diff options
Diffstat (limited to 'net-misc/openssh')
| -rw-r--r-- | net-misc/openssh/Manifest | 21 | ||||
| -rw-r--r-- | net-misc/openssh/files/openssh-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch | 31 | ||||
| -rw-r--r-- | net-misc/openssh/files/openssh-8.0_p1-fix-an-unreachable-integer-overflow-similar-to-the-XMSS-case.patch | 76 | ||||
| -rw-r--r-- | net-misc/openssh/files/openssh-8.0_p1-fix-integer-overflow-in-XMSS-private-key-parsing.patch | 14 | ||||
| -rw-r--r-- | net-misc/openssh/files/openssh-8.0_p1-fix-putty-tests.patch | 57 | ||||
| -rw-r--r-- | net-misc/openssh/files/openssh-8.1_p1-GSSAPI-dns.patch | 359 | ||||
| -rw-r--r-- | net-misc/openssh/files/openssh-8.1_p1-hpn-glue.patch | 216 | ||||
| -rw-r--r-- | net-misc/openssh/openssh-7.5_p1-r4.ebuild | 6 | ||||
| -rw-r--r-- | net-misc/openssh/openssh-7.7_p1-r9.ebuild | 6 | ||||
| -rw-r--r-- | net-misc/openssh/openssh-7.9_p1-r4.ebuild | 4 | ||||
| -rw-r--r-- | net-misc/openssh/openssh-8.0_p1-r4.ebuild (renamed from net-misc/openssh/openssh-8.0_p1.ebuild) | 34 | ||||
| -rw-r--r-- | net-misc/openssh/openssh-8.1_p1.ebuild (renamed from net-misc/openssh/openssh-8.0_p1-r2.ebuild) | 31 |
12 files changed, 811 insertions, 44 deletions
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest index a0df0f9a3cc0..900ed083938d 100644 --- a/net-misc/openssh/Manifest +++ b/net-misc/openssh/Manifest @@ -26,10 +26,16 @@ AUX openssh-8.0_p1-X509-dont-make-piddir-12.0.patch 814 BLAKE2B 596967e4b13d59b1 AUX openssh-8.0_p1-X509-dont-make-piddir-12.1.patch 812 BLAKE2B a7ded816857183e6a35dd4706ff5c4f4788e2eee5afb08dd59aedd13f0a7d3efc04f74df43bb23d808c8ba53866fdbc1cc89a15ec1b28a995a29181430bffbcf SHA512 1fdc152be81c7a19d8d15c8da03c3de0456cdccb715d1c1fdeea6b7ef89b838e560886dc20d85696fd1105d00512aff884c20ed4117a5afae5c0c00e74831aa5 AUX openssh-8.0_p1-X509-glue-12.0.patch 825 BLAKE2B 9fc0b5b291551d55770bddcf23d44601d15cbc23a6d8f0795cd064f53e1bc2e49056b23b2d7db0aa25e31e8b68c71ef476cb926a7efa765edf81440489711225 SHA512 edd8c0bdc3b90f7afce8eb5d91ec1344b6e22fc9d16787f63eaee9a576178f5e0b4937fb0dc2640779c049a9102ece63360fef4f690b09894ec46995e0f5ebe2 AUX openssh-8.0_p1-X509-glue-12.1.patch 825 BLAKE2B 494e16224e9dc9b90c61f7d3721305192344fe41631c6088768b578f8c5620d8e664403105073ef702df4cf234f00279e5e02fb637b2d392ea9b1a1b962b9b67 SHA512 966553aaf2188395f7d3ac05e91a604fe8db47f781b2c1e01ce7cd5a42bff0e3c76c1fbcf557ee3fbcf16ab77de61b8f9812499553f05c843e1048cd713593e4 +AUX openssh-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch 977 BLAKE2B b2e28683176c4678f51a9a0be3e29496620ac795c7de4649fb3cc0bd076682e42bc1c606b17a76e140f51319e4c4a1cc890c3a37c4bc3cf9222a88e31b8a773f SHA512 8c2567ae16dccc73e302ba90c1bb03e19d4afc3892dd8e1636d7c8853932662eccbda3957e4db55a21bd37d2e65abe74b0b2c1efb74e31751335eb523759d945 +AUX openssh-8.0_p1-fix-an-unreachable-integer-overflow-similar-to-the-XMSS-case.patch 2696 BLAKE2B 86bac20233102c5beefb3a79e2da8c5421d47d1c175e9e602f14c127e1bf7ec67e193620461ebd7a835bae556dbf9db904c3f63bbd3283a04dac444f34a3eab8 SHA512 f951cdc664088a124754fe963bb6abc659264183a3c773d61243bb12ca87f7554422d9acabb86c6390fe0e088fee60cc3129ad85e336ebf84f5c126d61d1fa3f +AUX openssh-8.0_p1-fix-integer-overflow-in-XMSS-private-key-parsing.patch 506 BLAKE2B d4e88cc9553c6e2708447edd3ceeeea4f6c967893f34cad6c5fc980ee46895b64b58c5b8d271b7363e7144d34e05fd1e9519e01a9bb05d7c2cc5a9613b2b096c SHA512 cae5a9f5c46a2c70be4284bc050b69dab347181397a9e34c0c2ee5a470992070a2b8359ade42ce6840b5ff6311d3b0026bf6d548e944662c481a74456737a095 +AUX openssh-8.0_p1-fix-putty-tests.patch 1760 BLAKE2B a1127e8f2275c1e23c956b5041dbc84dbdb2cd6b788fc69bfc1f6b030afe86a827483602ce76577b4101ee2e790b1cfa8c1d2db09da59b89fe7df8083bf4695f SHA512 f544d818bdde628131f1819bf2ffb4007802ee5bf12c5cd5bd398efe0f0f430ed6b3efa7969cb2c4fa49a2bbd773d8fa09f4c927cf998a564b7611443437c310 AUX openssh-8.0_p1-hpn-X509-glue.patch 3814 BLAKE2B 9a0071d13bb602f9b0660dd74d0ae59611a0d8b8c13fab7def2ea840d1ea42bb4c0999ef44e86db2e8246c6e803797a70f9b18016da491598991052854659c03 SHA512 a986c012aa58a4764d3c4c4a5bf5d1e69edb156adf18d7e9ccae0508879da8b3e92a884d6dcfa80ec5b02d41e7784d8eb500128925ae5cee0ca948cf6bf50ba2 AUX openssh-8.0_p1-hpn-glue.patch 7029 BLAKE2B cf6fb2c59b768aecf846f0d037ae6d48f750e742f93cdd00a62caf04dfafd993e05921f5d227014e9437d3cdfff4e1b9baa832997904bf398ba06e8f874f7ceb SHA512 63eb0b12763ab53946a9f6b9db44c428d9da8b781a6e1d3f5c4b0edfca85d986cf932461205cee84f9a9db7725c9e05eb1d366b357c787a95c561bdc6514d3d7 AUX openssh-8.0_p1-hpn-version.patch 590 BLAKE2B 1ff20ab17e7e1a20f7a96ded56ff7c059fd509d7773d9abaeac83743102385d9713284c630dc932d40672a9bfc8a894b57c6b073e93a7b024de7490ea54a589c SHA512 37250881f17a44e4a4b0ac164d06961e0731528847d5cbbb263e3f9a286a192c8dae92250b85db3f2e1f280a464c7b3bfc8a7c9e85552375c013e16a6fcf28ed AUX openssh-8.0_p1-tests.patch 1493 BLAKE2B 2e28d9f27d6d9f7e1716cf5f85bbb92af96faf8842e0047d79262a36f5273cd9252bfc576a22e4fc5523942eb7dea80d968045fea317e523d430373c59160ed0 SHA512 1f191076d3199b33e4cfa66e901d086dba32d7ee620c6dfa3bdaa7c9cba8e98d36b7f27d2f2dca7eb8d2549da37dd4b3638e392d8dbd9c36cb4a9ba09a45043f +AUX openssh-8.1_p1-GSSAPI-dns.patch 11639 BLAKE2B 2bc9e618c0acbf6b85496a33055894471235d01f20b76c9b75302dce58c7d6033984c8471789d2f8095d6231f5f271a4eb2f6099936b1631ec261464bc7a3ada SHA512 722a769da482876f0629e110109f02065e47848ff79395e9e64de39ae066d8c5a207f849c59d95b72e70b874f4bedf4e52a2f7ad1752d9c84b99ccdbfa19c73d +AUX openssh-8.1_p1-hpn-glue.patch 7830 BLAKE2B 81c239f57d252b3a9bb1c7aed56ac67196ad11a316163db0cf6d4c75d73db1cbae038707ec788c5101f40ebf455257fa2cd1b9d7facab1081b5b856317543dd7 SHA512 2cf4e5da60e30932619c6915295b1659f53db3e784e87fcbbd25b8d167df8e29a1712235413bb2d485956494111aa682d086f9b5a36c3f55a286d40599df8b8c AUX sshd-r1.confd 774 BLAKE2B df3f3f28cb4d35b49851399b52408c42e242ae3168ff3fc79add211903567da370cfe86a267932ca9cf13c3afbc38a8f1b53e753a31670ee61bf8ba8747832f8 SHA512 3a69752592126024319a95f1c1747af508fd639c86eca472106c5d6c23d5eeaa441ca74740d4b1aafaa0db759d38879e3c1cee742b08d6166ebc58cddac1e2fe AUX sshd-r1.initd 2675 BLAKE2B 47e87cec2d15b90aae362ce0c8e8ba08dada9ebc244e28be1fe67d24deb00675d3d9b8fef40def8a9224a3e2d15ab717574a3d837e099133c1cf013079588b55 SHA512 257d6437162b76c4a3a648ecc5d4739ca7eaa60b192fde91422c6c05d0de6adfa9635adc24d57dc3da6beb92b1b354ffe8fddad3db453efb610195d5509a4e27 AUX sshd.confd 396 BLAKE2B 2fc146e83512d729e120cfe331441e8fe27eba804906cc0c463b938ddaf052e7392efbcda6699467afde22652c599e7d55b0ce18a344137263cd78647fea255f