diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest index 51b6a2c9d3..abbd256887 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest @@ -1,19 +1,6 @@ -DIST openssh-8.4p1+x509-12.6.diff.gz 857479 BLAKE2B ac8c3e8c1087ca571e5459c9826903410ff2d45de60151d9bd8e59da15805b75752f8f3ffc231c9f8aaa8f2b2c07a97a8296684f885e0d14b54ff5d7bc585588 SHA512 e56516b376ecc3e5464895744ce0616cf4446a891fbd3cbcb090d5f61ebc349d74f9c01e855ccd22e574dbfeec0cb2ba7daf582983010ff991243a6371cc5fe3 -DIST openssh-8.4p1-sctp-1.2.patch.xz 7668 BLAKE2B 2e22d2a90723cea9ef958bd989b8c431fcb08b4dc5bfd3ebbf463ca9546dc37acdc185c35ddf3adbb90bde9b3902bf36524a456061a9bcbdef7a76ece79e2ff4 SHA512 90da34b7b86e52df9e0191c99c9d645a4d4671958adebeed46e1149102d4ba8c729eadb79d84fad9feac64aafa0541d2f1f4db8cdfe0af5ba893aac072ef2380 -DIST openssh-8.4p1.tar.gz 1742201 BLAKE2B 4b1e60d4962095df045c3a31bbf8af725b1c07324c4aa1f6b9a3ddb7e695c98e9aa01655b268f6fd6a400f511b23be91f6b89d07b14a6a2d92f873efb4d9c146 SHA512 d65275b082c46c5efe7cf3264fa6794d6e99a36d4a54b50554fc56979d6c0837381587fd5399195e1db680d2a5ad1ef0b99a180eac2b4de5637906cb7a89e9ce -DIST openssh-8.5p1+x509-13.0.1.diff.gz 997005 BLAKE2B b6cdc9ba12dc642c7073463fb8b153a32019e8bc4c1778c2371d89cdc8d9b43e86523d0c03ebeeafa7004a16ad46dfbc18b338bf95f46101d8865709d45aa6b0 SHA512 b0247885d3a0718eb4df123c552f9e95ad9ffd55f96189aca35006c23d76ec76b28420cac4d7b2167c07f2e0a0652edfa20c2ce60aea3f7607a1e747f836ff91 -DIST openssh-8.5p1+x509-13.0.diff.gz 996872 BLAKE2B 136937e4e65e5e73d1d1b596ae6188f359daa8e95aafd57fab8cf947b59fde573ff4e6259781d1a0fd89718d14469ca4aed01bae6f37cc16df109c673fa2c73c SHA512 2276b0ac577162f7f6a56115637636a6eaaa8b3cc06e5ef053ec06e00a7c3459efe8de8dbc5f55c9f6a192534e2f7c8c7064fcdbf56d28b628bb301c5072802c -DIST openssh-8.5p1-sctp-1.2.patch.xz 7692 BLAKE2B 298bf5e2004fd864bdbb6d6f354d1fbcb7052a9caaf8e39863b840a7af8e31f87790f6aa10ae84df177d450bb34a43c4a3aa87d7472e2505d727757c016ce92b SHA512 84990f95e22c90dbc4d04d47ea88b761ff1d0101018661ff2376ac2a726b5fca43f1b5f5d926ccbe1c8d0143ac36b104616bd1a6b5dcdba4addf48a5dd196e2b -DIST openssh-8.5p1.tar.gz 1779733 BLAKE2B f4e4bd39e2dd275d4811e06ca994f2239ad27c804b003c74cc26f9dffae28f1b4006fc618580f0dc9c45f0b7361c24728c23688b45f41cb8a15cf6206c3f15c3 SHA512 af9c34d89170a30fc92a63973e32c766ed4a6d254bb210e317c000d46913e78d0c60c7befe62d993d659be000b828b9d4d3832fc40df1c3d33850aaa6293846f -DIST openssh-8.6p1+x509-13.1.diff.gz 1011666 BLAKE2B 0ac0cf2ff962b8ef677c49de0bb586f375f14d8964e077c10f6a88ec15734807940ab6c0277e44ebdfde0e50c2c80103cff614a6cde4d66e9986152032eeaa90 SHA512 ae4986dd079678c7b0cfd805136ff7ac940d1049fdddeb5a7c4ea2141bfcca70463b951485fb2b113bc930f519b1b41562900ced0269f5673dbdad867f464251 -DIST openssh-8.6p1-sctp-1.2.patch.xz 7696 BLAKE2B 37f9e943a1881af05d9cf2234433711dc45ca30c60af4c0ea38a1d361df02abb491fa114f3698285f582b40b838414c1a048c4f09aa4f7ae9499adb09201d2ac SHA512 ba8c4d38a3d90854e79dc18918fffde246d7609a3f1c3a35e06c0fbe33d3688ed29b0ec33556ae37d1654e1dc2133d892613ad8d1ecbdce9aaa5b9eb10dcbb7a -DIST openssh-8.6p1.tar.gz 1786328 BLAKE2B 261a0f1a6235275894d487cce37537755c86835e3a34871462fe29bfe72b49cd9a6b6a547aea4bd554f0957e110c84458cc75a5f2560717fb04804d62228562a SHA512 9854eda0b773c64c9f1f74844ce466b2b42ee8845f58ad062b73141d617af944fa4ebafdf72069f400106d2c2bd0a69c92fe805ec1fc26d4f0faadf06c3fbbe6 -DIST openssh-8_3_P1-hpn-AES-CTR-14.22.diff 29963 BLAKE2B 19b82f4ff820f52dafaa5b3f09f8a0a67f318771c1c7276b9d37e4a6412052c9c53347f880f2d78981af3830432704b9ad74b375241965326530ae23ec8d74a2 SHA512 49f2778831dc768850870a1755da9cdd7d3bc83fa87069070f5a1d357ce9bdadeb2506c8ff3c6b055708da12a70e9ede7ed0e8a29fcab441abb55c9d483663be -DIST openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 42783 BLAKE2B 10940c35ae6bdc33e58bc9abd9cd7a551d4ca76a175400acb872906805bd04d384f57e81049b183d7d892ce1b5f7a138e197366369fe12e5c9dc1349850b0582 SHA512 c09162b96e0ffadc59c6076507bc843e6f8f2fb372140b84181f5fb2894225b1e05a831d85ba689c35c322b5a99302b9db77c324f978f1a46a16b185b3cb28dd -DIST openssh-8_3_P1-hpn-PeakTput-14.22.diff 2012 BLAKE2B 701f46da022e7ecf35b57f41bf5682a37be453c175928d3ff3df09292275e6021f6108a20c02eec9d636e85ee5a8e05b7233ada180edf1209a3dc4b139d58858 SHA512 026f65c62e4c05b69661094d41bf338df608e2a9b23ef95588062e3bd68729733dae32adab783609a6eca810ccdcbddee25e7649a534c9a283a03282f73438bb -DIST openssh-8_4_P1-hpn-AES-CTR-15.1.diff 29966 BLAKE2B 79dea4e16ffdda329131eb48a3c3dd40e167e5c6fa4dd2beb6c67e7e4f17a45c6645e84dcdc97baae90215a802cd1d723dfd88c981b1db826f61fca0a4e92ae1 SHA512 cdb7aa5737a1527d83ffa747d17ae997a64b7bc16e198d0721b690e5932446d30ba4129c122be2a457f261be7a11d944ef49ba2450ce90f552daab508b0c980b -DIST openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 51327 BLAKE2B 6879df5bfb4c07c44b41620bd49433591711edb08ad6b5c09af8a5f754ca09f3ff6a066ffac3210fdad6dee47710221dca0a3dc47b919498ec6939b42a073418 SHA512 1e6471e88783acf764186577a767ea7c2071bcab1b803c18288f70166d87471703b332dae3bdcaf4318039089caebfba46e5b6da218912eff1103bd03d736a60 -DIST openssh-8_4_P1-hpn-PeakTput-15.1.diff 2429 BLAKE2B fc2140f4036ef57b7093696680b6e157c78bb431af9bc9e75f223c2b13693f0ec2ad214fbf6b2ba0059cbf3690a93235559f07b46dabd056d65ae1fc9d7418f0 SHA512 99801a743da8f108dcf883bc216f2abd3fc3071617566b83eb07b6627ed657cccf0ea93ea2a70eff1050a34a0e635e732665c5583e8aa35968fdeb839f837b63 +DIST openssh-8.7p1+x509-13.2.diff.gz 1068695 BLAKE2B e542e5444f8360e0e28288d6a58d66995ff90e9f6bb1490b04a205162036e371a20d612655ca1bd479b8a04d5ccbfd9b7189b090d50ccbb019848e28571b036b SHA512 342e1ee050258c99f8f206664ef756e1be2c82e5faa5f966b80385aa2c6c601974681459ddba32c1ca5c33eda530af681e753471706c71902c1045a2913cd540 +DIST openssh-8.7p1-sctp-1.2.patch.xz 6740 BLAKE2B 468a455018ffddf4fa64d63acb732ad3e1fb722ae8b24d06cf3a683167a4580626b477bbc286f296c83d39dd36c101ac58597a21daa63de83ad55af00aa3a6be SHA512 aa9067c9025b6e4edfad5e45ec92da43db14edb11aae02cbbc296e66b48377cbbf62cdafcdd5edfd1fd4bf69420ee017223ab52e50a42b1976002d767984777c +DIST openssh-8.7p1.tar.gz 