diff options
| author | V3n3RiX <venerix@koprulu.sector> | 2022-05-12 16:42:50 +0300 |
|---|---|---|
| committer | V3n3RiX <venerix@koprulu.sector> | 2022-05-12 16:42:50 +0300 |
| commit | 752d6256e5204b958b0ef7905675a940b5e9172f (patch) | |
| tree | 330d16e6362a49cbed8875a777fe641a43376cd3 /net-misc/openssh | |
| parent | 0c100b7dd2b30e75b799d806df4ef899fd98e1ea (diff) | |
gentoo resync : 12.05.2022
Diffstat (limited to 'net-misc/openssh')
| -rw-r--r-- | net-misc/openssh/Manifest | 12 | ||||
| -rw-r--r-- | net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch | 447 | ||||
| -rw-r--r-- | net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch | 198 | ||||
| -rw-r--r-- | net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch | 63 | ||||
| -rw-r--r-- | net-misc/openssh/openssh-8.8_p1-r4.ebuild | 491 | ||||
| -rw-r--r-- | net-misc/openssh/openssh-8.9_p1-r2.ebuild | 5 | ||||
| -rw-r--r-- | net-misc/openssh/openssh-9.0_p1.ebuild | 5 |
7 files changed, 4 insertions, 1217 deletions
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest index 685d0fe1c448..b0b04a66e42b 100644 --- a/net-misc/openssh/Manifest +++ b/net-misc/openssh/Manifest @@ -6,9 +6,6 @@ AUX openssh-8.0_p1-fix-putty-tests.patch 1760 BLAKE2B a1127e8f2275c1e23c956b5041 AUX openssh-8.5_p1-hpn-15.2-sctp-glue.patch 727 BLAKE2B fafb6bc3ec680327abf01a7a2f673d4be601094d518d74f5afd0c596c1d60ddfc6f31add6b5533f85bc09cf2122b9e3f7243d5d26a2d6923c88c2f6a811ea2b8 SHA512 eda1c1613e94a7b10df9cc08c87ed8a39edb3f8a160600a74780877772bbd76cc9842d5d5d68ed6a9554e1e310675a1e461d894144d514b8e482d4a1affbc9bd AUX openssh-8.6_p1-hpn-version.patch 556 BLAKE2B 26ef960db46c82ee62e6a6f1be15c2897855caa6cbd05db87d3e606ce42d03fb6e88916f0c6644f67dc008ca802617d0f63e5e8e35d1a6c6076188ba19009186 SHA512 c13d14dc496863bd6bbbf08940322a60e74fa1cc2171f81132dfd874b9371ee0edd77f75ffd606f874fa2de498b174be91da5c641029abff2d2a8503c2f0fc02 AUX openssh-8.7_p1-GSSAPI-dns.patch 11576 BLAKE2B 84aa0128ddeccf67e14c20f9d2acb61226c5091a3e3106285c79db4a297dbd781eddf7a6d4cb3b1a5a5dcbbcd158d32dbca5986b6fbf15f62cd3928cf125b083 SHA512 794b06c6ee6acd1bcd861753970cfc4d04f42499d48ff4119746dbcab8643f75761fddb9f52f49fe01e356740eb3882671ac3ae209e0e45745d195a219ffe5dd -AUX openssh-8.7_p1-hpn-15.2-X509-glue.patch 16283 BLAKE2B 7181c63f43398bda89f663c6de4a688e302d382519b0030ece980777d110ec56077dc6e5ca357f67c8a7a932f2df850ddc4ff7db1ea91c59d136767857c8b24e SHA512 525b68bcd9c891ab6be104d30cf4b9cc9214c257bc41a7e9c306dcfe3fb12109f7422118d9fad58698fe9a6d501b27309e675c857d00c04c46acff27eec60154 -AUX openssh-8.7_p1-hpn-15.2-glue.patch 7354 BLAKE2B 1b5afc662d39db3ab137b2a389b3a5cebf55e0c6741c12ade4977d8d5d8cb4f4cf2d8e8978150808c6570cba7b8080ace971d20913df9a740c1e03adc7134726 SHA512 ea57ea2c6138a275bce8cb7d62ea8771bf51db4d8dca4ea33f46539b33ab5a17c7c1749fa7b10c90e167846fd087f4084dcf5604017ad5c2821c2c74793ca9c2 -AUX openssh-8.8_p1-X509-glue-13.2.3.patch 2238 BLAKE2B a97643157ecf7b808ae9ee76e00cc58c4515bf5a1e2ff863124dd8b8941f390a90e2b52aa7444898782fc062ccef47983e127efaea7acf225d260479da88f12f SHA512 205c499d03f3bc2c767d406021f5f413eeae06ef5593aa11b24ccce75ebe9e90aacce4f53b120f6330326151c8f11ca43e10fe969f7ed832ef3a604f451f129f AUX openssh-8.9_p1-X509-glue-13.3.1.patch 4141 BLAKE2B aa875e0de69cdb4935b6053415833b1a0d5858f7f63084e5106dd491060a7a56c208a43a97e663289b3b832cef2d208325e573d161792d35ca4bd6a45fa8f1fa SHA512 90342932f8d191640285afc3ba82456b463640b7f30ba8193f5db023e5fcd4969fb7e57ed3637b0ea6088f4a985b85d563a17b4f0e71a1827cd3ee045e2d392a AUX openssh-8.9_p1-allow-ppoll_time64.patch 396 BLAKE2B b5bb202f79699d9037f12155044328f89ee0573efa43da7cdf8511555e706b6bf66cae069ac95cca900779c6ce293eedec48450f786fd033375e9be17bfb2872 SHA512 9b88024e6a898fc85205fbc038274a3271f787276962150965ab8f599fa355ee73cb48e7e12e3f090034293f9dca94a1ce41dfce2aaeb140693545ff3bc391f0 AUX openssh-8.9_p1-fzero-call-used-regs.patch 1182 BLAKE2B 45dda480614fd3de6aa6752d3c2f5bb34e8ef1d5576fe75878e349ca56ef451f981dc8e22ce8dd232d6a870cb3c221d8e07bccc45e3f38e43008d48941fafbe4 SHA512 0fb1ae4c4e5d44fa7d6ad301c0c36d4291611a3a34150d2a89499cd486a61b6ce0774be7387e2cd3385aa4b2be9d9b6e9dda7d3783fe1bbf7bfb36067aa973c6 @@ -22,10 +19,6 @@ AUX sshd.pam_include.2 156 BLAKE2B 91ebefbb1264fe3fe98df0a72ac22a4cd8a787b3b391a AUX sshd.service 259 BLAKE2B e65ea7227658295584c3fdee3bf46f098c1c5a53a0b433e88ae8d43f0823fade25846a5f3abbacf939a13af8195a888d0ffb937e8da943478e76eea7c0e13c82 SHA512 9656ae4c045ba47ad28f983e50d1119d51c1d0a7471fe8e792d6f734a71c8d4d900431b591f2f40bb8af3a382e6215933ae32eff56de6da0f2f166d6fb855987 AUX sshd.socket 136 BLAKE2B 22e218c831fc384a3151ef97c391253738fa9002e20cf4628c6fe3d52d4b0ac3b957da58f816950669d0a6f8f2786251c6dfc31bbb863f837a3f52631341dc2e SHA512 4d31d373b7bdae917dc0cf05418c71d4743e98e354aefcf055f88f55c9c644a5a0e0e605dbb8372c1b98d17c0ea1c8c0fee27d38ab8dbe23c7e420a6a78c6d42 AUX sshd_at.service 177 BLAKE2B 0e78184f58cb4c68fb834953fac3ce01f9e39e9eb1a84c03f720205f5b611365c9a48fba445962c06c7e18bdb310cdb9ffe4fc49e95f69608922d224b00c890b SHA512 423120ea2e1ac0b92575ce4eb05347483f902238dc104848e74088f49483c37d30c27364e7fe8599b3e85562159c69284ecf25a4c5394b4cfa18c5c77c6beacd -DIST openssh-8.8p1+x509-13.2.3.diff.gz 1071138 BLAKE2B dfbe53ccfdfe0a3da9bac927c5bb0ccfeb20f1ba69cef2ffb52999e6f6b0a3282e28a888aab40096fe9eed819f4c9b27592a8771d786580b8fa4f507f6b02557 SHA512 e55e9cdcde1b02b2799600083db8c3b85d207b251b99b4efabe8614bedf1daae28e5ed10cbe1f6a2e5ba766fe1eaf41be9e90fefdaae1352808c504fc0f4e7e6 -DIST openssh-8.8p1-sctp-1.2.patch.xz 6744 BLAKE2B 9f99e0abfbfbda2cc1c7c2a465d044c900da862e5a38f01260f388ac089b2e66c5ea7664d71d18b924552ae177e5893cdcbfbccc20eeb3aaeae00b3d552379e3 SHA512 5290c5ef08a418dcc9260812d8e75ce266e22e2258514f11da6fb178e0ae2ef16046523f72a50f74ae7b98e7eb52d16143befc8ce2919041382d314aa05adda0 -DIST openssh-8.8p1.tar.gz 1815060 BLAKE2B 3a054ce19781aceca5ab1a0839d7435d88aff4481e8c74b91ffd2046dc8b6f03d6bf584ecda066c0496acf43cea9ab4085f26a29e34e20736e752f204b8c76c3 SHA512 d44cd04445f9c8963513b0d5a7e8348985114ff2471e119a6e344498719ef40f09c61c354888a3be9dabcb5870e5cbe5d3aafbb861dfa1d82a4952f3d233a8df -DIST openssh-8.8p1.tar.gz.asc 833 BLAKE2B ffe78af226b9c8395e60ca54bcb626cc933ee069f9f0f17f408ca1493cb346aa3fb878efeaccc646f8fa7bf1c40d6d61a81e37342ccf56ae601403bf9d59f4d6 SHA512 165e025305902f884d04d4444fa3143e4ea1a25a1c65aafe05e113537b3d3e50f7cd5f818bc2ca3404699372ca78f69c46b7452faf2d3998c448a5b80a411ae4 DIST openssh-8.9p1+x509-13.3.1.diff.gz 1113333 BLAKE2B 01fc34ed5c5c64a97db99f8f5a98f5917519474b4c22a2372f76a9c36d5dfc4efe1d03fcc43ed3d1602177f7e674a58676b9d04444d7bb66bc1c096136fd2ed0 SHA512 4fea3cf0dd0f6e0b9e28c16fb88f2a125c3ec7f86111d33e040664ab4976e697b137ffe80d02c979e2eb55a5c004f597299cfec22e730b80279665de61cb1f13 