SHA512 b9ae816af54a55e134a9307e376f05367b815f1b3fd545c2a2c312d18aedcf907f413e8bad8db980cdd9aad4011a72a79e1e94594f69500939a9cb46287f2f81 @@ -54,14 +60,15 @@ DIST openssh-7.9p1-sctp-1.2.patch.xz 7360 BLAKE2B 60e209371ecac24d0b60e48459d4d4 DIST openssh-7.9p1.tar.gz 1565384 BLAKE2B de15795e03d33d4f9fe4792f6b14500123230b6c00c1e5bd7207bb6d6bf6df0b2e057c1b1de0fee709f58dd159203fdd69fe1473118a6baedebaa0c1c4c55b59 SHA512 0412c9c429c9287f0794023951469c8e6ec833cdb55821bfa0300dd90d0879ff60484f620cffd93372641ab69bf0b032c2d700ccc680950892725fb631b7708e DIST openssh-7_8_P1-hpn-AES-CTR-14.16.diff 29231 BLAKE2B e25877c5e22f674e6db5a0bc107e5daa2509fe762fb14ce7bb2ce9a115e8177a93340c1d19247b6c2c854b7e1f9ae9af9fd932e5fa9c0a6b2ba438cd11a42991 SHA512 1867fb94c29a51294a71a3ec6a299757565a7cda5696118b0b346ed9c78f2c81bb1b888cff5e3418776b2fa277a8f070c5eb9327bb005453e2ffd72d35cdafa7 DIST openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 43356 BLAKE2B 776fa140d64a16c339b46a7c773258d2f4fe44e48b16abccad1a8757a51cb6362722fc5f42c39159af12849f5c88cf574de64815085c97157e16653f18d4909b SHA512 53f2752b7aa02719c8dfe0fe0ef16e874101ba2ba87924aa1122cd445ece218ca09c22abaa3377307f25d459579bc28d3854e2402c71b794db65d58cdd1ebc08 -DIST openssh-8.0p1+x509-12.0.diff.gz 623765 BLAKE2B b1c0d533a58c55b0f8451ce5aa8ee9b462afdc1eee44018f30962d3427c73b12a57c2c88bc8656c09c2b39a2ac72755539eeb29e7060ced5d3e8470647f88c0a SHA512 5f678fd303e39df7a2fb23af682c5a02b33f7fdcafe6171b9db2067098a2048677c415c3bee75225eb9fbaf308cfac7f37b0865951cdb6dda0577908499a8295 -DIST openssh-8.0p1+x509-12.1.diff.gz 680389 BLAKE2B b1e353c496dd6dbd104c32bc5e9a3f055673a7876944d39c80f185cdb589d09b8d509754f04f2e051ceef2b39a3d810ba00b8894a4b67c7a6a0170a4ed0518a5 SHA512 831988d636a19e89a881616e07e38bc6ca44e90443b2bbf290fab3f120877e2eef60f21ad6e0c64098d07e09379f9f73f0ce2e5df975aa1bd43944582f8b8b3e +DIST openssh-8.0p1+x509-12.1-gentoo.diff.gz 680853 BLAKE2B b24ee61d6328bf2de8384d6ecbfc5ae0be4719a3c7a2d714be3a144d327bba5038e7e36ffcc313af2a8a94960ce1f56387654d2d21920af51826af61957aa4cc SHA512 178728139473b277fe50a03f37be50b3f8e539cea8f5937ddfe710082944e799d845cdb5994f585c13564c4a89b80ccf75e87753102aebacdb4c590f0b8a1482 DIST openssh-8.0p1-sctp-1.2.patch.xz 7348 BLAKE2B bc3d3815f1ef5dbab605b93182a00c2fec258f49d56684defb6564d2b60886429c615a7ab076cc071a590f9df0908b1862ceb0961b7e6f6d1090237fec9035d3 SHA512 2f9f774286db75d0240e6fb01655a8a193fb2a5dc4596ad68ed22d64f97c9c46dad61a06478f2e972fd37cbad4d9aca5829bb91097cc56638601ff94a972b24f DIST openssh-8.0p1.tar.gz 1597697 BLAKE2B 5ba79872eabb3b3964d95a8cdd690bfe0323f018d7f944d4e1acb52576c9f6d7a1ddac15e88dc42eac6ecbfabfad1c228e303a2262588769e307c38107a4cd54 SHA512 e280fa2d56f550efd37c5d2477670326261aa8b94d991f9eb17aad90e0c6c9c939efa90fe87d33260d0f709485cb05c379f0fd1bd44fc0d5190298b6398c9982 +DIST openssh-8.1p1-sctp-1.2.patch.xz 7672 BLAKE2B f1aa0713fcb114d8774bd8d524d106401a9d7c2c73a05fbde200ccbdd2562b3636ddd2d0bc3eae9f04b4d7c729c3dafd814ae8c530a76c4a0190fae71d1edcd2 SHA512 2bffab0bbae5a4c1875e0cc229bfd83d8565bd831309158cd489d8b877556c69b936243888a181bd9ff302e19f2c174156781574294d260b6384c464d003d566 +DIST openssh-8.1p1.tar.gz 1625894 BLAKE2B d525be921a6f49420a58df5ac434d43a0c85e0f6bf8428ecebf04117c50f473185933e6e4485e506ac614f71887a513b9962d7b47969ba785da8e3a38f767322 SHA512 b987ea4ffd4ab0c94110723860273b06ed8ffb4d21cbd99ca144a4722dc55f4bf86f6253d500386b6bee7af50f066e2aa2dd095d50746509a10e11221d39d925 DIST openssh-lpk-7.5p1-0.3.14.patch.xz 17040 BLAKE2B 5b2204316dd244bb8dd11db50d5bc3a194e2cc4b64964a2d3df68bbe54c53588f15fc5176dbc3811e929573fa3e41cf91f412aa2513bb9a4b6ed02c2523c1e24 SHA512 9ce5d7e5d831c972f0f866b686bf93a048a03979ab38627973f5491eeeaa45f9faab0520b3a7ed90a13a67213fdc9cd4cf11e423acad441ea91b71037c8b435b -EBUILD openssh-7.5_p1-r4.ebuild 11161 BLAKE2B e6276f34a75fbce06ebefa246786db15aff3bd9a59c77c41d96576b6aeb77c5e6fa17aceb573d4d1f0518aa703d298eb292d0d157fb843a702cbede1f42c0296 SHA512 446414c8961458b812b768d18afe46d60ef4dd54111d95b99654cfb3dfef592812b30527fdda352a595bba815e0ffea4a813e3291bcc96bacb368267ff837bdd -EBUILD openssh-7.7_p1-r9.ebuild 15943 BLAKE2B 459a0f5920b3d5b4da2835e7f3c9f1edd185e48c509e5150a1306dbca3c2f17d0d9d3f41166c4263dd60c0218c11b278a4eaa6f53ae1429710fc749994f70d11 SHA512 3aa9018173cc53de22b1e4693daf4ca2716cd0bc0066f797b6b66926481aaabb3e82942beb305a95523ba64dc9ff95f54232c7538c1d30834f38d88dd94f18a2 -EBUILD openssh-7.9_p1-r4.ebuild 16314 BLAKE2B 4b78ac7c56c7aa5ab0225b07cc8d4f4739408221372064d17bd095dd440af3a9541713ab55de5bdb2347a373b9e267c0e3f38bb992f4ea3da893ff8a808970e0 SHA512 2f9ab98645c6d2ab67ee2e715719cdb868d02e8df19de85bc2556dfa62c26f946125a9fcdbbbdd34a596961272655947d6c6657dc1b477b646d4e42e8ad931af -EBUILD openssh-8.0_p1-r2.ebuild 16221 BLAKE2B 57e648434d52495a68a444a1493e63f906afac08e06dbffff35ab6aa3a41e00b27ea27c975576934d2067ad77183795bf0c2c48e3e7d7951537d1f276005d445 SHA512 a4d21a237fb93b168f3f884923e23e4fb215f8725b076723cccefa1354dc98af11a8f8ed2448d93daa23b3c411b7ebb00c2c9013139be9c1444dd952812472b2 -EBUILD openssh-8.0_p1.ebuild 16146 BLAKE2B 613b780cdde9d39e9f1f67267c773dded920c511c6e8d1241c92c72d9957b39e870517c868d17c72db2ae68bfc2b2d64ba85b777331082d4011057ca87cdb59e SHA512 9358116310155833391140a586d4c375292a9eb68fe40bf7453e9ee547c74bbcb750e360fd43c7c585a222cb053804a413023c0dcc06ab824df964826476853e +EBUILD openssh-7.5_p1-r4.ebuild 11137 BLAKE2B 371ae94d3f12874e8ee17416cd2c1b81059b4db2cef6cad7453aa85c2c192ebac644c3907d85d42df7729044a8cebb90ef19e35036a402be404a0841333eb653 SHA512 6655b250cbec41c4432b79a4699b15d73f246820d5f0f3c9fdfe5053388be3b0be7a26ec800055ad0824c92cb91bb1a5c9a939d15ff58af07164b9fce230a415 +EBUILD openssh-7.7_p1-r9.ebuild 15919 BLAKE2B be6c6ac296d5332805d9a90c72a23598d17ca02212f2309bbb9dbff5c0374a6ef1c7d346fdd365afc0b0b853c5744c98f2db0d66347313a173aad4942abefc23 SHA512 36357ad30be27388decd08db6ae580984363b4c98c53cb634e5164b2924887cac4d19ea941f686b2290f8ff93db8c4f506fb2f76b24a1790364677ef851f6ce3 +EBUILD openssh-7.9_p1-r4.ebuild 16293 BLAKE2B 1f96b90873bed0b45da2ba26c3b1b9fb170598e6f6bc3090b8edfc7274185291f7e351a0e945e1a04ccb4e2c8fde18ba50f7bf7cd145a98721092a7608991875 SHA512 ee4fc5f36febc96c188d30d2d46b6d14c3d80178c2801802160ffbbce2d019ba6e26f26ae41e752748dc6999e676a4b2dae9e27ab7a42500c3c386f578bc24e7 +EBUILD openssh-8.0_p1-r4.ebuild 16661 BLAKE2B 7b58c80723df0c0c8c7b2a0724b6cb7549211cd618b54bba53e769af0f29c4c887e454a29e06a9e95b30ccc23156e9cfbfc63801df3a224126c296ac43d1f277 