1814595 BLAKE2B 9fdb8898485053d08c9eca419c15d0d03b7a60152cf6a9d7f1beed3a21c9e6ac3bd9f854580e6e474fb0c871f3d4be9ef4b49bee8c355d9e5769a5505f4e6ea9 SHA512 08c81024d9e1248abfda6cc874886ff5ae916669b93cd6aff640e0614ee8cbcbc3fe87a9ce47136b6443ddbb1168b114367c74e117551905994e1a7e3fa2c0c2 DIST openssh-8_5_P1-hpn-AES-CTR-15.2.diff 30096 BLAKE2B f0c020dd2403806c79d4c37a019996d275655b04997301e247f5c4dd7fad35d12b3b7c25afb1b078d915ef2a4ae02f736f0aec9ba2a8c56a405d7ca303bcadf7 SHA512 4c2dbf99a9b5953fdb955f700272bbaeaa025f108a8860d2190197962b849f8385327af82c4d6a3a130a7fba35a74a8ec9437d642867601acb29817c49632a8f DIST openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 51428 BLAKE2B 370b88a7da7f148bf5a4d445f05cf593b486e9df53bba027e2e179726f534b68cf9d94edd6e53024e0b6ff5f20e568727bc9d26c94d0d415603602a80d3ad241 SHA512 2d8d887901164b33b2799ff3ec72e86a39ae4a1696e52bcee0872dbae7772fcc534351e6e7f87126ee71b164c74e9091350f14b782f4b242a09f09b4f50d047a DIST openssh-8_5_P1-hpn-PeakTput-15.2.diff 2429 BLAKE2B 849bf3c313719ab7a25c75e82d5dc5ac98365a038b2a66fe58d01eae5b20c7777258b94b5830e799d6909e75c69753cda05a910f3bdab9606fb7d5efa68e05f1 SHA512 c4a56fab55fabd1d902d45f235b603708d43f969920e45c9a57e557dccfa9cade2ec61f26d1ace938f6f73e79f17b12f119b5aea9166cbda8e3435b910500914 diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch deleted file mode 100644 index 37905ce6af..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/kex.c b/kex.c -index 34808b5c..88d7ccac 100644 ---- a/kex.c -+++ b/kex.c -@@ -1126,7 +1126,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms, - if (version_addendum != NULL && *version_addendum == '\0') - version_addendum = NULL; - if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n", -- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, -+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, - version_addendum == NULL ? "" : " ", - version_addendum == NULL ? "" : version_addendum)) != 0) { - error("%s: sshbuf_putf: %s", __func__, ssh_err(r)); diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.2_p1-GSSAPI-dns.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.2_p1-GSSAPI-dns.patch deleted file mode 100644 index d4db77b985..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.2_p1-GSSAPI-dns.patch +++ /dev/null @@ -1,359 +0,0 @@ -diff --git a/auth.c b/auth.c -index 086b8ebb..a267353c 100644 ---- a/auth.c -+++ b/auth.c -@@ -724,120 +724,6 @@ fakepw(void) - return (&fake); - } - --/* -- * Returns the remote DNS hostname as a string. The returned string must not -- * be freed. NB. this will usually trigger a DNS query the first time it is -- * called. -- * This function does additional checks on the hostname to mitigate some -- * attacks on legacy rhosts-style authentication. -- * XXX is RhostsRSAAuthentication vulnerable to these? -- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) -- */ -- --static char * --remote_hostname(struct ssh *ssh) --{ -- struct sockaddr_storage from; -- socklen_t fromlen; -- struct addrinfo hints, *ai, *aitop; -- char name[NI_MAXHOST], ntop2[NI_MAXHOST]; -- const char *ntop = ssh_remote_ipaddr(ssh); -- -- /* Get IP address of client. */ -- fromlen = sizeof(from); -- memset(&from, 0, sizeof(from)); -- if (getpeername(ssh_packet_get_connection_in(ssh), -- (struct sockaddr *)&from, &fromlen) == -1) { -- debug("getpeername failed: %.100s", strerror(errno)); -- return xstrdup(ntop); -- } -- -- ipv64_normalise_mapped(&from, &fromlen); -- if (from.ss_family == AF_INET6) -- fromlen = sizeof(struct sockaddr_in6); -- -- debug3("Trying to reverse map address %.100s.", ntop); -- /* Map the IP address to a host name. */ -- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), -- NULL, 0, NI_NAMEREQD) != 0) { -- /* Host name not found. Use ip address. */ -- return xstrdup(ntop); -- } -- -- /* -- * if reverse lookup result looks like a numeric hostname, -- * someone is trying to trick us by PTR record like following: -- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 -- */ -- memset(&hints, 0, sizeof(hints)); -- hints.ai_socktype = SOCK_DGRAM; /*dummy*/ -- hints.ai_flags = AI_NUMERICHOST; -- if (getaddrinfo(name, NULL, &hints, &ai) == 0) { -- logit("Nasty PTR record \"%s\" is set up for %s, ignoring", -- name, ntop); -- freeaddrinfo(ai); -- return xstrdup(ntop); -- } -- -- /* Names are stored in lowercase. */ -- lowercase(name); -- -- /* -- * Map it back to an IP address and check that the given -- * address actually is an address of this host. This is -- * necessary because anyone with access to a name server can -- * define arbitrary names for an IP address. Mapping from -- * name to IP address can be trusted better (but can still be -- * fooled if the intruder has access to the name server of -- * the domain). -- */ -- memset(&hints, 0, sizeof(hints)); -- hints.ai_family = from.ss_family; -- hints.ai_socktype = SOCK_STREAM; -- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { -- logit("reverse mapping checking getaddrinfo for %.700s " -- "[%s] failed.", name, ntop); -- return xstrdup(ntop); -- } -- /* Look for the address from the list of addresses. */ -- for (ai = aitop; ai; ai = ai->ai_next) { -- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, -- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && -- (strcmp(ntop, ntop2) == 0)) -- break; -- } -- freeaddrinfo(aitop); -- /* If we reached the end of the list, the address was not there. */ -- if (ai == NULL) { -- /* Address not found for the host name. */ -- logit("Address %.100s maps to %.600s, but this does not " -- "map back to the address.", ntop, name); -- return xstrdup(ntop); -- } -- return xstrdup(name); --} -- --/* -- * Return the canonical name of the host in the other side of the current -- * connection. The host name is cached, so it is efficient to call this -- * several times. -- */ -- --const char * --auth_get_canonical_hostname(struct ssh *ssh, int use_dns) --{ -- static char *dnsname; -- -- if (!use_dns) -- return