DIST openssh-8.9p1-sctp-1.2.patch.xz 6752 BLAKE2B 8f87a4e604ce412f45432ae29b6ccb5a10f6bd6ddc3c688b85d75c2126387dc5d4ed2b2396691db016cc0dee3e71a557611bcf34066dee075d62c9e69e887f14 SHA512 88a36e2d87bb8b6136885094729d001953e15799e06885ff1c489300458b6e412520f7a78c48dfd24df46e58f2561051212d7948f8af63082edcb85c33b4d32b DIST openssh-8.9p1.tar.gz 1820282 BLAKE2B 02934da7f7a2954141888e63e81e38fad4fb8558ddd1032de44f69684802c62771fdd7e9e470e0715059635999c8f9d2ab95f6351217e236573ead83a867f59b SHA512 04bd38ea6fe4be31acc8c4e83de7d3dda66fb7207be2e4ba25d3b8118d13d098a283769da9e8ce1fc4fba7edf739c14efcc6c9137132919261a7f882314b0f6b @@ -37,7 +30,6 @@ DIST openssh-9.0p1+x509-13.3.2.diff.gz 1128591 BLAKE2B fb560e2f1803ceb946a1ba8bd DIST openssh-9.0p1-sctp-1.2.patch.xz 6768 BLAKE2B 8a18aea57b0b3f8f0a641870f0cd1570c6cc48d1e28ef7261344918905e94a548d3a3acb6feb1c6ef13f0c6cacf2b845163cad2b96ab20cb9fc58a49aeb699c1 SHA512 d6aa5f32464d5f3e2e63e9ba82108f33bdaa890e2adf2ccc47ce0d672979fc67510d9dd7561b17eaba0c2f11a8eb565029b0ebff3b2d050e9e04e6143aedb8a3 DIST openssh-9.0p1.tar.gz 1822183 BLAKE2B 49724a400951964d659d136908657940f79e150056728cc4dadf8ff8652a832f7fd46eebb47b15085e57fca4b00c77d1ec4dd1b056ea2bbcee89f54a121ed5e2 SHA512 613ae95317e734868c6a60d9cc5af47a889baa3124bbdd2b31bb51dd6b57b136f4cfcb5604cca78a03bd500baab9b9b45eaf77e038b1ed776c86dce0437449a9 DIST openssh-9.0p1.tar.gz.asc 833 BLAKE2B e29ff08f10feee7347c02a7ce4b33b8d9c71a26656f0430a2511c25bc6b5006f1683d845826a68ff4eed068b30c911e273cb34e5b4880854d55a776415474019 SHA512 7b1445764058435d2fa8a9c7553643983650d4232036c088e46e44beeb538d32cba88f775b1be9da5f21a01d6caea59b3dc4714507781e9cb946546fa54f169f -EBUILD openssh-8.8_p1-r4.ebuild 17055 BLAKE2B cee54e3781c78b8f8e150d819473c3140ee07161b3bce92ba5dbe7cbf6e81d69fa3c4cf8ceba0c8d0d2f7a1c295482a3072bb8758bb3225cf011bbb74622cf06 SHA512 65f31daf43c96d56a46c6f3238471dafffe7aab2f0811c72113feda8b670100d024e6426587e3f35cc630f72e5d6ff141ee6a13b795643d2edc484472048b125 -EBUILD openssh-8.9_p1-r2.ebuild 17240 BLAKE2B fdfb71a829a3983efaa528240ced37a7cfe4843e1f6d8c02bd6c991455ef32f7ec4bc592f157d778d1cf8944e42387fb85de251e22f32b790021a663e1630afd SHA512 1fe0d20d824716cade9075266508eaf94d9e28de9a72dc51f62841dc0a052adf8933384a6eb8d577a31e79ba3fe8db5ac0de4fd8e9afc8f422e5ba4c1eac5799 -EBUILD openssh-9.0_p1.ebuild 17019 BLAKE2B 31e456333420152aca08da03b0cc0ac14c03c2771ea147c92a0e35f9777deaecd067aa16764b39ed76d2979a7ce5be9cc534be5f8f482d870cbb41632488500b SHA512 4e9f851633462a621e437c8c187f06850cd10340009093905218768c3d82ea67f606f3beb205f4d6ae454198f0ff9901f00794a28aaad77ae8c6a39f994da173 +EBUILD openssh-8.9_p1-r2.ebuild 17076 BLAKE2B d43c27180c5ea6242d3942c375da7714c915c8a7c7b50b80a963c48db6bbb100e7f7d892bcf031b62527fffc570e44ee527bc24e22e4e3611b68909ec4b24111 SHA512 88a6668e89bec99acb58890b19c744b2e194e7c7f30cdfcf8907f7ee0d8f63c986647fac1ee09394437597d27dee9392d25912b5b0470d9a31ff8e76d6f15f8b +EBUILD openssh-9.0_p1.ebuild 16870 BLAKE2B 143e4901b4dabbb1aaa7c83ecaf98618f356636f6eca747ff2ad939d9237f8dcd8b56835216fa712878f5c8efaa4ca33346f963473e4381954358e3c8870d5b0 SHA512 fa6433bc13fc8c78a42eb73c62bd4b16bf5e95bbd5d10d7dfa1a888d3fb807def36eca98491b60da03f31795014593b62f06cdfd1fce8f8b034fe9cd15da2aad MISC metadata.xml 2013 BLAKE2B 5d452c9b16516ff3a7e01ae7a6f95102bec19b3f0df1aa4607558b012718e14e72e24fa09c1bd3ea6bc48506a7fc55180a9e4735809381bf4535569de59b1409 SHA512 5b56870f1e203f339b57792fca7ddcdf488be2f010c0a23e0b811825e0d8f2f5823c2f4ae8a2ec05b27ffd663fac4f8029a3b2bede9fa1beac067f5b5a57d6bd diff --git a/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch b/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch deleted file mode 100644 index 49c05917779a..000000000000 --- a/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch +++ /dev/null @@ -1,447 +0,0 @@ -diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff ---- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-31 11:12:46.412119817 -0700 -+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-31 11:26:11.116026151 -0700 -@@ -3,9 +3,9 @@ - --- a/Makefile.in - +++ b/Makefile.in - @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@ -- CFLAGS_NOPIE=@CFLAGS_NOPIE@ -- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ -- PICFLAG=@PICFLAG@ -+ LD=@LD@ -+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA) -+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ - -LIBS=@LIBS@ - +LIBS=@LIBS@ -lpthread - K5LIBS=@K5LIBS@ -@@ -803,8 +803,8 @@ - ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out) - { - struct session_state *state; --- const struct sshcipher *none = cipher_by_name("none"); --+ struct sshcipher *none = cipher_by_name("none"); -+- const struct sshcipher *none = cipher_none(); -++ struct sshcipher *none = cipher_none(); - int r; - - if (none == NULL) { -@@ -894,24 +894,24 @@ - intptr = &options->compression; - multistate_ptr = multistate_compression; - @@ -2272,6 +2278,7 @@ initialize_options(Options * options) -- options->revoked_host_keys = NULL; - options->fingerprint_hash = -1; - options->update_hostkeys = -1; -+ options->known_hosts_command = NULL; - + options->disable_multithreaded = -1; -- options->hostbased_accepted_algos = NULL; -- options->pubkey_accepted_algos = NULL; -- options->known_hosts_command = NULL; -+ } -+ -+ /* - @@ -2467,6 +2474,10 @@ fill_default_options(Options * options) -+ options->update_hostkeys = 0; - if (options->sk_provider == NULL) - options->sk_provider = xstrdup("$SSH_SK_PROVIDER"); -- #endif - + if (options->update_hostkeys == -1) - + options->update_hostkeys = 0; - + if (options->disable_multithreaded == -1) - + options->disable_multithreaded = 0; - -- /* Expand KEX name lists */ -- all_cipher = cipher_alg_list(',', 0); -+ /* expand KEX and etc. name lists */ -+ { char *all; - diff --git a/readconf.h b/readconf.h - index 2fba866e..7f8f0227 100644 - --- a/readconf.h -@@ -950,9 +950,9 @@ - /* Portable-specific options */ - sUsePAM, - + sDisableMTAES, -- /* Standard Options */ -- sPort, sHostKeyFile, sLoginGraceTime, -- sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, -+ /* X.509 Standard Options */ -+ sHostbasedAlgorithms, -+ sPubkeyAlgorithms, - @@ -662,6 +666,7 @@ static struct { - { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, - { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, -diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff ---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-31 11:12:46.412119817 -0700 -+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-31 14:17:59.366248683 -0700 -@@ -157,6 +157,36 @@ - + Allan Jude provided the code for the NoneMac and buffer normalization. - + This work