commit:     4be0e5dea987af9ee4f74de79fa48ae39b208774
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Sun Apr 23 00:18:00 2017 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sun Apr 23 00:18:23 2017 +0000
URL:        https://gitweb.gentoo.org/proj/musl.git/commit/?id=4be0e5de

net-misc/openssh: needs --without-stackprotect on i686 with gcc-5

 net-misc/openssh/Manifest                          |  24 ++
 .../openssh-6.7_p1-openssl-ignore-status.patch     |  17 +
 .../files/openssh-7.3-mips-seccomp-n32.patch       |  21 ++
 .../openssh/files/openssh-7.3_p1-GSSAPI-dns.patch  | 351 ++++++++++++++++++++
 .../files/openssh-7.3_p1-NEWKEYS_null_deref.patch  |  29 ++
 ...egister-the-KEXINIT-handler-after-receive.patch |  32 ++
 ...ssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch |  34 ++
 .../openssh-7.3_p1-hpn-12-x509-9.2-glue.patch      |  39 +++
 ...ssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch | 245 ++++++++++++++
 .../files/openssh-7.3_p1-hpn-x509-9.2-glue.patch   |  41 +++
 .../files/openssh-7.3_p1-sctp-x509-glue.patch      |  67 ++++
 .../files/openssh-7.3_p1-x509-9.2-warnings.patch   | 109 +++++++
 net-misc/openssh/files/sshd.confd                  |  21 ++
 net-misc/openssh/files/sshd.pam_include.2          |   4 +
 net-misc/openssh/files/sshd.rc6.4                  |  84 +++++
 net-misc/openssh/files/sshd.service                |  11 +
 net-misc/openssh/files/sshd.socket                 |  10 +
 net-misc/openssh/files/sshd_at.service             |   8 +
 net-misc/openssh/metadata.xml                      |  40 +++
 net-misc/openssh/openssh-7.3_p1-r7.ebuild          | 352 +++++++++++++++++++++
 20 files changed, 1539 insertions(+)

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
new file mode 100644
index 0000000..0d77c6c
--- /dev/null
+++ b/net-misc/openssh/Manifest
@@ -0,0 +1,24 @@
+AUX openssh-6.7_p1-openssl-ignore-status.patch 765 SHA256 
b068cc30d4bce5c457cea78233396c9793864ec909f810dd0be87d913673433a SHA512 
ab15d6dfdb8d59946684501f6f30ac0eb82676855b7b57f19f2027a7ada072f9062fcb96911111a50cfc3838492faddd282db381ec83d22462644ccddccf0ae7
 WHIRLPOOL 
c0a4ff69d65eeb40c1ace8d5be6f8e59044a8f16dc6b37e87393e79ab80935abf30a9d2a6babc043aba0477f5f79412e1ae5d373daba580178fd85ca1f60e60b
+AUX openssh-7.3-mips-seccomp-n32.patch 634 SHA256 
a3d63f394e9ea692a5a515983f1ce85d2ba79ea6e6b0fd5659e05a18b753316a SHA512 
eba3e843d3714501a1df3161d02134c54c8ce584db3af698b87d303fc17c16635bd06db4d7c2d9bb47f461c3b211d870b480fd927f4563207e11c9ed2c446770
 WHIRLPOOL 
d1f87fbfd24694617ef1a03a55ba8f32ac6ac8c62541208f754df41bb30065a9f1bba640a645d9ef184aae2f7b35759b84d2564f38f9ab130cc2d282be203f75
+AUX openssh-7.3_p1-GSSAPI-dns.patch 11137 SHA256 
081c1cee62b43aae1d84ee67e3b510f0775081c9901c971a6f60a35bb92046f1 SHA512 
70db76a409d5a11513f57c67671131b95c83164af2ecafa423986def42a1a2a31c4653d06f510b8c440a974e03f0acad8cbe20d5a17cfb2ed4598a9b8ae60b91
 WHIRLPOOL 
bd3f32d7b795d9d5948d1a2d38a3e9fc6380369378988da095e096a54bf8c41209bfa7955c04b68b3966a30ca10fd522778d76a0621d0858639f3e09f075b708
+AUX openssh-7.3_p1-NEWKEYS_null_deref.patch 857 SHA256 
0d612c16c7b1b3b45fbe1c1507c4e80cfe001ab4fd7fbcfc80fb9cecc893d94a SHA512 
2230ddd7473feaa22544eae5c1074981e5ade322a22016f245ec3a6b3bf260104909021497a728fbfaf5dbd6e81269b9b815a3a3de2bf8104f7b3d1bdacbcc06
 WHIRLPOOL 
b927971ec7c07a8d350690280d9766f71ebeb03fc6ffefa2457801abf160ee331ec3bafca02acc3697899d9e2a56ce7b01e68b745cb6f5b491d8b30aea0b9366
+AUX openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch 953 
SHA256 76059e75ba5f5d00c6ac74aa12017e98d1b401efb9f1c6073fa8013e5fc4204a SHA512 
c705b08fa269d21da261cc9fce2ebcc409e252064d789b63ba14685495e46cb472a81fa563a74c80e4bf76e4982fba98ff5329a037f1fa4f28c75b4db18e7691
 WHIRLPOOL 
826f2e520742f65e0e7a2f183917483f4dd96c2fc52360d3307c41cc307eddb434e8205c7665a65eadde2e20a7a4b71020d2925ea59518234da2cbda6afb2b3b
+AUX openssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch 1088 SHA256 
5841cc4a42238202d6fa3ee5fbccacbfad7156eb9d9b361d251f693443a0b672 SHA512 
967da12f9d15e8347d9832a7fc90e378e42a49c6fb63c8ff3a28e66601c9dab64d5d43c8da34aa3fb08466088eb725abebb4efcef95b1aa0ada86cab27584106
 WHIRLPOOL 
50bb4bd2ff23d9aff94fa12755aebd91d0088691fb9899169e3018d91679f014f012d3b2d9c5b87a8c3edcaa2b8a19f9ec49c6803d95731f8020442840d26bbf
+AUX openssh-7.3_p1-hpn-12-x509-9.2-glue.patch 1608 SHA256 
9a85d7cd56be8276e6407fe70ea22554323143d57209e0881f6ec0cc16705765 SHA512 
bbbeca5d683427347e9db8cdaa5c96bfdbae901245e508dec8927110e199798127b7c4df8ef2455c1fec53263d600c7957d5b55e1b78263776a45808b4c0b86a
 WHIRLPOOL 
928a2603737c36a23d76145b0e11108645d13263ad955ad30de5a8ee7a008774cdb63ad144d141f7ed6f16f885ee427a7827ba7397a1cec465db3a32fd0ac215
+AUX openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch 7005 SHA256 
44ae73966a98e0d7cf36f35b64472b62128040c86720a915b6e72ca269b72f13 SHA512 
35cb90a5ebf85b31db902155a8d48a65d2734943cf46e2ac1fcbcb8a19e31d9bf6057ec3c0001a4cb14eac572e5d400087c3218c81df40146731472e406499d8
 WHIRLPOOL 
ba47e8f157ecf448becef9f1c9dfb5bea9f6bd39b461c13cb265a7dc9fde31634a583db3849429ed27129e8c5e797eebe7141c310674126a9a0e2f232c92d8e1
+AUX openssh-7.3_p1-hpn-x509-9.2-glue.patch 1611 SHA256 
7d04d19e62e688c9c12c25fd479933dd2c707f838ac810263dd1dc79a5ff55f1 SHA512 
3604f0f1ea6c74b8418ac158df47910dfb2d54c7ce77f78f1a6c072acd20dc5751e24156acd9dda02aecaac250f43c8d968382f2f4b15b4706e4c4bde8ebde9a
 WHIRLPOOL 
b327a94c5b37da296caaa925bf13adf81ab3a53dffe691b33010b89b07366445613e553b4f486bacab658e2dcec143971001b4158f493e9b7e5bd427f0e072fb
+AUX openssh-7.3_p1-sctp-x509-glue.patch 2447 SHA256 
a6758b9bff99022b1aa1bc729fcdcc8e4e91d0a617c903d72964cc1fca1ea061 SHA512 
f48c2bba7707542741e52f5d794aaafe4468d088e28bc02878c0eb9aa76d31b57dca69b85705f7a9a2d745272df3fdc39a1d13ba337cab34dd0e9d545cee7d41
 WHIRLPOOL 
77e2574065a78a0f7014213f5e5d64651d41f24c7652542589f1106a6a114cf27d9922ef2cddee9e62c0f0f118691d91ebe9dc4a0ae04654843f18bdd20e2cef
+AUX openssh-7.3_p1-x509-9.2-warnings.patch 3060 SHA256 
e7963f4946db01390831ee07a49c3a2291518b06144e95cfc47326c7209fa2e3 SHA512 
f029d6f922e1632b32ac6e7b627378854f78c9d9b828dde37273b1b1a09167273fc6934bcb0653209b9e5ffd06c95d564d1bf5f1ea745993e19b062a4532f1c0
 WHIRLPOOL 
cd4eb68bf861a50e9452c453c903946b8d067fd00171d39c6bad797d20c07631cda2379d9e41246bc93b22252a8d1bd55186e13ba492c7b8cf94048910f3a8a9
+AUX sshd.confd 396 SHA256 
29c6d57ac3ec6018cadc6ba6cd9b90c9ed46e20049b970fdcc68ee2481a2ee41 SHA512 
b9ae816af54a55e134a9307e376f05367b815f1b3fd545c2a2c312d18aedcf907f413e8bad8db980cdd9aad4011a72a79e1e94594f69500939a9cb46287f2f81
 WHIRLPOOL 
69f43e6192e009a4663d130f7e40ee8b13c6eb9cc7d960b5e0e22f5d477649c88806a9d219efef211f4346582c2bb51e40d230a8191e5953dbe08bfff976ae53
+AUX sshd.pam_include.2 156 SHA256 
166136e27d653e0bf481a6ca79fecb7d9fa2fc3d597d041f97df595f65a8193c SHA512 
d3f7e6ca8c9f2b5060ebccb259316bb59c9a7e158e8ef9466765a20db263a4043a590811f1a3ab072b718dbd70898bc69b77e0b19603d7f394b5ac1bd0a4a56c
 WHIRLPOOL 
ba7a0a8c3bb39c5fda69de34b822a19696398e0a8789211ac1faae787ee34f9639eb35efe29c67f874b5f9fe674742503e570f441c005974f4a0c93468b8970b
+AUX sshd.rc6.4 2108 SHA256 
43a483014bf177f9238e54a7b8210d5a76830beb67c18999409e543fd744c9e4 SHA512 
fe58e950514743a72467233ff2f2a63112c50e5db843d61e141a5ca3dd8ef8f42a616cd9de7748ae582054c47c2cc38ce48b638e2d88be39c1387f77e79c83e1
 WHIRLPOOL 
ef30b1e3a118b40617e3c1de6b4ebb360f466e90e18157a08d0ed50a4acb488eb7f6159120525e2b7e85393cd19b062c97188460ea51959467eb6ab52632d064
+AUX sshd.service 242 SHA256 
1351c43fe8287f61255ace9fa20790f770d69296b4dd31b0c583983d4cc59843 SHA512 
77f50c85a2c944995a39819916eb860cfdc1aff90986e93282e669a0de73c287ecb92d550fd118cfcc8ab538eab677e0d103b23cd959b7e8d9801bc37250c39c
 WHIRLPOOL 
0f5c48d709274c526ceee4f26e35dcb00816ffa9d6661acc1e4e462acb38c3c6108b0e87783eff9da1b1868127c5550c57a5a0a9d7270b927ac4b92191876989
+AUX sshd.socket 136 SHA256 
c055abcd10c5d372119cbc3708661ddffccdee7a1de1282559c54d03e2f109d9 SHA512 
4d31d373b7bdae917dc0cf05418c71d4743e98e354aefcf055f88f55c9c644a5a0e0e605dbb8372c1b98d17c0ea1c8c0fee27d38ab8dbe23c7e420a6a78c6d42
 WHIRLPOOL 
102d87b708c31e5994e8005437c78b1aa756c6def4ee9ae2fa9be1438f328fc28c9152a4ff2528941be18f1311594490ecd98b66716ec74e970aa3725a98e2e5
+AUX sshd_at.service 176 SHA256 
332f5ffc30456fe2494095c2aabd1e6e02075ce224e2d49708ac7ccf6d341998 SHA512 
662a9c2668902633e6dbcb9435ac35bec3e224afdb2ab6a1df908618536ae9fc1958ba1d611e146c01fddb0c8f41eefdc26de78f45b7f165b1d6b2ee2f23be2a
 WHIRLPOOL 
aeb32351380dd674ef7a2e7b537f43116c189f7fddb8bdb8b2c109e9f62b0a73cc0f29f2d46270e658ab6409b8d3671ce9e0d0ba7c0d3674c2f85291a73e6df1
+DIST openssh-7.3_p1-hpn-14.10-r1.patch.xz 20584 SHA256 
0bbbfeb1f9f975ad591ed4ec74927172c5299ec1a76210197c14575204efa85d SHA512 
f0a1c84af85f7cfc7cb58b5117b3d0f57fc25ae0dd608e38b48ef42da43780fd5cf243d26ff9b3fbd6f4cb1567852b87bcb75f98791cf3ad1892e8579a7834d3
 WHIRLPOOL 
b1a8bae14c8189745056c15c9ed45207aa06af1f4c598a1af7dc3cc56e47bd0211a63989a920727e20311a148bbcf3202c202eae94cd1512c7d87816a9f44bcb
+DIST openssh-7.3_p1-sctp.patch.xz 9968 SHA256 
18c3db45ed1e5495db29626938d8432aee509e88057494f052cfc09d40824c7f SHA512 
f249b76898af0c6f1f65f2a1cfb422648aa712818d0dc051b85a171f26bdddf7980fff5de7761161aa41c309e528b3801b4234f5cdd9f79f8eef173ae83f1e3c
 WHIRLPOOL 
1d92b969154b77d8ce9e3a6d0302aa17ec95e2d5ea4de72c0fb5680a8ee12f518ee5b1c47f22ad5d1a923a74c43829ed36cf478fe75fe400de967ab48d93dc99
+DIST openssh-7.3p1+x509-9.2.diff.gz 588078 SHA256 
45f054cbb2b77ac8cc7ab01439e34083382137d47b840ca274555b7e2cf7098b SHA512 
fab0da148b0833a651e8a7c36f344aacecef6fa92f8f1cb6302272d98c1ab018831f5850dcaa8f54a39f9ada9b7d5b0a0ea01defc3c6f603bbe211f6bff6a841
 WHIRLPOOL 
53f63d879f563909c57d23ced273e23eda1eace2a2ddfd54edf5f2ef15218cc7e5d927e54714b6850db541f361c459de50d79b0a4516b43ce4cba8eb66b49485
+DIST openssh-7.3p1.tar.gz 1522617 SHA256 
3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc SHA512 
7ba2d6140f38bd359ebf32ef17626e0ae1c00c3a38c01877b7c6b0317d030f10a8f82a0a51fc3b6273619de9ed73e24b8cf107b1e968f927053a3bedf97ff801
 WHIRLPOOL 
f852026638d173d455f74e3fce16673fc4b10f32d954d5bb8c7c65df8d1ca7efd0938177dd9fb6e1f7354383f21c7bca8a2f01e89793e32f8ca68c30456a611c
+DIST openssh-lpk-7.3p1-0.3.14.patch.xz 17800 SHA256 
cf1f60235cb8b0e561cd36cbf9e4f437e16fd748c2616d3f511c128c02deb76c SHA512 
e9a73c5f13e41f6e11c744fdbcdb2e399c394479f79249e901cb3c101efb06f23d51d3ba4869db872184fa034a5910fc93a730fe906266c8d7409e39ad5b1ecd
 WHIRLPOOL 
bbdeadbed8f901148713bd9e4a082a4be2992c3151f995febd8be89bbb85d91185e1f0413b5a94a9340f2f404d18c9cee2aa6e032adaee0306aa1c624f6cc09c
+EBUILD openssh-7.3_p1-r7.ebuild 11539 SHA256 
63fcb03fbc89af04ad3e72490cfd9ceb931699e3337b9e40aee15089bd769b36 SHA512 
50b36971c70d87893374f9cd4176ddd13518d4c1a04e2682a1a7134d1d42f0fd18a69821b4d88010ef93f5432b646367c979ac02aeff66223546c41b18063a84
 WHIRLPOOL 
27c01ef1b50c7efeb452228c14e4b762c3c435dbfb9435bbb0f3b48cb3ea63e1592b5aabcecddb50cfd21b341a776e2df55933254ed27bd0194dfa2945dd604c
+MISC metadata.xml 2212 SHA256 
50f6e3651c8aeb86cfe90d92cef6a2b55640c400584f5fdbb6418cef7ac16f25 SHA512 
958845fbdfb4f1d267fdbc3a005c6338da54c6a0715180a1982416a841ab4865c536de5f10bb8493d07830e182786d0c3f2ac710c9168434b3d077a59ed2ddd5
 WHIRLPOOL 
6d1080bc5c3b10a63836b5286d0d66b925a9d27d35e9855c9f966445458c1d6a752854d019c1740420ea78aef6f60105bef4c771fe61a95aae898034cf100705

diff --git a/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch 
b/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch
new file mode 100644
index 0000000..fa33af3
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch
@@ -0,0 +1,17 @@
+the last nibble of the openssl version represents the status.  that is,
+whether it is a beta or release.  when it comes to version checks in
+openssh, this component does not matter, so ignore it.
+
+https://bugzilla.mindrot.org/show_bug.cgi?id=2212
+
+--- a/openbsd-compat/openssl-compat.c
++++ b/openbsd-compat/openssl-compat.c
+@@ -58,7 +58,7 @@ ssh_compatible_openssl(long headerver, long libver)
+        * For versions >= 1.0.0, major,minor,status must match and library
+        * fix version must be equal to or newer than the header.
+        */
+-      mask = 0xfff0000fL; /* major,minor,status */
++      mask = 0xfff00000L; /* major,minor,status */
+       hfix = (headerver & 0x000ff000) >> 12;
+       lfix = (libver & 0x000ff000) >> 12;
+       if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
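Review bot: The replacement line `mask = 0xfff00000L; /* major,minor,status */` keeps the old comment even though the new mask no longer covers the status nibble, so the comment now contradicts both the code it annotates and the context comment above it, which still says "major,minor,status must match". Suggest `mask = 0xfff00000L; /* major,minor (status nibble deliberately ignored) */` and a matching wording change in the context comment. Because this widens the set of library versions accepted as compatible (a beta or release build of the same major.minor now matches either way), the patch header should say so explicitly rather than only that the component "does not matter". ssh_compatible_openssl continues outside the hunk.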

diff --git a/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch 
b/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch
new file mode 100644
index 0000000..7eaadaf
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch
@@ -0,0 +1,21 @@
+https://bugs.gentoo.org/591392
+https://bugzilla.mindrot.org/show_bug.cgi?id=2590
+
+7.3 added seccomp support to MIPS, but failed to handled the N32
+case.  This patch is temporary until upstream fixes.
+
+--- openssh-7.3p1/configure.ac
++++ openssh-7.3p1/configure.ac
+@@ -816,10 +816,10 @@ main() { if (NSVersionOfRunTimeLibrary("
+               seccomp_audit_arch=AUDIT_ARCH_MIPSEL
+               ;;
+       mips64-*)
+-              seccomp_audit_arch=AUDIT_ARCH_MIPS64
++              seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
+               ;;
+       mips64el-*)
+-              seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
++              seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
+               ;;
+       esac
+       if test "x$seccomp_audit_arch" != "x" ; then
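Review bot: The `mips64-*` and `mips64el-*` cases are switched to the N32 constants unconditionally, so every mips64 triple, including an n64 userland, now gets `AUDIT_ARCH_MIPS64N32` / `AUDIT_ARCH_MIPSEL64N32`; if the seccomp sandbox compares the calling ABI against this value, an n64 sshd would presumably have its first sandboxed syscall rejected outright rather than run with a weaker filter. The header says the patch is temporary, but it should state that it is only correct for an N32 userland and that the ebuild must apply it only on such profiles (the ebuild is not visible in this chunk, so that condition cannot be checked here). Suggested header line: `Only valid for n32 userland; an n64 build must keep AUDIT_ARCH_MIPS64 / AUDIT_ARCH_MIPSEL64.` The configure.ac case statement continues outside the hunk.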

diff --git a/net-misc/openssh/files/openssh-7.3_p1-GSSAPI-dns.patch 
b/net-misc/openssh/files/openssh-7.3_p1-GSSAPI-dns.patch
new file mode 100644
index 0000000..806b36d
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.3_p1-GSSAPI-dns.patch
@@ -0,0 +1,351 @@
+http://bugs.gentoo.org/165444
+https://bugzilla.mindrot.org/show_bug.cgi?id=1008
+
+--- a/readconf.c
++++ b/readconf.c
+@@ -148,6 +148,7 @@
+       oClearAllForwardings, oNoHostAuthenticationForLocalhost,
+       oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
+       oAddressFamily, oGssAuthentication, oGssDelegateCreds,
++      oGssTrustDns,
+       oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
+       oSendEnv, oControlPath, oControlMaster, oControlPersist,
+       oHashKnownHosts,
+@@ -194,9 +195,11 @@
+ #if defined(GSSAPI)
+       { "gssapiauthentication", oGssAuthentication },
+       { "gssapidelegatecredentials", oGssDelegateCreds },
++      { "gssapitrustdns", oGssTrustDns },
+ #else
+       { "gssapiauthentication", oUnsupported },
+       { "gssapidelegatecredentials", oUnsupported },
++      { "gssapitrustdns", oUnsupported },
+ #endif
+       { "fallbacktorsh", oDeprecated },
+       { "usersh", oDeprecated },
+@@ -930,6 +933,10 @@
+               intptr = &options->gss_deleg_creds;
+               goto parse_flag;
+ 
++      case oGssTrustDns:
++              intptr = &options->gss_trust_dns;
++              goto parse_flag;
++
+       case oBatchMode:
+               intptr = &options->batch_mode;
+               goto parse_flag;
+@@ -1649,6 +1656,7 @@
+       options->challenge_response_authentication = -1;
+       options->gss_authentication = -1;
+       options->gss_deleg_creds = -1;
++      options->gss_trust_dns = -1;
+       options->password_authentication = -1;
+       options->kbd_interactive_authentication = -1;
+       options->kbd_interactive_devices = NULL;
+@@ -1779,6 +1787,8 @@
+               options->gss_authentication = 0;
+       if (options->gss_deleg_creds == -1)
+               options->gss_deleg_creds = 0;
++      if (options->gss_trust_dns == -1)
++              options->gss_trust_dns = 0;
+       if (options->password_authentication == -1)
+               options->password_authentication = 1;
+       if (options->kbd_interactive_authentication == -1)
+--- a/readconf.h
++++ b/readconf.h
+@@ -46,6 +46,7 @@
+                                       /* Try S/Key or TIS, authentication. */
+       int     gss_authentication;     /* Try GSS authentication */
+       int     gss_deleg_creds;        /* Delegate GSS credentials */
++      int     gss_trust_dns;          /* Trust DNS for GSS canonicalization */
+       int     password_authentication;        /* Try password
+                                                * authentication. */
+       int     kbd_interactive_authentication; /* Try keyboard-interactive 
auth. */
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -830,6 +830,16 @@
+ Forward (delegate) credentials to the server.
+ The default is
+ .Dq no .
++Note that this option applies to protocol version 2 connections using GSSAPI.
++.It Cm GSSAPITrustDns
++Set to
++.Dq yes to indicate that the DNS is trusted to securely canonicalize
++the name of the host being connected to. If
++.Dq no, the hostname entered on the
++command line will be passed untouched to the GSSAPI library.
++The default is
++.Dq no .
++This option only applies to protocol version 2 connections using GSSAPI.
+ .It Cm HashKnownHosts
+ Indicates that
+ .Xr ssh 1
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -656,6 +656,13 @@
+       static u_int mech = 0;
+       OM_uint32 min;
+       int ok = 0;
++      const char *gss_host;
++
++      if (options.gss_trust_dns) {
++              extern const char *auth_get_canonical_hostname(struct ssh *ssh, 
int use_dns);
++              gss_host = auth_get_canonical_hostname(active_state, 1);
++      } else
++              gss_host = authctxt->host;
+ 
+       /* Try one GSSAPI method at a time, rather than sending them all at
+        * once. */
+@@ -668,7 +674,7 @@
+               /* My DER encoding requires length<128 */
+               if (gss_supported->elements[mech].length < 128 &&
+                   ssh_gssapi_check_mechanism(&gssctxt, 
+-                  &gss_supported->elements[mech], authctxt->host)) {
++                  &gss_supported->elements[mech], gss_host)) {
+                       ok = 1; /* Mechanism works */
+               } else {
+                       mech++;
+
+need to move these two funcs back to canohost so they're available to clients
+and the server.  auth.c is only used in the server.
+
+--- a/auth.c
++++ b/auth.c
+@@ -784,117 +784,3 @@ fakepw(void)
+ 
+       return (&fake);
+ }
+-
+-/*
+- * Returns the remote DNS hostname as a string. The returned string must not
+- * be freed. NB. this will usually trigger a DNS query the first time it is
+- * called.
+- * This function does additional checks on the hostname to mitigate some
+- * attacks on legacy rhosts-style authentication.
+- * XXX is RhostsRSAAuthentication vulnerable to these?
+- * XXX Can we remove these checks? (or if not, remove 
RhostsRSAAuthentication?)
+- */
+-
+-static char *
+-remote_hostname(struct ssh *ssh)
+-{
+-      struct sockaddr_storage from;
+-      socklen_t fromlen;
+-      struct addrinfo hints, *ai, *aitop;
+-      char name[NI_MAXHOST], ntop2[NI_MAXHOST];
+-      const char *ntop = ssh_remote_ipaddr(ssh);
+-
+-      /* Get IP address of client. */
+-      fromlen = sizeof(from);
+-      memset(&from, 0, sizeof(from));
+-      if (getpeername(ssh_packet_get_connection_in(ssh),
+-          (struct sockaddr *)&from, &fromlen) < 0) {
+-              debug("getpeername failed: %.100s", strerror(errno));
+-              return strdup(ntop);
+-      }
+-
+-      ipv64_normalise_mapped(&from, &fromlen);
+-      if (from.ss_family == AF_INET6)
+-              fromlen = sizeof(struct sockaddr_in6);
+-
+-      debug3("Trying to reverse map address %.100s.", ntop);
+-      /* Map the IP address to a host name. */
+-      if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
+-          NULL, 0, NI_NAMEREQD) != 0) {
+-              /* Host name not found.  Use ip address. */
+-              return strdup(ntop);
+-      }
+-
+-      /*
+-       * if reverse lookup result looks like a numeric hostname,
+-       * someone is trying to trick us by PTR record like following:
+-       *      1.1.1.10.in-addr.arpa.  IN PTR  2.3.4.5
+-       */
+-      memset(&hints, 0, sizeof(hints));
+-      hints.ai_socktype = SOCK_DGRAM; /*dummy*/
+-      hints.ai_flags = AI_NUMERICHOST;
+-      if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
+-              logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
+-                  name, ntop);
+-              freeaddrinfo(ai);
+-              return strdup(ntop);
+-      }
+-
+-      /* Names are stored in lowercase. */
+-      lowercase(name);
+-
+-      /*
+-       * Map it back to an IP address and check that the given
+-       * address actually is an address of this host.  This is
+-       * necessary because anyone with access to a name server can
+-       * define arbitrary names for an IP address. Mapping from
+-       * name to IP address can be trusted better (but can still be
+-       * fooled if the intruder has access to the name server of
+-       * the domain).
+-       */
+-      memset(&hints, 0, sizeof(hints));
+-      hints.ai_family = from.ss_family;
+-      hints.ai_socktype = SOCK_STREAM;
+-      if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
+-              logit("reverse mapping checking getaddrinfo for %.700s "
+-                  "[%s] failed.", name, ntop);
+-              return strdup(ntop);
+-      }
+-      /* Look for the address from the list of addresses. */
+-      for (ai = aitop; ai; ai = ai->ai_next) {
+-              if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
+-                  sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
+-                  (strcmp(ntop, ntop2) == 0))
+-                              break;
+-      }
+-      freeaddrinfo(aitop);
+-      /* If we reached the end of the list, the address was not there. */
+-      if (ai == NULL) {
+-              /* Address not found for the host name. */
+-              logit("Address %.100s maps to %.600s, but this does not "
+-                  "map back to the address.", ntop, name);
+-              return strdup(ntop);
+-      }
+-      return strdup(name);
+-}
+-
+-/*
+- * Return the canonical name of the host in the other side of the current
+- * connection.  The host name is cached, so it is efficient to call this
+- * several times.
+- */
+-
+-const char *
+-auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
+-{
+-      static char *dnsname;
+-
+-      if (!use_dns)
+-              return ssh_remote_ipaddr(ssh);
+-      else if (dnsname != NULL)
+-              return dnsname;
+-      else {
+-              dnsname = remote_hostname(ssh);
+-              return dnsname;
+-      }
+-}
+--- a/canohost.c
++++ b/canohost.c
+@@ -202,3 +202,117 @@ get_local_port(int sock)
+ {
+       return get_sock_port(sock, 1);
+ }
++
++/*
++ * Returns the remote DNS hostname as a string. The returned string must not
++ * be freed. NB. this will usually trigger a DNS query the first time it is
++ * called.
++ * This function does additional checks on the hostname to mitigate some
++ * attacks on legacy rhosts-style authentication.
++ * XXX is RhostsRSAAuthentication vulnerable to these?
++ * XXX Can we remove these checks? (or if not, remove 
RhostsRSAAuthentication?)
++ */
++
++static char *
++remote_hostname(struct ssh *ssh)
++{
++      struct sockaddr_storage from;
++      socklen_t fromlen;
++      struct addrinfo hints, *ai, *aitop;
++      char name[NI_MAXHOST], ntop2[NI_MAXHOST];
++      const char *ntop = ssh_remote_ipaddr(ssh);
++
++      /* Get IP address of client. */
++      fromlen = sizeof(from);
++      memset(&from, 0, sizeof(from));
++      if (getpeername(ssh_packet_get_connection_in(ssh),
++          (struct sockaddr *)&from, &fromlen) < 0) {
++              debug("getpeername failed: %.100s", strerror(errno));
++              return strdup(ntop);
++      }
++
++      ipv64_normalise_mapped(&from, &fromlen);
++      if (from.ss_family == AF_INET6)
++              fromlen = sizeof(struct sockaddr_in6);
++
++      debug3("Trying to reverse map address %.100s.", ntop);
++      /* Map the IP address to a host name. */
++      if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
++          NULL, 0, NI_NAMEREQD) != 0) {
++              /* Host name not found.  Use ip address. */
++              return strdup(ntop);
++      }
++
++      /*
++       * if reverse lookup result looks like a numeric hostname,
++       * someone is trying to trick us by PTR record like following:
++       *      1.1.1.10.in-addr.arpa.  IN PTR  2.3.4.5
++       */
++      memset(&hints, 0, sizeof(hints));
++      hints.ai_socktype = SOCK_DGRAM; /*dummy*/
++      hints.ai_flags = AI_NUMERICHOST;
++      if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
++              logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
++                  name, ntop);
++              freeaddrinfo(ai);
++              return strdup(ntop);
++      }
++
++      /* Names are stored in lowercase. */
++      lowercase(name);
++
++      /*
++       * Map it back to an IP address and check that the given
++       * address actually is an address of this host.  This is
++       * necessary because anyone with access to a name server can
++       * define arbitrary names for an IP address. Mapping from
++       * name to IP address can be trusted better (but can still be
++       * fooled if the intruder has access to the name server of
++       * the domain).
++       */
++      memset(&hints, 0, sizeof(hints));
++      hints.ai_family = from.ss_family;
++      hints.ai_socktype = SOCK_STREAM;
++      if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
++              logit("reverse mapping checking getaddrinfo for %.700s "
++                  "[%s] failed.", name, ntop);
++              return strdup(ntop);
++      }
++      /* Look for the address from the list of addresses. */
++      for (ai = aitop; ai; ai = ai->ai_next) {
++              if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
++                  sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
++                  (strcmp(ntop, ntop2) == 0))
++                              break;
++      }
++      freeaddrinfo(aitop);
++      /* If we reached the end of the list, the address was not there. */
++      if (ai == NULL) {
++              /* Address not found for the host name. */
++              logit("Address %.100s maps to %.600s, but this does not "
++                  "map back to the address.", ntop, name);
++              return strdup(ntop);
++      }
++      return strdup(name);
++}
++
++/*
++ * Return the canonical name of the host in the other side of the current
++ * connection.  The host name is cached, so it is efficient to call this
++ * several times.
++ */
++
++const char *
++auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
++{
++      static char *dnsname;
++
++      if (!use_dns)
++              return ssh_remote_ipaddr(ssh);
++      else if (dnsname != NULL)
++              return dnsname;
++      else {
++              dnsname = remote_hostname(ssh);
++              return dnsname;
++      }
++}
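Review bot: The `gss_trust_dns` path in sshconnect2.c, `gss_host = auth_get_canonical_hostname(active_state, 1);`, cannot fail: every error path in the moved `remote_hostname` (getpeername failure, no PTR record, a numeric-looking PTR, a failed forward lookup, or a forward result that does not contain the peer address) returns `strdup(ntop)`, the numeric peer address, so on a DNS failure or a rejected PTR the client silently requests a GSSAPI service principal named after the IP literal instead of reporting that canonicalisation was not possible. The ssh_config.5 text added here only says DNS is "trusted to securely canonicalize"; it should also document that fallback, e.g. `If the reverse lookup fails or cannot be confirmed by a forward lookup, the numeric address of the peer is used instead.` The function-scope `extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);` in sshconnect2.c belongs in canohost.h next to the moved definition so that a later signature change is caught by the compiler rather than at link time. Note also that `auth_get_canonical_hostname` caches the first answer in a `static char *dnsname` for the life of the process, which is worth a one-line comment at the new call site.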

diff --git a/net-misc/openssh/files/openssh-7.3_p1-NEWKEYS_null_deref.patch 
b/net-misc/openssh/files/openssh-7.3_p1-NEWKEYS_null_deref.patch
new file mode 100644
index 0000000..784cd2a
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.3_p1-NEWKEYS_null_deref.patch
@@ -0,0 +1,29 @@
+https://bugs.gentoo.org/595342
+
+Backport of
+https://anongit.mindrot.org/openssh.git/patch/?id=28652bca29046f62c7045e933e6b931de1d16737
+
+--- openssh-7.3p1/kex.c
++++ openssh-7.3p1/kex.c
+@@ -419,6 +419,8 @@
+       ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
+       if ((r = sshpkt_get_end(ssh)) != 0)
+               return r;
++      if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
++              return r;
+       kex->done = 1;
+       sshbuf_reset(kex->peer);
+       /* sshbuf_reset(kex->my); */
+--- openssh-7.3p1/packet.c
++++ openssh-7.3p1/packet.c
+@@ -1919,9 +1919,7 @@
+                       return r;
+               return SSH_ERR_PROTOCOL_ERROR;
+       }
+-      if (*typep == SSH2_MSG_NEWKEYS)
+-              r = ssh_set_newkeys(ssh, MODE_IN);
+-      else if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
++      if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
+               r = ssh_packet_enable_delayed_compress(ssh);
+       else
+               r = 0;

diff --git 
a/net-misc/openssh/files/openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch
 
b/net-misc/openssh/files/openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch
new file mode 100644
index 0000000..8603601
--- /dev/null
+++ 
b/net-misc/openssh/files/openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch
@@ -0,0 +1,32 @@
+https://bugs.gentoo.org/597360
+
+From ec165c392ca54317dbe3064a8c200de6531e89ad Mon Sep 17 00:00:00 2001
+From: "[email protected]" <[email protected]>
+Date: Mon, 10 Oct 2016 19:28:48 +0000
+Subject: [PATCH] upstream commit
+
+Unregister the KEXINIT handler after message has been
+received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause
+allocation of up to 128MB -- until the connection is closed. Reported by
+shilei-c at 360.cn
+
+Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05
+---
+ kex.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/kex.c b/kex.c
+index 3f97f8c00919..6a94bc535bd7 100644
+--- a/kex.c
++++ b/kex.c
+@@ -481,6 +481,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
+       if (kex == NULL)
+               return SSH_ERR_INVALID_ARGUMENT;
+ 
++      ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
+       ptr = sshpkt_ptr(ssh, &dlen);
+       if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
+               return r;
+-- 
+2.11.0.rc2
+

diff --git 
a/net-misc/openssh/files/openssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch 
b/net-misc/openssh/files/openssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch
new file mode 100644
index 0000000..7fb0d80
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch
@@ -0,0 +1,34 @@
+https://bugs.gentoo.org/592122
+
+From e600348a7afd6325cc5cd783cb424065cbc20434 Mon Sep 17 00:00:00 2001
+From: "[email protected]" <[email protected]>
+Date: Wed, 3 Aug 2016 04:23:55 +0000
+Subject: [PATCH] upstream commit
+
+Fix bug introduced in rev 1.467 which causes
+"buffer_get_bignum_ret: incomplete message" errors when built with WITH_SSH1
+and run such that no Protocol 1 ephemeral host key is generated (eg "Protocol
+2", no SSH1 host key supplied).  Reported by rainer.laatsch at t-online.de,
+ok deraadt@
+
+Upstream-ID: aa6b132da5c325523aed7989cc5a320497c919dc
+---
+ sshd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sshd.c b/sshd.c
+index 799c7711f49c..9fc829a91bc8 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -1071,7 +1071,7 @@ send_rexec_state(int fd, struct sshbuf *conf)
+                       fatal("%s: buffer error: %s", __func__, ssh_err(r));
+       } else
+ #endif
+-              if ((r = sshbuf_put_u32(m, 1)) != 0)
++              if ((r = sshbuf_put_u32(m, 0)) != 0)
+                       fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ 
+ #if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY)
+-- 
+2.11.0.rc2
+

diff --git a/net-misc/openssh/files/openssh-7.3_p1-hpn-12-x509-9.2-glue.patch 
b/net-misc/openssh/files/openssh-7.3_p1-hpn-12-x509-9.2-glue.patch
new file mode 100644
index 0000000..0602307
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.3_p1-hpn-12-x509-9.2-glue.patch
@@ -0,0 +1,39 @@
+--- a/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch
++++ b/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch
+@@ -1155,7 +1155,7 @@
+ @@ -44,7 +44,7 @@
+  LD=@LD@
+  CFLAGS=@CFLAGS@
+- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
++ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
+ -LIBS=@LIBS@
+ +LIBS=@LIBS@ -lpthread
+  K5LIBS=@K5LIBS@
+--- a/0004-support-dynamically-sized-receive-buffers.patch
++++ b/0004-support-dynamically-sized-receive-buffers.patch
+@@ -2144,9 +2144,9 @@
+ @@ -527,10 +555,10 @@ send_client_banner(int connection_out, int minor1)
+       /* Send our own protocol version identification. */
+       if (compat20) {
+-              xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
+--                 PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
+-+                 PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
++              xasprintf(&client_version_string, "SSH-%d.%d-%.100s 
PKIX[%s]\r\n",
++-                 PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509);
+++                 PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, SSH_X509);
+       } else {
+               xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
+ -                 PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
+@@ -2163,9 +2163,9 @@
+ @@ -432,7 +432,7 @@
+       }
+  
+-      xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
+--         major, minor, SSH_VERSION,
+-+         major, minor, SSH_RELEASE,
++      xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
++-         major, minor, SSH_VERSION, comment,
+++         major, minor, SSH_RELEASE, comment,
+           *options.version_addendum == '\0' ? "" : " ",
+           options.version_addendum, newline);
+  

diff --git 
a/net-misc/openssh/files/openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch 
b/net-misc/openssh/files/openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch
new file mode 100644
index 0000000..9cc7b61
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch
@@ -0,0 +1,245 @@
+diff --git a/cipher-ctr-mt.c b/cipher-ctr-mt.c
+index fdc9b2f..300cd90 100644
+--- a/cipher-ctr-mt.c
++++ b/cipher-ctr-mt.c
+@@ -127,7 +127,7 @@ struct kq {
+       u_char          keys[KQLEN][AES_BLOCK_SIZE];
+       u_char          ctr[AES_BLOCK_SIZE];
+       u_char          pad0[CACHELINE_LEN];
+-      volatile int    qstate;
++      int             qstate;
+       pthread_mutex_t lock;
+       pthread_cond_t  cond;
+       u_char          pad1[CACHELINE_LEN];
+@@ -141,6 +141,11 @@ struct ssh_aes_ctr_ctx
+       STATS_STRUCT(stats);
+       u_char          aes_counter[AES_BLOCK_SIZE];
+       pthread_t       tid[CIPHER_THREADS];
++      pthread_rwlock_t tid_lock;
++#ifdef __APPLE__
++      pthread_rwlock_t stop_lock;
++      int             exit_flag;
++#endif /* __APPLE__ */
+       int             state;
+       int             qidx;
+       int             ridx;
+@@ -187,6 +192,57 @@ thread_loop_cleanup(void *x)
+       pthread_mutex_unlock((pthread_mutex_t *)x);
+ }
+ 
++#ifdef __APPLE__
++/* Check if we should exit, we are doing both cancel and exit condition
++ * since on OSX threads seem to occasionally fail to notice when they have
++ * been cancelled. We want to have a backup to make sure that we won't hang
++ * when the main process join()-s the cancelled thread.
++ */
++static void
++thread_loop_check_exit(struct ssh_aes_ctr_ctx *c)
++{
++      int exit_flag;
++
++      pthread_rwlock_rdlock(&c->stop_lock);
++      exit_flag = c->exit_flag;
++      pthread_rwlock_unlock(&c->stop_lock);
++
++      if (exit_flag)
++              pthread_exit(NULL);
++}
++#else
++# define thread_loop_check_exit(s)
++#endif /* __APPLE__ */
++
++/*
++ * Helper function to terminate the helper threads
++ */
++static void
++stop_and_join_pregen_threads(struct ssh_aes_ctr_ctx *c)
++{
++      int i;
++
++#ifdef __APPLE__
++      /* notify threads that they should exit */
++      pthread_rwlock_wrlock(&c->stop_lock);
++      c->exit_flag = TRUE;
++      pthread_rwlock_unlock(&c->stop_lock);
++#endif /* __APPLE__ */
++
++      /* Cancel pregen threads */
++      for (i = 0; i < CIPHER_THREADS; i++) {
++              pthread_cancel(c->tid[i]);
++      }
++      for (i = 0; i < NUMKQ; i++) {
++              pthread_mutex_lock(&c->q[i].lock);
++              pthread_cond_broadcast(&c->q[i].cond);
++              pthread_mutex_unlock(&c->q[i].lock);
++      }
++      for (i = 0; i < CIPHER_THREADS; i++) {
++              pthread_join(c->tid[i], NULL);
++      }
++}
++
+ /*
+  * The life of a pregen thread:
+  *    Find empty keystream queues and fill them using their counter.
+@@ -201,6 +257,7 @@ thread_loop(void *x)
+       struct kq *q;
+       int i;
+       int qidx;
++      pthread_t first_tid;
+ 
+       /* Threads stats on cancellation */
+       STATS_INIT(stats);
+@@ -211,11 +268,15 @@ thread_loop(void *x)
+       /* Thread local copy of AES key */
+       memcpy(&key, &c->aes_ctx, sizeof(key));
+ 
++      pthread_rwlock_rdlock(&c->tid_lock);
++      first_tid = c->tid[0];
++      pthread_rwlock_unlock(&c->tid_lock);
++
+       /*
+        * Handle the special case of startup, one thread must fill
+        * the first KQ then mark it as draining. Lock held throughout.
+        */
+-      if (pthread_equal(pthread_self(), c->tid[0])) {
++      if (pthread_equal(pthread_self(), first_tid)) {
+               q = &c->q[0];
+               pthread_mutex_lock(&q->lock);
+               if (q->qstate == KQINIT) {
+@@ -245,12 +306,16 @@ thread_loop(void *x)
+               /* Check if I was cancelled, also checked in cond_wait */
+               pthread_testcancel();
+ 
++              /* Check if we should exit as well */
++              thread_loop_check_exit(c);
++
+               /* Lock queue and block if its draining */
+               q = &c->q[qidx];
+               pthread_mutex_lock(&q->lock);
+               pthread_cleanup_push(thread_loop_cleanup, &q->lock);
+               while (q->qstate == KQDRAINING || q->qstate == KQINIT) {
+                       STATS_WAIT(stats);
++                      thread_loop_check_exit(c);
+                       pthread_cond_wait(&q->cond, &q->lock);
+               }
+               pthread_cleanup_pop(0);
+@@ -268,6 +333,7 @@ thread_loop(void *x)
+                * can see that it's being filled.
+                */
+               q->qstate = KQFILLING;
++              pthread_cond_broadcast(&q->cond);
+               pthread_mutex_unlock(&q->lock);
+               for (i = 0; i < KQLEN; i++) {
+                       AES_encrypt(q->ctr, q->keys[i], &key);
+@@ -279,7 +345,7 @@ thread_loop(void *x)
+               ssh_ctr_add(q->ctr, KQLEN * (NUMKQ - 1), AES_BLOCK_SIZE);
+               q->qstate = KQFULL;
+               STATS_FILL(stats);
+-              pthread_cond_signal(&q->cond);
++              pthread_cond_broadcast(&q->cond);
+               pthread_mutex_unlock(&q->lock);
+       }
+ 
+@@ -371,6 +437,7 @@ ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const 
u_char *src,
+                               pthread_cond_wait(&q->cond, &q->lock);
+                       }
+                       q->qstate = KQDRAINING;
++                      pthread_cond_broadcast(&q->cond);
+                       pthread_mutex_unlock(&q->lock);
+ 
+                       /* Mark consumed queue empty and signal producers */
+@@ -397,6 +464,11 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, 
const u_char *iv,
+ 
+       if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
+               c = xmalloc(sizeof(*c));
++              pthread_rwlock_init(&c->tid_lock, NULL);
++#ifdef __APPLE__
++              pthread_rwlock_init(&c->stop_lock, NULL);
++              c->exit_flag = FALSE;
++#endif /* __APPLE__ */
+ 
+               c->state = HAVE_NONE;
+               for (i = 0; i < NUMKQ; i++) {
+@@ -409,11 +481,14 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, 
const u_char *iv,
+       }
+ 
+       if (c->state == (HAVE_KEY | HAVE_IV)) {
+-              /* Cancel pregen threads */
+-              for (i = 0; i < CIPHER_THREADS; i++)
+-                      pthread_cancel(c->tid[i]);
+-              for (i = 0; i < CIPHER_THREADS; i++)
+-                      pthread_join(c->tid[i], NULL);
++              /* tell the pregen threads to exit */
++              stop_and_join_pregen_threads(c);
++
++#ifdef __APPLE__
++              /* reset the exit flag */
++              c->exit_flag = FALSE;
++#endif /* __APPLE__ */
++
+               /* Start over getting key & iv */
+               c->state = HAVE_NONE;
+       }
+@@ -444,10 +519,12 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, 
const u_char *iv,
+               /* Start threads */
+               for (i = 0; i < CIPHER_THREADS; i++) {
+                       debug("spawned a thread");
++                      pthread_rwlock_wrlock(&c->tid_lock);
+                       pthread_create(&c->tid[i], NULL, thread_loop, c);
++                      pthread_rwlock_unlock(&c->tid_lock);
+               }
+               pthread_mutex_lock(&c->q[0].lock);
+-              while (c->q[0].qstate != KQDRAINING)
++              while (c->q[0].qstate == KQINIT)
+                       pthread_cond_wait(&c->q[0].cond, &c->q[0].lock);
+               pthread_mutex_unlock(&c->q[0].lock);
+       }
+@@ -461,15 +538,10 @@ void
+ ssh_aes_ctr_thread_destroy(EVP_CIPHER_CTX *ctx)
+ {
+       struct ssh_aes_ctr_ctx *c;
+-      int i;
++
+       c = EVP_CIPHER_CTX_get_app_data(ctx);
+-      /* destroy threads */
+-      for (i = 0; i < CIPHER_THREADS; i++) {
+-              pthread_cancel(c->tid[i]);
+-      }
+-      for (i = 0; i < CIPHER_THREADS; i++) {
+-              pthread_join(c->tid[i], NULL);
+-      }
++
++      stop_and_join_pregen_threads(c);
+ }
+ 
+ void
+@@ -481,7 +553,9 @@ ssh_aes_ctr_thread_reconstruction(EVP_CIPHER_CTX *ctx)
+       /* reconstruct threads */
+       for (i = 0; i < CIPHER_THREADS; i++) {
+               debug("spawned a thread");
++              pthread_rwlock_wrlock(&c->tid_lock);
+               pthread_create(&c->tid[i], NULL, thread_loop, c);
++              pthread_rwlock_unlock(&c->tid_lock);
+       }
+ }
+ 
+@@ -489,18 +563,13 @@ static int
+ ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx)
+ {
+       struct ssh_aes_ctr_ctx *c;
+-      int i;
+ 
+       if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
+ #ifdef CIPHER_THREAD_STATS
+               debug("main thread: %u drains, %u waits", c->stats.drains,
+                               c->stats.waits);
+ #endif
+-              /* Cancel pregen threads */
+-              for (i = 0; i < CIPHER_THREADS; i++)
+-                      pthread_cancel(c->tid[i]);
+-              for (i = 0; i < CIPHER_THREADS; i++)
+-                      pthread_join(c->tid[i], NULL);
++              stop_and_join_pregen_threads(c);
+ 
+               memset(c, 0, sizeof(*c));
+               free(c);

diff --git a/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-9.2-glue.patch 
b/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-9.2-glue.patch
new file mode 100644
index 0000000..f077c05
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-9.2-glue.patch
@@ -0,0 +1,41 @@
+--- a/openssh-7.3_p1-hpn-14.10-r1.patch        2016-09-19 15:00:21.561121417 
-0700
++++ b/openssh-7.3_p1-hpn-14.10-r1.patch        2016-09-19 15:22:51.337118439 
-0700
+@@ -1155,7 +1155,7 @@
+ @@ -44,7 +44,7 @@
+  LD=@LD@
+  CFLAGS=@CFLAGS@
+- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
++ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
+ -LIBS=@LIBS@
+ +LIBS=@LIBS@ -lpthread
+  K5LIBS=@K5LIBS@
+@@ -2144,12 +2144,12 @@
+       /* Bind the socket to an alternative local IP address */
+       if (options.bind_address == NULL && !privileged)
+               return sock;
+-@@ -527,10 +555,10 @@
++@@ -555,10 +583,10 @@
+       /* Send our own protocol version identification. */
+       if (compat20) {
+-              xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
+--                 PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
+-+                 PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
++              xasprintf(&client_version_string, "SSH-%d.%d-%.100s 
PKIX[%s]\r\n",
++-                 PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509);
+++                 PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, SSH_X509);
+       } else {
+               xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
+ -                 PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
+@@ -2163,9 +2163,9 @@
+ @@ -432,7 +432,7 @@
+       }
+  
+-      xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
+--         major, minor, SSH_VERSION,
+-+         major, minor, SSH_RELEASE,
++      xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
++-         major, minor, SSH_VERSION, comment,
+++         major, minor, SSH_RELEASE, comment,
+           *options.version_addendum == '\0' ? "" : " ",
+           options.version_addendum, newline);
+  

diff --git a/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch 
b/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch
new file mode 100644
index 0000000..2def699
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch
@@ -0,0 +1,67 @@
+--- a/openssh-7.3_p1-sctp.patch        2016-08-03 13:10:15.733228732 -0700
++++ b/openssh-7.3_p1-sctp.patch        2016-08-03 13:25:53.274630002 -0700
+@@ -226,14 +226,6 @@
+  .Op Fl c Ar cipher
+  .Op Fl F Ar ssh_config
+  .Op Fl i Ar identity_file
+-@@ -183,6 +183,7 @@ For full details of the options listed below, and their 
possible values, see
+- .It ServerAliveCountMax
+- .It StrictHostKeyChecking
+- .It TCPKeepAlive
+-+.It Transport
+- .It UpdateHostKeys
+- .It UsePrivilegedPort
+- .It User
+ @@ -224,6 +225,8 @@ and
+  to print debugging messages about their progress.
+  This is helpful in
+@@ -493,19 +485,11 @@
+  .Sh SYNOPSIS
+  .Nm ssh
+  .Bk -words
+--.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy
+-+.Op Fl 1246AaCfGgKkMNnqsTtVvXxYyz
++-.Op Fl 1246AaCdfgKkMNnqsTtVvXxYy
+++.Op Fl 1246AaCdfgKkMNnqsTtVvXxYyz
+  .Op Fl b Ar bind_address
+  .Op Fl c Ar cipher_spec
+  .Op Fl D Oo Ar bind_address : Oc Ns Ar port
+-@@ -558,6 +558,7 @@ For full details of the options listed below, and their 
possible values, see
+- .It StreamLocalBindUnlink
+- .It StrictHostKeyChecking
+- .It TCPKeepAlive
+-+.It Transport
+- .It Tunnel
+- .It TunnelDevice
+- .It UpdateHostKeys
+ @@ -795,6 +796,8 @@ controls.
+  .Pp
+  .It Fl y
+@@ -533,18 +517,18 @@
+  usage(void)
+  {
+       fprintf(stderr,
+--"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c 
cipher_spec]\n"
+-+"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c 
cipher_spec]\n"
++-"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy] [-b bind_address] [-c 
cipher_spec]\n"
+++"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c 
cipher_spec]\n"
+  "           [-D [bind_address:]port] [-E log_file] [-e escape_char]\n"
+- "           [-F configfile] [-I pkcs11] [-i identity_file]\n"
+- "           [-J [user@]host[:port]] [-L address] [-l login_name] [-m 
mac_spec]\n"
++ "           [-F configfile]\n"
++ #ifdef USE_OPENSSL_ENGINE
+ @@ -608,7 +613,7 @@ main(int ac, char **av)
+-      argv0 = av[0];
++ #  define ENGCONFIG ""
++ #endif
+  
+-  again:
+--     while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
+-+     while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT
+-          "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
++-     while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx"
+++     while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" SCTP_OPT
++          "ACD:E:F:" ENGCONFIG "I:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
+               switch (opt) {
+               case '1':
+ @@ -857,6 +862,11 @@ main(int ac, char **av)

diff --git a/net-misc/openssh/files/openssh-7.3_p1-x509-9.2-warnings.patch 
b/net-misc/openssh/files/openssh-7.3_p1-x509-9.2-warnings.patch
new file mode 100644
index 0000000..528dc6f
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.3_p1-x509-9.2-warnings.patch
@@ -0,0 +1,109 @@
+diff --git a/kex.c b/kex.c
+index 143227a..c9b84c2 100644
+--- a/kex.c
++++ b/kex.c
+@@ -345,9 +345,9 @@ kex_reset_dispatch(struct ssh *ssh)
+ static int
+ kex_send_ext_info(struct ssh *ssh)
+ {
++#ifdef EXPERIMENTAL_RSA_SHA2_256
+       int r;
+ 
+-#ifdef EXPERIMENTAL_RSA_SHA2_256
+ /* IMPORTANT NOTE:
+  * Do not offer rsa-sha2-* until is resolved misconfiguration issue
+  * with allowed public key algorithms!
+diff --git a/key-eng.c b/key-eng.c
+index 9bc50fd..bc0d03d 100644
+--- a/key-eng.c
++++ b/key-eng.c
+@@ -786,7 +786,6 @@ ssh_engines_shutdown() {
+       while (buffer_len(&eng_list) > 0) {
+               u_int   k = 0;
+               char    *s;
+-              ENGINE  *e;
+ 
+               s = buffer_get_cstring_ret(&eng_list, &k);
+               ssh_engine_reset(s);
+diff --git a/monitor.c b/monitor.c
+index 345d3df..0de30ad 100644
+--- a/monitor.c
++++ b/monitor.c
+@@ -707,7 +707,7 @@ mm_answer_sign(int sock, Buffer *m)
+           (r = sshbuf_get_string(m, &p, &datlen)) != 0 ||
+           (r = sshbuf_get_cstring(m, &alg, &alglen)) != 0)
+               fatal("%s: buffer error: %s", __func__, ssh_err(r));
+-      if (keyid > INT_MAX)
++      if (keyid32 > INT_MAX)
+               fatal("%s: invalid key ID", __func__);
+ 
+       keyid = keyid32; /*save cast*/
+diff --git a/readconf.c b/readconf.c
+index beb38a0..1cbda7e 100644
+--- a/readconf.c
++++ b/readconf.c
+@@ -1459,7 +1459,9 @@ parse_int:
+ 
+       case oHostKeyAlgorithms:
+               charptr = &options->hostkeyalgorithms;
++# if 0
+ parse_keytypes:
++# endif
+               arg = strdelim(&s);
+               if (!arg || *arg == '\0')
+                       fatal("%.200s line %d: Missing argument.",
+diff --git a/servconf.c b/servconf.c
+index a540138..e77a344 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -1574,7 +1573,9 @@ parse_string:
+ 
+       case sHostKeyAlgorithms:
+               charptr = &options->hostkeyalgorithms;
++# if 0
+  parse_keytypes:
++#endif
+               arg = strdelim(&cp);
+               if (!arg || *arg == '\0')
+                       fatal("%s line %d: Missing argument.",
+diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
+index 50f04b7..3f9a7bf 100644
+--- a/ssh-pkcs11.c
++++ b/ssh-pkcs11.c
+@@ -273,21 +273,18 @@ pkcs11_dsa_finish(DSA *dsa)
+ }
+ 
+ #ifdef OPENSSL_HAS_ECC
++#ifdef HAVE_EC_KEY_METHOD_NEW
+ /* openssl callback for freeing an EC key */
+ static void
+ pkcs11_ec_finish(EC_KEY *ec)
+ {
+       struct pkcs11_key       *k11;
+ 
+-#ifdef HAVE_EC_KEY_METHOD_NEW
+       k11 = EC_KEY_get_ex_data(ec, ssh_pkcs11_ec_ctx_index);
+       EC_KEY_set_ex_data(ec, ssh_pkcs11_ec_ctx_index, NULL);
+-#else
+-      k11 = ECDSA_get_ex_data(ec, ssh_pkcs11_ec_ctx_index);
+-      ECDSA_set_ex_data(ec, ssh_pkcs11_ec_ctx_index, NULL);
+-#endif
+       pkcs11_key_free(k11);
+ }
++#endif /*def HAVE_EC_KEY_METHOD_NEW*/
+ #endif /*def OPENSSL_HAS_ECC*/
+ 
+ 
+diff --git a/sshconnect.c b/sshconnect.c
+index fd2a70e..0960be1 100644
+--- a/sshconnect.c
++++ b/sshconnect.c
+@@ -605,7 +605,7 @@ send_client_banner(int connection_out, int minor1)
+ {
+       /* Send our own protocol version identification. */
+       if (compat20) {
+-              xasprintf(&client_version_string, "SSH-%d.%d-%.100s 
PKIX[%d]\r\n",
++              xasprintf(&client_version_string, "SSH-%d.%d-%.100s 
PKIX[%s]\r\n",
+                   PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509);
+       } else {
+               xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",

diff --git a/net-misc/openssh/files/sshd.confd 
b/net-misc/openssh/files/sshd.confd
new file mode 100644
index 0000000..28952b4
--- /dev/null
+++ b/net-misc/openssh/files/sshd.confd
@@ -0,0 +1,21 @@
+# /etc/conf.d/sshd: config file for /etc/init.d/sshd
+
+# Where is your sshd_config file stored?
+
+SSHD_CONFDIR="/etc/ssh"
+
+
+# Any random options you want to pass to sshd.
+# See the sshd(8) manpage for more info.
+
+SSHD_OPTS=""
+
+
+# Pid file to use (needs to be absolute path).
+
+#SSHD_PIDFILE="/var/run/sshd.pid"
+
+
+# Path to the sshd binary (needs to be absolute path).
+
+#SSHD_BINARY="/usr/sbin/sshd"

diff --git a/net-misc/openssh/files/sshd.pam_include.2 
b/net-misc/openssh/files/sshd.pam_include.2
new file mode 100644
index 0000000..b801aaa
--- /dev/null
+++ b/net-misc/openssh/files/sshd.pam_include.2
@@ -0,0 +1,4 @@
+auth       include     system-remote-login
+account    include     system-remote-login
+password   include     system-remote-login
+session           include      system-remote-login

diff --git a/net-misc/openssh/files/sshd.rc6.4 
b/net-misc/openssh/files/sshd.rc6.4
new file mode 100644
index 0000000..5e30142
--- /dev/null
+++ b/net-misc/openssh/files/sshd.rc6.4
@@ -0,0 +1,84 @@
+#!/sbin/openrc-run
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+extra_commands="checkconfig"
+extra_started_commands="reload"
+
+: ${SSHD_CONFDIR:=/etc/ssh}
+: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config}
+: ${SSHD_PIDFILE:=/var/run/${SVCNAME}.pid}
+: ${SSHD_BINARY:=/usr/sbin/sshd}
+
+depend() {
+       use logger dns
+       if [ "${rc_need+set}" = "set" ] ; then
+               : # Do nothing, the user has explicitly set rc_need
+       else
+               local x warn_addr
+               for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 
2>/dev/null) ; do
+                       case "${x}" in
+                               0.0.0.0|0.0.0.0:*) ;;
+                               ::|\[::\]*) ;;
+                               *) warn_addr="${warn_addr} ${x}" ;;
+                       esac
+               done
+               if [ -n "${warn_addr}" ] ; then
+                       need net
+                       ewarn "You are binding an interface in ListenAddress 
statement in your sshd_config!"
+                       ewarn "You must add rc_need=\"net.FOO\" to your 
/etc/conf.d/sshd"
+                       ewarn "where FOO is the interface(s) providing the 
following address(es):"
+                       ewarn "${warn_addr}"
+               fi
+       fi
+}
+
+checkconfig() {
+       if [ ! -d /var/empty ] ; then
+               mkdir -p /var/empty || return 1
+       fi
+
+       if [ ! -e "${SSHD_CONFIG}" ] ; then
+               eerror "You need an ${SSHD_CONFIG} file to run sshd"
+               eerror "There is a sample file in /usr/share/doc/openssh"
+               return 1
+       fi
+
+       ssh-keygen -A || return 1
+
+       [ "${SSHD_PIDFILE}" != "/var/run/sshd.pid" ] \
+               && SSHD_OPTS="${SSHD_OPTS} -o PidFile=${SSHD_PIDFILE}"
+       [ "${SSHD_CONFIG}" != "/etc/ssh/sshd_config" ] \
+               && SSHD_OPTS="${SSHD_OPTS} -f ${SSHD_CONFIG}"
+
+       "${SSHD_BINARY}" -t ${SSHD_OPTS} || return 1
+}
+
+start() {
+       checkconfig || return 1
+
+       ebegin "Starting ${SVCNAME}"
+       start-stop-daemon --start --exec "${SSHD_BINARY}" \
+           --pidfile "${SSHD_PIDFILE}" \
+           -- ${SSHD_OPTS}
+       eend $?
+}
+
+stop() {
+       if [ "${RC_CMD}" = "restart" ] ; then
+               checkconfig || return 1
+       fi
+
+       ebegin "Stopping ${SVCNAME}"
+       start-stop-daemon --stop --exec "${SSHD_BINARY}" \
+           --pidfile "${SSHD_PIDFILE}" --quiet
+       eend $?
+}
+
+reload() {
+       checkconfig || return 1
+       ebegin "Reloading ${SVCNAME}"
+       start-stop-daemon --signal HUP \
+           --exec "${SSHD_BINARY}" --pidfile "${SSHD_PIDFILE}"
+       eend $?
+}
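Review bot: `mkdir -p /var/empty` in checkconfig creates the privilege-separation directory with whatever mode the caller's umask yields, and sshd refuses to run when that directory is not root-owned or is group/world-writable, so a permissive umask turns the later `"${SSHD_BINARY}" -t` into a failure this script gives no hint about. Passing an explicit mode, `mkdir -p -m 0755 /var/empty || return 1`, makes the result independent of the environment the service is started from. A smaller point: checkconfig appends `-o PidFile=` and `-f` to SSHD_OPTS on every call, so if stop() during a restart and start() run in the same shell invocation those options are passed twice; building the extra options into a separate variable or guarding with a once-flag avoids the duplication.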

diff --git a/net-misc/openssh/files/sshd.service 
b/net-misc/openssh/files/sshd.service
new file mode 100644
index 0000000..b5e96b3
--- /dev/null
+++ b/net-misc/openssh/files/sshd.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=OpenSSH server daemon
+After=syslog.target network.target auditd.service
+
+[Service]
+ExecStartPre=/usr/bin/ssh-keygen -A
+ExecStart=/usr/sbin/sshd -D -e
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
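Review bot: The unit sets no `KillMode=`, so the default control-group kill on `systemctl stop` or `restart` also signals every process still in the service's cgroup, which includes session children and user shells on builds where pam_systemd does not move sessions into their own scope (the ebuild makes pam optional). Adding `KillMode=process` under [Service] restricts the stop signal to the listening daemon so a restart does not drop active logins. `Restart=on-failure` is also worth considering for the daemon that provides remote access, and `syslog.target` in After= is obsolete in current systemd.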

diff --git a/net-misc/openssh/files/sshd.socket 
b/net-misc/openssh/files/sshd.socket
new file mode 100644
index 0000000..94b9533
--- /dev/null
+++ b/net-misc/openssh/files/sshd.socket
@@ -0,0 +1,10 @@
+[Unit]
+Description=OpenSSH Server Socket
+Conflicts=sshd.service
+
+[Socket]
+ListenStream=22
+Accept=yes
+
+[Install]
+WantedBy=sockets.target
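Review bot: With `Accept=yes` every incoming connection spawns its own `sshd -i` instance from sshd_at.service, and sshd's `MaxStartups` throttling of unauthenticated connections only applies to a listening daemon, so the sole cap on concurrent pre-auth instances is systemd's per-socket default `MaxConnections=`. Making that limit explicit in [Socket], e.g. `MaxConnections=64` with a comment explaining that MaxStartups does not apply in inetd mode, keeps the intended bound visible to whoever tunes this socket. The same consideration applies to the sshd_at.service hunk that follows.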

diff --git a/net-misc/openssh/files/sshd_at.service 
b/net-misc/openssh/files/sshd_at.service
new file mode 100644
index 0000000..2645ad0
--- /dev/null
+++ b/net-misc/openssh/files/sshd_at.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=OpenSSH per-connection server daemon
+After=syslog.target auditd.service
+
+[Service]
+ExecStart=-/usr/sbin/sshd -i -e
+StandardInput=socket
+StandardError=syslog

diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml
new file mode 100644
index 0000000..29134fc
--- /dev/null
+++ b/net-misc/openssh/metadata.xml
@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd";>
+<pkgmetadata>
+  <maintainer type="project">
+    <email>[email protected]</email>
+    <name>Gentoo Base System</name>
+  </maintainer>
+  <maintainer type="person">
+    <email>[email protected]</email>
+    <description>LPK issues. Only assign if it's a direct LPK issue. Do not 
directly assign for anything else.</description>
+  </maintainer>
+  <longdescription>
+OpenSSH is a FREE version of the SSH protocol suite of network connectivity 
tools that 
+increasing numbers of people on the Internet are coming to rely on. Many users 
of telnet, 
+rlogin, ftp, and other such programs might not realize that their password is 
transmitted 
+across the Internet unencrypted, but it is. OpenSSH encrypts all traffic 
(including passwords) 
+to effectively eliminate eavesdropping, connection hijacking, and other 
network-level attacks. 
+Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as 
well as a variety 
+of authentication methods.
+
+The OpenSSH suite includes the ssh program which replaces rlogin and telnet, 
scp which 
+replaces rcp, and sftp which replaces ftp. Also included is sshd which is the 
server side of 
+the package, and the other basic utilities like ssh-add, ssh-agent, 
ssh-keysign, ssh-keyscan, 
+ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, 
and 2.0.
+</longdescription>
+  <use>
+    <flag name="bindist">Disable EC/RC5 algorithms in OpenSSL for patent 
reasons.</flag>
+    <flag name="hpn">Enable high performance ssh</flag>
+    <flag name="ldap">Add support for storing SSH public keys in LDAP</flag>
+    <flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>
+    <flag name="livecd">Enable root password logins for live-cd 
environment.</flag>
+    <flag name="ssh1">Support the legacy/weak SSH1 protocol</flag>
+    <flag name="ssl">Enable additional crypto algorithms via OpenSSL</flag>
+    <flag name="X509">Adds support for X.509 certificate authentication</flag>
+  </use>
+  <upstream>
+    <remote-id type="cpe">cpe:/a:openssh:openssh</remote-id>
+    <remote-id type="sourceforge">hpnssh</remote-id>
+  </upstream>
+</pkgmetadata>

diff --git a/net-misc/openssh/openssh-7.3_p1-r7.ebuild 
b/net-misc/openssh/openssh-7.3_p1-r7.ebuild
new file mode 100644
index 0000000..6f494dc
--- /dev/null
+++ b/net-misc/openssh/openssh-7.3_p1-r7.ebuild
@@ -0,0 +1,352 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="5"
+
+inherit eutils user flag-o-matic multilib autotools pam systemd versionator
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+HPN_PV="${PV}"
+HPN_VER="14.10"
+
+HPN_PATCH="${PN}-${HPN_PV}-hpn-14.10-r1.patch"
+SCTP_PATCH="${PN}-7.3_p1-sctp.patch.xz"
+LDAP_PATCH="${PN}-lpk-7.3p1-0.3.14.patch.xz"
+X509_VER="9.2" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.org/";
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+       ${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
+       ${HPN_PATCH:+hpn? (
+               mirror://gentoo/${HPN_PATCH}.xz
+               http://dev.gentoo.org/~chutzpah/${HPN_PATCH}.xz
+       )}
+       ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
+       ${X509_PATCH:+X509? ( 
http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+       "
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc 
x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux 
~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris 
~sparc64-solaris ~x64-solaris ~x86-solaris"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit 
libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"
+REQUIRED_USE="ldns? ( ssl )
+       pie? ( !static )
+       ssh1? ( ssl )
+       static? ( !kerberos !pam )
+       X509? ( !ldap ssl )
+       test? ( ssl )"
+
+LIB_DEPEND="
+       ldns? (
+               net-libs/ldns[static-libs(+)]
+               !bindist? ( net-libs/ldns[ecdsa,ssl] )
+               bindist? ( net-libs/ldns[-ecdsa,ssl] )
+       )
+       libedit? ( dev-libs/libedit[static-libs(+)] )
+       sctp? ( net-misc/lksctp-tools[static-libs(+)] )
+       selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+       skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
+       ssl? (
+               !libressl? (
+                       >=dev-libs/openssl-0.9.8f:0[bindist=]
+                       dev-libs/openssl:0[static-libs(+)]
+               )
+               libressl? ( dev-libs/libressl[static-libs(+)] )
+       )
+       >=sys-libs/zlib-1.2.3[static-libs(+)]"
+RDEPEND="
+       !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+       pam? ( virtual/pam )
+       kerberos? ( virtual/krb5 )
+       ldap? ( net-nds/openldap )"
+DEPEND="${RDEPEND}
+       static? ( ${LIB_DEPEND} )
+       virtual/pkgconfig
+       virtual/os-headers
+       sys-devel/autoconf"
+RDEPEND="${RDEPEND}
+       pam? ( >=sys-auth/pambase-20081028 )
+       userland_GNU? ( virtual/shadow )
+       X? ( x11-apps/xauth )"
+
+S=${WORKDIR}/${PARCH}
+
+pkg_pretend() {
+       # this sucks, but i'd rather have people unable to `emerge -u openssh`
+       # than not be able to log in to their server any more
+       maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
+       local fail="
+               $(use X509 && maybe_fail X509 X509_PATCH)
+               $(use ldap && maybe_fail ldap LDAP_PATCH)
+               $(use hpn && maybe_fail hpn HPN_PATCH)
+       "
+       fail=$(echo ${fail})
+       if [[ -n ${fail} ]] ; then
+               eerror "Sorry, but this version does not yet support features"
+               eerror "that you requested:      ${fail}"
+               eerror "Please mask ${PF} for now and check back later:"
+               eerror " # echo '=${CATEGORY}/${PF}' >> 
/etc/portage/package.mask"
+               die "booooo"
+       fi
+
+       # Make sure people who are using tcp wrappers are notified of its 
removal. #531156
+       if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
+               ewarn "Sorry, but openssh no longer supports tcp-wrappers, and 
it seems like"
+               ewarn "you're trying to use it.  Update your 
${EROOT}etc/hosts.{allow,deny} please."
+       fi
+}
+
+save_version() {
+       # version.h patch conflict avoidence
+       mv version.h version.h.$1
+       cp -f version.h.pristine version.h
+}
+
+src_prepare() {
+       sed -i \
+               -e 
"/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
+               pathnames.h || die
+       # keep this as we need it to avoid the conflict between LPK and HPN 
changing
+       # this file.
+       cp version.h version.h.pristine
+
+       # don't break .ssh/authorized_keys2 for fun
+       sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+       if use X509 ; then
+               pushd .. >/dev/null
+               if use hpn ; then
+                       pushd "${WORKDIR}" >/dev/null
+                       epatch "${FILESDIR}"/${P}-hpn-x509-9.2-glue.patch
+                       popd >/dev/null
+               fi
+               epatch "${FILESDIR}"/${PN}-7.3_p1-sctp-x509-glue.patch
+               sed -i 's:PKIX_VERSION:SSH_X509:g' 
"${WORKDIR}"/${X509_PATCH%.*} || die
+               popd >/dev/null
+               epatch "${WORKDIR}"/${X509_PATCH%.*}
+               epatch "${FILESDIR}"/${P}-x509-9.2-warnings.patch
+               save_version X509
+       else
+               # bug #592122, fixed by X509 patch
+               epatch "${FILESDIR}"/${P}-fix-ssh1-with-no-ssh1-host-key.patch
+       fi
+       if use ldap ; then
+               epatch "${WORKDIR}"/${LDAP_PATCH%.*}
+               save_version LPK
+       fi
+
+       epatch "${FILESDIR}"/${PN}-7.3_p1-GSSAPI-dns.patch #165444 integrated 
into gsskex
+       epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
+       epatch "${WORKDIR}"/${SCTP_PATCH%.*}
+
+       if use hpn ; then
+               #EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
+               #       EPATCH_MULTI_MSG="Applying HPN patchset ..." \
+               #       epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
+               epatch "${WORKDIR}"/${HPN_PATCH}
+               epatch "${FILESDIR}"/${P}-hpn-cipher-ctr-mt-no-deadlocks.patch
+               save_version HPN
+       fi
+
+       tc-export PKG_CONFIG
+       local sed_args=(
+               -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+               # Disable PATH reset, trust what portage gives us #254615
+               -e 's:^PATH=/:#PATH=/:'
+               # Disable fortify flags ... our gcc does this for us
+               -e 's:-D_FORTIFY_SOURCE=2::'
+       )
+       # The -ftrapv flag ICEs on hppa #505182
+       use hppa && sed_args+=(
+               -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+               -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+       )
+       sed -i "${sed_args[@]}" configure{.ac,} || die
+
+       # 7.3 added seccomp support to MIPS, but failed to handled the N32
+       # case.  This patch is temporary until upstream fixes.  See
+       # Gentoo bug #591392 or upstream #2590.
+       [[ ${CHOST} == mips64*-linux-* && ${ABI} == "n32" ]] \
+               && epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch
+
+       epatch "${FILESDIR}"/${P}-NEWKEYS_null_deref.patch # 595342
+       epatch 
"${FILESDIR}"/${P}-Unregister-the-KEXINIT-handler-after-receive.patch # 597360
+
+       epatch_user #473004
+
+       # Now we can build a sane merged version.h
+       (
+               sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
+               macros=()
+               for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( 
SSH_${p} ) ; done
+               printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' 
"${macros}"
+       ) > version.h
+
+       eautoreconf
+}
+
+src_configure() {
+       addwrite /dev/ptmx
+
+       use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+       use static && append-ldflags -static
+
+       local myconf=(
+               --without-stackprotect
+               --with-ldflags="${LDFLAGS}"
+               --disable-strip
+               --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+               --sysconfdir="${EPREFIX}"/etc/ssh
+               --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
+               --datadir="${EPREFIX}"/usr/share/openssh
+               --with-privsep-path="${EPREFIX}"/var/empty
+               --with-privsep-user=sshd
+               $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
+               # We apply the ldap patch conditionally, so can't pass 
--without-ldap
+               # unconditionally else we get unknown flag warnings.
+               $(use ldap && use_with ldap)
+               $(use_with ldns)
+               $(use_with libedit)
+               $(use_with pam)
+               $(use_with pie)
+               $(use_with sctp)
+               $(use_with selinux)
+               $(use_with skey)
+               $(use_with ssh1)
+               $(use_with ssl openssl)
+               $(use_with ssl md5-passwords)
+               $(use_with ssl ssl-engine)
+       )
+
+       # The seccomp sandbox is broken on x32, so use the older method for 
now. #553748
+       use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
+
+       econf "${myconf[@]}"
+}
+
+src_install() {
+       emake install-nokeys DESTDIR="${D}"
+       fperms 600 /etc/ssh/sshd_config
+       dobin contrib/ssh-copy-id
+       newinitd "${FILESDIR}"/sshd.rc6.4 sshd
+       newconfd "${FILESDIR}"/sshd.confd sshd
+       keepdir /var/empty
+
+       newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+       if use pam ; then
+               sed -i \
+                       -e "/^#UsePAM /s:.*:UsePAM yes:" \
+                       -e "/^#PasswordAuthentication 
/s:.*:PasswordAuthentication no:" \
+                       -e "/^#PrintMotd /s:.*:PrintMotd no:" \
+                       -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+                       "${ED}"/etc/ssh/sshd_config || die
+       fi
+
+       # Gentoo tweaks to default config files
+       cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+
+       # Allow client to pass locale environment variables #367017
+       AcceptEnv LANG LC_*
+       EOF
+       cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
+
+       # Send locale environment variables #367017
+       SendEnv LANG LC_*
+       EOF
+
+       if use livecd ; then
+               sed -i \
+                       -e '/^#PermitRootLogin/c# Allow root login with 
password on livecds.\nPermitRootLogin Yes' \
+                       "${ED}"/etc/ssh/sshd_config || die
+       fi
+
+       if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
+               insinto /etc/openldap/schema/
+               newins openssh-lpk_openldap.schema openssh-lpk.schema
+       fi
+
+       doman contrib/ssh-copy-id.1
+       dodoc CREDITS OVERVIEW README* TODO sshd_config
+       use X509 || dodoc ChangeLog
+
+       diropts -m 0700
+       dodir /etc/skel/.ssh
+
+       systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+       systemd_newunit "${FILESDIR}"/sshd_at.service '[email protected]'
+}
+
+src_test() {
+       local t tests skipped failed passed shell
+       tests="interop-tests compat-tests"
+       skipped=""
+       shell=$(egetshell ${UID})
+       if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+               elog "Running the full OpenSSH testsuite"
+               elog "requires a usable shell for the 'portage'"
+               elog "user, so we will run a subset only."
+               skipped="${skipped} tests"
+       else
+               tests="${tests} tests"
+       fi
+       # It will also attempt to write to the homedir .ssh
+       local sshhome=${T}/homedir
+       mkdir -p "${sshhome}"/.ssh
+       for t in ${tests} ; do
+               # Some tests read from stdin ...
+               HOMEDIR="${sshhome}" HOME="${sshhome}" \
+               emake -k -j1 ${t} </dev/null \
+                       && passed="${passed}${t} " \
+                       || failed="${failed}${t} "
+       done
+       einfo "Passed tests: ${passed}"
+       ewarn "Skipped tests: ${skipped}"
+       if [[ -n ${failed} ]] ; then
+               ewarn "Failed tests: ${failed}"
+               die "Some tests failed: ${failed}"
+       else
+               einfo "Failed tests: ${failed}"
+               return 0
+       fi
+}
+
+pkg_preinst() {
+       enewgroup sshd 22
+       enewuser sshd 22 -1 /var/empty sshd
+}
+
+pkg_postinst() {
+       if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
+               elog "Starting with openssh-5.8p1, the server will default to a 
newer key"
+               elog "algorithm (ECDSA).  You are encouraged to manually update 
your stored"
+               elog "keys list as servers update theirs.  See ssh-keyscan(1) 
for more info."
+       fi
+       if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
+               elog "Starting with openssh-6.9p1, ssh1 support is disabled by 
default."
+       fi
+       if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
+               elog "Starting with openssh-6.7, support for USE=tcpd has been 
dropped by upstream."
+               elog "Make sure to update any configs that you might have.  
Note that xinetd might"
+               elog "be an alternative for you as it supports USE=tcpd."
+       fi
+       if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
+               elog "Starting with openssh-7.0, support for ssh-dss keys were 
disabled due to their"
+               elog "weak sizes.  If you rely on these key types, you can 
re-enable the key types by"
+               elog "adding to your sshd_config or ~/.ssh/config files:"
+               elog "  PubkeyAcceptedKeyTypes=+ssh-dss"
+               elog "You should however generate new keys using rsa or 
ed25519."
+
+               elog "Starting with openssh-7.0, the default for 
PermitRootLogin changed from 'yes'"
+               elog "to 'prohibit-password'.  That means password auth for 
root users no longer works"
+               elog "out of the box.  If you need this, please update your 
sshd_config explicitly."
+       fi
+       if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
+               elog "Be aware that by disabling openssl support in openssh, 
the server and clients"
+               elog "no longer support dss/rsa/ecdsa keys.  You will need to 
generate ed25519 keys"
+               elog "and update all clients/servers that utilize them."
+       fi
+}
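Review bot: `--without-stackprotect` is passed unconditionally in the `myconf` array of src_configure, so OpenSSH's configure-time stack-protector probing is dropped for every arch and compiler, while the commit title scopes the problem to i686 with gcc-5. The file already special-cases hppa (`use hppa && sed_args+=(...)`) and x32 (`use amd64 && [[ ${ABI} == "x32" ]] && myconf+=(...)`), so the same shape would keep the hardening elsewhere: remove the flag from the array and add `# i686 with gcc-5 fails with the stack-protector probe (see commit), so disable it only there` followed by `use x86 && [[ $(gcc-major-version) == 5 ]] && myconf+=( --without-stackprotect )`; `gcc-major-version` comes from toolchain-funcs, which is already in scope given the `tc-export` call in src_prepare. Whether the profile's default CFLAGS re-apply a stack protector independently of this probe is not visible here, so the effective hardening of the built sshd should be confirmed before relying on it.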