SHA512 3d5fe15f2ae2dda9c9b42d153a4fb9efcd553a79b0c136c51f8ee5770679334580ecc062aba8c01119fe4795669b76284f1a051d58797284e0de1c0e1f296c7e +EBUILD openssh-8.1_p1.ebuild 16352 BLAKE2B 2452ba7f2ee139860e648885d6abdecbfaa2fd829090c5176334280663376c3a732dc3458fc6c1645bf9668107172a75a0dc53659dae169913b348db64877b0f SHA512 b29c5431724f708722bd5b901b77a0390a607817ed52bf38f0558e99be53c29e93eb1d91124667ae8a7b0de25d85a28c9c3d5b7d35a1329f9c39791168f95575 MISC metadata.xml 2291 BLAKE2B 9e12fbae3c37a48c3b04876a7247bf38c33d6cc5be210b382e35e45c9318b3c3e7c91a0ef32a9fda96ac7a68a00f9d703aacfc1c1f23e59511ea97d159527488 SHA512 8605c7aa2e4594a04006b3abfac3fad359e3e44182be53116e25159b7419d4429176617c10b50354d0d10c2be26af550e9a2b6e4c7085906558a569dddf5c8f3 diff --git a/net-misc/openssh/files/openssh-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch b/net-misc/openssh/files/openssh-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch new file mode 100644 index 000000000000..fe3be2409e2a --- /dev/null +++ b/net-misc/openssh/files/openssh-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch @@ -0,0 +1,31 @@ +From 3ef92a657444f172b61f92d5da66d94fa8265602 Mon Sep 17 00:00:00 2001 +From: Lonnie Abelbeck <lonnie@abelbeck.com> +Date: Tue, 1 Oct 2019 09:05:09 -0500 +Subject: [PATCH] Deny (non-fatal) shmget/shmat/shmdt in preauth privsep child. + +New wait_random_seeded() function on OpenSSL 1.1.1d uses shmget, shmat, and shmdt +in the preauth codepath, deny (non-fatal) in seccomp_filter sandbox. +--- + sandbox-seccomp-filter.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c +index 840c5232b..39dc289e3 100644 +--- a/sandbox-seccomp-filter.c ++++ b/sandbox-seccomp-filter.c +@@ -168,6 +168,15 @@ static const struct sock_filter preauth_insns[] = { + #ifdef __NR_stat64 + SC_DENY(__NR_stat64, EACCES), + #endif ++#ifdef __NR_shmget ++ SC_DENY(__NR_shmget, EACCES), ++#endif ++#ifdef __NR_shmat ++ SC_DENY(__NR_shmat, EACCES), ++#endif ++#ifdef __NR_shmdt ++ SC_DENY(__NR_shmdt, EACCES), ++#endif + + /* Syscalls to permit */ + #ifdef __NR_brk diff --git a/net-misc/openssh/files/openssh-8.0_p1-fix-an-unreachable-integer-overflow-similar-to-the-XMSS-case.patch b/net-misc/openssh/files/openssh-8.0_p1-fix-an-unreachable-integer-overflow-similar-to-the-XMSS-case.patch new file mode 100644 index 000000000000..bffc591ef667 --- /dev/null +++ b/net-misc/openssh/files/openssh-8.0_p1-fix-an-unreachable-integer-overflow-similar-to-the-XMSS-case.patch @@ -0,0 +1,76 @@ +https://github.com/openssh/openssh-portable/commit/29e0ecd9b4eb3b9f305e2240351f0c59cad9ef81 + +--- a/sshkey.c ++++ b/sshkey.c +@@ -3209,6 +3209,10 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) + if ((r = sshkey_froms(buf, &k)) != 0 || + (r = sshbuf_get_bignum2(buf, &dsa_priv_key)) != 0) + goto out; ++ if (k->type != type) { ++ r = SSH_ERR_INVALID_FORMAT; ++ goto out; ++ } + if (!DSA_set0_key(k->dsa, NULL, dsa_priv_key)) { + r = SSH_ERR_LIBCRYPTO_ERROR; + goto out; +@@ -3252,6 +3256,11 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) + if ((r = sshkey_froms(buf, &k)) != 0 || + (r = sshbuf_get_bignum2(buf, &exponent)) != 0) + goto out; ++ if (k->type != type || ++ k->ecdsa_nid != sshkey_ecdsa_nid_from_name(tname)) { ++ r = SSH_ERR_INVALID_FORMAT; ++ goto out; ++ } + if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) { + r = SSH_ERR_LIBCRYPTO_ERROR; + goto out; +@@ -3296,6 +3305,10 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) + (r = sshbuf_get_bignum2(buf, &rsa_p)) != 0 || + (r = sshbuf_get_bignum2(buf, &rsa_q)) != 0) + goto out; ++ if (k->type != type) { ++ r = SSH_ERR_INVALID_FORMAT; ++ goto out; ++ } + if (!RSA_set0_key(k->rsa, NULL, NULL, rsa_d)) { + r = SSH_ERR_LIBCRYPTO_ERROR; + goto out; +@@ -3333,13 +3346,17 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) + (r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 || + (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0) + goto out; ++ if (k->type != type) { ++ r = SSH_ERR_INVALID_FORMAT; ++ goto out; ++ } + if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) { + r = SSH_ERR_INVALID_FORMAT; + goto out; + } + k->ed25519_pk = ed25519_pk; + k->ed25519_sk = ed25519_sk; +- ed25519_pk = ed25519_sk = NULL; ++ ed25519_pk = ed25519_sk = NULL; /* transferred */ + break; + #ifdef WITH_XMSS + case KEY_XMSS: +@@ -3370,7 +3387,7 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp) + (r = sshbuf_get_string(buf, &xmss_pk, &pklen)) != 0 || + (r = sshbuf_get_string(buf, &xmss_sk, &sklen)) != 0) + goto out; +- if (strcmp(xmss_name, k->xmss_name)) { ++ if (k->type != type || strcmp(xmss_name, k->xmss_name) != 0) { + r = SSH_ERR_INVALID_FORMAT; + goto out; + } +@@ -3877,7 +3894,8 @@ sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase, + } + + /* check that an appropriate amount of auth data is present */ +- if (sshbuf_len(decoded) < encrypted_len + authlen) { ++ if (sshbuf_len(decoded) < authlen || ++ sshbuf_len(decoded) - authlen < encrypted_len) { + r = SSH_ERR_INVALID_FORMAT; + goto out; + } diff --git a/net-misc/openssh/files/openssh-8.0_p1-fix-integer-overflow-in-XMSS-private-key-parsing.patch b/net-misc/openssh/files/openssh-8.0_p1-fix-integer-overflow-in-XMSS-private-key-parsing.patch new file mode 100644 index 000000000000..ba0bd02371d4 --- /dev/null +++ b/net-misc/openssh/files/openssh-8.0_p1-fix-integer-overflow-in-XMSS-private-key-parsing.patch @@ -0,0 +1,14 @@ +https://github.com/openssh/openssh-portable/commit/a546b17bbaeb12beac4c9aeed56f74a42b18a93a + +--- a/sshkey-xmss.c ++++ b/sshkey-xmss.c +@@ -977,7 +977,8 @@ sshkey_xmss_decrypt_state(const struct sshkey *k, struct sshbuf *encoded, + goto out; + } + /* check that an appropriate amount of auth data is present */ +- if (sshbuf_len(encoded) < encrypted_len + authlen) { ++ if (sshbuf_len(encoded) < authlen || ++ sshbuf_len(encoded) - authlen < encrypted_len) { + r = SSH_ERR_INVALID_FORMAT; + goto out; + } diff --git a/net-misc/openssh/files/openssh-8.0_p1-fix-putty-tests.patch b/net-misc/openssh/files/openssh-8.0_p1-fix-putty-tests.patch new file mode 100644 index 000000000000..4310aa123fc8 --- /dev/null +++ b/net-misc/openssh/files/openssh-8.0_p1-fix-putty-tests.patch @@ -0,0 +1,57 @@ +Make sure that host keys are already accepted before +running tests. + +https://bugs.gentoo.org/493866 + +--- a/regress/putty-ciphers.sh ++++ b/regress/putty-ciphers.sh +@@ -10,11 +10,17 @@ fi + + for c in aes 3des