was financed, in part, by Cisco System, Inc., the National - + Library of Medicine, and the National Science Foundation. -+diff --git a/auth2.c b/auth2.c -+--- a/auth2.c 2021-03-15 19:30:45.404060786 -0700 -++++ b/auth2.c 2021-03-15 19:37:22.078476597 -0700 -+@@ -229,16 +229,17 @@ -+ double delay; -+ -+ digest_alg = ssh_digest_maxbytes(); -+- len = ssh_digest_bytes(digest_alg); -+- hash = xmalloc(len); -++ if (len = ssh_digest_bytes(digest_alg) > 0) { -++ hash = xmalloc(len); -+ -+- (void)snprintf(b, sizeof b, "%llu%s", -+- (unsigned long long)options.timing_secret, user); -+- if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0) -+- fatal_f("ssh_digest_memory"); -+- /* 0-4.2 ms of delay */ -+- delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000; -+- freezero(hash, len); -++ (void)snprintf(b, sizeof b, "%llu%s", -++ (unsigned long long)options.timing_secret, user); -++ if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0) -++ fatal_f("ssh_digest_memory"); -++ /* 0-4.2 ms of delay */ -++ delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000; -++ freezero(hash, len); -++ } -+ debug3_f("user specific delay %0.3lfms", delay/1000); -+ return MIN_FAIL_DELAY_SECONDS + delay; -+ } - diff --git a/channels.c b/channels.c - index b60d56c4..0e363c15 100644 - --- a/channels.c -@@ -209,14 +239,14 @@ - static void - channel_pre_open(struct ssh *ssh, Channel *c, - fd_set *readset, fd_set *writeset) --@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c) -+@@ -2164,21 +2191,31 @@ channel_check_window(struct ssh *ssh, Channel *c) - - if (c->type == SSH_CHANNEL_OPEN && - !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) && - - ((c->local_window_max - c->local_window > - - c->local_maxpacket*3) || --+ ((ssh_packet_is_interactive(ssh) && --+ c->local_window_max - c->local_window > c->local_maxpacket*3) || -++ ((ssh_packet_is_interactive(ssh) && -++ c->local_window_max - c->local_window > c->local_maxpacket*3) || - c->local_window < c->local_window_max/2) && - c->local_consumed > 0) { - + u_int addition = 0; -@@ -235,9 +265,8 @@ - (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || - - (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 || - + (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 || -- (r = sshpkt_send(ssh)) != 0) { -- fatal_fr(r, "channel %i", c->self); -- } -+ (r = sshpkt_send(ssh)) != 0) -+ fatal_fr(r, "channel %d", c->self); - - debug2("channel %d: window %d sent adjust %d", c->self, - - c->local_window, c->local_consumed); - - c->local_window += c->local_consumed; -@@ -337,70 +366,92 @@ - index 70f492f8..5503af1d 100644 - --- a/clientloop.c - +++ b/clientloop.c --@@ -1578,9 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan) -+@@ -1578,10 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan) - sock = x11_connect_display(ssh); - if (sock < 0) - return NULL; - - c = channel_new(ssh, "x11", - - SSH_CHANNEL_X11_OPEN, sock, sock, -1, --- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); --+ c = channel_new(ssh, "x11", --+ SSH_CHANNEL_X11_OPEN, sock, sock, -1, --+ /* again is this really necessary for X11? */ --+ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size, --+ CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); -+- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", -+- CHANNEL_NONBLOCK_SET); -++ c = channel_new(ssh, "x11", -++ SSH_CHANNEL_X11_OPEN, sock, sock, -1, -++ /* again is this really necessary for X11? */ -++ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size, -++ CHAN_X11_PACKET_DEFAULT, 0, "x11", CHANNEL_NONBLOCK_SET); - c->force_drain = 1; - return c; - } --@@ -1608,9 +1610,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan) -+@@ -1608,9 +1609,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan) - return NULL; - } - c = channel_new(ssh, "authentication agent connection", - - SSH_CHANNEL_OPEN, sock, sock, -1, - - CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, --- "authentication agent connection", 1); --+ SSH_CHANNEL_OPEN, sock, sock, -1, --+ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size, --+ CHAN_TCP_PACKET_DEFAULT, 0, --+ "authentication agent connection", 1); -+- "authentication agent connection", CHANNEL_NONBLOCK_SET); -++ SSH_CHANNEL_OPEN, sock, sock, -1, -++ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size, -++ CHAN_TCP_PACKET_DEFAULT, 0, -++ "authentication agent connection", CHANNEL_NONBLOCK_SET); - c->force_drain = 1; - return c; - } --@@ -1635,10 +1638,13 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode, -+@@ -1635,9 +1637,9 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode, - } - debug("Tunnel forwarding using interface %s", ifname); - - - c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1, --- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); --+ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1, -+- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", -+- CHANNEL_NONBLOCK_SET); -++ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1, - + options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size, --+ CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); -++ CHAN_TCP_PACKET_DEFAULT, 0, "tun", CHANNEL_NONBLOCK_SET); - c->datagram = 1; - --+ --+ - #if defined(SSH_TUN_FILTER) -- if (options.tun_open == SSH_TUNMODE_POINTOPOINT) -- channel_register_filter(ssh, c->self, sys_tun_infilter, - diff --git a/compat.c b/compat.c - index 69befa96..90b5f338 100644 - --- a/compat.c - +++ b/compat.c --@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version) -- debug_f("match: %s pat %s compat 0x%08x", -+@@ -43,7 +43,7 @@ compat_datafellows(const char *version) -+ static u_int -+ compat_datafellows(const char *version) -+ { -+- int i; -++ int i, bugs = 0; -+ static struct { -+ char *pat; -+ int bugs; -+@@ -147,11 +147,26 @@ -+ if (match_pattern_list(version, check[i].pat, 0) == 1) { -+ debug("match: %s pat %s compat 0x%08x", - version, check[i].pat, check[i].bugs); -- ssh->compat = check[i].bugs; - + /* Check to see if the remote side is OpenSSH and not HPN */ --+ /* TODO: need to use new method to test for this */ - + if (strstr(version, "OpenSSH") != NULL) { - + if (strstr(version, "hpn") == NULL) { --+ ssh->compat |= SSH_BUG_LARGEWINDOW; -++ bugs |= SSH_BUG_LARGEWINDOW; - + debug("Remote is NON-HPN aware"); - + } - + } -- return; -+- return check[i].bugs; -++ bugs |= check[i].bugs; - } - } -+- debug("no match: %s", version); -+- return 0; -++ /* Check to see if the remote side is OpenSSH and not HPN */ -++ if (strstr(version, "OpenSSH") != NULL) { -++ if (strstr(version, "hpn") == NULL) { -++ bugs |= SSH_BUG_LARGEWINDOW; -++ debug("Remote is NON-HPN aware"); -++ } -++ } -++ if (bugs == 0) -++ debug("no match: %s", version); -++ return bugs; -+ } -+ -+ char * - diff --git a/compat.h b/compat.h - index c197fafc..ea2e17a7 100644 - --- a/compat.h -@@ -459,7 +510,7 @@ - @@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh) - int nenc, nmac, ncomp; - u_int mode, ctos, need, dh_need, authlen; -- int r, first_kex_follows; -+ int r, first_kex_follows = 0; - + int auth_flag = 0; - + - + auth_flag = packet_authentication_state(ssh); -@@ -553,7 +604,7 @@ - #define MAX_PACKETS (1U<<31) - static int - ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) --@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) -+@@ -1317,7 +1336,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) - struct session_state *state = ssh->state; - int len, r, ms_remain; - fd_set *setp; -@@ -1035,19 +1086,6 @@ - - /* Minimum amount of data to read at a time */ - #define MIN_READ_SIZE 512 --diff --git a/ssh-keygen.c b/ssh-keygen.c --index cfb5f115..36a6e519 100644 ----- a/ssh-keygen.c --+++ b/ssh-keygen.c --@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device) -- freezero(pin, strlen(pin)); -- error_r(r, "Unable to load resident keys"); -- return -1; --- } --+ } -- if (nkeys == 0) -- logit("No keys to download"); -- if (pin != NULL) - diff --git a/ssh.c b/ssh.c - index 53330da5..27b9770e 100644 - --- a/ssh.c -@@ -1093,7 +1131,7 @@ - + else - + options.hpn_buffer_size = 2 * 1024 * 1024; - + --+ if (ssh->compat & SSH_BUG_LARGEWINDOW) { -++ if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) { - + debug("HPN to Non-HPN Connection"); - + } else { - + int sock, socksize; -@@ -1157,14 +1195,14 @@ - } - @@ -2089,6 +2167,11 @@ ssh_session2_open(struct ssh *ssh) - window, packetmax, CHAN_EXTENDED_WRITE, -- "client-session", /*nonblock*/0); -+ "client-session", CHANNEL_NONBLOCK_STDIO); - - + if ((options.tcp_rcv_buf_poll > 0) && !options.hpn_disabled) { - + c->dynamic_window = 1; - + debug("Enabled Dynamic Window Scaling"); - + } - + -- debug3_f("channel_new: %d", c->self); -+ debug2_f("channel %d", c->self); - - channel_send_open(ssh, c->self); - @@ -2105,6 +2188,13 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_info *cinfo) -@@ -1335,7 +1373,29 @@ - /* Bind the socket to the desired port. */ - if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) { - error("Bind to port %s on %s failed: %.200s.", --@@ -1727,6 +1734,19 @@ main(int ac, char **av) -+@@ -1625,13 +1632,14 @@ -+ if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg), -+ sshbuf_len(server_cfg)) != 0) -+ fatal_f("ssh_digest_update"); -+- len = ssh_digest_bytes(digest_alg); -+- hash = xmalloc(len); -+- if (ssh_digest_final(ctx, hash, len) != 0) -+- fatal_f("ssh_digest_final"); -+- options.timing_secret = PEEK_U64(hash); -+- freezero(hash, len); -+- ssh_digest_free(ctx); -++ if ((len = ssh_digest_bytes(digest_alg)) > 0) { -++ hash = xmalloc(len); -++ if (ssh_digest_final(ctx, hash, len) != 0) -++ fatal_f("ssh_digest_final"); -++ options.timing_secret = PEEK_U64(hash); -++ freezero(hash, len); -++ ssh_digest_free(ctx); -++ } -+ ctx = NULL; -+ return; -+ } -+@@ -1727,6 +1735,19 @@ main(int ac, char **av) - fatal("AuthorizedPrincipalsCommand set without " - "AuthorizedPrincipalsCommandUser"); - -@@ -1355,7 +1415,7 @@ - /* - * Check whether there is any path through configured auth methods. - * Unfortunately it is not possible to verify this generally before --@@ -2166,6 +2186,9 @@ main(int ac, char **av) -+@@ -2166,6 +2187,9 @@ main(int ac, char **av) - rdomain == NULL ? "" : "\""); - free(laddr); - -@@ -1365,7 +1425,7 @@ - /* - * We don't want to listen forever unless the other side - * successfully authenticates itself. So we set up an alarm which is --@@ -2343,6 +2366,12 @@ do_ssh2_kex(struct ssh *ssh) -+@@ -2343,6 +2367,12 @@ do_ssh2_kex(struct ssh *ssh) - struct kex *kex; - int r; - -@@ -1405,14 +1465,3 @@ - # Example of overriding settings on a per-user basis - #Match User anoncvs - # X11Forwarding no --diff --git a/version.h b/version.h --index 6b4fa372..332fb486 100644 ----- a/version.h --+++ b/version.h --@@ -3,4 +3,5 @@ -- #define SSH_VERSION "OpenSSH_8.5" -- -- #define SSH_PORTABLE "p1" ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE --+#define SSH_HPN "-hpn15v2" --+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN -diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff ---- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-08-31 11:12:16.778011216 -0700 -+++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-08-31 11:13:11.573211934 -0700 -@@ -12,9 +12,9 @@ - static long stalled; /* how long we have been stalled */ - static int bytes_per_second; /* current speed in bytes per second */ - @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update) -+ off_t bytes_left; - int cur_speed; -- int hours, minutes, seconds; -- int file_len; -+ int len; - + off_t delta_pos; - - if ((!force_update && !alarm_fired && !win_resized) || !can_output()) -@@ -30,15 +30,17 @@ - if (bytes_left > 0) - elapsed = now - last_update; - else { --@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update) -- -+@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update) -+ buf[1] = '\0'; -+ - /* filename */ -- buf[0] = '\0'; --- file_len = win_size - 36; --+ file_len = win_size - 45; -- if (file_len > 0) { -- buf[0] = '\r'; -- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s", -+- if (win_size > 36) { -++ if (win_size > 45) { -+- int file_len = win_size - 36; -++ int file_len = win_size - 45; -+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ", -+ file_len, file); -+ } - @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update) - (off_t)bytes_per_second); - strlcat(buf, "/s ", win_size); -@@ -63,15 +65,3 @@ - } - - /*ARGSUSED*/ --diff --git a/ssh-keygen.c b/ssh-keygen.c --index cfb5f115..986ff59b 100644 ----- a/ssh-keygen.c --+++ b/ssh-keygen.c --@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device) -- -- if (skprovider == NULL) -- fatal("Cannot download keys without provider"); --- -- pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN); -- if (!quiet) { -- printf("You may need to touch your authenticator " diff --git a/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch b/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch deleted file mode 100644 index 309e57e88643..000000000000 --- a/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch +++ /dev/null @@ -1,198 +0,0 @@ -diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff ---- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-20 11:49:32.351767063 -0700 -+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-20 11:58:08.746214945 -0700 -@@ -1026,9 +1026,9 @@ - + } - +#endif - + -- debug("Authentication succeeded (%s).", authctxt.method->name); -- } -- -+ if (ssh_packet_connection_is_on_socket(ssh)) { -+ verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host, -+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), - diff --git a/sshd.c b/sshd.c - index 6277e6d6..bf3d6e4a 100644 - --- a/sshd.c -diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff ---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-20 11:49:32.351767063 -0700 -+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-20 12:04:45.008038085 -0700 -@@ -536,18 +536,10 @@ - if (state->rekey_limit) - *max_blocks = MINIMUM(*max_blocks, - state->rekey_limit / enc->block_size); --@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode) -+@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode) - return 0; - } - --+/* this supports the forced rekeying required for the NONE cipher */ --+int rekey_requested = 0; --+void --+packet_request_rekeying(void) --+{ --+ rekey_requested = 1; --+} --+ - +/* used to determine if pre or post auth when rekeying for aes-ctr - + * and none cipher switch */ - +int -@@ -561,20 +553,6 @@ - #define MAX_PACKETS (1U<<31) - static int - ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) --@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) -- if (state->p_send.packets == 0 && state->p_read.packets == 0) -- return 0; -- --+ /* used to force rekeying when called for by the none --+ * cipher switch methods -cjr */ --+ if (rekey_requested == 1) { --+ rekey_requested = 0; --+ return 1; --+ } --+ -- /* Time-based rekeying */ -- if (state->rekey_interval != 0 && -- (int64_t)state->rekey_time + state->rekey_interval <= monotime()) - @@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) - struct session_state *state = ssh->state; - int len, r, ms_remain; -@@ -598,12 +576,11 @@ - }; - - typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *, --@@ -155,6 +158,10 @@ int ssh_packet_inc_alive_timeouts(struct ssh *); -+@@ -155,6 +158,9 @@ int ssh_packet_inc_alive_timeouts(struct ssh *); - int ssh_packet_set_maxsize(struct ssh *, u_int); - u_int ssh_packet_get_maxsize(struct ssh *); - - +/* for forced packet rekeying post auth */ --+void packet_request_rekeying(void); - +int packet_authentication_state(const struct ssh *); - + - int ssh_packet_get_state(struct ssh *, struct sshbuf *); -@@ -627,9 +604,9 @@ - oLocalCommand, oPermitLocalCommand, oRemoteCommand, - + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize, - + oNoneEnabled, oNoneMacEnabled, oNoneSwitch, -+ oDisableMTAES, - oVisualHostKey, - oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass, -- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, - @@ -297,6 +300,9 @@ static struct { - { "kexalgorithms", oKexAlgorithms }, - { "ipqos", oIPQoS }, -@@ -637,9 +614,9 @@ - + { "noneenabled", oNoneEnabled }, - + { "nonemacenabled", oNoneMacEnabled }, - + { "noneswitch", oNoneSwitch }, -- { "proxyusefdpass", oProxyUseFdpass }, -- { "canonicaldomains", oCanonicalDomains }, -- { "canonicalizefallbacklocal", oCanonicalizeFallbackLocal }, -+ { "sessiontype", oSessionType }, -+ { "stdinnull", oStdinNull }, -+ { "forkafterauthentication", oForkAfterAuthentication }, - @@ -317,6 +323,11 @@ static struct { - { "securitykeyprovider", oSecurityKeyProvider }, - { "knownhostscommand", oKnownHostsCommand }, -@@ -717,9 +694,9 @@ - + options->hpn_buffer_size = -1; - + options->tcp_rcv_buf_poll = -1; - + options->tcp_rcv_buf = -1; -- options->proxy_use_fdpass = -1; -- options->ignored_unknown = NULL; -- options->num_canonical_domains = 0; -+ options->session_type = -1; -+ options->stdin_null = -1; -+ options->fork_after_authentication = -1; - @@ -2426,6 +2484,41 @@ fill_default_options(Options * options) - options->server_alive_interval = 0; - if (options->server_alive_count_max == -1) -@@ -778,9 +755,9 @@ - int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */ - SyslogFacility log_facility; /* Facility for system logging. */ - @@ -120,7 +124,11 @@ typedef struct { -- - int enable_ssh_keysign; - int64_t rekey_limit; -+ int disable_multithreaded; /*disable multithreaded aes-ctr*/ - + int none_switch; /* Use none cipher */ - + int none_enabled; /* Allow none cipher to be used */ - + int nonemac_enabled; /* Allow none MAC to be used */ -@@ -842,9 +819,9 @@ - /* Portable-specific options */ - if (options->use_pam == -1) - @@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options) -- } -- if (options->permit_tun == -1) - options->permit_tun = SSH_TUNMODE_NO; -+ if (options->disable_multithreaded == -1) -+ options->disable_multithreaded = 0; - + if (options->none_enabled == -1) - + options->none_enabled = 0; - + if (options->nonemac_enabled == -1) -@@ -1047,17 +1024,17 @@ - Note that - diff --git a/sftp.c b/sftp.c - index fb3c08d1..89bebbb2 100644 ----- a/sftp.c --+++ b/sftp.c --@@ -71,7 +71,7 @@ typedef void EditLine; -- #include "sftp-client.h" -- -- #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */ ---#define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */ --+#define DEFAULT_NUM_REQUESTS 256 /* # concurrent outstanding requests */ -+--- a/sftp-client.c -++++ b/sftp-client.c -+@@ -65,7 +65,7 @@ typedef void EditLine; -+ #define DEFAULT_COPY_BUFLEN 32768 -+ -+ /* Default number of concurrent outstanding requests */ -+-#define DEFAULT_NUM_REQUESTS 64 -++#define DEFAULT_NUM_REQUESTS 256 - -- /* File to read commands from */ -- FILE* infile; -+ /* Minimum amount of data to read at a time */ -+ #define MIN_READ_SIZE 512 - diff --git a/ssh-keygen.c b/ssh-keygen.c - index cfb5f115..36a6e519 100644 - --- a/ssh-keygen.c -@@ -1330,9 +1307,9 @@ - + } - + } - + -- debug("Authentication succeeded (%s).", authctxt.method->name); -- } - -+ #ifdef WITH_OPENSSL -+ if (options.disable_multithreaded == 0) { - diff --git a/sshd.c b/sshd.c - index 6277e6d6..d66fa41a 100644 - --- a/sshd.c -@@ -1359,8 +1336,8 @@ - if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) { - error("Bind to port %s on %s failed: %.200s.", - @@ -1727,6 +1734,19 @@ main(int ac, char **av) -- /* Fill in default values for those options not explicitly set. */ -- fill_default_server_options(&options); -+ fatal("AuthorizedPrincipalsCommand set without " -+ "AuthorizedPrincipalsCommandUser"); - - + if (options.none_enabled == 1) { - + char *old_ciphers = options.ciphers; -@@ -1375,9 +1352,9 @@ - + } - + } - + -- /* challenge-response is implemented via keyboard interactive */ -- if (options.challenge_response_authentication) -- options.kbd_interactive_authentication = 1; -+ /* -+ * Check whether there is any path through configured auth methods. -+ * Unfortunately it is not possible to verify this generally before - @@ -2166,6 +2186,9 @@ main(int ac, char **av) - rdomain == NULL ? "" : "\""); - free(laddr); diff --git a/net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch b/net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch deleted file mode 100644 index b6827623cd66..000000000000 --- a/net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch +++ /dev/null @@ -1,63 +0,0 @@ -diff -ur '--exclude=.