From 1d4139c1f068712c330d1fc89e278061eb1ab511 Mon Sep 17 00:00:00 2001
From: David Michael
Date: Tue, 31 Jan 2017 17:55:34 -0800
Subject: [PATCH 1/2] net-misc/openssh: sync with the latest Gentoo ebuild

---
 .../coreos-overlay/net-misc/openssh/Manifest | 8 +-
 .../openssh-7.3_p1-fix-krb5-config.patch | 25 --
 .../files/openssh-7.4_p1-GSSAPI-dns.patch | 351 ++++++++++++++++++
 .../files/openssh-7.4_p1-test-bashism.patch | 29 ++
 ...7.3_p1-r7.ebuild => openssh-7.4_p1.ebuild} | 119 +++--
 5 files changed, 431 insertions(+), 101 deletions(-)
 delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-fix-krb5-config.patch
 create mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.4_p1-GSSAPI-dns.patch
 create mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.4_p1-test-bashism.patch
 rename sdk_container/src/third_party/coreos-overlay/net-misc/openssh/{openssh-7.3_p1-r7.ebuild => openssh-7.4_p1.ebuild} (74%)

diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest
index 178acced05..33a05ab1f4 100644
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest
@@ -1,4 +1,4 @@
-DIST openssh-7.3_p1-sctp.patch.xz 9968 SHA256 18c3db45ed1e5495db29626938d8432aee509e88057494f052cfc09d40824c7f SHA512 f249b76898af0c6f1f65f2a1cfb422648aa712818d0dc051b85a171f26bdddf7980fff5de7761161aa41c309e528b3801b4234f5cdd9f79f8eef173ae83f1e3c WHIRLPOOL 1d92b969154b77d8ce9e3a6d0302aa17ec95e2d5ea4de72c0fb5680a8ee12f518ee5b1c47f22ad5d1a923a74c43829ed36cf478fe75fe400de967ab48d93dc99
-DIST openssh-7.3p1+x509-9.2.diff.gz 588078 SHA256 45f054cbb2b77ac8cc7ab01439e34083382137d47b840ca274555b7e2cf7098b SHA512 fab0da148b0833a651e8a7c36f344aacecef6fa92f8f1cb6302272d98c1ab018831f5850dcaa8f54a39f9ada9b7d5b0a0ea01defc3c6f603bbe211f6bff6a841 WHIRLPOOL 53f63d879f563909c57d23ced273e23eda1eace2a2ddfd54edf5f2ef15218cc7e5d927e54714b6850db541f361c459de50d79b0a4516b43ce4cba8eb66b49485
-DIST openssh-7.3p1.tar.gz 1522617 SHA256 3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc SHA512 7ba2d6140f38bd359ebf32ef17626e0ae1c00c3a38c01877b7c6b0317d030f10a8f82a0a51fc3b6273619de9ed73e24b8cf107b1e968f927053a3bedf97ff801 WHIRLPOOL f852026638d173d455f74e3fce16673fc4b10f32d954d5bb8c7c65df8d1ca7efd0938177dd9fb6e1f7354383f21c7bca8a2f01e89793e32f8ca68c30456a611c
-DIST openssh-lpk-7.3p1-0.3.14.patch.xz 17800 SHA256 cf1f60235cb8b0e561cd36cbf9e4f437e16fd748c2616d3f511c128c02deb76c SHA512 e9a73c5f13e41f6e11c744fdbcdb2e399c394479f79249e901cb3c101efb06f23d51d3ba4869db872184fa034a5910fc93a730fe906266c8d7409e39ad5b1ecd WHIRLPOOL bbdeadbed8f901148713bd9e4a082a4be2992c3151f995febd8be89bbb85d91185e1f0413b5a94a9340f2f404d18c9cee2aa6e032adaee0306aa1c624f6cc09c
+DIST openssh-7.4_p1-sctp.patch.xz 8220 SHA256 18fa77f79ccae8b9a76bc877e9602113d91953bd487b6cc8284bfd1217438a23 SHA512 0c199e3b26949482125aeaa88216b2458292589e3eac8908d9134d13a1cae891094fcb0f752ed3009b3126cc72277b460205f39140c251792eb1b545271c3bd4 WHIRLPOOL 0f0ea1d36523b35d3be33d22fb84daa05fd14c464d69c19695235f81d26326bc53d6804bf34d0cc0c2584f412bfdac361d2b018032447d1033a4ff4fd9458a09
+DIST openssh-7.4p1+x509-9.3.diff.gz 446572 SHA256 1d3fd23b3d02a3baad50890bf5498ef01af6dab6375da0aeb00a0d59fd3ac9ee SHA512 7ebc8d1f6ec36d652bbb6fb13d6d86f7db1abf8710af7b56c52fad9a18d73c9028a3307daabfdda26483a3bd9196120f6d18b6fb2c89b597b0a9ad0554161dfc WHIRLPOOL f878346a3154b7dbb01de41830d5857064af96d3a709aed40a112fe9aaadbe4801e5c3a22a1d2c8437b74a890596211be37e26d691ff611981d7375d262598c1
+DIST openssh-7.4p1.tar.gz 1511780 SHA256 1b1fc4a14e2024293181924ed24872e6f2e06293f3e8926a376b8aec481f19d1 SHA512 4f3256f461f01366c5d5e0e45285eec65016e2643b3284b407f48f53d81087bf2c1caf7d5f7530d307a15c91c64de91446e1cba948e8fc68f82098290fe3b292 WHIRLPOOL 4ed9a277287d1f5c2fd371b53394d6dde36b25adf92d4b6b5b486a9d448648f2ecfbb721ae39ba8a129913c1148aa4db1e99f7960a7c69fa215dfa7b3b126029
+DIST openssh-lpk-7.4p1-0.3.14.patch.xz 17076 SHA256 3a5e4104507d259ad15391136322ea5d067d7932199bbafde5cb478daf3595ad SHA512 1c91de291816ee0bb29ed3a2ffc42fb6fb4ba27a8616f8bd50accdf31d1fecc9b4fb3de6fb1ea6e722b69eb8cab68030ade87e126a4112667d14f3c2ef07d6cd WHIRLPOOL ea27224da952c6fe46b974a0e73d01e872a963e7e7cc7e9887a423357fb4ff82f4513ce48b6bbf7136afa8447bc6d93daa817cf5b2e24cb39dba15cbcff6d2cc
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-fix-krb5-config.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-fix-krb5-config.patch
deleted file mode 100644
index 2b99ac8bfe..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-fix-krb5-config.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 56d0bb7810042e3967a377cda4e321685e173969 Mon Sep 17 00:00:00 2001
-From: David Michael
-Date: Tue, 6 Dec 2016 17:52:31 -0800
-Subject: [PATCH] Find a host-prefixed krb5-config when cross-compiling
----
- configure.ac | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/configure.ac b/configure.ac
-index 88c4633..4d9382c 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -4151,7 +4151,7 @@ AC_ARG_WITH([kerberos5],
- AC_DEFINE([KRB5], [1], [Define if you want Kerberos 5 support])
- KRB5_MSG="yes"
-
-- AC_PATH_PROG([KRB5CONF], [krb5-config],
-+ AC_PATH_TOOL([KRB5CONF], [krb5-config],
- [$KRB5ROOT/bin/krb5-config],
- [$KRB5ROOT/bin:$PATH])
- if test -x $KRB5CONF ; then
---
-2.7.4
-
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.4_p1-GSSAPI-dns.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.4_p1-GSSAPI-dns.patch
new file mode 100644
index 0000000000..ec2a6d8949
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.4_p1-GSSAPI-dns.patch
@@ -0,0 +1,351 @@
+http://bugs.gentoo.org/165444
+https://bugzilla.mindrot.org/show_bug.cgi?id=1008
+
+--- a/readconf.c
++++ b/readconf.c
+@@ -148,6 +148,7 @@
+ oClearAllForwardings, oNoHostAuthenticationForLocalhost,
+ oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
+ oAddressFamily, oGssAuthentication, oGssDelegateCreds,
++ oGssTrustDns,
+ oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
+ oSendEnv, oControlPath, oControlMaster, oControlPersist,
+ oHashKnownHosts,
+@@ -194,9 +195,11 @@
+ #if defined(GSSAPI)
+ { "gssapiauthentication", oGssAuthentication },
+ { "gssapidelegatecredentials", oGssDelegateCreds },
++ { "gssapitrustdns", oGssTrustDns },
+ #else
+ { "gssapiauthentication", oUnsupported },
+ { "gssapidelegatecredentials", oUnsupported },
++ { "gssapitrustdns", oUnsupported },
+ #endif
+ { "fallbacktorsh", oDeprecated },
+ { "usersh", oDeprecated },
+@@ -930,6 +933,10 @@
+ intptr = &options->gss_deleg_creds;
+ goto parse_flag;
+
++ case oGssTrustDns:
++ intptr = &options->gss_trust_dns;
++ goto parse_flag;
++
+ case oBatchMode:
+ intptr = &options->batch_mode;
+ goto parse_flag;
+@@ -1649,6 +1656,7 @@
+ options->challenge_response_authentication = -1;
+ options->gss_authentication = -1;
+ options->gss_deleg_creds = -1;
++ options->gss_trust_dns = -1;
+ options->password_authentication = -1;
+ options->kbd_interactive_authentication = -1;
+ options->kbd_interactive_devices = NULL;
+@@ -1779,6 +1787,8 @@
+ options->gss_authentication = 0;
+ if (options->gss_deleg_creds == -1)
+ options->gss_deleg_creds = 0;
++ if (options->gss_trust_dns == -1)
++ options->gss_trust_dns = 0;
+ if (options->password_authentication == -1)
+ options->password_authentication = 1;
+ if (options->kbd_interactive_authentication == -1)
+--- a/readconf.h
++++ b/readconf.h
+@@ -46,6 +46,7 @@
+ /* Try S/Key or TIS, authentication. */
+ int gss_authentication; /* Try GSS authentication */
+ int gss_deleg_creds; /* Delegate GSS credentials */
++ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
+ int password_authentication; /* Try password
+ * authentication. */
+ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -830,6 +830,16 @@
+ Forward (delegate) credentials to the server.
+ The default is
+ .Cm no .
++Note that this option applies to protocol version 2 connections using GSSAPI.
++.It Cm GSSAPITrustDns
++Set to
++.Dq yes to indicate that the DNS is trusted to securely canonicalize
++the name of the host being connected to. If
++.Dq no, the hostname entered on the
++command line will be passed untouched to the GSSAPI library.
++The default is
++.Dq no .
++This option only applies to protocol version 2 connections using GSSAPI.
+ .It Cm HashKnownHosts
+ Indicates that
+ .Xr ssh 1
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -656,6 +656,13 @@
+ static u_int mech = 0;
+ OM_uint32 min;
+ int ok = 0;
++ const char *gss_host;
++
++ if (options.gss_trust_dns) {
++ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
++ gss_host = auth_get_canonical_hostname(active_state, 1);
++ } else
++ gss_host = authctxt->host;
+
+ /* Try one GSSAPI method at a time, rather than sending them all at
+ * once. */
+@@ -668,7 +674,7 @@
+ /* My DER encoding requires length<128 */
+ if (gss_supported->elements[mech].length < 128 &&
+ ssh_gssapi_check_mechanism(&gssctxt,
+- &gss_supported->elements[mech], authctxt->host)) {
++ &gss_supported->elements[mech], gss_host)) {
+ ok = 1; /* Mechanism works */
+ } else {
+ mech++;
+
+need to move these two funcs back to canohost so they're available to clients
+and the server. auth.c is only used in the server.
+
+--- a/auth.c
++++ b/auth.c
+@@ -784,117 +784,3 @@ fakepw(void)
+
+ return (&fake);
+ }
+-
+-/*
+- * Returns the remote DNS hostname as a string. The returned string must not
+- * be freed. NB. this will usually trigger a DNS query the first time it is
+- * called.
+- * This function does additional checks on the hostname to mitigate some
+- * attacks on legacy rhosts-style authentication.
+- * XXX is RhostsRSAAuthentication vulnerable to these?
+- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
+- */
+-
+-static char *
+-remote_hostname(struct ssh *ssh)
+-{
+- struct sockaddr_storage from;
+- socklen_t fromlen;
+- struct addrinfo hints, *ai, *aitop;
+- char name[NI_MAXHOST], ntop2[NI_MAXHOST];
+- const char *ntop = ssh_remote_ipaddr(ssh);
+-
+- /* Get IP address of client. */
+- fromlen = sizeof(from);
+- memset(&from, 0, sizeof(from));
+- if (getpeername(ssh_packet_get_connection_in(ssh),
+- (struct sockaddr *)&from, &fromlen) < 0) {
+- debug("getpeername failed: %.100s", strerror(errno));
+- return strdup(ntop);
+- }
+-
+- ipv64_normalise_mapped(&from, &fromlen);
+- if (from.ss_family == AF_INET6)
+- fromlen = sizeof(struct sockaddr_in6);
+-
+- debug3("Trying to reverse map address %.100s.", ntop);
+- /* Map the IP address to a host name. */
+- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
+- NULL, 0, NI_NAMEREQD) != 0) {
+- /* Host name not found. Use ip address. */
+- return strdup(ntop);
+- }
+-
+- /*
+- * if reverse lookup result looks like a numeric hostname,
+- * someone is trying to trick us by PTR record like following:
+- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
+- */
+- memset(&hints, 0, sizeof(hints));
+- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
+- hints.ai_flags = AI_NUMERICHOST;
+- if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
+- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
+- name, ntop);
+- freeaddrinfo(ai);
+- return strdup(ntop);
+- }
+-
+- /* Names are stored in lowercase. */
+- lowercase(name);
+-
+- /*
+- * Map it back to an IP address and check that the given
+- * address actually is an address of this host. This is
+- * necessary because anyone with access to a name server can
+- * define arbitrary names for an IP address. Mapping from
+- * name to IP address can be trusted better (but can still be
+- * fooled if the intruder has access to the name server of
+- * the domain).
+- */
+- memset(&hints, 0, sizeof(hints));
+- hints.ai_family = from.ss_family;
+- hints.ai_socktype = SOCK_STREAM;
+- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
+- logit("reverse mapping checking getaddrinfo for %.700s "
+- "[%s] failed.", name, ntop);
+- return strdup(ntop);
+- }
+- /* Look for the address from the list of addresses. */
+- for (ai = aitop; ai; ai = ai->ai_next) {
+- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
+- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
+- (strcmp(ntop, ntop2) == 0))
+- break;
+- }
+- freeaddrinfo(aitop);
+- /* If we reached the end of the list, the address was not there. */
+- if (ai == NULL) {
+- /* Address not found for the host name. */
+- logit("Address %.100s maps to %.600s, but this does not "
+- "map back to the address.", ntop, name);
+- return strdup(ntop);
+- }
+- return strdup(name);
+-}
+-
+-/*
+- * Return the canonical name of the host in the other side of the current
+- * connection. The host name is cached, so it is efficient to call this
+- * several times.
+- */
+-
+-const char *
+-auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
+-{
+- static char *dnsname;
+-
+- if (!use_dns)
+- return ssh_remote_ipaddr(ssh);
+- else if (dnsname != NULL)
+- return dnsname;
+- else {
+- dnsname = remote_hostname(ssh);
+- return dnsname;
+- }
+-}
+--- a/canohost.c
++++ b/canohost.c
+@@ -202,3 +202,117 @@ get_local_port(int sock)
+ {
+ return get_sock_port(sock, 1);
+ }
++
++/*
++ * Returns the remote DNS hostname as a string. The returned string must not
++ * be freed. NB. this will usually trigger a DNS query the first time it is
++ * called.
++ * This function does additional checks on the hostname to mitigate some
++ * attacks on legacy rhosts-style authentication.
++ * XXX is RhostsRSAAuthentication vulnerable to these?
++ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
++ */
++
++static char *
++remote_hostname(struct ssh *ssh)
++{
++ struct sockaddr_storage from;
++ socklen_t fromlen;
++ struct addrinfo hints, *ai, *aitop;
++ char name[NI_MAXHOST], ntop2[NI_MAXHOST];
++ const char *ntop = ssh_remote_ipaddr(ssh);
++
++ /* Get IP address of client. */
++ fromlen = sizeof(from);
++ memset(&from, 0, sizeof(from));
++ if (getpeername(ssh_packet_get_connection_in(ssh),
++ (struct sockaddr *)&from, &fromlen) < 0) {
++ debug("getpeername failed: %.100s", strerror(errno));
++ return strdup(ntop);
++ }
++
++ ipv64_normalise_mapped(&from, &fromlen);
++ if (from.ss_family == AF_INET6)
++ fromlen = sizeof(struct sockaddr_in6);
++
++ debug3("Trying to reverse map address %.100s.", ntop);
++ /* Map the IP address to a host name. */
++ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
++ NULL, 0, NI_NAMEREQD) != 0) {
++ /* Host name not found. Use ip address. */
++ return strdup(ntop);
++ }
++
++ /*
++ * if reverse lookup result looks like a numeric hostname,
++ * someone is trying to trick us by PTR record like following:
++ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
++ */
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
++ hints.ai_flags = AI_NUMERICHOST;
++ if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
++ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
++ name, ntop);
++ freeaddrinfo(ai);
++ return strdup(ntop);
++ }
++
++ /* Names are stored in lowercase. */
++ lowercase(name);
++
++ /*
++ * Map it back to an IP address and check that the given
++ * address actually is an address of this host. This is
++ * necessary because anyone with access to a name server can
++ * define arbitrary names for an IP address. Mapping from
++ * name to IP address can be trusted better (but can still be
++ * fooled if the intruder has access to the name server of
++ * the domain).
++ */
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = from.ss_family;
++ hints.ai_socktype = SOCK_STREAM;
++ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
++ logit("reverse mapping checking getaddrinfo for %.700s "
++ "[%s] failed.", name, ntop);
++ return strdup(ntop);
++ }
++ /* Look for the address from the list of addresses. */
++ for (ai = aitop; ai; ai = ai->ai_next) {
++ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
++ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
++ (strcmp(ntop, ntop2) == 0))
++ break;
++ }
++ freeaddrinfo(aitop);
++ /* If we reached the end of the list, the address was not there. */
++ if (ai == NULL) {
++ /* Address not found for the host name. */
++ logit("Address %.100s maps to %.600s, but this does not "
++ "map back to the address.", ntop, name);
++ return strdup(ntop);
++ }
++ return strdup(name);
++}
++
++/*
++ * Return the canonical name of the host in the other side of the current
++ * connection. The host name is cached, so it is efficient to call this
++ * several times.
++ */
++
++const char *
++auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
++{
++ static char *dnsname;
++
++ if (!use_dns)
++ return ssh_remote_ipaddr(ssh);
++ else if (dnsname != NULL)
++ return dnsname;
++ else {
++ dnsname = remote_hostname(ssh);
++ return dnsname;
++ }
++}
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.4_p1-test-bashism.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.4_p1-test-bashism.patch
new file mode 100644
index 0000000000..3e02b6f8cc
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.4_p1-test-bashism.patch
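Review bot: The `extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);` prototype in the sshconnect2.c part of this patch is declared at block scope inside the GSSAPI method function, even though the same patch moves the definition into canohost.c; a block-scope extern bypasses the header and drifts silently if the signature ever changes, so it belongs in canohost.h with the rest of that file's API. The moved `remote_hostname()` keeps its server-side wording (`/* Get IP address of client. */` and the rhosts-authentication remarks) although the new client-side caller uses it to name the server being connected to; suggest `/* Get IP address of the peer (the server, when called from the ssh client). */` and a one-line note above `auth_get_canonical_hostname` that it is now shared by client and server. The forward-confirmed reverse lookup only makes the name consistent with what DNS answers, it does not authenticate it, so keeping `gss_trust_dns` at 0 by default in the readconf.c part (and `no` in ssh_config.5) is the right choice and worth preserving in future syncs.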
@@ -0,0 +1,29 @@
+https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-December/035604.html
+
+From dca2985bff146f756b0019b17f08c35f28841a04 Mon Sep 17 00:00:00 2001
+From: Mike Frysinger
+Date: Mon, 19 Dec 2016 15:59:00 -0500
+Subject: [PATCH] regress/allow-deny-users.sh: fix bashism in test
+
+The test command uses = for string compares, not ==. Using some POSIX
+shells will reject this statement with an error about an unknown operator.
+---
+ regress/allow-deny-users.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/regress/allow-deny-users.sh b/regress/allow-deny-users.sh
+index 32a269afa97c..86805e19322b 100644
+--- a/regress/allow-deny-users.sh
++++ b/regress/allow-deny-users.sh
+@@ -4,7 +4,7 @@
+ tid="AllowUsers/DenyUsers"
+
+ me="$LOGNAME"
+-if [ "x$me" == "x" ]; then
++if [ "x$me" = "x" ]; then
+ me=`whoami`
+ fi
+ other="nobody"
+--
+2.11.0.rc2
+
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.3_p1-r7.ebuild b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.4_p1.ebuild
similarity index 74%
rename from sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.3_p1-r7.ebuild
rename to sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.4_p1.ebuild
index a9655a1fad..a21ea916d4 100644
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.3_p1-r7.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.4_p1.ebuild
@@ -1,6 +1,5 @@
-# Copyright 1999-2016 Gentoo Foundation
+# Copyright 1999-2017 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Id$
 EAPI="5"
@@ -9,41 +8,38 @@ inherit eutils user flag-o-matic multilib autotools pam systemd versionator
 # Make it more portable between straight releases
 # and _p? releases.
 PARCH=${P/_}
-HPN_PV="${PV}"
-HPN_VER="14.10"
-HPN_PATCH="${PN}-${HPN_PV}-hpn-14.10-r1.patch"
-SCTP_PATCH="${PN}-7.3_p1-sctp.patch.xz"
-LDAP_PATCH="${PN}-lpk-7.3p1-0.3.14.patch.xz"
-X509_VER="9.2" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
+#HPN_PATCH= #"${PARCH}-hpnssh14v12.tar.xz"
+SCTP_PATCH="${PN}-7.4_p1-sctp.patch.xz"
+LDAP_PATCH="${PN}-lpk-7.4p1-0.3.14.patch.xz"
+X509_VER="9.3" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
 DESCRIPTION="Port of OpenBSD's free SSH release"
 HOMEPAGE="http://www.openssh.org/"
 SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
 ${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
- ${HPN_PATCH:+hpn? (
- mirror://gentoo/${HPN_PATCH}.xz
- http://dev.gentoo.org/~chutzpah/${HPN_PATCH}.xz
- )}
+ ${HPN_PATCH:+hpn? ( mirror://gentoo/${HPN_PATCH} )}
 ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
 ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
 "
 LICENSE="BSD GPL-2"
 SLOT="0"
-KEYWORDS="alpha amd64 arm arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
 # Probably want to drop ssl defaulting to on in a future version.
-IUSE="debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"
+IUSE="abi_mips_n32 bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"
 REQUIRED_USE="ldns? ( ssl )
 pie? ( !static )
 ssh1? ( ssl )
 static? ( !kerberos !pam )
- X509? ( !ldap ssl )
+ X509? ( !hpn !ldap !sctp ssl )
 test? ( ssl )"
 LIB_DEPEND="
 ldns? (
- net-libs/ldns[ecdsa,ssl,static-libs(+)]
+ net-libs/ldns[static-libs(+)]
+ !bindist? ( net-libs/ldns[ecdsa,ssl] )
+ bindist? ( net-libs/ldns[-ecdsa,ssl] )
 )
 libedit? ( dev-libs/libedit[static-libs(+)] )
 sctp? ( net-misc/lksctp-tools[static-libs(+)] )
@@ -51,7 +47,7 @@ LIB_DEPEND="
 skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
 ssl? (
 !libressl? (
- >=dev-libs/openssl-0.9.8f:0[-bindist(-)]
+ >=dev-libs/openssl-0.9.8f:0[bindist=]
 dev-libs/openssl:0[static-libs(+)]
 )
 libressl? ( dev-libs/libressl[static-libs(+)] )
@@ -74,7 +70,7 @@ RDEPEND="${RDEPEND}
 S=${WORKDIR}/${PARCH}
-pkg_setup() {
+pkg_pretend() {
 # this sucks, but i'd rather have people unable to `emerge -u openssh`
 # than not be able to log in to their server any more
 maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
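Review bot: `HPN_PATCH` is commented out at the top of this hunk, but `hpn` remains in IUSE (`${HPN_PATCH:++}hpn` only drops the `+` default, not the flag) and neither REQUIRED_USE nor src_prepare rejects USE=hpn, so the `use hpn` block in the `@@ -117,37 +113,26 @@` src_prepare hunk would run `epatch "${WORKDIR}"/` on the empty expansion of `${HPN_PATCH%.*.*}`. With `EPATCH_FORCE="yes" EPATCH_SUFFIX="patch"` that, if I read eutils' directory handling right, applies every `*.patch` already unpacked into `${WORKDIR}` (the sctp and lpk patches) a second time instead of failing with a clear message. Suggest opening that block with `[[ -n ${HPN_PATCH} ]] || die "USE=hpn is not available for ${PV}"`, or dropping `hpn` from IUSE while no HPN patch is defined.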
@@ -117,37 +113,26 @@ src_prepare() {
 sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
 if use X509 ; then
- pushd .. >/dev/null
- if use hpn ; then
- pushd "${WORKDIR}" >/dev/null
- epatch "${FILESDIR}"/${P}-hpn-x509-9.2-glue.patch
- popd >/dev/null
- fi
- epatch "${FILESDIR}"/${PN}-7.3_p1-sctp-x509-glue.patch
- sed -i 's:PKIX_VERSION:SSH_X509:g' "${WORKDIR}"/${X509_PATCH%.*} || die
- popd >/dev/null
 epatch "${WORKDIR}"/${X509_PATCH%.*}
- epatch "${FILESDIR}"/${P}-x509-9.2-warnings.patch
- save_version X509
- else
- # bug #592122, fixed by X509 patch
- epatch "${FILESDIR}"/${P}-fix-ssh1-with-no-ssh1-host-key.patch
+ # We no longer allow X509 to be used with anything else.
+ #save_version X509
 fi
+
 if use ldap ; then
 epatch "${WORKDIR}"/${LDAP_PATCH%.*}
 save_version LPK
 fi
- epatch "${FILESDIR}"/${PN}-7.3_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+ epatch "${FILESDIR}"/${PN}-7.4_p1-GSSAPI-dns.patch #165444 integrated into gsskex
 epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
- epatch "${WORKDIR}"/${SCTP_PATCH%.*}
+ use X509 || epatch "${WORKDIR}"/${SCTP_PATCH%.*}
+ epatch "${FILESDIR}"/${P}-test-bashism.patch
+ use abi_mips_n32 && epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch
 if use hpn ; then
- #EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
- # EPATCH_MULTI_MSG="Applying HPN patchset ..." \
- # epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
- epatch "${WORKDIR}"/${HPN_PATCH}
- epatch "${FILESDIR}"/${P}-hpn-cipher-ctr-mt-no-deadlocks.patch
+ EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
+ EPATCH_MULTI_MSG="Applying HPN patchset ..." \
+ epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
 save_version HPN
 fi
@@ -164,19 +149,12 @@ src_prepare() {
-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
 )
+ # _XOPEN_SOURCE causes header conflicts on Solaris
+ [[ ${CHOST} == *-solaris* ]] && sed_args+=(
+ -e 's/-D_XOPEN_SOURCE//'
+ )
 sed -i "${sed_args[@]}" configure{.ac,} || die
- # 7.3 added seccomp support to MIPS, but failed to handled the N32
- # case. This patch is temporary until upstream fixes. See
- # Gentoo bug #591392 or upstream #2590.
- [[ ${CHOST} == mips64*-linux-* && ${ABI} == "n32" ]] \
- && epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch
-
- epatch "${FILESDIR}"/${P}-NEWKEYS_null_deref.patch # 595342
- epatch "${FILESDIR}"/${P}-Unregister-the-KEXINIT-handler-after-receive.patch # 597360
-
- epatch "${FILESDIR}"/${PN}-7.3_p1-fix-krb5-config.patch
-
 epatch_user #473004
 # Now we can build a sane merged version.h
@@ -213,7 +191,7 @@ src_configure() {
 $(use_with libedit)
 $(use_with pam)
 $(use_with pie)
- $(use_with sctp)
+ $(use X509 || use_with sctp)
 $(use_with selinux)
 $(use_with skey)
 $(use_with ssh1)
@@ -232,6 +210,8 @@ src_install() {
 emake install-nokeys DESTDIR="${D}"
 fperms 600 /etc/ssh/sshd_config
 dobin contrib/ssh-copy-id
+ newinitd "${FILESDIR}"/sshd.rc6.4 sshd
+ newconfd "${FILESDIR}"/sshd.confd sshd
 keepdir /var/empty
 newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
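Review bot: The `@@ -164,19 +149,12 @@` src_prepare hunk drops the two 7.3 security backports, `${P}-NEWKEYS_null_deref.patch` (#595342) and `${P}-Unregister-the-KEXINIT-handler-after-receive.patch` (#597360), together with the cross-compile `${PN}-7.3_p1-fix-krb5-config.patch`, but the commit message only says "sync with the latest Gentoo ebuild". Presumably all three are part of the 7.4p1 release itself (the second commit in this series says as much for the build fix), and recording that for the two security patches in the message or in a comment next to `epatch_user` would spare the next reader a trip through the release notes. src_prepare starts outside the hunk, so I cannot see whether any other 7.3-era patch references remain above it.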
@@ -279,37 +259,32 @@ src_install() {
 }
 src_test() {
- local t tests skipped failed passed shell
- tests="interop-tests compat-tests"
- skipped=""
- shell=$(egetshell ${UID})
+ local t skipped=() failed=() passed=()
+ local tests=( interop-tests compat-tests )
+
+ local shell=$(egetshell "${UID}")
 if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
- elog "Running the full OpenSSH testsuite"
- elog "requires a usable shell for the 'portage'"
+ elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
 elog "user, so we will run a subset only."
- skipped="${skipped} tests"
+ skipped+=( tests )
 else
- tests="${tests} tests"
+ tests+=( tests )
 fi
- # It will also attempt to write to the homedir .ssh
+
+ # It will also attempt to write to the homedir .ssh.
 local sshhome=${T}/homedir
 mkdir -p "${sshhome}"/.ssh
- for t in ${tests} ; do
+ for t in "${tests[@]}" ; do
 # Some tests read from stdin ...
 HOMEDIR="${sshhome}" HOME="${sshhome}" \
 emake -k -j1 ${t}
Date: Tue, 31 Jan 2017 18:01:04 -0800
Subject: [PATCH 2/2] net-misc/openssh: apply our changes to the new version

Specifically, this drops the bindist USE flag, skips installing some init.d files, and updates KEYWORDS for our architectures. The build fix carried previously has been dropped since it is now included in the upstream source archive.
---
 .../net-misc/openssh/openssh-7.4_p1.ebuild | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.4_p1.ebuild b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.4_p1.ebuild
index a21ea916d4..3d15e17c8d 100644
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.4_p1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.4_p1.ebuild
@@ -25,9 +25,9 @@ SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
 LICENSE="BSD GPL-2"
 SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
 # Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"
+IUSE="abi_mips_n32 debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"
 REQUIRED_USE="ldns? ( ssl )
 pie? ( !static )
 ssh1? ( ssl )
@@ -37,9 +37,7 @@ REQUIRED_USE="ldns? ( ssl )
 LIB_DEPEND="
 ldns? (
- net-libs/ldns[static-libs(+)]
- !bindist? ( net-libs/ldns[ecdsa,ssl] )
- bindist? ( net-libs/ldns[-ecdsa,ssl] )
+ net-libs/ldns[ecdsa,ssl,static-libs(+)]
 )
 libedit? ( dev-libs/libedit[static-libs(+)] )
 sctp? ( net-misc/lksctp-tools[static-libs(+)] )
@@ -47,7 +45,7 @@ LIB_DEPEND="
 skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
 ssl? (
 !libressl? (
- >=dev-libs/openssl-0.9.8f:0[bindist=]
+ >=dev-libs/openssl-0.9.8f:0[-bindist(-)]
 dev-libs/openssl:0[static-libs(+)]
 )
 libressl? ( dev-libs/libressl[static-libs(+)] )
@@ -210,8 +208,6 @@ src_install() {
 emake install-nokeys DESTDIR="${D}"
 fperms 600 /etc/ssh/sshd_config
 dobin contrib/ssh-copy-id
- newinitd "${FILESDIR}"/sshd.rc6.4 sshd
- newconfd "${FILESDIR}"/sshd.confd sshd
 keepdir /var/empty
 newpamd "${FILESDIR}"/sshd.pam_include.2 sshd