aes128-ctr aes192-ctr aes256-ctr ; do + verbose "$tid: cipher $c" ++ rm -f ${COPY} + cp ${OBJ}/.putty/sessions/localhost_proxy \ + ${OBJ}/.putty/sessions/cipher_$c + echo "Cipher=$c" >> ${OBJ}/.putty/sessions/cipher_$c + +- rm -f ${COPY} ++ env HOME=$PWD echo "y" | ${PLINK} -load cipher_$c \ ++ -i ${OBJ}/putty.rsa2 "exit" ++ if [ $? -ne 0 ]; then ++ fail "failed to pre-cache host key" ++ fi ++ + env HOME=$PWD ${PLINK} -load cipher_$c -batch -i ${OBJ}/putty.rsa2 \ + cat ${DATA} > ${COPY} + if [ $? -ne 0 ]; then +--- a/regress/putty-kex.sh ++++ b/regress/putty-kex.sh +@@ -14,6 +14,12 @@ for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ; do + ${OBJ}/.putty/sessions/kex_$k + echo "KEX=$k" >> ${OBJ}/.putty/sessions/kex_$k + ++ env HOME=$PWD echo "y" | ${PLINK} -load kex_$k \ ++ -i ${OBJ}/putty.rsa2 "exit" ++ if [ $? -ne 0 ]; then ++ fail "failed to pre-cache host key" ++ fi ++ + env HOME=$PWD ${PLINK} -load kex_$k -batch -i ${OBJ}/putty.rsa2 true + if [ $? -ne 0 ]; then + fail "KEX $k failed" +--- a/regress/putty-transfer.sh ++++ b/regress/putty-transfer.sh +@@ -14,6 +14,13 @@ for c in 0 1 ; do + cp ${OBJ}/.putty/sessions/localhost_proxy \ + ${OBJ}/.putty/sessions/compression_$c + echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k ++ ++ env HOME=$PWD echo "y" | ${PLINK} -load compression_$c \ ++ -i ${OBJ}/putty.rsa2 "exit" ++ if [ $? -ne 0 ]; then ++ fail "failed to pre-cache host key" ++ fi ++ + env HOME=$PWD ${PLINK} -load compression_$c -batch \ + -i ${OBJ}/putty.rsa2 cat ${DATA} > ${COPY} + if [ $? -ne 0 ]; then diff --git a/net-misc/openssh/files/openssh-8.1_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-8.1_p1-GSSAPI-dns.patch new file mode 100644 index 000000000000..6aba6f266945 --- /dev/null +++ b/net-misc/openssh/files/openssh-8.1_p1-GSSAPI-dns.patch @@ -0,0 +1,359 @@ +diff --git a/auth.c b/auth.c +index ca450f4e..2994a4e4 100644 +--- a/auth.c ++++ b/auth.c +@@ -723,120 +723,6 @@ fakepw(void) + return (&fake); + } + +-/* +- * Returns the remote DNS hostname as a string. The returned string must not +- * be freed. NB. this will usually trigger a DNS query the first time it is +- * called. +- * This function does additional checks on the hostname to mitigate some +- * attacks on legacy rhosts-style authentication. +- * XXX is RhostsRSAAuthentication vulnerable to these? +- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) +- */ +- +-static char * +-remote_hostname(struct ssh *ssh) +-{ +- struct sockaddr_storage from; +- socklen_t fromlen; +- struct addrinfo hints, *ai, *aitop; +- char name[NI_MAXHOST], ntop2[NI_MAXHOST]; +- const char *ntop = ssh_remote_ipaddr(ssh); +- +- /* Get IP address of client. */ +- fromlen = sizeof(from); +- memset(&from, 0, sizeof(from)); +- if (getpeername(ssh_packet_get_connection_in(ssh), +- (struct sockaddr *)&from, &fromlen) == -1) { +- debug("getpeername failed: %.100s", strerror(errno)); +- return strdup(ntop); +- } +- +- ipv64_normalise_mapped(&from, &fromlen); +- if (from.ss_family == AF_INET6) +- fromlen = sizeof(struct sockaddr_in6); +- +- debug3("Trying to reverse map address %.100s.", ntop); +- /* Map the IP address to a host name. */ +- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), +- NULL, 0, NI_NAMEREQD) != 0) { +- /* Host name not found. Use ip address. */ +- return strdup(ntop); +- } +- +- /* +- * if reverse lookup result looks like a numeric hostname, +- * someone is trying to trick us by PTR record like following: +- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 +- */ +- memset(&hints, 0, sizeof(hints)); +- hints.ai_socktype = SOCK_DGRAM; /*dummy*/ +- hints.ai_flags = AI_NUMERICHOST; +- if (getaddrinfo(name, NULL, &hints, &ai) == 0) { +- logit("Nasty PTR record \"%s\" is set up for %s, ignoring", +- name, ntop); +- freeaddrinfo(ai); +- return strdup(ntop); +- } +- +- /* Names are stored in lowercase. */ +- lowercase(name); +- +- /* +- * Map it back to an IP address and check that the given +- * address actually is an address of this host. This is +- * necessary because anyone with access to a name server can +- * define arbitrary names for an IP address. Mapping from +- * name to IP address can be trusted better (but can still be +- * fooled if the intruder has access to the name server of +- * the domain). +- */ +- memset(&hints, 0, sizeof(hints)); +- hints.ai_family = from.ss_family; +- hints.ai_socktype = SOCK_STREAM; +- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { +- logit("reverse mapping checking getaddrinfo for %.700s " +- "[%s] failed.", name, ntop); +- return strdup(ntop); +- } +- /* Look for the address from the list of addresses. */ +- for (ai = aitop; ai; ai = ai->ai_next) { +- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, +- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && +- (strcmp(ntop, ntop2) == 0)) +- break; +- } +- freeaddrinfo(aitop); +- /* If we reached the end of the list, the address was not there. */ +- if (ai == NULL) { +- /* Address not found for the host name. */ +- logit("Address %.100s maps to %.600s, but this does not " +- "map back to the address.", ntop, name); +- return strdup(ntop); +- } +- return strdup(name); +-} +- +-/* +- * Return the canonical name of the host in the other side of the current +- * connection. The host name is cached, so it is efficient to call this +- * several times. +- */ +- +-const char * +-auth_get_canonical_hostname(struct ssh *ssh, int use_dns) +-{ +- static char *dnsname; +- +- if (!use_dns) +- return ssh_remote_ipaddr(ssh); +- else if (dnsname != NULL) +- return dnsname; +- else { +- dnsname = remote_hostname(ssh); +- return dnsname; +- } +-} +- + /* + * Runs command in a subprocess with a minimal environment. + * Returns pid on success, 0 on failure. +diff --git a/canohost.c b/canohost.c +index abea9c6e..4f4524d2 100644 +--- a/canohost.c ++++ b/canohost.c +@@ -202,3 +202,117 @@ get_local_port(int sock) + { + return get_sock_port(sock, 1); + } ++ ++/* ++ * Returns the remote DNS hostname as a string. The returned string must not ++ * be freed. NB. this will usually trigger a DNS query the first time it is ++ * called. ++ * This function does additional checks on the hostname to mitigate some ++ * attacks on legacy rhosts-style authentication. ++ * XXX is RhostsRSAAuthentication vulnerable to these? ++ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) ++ */ ++ ++static char * ++remote_hostname(struct ssh *ssh) ++{ ++ struct