*.un~' a/openssh-8.8p1+x509-13.2.3.diff b/openssh-8.8p1+x509-13.2.3.diff ---- a/openssh-8.8p1+x509-13.2.3.diff 2021-10-29 14:59:17.070546984 -0700 -+++ b/openssh-8.8p1+x509-13.2.3.diff 2021-10-29 14:59:55.086664489 -0700 -@@ -954,15 +954,16 @@ - char b[512]; - - size_t len = ssh_digest_bytes(SSH_DIGEST_SHA512); - - u_char *hash = xmalloc(len); -+- double delay; - + int digest_alg; - + size_t len; - + u_char *hash; -- double delay; -- -++ double delay = 0; -++ - + digest_alg = ssh_digest_maxbytes(); - + len = ssh_digest_bytes(digest_alg); - + hash = xmalloc(len); --+ -+ - (void)snprintf(b, sizeof b, "%llu%s", - (unsigned long long)options.timing_secret, user); - - if (ssh_digest_memory(SSH_DIGEST_SHA512, b, strlen(b), hash, len) != 0) -@@ -51859,12 +51860,11 @@ - - install-files: - $(MKDIR_P) $(DESTDIR)$(bindir) --@@ -391,6 +372,8 @@ -+@@ -391,6 +372,7 @@ - $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5 - $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8 - $(MKDIR_P) $(DESTDIR)$(libexecdir) - + $(MKDIR_P) $(DESTDIR)$(sshcadir) --+ $(MKDIR_P) $(DESTDIR)$(piddir) - $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH) - $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT) - $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT) -@@ -71985,7 +71985,7 @@ - +if test "$sshd_type" = "pkix" ; then - + unset_arg='' - +else --+ unset_arg=none -++ unset_arg= - +fi - + - cat > $OBJ/sshd_config.i << _EOF -@@ -132360,16 +132360,6 @@ - +int asnmprintf(char **, size_t, int *, const char *, ...) - __attribute__((format(printf, 4, 5))); - void msetlocale(void); --diff -ruN openssh-8.8p1/version.h openssh-8.8p1+x509-13.2.3/version.h ----- openssh-8.8p1/version.h 2021-09-26 17:03:19.000000000 +0300 --+++ openssh-8.8p1+x509-13.2.3/version.h 2021-10-23 16:27:00.000000000 +0300 --@@ -2,5 +2,4 @@ -- -- #define SSH_VERSION "OpenSSH_8.8" -- ---#define SSH_PORTABLE "p1" ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE --+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1" - diff -ruN openssh-8.8p1/version.m4 openssh-8.8p1+x509-13.2.3/version.m4 - --- openssh-8.8p1/version.m4 1970-01-01 02:00:00.000000000 +0200 - +++ openssh-8.8p1+x509-13.2.3/version.m4 2021-10-23 16:27:00.000000000 +0300 diff --git a/net-misc/openssh/openssh-8.8_p1-r4.ebuild b/net-misc/openssh/openssh-8.8_p1-r4.ebuild deleted file mode 100644 index 561dc2dd6076..000000000000 --- a/net-misc/openssh/openssh-8.8_p1-r4.ebuild +++ /dev/null @@ -1,491 +0,0 @@ -# Copyright 1999-2022 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=7 - -inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig - -# Make it more portable between straight releases -# and _p? releases. -PARCH=${P/_} - -# PV to USE for HPN patches -#HPN_PV="${PV^^}" -HPN_PV="8.5_P1" - -HPN_VER="15.2" -HPN_PATCHES=( - ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff - ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff - ${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff -) - -SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz" -X509_VER="13.2.3" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" - -DESCRIPTION="Port of OpenBSD's free SSH release" -HOMEPAGE="https://www.openssh.com/" -SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz - ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )} - ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )} - ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} - verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc ) -" -VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssh.org.asc -S="${WORKDIR}/${PARCH}" - -LICENSE="BSD GPL-2" -SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" -# Probably want to drop ssl defaulting to on in a future version. -IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss" - -RESTRICT="!test? ( test )" - -REQUIRED_USE=" - hpn? ( ssl ) - ldns? ( ssl ) - pie? ( !static ) - static? ( !kerberos !pam ) - X509? ( !sctp ssl !xmss ) - xmss? ( ssl ) - test? ( ssl ) -" - -# tests currently fail with XMSS -REQUIRED_USE+="test? ( !xmss )" - -LIB_DEPEND=" - audit? ( sys-process/audit[static-libs(+)] ) - ldns? ( - net-libs/ldns[static-libs(+)] - net-libs/ldns[ecdsa(+),ssl(+)] - ) - libedit? ( dev-libs/libedit:=[static-libs(+)] ) - sctp? ( net-misc/lksctp-tools[static-libs(+)] ) - security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] ) - selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) - ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] ) - virtual/libcrypt:=[static-libs(+)] - >=sys-libs/zlib-1.2.3:=[static-libs(+)] -" -RDEPEND=" - acct-group/sshd - acct-user/sshd - !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) - pam? ( sys-libs/pam ) - kerberos? ( virtual/krb5 ) -" -DEPEND="${RDEPEND} - virtual/os-headers - kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) ) - static? ( ${LIB_DEPEND} ) -" -RDEPEND="${RDEPEND} - pam? ( >=sys-auth/pambase-20081028 ) - !prefix? ( sys-apps/shadow ) - X? ( x11-apps/xauth ) -" -BDEPEND=" - virtual/pkgconfig - sys-devel/autoconf - verify-sig? ( sec-keys/openpgp-keys-openssh ) -" - -pkg_pretend() { - # this sucks, but i'd rather have people unable to `emerge -u openssh` - # than not be able to log in to their server any more - local missing=() - check_feature() { use "${1}" && [[ -z ${!2} ]] && missing+=( "${1}" ); } - check_feature hpn HPN_VER - check_feature sctp SCTP_PATCH - check_feature X509 X509_PATCH - if [[ ${#missing[@]} -ne 0 ]] ; then - eerror "Sorry, but this version does not yet support features" - eerror "that you requested: ${missing[*]}" - eerror "Please mask ${PF} for now and check back later:" - eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" - die "Missing requested third party patch." - fi - - # Make sure people who are using tcp wrappers are notified of its removal. #531156 - if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then - ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" - ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please." - fi -} - -src_unpack() { - default - - # We don't have signatures for HPN, X509, so we have to write this ourselves - use verify-sig && verify-sig_verify_detached "${DISTDIR}"/${PARCH}.tar.gz{,.asc} -} - -src_prepare() { - sed -i \ - -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ - pathnames.h || die - - # don't break .ssh/authorized_keys2 for fun - sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die - - eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch - eapply "${FILESDIR}"/${PN}-8.