ssh_remote_ipaddr(ssh); -- else if (dnsname != NULL) -- return dnsname; -- else { -- dnsname = remote_hostname(ssh); -- return dnsname; -- } --} -- - /* - * Runs command in a subprocess with a minimal environment. - * Returns pid on success, 0 on failure. -diff --git a/canohost.c b/canohost.c -index abea9c6e..4f4524d2 100644 ---- a/canohost.c -+++ b/canohost.c -@@ -202,3 +202,117 @@ get_local_port(int sock) - { - return get_sock_port(sock, 1); - } -+ -+/* -+ * Returns the remote DNS hostname as a string. The returned string must not -+ * be freed. NB. this will usually trigger a DNS query the first time it is -+ * called. -+ * This function does additional checks on the hostname to mitigate some -+ * attacks on legacy rhosts-style authentication. -+ * XXX is RhostsRSAAuthentication vulnerable to these? -+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) -+ */ -+ -+static char * -+remote_hostname(struct ssh *ssh) -+{ -+ struct sockaddr_storage from; -+ socklen_t fromlen; -+ struct addrinfo hints, *ai, *aitop; -+ char name[NI_MAXHOST], ntop2[NI_MAXHOST]; -+ const char *ntop = ssh_remote_ipaddr(ssh); -+ -+ /* Get IP address of client. */ -+ fromlen = sizeof(from); -+ memset(&from, 0, sizeof(from)); -+ if (getpeername(ssh_packet_get_connection_in(ssh), -+ (struct sockaddr *)&from, &fromlen) < 0) { -+ debug("getpeername failed: %.100s", strerror(errno)); -+ return strdup(ntop); -+ } -+ -+ ipv64_normalise_mapped(&from, &fromlen); -+ if (from.ss_family == AF_INET6) -+ fromlen = sizeof(struct sockaddr_in6); -+ -+ debug3("Trying to reverse map address %.100s.", ntop); -+ /* Map the IP address to a host name. */ -+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), -+ NULL, 0, NI_NAMEREQD) != 0) { -+ /* Host name not found. Use ip address. */ -+ return strdup(ntop); -+ } -+ -+ /* -+ * if reverse lookup result looks like a numeric hostname, -+ * someone is trying to trick us by PTR record like following: -+ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 -+ */ -+ memset(&hints, 0, sizeof(hints)); -+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/ -+ hints.ai_flags = AI_NUMERICHOST; -+ if (getaddrinfo(name, NULL, &hints, &ai) == 0) { -+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring", -+ name, ntop); -+ freeaddrinfo(ai); -+ return strdup(ntop); -+ } -+ -+ /* Names are stored in lowercase. */ -+ lowercase(name); -+ -+ /* -+ * Map it back to an IP address and check that the given -+ * address actually is an address of this host. This is -+ * necessary because anyone with access to a name server can -+ * define arbitrary names for an IP address. Mapping from -+ * name to IP address can be trusted better (but can still be -+ * fooled if the intruder has access to the name server of -+ * the domain). -+ */ -+ memset(&hints, 0, sizeof(hints)); -+ hints.ai_family = from.ss_family; -+ hints.ai_socktype = SOCK_STREAM; -+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { -+ logit("reverse mapping checking getaddrinfo for %.700s " -+ "[%s] failed.", name, ntop); -+ return strdup(ntop); -+ } -+ /* Look for the address from the list of addresses. */ -+ for (ai = aitop; ai; ai = ai->ai_next) { -+ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, -+ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && -+ (strcmp(ntop, ntop2) == 0)) -+ break; -+ } -+ freeaddrinfo(aitop); -+ /* If we reached the end of the list, the address was not there. */ -+ if (ai == NULL) { -+ /* Address not found for the host name. */ -+ logit("Address %.100s maps to %.600s, but this does not " -+ "map back to the address.", ntop, name); -+ return strdup(ntop); -+ } -+ return strdup(name); -+} -+ -+/* -+ * Return the canonical name of the host in the other side of the current -+ * connection. The host name is cached, so it is efficient to call this -+ * several times. -+ */ -+ -+const char * -+auth_get_canonical_hostname(struct ssh *ssh, int use_dns) -+{ -+ static char *dnsname; -+ -+ if (!use_dns) -+ return ssh_remote_ipaddr(ssh); -+ else if (dnsname != NULL) -+ return dnsname; -+ else { -+ dnsname = remote_hostname(ssh); -+ return dnsname; -+ } -+} -diff --git a/readconf.c b/readconf.c -index f3cac6b3..adfd7a4e 100644 ---- a/readconf.c -+++ b/readconf.c -@@ -160,6 +160,7 @@ typedef enum { - oClearAllForwardings, oNoHostAuthenticationForLocalhost, - oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, - oAddressFamily, oGssAuthentication, oGssDelegateCreds, -+ oGssTrustDns, - oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, - oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist, - oHashKnownHosts, -@@ -205,9 +206,11 @@ static struct { - #if defined(GSSAPI) - { "gssapiauthentication", oGssAuthentication }, - { "gssapidelegatecredentials", oGssDelegateCreds }, -+ { "gssapitrustdns", oGssTrustDns }, - # else - { "gssapiauthentication", oUnsupported }, - { "gssapidelegatecredentials", oUnsupported }, -+ { "gssapitrustdns", oUnsupported }, - #endif - #ifdef ENABLE_PKCS11 - { "pkcs11provider", oPKCS11Provider }, -@@ -1033,6 +1036,10 @@ parse_time: - intptr = &options->gss_deleg_creds; - goto parse_flag; - -+ case oGssTrustDns: -+ intptr = &options->gss_trust_dns; -+ goto parse_flag; -+ - case oBatchMode: - intptr = &options->batch_mode; - goto parse_flag; -@@ -1912,6 +1919,7 @@ initialize_options(Options * options) - options->challenge_response_authentication = -1; - options->gss_authentication = -1; - options->gss_deleg_creds = -1; -+ options->gss_trust_dns = -1; - options->password_authentication = -1; - options->kbd_interactive_authentication = -1; - options->kbd_interactive_devices = NULL; -@@ -2061,6 +2069,8 @@ fill_default_options(Options * options) - options->gss_authentication = 0; - if (options->gss_deleg_creds == -1) - options->gss_deleg_creds = 0; -+ if (options->gss_trust_dns == -1) -+ options->gss_trust_dns = 0; - if (options->password_authentication == -1) - options->password_authentication = 1; - if (options->kbd_interactive_authentication == -1) -diff --git a/readconf.h b/readconf.h -index feedb3d2..c7139c1b 100644 ---- a/readconf.h -+++ b/readconf.h -@@ -42,6 +42,7 @@ typedef struct { - /* Try S/Key or TIS, authentication. */ - int gss_authentication; /* Try GSS authentication */ - int gss_deleg_creds; /* Delegate GSS credentials */ -+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */ - int password_authentication; /* Try password - * authentication. */ - int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ -diff --git a/ssh_config.5 b/ssh_config.5 -index 06a32d31..6871ff36 100644 ---- a/ssh_config.5 -+++ b/ssh_config.5 -@@ -770,6 +770,16 @@ The default is - Forward (delegate) credentials to the server. - The default is - .Cm no . -+Note that this option applies to protocol version 2 connections using GSSAPI. -+.It Cm GSSAPITrustDns -+Set to -+.Dq yes to indicate that the DNS is trusted to securely canonicalize -+the name of the host being connected to. If -+.Dq no, the hostname entered on the -+command line will be passed untouched to the GSSAPI library. -+The default is -+.Dq no . -+This option only applies to protocol version 2 connections using GSSAPI. - .It Cm HashKnownHosts - Indicates that - .Xr ssh 1 -diff --git a/sshconnect2.c b/sshconnect2.c -index af00fb30..652463c5 100644 ---- a/sshconnect2.c -+++ b/sshconnect2.c -@@ -716,6 +716,13 @@ userauth_gssapi(struct ssh *ssh) - OM_uint32 min; - int r, ok = 0; - gss_OID mech = NULL; -+ const char *gss_host; -+ -+ if (options.gss_trust_dns) { -+ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns); -+ gss_host = auth_get_canonical_hostname(ssh, 1); -+ } else -+ gss_host = authctxt->host; - - /* Try one GSSAPI method at a time, rather than sending them all at - * once. */ -@@ -730,7 +737,7 @@ userauth_gssapi(struct ssh *ssh) - elements[authctxt->mech_tried]; - /* My DER encoding requires length<128 */ - if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt, -- mech, authctxt->host)) { -+ mech, gss_host)) { - ok = 1; /* Mechanism works */ - } else { - authctxt->mech_tried++; diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.3_p1-sha2-include.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.3_p1-sha2-include.patch deleted file mode 100644 index 6bd7166197..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.3_p1-sha2-include.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/Makefile.in b/Makefile.in -index c9e4294d..2dbfac24 100644 ---- a/Makefile.in -+++ b/Makefile.in -@@ -44,7 +44,7 @@ CC=@CC@ - LD=@LD@ - CFLAGS=@CFLAGS@ - CFLAGS_NOPIE=@CFLAGS_NOPIE@ --CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ -+CPPFLAGS=-I. -I$(srcdir) -I$(srcdir)/openbsd-compat @CPPFLAGS@ $(PATHS) @DEFS@ - PICFLAG=@PICFLAG@ - LIBS=@LIBS@ - K5LIBS=@K5LIBS@ diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.4_p1-X509-glue-12.6.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.4_p1-X509-glue-12.6.patch deleted file mode 100644 index f12a3096b6..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.4_p1-X509-glue-12.6.patch +++ /dev/null @@ -1,34 +0,0 @@ -diff -u a/openssh-8.4p1+x509-12.6.diff b/openssh-8.4p1+x509-12.6.diff ---- a/openssh-8.4p1+x509-12.6.diff 2020-10-04 10:58:16.980495330 -0700 -+++ b/openssh-8.4p1+x509-12.6.diff 2020-10-04 11:02:31.951966223 -0700 -@@ -39348,12 +39348,11 @@ - - install-files: - $(MKDIR_P) $(DESTDIR)$(bindir) --@@ -384,6 +365,8 @@ -+@@ -384,6 +365,7 @@ - $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5 - $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8 - $(MKDIR_P) $(DESTDIR)$(libexecdir) - + $(MKDIR_P) $(DESTDIR)$(sshcadir) --+ $(MKDIR_P) $(DESTDIR)$(piddir) - $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH) - $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT) - $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT) -@@ -103950,16 +103949,6 @@ - +int asnmprintf(char **, size_t, int *, const char *, ...) - __attribute__((format(printf, 4, 5))); - void msetlocale(void); --diff -ruN openssh-8.4p1/version.h openssh-8.4p1+x509-12.6/version.h ----- openssh-8.4p1/version.h 2020-09-27 10:25:01.000000000 +0300 --+++ openssh-8.4p1+x509-12.6/version.h 2020-10-03 10:07:00.000000000 +0300 --@@ -2,5 +2,4 @@ -- -- #define SSH_VERSION "OpenSSH_8.4" -- ---#define SSH_PORTABLE "p1" ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE --+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1" - diff -ruN openssh-8.4p1/version.m4 openssh-8.4p1+x509-12.6/version.m4 - --- openssh-8.4p1/version.m4 1970-01-01 02:00:00.000000000 +0200 - +++ openssh-8.4p1+x509-12.6/version.m4 2020-10-03 10:07:00.000000000 +0300 diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.4_p1-fix-ssh-copy-id.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.4_p1-fix-ssh-copy-id.patch deleted file mode 100644 index 32713d43ff..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.4_p1-fix-ssh-copy-id.patch +++ /dev/null @@ -1,30 +0,0 @@ -From d9e727dcc04a52caaac87543ea1d230e9e6b5604 Mon Sep 17 00:00:00 2001 -From: Oleg -Date: Thu, 1 Oct 2020 12:09:08 +0300 -Subject: [PATCH] Fix `EOF: command not found` error in ssh-copy-id - ---- - contrib/ssh-copy-id | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id -index 392f64f94..a76907717 100644 ---- a/contrib/ssh-copy-id -+++ b/contrib/ssh-copy-id -@@ -247,7 +247,7 @@ installkeys_sh() { - # the -z `tail ...` checks for a trailing newline. The echo adds one if was missing - # the cat adds the keys we're getting via STDIN - # and if available restorecon is used to restore the SELinux context -- INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF) -+ INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF - cd; - umask 077; - mkdir -p $(dirname "${AUTH_KEY_FILE}") && -@@ -258,6 +258,7 @@ installkeys_sh() { - restorecon -F .ssh ${AUTH_KEY_FILE}; - fi - EOF -+ ) - - # to defend against quirky remote shells: use 'exec sh -c' to get POSIX; - printf "exec sh -c '%s'" "${INSTALLKEYS_SH}" diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-X509-glue.