sockaddr_storage from; ++ socklen_t fromlen; ++ struct addrinfo hints, *ai, *aitop; ++ char name[NI_MAXHOST], ntop2[NI_MAXHOST]; ++ const char *ntop = ssh_remote_ipaddr(ssh); ++ ++ /* Get IP address of client. */ ++ fromlen = sizeof(from); ++ memset(&from, 0, sizeof(from)); ++ if (getpeername(ssh_packet_get_connection_in(ssh), ++ (struct sockaddr *)&from, &fromlen) < 0) { ++ debug("getpeername failed: %.100s", strerror(errno)); ++ return strdup(ntop); ++ } ++ ++ ipv64_normalise_mapped(&from, &fromlen); ++ if (from.ss_family == AF_INET6) ++ fromlen = sizeof(struct sockaddr_in6); ++ ++ debug3("Trying to reverse map address %.100s.", ntop); ++ /* Map the IP address to a host name. */ ++ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), ++ NULL, 0, NI_NAMEREQD) != 0) { ++ /* Host name not found. Use ip address. */ ++ return strdup(ntop); ++ } ++ ++ /* ++ * if reverse lookup result looks like a numeric hostname, ++ * someone is trying to trick us by PTR record like following: ++ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 ++ */ ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_socktype = SOCK_DGRAM; /*dummy*/ ++ hints.ai_flags = AI_NUMERICHOST; ++ if (getaddrinfo(name, NULL, &hints, &ai) == 0) { ++ logit("Nasty PTR record \"%s\" is set up for %s, ignoring", ++ name, ntop); ++ freeaddrinfo(ai); ++ return strdup(ntop); ++ } ++ ++ /* Names are stored in lowercase. */ ++ lowercase(name); ++ ++ /* ++ * Map it back to an IP address and check that the given ++ * address actually is an address of this host. This is ++ * necessary because anyone with access to a name server can ++ * define arbitrary names for an IP address. Mapping from ++ * name to IP address can be trusted better (but can still be ++ * fooled if the intruder has access to the name server of ++ * the domain). ++ */ ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = from.ss_family; ++ hints.ai_socktype = SOCK_STREAM; ++ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { ++ logit("reverse mapping checking getaddrinfo for %.700s " ++ "[%s] failed.", name, ntop); ++ return strdup(ntop); ++ } ++ /* Look for the address from the list of addresses. */ ++ for (ai = aitop; ai; ai = ai->ai_next) { ++ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, ++ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && ++ (strcmp(ntop, ntop2) == 0)) ++ break; ++ } ++ freeaddrinfo(aitop); ++ /* If we reached the end of the list, the address was not there. */ ++ if (ai == NULL) { ++ /* Address not found for the host name. */ ++ logit("Address %.100s maps to %.600s, but this does not " ++ "map back to the address.", ntop, name); ++ return strdup(ntop); ++ } ++ return strdup(name); ++} ++ ++/* ++ * Return the canonical name of the host in the other side of the current ++ * connection. The host name is cached, so it is efficient to call this ++ * several times. ++ */ ++ ++const char * ++auth_get_canonical_hostname(struct ssh *ssh, int use_dns) ++{ ++ static char *dnsname; ++ ++ if (!use_dns) ++ return ssh_remote_ipaddr(ssh); ++ else if (dnsname != NULL) ++ return dnsname; ++ else { ++ dnsname = remote_hostname(ssh); ++ return dnsname; ++ } ++} +diff --git a/readconf.c b/readconf.c +index f78b4d6f..747287f7 100644 +--- a/readconf.c ++++ b/readconf.c +@@ -162,6 +162,7 @@ typedef enum { + oClearAllForwardings, oNoHostAuthenticationForLocalhost, + oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, + oAddressFamily, oGssAuthentication, oGssDelegateCreds, ++ oGssTrustDns, + oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, + oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist, + oHashKnownHosts, +@@ -203,9 +204,11 @@ static struct { + #if defined(GSSAPI) + { "gssapiauthentication", oGssAuthentication }, + { "gssapidelegatecredentials", oGssDelegateCreds }, ++ { "gssapitrustdns", oGssTrustDns }, + # else + { "gssapiauthentication", oUnsupported }, + { "gssapidelegatecredentials", oUnsupported }, ++ { "gssapitrustdns", oUnsupported }, + #endif + #ifdef ENABLE_PKCS11 + { "pkcs11provider", oPKCS11Provider }, +@@ -992,6 +995,10 @@ parse_time: + intptr = &options->gss_deleg_creds; + goto parse_flag; + ++ case oGssTrustDns: ++ intptr = &options->gss_trust_dns; ++ goto parse_flag; ++ + case oBatchMode: + intptr = &options->batch_mode; + goto parse_flag; +@@ -1864,6 +1871,7 @@ initialize_options(Options * options) + options->challenge_response_authentication = -1; + options->gss_authentication = -1; + options->gss_deleg_creds = -1; ++ options->gss_trust_dns = -1; + options->password_authentication = -1; + options->kbd_interactive_authentication = -1; + options->kbd_interactive_devices = NULL; +@@ -2011,6 +2019,8 @@ fill_default_options(Options * options) + options->gss_authentication = 0; + if (options->gss_deleg_creds == -1) + options->gss_deleg_creds = 0; ++ if (options->gss_trust_dns == -1) ++ options->gss_trust_dns = 0; + if (options->password_authentication == -1) + options->password_authentication = 1; + if (options->kbd_interactive_authentication == -1) +diff --git a/readconf.h b/readconf.h +index 8e36bf32..c9e4718d 100644 +--- a/readconf.h ++++ b/readconf.h +@@ -41,6 +41,7 @@ typedef struct { + /* Try S/Key or TIS, authentication. */ + int gss_authentication; /* Try GSS authentication */ + int gss_deleg_creds; /* Delegate GSS credentials */ ++ int gss_trust_dns; /* Trust DNS for GSS canonicalization */ + int password_authentication; /* Try password + * authentication. */ + int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ +diff --git a/ssh_config.5 b/ssh_config.5 +index 02a87892..95de538b 100644 +--- a/ssh_config.5 ++++ b/ssh_config.5 +@@ -762,6 +762,16 @@ The default is + Forward (delegate) credentials to the server. + The default is + .Cm no . ++Note that this option applies to protocol version 2 connections using GSSAPI. ++.It Cm GSSAPITrustDns ++Set to ++.Dq yes to indicate that the DNS is trusted to securely canonicalize ++the name of the host being connected to. If ++.Dq no, the hostname entered on the ++command line will be passed untouched to the GSSAPI library. ++The default is ++.Dq no . ++This option only applies to protocol version 2 connections using GSSAPI. + .It Cm HashKnownHosts + Indicates that + .Xr ssh 1 +diff --git a/sshconnect2.c b/sshconnect2.c +index 87fa70a4..a6ffdc96 100644 +--- a/sshconnect2.c ++++ b/sshconnect2.c +@@ -697,6 +697,13 @@ userauth_gssapi(struct ssh *ssh) + OM_uint32 min; + int r, ok = 0; + gss_OID mech = NULL; ++ const char *gss_host; ++ ++ if (options.gss_trust_dns) { ++ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns); ++ gss_host = auth_get_canonical_hostname(ssh, 1); ++ } else ++ gss_host = authctxt->host; + + /* Try one GSSAPI method at a time, rather than sending them all at + * once. */ +@@ -711,7 +718,7 @@ userauth_gssapi(struct ssh *ssh) + elements[authctxt->mech_tried]; + /* My DER encoding requires length<128 */ + if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt, +- mech, authctxt->host)) { ++ mech, gss_host)) { + ok = 1; /* Mechanism works */ + } else { + authctxt->mech_tried++; diff --git a/net-misc/openssh/files/openssh-8.1_p1-hpn-glue.patch b/net-misc/openssh/files/openssh-8.1_p1-hpn-glue.patch new file mode 100644 index 000000000000..0ad814f95d87 --- /dev/null +++ b/net-misc/openssh/files/openssh-8.1_p1-hpn-glue.patch @@ -0,0 +1,216 @@ +Only in b: .openssh-7_8_P1-hpn-AES-CTR-14.16.diff.un~ +Only in b: .openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff.un~ +diff -ru a/openssh-7_8_P1-hpn-AES-CTR-14.16.diff b/openssh-7_8_P1-hpn-AES-CTR-14.16.diff +--- a/openssh-7_8_P1-hpn-AES-CTR-14.16.diff 2019-10-10 13:48:31.513603947 -0700 ++++ b/openssh-7_8_P1-hpn-AES-CTR-14.16.diff 2019-10-10 13:50:15.012495676 -0700 +@@ -17,8 +17,8 @@ + canohost.o channels.o cipher.o cipher-aes.o cipher-aesctr.o \ + - cipher-ctr.o cleanup.o \ + + cipher-ctr.o cleanup.o cipher-ctr-mt.o \ +- compat.o crc32.o fatal.o hostfile.o \ +- log.o match.o moduli.o nchan.o packet.o opacket.o \ ++ compat.o fatal.o hostfile.o \ ++ log.o match.o moduli.o nchan.o packet.o \ + readpass.o ttymodes.o xmalloc.o addrmatch.o \ + diff --git a/cipher-ctr-mt.c b/cipher-ctr-mt.c + new file mode 100644 +@@ -998,7 +998,7 @@ + + * so we repoint the define to the multithreaded evp. To start the threads we + + * then force a rekey + + */ +-+ const void *cc = ssh_packet_get_send_context(active_state); +++ const void *cc = ssh_packet_get_send_context(ssh); + + + + /* only do this for the ctr cipher. otherwise gcm mode breaks. Don't know why though */ + + if (strstr(cipher_ctx_name(cc), "ctr")) { +@@ -1028,7 +1028,7 @@ + + * so we repoint the define to the multithreaded evp. To start the threads we + + * then force a rekey + + */ +-+ const void *cc = ssh_packet_get_send_context(active_state); +++ const void *cc = ssh_packet_get_send_context(ssh); + + + + /* only rekey if necessary. If we don't do this gcm mode cipher breaks */ + + if (strstr(cipher_ctx_name(cc), "ctr")) { +diff -ru a/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff b/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff +--- a/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 2019-10-10 13:47:54.801642144 -0700 ++++ b/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 2019-10-10 15:58:05.085803333 -0700 +@@ -162,24 +162,24 @@ + } + + +static int +-+channel_tcpwinsz(void) +++channel_tcpwinsz(struct ssh *ssh) + +{ + + u_int32_t tcpwinsz = 0; + + socklen_t optsz = sizeof(tcpwinsz); + + int ret = -1; + + + + /* if we aren't on a socket return 128KB */ +-+ if (!packet_connection_is_on_socket()) +++ if (!ssh_packet_connection_is_on_socket(ssh)) + + return 128 * 1024; + + +-+ ret = getsockopt(packet_get_connection_in(), +++ ret = getsockopt(ssh_packet_get_connection_in(ssh), + + SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz); + + /* return no more than SSHBUF_SIZE_MAX (currently 256MB) */ + + if ((ret == 0) && tcpwinsz > SSHBUF_SIZE_MAX) + + tcpwinsz = SSHBUF_SIZE_MAX; + + + + debug2("tcpwinsz: tcp connection %d, Receive window: %d", +-+ packet_get_connection_in(), tcpwinsz); +++ ssh_packet_get_connection_in(ssh), tcpwinsz); + + return tcpwinsz; + +} + + +@@ -191,7 +191,7 @@ + c->local_window < c->local_window_max/2) && + c->local_consumed > 0) { + + u_int addition = 0; +-+ u_int32_t tcpwinsz = channel_tcpwinsz(); +++ u_int32_t tcpwinsz = channel_tcpwinsz(ssh); + + /* adjust max window size if we are in a dynamic environment */ + + if (c->dynamic_window && (tcpwinsz > c->local_window_max)) { + + /* grow the window somewhat aggressively to maintain pressure */ +@@ -409,18 +409,10 @@ + index dcf35e6..da4ced0 100644 + --- a/packet.c + +++ b/packet.c +-@@ -920,6 +920,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode) ++@@ -920,6 +920,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode) + return 0; + } + +-+/* this supports the forced rekeying required for the NONE cipher */ +-+int rekey_requested = 0; +-+void +-+packet_request_rekeying(void) +-+{ +-+ rekey_requested = 1; +-+} +-+ + +/* used to determine if pre or post auth when rekeying for aes-ctr + + * and none cipher switch */ + +int +@@ -434,20 +426,6 @@ + #define MAX_PACKETS (1U<<31) + static int + ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) +-@@ -946,6 +964,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) +- if (state->p_send.packets == 0 && state->p_read.packets == 0) +- return 0; +- +-+ /* used to force rekeying when called for by the none +-+ * cipher switch methods -cjr */ +-+ if (rekey_requested == 1) { +-+ rekey_requested = 0; +-+ return 1; +-+ } +-+ +- /* Time-based rekeying */ +- if (state->rekey_interval != 0 && +- (int64_t)state->rekey_time + state->rekey_interval <= monotime()) + diff --git a/packet.h b/packet.h + index 170203c..f4d9df2 100644 + --- a/packet.h +@@ -476,9 +454,9 @@ + /* Format of the configuration file: + + @@ -166,6 +167,8 @@ typedef enum { +- oHashKnownHosts, + oTunnel, oTunnelDevice, + oLocalCommand, oPermitLocalCommand, oRemoteCommand, ++ oDisableMTAES, + + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize, + + oNoneEnabled, oNoneSwitch, + oVisualHostKey, +@@ -615,9 +593,9 @@ + int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */ + SyslogFacility log_facility; /* Facility for system logging. */ + @@ -111,7 +115,10 @@ typedef struct { +- + int enable_ssh_keysign; + int64_t rekey_limit; ++ int disable_multithreaded; /*disable multithreaded aes-ctr*/ + + int none_switch; /* Use none cipher */ + + int none_enabled; /* Allow none to be used */ + int rekey_interval; +@@ -633,7 +611,7 @@ + off_t i, statbytes; + size_t amt, nr; + int fd = -1, haderr, indx; +-- char *last, *name, buf[2048], encname[PATH_MAX]; ++- char *last, *name, buf[PATH_MAX + 128], encname[PATH_MAX]; + + char *last, *name, buf[16384], encname[PATH_MAX]; + int len; + +@@ -673,9 +651,9 @@ + /* Portable-specific options */ + if (options->use_pam == -1) + @@ -391,6 +400,43 @@ fill_default_server_options(ServerOptions *options) +- } +- if (options->permit_tun == -1) + options->permit_tun = SSH_TUNMODE_NO; ++ if (options->disable_multithreaded == -1) ++ options->disable_multithreaded = 0; + + if (options->none_enabled == -1) + + options->none_enabled = 0; + + if (options->hpn_disabled == -1) +@@ -1092,7 +1070,7 @@ + xxx_host = host; + xxx_hostaddr = hostaddr; + +-@@ -412,6 +423,28 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host, ++@@ -412,6 +423,27 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host, + + if (!authctxt.success) + fatal("Authentication failed."); +@@ -1108,7 +1086,7 @@ + + memcpy(&myproposal, &myproposal_default, sizeof(myproposal)); + + myproposal[PROPOSAL_ENC_ALGS_STOC] = "none"; + + myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none"; +-+ kex_prop2buf(active_state->kex->my, myproposal); +++ kex_prop2buf(ssh->kex->my, myproposal); + + packet_request_rekeying(); + + fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n"); + + } else { +@@ -1117,23 +1095,13 @@ + + fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n"); + + } + + } +-+ +- debug("Authentication succeeded (%s).", authctxt.method->name); +- } + ++ #ifdef WITH_OPENSSL ++ if (options.disable_multithreaded == 0) { + diff --git a/sshd.c b/sshd.c + index a738c3a..b32dbe0 100644 + --- a/sshd.c + +++ b/sshd.c +-@@ -373,7 +373,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) +- char remote_version[256]; /* Must be at least as big as buf. */ +- +- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n", +-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, +-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, +- *options.version_addendum == '\0' ? "" : " ", +- options.version_addendum); +- + @@ -1037,6 +1037,8 @@ listen_on_addrs(struct listenaddr *la) + int ret, listen_sock; + struct addrinfo *ai; +@@ -1217,11 +1185,10 @@ + index f1bbf00..21a70c2 100644 + --- a/version.h + +++ b/version.h +-@@ -3,4 +3,6 @@ ++@@ -3,4 +3,5 @@ + #define SSH_VERSION "OpenSSH_7.8" + + #define SSH_PORTABLE "p1" + -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE +-+#define SSH_HPN "-hpn14v16" + +#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN + + diff --git a/net-misc/openssh/openssh-7.5_p1-r4.ebuild b/net-misc/openssh/openssh-7.5_p1-r4.ebuild index cbe425c4eeff..4b4ae5463ae3 100644 --- a/net-misc/openssh/openssh-7.5_p1-r4.ebuild +++ b/net-misc/openssh/openssh-7.5_p1-r4.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2018 Gentoo Foundation +# Copyright 1999-2019 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI="5" @@ -25,7 +25,7 @@ SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz LICENSE="BSD GPL-2" SLOT="0" -KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" # Probably want to drop ssl defaulting to on in a future version. IUSE="abi_mips_n32 audit bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509" REQUIRED_USE="ldns? ( ssl ) @@ -56,7 +56,7 @@ LIB_DEPEND=" >=sys-libs/zlib-1.2.3:=[static-libs(+)]" RDEPEND=" !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) - pam? ( virtual/pam ) + pam? ( sys-libs/pam ) kerberos? ( virtual/krb5 ) ldap? ( net-nds/openldap )" DEPEND="${RDEPEND} diff --git a/net-misc/openssh/openssh-7.7_p1-r9.ebuild b/net-misc/openssh/openssh-7.7_p1-r9.ebuild index 0a21486e685f..d949654c69e5 100644 --- a/net-misc/openssh/openssh-7.7_p1-r9.ebuild +++ b/net-misc/openssh/openssh-7.7_p1-r9.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2018 Gentoo Foundation +# Copyright 1999-2019 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI="6" @@ -26,7 +26,7 @@ SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz LICENSE="BSD GPL-2" SLOT="0" -KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" # Probably want to drop ssl defaulting to on in a future version. IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux skey +ssl static test X X509" RESTRICT="!test? ( test )" @@ -57,7 +57,7 @@ LIB_DEPEND=" >=sys-libs/zlib-1.2.3:=[static-libs(+)]" RDEPEND=" !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) - pam? ( virtual/pam ) + pam? ( sys-libs/pam ) kerberos? ( virtual/krb5 )" DEPEND="${RDEPEND} static? ( ${LIB_DEPEND} ) diff --git a/net-misc/openssh/openssh-7.9_p1-r4.ebuild b/net-misc/openssh/openssh-7.9_p1-r4.ebuild index de21ccc51cbe..6f95e59ac4ba 100644 --- a/net-misc/openssh/openssh-7.9_p1-r4.ebuild +++ b/net-misc/openssh/openssh-7.9_p1-r4.ebuild @@ -33,7 +33,7 @@ SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz LICENSE="BSD GPL-2" SLOT="0" -KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" # Probably want to drop ssl defaulting to on in a future version. IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509" RESTRICT="!test? ( test )" @@ -69,7 +69,7 @@ LIB_DEPEND=" >=sys-libs/zlib-1.2.3:=[static-libs(+)]" RDEPEND=" !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) - pam? ( virtual/pam ) + pam? ( sys-libs/pam ) kerberos? ( virtual/krb5 )" DEPEND="${RDEPEND} static? ( ${LIB_DEPEND} ) diff --git a/net-misc/openssh/openssh-8.0_p1.ebuild b/net-misc/openssh/openssh-8.0_p1-r4.ebuild index c468c3f26f80..5393ca2b81d5 100644 --- a/net-misc/openssh/openssh-8.0_p1.ebuild +++ b/net-misc/openssh/openssh-8.0_p1-r4.ebuild @@ -3,7 +3,7 @@ EAPI=6 -inherit user flag-o-matic multilib autotools pam systemd +inherit user eapi7-ver flag-o-matic multilib autotools pam systemd # Make it more portable between straight releases # and _p? releases. @@ -18,7 +18,7 @@ HPN_PATCHES=( ) SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz" -X509_VER="12.0" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" +X509_VER="12.1-gentoo" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" PATCH_SET="openssh-7.9p1-patches-1.0" @@ -27,14 +27,14 @@ HOMEPAGE="https://www.openssh.com/" SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~whissi/dist/openssh/${SCTP_PATCH} )} ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )} - ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} + ${X509_PATCH:+X509? ( https://dev.gentoo.org/~whissi/dist/openssh/${X509_PATCH} )} " LICENSE="BSD GPL-2" SLOT="0" -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 ~riscv s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" # Probably want to drop ssl defaulting to on in a future version. -IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509" +IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509 xmss" RESTRICT="!test? ( test )" REQUIRED_USE="ldns? ( ssl ) pie? ( !static ) @@ -68,7 +68,7 @@ LIB_DEPEND=" >=sys-libs/zlib-1.2.3:=[static-libs(+)]" RDEPEND=" !