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex - eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch - eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch - eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch - eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch - - [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches - - local PATCHSET_VERSION_MACROS=() - - if use X509 ; then - pushd "${WORKDIR}" &>/dev/null || die - eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch" - popd &>/dev/null || die - - eapply "${WORKDIR}"/${X509_PATCH%.*} - - # We need to patch package version or any X.509 sshd will reject our ssh client - # with "userauth_pubkey: could not parse key: string is too large [preauth]" - # error - einfo "Patching package version for X.509 patch set ..." - sed -i \ - -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \ - "${S}"/configure.ac || die "Failed to patch package version for X.509 patch" - - einfo "Patching version.h to expose X.509 patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \ - "${S}"/version.h || die "Failed to sed-in X.509 patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_X509' ) - fi - - if use sctp ; then - eapply "${WORKDIR}"/${SCTP_PATCH%.*} - - einfo "Patching version.h to expose SCTP patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \ - "${S}"/version.h || die "Failed to sed-in SCTP patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' ) - - einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..." - sed -i \ - -e "/\t\tcfgparse \\\/d" \ - "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch" - fi - - if use hpn ; then - local hpn_patchdir="${T}/${P}-hpn${HPN_VER}" - mkdir "${hpn_patchdir}" || die - cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die - pushd "${hpn_patchdir}" &>/dev/null || die - eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-glue.patch - use X509 && eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-X509-glue.patch - use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch - popd &>/dev/null || die - - eapply "${hpn_patchdir}" - - use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch" - - einfo "Patching Makefile.in for HPN patch set ..." - sed -i \ - -e "/^LIBS=/ s/\$/ -lpthread/" \ - "${S}"/Makefile.in || die "Failed to patch Makefile.in" - - einfo "Patching version.h to expose HPN patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \ - "${S}"/version.h || die "Failed to sed-in HPN patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_HPN' ) - - if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then - einfo "Disabling known non-working MT AES cipher per default ..." - - cat > "${T}"/disable_mtaes.conf <<- EOF - - # HPN's Multi-Threaded AES CTR cipher is currently known to be broken - # and therefore disabled per default. - DisableMTAES yes - EOF - sed -i \ - -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \ - "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config" - - sed -i \ - -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \ - "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config" - fi - fi - - if use X509 || use sctp || use hpn ; then - einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..." - sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)" - - einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..." - sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)" - - einfo "Patching version.h to add our patch sets to SSH_RELEASE ..." - sed -i \ - -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \ - "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)" - fi - - sed -i \ - -e "/#UseLogin no/d" \ - "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)" - - eapply_user #473004 - - # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox - sed -e '/\t\tpercent \\/ d' \ - -i regress/Makefile || die - - tc-export PKG_CONFIG - local sed_args=( - -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" - # Disable PATH reset, trust what portage gives us #254615 - -e 's:^PATH=/:#PATH=/:' - # Disable fortify flags ... our gcc does this for us - -e 's:-D_FORTIFY_SOURCE=2::' - ) - - # The -ftrapv flag ICEs on hppa #505182 - use hppa && sed_args+=( - -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' - -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' - ) - # _XOPEN_SOURCE causes header conflicts on Solaris - [[ ${CHOST} == *-solaris* ]] && sed_args+=( - -e 's/-D_XOPEN_SOURCE//' - ) - sed -i "${sed_args[@]}" configure{.ac,} || die - - eautoreconf -} - -src_configure() { - addwrite /dev/ptmx - - use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG - use static && append-ldflags -static - use xmss && append-cflags -DWITH_XMSS - - if [[ ${CHOST} == *-solaris* ]] ; then - # Solaris' glob.h doesn't have things like GLOB_TILDE, configure - # doesn't check for this, so force the replacement to be put in - # place - append-cppflags -DBROKEN_GLOB - fi - - # use replacement, RPF_ECHO_ON doesn't exist here - [[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no - - local myconf=( - --with-ldflags="${LDFLAGS}" - --disable-strip - --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run - --sysconfdir="${EPREFIX}"/etc/ssh - --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc - --datadir="${EPREFIX}"/usr/share/openssh - --with-privsep-path="${EPREFIX}"/var/empty - --with-privsep-user=sshd - $(use_with audit audit linux) - $(use_with kerberos kerberos5 "${EPREFIX}"/usr) - # We apply the sctp patch conditionally, so can't pass --without-sctp - # unconditionally else we get unknown flag warnings. - $(use sctp && use_with sctp) - $(use_with ldns) - $(use_with libedit) - $(use_with pam) - $(use_with pie) - $(use_with selinux) - $(usex X509 '' "$(use_with security-key security-key-builtin)") - $(use_with ssl openssl) - $(use_with ssl md5-passwords) - $(use_with ssl ssl-engine) - $(use_with !elibc_Cygwin hardening) #659210 - ) - - if use elibc_musl; then - # musl defines bogus values for UTMP_FILE and WTMP_FILE - # https://bugs.gentoo.org/753230 - myconf+=( --disable-utmp --disable-wtmp ) - fi - - # The seccomp sandbox is broken on x32, so use the older method for now. #553748 - use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit ) - - econf "${myconf[@]}" -} - -src_test() { - local tests=( compat-tests ) - local