Merge pull request #2268 from flatcar/krnowak/openssh-update

net-misc/openssh: Bump to 9.1
Krzesimir Nowak 2022-11-17 11:19:32 +01:00 committed by GitHub
commit 052c0553ae
16 changed files with 201 additions and 935 deletions


@ -0,0 +1 @@
- OpenSSH ([9.1](http://www.openssh.com/releasenotes.html#9.1))


@ -1,6 +1,7 @@
DIST openssh-8.8p1+x509-13.2.3.diff.gz 1071138 BLAKE2B dfbe53ccfdfe0a3da9bac927c5bb0ccfeb20f1ba69cef2ffb52999e6f6b0a3282e28a888aab40096fe9eed819f4c9b27592a8771d786580b8fa4f507f6b02557 SHA512 e55e9cdcde1b02b2799600083db8c3b85d207b251b99b4efabe8614bedf1daae28e5ed10cbe1f6a2e5ba766fe1eaf41be9e90fefdaae1352808c504fc0f4e7e6
DIST openssh-8.8p1-sctp-1.2.patch.xz 6744 BLAKE2B 9f99e0abfbfbda2cc1c7c2a465d044c900da862e5a38f01260f388ac089b2e66c5ea7664d71d18b924552ae177e5893cdcbfbccc20eeb3aaeae00b3d552379e3 SHA512 5290c5ef08a418dcc9260812d8e75ce266e22e2258514f11da6fb178e0ae2ef16046523f72a50f74ae7b98e7eb52d16143befc8ce2919041382d314aa05adda0
DIST openssh-8.8p1.tar.gz 1815060 BLAKE2B 3a054ce19781aceca5ab1a0839d7435d88aff4481e8c74b91ffd2046dc8b6f03d6bf584ecda066c0496acf43cea9ab4085f26a29e34e20736e752f204b8c76c3 SHA512 d44cd04445f9c8963513b0d5a7e8348985114ff2471e119a6e344498719ef40f09c61c354888a3be9dabcb5870e5cbe5d3aafbb861dfa1d82a4952f3d233a8df
DIST openssh-8_5_P1-hpn-AES-CTR-15.2.diff 30096 BLAKE2B f0c020dd2403806c79d4c37a019996d275655b04997301e247f5c4dd7fad35d12b3b7c25afb1b078d915ef2a4ae02f736f0aec9ba2a8c56a405d7ca303bcadf7 SHA512 4c2dbf99a9b5953fdb955f700272bbaeaa025f108a8860d2190197962b849f8385327af82c4d6a3a130a7fba35a74a8ec9437d642867601acb29817c49632a8f
DIST openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 51428 BLAKE2B 370b88a7da7f148bf5a4d445f05cf593b486e9df53bba027e2e179726f534b68cf9d94edd6e53024e0b6ff5f20e568727bc9d26c94d0d415603602a80d3ad241 SHA512 2d8d887901164b33b2799ff3ec72e86a39ae4a1696e52bcee0872dbae7772fcc534351e6e7f87126ee71b164c74e9091350f14b782f4b242a09f09b4f50d047a
DIST openssh-8_5_P1-hpn-PeakTput-15.2.diff 2429 BLAKE2B 849bf3c313719ab7a25c75e82d5dc5ac98365a038b2a66fe58d01eae5b20c7777258b94b5830e799d6909e75c69753cda05a910f3bdab9606fb7d5efa68e05f1 SHA512 c4a56fab55fabd1d902d45f235b603708d43f969920e45c9a57e557dccfa9cade2ec61f26d1ace938f6f73e79f17b12f119b5aea9166cbda8e3435b910500914
DIST openssh-9.1_p1-X509-glue-13.5.patch.xz 1092 BLAKE2B 19da945547472048d01a6ec26f28cba11afe1a0590a115582d1e21a852b6b66589b091ab4440d57952200522318aeffb7d9404e53f9532ae80e47685c24c4097 SHA512 96de9f59bacfd99aa9ef03362d55d88b3eea0acc57a11fb72e5c612bfb0f5e48455b0a0d0add9a8a5524b9d4701f47db1ff7859f1d3c2a12947b27292961cbd5
DIST openssh-9.1_p1-hpn-15.2-X509-glue.patch.xz 5504 BLAKE2B 776b467ddde16e268536c5632b028a32db22b26d7bc11e2a9fa6c8e29528be3eb781066d6b30fb2f561a73a24c34a29963fcd7c872aa92dc19d715d8ffbf2cbe SHA512 aa753da5f75d90165f5922ead1dd495a15a4c581360d5862ec6f802caea54055da8e308c1919efa8e78b31a7ea082f8693dda0ab84ccee414c562ec062c50fb1
DIST openssh-9.1_p1-hpn-15.2-glue.patch.xz 3840 BLAKE2B 06fb14d8c6f52f1c6fae7971fc4da810c814d7b52063f8cc7e83356baa7ed70c84476c1d1cc896eba6d0d51813dc994e3c82278e66c04998431c8123a09fe7df SHA512 99c88c08fb384336a9680629bc04a89121780d64ee8b03ac164c4e446cc30b865004292e98516b6f857bd75e1b4393291427c046ffcabc1578629e6075636cbf
DIST openssh-9.1p1+x509-13.5.diff.gz 1213948 BLAKE2B 5663a1c865c80f590642bb855f7d7a17e71e0db099deb4cea5750cfe734bd506b70a1b266fccc2a58174ae2b1b96a7f1ced56382d5d7e741b07e46422b03f7e6 SHA512 70a1f12e98b8fa8170c208803ee482aea2fcf6b9e41ecada5fabaa0288ed5a32574f42a7b50718bb484978f3c65f50e55966c9f555a9de100dc8d695b9aec531
DIST openssh-9.1p1-sctp-1.2.patch.xz 6772 BLAKE2B 8393c1ca5f0df7e4d490cef5c38d50d45da83a9c3f650e9af15d95825f9e682a6aaf6a0e85fc1704d41d6567aec8f0b34e43b20652e0141008ccdbe91426dfac SHA512 6750394d0fb7b7f93a0e4f94204e53277cc341c5b2427130559e443557dbb95f2e85a71cfe8d40cfa17dd015b0f3880f79a1f868374e60e94e8385c9b45acec5
DIST openssh-9.1p1.tar.gz 1838747 BLAKE2B 287b6b1cc4858b27af88f4a4674670afff1fb5b99461892083393c53ef3747c5a0fcd90cba95d2c27465a919e00f7f42732c93af4f306665ba0393bbb7a534f5 SHA512 a1f02c407f6b621b1d0817d1a0c9a6839b67e416c84f3b76c63003b119035b24c19a1564b22691d1152e1d2d55f4dc7eb1af2d2318751e431a99c4efa77edc70
DIST openssh-9.1p1.tar.gz.asc 833 BLAKE2B 83efe3c705f6a02c25a9fc9bac2a4efd77470598d9e0fcb86dff2d265c58cffec1afecad3621769b2bd78ac25884f0ee20ae9b311e895db93e3bb552dffd6e74 SHA512 47dc7295f9694250bcbb86d7ca0830a47da4f3df7795bb05ebaf1590284ccce5317022c536bea1b09bd2fa4d8013295cc0de287ebe3f9dc605582077e9f11ddd


@ -1,18 +0,0 @@
diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:06:45.020527770 -0700
+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:07:01.294423665 -0700
@@ -1414,14 +1414,3 @@
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
-diff --git a/version.h b/version.h
-index 6b4fa372..332fb486 100644
---- a/version.h
-+++ b/version.h
-@@ -3,4 +3,5 @@
- #define SSH_VERSION "OpenSSH_8.5"
-
- #define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_HPN "-hpn15v2"
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN


@ -1,13 +0,0 @@
diff --git a/kex.c b/kex.c
index 34808b5c..88d7ccac 100644
--- a/kex.c
+++ b/kex.c
@@ -1205,7 +1205,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
if (version_addendum != NULL && *version_addendum == '\0')
version_addendum = NULL;
if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
version_addendum == NULL ? "" : " ",
version_addendum == NULL ? "" : version_addendum)) != 0) {
oerrno = errno;


@ -1,447 +0,0 @@
diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-31 11:12:46.412119817 -0700
+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-31 11:26:11.116026151 -0700
@@ -3,9 +3,9 @@
--- a/Makefile.in
+++ b/Makefile.in
@@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
- CFLAGS_NOPIE=@CFLAGS_NOPIE@
- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
- PICFLAG=@PICFLAG@
+ LD=@LD@
+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
-LIBS=@LIBS@
+LIBS=@LIBS@ -lpthread
K5LIBS=@K5LIBS@
@@ -803,8 +803,8 @@
ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
{
struct session_state *state;
-- const struct sshcipher *none = cipher_by_name("none");
-+ struct sshcipher *none = cipher_by_name("none");
+- const struct sshcipher *none = cipher_none();
++ struct sshcipher *none = cipher_none();
int r;
if (none == NULL) {
@@ -894,24 +894,24 @@
intptr = &options->compression;
multistate_ptr = multistate_compression;
@@ -2272,6 +2278,7 @@ initialize_options(Options * options)
- options->revoked_host_keys = NULL;
options->fingerprint_hash = -1;
options->update_hostkeys = -1;
+ options->known_hosts_command = NULL;
+ options->disable_multithreaded = -1;
- options->hostbased_accepted_algos = NULL;
- options->pubkey_accepted_algos = NULL;
- options->known_hosts_command = NULL;
+ }
+
+ /*
@@ -2467,6 +2474,10 @@ fill_default_options(Options * options)
+ options->update_hostkeys = 0;
if (options->sk_provider == NULL)
options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
- #endif
+ if (options->update_hostkeys == -1)
+ options->update_hostkeys = 0;
+ if (options->disable_multithreaded == -1)
+ options->disable_multithreaded = 0;
- /* Expand KEX name lists */
- all_cipher = cipher_alg_list(',', 0);
+ /* expand KEX and etc. name lists */
+ { char *all;
diff --git a/readconf.h b/readconf.h
index 2fba866e..7f8f0227 100644
--- a/readconf.h
@@ -950,9 +950,9 @@
/* Portable-specific options */
sUsePAM,
+ sDisableMTAES,
- /* Standard Options */
- sPort, sHostKeyFile, sLoginGraceTime,
- sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
+ /* X.509 Standard Options */
+ sHostbasedAlgorithms,
+ sPubkeyAlgorithms,
@@ -662,6 +666,7 @@ static struct {
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-31 11:12:46.412119817 -0700
+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-31 14:17:59.366248683 -0700
@@ -157,6 +157,36 @@
+ Allan Jude provided the code for the NoneMac and buffer normalization.
+ This work was financed, in part, by Cisco System, Inc., the National
+ Library of Medicine, and the National Science Foundation.
+diff --git a/auth2.c b/auth2.c
+--- a/auth2.c 2021-03-15 19:30:45.404060786 -0700
++++ b/auth2.c 2021-03-15 19:37:22.078476597 -0700
+@@ -229,16 +229,17 @@
+ double delay;
+
+ digest_alg = ssh_digest_maxbytes();
+- len = ssh_digest_bytes(digest_alg);
+- hash = xmalloc(len);
++ if (len = ssh_digest_bytes(digest_alg) > 0) {
++ hash = xmalloc(len);
+
+- (void)snprintf(b, sizeof b, "%llu%s",
+- (unsigned long long)options.timing_secret, user);
+- if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
+- fatal_f("ssh_digest_memory");
+- /* 0-4.2 ms of delay */
+- delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
+- freezero(hash, len);
++ (void)snprintf(b, sizeof b, "%llu%s",
++ (unsigned long long)options.timing_secret, user);
++ if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
++ fatal_f("ssh_digest_memory");
++ /* 0-4.2 ms of delay */
++ delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
++ freezero(hash, len);
++ }
+ debug3_f("user specific delay %0.3lfms", delay/1000);
+ return MIN_FAIL_DELAY_SECONDS + delay;
+ }
diff --git a/channels.c b/channels.c
index b60d56c4..0e363c15 100644
--- a/channels.c
@@ -209,14 +239,14 @@
static void
channel_pre_open(struct ssh *ssh, Channel *c,
fd_set *readset, fd_set *writeset)
-@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
+@@ -2164,21 +2191,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
if (c->type == SSH_CHANNEL_OPEN &&
!(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
- ((c->local_window_max - c->local_window >
- c->local_maxpacket*3) ||
-+ ((ssh_packet_is_interactive(ssh) &&
-+ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
++ ((ssh_packet_is_interactive(ssh) &&
++ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
c->local_window < c->local_window_max/2) &&
c->local_consumed > 0) {
+ u_int addition = 0;
@@ -235,9 +265,8 @@
(r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
- (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
+ (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
- (r = sshpkt_send(ssh)) != 0) {
- fatal_fr(r, "channel %i", c->self);
- }
+ (r = sshpkt_send(ssh)) != 0)
+ fatal_fr(r, "channel %d", c->self);
- debug2("channel %d: window %d sent adjust %d", c->self,
- c->local_window, c->local_consumed);
- c->local_window += c->local_consumed;
@@ -337,70 +366,92 @@
index 70f492f8..5503af1d 100644
--- a/clientloop.c
+++ b/clientloop.c
-@@ -1578,9 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
+@@ -1578,10 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
sock = x11_connect_display(ssh);
if (sock < 0)
return NULL;
- c = channel_new(ssh, "x11",
- SSH_CHANNEL_X11_OPEN, sock, sock, -1,
-- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
-+ c = channel_new(ssh, "x11",
-+ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
-+ /* again is this really necessary for X11? */
-+ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
-+ CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
+- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11",
+- CHANNEL_NONBLOCK_SET);
++ c = channel_new(ssh, "x11",
++ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
++ /* again is this really necessary for X11? */
++ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
++ CHAN_X11_PACKET_DEFAULT, 0, "x11", CHANNEL_NONBLOCK_SET);
c->force_drain = 1;
return c;
}
-@@ -1608,9 +1610,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
+@@ -1608,9 +1609,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
return NULL;
}
c = channel_new(ssh, "authentication agent connection",
- SSH_CHANNEL_OPEN, sock, sock, -1,
- CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
-- "authentication agent connection", 1);
-+ SSH_CHANNEL_OPEN, sock, sock, -1,
-+ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size,
-+ CHAN_TCP_PACKET_DEFAULT, 0,
-+ "authentication agent connection", 1);
+- "authentication agent connection", CHANNEL_NONBLOCK_SET);
++ SSH_CHANNEL_OPEN, sock, sock, -1,
++ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size,
++ CHAN_TCP_PACKET_DEFAULT, 0,
++ "authentication agent connection", CHANNEL_NONBLOCK_SET);
c->force_drain = 1;
return c;
}
-@@ -1635,10 +1638,13 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
+@@ -1635,9 +1637,9 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
}
debug("Tunnel forwarding using interface %s", ifname);
- c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
-- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
-+ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun",
+- CHANNEL_NONBLOCK_SET);
++ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
-+ CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
++ CHAN_TCP_PACKET_DEFAULT, 0, "tun", CHANNEL_NONBLOCK_SET);
c->datagram = 1;
-+
-+
#if defined(SSH_TUN_FILTER)
- if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
- channel_register_filter(ssh, c->self, sys_tun_infilter,
diff --git a/compat.c b/compat.c
index 69befa96..90b5f338 100644
--- a/compat.c
+++ b/compat.c
-@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version)
- debug_f("match: %s pat %s compat 0x%08x",
+@@ -43,7 +43,7 @@ compat_datafellows(const char *version)
+ static u_int
+ compat_datafellows(const char *version)
+ {
+- int i;
++ int i, bugs = 0;
+ static struct {
+ char *pat;
+ int bugs;
+@@ -147,11 +147,26 @@
+ if (match_pattern_list(version, check[i].pat, 0) == 1) {
+ debug("match: %s pat %s compat 0x%08x",
version, check[i].pat, check[i].bugs);
- ssh->compat = check[i].bugs;
+ /* Check to see if the remote side is OpenSSH and not HPN */
-+ /* TODO: need to use new method to test for this */
+ if (strstr(version, "OpenSSH") != NULL) {
+ if (strstr(version, "hpn") == NULL) {
-+ ssh->compat |= SSH_BUG_LARGEWINDOW;
++ bugs |= SSH_BUG_LARGEWINDOW;
+ debug("Remote is NON-HPN aware");
+ }
+ }
- return;
+- return check[i].bugs;
++ bugs |= check[i].bugs;
}
}
+- debug("no match: %s", version);
+- return 0;
++ /* Check to see if the remote side is OpenSSH and not HPN */
++ if (strstr(version, "OpenSSH") != NULL) {
++ if (strstr(version, "hpn") == NULL) {
++ bugs |= SSH_BUG_LARGEWINDOW;
++ debug("Remote is NON-HPN aware");
++ }
++ }
++ if (bugs == 0)
++ debug("no match: %s", version);
++ return bugs;
+ }
+
+ char *
diff --git a/compat.h b/compat.h
index c197fafc..ea2e17a7 100644
--- a/compat.h
@@ -459,7 +510,7 @@
@@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh)
int nenc, nmac, ncomp;
u_int mode, ctos, need, dh_need, authlen;
- int r, first_kex_follows;
+ int r, first_kex_follows = 0;
+ int auth_flag = 0;
+
+ auth_flag = packet_authentication_state(ssh);
@@ -553,7 +604,7 @@
#define MAX_PACKETS (1U<<31)
static int
ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+@@ -1317,7 +1336,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
struct session_state *state = ssh->state;
int len, r, ms_remain;
fd_set *setp;
@@ -1035,19 +1086,6 @@
/* Minimum amount of data to read at a time */
#define MIN_READ_SIZE 512
-diff --git a/ssh-keygen.c b/ssh-keygen.c
-index cfb5f115..36a6e519 100644
---- a/ssh-keygen.c
-+++ b/ssh-keygen.c
-@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device)
- freezero(pin, strlen(pin));
- error_r(r, "Unable to load resident keys");
- return -1;
-- }
-+ }
- if (nkeys == 0)
- logit("No keys to download");
- if (pin != NULL)
diff --git a/ssh.c b/ssh.c
index 53330da5..27b9770e 100644
--- a/ssh.c
@@ -1093,7 +1131,7 @@
+ else
+ options.hpn_buffer_size = 2 * 1024 * 1024;
+
-+ if (ssh->compat & SSH_BUG_LARGEWINDOW) {
++ if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) {
+ debug("HPN to Non-HPN Connection");
+ } else {
+ int sock, socksize;
@@ -1157,14 +1195,14 @@
}
@@ -2089,6 +2167,11 @@ ssh_session2_open(struct ssh *ssh)
window, packetmax, CHAN_EXTENDED_WRITE,
- "client-session", /*nonblock*/0);
+ "client-session", CHANNEL_NONBLOCK_STDIO);
+ if ((options.tcp_rcv_buf_poll > 0) && !options.hpn_disabled) {
+ c->dynamic_window = 1;
+ debug("Enabled Dynamic Window Scaling");
+ }
+
- debug3_f("channel_new: %d", c->self);
+ debug2_f("channel %d", c->self);
channel_send_open(ssh, c->self);
@@ -2105,6 +2188,13 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_info *cinfo)
@@ -1335,7 +1373,29 @@
/* Bind the socket to the desired port. */
if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
error("Bind to port %s on %s failed: %.200s.",
-@@ -1727,6 +1734,19 @@ main(int ac, char **av)
+@@ -1625,13 +1632,14 @@
+ if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
+ sshbuf_len(server_cfg)) != 0)
+ fatal_f("ssh_digest_update");
+- len = ssh_digest_bytes(digest_alg);
+- hash = xmalloc(len);
+- if (ssh_digest_final(ctx, hash, len) != 0)
+- fatal_f("ssh_digest_final");
+- options.timing_secret = PEEK_U64(hash);
+- freezero(hash, len);
+- ssh_digest_free(ctx);
++ if ((len = ssh_digest_bytes(digest_alg)) > 0) {
++ hash = xmalloc(len);
++ if (ssh_digest_final(ctx, hash, len) != 0)
++ fatal_f("ssh_digest_final");
++ options.timing_secret = PEEK_U64(hash);
++ freezero(hash, len);
++ ssh_digest_free(ctx);
++ }
+ ctx = NULL;
+ return;
+ }
+@@ -1727,6 +1735,19 @@ main(int ac, char **av)
fatal("AuthorizedPrincipalsCommand set without "
"AuthorizedPrincipalsCommandUser");
@@ -1355,7 +1415,7 @@
/*
* Check whether there is any path through configured auth methods.
* Unfortunately it is not possible to verify this generally before
-@@ -2166,6 +2186,9 @@ main(int ac, char **av)
+@@ -2166,6 +2187,9 @@ main(int ac, char **av)
rdomain == NULL ? "" : "\"");
free(laddr);
@@ -1365,7 +1425,7 @@
/*
* We don't want to listen forever unless the other side
* successfully authenticates itself. So we set up an alarm which is
-@@ -2343,6 +2366,12 @@ do_ssh2_kex(struct ssh *ssh)
+@@ -2343,6 +2367,12 @@ do_ssh2_kex(struct ssh *ssh)
struct kex *kex;
int r;
@@ -1405,14 +1465,3 @@
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
-diff --git a/version.h b/version.h
-index 6b4fa372..332fb486 100644
---- a/version.h
-+++ b/version.h
-@@ -3,4 +3,5 @@
- #define SSH_VERSION "OpenSSH_8.5"
-
- #define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_HPN "-hpn15v2"
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff
--- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-08-31 11:12:16.778011216 -0700
+++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-08-31 11:13:11.573211934 -0700
@@ -12,9 +12,9 @@
static long stalled; /* how long we have been stalled */
static int bytes_per_second; /* current speed in bytes per second */
@@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
+ off_t bytes_left;
int cur_speed;
- int hours, minutes, seconds;
- int file_len;
+ int len;
+ off_t delta_pos;
if ((!force_update && !alarm_fired && !win_resized) || !can_output())
@@ -30,15 +30,17 @@
if (bytes_left > 0)
elapsed = now - last_update;
else {
-@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
-
+@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update)
+ buf[1] = '\0';
+
/* filename */
- buf[0] = '\0';
-- file_len = win_size - 36;
-+ file_len = win_size - 45;
- if (file_len > 0) {
- buf[0] = '\r';
- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
+- if (win_size > 36) {
++ if (win_size > 45) {
+- int file_len = win_size - 36;
++ int file_len = win_size - 45;
+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
+ file_len, file);
+ }
@@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
(off_t)bytes_per_second);
strlcat(buf, "/s ", win_size);
@@ -63,15 +65,3 @@
}
/*ARGSUSED*/
-diff --git a/ssh-keygen.c b/ssh-keygen.c
-index cfb5f115..986ff59b 100644
---- a/ssh-keygen.c
-+++ b/ssh-keygen.c
-@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device)
-
- if (skprovider == NULL)
- fatal("Cannot download keys without provider");
--
- pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
- if (!quiet) {
- printf("You may need to touch your authenticator "


@ -1,198 +0,0 @@
diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-20 11:49:32.351767063 -0700
+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-20 11:58:08.746214945 -0700
@@ -1026,9 +1026,9 @@
+ }
+#endif
+
- debug("Authentication succeeded (%s).", authctxt.method->name);
- }
-
+ if (ssh_packet_connection_is_on_socket(ssh)) {
+ verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host,
+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
diff --git a/sshd.c b/sshd.c
index 6277e6d6..bf3d6e4a 100644
--- a/sshd.c
diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-20 11:49:32.351767063 -0700
+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-20 12:04:45.008038085 -0700
@@ -536,18 +536,10 @@
if (state->rekey_limit)
*max_blocks = MINIMUM(*max_blocks,
state->rekey_limit / enc->block_size);
-@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
return 0;
}
-+/* this supports the forced rekeying required for the NONE cipher */
-+int rekey_requested = 0;
-+void
-+packet_request_rekeying(void)
-+{
-+ rekey_requested = 1;
-+}
-+
+/* used to determine if pre or post auth when rekeying for aes-ctr
+ * and none cipher switch */
+int
@@ -561,20 +553,6 @@
#define MAX_PACKETS (1U<<31)
static int
ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
- if (state->p_send.packets == 0 && state->p_read.packets == 0)
- return 0;
-
-+ /* used to force rekeying when called for by the none
-+ * cipher switch methods -cjr */
-+ if (rekey_requested == 1) {
-+ rekey_requested = 0;
-+ return 1;
-+ }
-+
- /* Time-based rekeying */
- if (state->rekey_interval != 0 &&
- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
struct session_state *state = ssh->state;
int len, r, ms_remain;
@@ -598,12 +576,11 @@
};
typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *,
-@@ -155,6 +158,10 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
+@@ -155,6 +158,9 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
int ssh_packet_set_maxsize(struct ssh *, u_int);
u_int ssh_packet_get_maxsize(struct ssh *);
+/* for forced packet rekeying post auth */
-+void packet_request_rekeying(void);
+int packet_authentication_state(const struct ssh *);
+
int ssh_packet_get_state(struct ssh *, struct sshbuf *);
@@ -627,9 +604,9 @@
oLocalCommand, oPermitLocalCommand, oRemoteCommand,
+ oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
+ oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
+ oDisableMTAES,
oVisualHostKey,
oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
@@ -297,6 +300,9 @@ static struct {
{ "kexalgorithms", oKexAlgorithms },
{ "ipqos", oIPQoS },
@@ -637,9 +614,9 @@
+ { "noneenabled", oNoneEnabled },
+ { "nonemacenabled", oNoneMacEnabled },
+ { "noneswitch", oNoneSwitch },
- { "proxyusefdpass", oProxyUseFdpass },
- { "canonicaldomains", oCanonicalDomains },
- { "canonicalizefallbacklocal", oCanonicalizeFallbackLocal },
+ { "sessiontype", oSessionType },
+ { "stdinnull", oStdinNull },
+ { "forkafterauthentication", oForkAfterAuthentication },
@@ -317,6 +323,11 @@ static struct {
{ "securitykeyprovider", oSecurityKeyProvider },
{ "knownhostscommand", oKnownHostsCommand },
@@ -717,9 +694,9 @@
+ options->hpn_buffer_size = -1;
+ options->tcp_rcv_buf_poll = -1;
+ options->tcp_rcv_buf = -1;
- options->proxy_use_fdpass = -1;
- options->ignored_unknown = NULL;
- options->num_canonical_domains = 0;
+ options->session_type = -1;
+ options->stdin_null = -1;
+ options->fork_after_authentication = -1;
@@ -2426,6 +2484,41 @@ fill_default_options(Options * options)
options->server_alive_interval = 0;
if (options->server_alive_count_max == -1)
@@ -778,9 +755,9 @@
int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
SyslogFacility log_facility; /* Facility for system logging. */
@@ -120,7 +124,11 @@ typedef struct {
-
int enable_ssh_keysign;
int64_t rekey_limit;
+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
+ int none_switch; /* Use none cipher */
+ int none_enabled; /* Allow none cipher to be used */
+ int nonemac_enabled; /* Allow none MAC to be used */
@@ -842,9 +819,9 @@
/* Portable-specific options */
if (options->use_pam == -1)
@@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options)
- }
- if (options->permit_tun == -1)
options->permit_tun = SSH_TUNMODE_NO;
+ if (options->disable_multithreaded == -1)
+ options->disable_multithreaded = 0;
+ if (options->none_enabled == -1)
+ options->none_enabled = 0;
+ if (options->nonemac_enabled == -1)
@@ -1047,17 +1024,17 @@
Note that
diff --git a/sftp.c b/sftp.c
index fb3c08d1..89bebbb2 100644
---- a/sftp.c
-+++ b/sftp.c
-@@ -71,7 +71,7 @@ typedef void EditLine;
- #include "sftp-client.h"
-
- #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */
--#define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */
-+#define DEFAULT_NUM_REQUESTS 256 /* # concurrent outstanding requests */
+--- a/sftp-client.c
++++ b/sftp-client.c
+@@ -65,7 +65,7 @@ typedef void EditLine;
+ #define DEFAULT_COPY_BUFLEN 32768
+
+ /* Default number of concurrent outstanding requests */
+-#define DEFAULT_NUM_REQUESTS 64
++#define DEFAULT_NUM_REQUESTS 256
- /* File to read commands from */
- FILE* infile;
+ /* Minimum amount of data to read at a time */
+ #define MIN_READ_SIZE 512
diff --git a/ssh-keygen.c b/ssh-keygen.c
index cfb5f115..36a6e519 100644
--- a/ssh-keygen.c
@@ -1330,9 +1307,9 @@
+ }
+ }
+
- debug("Authentication succeeded (%s).", authctxt.method->name);
- }
+ #ifdef WITH_OPENSSL
+ if (options.disable_multithreaded == 0) {
diff --git a/sshd.c b/sshd.c
index 6277e6d6..d66fa41a 100644
--- a/sshd.c
@@ -1359,8 +1336,8 @@
if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
error("Bind to port %s on %s failed: %.200s.",
@@ -1727,6 +1734,19 @@ main(int ac, char **av)
- /* Fill in default values for those options not explicitly set. */
- fill_default_server_options(&options);
+ fatal("AuthorizedPrincipalsCommand set without "
+ "AuthorizedPrincipalsCommandUser");
+ if (options.none_enabled == 1) {
+ char *old_ciphers = options.ciphers;
@@ -1375,9 +1352,9 @@
+ }
+ }
+
- /* challenge-response is implemented via keyboard interactive */
- if (options.challenge_response_authentication)
- options.kbd_interactive_authentication = 1;
+ /*
+ * Check whether there is any path through configured auth methods.
+ * Unfortunately it is not possible to verify this generally before
@@ -2166,6 +2186,9 @@ main(int ac, char **av)
rdomain == NULL ? "" : "\"");
free(laddr);


@ -1,63 +0,0 @@
diff -ur '--exclude=.*.un~' a/openssh-8.8p1+x509-13.2.3.diff b/openssh-8.8p1+x509-13.2.3.diff
--- a/openssh-8.8p1+x509-13.2.3.diff 2021-10-29 14:59:17.070546984 -0700
+++ b/openssh-8.8p1+x509-13.2.3.diff 2021-10-29 14:59:55.086664489 -0700
@@ -954,15 +954,16 @@
char b[512];
- size_t len = ssh_digest_bytes(SSH_DIGEST_SHA512);
- u_char *hash = xmalloc(len);
+- double delay;
+ int digest_alg;
+ size_t len;
+ u_char *hash;
- double delay;
-
++ double delay = 0;
++
+ digest_alg = ssh_digest_maxbytes();
+ len = ssh_digest_bytes(digest_alg);
+ hash = xmalloc(len);
-+
+
(void)snprintf(b, sizeof b, "%llu%s",
(unsigned long long)options.timing_secret, user);
- if (ssh_digest_memory(SSH_DIGEST_SHA512, b, strlen(b), hash, len) != 0)
@@ -51859,12 +51860,11 @@
install-files:
$(MKDIR_P) $(DESTDIR)$(bindir)
-@@ -391,6 +372,8 @@
+@@ -391,6 +372,7 @@
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
$(MKDIR_P) $(DESTDIR)$(libexecdir)
+ $(MKDIR_P) $(DESTDIR)$(sshcadir)
-+ $(MKDIR_P) $(DESTDIR)$(piddir)
$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
@@ -71985,7 +71985,7 @@
+if test "$sshd_type" = "pkix" ; then
+ unset_arg=''
+else
-+ unset_arg=none
++ unset_arg=
+fi
+
cat > $OBJ/sshd_config.i << _EOF
@@ -132360,16 +132360,6 @@
+int asnmprintf(char **, size_t, int *, const char *, ...)
__attribute__((format(printf, 4, 5)));
void msetlocale(void);
-diff -ruN openssh-8.8p1/version.h openssh-8.8p1+x509-13.2.3/version.h
---- openssh-8.8p1/version.h 2021-09-26 17:03:19.000000000 +0300
-+++ openssh-8.8p1+x509-13.2.3/version.h 2021-10-23 16:27:00.000000000 +0300
-@@ -2,5 +2,4 @@
-
- #define SSH_VERSION "OpenSSH_8.8"
-
--#define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
diff -ruN openssh-8.8p1/version.m4 openssh-8.8p1+x509-13.2.3/version.m4
--- openssh-8.8p1/version.m4 1970-01-01 02:00:00.000000000 +0200
+++ openssh-8.8p1+x509-13.2.3/version.m4 2021-10-23 16:27:00.000000000 +0300


@ -0,0 +1,14 @@
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 2e065ba3..4ce80cb2 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -276,6 +276,9 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR_ppoll
SC_ALLOW(__NR_ppoll),
#endif
+#ifdef __NR_ppoll_time64
+ SC_ALLOW(__NR_ppoll_time64),
+#endif
#ifdef __NR_poll
SC_ALLOW(__NR_poll),
#endif
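Review bot: The new `SC_ALLOW(__NR_ppoll_time64)` entry widens the sshd pre-auth seccomp allowlist, and the patch file carries no header explaining why, which makes the sandbox harder to audit later and harder to know when the patch can be dropped. Add a description above the `diff --git` line, e.g. `# sshd's pre-auth child is killed by the seccomp filter on targets whose libc implements ppoll() via the ppoll_time64 syscall (32-bit with 64-bit time_t); allow it alongside the existing ppoll entry.` — the trigger is inferred from the syscall name and should be confirmed against the failure that motivated the patch. Note also which upstream release (if any) carries the same change so the next bump can retire it. The `preauth_insns[]` array this hunk edits begins and ends outside the hunk.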


@ -0,0 +1,13 @@
diff --git a/gss-serv.c b/gss-serv.c
index b5d4bb2d..00e3d118 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -105,7 +105,7 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
gss_create_empty_oid_set(&status, &oidset);
gss_add_oid_set_member(&status, ctx->oid, &oidset);
- if (gethostname(lname, MAXHOSTNAMELEN)) {
+ if (gethostname(lname, HOST_NAME_MAX)) {
gss_release_oid_set(&status, &oidset);
return (-1);
}
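Review bot: `gethostname(lname, HOST_NAME_MAX)` truncates when the host name is longer than the supplied length, and POSIX leaves it unspecified whether the truncated result is NUL-terminated, so the result must not be relied on as a C string without explicit termination. The declaration of `lname` is outside the hunk, so the patch should be checked against its actual size: if it is an array, add `lname[sizeof(lname) - 1] = '\0';` after the call and, ideally, pass `sizeof(lname)` instead of a separate constant; if it is a pointer, use the length it was allocated with. Also note that on glibc HOST_NAME_MAX (64) is smaller than MAXHOSTNAMELEN (256), so this change reduces the longest host name the GSSAPI credential acquisition will accept — worth a header line in the patch stating that this is a portability fix for libcs that do not define MAXHOSTNAMELEN, if that is the motivation (inferred, confirm). `ssh_gssapi_acquire_cred` starts before and continues after the hunk.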


@ -0,0 +1,54 @@
diff -ur '--exclude=.*.un~' a/openssh-9.0p1+x509-13.4.1.diff b/openssh-9.0p1+x509-13.4.1.diff
--- a/openssh-9.0p1+x509-13.4.1.diff 2022-06-23 10:43:33.957093896 -0700
+++ b/openssh-9.0p1+x509-13.4.1.diff 2022-06-23 10:44:17.232396805 -0700
@@ -48941,8 +48941,8 @@
gss_create_empty_oid_set(&status, &oidset);
gss_add_oid_set_member(&status, ctx->oid, &oidset);
-- if (gethostname(lname, MAXHOSTNAMELEN)) {
-+ if (gethostname(lname, MAXHOSTNAMELEN) == -1) {
+- if (gethostname(lname, HOST_NAME_MAX)) {
++ if (gethostname(lname, HOST_NAME_MAX) == -1) {
gss_release_oid_set(&status, &oidset);
return (-1);
}
@@ -57102,12 +57102,11 @@
install-files:
$(MKDIR_P) $(DESTDIR)$(bindir)
-@@ -395,6 +372,8 @@
+@@ -395,6 +372,7 @@
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
$(MKDIR_P) $(DESTDIR)$(libexecdir)
+ $(MKDIR_P) $(DESTDIR)$(sshcadir)
-+ $(MKDIR_P) $(DESTDIR)$(piddir)
$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
@@ -78638,7 +78637,7 @@
+if test "$sshd_type" = "pkix" ; then
+ unset_arg=''
+else
-+ unset_arg=none
++ unset_arg=''
+fi
+
cat > $OBJ/sshd_config.i << _EOF
@@ -143777,16 +143776,6 @@
+int asnmprintf(char **, size_t, int *, const char *, ...)
__attribute__((format(printf, 4, 5)));
void msetlocale(void);
-diff -ruN openssh-9.0p1/version.h openssh-9.0p1+x509-13.4.1/version.h
---- openssh-9.0p1/version.h 2022-04-06 03:47:48.000000000 +0300
-+++ openssh-9.0p1+x509-13.4.1/version.h 2022-06-23 09:07:00.000000000 +0300
-@@ -2,5 +2,4 @@
-
- #define SSH_VERSION "OpenSSH_9.0"
-
--#define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
diff -ruN openssh-9.0p1/version.m4 openssh-9.0p1+x509-13.4.1/version.m4
--- openssh-9.0p1/version.m4 1970-01-01 02:00:00.000000000 +0200
+++ openssh-9.0p1+x509-13.4.1/version.m4 2022-06-23 09:07:00.000000000 +0300
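Review bot: This glue targets `openssh-9.0p1+x509-13.4.1.diff`, whereas the ebuild in the same commit sets `X509_VER="13.5"` and fetches `${X509_GLUE_PATCH}.xz` from dev.gentoo.org, so it is not clear from the page whether this file is still applied by anything; if it is kept only to mirror upstream's files/ directory, a header line saying so would avoid a future cleanup guessing. The first hunk rewrites the X509 diff's `gethostname` lines to `HOST_NAME_MAX` so the X509 diff still applies after the `gss-use-HOST_NAME_MAX` patch in `PATCHES`, and that ordering dependency is invisible from the patch itself; a preamble such as `Regenerate when openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch changes: this keeps the X509 diff applying on top of it.` would document it. In the `unset_arg` hunk both branches of `if test "$sshd_type" = "pkix"` now assign `''`, leaving the conditional with no effect — presumably a minimal-touch edit of the third-party diff, which is worth stating so nobody "fixes" it.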


@ -0,0 +1,13 @@
diff --git a/openbsd-compat/regress/Makefile.in b/openbsd-compat/regress/Makefile.in
index dd8cdc4b7..c446f0aa2 100644
--- a/openbsd-compat/regress/Makefile.in
+++ b/openbsd-compat/regress/Makefile.in
@@ -10,7 +10,7 @@ CFLAGS=@CFLAGS@
CPPFLAGS=-I. -I.. -I../.. -I$(srcdir) -I$(srcdir)/.. -I$(srcdir)/../.. @CPPFLAGS@ @DEFS@
EXEEXT=@EXEEXT@
LIBCOMPAT=../libopenbsd-compat.a
-LIBS=@LIBS@
+LIBS=@LIBS@ -lssl -lcrypto
LDFLAGS=@LDFLAGS@ $(LIBCOMPAT)
TESTPROGS=closefromtest$(EXEEXT) snprintftest$(EXEEXT) strduptest$(EXEEXT) \
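Review bot: Hard-coding `-lssl -lcrypto` into `LIBS` ignores how configure was run: the ebuild makes OpenSSL optional (`$(use_with ssl openssl)`, `+ssl` in IUSE) and runs `compat-tests` unconditionally, so a `USE=-ssl` build would presumably fail to link these regress programs when the libraries are absent. If the link failure only exists when OpenSSL is configured in, the addition should follow configure's OpenSSL result rather than be unconditional, and a one-line comment above the change naming the undefined symbols it fixes would help when the patch is revisited at the next bump. The rest of the Makefile is outside the hunk.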


@ -1,100 +0,0 @@
#!/sbin/openrc-run
# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
extra_commands="checkconfig"
extra_started_commands="reload"
: ${SSHD_CONFDIR:=${RC_PREFIX%/}/etc/ssh}
: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config}
: ${SSHD_PIDFILE:=${RC_PREFIX%/}/run/${SVCNAME}.pid}
: ${SSHD_BINARY:=${RC_PREFIX%/}/usr/sbin/sshd}
: ${SSHD_KEYGEN_BINARY:=${RC_PREFIX%/}/usr/bin/ssh-keygen}
command="${SSHD_BINARY}"
pidfile="${SSHD_PIDFILE}"
command_args="${SSHD_OPTS} -o PidFile=${pidfile} -f ${SSHD_CONFIG}"
# Wait one second (length chosen arbitrarily) to see if sshd actually
# creates a PID file, or if it crashes for some reason like not being
# able to bind to the address in ListenAddress (bug 617596).
: ${SSHD_SSD_OPTS:=--wait 1000}
start_stop_daemon_args="${SSHD_SSD_OPTS}"
depend() {
# Entropy can be used by ssh-keygen, among other things, but
# is not strictly required (bug 470020).
use logger dns entropy
if [ "${rc_need+set}" = "set" ] ; then
: # Do nothing, the user has explicitly set rc_need
else
local x warn_addr
for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do
case "${x}" in
0.0.0.0|0.0.0.0:*) ;;
::|\[::\]*) ;;
*) warn_addr="${warn_addr} ${x}" ;;
esac
done
if [ -n "${warn_addr}" ] ; then
need net
ewarn "You are binding an interface in ListenAddress statement in your sshd_config!"
ewarn "You must add rc_need=\"net.FOO\" to your ${RC_PREFIX%/}/etc/conf.d/sshd"
ewarn "where FOO is the interface(s) providing the following address(es):"
ewarn "${warn_addr}"
fi
fi
}
checkconfig() {
checkpath --mode 0755 --directory "${RC_PREFIX%/}/var/empty"
if [ ! -e "${SSHD_CONFIG}" ] ; then
eerror "You need an ${SSHD_CONFIG} file to run sshd"
eerror "There is a sample file in /usr/share/doc/openssh"
return 1
fi
${SSHD_KEYGEN_BINARY} -A || return 2
"${command}" -t ${command_args} || return 3
}
start_pre() {
# Make sure that the user's config isn't busted before we try
# to start the daemon (this will produce better error messages
# than if we just try to start it blindly).
#
# We always need to call checkconfig because this function will
# also generate any missing host key and you can start a
# non-running service with "restart" argument.
checkconfig || return $?
}
stop_pre() {
if [ "${RC_CMD}" = "restart" ] ; then
# If this is a restart, check to make sure the user's config
# isn't busted before we stop the running daemon.
checkconfig || return $?
elif yesno "${RC_GOINGDOWN}" && [ -s "${pidfile}" ] && hash pgrep 2>/dev/null ; then
# Disconnect any clients before killing the master process
local pid=$(cat "${pidfile}" 2>/dev/null)
if [ -n "${pid}" ] ; then
local ssh_session_pattern='sshd: \S.*@pts/[0-9]+'
IFS="${IFS}@"
local daemon pid pty user
pgrep -a -P ${pid} -f "$ssh_session_pattern" | while read pid daemon user pty ; do
ewarn "Found ${daemon%:} session ${pid} on ${pty}; sending SIGTERM ..."
kill "${pid}" || true
done
fi
fi
}
reload() {
checkconfig || return $?
ebegin "Reloading ${SVCNAME}"
start-stop-daemon --signal HUP --pidfile "${pidfile}"
eend $?
}


@ -1,11 +1,11 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer type="project">
<email>base-system@gentoo.org</email>
<name>Gentoo Base System</name>
</maintainer>
<longdescription>
<maintainer type="project">
<email>base-system@gentoo.org</email>
<name>Gentoo Base System</name>
</maintainer>
<longdescription>
OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools that
increasing numbers of people on the Internet are coming to rely on. Many users of telnet,
rlogin, ftp, and other such programs might not realize that their password is transmitted
@ -18,20 +18,20 @@ The OpenSSH suite includes the ssh program which replaces rlogin and telnet, scp
replaces rcp, and sftp which replaces ftp. Also included is sshd which is the server side of
the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign, ssh-keyscan,
ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0.
</longdescription>
<use>
<flag name="bindist">Disable EC/RC5 algorithms in OpenSSL for patent reasons.</flag>
<flag name="scp">Enable scp command with known security problems. See bug 733802</flag>
<flag name="hpn">Enable high performance ssh</flag>
<flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>
<flag name="livecd">Enable root password logins for live-cd environment.</flag>
<flag name="security-key">Include builtin U2F/FIDO support</flag>
<flag name="ssl">Enable additional crypto algorithms via OpenSSL</flag>
<flag name="X509">Adds support for X.509 certificate authentication</flag>
<flag name="xmss">Enable XMSS post-quantum authentication algorithm</flag>
</use>
<upstream>
<remote-id type="cpe">cpe:/a:openbsd:openssh</remote-id>
<remote-id type="sourceforge">hpnssh</remote-id>
</upstream>
</longdescription>
<use>
<flag name="scp">Enable scp command with known security problems. See bug 733802</flag>
<flag name="hpn">Enable high performance ssh</flag>
<flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>
<flag name="livecd">Enable root password logins for live-cd environment.</flag>
<flag name="security-key">Include builtin U2F/FIDO support</flag>
<flag name="ssl">Enable additional crypto algorithms via OpenSSL</flag>
<flag name="X509">Adds support for X.509 certificate authentication</flag>
<flag name="xmss">Enable XMSS post-quantum authentication algorithm</flag>
</use>
<upstream>
<remote-id type="cpe">cpe:/a:openbsd:openssh</remote-id>
<remote-id type="github">openssh/openssh-portable</remote-id>
<remote-id type="sourceforge">hpnssh</remote-id>
</upstream>
</pkgmetadata>


@ -1,9 +1,9 @@
# Copyright 1999-2021 Gentoo Authors
# Copyright 1999-2022 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
inherit user-info flag-o-matic autotools pam systemd toolchain-funcs
inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig
# Make it more portable between straight releases
# and _p? releases.
@ -19,24 +19,39 @@ HPN_PATCHES=(
${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
)
HPN_GLUE_PATCH="${PN}-9.1_p1-hpn-${HPN_VER}-glue.patch"
SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
X509_VER="13.2.3" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
SCTP_VER="1.2"
SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
X509_VER="13.5"
X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
X509_GLUE_PATCH="${P}-X509-glue-${X509_VER}.patch"
X509_HPN_GLUE_PATCH="${PN}-9.1_p1-hpn-${HPN_VER}-X509-glue.patch"
DESCRIPTION="Port of OpenBSD's free SSH release"
HOMEPAGE="https://www.openssh.com/"
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
${HPN_VER:+hpn? (
$(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}")
https://dev.gentoo.org/~chutzpah/dist/openssh/${HPN_GLUE_PATCH}.xz
)}
${X509_PATCH:+X509? (
https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH}
https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_GLUE_PATCH}.xz
${HPN_VER:+hpn? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${X509_HPN_GLUE_PATCH}.xz )}
)}
verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )
"
VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssh.org.asc
S="${WORKDIR}/${PARCH}"
LICENSE="BSD GPL-2"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
# Probably want to drop ssl defaulting to on in a future version.
IUSE="abi_mips_n32 audit debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss"
RESTRICT="!test? ( test )"
@ -53,11 +68,13 @@ REQUIRED_USE="
# tests currently fail with XMSS
REQUIRED_USE+="test? ( !xmss )"
# Blocker on older gcc-config for bug #872416
LIB_DEPEND="
!<sys-devel/gcc-config-2.6
audit? ( sys-process/audit[static-libs(+)] )
ldns? (
net-libs/ldns[static-libs(+)]
net-libs/ldns[ecdsa,ssl(+)]
net-libs/ldns[ecdsa(+),ssl(+)]
)
libedit? ( dev-libs/libedit:=[static-libs(+)] )
sctp? ( net-misc/lksctp-tools[static-libs(+)] )
@ -81,27 +98,45 @@ DEPEND="${RDEPEND}
"
RDEPEND="${RDEPEND}
pam? ( >=sys-auth/pambase-20081028 )
userland_GNU? ( !prefix? ( sys-apps/shadow ) )
!prefix? ( sys-apps/shadow )
X? ( x11-apps/xauth )
"
# Weird dep construct for newer gcc-config for bug #872416
BDEPEND="
virtual/pkgconfig
sys-devel/autoconf
virtual/pkgconfig
|| (
>=sys-devel/gcc-config-2.6
>=sys-devel/clang-toolchain-symlinks-14-r1:14
>=sys-devel/clang-toolchain-symlinks-15-r1:15
>=sys-devel/clang-toolchain-symlinks-16-r1:*
)
verify-sig? ( sec-keys/openpgp-keys-openssh )
"
PATCHES=(
"${FILESDIR}/${PN}-7.9_p1-include-stdlib.patch"
"${FILESDIR}/${PN}-8.7_p1-GSSAPI-dns.patch" #165444 integrated into gsskex
"${FILESDIR}/${PN}-6.7_p1-openssl-ignore-status.patch"
"${FILESDIR}/${PN}-7.5_p1-disable-conch-interop-tests.patch"
"${FILESDIR}/${PN}-8.0_p1-fix-putty-tests.patch"
"${FILESDIR}/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch"
"${FILESDIR}/${PN}-8.9_p1-allow-ppoll_time64.patch" #834019
"${FILESDIR}/${PN}-8.9_p1-gss-use-HOST_NAME_MAX.patch" #834044
"${FILESDIR}/${PN}-9.1_p1-build-tests.patch"
)
pkg_pretend() {
# this sucks, but i'd rather have people unable to `emerge -u openssh`
# than not be able to log in to their server any more
maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
local fail="
$(use hpn && maybe_fail hpn HPN_VER)
$(use sctp && maybe_fail sctp SCTP_PATCH)
$(use X509 && maybe_fail X509 X509_PATCH)
"
fail=$(echo ${fail})
if [[ -n ${fail} ]] ; then
local missing=()
check_feature() { use "${1}" && [[ -z ${!2} ]] && missing+=( "${1}" ); }
check_feature hpn HPN_VER
check_feature sctp SCTP_PATCH
check_feature X509 X509_PATCH
if [[ ${#missing[@]} -ne 0 ]] ; then
eerror "Sorry, but this version does not yet support features"
eerror "that you requested: ${fail}"
eerror "that you requested: ${missing[*]}"
eerror "Please mask ${PF} for now and check back later:"
eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
die "Missing requested third party patch."
@ -114,6 +149,13 @@ pkg_pretend() {
fi
}
src_unpack() {
default
# We don't have signatures for HPN, X509, so we have to write this ourselves
use verify-sig && verify-sig_verify_detached "${DISTDIR}"/${PARCH}.tar.gz{,.asc}
}
src_prepare() {
sed -i \
-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
@ -122,12 +164,7 @@ src_prepare() {
# don't break .ssh/authorized_keys2 for fun
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
eapply "${FILESDIR}"/${PN}-8.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
eapply "${PATCHES[@]}"
[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
@ -135,10 +172,11 @@ src_prepare() {
if use X509 ; then
pushd "${WORKDIR}" &>/dev/null || die
eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
eapply "${WORKDIR}/${X509_GLUE_PATCH}"
popd &>/dev/null || die
eapply "${WORKDIR}"/${X509_PATCH%.*}
eapply "${FILESDIR}/${PN}-9.0_p1-X509-uninitialized-delay.patch"
# We need to patch package version or any X.509 sshd will reject our ssh client
# with "userauth_pubkey: could not parse key: string is too large [preauth]"
@ -175,8 +213,8 @@ src_prepare() {
mkdir "${hpn_patchdir}" || die
cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
pushd "${hpn_patchdir}" &>/dev/null || die
eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-glue.patch
use X509 && eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-X509-glue.patch
eapply "${WORKDIR}/${HPN_GLUE_PATCH}"
use X509 && eapply "${WORKDIR}/${X509_HPN_GLUE_PATCH}"
use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
popd &>/dev/null || die
@ -295,14 +333,13 @@ src_configure() {
# We apply the sctp patch conditionally, so can't pass --without-sctp
# unconditionally else we get unknown flag warnings.
$(use sctp && use_with sctp)
$(use_with ldns ldns "${EPREFIX}"/usr)
$(use_with ldns)
$(use_with libedit)
$(use_with pam)
$(use_with pie)
$(use_with selinux)
$(usex X509 '' "$(use_with security-key security-key-builtin)")
$(use_with ssl openssl)
$(use_with ssl md5-passwords)
$(use_with ssl ssl-engine)
$(use_with !elibc_Cygwin hardening) #659210
)
@ -313,41 +350,27 @@ src_configure() {
myconf+=( --disable-utmp --disable-wtmp )
fi
# The seccomp sandbox is broken on x32, so use the older method for now. #553748
use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
# Workaround for Clang 15 miscompilation with -fzero-call-used-regs=all
# bug #869839 (https://github.com/llvm/llvm-project/issues/57692)
tc-is-clang && myconf+=( --without-hardening )
econf "${myconf[@]}"
}
src_test() {
local t skipped=() failed=() passed=()
local tests=( interop-tests compat-tests )
local tests=( compat-tests )
local shell=$(egetshell "${UID}")
if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
elog "user, so we will run a subset only."
skipped+=( tests )
ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
ewarn "user, so we will run a subset only."
tests+=( interop-tests )
else
tests+=( tests )
fi
# It will also attempt to write to the homedir .ssh.
local sshhome=${T}/homedir
mkdir -p "${sshhome}"/.ssh
for t in "${tests[@]}" ; do
# Some tests read from stdin ...
HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \
SUDO="" SSH_SK_PROVIDER="" \
TEST_SSH_UNSAFE_PERMISSIONS=1 \
emake -k -j1 ${t} </dev/null \
&& passed+=( "${t}" ) \
|| failed+=( "${t}" )
done
einfo "Passed tests: ${passed[*]}"
[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
[[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1
mkdir -p "${HOME}"/.ssh || die
emake -j1 "${tests[@]}" </dev/null
}
# Gentoo tweaks to default config files.
@ -416,13 +439,6 @@ src_install() {
diropts -m 0700
dodir /etc/skel/.ssh
# https://bugs.gentoo.org/733802
if ! use scp; then
rm -f "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \
|| die "failed to remove scp"
fi
rmdir "${ED}"/var/empty || die
systemd_dounit "${FILESDIR}"/sshd.{service,socket}
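Review bot: `tc-is-clang && myconf+=( --without-hardening )` in src_configure disables OpenSSH's whole `--with-hardening` flag set for every Clang version, while the referenced bug #869839 / llvm issue 57692 concerns a Clang 15 miscompile of `-fzero-call-used-regs=all`; as far as I recall of OpenSSH's configure, that set also covers stack-protector and linker hardening, and because this entry comes after `$(use_with !elibc_Cygwin hardening)` in `myconf`, the later option presumably wins. Scoping the workaround to the affected major version keeps hardening on other Clang releases: `tc-is-clang && [[ $(clang-major-version) -eq 15 ]] && myconf+=( --without-hardening )` (`clang-major-version` comes from the already-inherited toolchain-funcs). A comment stating that the entire hardening set is dropped, not only the one flag, would help whoever removes this once the miscompile is fixed.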


@ -21,8 +21,6 @@
=app-editors/vim-9.0.0655-r1 ~amd64 ~arm64
=app-editors/vim-core-9.0.0655 ~amd64 ~arm64
=net-misc/openssh-8.8_p1-r3 ~amd64 ~arm64
# Required for addressing CVE-2022-29154
=net-misc/rsync-3.2.6 ~amd64 ~arm64


@ -128,11 +128,6 @@ dev-lang/perl minimal
# Remove support for GObject introspection
sys-auth/polkit -introspection
# `bindist` pulls patches from https://dev.gentoo.org/~whissi/dist/openssl/
# and there is no patches for opensslv3 at the moment.
# https://marc.info/?l=gentoo-dev&m=163216172229772&w=2
net-misc/openssh -bindist
# enables ELF support to e.g. allow tc to handle BPF filters.
sys-apps/iproute2 elf