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-X509-glue.patch deleted file mode 100644 index 9bd600b6a1..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-X509-glue.patch +++ /dev/null @@ -1,129 +0,0 @@ -diff -u a/openssh-8_3_P1-hpn-AES-CTR-14.22.diff b/openssh-8_3_P1-hpn-AES-CTR-14.22.diff ---- a/openssh-8_3_P1-hpn-AES-CTR-14.22.diff 2020-10-04 11:04:44.495171346 -0700 -+++ b/openssh-8_3_P1-hpn-AES-CTR-14.22.diff 2020-10-04 11:48:05.099637206 -0700 -@@ -3,9 +3,9 @@ - --- a/Makefile.in - +++ b/Makefile.in - @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@ -- CFLAGS_NOPIE=@CFLAGS_NOPIE@ -- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ -- PICFLAG=@PICFLAG@ -+ LD=@LD@ -+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA) -+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ - -LIBS=@LIBS@ - +LIBS=@LIBS@ -lpthread - K5LIBS=@K5LIBS@ -@@ -803,7 +803,7 @@ - ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out) - { - struct session_state *state; --- const struct sshcipher *none = cipher_by_name("none"); -+- const struct sshcipher *none = cipher_none(); - + struct sshcipher *none = cipher_by_name("none"); - int r; - -@@ -901,17 +901,18 @@ - } - - /* --@@ -2203,6 +2210,10 @@ fill_default_options(Options * options) -+@@ -2203,5 +2210,10 @@ fill_default_options(Options * options) - if (options->sk_provider == NULL) - options->sk_provider = xstrdup("$SSH_SK_PROVIDER"); -- #endif -+ - + if (options->update_hostkeys == -1) - + options->update_hostkeys = 0; - + if (options->disable_multithreaded == -1) - + options->disable_multithreaded = 0; -- -- /* Expand KEX name lists */ -- all_cipher = cipher_alg_list(',', 0); -++ -+ /* expand KEX and etc. name lists */ -+ { char *all; -+ #define ASSEMBLE(what, defaults, all) \ - diff --git a/readconf.h b/readconf.h - index e143a108..1383a3cd 100644 - --- a/readconf.h -@@ -950,9 +951,9 @@ - /* Portable-specific options */ - sUsePAM, - + sDisableMTAES, -- /* Standard Options */ -- sPort, sHostKeyFile, sLoginGraceTime, -- sPermitRootLogin, sLogFacility, sLogLevel, -+ /* X.509 Standard Options */ -+ sHostbasedAlgorithms, -+ sPubkeyAlgorithms, - @@ -679,6 +683,7 @@ static struct { - { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, - { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, -diff -u a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff ---- a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-10-04 11:04:37.441213650 -0700 -+++ b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-10-04 11:50:55.865616716 -0700 -@@ -382,7 +382,7 @@ - @@ -888,6 +888,10 @@ kex_choose_conf(struct ssh *ssh) - int nenc, nmac, ncomp; - u_int mode, ctos, need, dh_need, authlen; -- int r, first_kex_follows; -+ int r, first_kex_follows = 0; - + int auth_flag; - + - + auth_flag = packet_authentication_state(ssh); -@@ -1193,14 +1193,3 @@ - # Example of overriding settings on a per-user basis - #Match User anoncvs - # X11Forwarding no --diff --git a/version.h b/version.h --index a2eca3ec..ff654fc3 100644 ----- a/version.h --+++ b/version.h --@@ -3,4 +3,5 @@ -- #define SSH_VERSION "OpenSSH_8.3" -- -- #define SSH_PORTABLE "p1" ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE --+#define SSH_HPN "-hpn14v22" --+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN -diff -u a/openssh-8_3_P1-hpn-PeakTput-14.22.diff b/openssh-8_3_P1-hpn-PeakTput-14.22.diff ---- a/openssh-8_3_P1-hpn-PeakTput-14.22.diff 2020-10-04 11:51:46.409313155 -0700 -+++ b/openssh-8_3_P1-hpn-PeakTput-14.22.diff 2020-10-04 11:56:57.407445258 -0700 -@@ -12,9 +12,9 @@ - static long stalled; /* how long we have been stalled */ - static int bytes_per_second; /* current speed in bytes per second */ - @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update) -+ off_t bytes_left; - int cur_speed; -- int hours, minutes, seconds; -- int file_len; -+ int len; - + off_t delta_pos; - - if ((!force_update && !alarm_fired && !win_resized) || !can_output()) -@@ -30,15 +30,17 @@ - if (bytes_left > 0) - elapsed = now - last_update; - else { --@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update) -+@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update) -+ buf[1] = '\0'; - - /* filename */ -- buf[0] = '\0'; --- file_len = win_size - 36; --+ file_len = win_size - 45; -- if (file_len > 0) { -- buf[0] = '\r'; -- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s", -+- if (win_size > 36) { -+- int file_len = win_size - 36; -++ if (win_size > 45) { -++ int file_len = win_size - 45; -+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ", -+ file_len, file); -+ } - @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update) - (off_t)bytes_per_second); - strlcat(buf, "/s ", win_size); diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-glue.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-glue.patch deleted file mode 100644 index 884063c60f..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-glue.patch +++ /dev/null @@ -1,94 +0,0 @@ -diff -ur a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff ---- a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-09-28 13:15:17.780747192 -0700 -+++ b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-09-28 13:34:03.576552219 -0700 -@@ -409,18 +409,10 @@ - index e7abb341..c23276d4 100644 - --- a/packet.c - +++ b/packet.c --@@ -961,6 +961,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode) -+@@ -961,6 +961,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode) - return 0; - } - --+/* this supports the forced rekeying required for the NONE cipher */ --+int rekey_requested = 0; --+void --+packet_request_rekeying(void) --+{ --+ rekey_requested = 1; --+} --+ - +/* used to determine if pre or post auth when rekeying for aes-ctr - + * and none cipher switch */ - +int -@@ -434,20 +426,6 @@ - #define MAX_PACKETS (1U<<31) - static int - ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) --@@ -987,6 +1005,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) -- if (state->p_send.packets == 0 && state->p_read.packets == 0) -- return 0; -- --+ /* used to force rekeying when called for by the none --+ * cipher switch methods -cjr */ --+ if (rekey_requested == 1) { --+ rekey_requested = 0; --+ return 1; --+ } --+ -- /* Time-based rekeying */ -- if (state->rekey_interval != 0 && -- (int64_t)state->rekey_time + state->rekey_interval <= monotime()) - diff --git a/packet.h b/packet.h - index c2544bd9..ebd85c88 100644 - --- a/packet.h -@@ -481,9 +459,9 @@ - oLocalCommand, oPermitLocalCommand, oRemoteCommand, - + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize, - + oNoneEnabled, oNoneSwitch, -+ oDisableMTAES, - oVisualHostKey, - oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass, -- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, - @@ -294,6 +297,8 @@ static struct { - { "kexalgorithms", oKexAlgorithms }, - { "ipqos", oIPQoS }, -@@ -615,9 +593,9 @@ - int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */ - SyslogFacility log_facility; /* Facility for system logging. */ - @@ -114,7 +118,10 @@ typedef struct { -- - int enable_ssh_keysign; - int64_t rekey_limit; -+ int disable_multithreaded; /*disable multithreaded aes-ctr*/ - + int none_switch; /* Use none cipher */ - + int none_enabled; /* Allow none to be used */ - int rekey_interval; -@@ -700,9 +678,9 @@ - + options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT; - + } - + -+ if (options->disable_multithreaded == -1) -+ options->disable_multithreaded = 0; - if (options->ip_qos_interactive == -1) -- options->ip_qos_interactive = IPTOS_DSCP_AF21; -- if (options->ip_qos_bulk == -1) - @@ -519,6 +565,8 @@ typedef enum { - sPasswordAuthentication, sKbdInteractiveAuthentication, - sListenAddress, sAddressFamily, -@@ -1081,11 +1059,11 @@ - xxx_host = host; - xxx_hostaddr = hostaddr; - --@@ -435,6 +446,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, -+@@ -435,7 +446,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, -+ } -+ } -+ #endif - -- if (!authctxt.success) -- fatal("Authentication failed."); --+ - + /* - + * If the user wants to use the none cipher, do it post authentication - + * and only if the right conditions are met -- both of the NONE commands diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-sctp-glue.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-sctp-glue.patch deleted file mode 100644 index 52ec42e37f..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-sctp-glue.patch +++ /dev/null @@ -1,18 +0,0 @@ -diff -ur a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff ---- a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-09-28 16:42:34.168386903 -0700 -+++ b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-09-28 16:42:43.806325434 -0700 -@@ -1171,14 +1171,3 @@ - # Example of overriding settings on a per-user basis - #Match User anoncvs - # X11Forwarding no --diff --git a/version.h b/version.h --index a2eca3ec..ff654fc3 100644 ----- a/version.h --+++ b/version.h --@@ -3,4 +3,5 @@ -- #define SSH_VERSION "OpenSSH_8.3" -- -- #define SSH_PORTABLE "p1" ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE --+#define SSH_HPN "-hpn14v22" --+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.1.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.1.patch deleted file mode 100644 index c7812c622c..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.1.patch +++ /dev/null @@ -1,72 +0,0 @@ ---- a/openssh-8.5p1+x509-13.0.1.diff 2021-03-15 14:05:14.876485231 -0700 -+++ b/openssh-8.5p1+x509-13.0.1.diff 2021-03-15 14:06:05.389154451 -0700 -@@ -46675,12 +46675,11 @@ - - install-files: - $(MKDIR_P) $(DESTDIR)$(bindir) --@@ -380,6 +364,8 @@ -+@@ -380,6 +364,7 @@ - $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5 - $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8 - $(MKDIR_P) $(DESTDIR)$(libexecdir) - + $(MKDIR_P) $(DESTDIR)$(sshcadir) --+ $(MKDIR_P) $(DESTDIR)$(piddir) - $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH) - $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT) - $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT) -@@ -63967,7 +63966,7 @@ - - echo "putty interop tests not enabled" - - exit 0 - -fi --+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; } -++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; } - - for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do - verbose "$tid: cipher $c" -@@ -63982,7 +63981,7 @@ - - echo "putty interop tests not enabled" - - exit 0 - -fi --+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; } -++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; } - - for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do - verbose "$tid: kex $k" -@@ -63997,7 +63996,7 @@ - - echo "putty interop tests not enabled" - - exit 0 - -fi --+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; } -++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; } - - if [ "`${SSH} -Q compression`" = "none" ]; then - comp="0" -@@ -64129,9 +64128,9 @@ - - +# cross-project configuration - +if test "$sshd_type" = "pkix" ; then --+ unset_arg='' -++ unset_arg= - +else --+ unset_arg=none -++ unset_arg= - +fi - + - cat > $OBJ/sshd_config.i << _EOF -@@ -122247,16 +122246,6 @@ - +int asnmprintf(char **, size_t, int *, const char *, ...) - __attribute__((format(printf, 4, 5))); - void msetlocale(void); --diff -ruN openssh-8.5p1/version.h openssh-8.5p1+x509-13.0.1/version.h ----- openssh-8.5p1/version.h 2021-03-02 12:31:47.000000000 +0200 --+++ openssh-8.5p1+x509-13.0.1/version.h 2021-03-15 20:07:00.000000000 +0200 --@@ -2,5 +2,4 @@ -- -- #define SSH_VERSION "OpenSSH_8.5" -- ---#define SSH_PORTABLE "p1" ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE --+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1" - diff -ruN openssh-8.5p1/version.m4 openssh-8.5p1+x509-13.0.1/version.m4 - --- openssh-8.5p1/version.m4 1970-01-01 02:00:00.000000000 +0200 - +++ openssh-8.5p1+x509-13.0.1/version.m4 2021-03-15 20:07:00.000000000 +0200 diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.patch deleted file mode 100644 index 71b27f284a..