then + elog "Starting with openssh-5.8p1, the server will default to a newer key" + elog "algorithm (ECDSA). You are encouraged to manually update your stored" + elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." + fi + if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then + elog "Starting with openssh-6.9p1, ssh1 support is disabled by default." + fi + if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then + elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." + elog "Make sure to update any configs that you might have. Note that xinetd might" + elog "be an alternative for you as it supports USE=tcpd." + fi + if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518 + elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" + elog "weak sizes. If you rely on these key types, you can re-enable the key types by" + elog "adding to your sshd_config or ~/.ssh/config files:" + elog " PubkeyAcceptedKeyTypes=+ssh-dss" + elog "You should however generate new keys using rsa or ed25519." + + elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" + elog "to 'prohibit-password'. That means password auth for root users no longer works" + elog "out of the box. If you need this, please update your sshd_config explicitly." + fi + if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then + elog "Be aware that by disabling openssl support in openssh, the server and clients" + elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" + elog "and update all clients/servers that utilize them." + fi +} diff --git a/net-misc/openssh/openssh-7.5_p1.ebuild b/net-misc/openssh/openssh-7.5_p1.ebuild new file mode 100644 index 000000000000..220b1ad28983 --- /dev/null +++ b/net-misc/openssh/openssh-7.5_p1.ebuild @@ -0,0 +1,326 @@ +# Copyright 1999-2017 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI="5" + +inherit eutils user flag-o-matic multilib autotools pam systemd versionator + +# Make it more portable between straight releases +# and _p? releases. +PARCH=${P/_} + +HPN_PATCH="${PARCH}-hpnssh14v12.tar.xz" +SCTP_PATCH="${PN}-7.4_p1-sctp.patch.xz" +LDAP_PATCH="${PN}-lpk-7.5p1-0.3.14.patch.xz" +#X509_VER="9.3" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz" + +DESCRIPTION="Port of OpenBSD's free SSH release" +HOMEPAGE="http://www.openssh.org/" +SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz + ${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}} + ${HPN_PATCH:+hpn? ( mirror://gentoo/${HPN_PATCH} )} + ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )} + ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} + " + +LICENSE="BSD GPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +# Probably want to drop ssl defaulting to on in a future version. +IUSE="abi_mips_n32 audit bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509" +REQUIRED_USE="ldns? ( ssl ) + pie? ( !static ) + ssh1? ( ssl ) + static? ( !kerberos !pam ) + X509? ( !hpn !ldap !sctp ssl ) + test? ( ssl )" + +LIB_DEPEND=" + audit? ( sys-process/audit[static-libs(+)] ) + ldns? ( + net-libs/ldns[static-libs(+)] + !bindist? ( net-libs/ldns[ecdsa,ssl] ) + bindist? ( net-libs/ldns[-ecdsa,ssl] ) + ) + libedit? ( dev-libs/libedit:=[static-libs(+)] ) + sctp? ( net-misc/lksctp-tools[static-libs(+)] ) + selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) + skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] ) + ssl? ( + !libressl? ( + >=dev-libs/openssl-1.0.1:0=[bindist=] + dev-libs/openssl:0=[static-libs(+)] + ) + libressl? ( dev-libs/libressl:0=[static-libs(+)] ) + ) + >=sys-libs/zlib-1.2.3:=[static-libs(+)]" +RDEPEND=" + !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) + pam? ( virtual/pam ) + kerberos? ( virtual/krb5 ) + ldap? ( net-nds/openldap )" +DEPEND="${RDEPEND} + static? ( ${LIB_DEPEND} ) + virtual/pkgconfig + virtual/os-headers + sys-devel/autoconf" +RDEPEND="${RDEPEND} + pam? ( >=sys-auth/pambase-20081028 ) + userland_GNU? ( virtual/shadow ) + X? ( x11-apps/xauth )" + +S=${WORKDIR}/${PARCH} + +pkg_pretend() { + # this sucks, but i'd rather have people unable to `emerge -u openssh` + # than not be able to log in to their server any more + maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; } + local fail=" + $(use X509 && maybe_fail X509 X509_PATCH) + $(use ldap && maybe_fail ldap LDAP_PATCH) + $(use hpn && maybe_fail hpn HPN_PATCH) + " + fail=$(echo ${fail}) + if [[ -n ${fail} ]] ; then + eerror "Sorry, but this version does not yet support features" + eerror "that you requested: ${fail}" + eerror "Please mask ${PF} for now and check back later:" + eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" + die "booooo" + fi + + # Make sure people who are using tcp wrappers are notified of its removal. #531156 + if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then + ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" + ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please." + fi +} + +save_version() { + # version.h patch conflict avoidence + mv version.h version.h.$1 + cp -f version.h.pristine version.h +} + +src_prepare() { + sed -i \ + -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ + pathnames.h || die + # keep this as we need it to avoid the conflict between LPK and HPN changing + # this file. + cp version.h version.h.pristine + + # don't break .ssh/authorized_keys2 for fun + sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die + + if use X509 ; then + epatch "${WORKDIR}"/${X509_PATCH%.*} + # We no longer allow X509 to be used with anything else. + #save_version X509 + fi + + if use ldap ; then + epatch "${WORKDIR}"/${LDAP_PATCH%.*} + save_version LPK + fi + + epatch "${FILESDIR}"/${PN}-7.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex + epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch + use X509 || epatch "${WORKDIR}"/${SCTP_PATCH%.*} + epatch "${FILESDIR}"/${PN}-7.5_p1-x32-typo.patch + use abi_mips_n32 && epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch + + if use hpn ; then + EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \ + EPATCH_MULTI_MSG="Applying HPN patchset ..." \ + epatch "${WORKDIR}"/${HPN_PATCH%.