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) - pam? ( virtual/pam ) + pam? ( sys-libs/pam ) kerberos? ( virtual/krb5 )" DEPEND="${RDEPEND} static? ( ${LIB_DEPEND} ) @@ -119,20 +119,25 @@ src_prepare() { eapply "${FILESDIR}"/${PN}-8.0_p1-GSSAPI-dns.patch #165444 integrated into gsskex eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch - eapply "${FILESDIR}"/${PN}-8.0_p1-tests.patch + eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch + eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch + eapply "${FILESDIR}"/${PN}-8.0_p1-fix-integer-overflow-in-XMSS-private-key-parsing.patch + eapply "${FILESDIR}"/${PN}-8.0_p1-fix-an-unreachable-integer-overflow-similar-to-the-XMSS-case.patch + use X509 || eapply "${FILESDIR}"/${PN}-8.0_p1-tests.patch [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches local PATCHSET_VERSION_MACROS=() if use X509 ; then - pushd "${WORKDIR}" || die - eapply "${FILESDIR}/${P}-X509-glue-${X509_VER}.patch" - eapply "${FILESDIR}/${P}-X509-dont-make-piddir-${X509_VER}.patch" - popd || die + # X509 12.1-gentoo patch contains the changes from below + #pushd "${WORKDIR}" &>/dev/null || die + #eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch" + #eapply "${FILESDIR}/${P}-X509-dont-make-piddir-"${X509_VER}".patch" + #popd &>/dev/null || die eapply "${WORKDIR}"/${X509_PATCH%.*} - eapply "${FILESDIR}"/${P}-X509-${X509_VER}-tests.patch + eapply "${FILESDIR}"/${P}-X509-$(ver_cut 1-2 ${X509_VER})-tests.patch # We need to patch package version or any X.509 sshd will reject our ssh client # with "userauth_pubkey: could not parse key: string is too large [preauth]" @@ -168,7 +173,7 @@ src_prepare() { local hpn_patchdir="${T}/${P}-hpn${HPN_VER}" mkdir "${hpn_patchdir}" cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" - pushd "${hpn_patchdir}" + pushd "${hpn_patchdir}" &>/dev/null || die eapply "${FILESDIR}"/${PN}-8.0_p1-hpn-glue.patch if use X509; then einfo "Will disable MT AES cipher due to incompatbility caused by X509 patch set" @@ -177,7 +182,7 @@ src_prepare() { eapply "${FILESDIR}"/${PN}-8.0_p1-hpn-X509-glue.patch fi use sctp && eapply "${FILESDIR}"/${PN}-7.9_p1-hpn-sctp-glue.patch - popd + popd &>/dev/null || die eapply "${hpn_patchdir}" @@ -267,6 +272,7 @@ src_configure() { use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG use static && append-ldflags -static + use xmss && append-cflags -DWITH_XMSS local myconf=( --with-ldflags="${LDFLAGS}" diff --git a/net-misc/openssh/openssh-8.0_p1-r2.ebuild b/net-misc/openssh/openssh-8.1_p1.ebuild index c0a1abeb3597..b75fb6f1a88f 100644 --- a/net-misc/openssh/openssh-8.0_p1-r2.ebuild +++ b/net-misc/openssh/openssh-8.1_p1.ebuild @@ -1,9 +1,9 @@ # Copyright 1999-2019 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 -EAPI=6 +EAPI=7 -inherit user eapi7-ver flag-o-matic multilib autotools pam systemd +inherit user flag-o-matic multilib autotools pam systemd # Make it more portable between straight releases # and _p? releases. @@ -18,21 +18,21 @@ HPN_PATCHES=( ) SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz" -X509_VER="12.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" +#X509_VER="12.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" PATCH_SET="openssh-7.9p1-patches-1.0" DESCRIPTION="Port of OpenBSD's free SSH release" HOMEPAGE="https://www.openssh.com/" SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz - ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~whissi/dist/openssh/${SCTP_PATCH} )} + ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )} ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )} ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} " LICENSE="BSD GPL-2" SLOT="0" -KEYWORDS="alpha amd64 ~arm arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~riscv s390 ~sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" # Probably want to drop ssl defaulting to on in a future version. IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509 xmss" RESTRICT="!test? ( test )" @@ -68,7 +68,7 @@ LIB_DEPEND=" >=sys-libs/zlib-1.2.3:=[static-libs(+)]" RDEPEND=" !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) - pam? ( virtual/pam ) + pam? ( sys-libs/pam ) kerberos? ( virtual/krb5 )" DEPEND="${RDEPEND} static? ( ${LIB_DEPEND} ) @@ -101,9 +101,9 @@ pkg_pretend() { fi # Make sure people who are using tcp wrappers are notified of its removal. #531156 - if grep -qs '^ *sshd *:' "${EROOT%/}"/etc/hosts.{allow,deny} ; then + if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" - ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please." + ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please." fi } @@ -116,20 +116,21 @@ src_prepare() { sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch - eapply "${FILESDIR}"/${PN}-8.0_p1-GSSAPI-dns.patch #165444 integrated into gsskex + eapply "${FILESDIR}"/${PN}-8.1_p1-GSSAPI-dns.patch #165444 integrated into gsskex eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch - use X509 || eapply "${FILESDIR}"/${PN}-8.0_p1-tests.patch + eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch + eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches local PATCHSET_VERSION_MACROS=() if use X509 ; then - pushd "${WORKDIR}" || die + pushd "${WORKDIR}" &>/dev/null || die eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch" eapply "${FILESDIR}/${P}-X509-dont-make-piddir-"${X509_VER}".patch" - popd || die + popd &>/dev/null || die eapply "${WORKDIR}"/${X509_PATCH%.*} eapply "${FILESDIR}"/${P}-X509-$(ver_cut 1-2 ${X509_VER})-tests.patch @@ -168,8 +169,8 @@ src_prepare() { local hpn_patchdir="${T}/${P}-hpn${HPN_VER}" mkdir "${hpn_patchdir}" cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" - pushd "${hpn_patchdir}" - eapply "${FILESDIR}"/${PN}-8.0_p1-hpn-glue.patch + pushd "${hpn_patchdir}" &>/dev/null || die + eapply "${FILESDIR}"/${PN}-8.1_p1-hpn-glue.patch if use X509; then einfo "Will disable MT AES cipher due to incompatbility caused by X509 patch set" # X509 and AES-CTR-MT don't get along, let's just drop it @@ -177,7 +178,7 @@ src_prepare() { eapply "${FILESDIR}"/${PN}-8.0_p1-hpn-X509-glue.patch fi use sctp && eapply "${FILESDIR}"/${PN}-7.9_p1-hpn-sctp-glue.patch - popd + popd &>/dev/null || die eapply "${hpn_patchdir}" |