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-X509-glue-13.0.patch +++ /dev/null @@ -1,73 +0,0 @@ -diff -ur a/openssh-8.5p1+x509-13.0.diff b/openssh-8.5p1+x509-13.0.diff ---- a/openssh-8.5p1+x509-13.0.diff 2021-03-03 12:26:21.021212996 -0800 -+++ b/openssh-8.5p1+x509-13.0.diff 2021-03-03 18:20:06.476490271 -0800 -@@ -46675,12 +46675,11 @@ - - install-files: - $(MKDIR_P) $(DESTDIR)$(bindir) --@@ -380,6 +364,8 @@ -+@@ -380,6 +364,7 @@ - $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5 - $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8 - $(MKDIR_P) $(DESTDIR)$(libexecdir) - + $(MKDIR_P) $(DESTDIR)$(sshcadir) --+ $(MKDIR_P) $(DESTDIR)$(piddir) - $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH) - $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT) - $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT) -@@ -63967,7 +63966,7 @@ - - echo "putty interop tests not enabled" - - exit 0 - -fi --+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; } -++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; } - - for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do - verbose "$tid: cipher $c" -@@ -63982,7 +63981,7 @@ - - echo "putty interop tests not enabled" - - exit 0 - -fi --+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; } -++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; } - - for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do - verbose "$tid: kex $k" -@@ -63997,7 +63996,7 @@ - - echo "putty interop tests not enabled" - - exit 0 - -fi --+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; } -++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; } - - if [ "`${SSH} -Q compression`" = "none" ]; then - comp="0" -@@ -64129,9 +64128,9 @@ - - +# cross-project configuration - +if test "$sshd_type" = "pkix" ; then --+ unset_arg='' -++ unset_arg= - +else --+ unset_arg=none -++ unset_arg= - +fi - + - cat > $OBJ/sshd_config.i << _EOF -@@ -122238,16 +122237,6 @@ - +int asnmprintf(char **, size_t, int *, const char *, ...) - __attribute__((format(printf, 4, 5))); - void msetlocale(void); --diff -ruN openssh-8.5p1/version.h openssh-8.5p1+x509-13.0/version.h ----- openssh-8.5p1/version.h 2021-03-02 12:31:47.000000000 +0200 --+++ openssh-8.5p1+x509-13.0/version.h 2021-03-03 19:07:00.000000000 +0200 --@@ -2,5 +2,4 @@ -- -- #define SSH_VERSION "OpenSSH_8.5" -- ---#define SSH_PORTABLE "p1" ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE --+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1" - diff -ruN openssh-8.5p1/version.m4 openssh-8.5p1+x509-13.0/version.m4 - --- openssh-8.5p1/version.m4 1970-01-01 02:00:00.000000000 +0200 - +++ openssh-8.5p1+x509-13.0/version.m4 2021-03-03 19:07:00.000000000 +0200 diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-X509-glue.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-X509-glue.patch deleted file mode 100644 index e2d4ce826e..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-X509-glue.patch +++ /dev/null @@ -1,325 +0,0 @@ -diff -ur a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff ---- a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff 2021-03-03 12:57:01.975827879 -0800 -+++ b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff 2021-03-03 18:25:21.929305944 -0800 -@@ -3,9 +3,9 @@ - --- a/Makefile.in - +++ b/Makefile.in - @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@ -- CFLAGS_NOPIE=@CFLAGS_NOPIE@ -- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ -- PICFLAG=@PICFLAG@ -+ LD=@LD@ -+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA) -+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ - -LIBS=@LIBS@ - +LIBS=@LIBS@ -lpthread - K5LIBS=@K5LIBS@ -@@ -803,8 +803,8 @@ - ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out) - { - struct session_state *state; --- const struct sshcipher *none = cipher_by_name("none"); --+ struct sshcipher *none = cipher_by_name("none"); -+- const struct sshcipher *none = cipher_none(); -++ struct sshcipher *none = cipher_none(); - int r; - - if (none == NULL) { -@@ -894,24 +894,24 @@ - intptr = &options->compression; - multistate_ptr = multistate_compression; - @@ -2062,6 +2068,7 @@ initialize_options(Options * options) -- options->hostbased_accepted_algos = NULL; -- options->pubkey_accepted_algos = NULL; -- options->known_hosts_command = NULL; -+ options->revoked_host_keys = NULL; -+ options->fingerprint_hash = -1; -+ options->update_hostkeys = -1; - + options->disable_multithreaded = -1; - } - - /* - @@ -2247,6 +2254,10 @@ fill_default_options(Options * options) -+ options->update_hostkeys = 0; - if (options->sk_provider == NULL) - options->sk_provider = xstrdup("$SSH_SK_PROVIDER"); -- #endif - + if (options->update_hostkeys == -1) - + options->update_hostkeys = 0; - + if (options->disable_multithreaded == -1) - + options->disable_multithreaded = 0; - -- /* Expand KEX name lists */ -- all_cipher = cipher_alg_list(',', 0); -+ /* expand KEX and etc. name lists */ -+ { char *all; - diff --git a/readconf.h b/readconf.h - index d6a15550..d2d20548 100644 - --- a/readconf.h -@@ -950,9 +950,9 @@ - /* Portable-specific options */ - sUsePAM, - + sDisableMTAES, -- /* Standard Options */ -- sPort, sHostKeyFile, sLoginGraceTime, -- sPermitRootLogin, sLogFacility, sLogLevel, -+ /* X.509 Standard Options */ -+ sHostbasedAlgorithms, -+ sPubkeyAlgorithms, - @@ -672,6 +676,7 @@ static struct { - { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, - { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, -diff -ur a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff ---- a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 19:05:28.942903961 -0800 -+++ b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 20:36:34.702362020 -0800 -@@ -157,6 +157,36 @@ - + Allan Jude provided the code for the NoneMac and buffer