*.*} + save_version HPN + fi + + tc-export PKG_CONFIG + local sed_args=( + -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" + # Disable PATH reset, trust what portage gives us #254615 + -e 's:^PATH=/:#PATH=/:' + # Disable fortify flags ... our gcc does this for us + -e 's:-D_FORTIFY_SOURCE=2::' + ) + # The -ftrapv flag ICEs on hppa #505182 + use hppa && sed_args+=( + -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' + -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' + ) + # _XOPEN_SOURCE causes header conflicts on Solaris + [[ ${CHOST} == *-solaris* ]] && sed_args+=( + -e 's/-D_XOPEN_SOURCE//' + ) + sed -i "${sed_args[@]}" configure{.ac,} || die + + epatch_user #473004 + + # Now we can build a sane merged version.h + ( + sed '/^#define SSH_RELEASE/d' version.h.* | sort -u + macros=() + for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done + printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}" + ) > version.h + + eautoreconf +} + +src_configure() { + addwrite /dev/ptmx + + use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG + use static && append-ldflags -static + + local myconf=( + --with-ldflags="${LDFLAGS}" + --disable-strip + --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run + --sysconfdir="${EPREFIX}"/etc/ssh + --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc + --datadir="${EPREFIX}"/usr/share/openssh + --with-privsep-path="${EPREFIX}"/var/empty + --with-privsep-user=sshd + $(use_with audit audit linux) + $(use_with kerberos kerberos5 "${EPREFIX}"/usr) + # We apply the ldap patch conditionally, so can't pass --without-ldap + # unconditionally else we get unknown flag warnings. + $(use ldap && use_with ldap) + $(use_with ldns) + $(use_with libedit) + $(use_with pam) + $(use_with pie) + $(use X509 || use_with sctp) + $(use_with selinux) + $(use_with skey) + $(use_with ssh1) + $(use_with ssl openssl) + $(use_with ssl md5-passwords) + $(use_with ssl ssl-engine) + ) + + # The seccomp sandbox is broken on x32, so use the older method for now. #553748 + use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit ) + + econf "${myconf[@]}" +} + +src_install() { + emake install-nokeys DESTDIR="${D}" + fperms 600 /etc/ssh/sshd_config + dobin contrib/ssh-copy-id + newinitd "${FILESDIR}"/sshd.rc6.4 sshd + newconfd "${FILESDIR}"/sshd.confd sshd + + newpamd "${FILESDIR}"/sshd.pam_include.2 sshd + if use pam ; then + sed -i \ + -e "/^#UsePAM /s:.*:UsePAM yes:" \ + -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ + -e "/^#PrintMotd /s:.*:PrintMotd no:" \ + -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ + "${ED}"/etc/ssh/sshd_config || die + fi + + # Gentoo tweaks to default config files + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config + + # Allow client to pass locale environment variables #367017 + AcceptEnv LANG LC_* + EOF + cat <<-EOF >> "${ED}"/etc/ssh/ssh_config + + # Send locale environment variables #367017 + SendEnv LANG LC_* + EOF + + if use livecd ; then + sed -i \ + -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \ + "${ED}"/etc/ssh/sshd_config || die + fi + + if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then + insinto /etc/openldap/schema/ + newins openssh-lpk_openldap.schema openssh-lpk.schema + fi + + doman contrib/ssh-copy-id.1 + dodoc CREDITS OVERVIEW README* TODO sshd_config + use X509 || dodoc ChangeLog + + diropts -m 0700 + dodir /etc/skel/.ssh + + systemd_dounit "${FILESDIR}"/sshd.{service,socket} + systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' +} + +src_test() { + local t skipped=() failed=() passed=() + local tests=( interop-tests compat-tests ) + + local shell=$(egetshell "${UID}") + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then + elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" + elog "user, so we will run a subset only." + skipped+=( tests ) + else + tests+=( tests ) + fi + + # It will also attempt to write to the homedir .ssh. + local sshhome=${T}/homedir + mkdir -p "${sshhome}"/.ssh + for t in "${tests[@]}" ; do + # Some tests read from stdin ... + HOMEDIR="${sshhome}" HOME="${sshhome}" \ + emake -k -j1 ${t} </dev/null \ + && passed+=( "${t}" ) \ + || failed+=( "${t}" ) + done + + einfo "Passed tests: ${passed[*]}" + [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}" + [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}" +} + +pkg_preinst() { + enewgroup sshd 22 + enewuser sshd 22 -1 /var/empty sshd +} + +pkg_postinst() { + if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then + elog "Starting with openssh-5.8p1, the server will default to a newer key" + elog "algorithm (ECDSA). You are encouraged to manually update your stored" + elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." + fi + if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then + elog "Starting with openssh-6.9p1, ssh1 support is disabled by default." + fi + if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then + elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." + elog "Make sure to update any configs that you might have. Note that xinetd might" + elog "be an alternative for you as it supports USE=tcpd." + fi + if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518 + elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" + elog "weak sizes. If you rely on these key types, you can re-enable the key types by" + elog "adding to your sshd_config or ~/.ssh/config files:" + elog " PubkeyAcceptedKeyTypes=+ssh-dss" + elog "You should however generate new keys using rsa or ed25519." + + elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" + elog "to 'prohibit-password'. That means password auth for root users no longer works" + elog "out of the box. If you need this, please update your sshd_config explicitly." + fi + if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then + elog "Be aware that by disabling openssl support in openssh, the server and clients" + elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" + elog "and update all clients/servers that utilize them." + fi +} |