shell=$(egetshell "${UID}") - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then - ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" - ewarn "user, so we will run a subset only." - tests+=( interop-tests ) - else - tests+=( tests ) - fi - - local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1 - mkdir -p "${HOME}"/.ssh || die - emake -j1 "${tests[@]}" </dev/null -} - -# Gentoo tweaks to default config files. -tweak_ssh_configs() { - local locale_vars=( - # These are language variables that POSIX defines. - # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02 - LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME - - # These are the GNU extensions. - # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html - LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE - ) - - # First the server config. - cat <<-EOF >> "${ED}"/etc/ssh/sshd_config - - # Allow client to pass locale environment variables. #367017 - AcceptEnv ${locale_vars[*]} - - # Allow client to pass COLORTERM to match TERM. #658540 - AcceptEnv COLORTERM - EOF - - # Then the client config. - cat <<-EOF >> "${ED}"/etc/ssh/ssh_config - - # Send locale environment variables. #367017 - SendEnv ${locale_vars[*]} - - # Send COLORTERM to match TERM. #658540 - SendEnv COLORTERM - EOF - - if use pam ; then - sed -i \ - -e "/^#UsePAM /s:.*:UsePAM yes:" \ - -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ - -e "/^#PrintMotd /s:.*:PrintMotd no:" \ - -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ - "${ED}"/etc/ssh/sshd_config || die - fi - - if use livecd ; then - sed -i \ - -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \ - "${ED}"/etc/ssh/sshd_config || die - fi -} - -src_install() { - emake install-nokeys DESTDIR="${D}" - fperms 600 /etc/ssh/sshd_config - dobin contrib/ssh-copy-id - newinitd "${FILESDIR}"/sshd-r1.initd sshd - newconfd "${FILESDIR}"/sshd-r1.confd sshd - - if use pam; then - newpamd "${FILESDIR}"/sshd.pam_include.2 sshd - fi - - tweak_ssh_configs - - doman contrib/ssh-copy-id.1 - dodoc CREDITS OVERVIEW README* TODO sshd_config - use hpn && dodoc HPN-README - use X509 || dodoc ChangeLog - - diropts -m 0700 - dodir /etc/skel/.ssh - - # https://bugs.gentoo.org/733802 - if ! use scp; then - rm -f "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \ - || die "failed to remove scp" - fi - - rmdir "${ED}"/var/empty || die - - systemd_dounit "${FILESDIR}"/sshd.{service,socket} - systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' -} - -pkg_preinst() { - if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then - show_ssl_warning=1 - fi -} - -pkg_postinst() { - local old_ver - for old_ver in ${REPLACING_VERSIONS}; do - if ver_test "${old_ver}" -lt "5.8_p1"; then - elog "Starting with openssh-5.8p1, the server will default to a newer key" - elog "algorithm (ECDSA). You are encouraged to manually update your stored" - elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." - fi - if ver_test "${old_ver}" -lt "7.0_p1"; then - elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." - elog "Make sure to update any configs that you might have. Note that xinetd might" - elog "be an alternative for you as it supports USE=tcpd." - fi - if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518 - elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" - elog "weak sizes. If you rely on these key types, you can re-enable the key types by" - elog "adding to your sshd_config or ~/.ssh/config files:" - elog " PubkeyAcceptedKeyTypes=+ssh-dss" - elog "You should however generate new keys using rsa or ed25519." - - elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" - elog "to 'prohibit-password'. That means password auth for root users no longer works" - elog "out of the box. If you need this, please update your sshd_config explicitly." - fi - if ver_test "${old_ver}" -lt "7.6_p1"; then - elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely." - elog "Furthermore, rsa keys with less than 1024 bits will be refused." - fi - if ver_test "${old_ver}" -lt "7.7_p1"; then - elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality." - elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option" - elog "if you need to authenticate against LDAP." - elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details." - fi - if ver_test "${old_ver}" -lt "8.2_p1"; then - ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you" - ewarn "will not be able to establish new sessions. Restarting sshd over a ssh" - ewarn "connection is generally safe." - fi - done - - if [[ -n ${show_ssl_warning} ]]; then - elog "Be aware that by disabling openssl support in openssh, the server and clients" - elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" - elog "and update all clients/servers that utilize them." - fi - - if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then - elog "" - elog "HPN's multi-threaded AES CTR cipher is currently known to be broken" - elog "and therefore disabled at runtime per default." - elog "Make sure your sshd_config is up to date and contains" - elog "" - elog " DisableMTAES yes" - elog "" - elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher." - elog "" - fi -} diff --git a/net-misc/openssh/openssh-8.9_p1-r2.ebuild b/net-misc/openssh/openssh-8.9_p1-r2.ebuild index 64d88e4197f6..7cc0b4d2528a 100644 --- a/net-misc/openssh/openssh-8.9_p1-r2.ebuild +++ b/net-misc/openssh/openssh-8.9_p1-r2.ebuild @@ -36,7 +36,7 @@ S="${WORKDIR}/${PARCH}" LICENSE="BSD GPL-2" SLOT="0" -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" # Probably want to drop ssl defaulting to on in a future version. IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss" @@ -323,9 +323,6 @@ src_configure() { myconf+=( --disable-utmp --disable-wtmp ) fi - # The seccomp sandbox is broken on x32, so use the older method for now. #553748 - use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit ) - econf "${myconf[@]}" } diff --git a/net-misc/openssh/openssh-9.0_p1.ebuild b/net-misc/openssh/openssh-9.0_p1.ebuild index 6e16f5eb038c..13c0bb4fa5c5 100644 --- a/net-misc/openssh/openssh-9.0_p1.ebuild +++ b/net-misc/openssh/openssh-9.0_p1.ebuild @@ -36,7 +36,7 @@ S="${WORKDIR}/${PARCH}" LICENSE="BSD GPL-2" SLOT="0" -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" # Probably want to drop ssl defaulting to on in a future version. IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss" @@ -322,9 +322,6 @@ src_configure() { myconf+=( --disable-utmp --disable-wtmp ) fi - # The seccomp sandbox is broken on x32, so use the older method for now. #553748 - use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit ) - econf "${myconf[@]}" } |