normalization. - + This work was financed, in part, by Cisco System, Inc., the National - + Library of Medicine, and the National Science Foundation. -+diff --git a/auth2.c b/auth2.c -+--- a/auth2.c 2021-03-03 20:34:51.312051369 -0800 -++++ b/auth2.c 2021-03-03 20:35:15.797888115 -0800 -+@@ -229,16 +229,17 @@ -+ double delay; -+ -+ digest_alg = ssh_digest_maxbytes(); -+- len = ssh_digest_bytes(digest_alg); -+- hash = xmalloc(len); -++ if (len = ssh_digest_bytes(digest_alg) > 0) { -++ hash = xmalloc(len); -+ -+- (void)snprintf(b, sizeof b, "%llu%s", -+- (unsigned long long)options.timing_secret, user); -+- if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0) -+- fatal_f("ssh_digest_memory"); -+- /* 0-4.2 ms of delay */ -+- delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000; -+- freezero(hash, len); -++ (void)snprintf(b, sizeof b, "%llu%s", -++ (unsigned long long)options.timing_secret, user); -++ if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0) -++ fatal_f("ssh_digest_memory"); -++ /* 0-4.2 ms of delay */ -++ delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000; -++ freezero(hash, len); -++ } -+ debug3_f("user specific delay %0.3lfms", delay/1000); -+ return MIN_FAIL_DELAY_SECONDS + delay; -+ } - diff --git a/channels.c b/channels.c - index e4917f3c..e0db582e 100644 - --- a/channels.c -@@ -209,14 +239,14 @@ - static void - channel_pre_open(struct ssh *ssh, Channel *c, - fd_set *readset, fd_set *writeset) --@@ -2179,22 +2206,31 @@ channel_check_window(struct ssh *ssh, Channel *c) -+@@ -2179,21 +2206,31 @@ channel_check_window(struct ssh *ssh, Channel *c) - - if (c->type == SSH_CHANNEL_OPEN && - !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) && - - ((c->local_window_max - c->local_window > - - c->local_maxpacket*3) || --+ ((ssh_packet_is_interactive(ssh) && --+ c->local_window_max - c->local_window > c->local_maxpacket*3) || -++ ((ssh_packet_is_interactive(ssh) && -++ c->local_window_max - c->local_window > c->local_maxpacket*3) || - c->local_window < c->local_window_max/2) && - c->local_consumed > 0) { - + u_int addition = 0; -@@ -234,10 +264,12 @@ - SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 || - (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || - - (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 || -+- (r = sshpkt_send(ssh)) != 0) -+- fatal_fr(r, "channel %d", c->self); - + (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 || -- (r = sshpkt_send(ssh)) != 0) { -- fatal_fr(r, "channel %i", c->self); -- } -++ (r = sshpkt_send(ssh)) != 0) { -++ fatal_fr(r, "channel %i", c->self); -++ } - debug2("channel %d: window %d sent adjust %d", c->self, - - c->local_window, c->local_consumed); - - c->local_window += c->local_consumed; -@@ -384,20 +416,38 @@ - index dec8e7e9..3c11558e 100644 - --- a/compat.c - +++ b/compat.c --@@ -150,6 +150,13 @@ compat_banner(struct ssh *ssh, const char *version) -- debug_f("match: %s pat %s compat 0x%08x", -+@@ -43,7 +43,7 @@ -+ static u_int -+ compat_datafellows(const char *version) -+ { -+- int i; -++ int i, bugs = 0; -+ static struct { -+ char *pat; -+ int bugs; -+@@ -147,11 +147,19 @@ -+ if (match_pattern_list(version, check[i].pat, 0) == 1) { -+ debug("match: %s pat %s compat 0x%08x", - version, check[i].pat, check[i].bugs); -- ssh->compat = check[i].bugs; --+ /* Check to see if the remote side is OpenSSH and not HPN */ --+ if (strstr(version, "OpenSSH") != NULL) { --+ if (strstr(version, "hpn") == NULL) { --+ ssh->compat |= SSH_BUG_LARGEWINDOW; --+ debug("Remote is NON-HPN aware"); --+ } --+ } -- return; -+- return check[i].bugs; -++ bugs |= check[i].bugs; - } - } -+- debug("no match: %s", version); -+- return 0; -++ /* Check to see if the remote side is OpenSSH and not HPN */ -++ if (strstr(version, "OpenSSH") != NULL) { -++ if (strstr(version, "hpn") == NULL) { -++ bugs |= SSH_BUG_LARGEWINDOW; -++ debug("Remote is NON-HPN aware"); -++ } -++ } -++ if (bugs == 0) -++ debug("no match: %s", version); -++ return bugs; -+ } -+ -+ char * - diff --git a/compat.h b/compat.h - index 66db42cc..d4e811e4 100644 - --- a/compat.h -@@ -456,7 +506,7 @@ - @@ -888,6 +888,10 @@ kex_choose_conf(struct ssh *ssh) - int nenc, nmac, ncomp; - u_int mode, ctos, need, dh_need, authlen; -- int r, first_kex_follows; -+ int r, first_kex_follows = 0; - + int auth_flag = 0; - + - + auth_flag = packet_authentication_state(ssh); -@@ -1033,19 +1083,6 @@ - - /* File to read commands from */ - FILE* infile; --diff --git a/ssh-keygen.c b/ssh-keygen.c --index a12b79a5..8b839219 100644 ----- a/ssh-keygen.c --+++ b/ssh-keygen.c --@@ -2999,7 +2999,7 @@ do_download_sk(const char *skprovider, const char *device) -- freezero(pin, strlen(pin)); -- error("Unable to load resident keys: %s", ssh_err(r)); -- return -1; --- } --+ } -- if (nkeys == 0) -- logit("No keys to download"); -- if (pin != NULL) - diff --git a/ssh.c b/ssh.c - index f34ca0d7..d7d134f7 100644 - --- a/ssh.c -@@ -1091,7 +1128,7 @@ - + else - + options.hpn_buffer_size = 2 * 1024 * 1024; - + --+ if (ssh->compat & SSH_BUG_LARGEWINDOW) { -++ if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) { - + debug("HPN to Non-HPN Connection"); - + } else { - + int sock, socksize; -@@ -1331,6 +1368,26 @@ - /* Bind the socket to the desired port. */ - if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) { - error("Bind to port %s on %s failed: %.200s.", -+@@ -1625,12 +1625,13 @@ -+ if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg), -+ sshbuf_len(server_cfg)) != 0) -+ fatal_f("ssh_digest_update"); -+- len = ssh_digest_bytes(digest_alg); -+- hash = xmalloc(len); -+- if (ssh_digest_final(ctx, hash, len) != 0) -+- fatal_f("ssh_digest_final"); -+- options.timing_secret = PEEK_U64(hash); -+- freezero(hash, len); -++ if (len = ssh_digest_bytes(digest_alg) > 0) { -++ hash = xmalloc(len); -++ if (ssh_digest_final(ctx, hash, len) != 0) -++ fatal_f("ssh_digest_final"); -++ options.timing_secret = PEEK_U64(hash); -++ freezero(hash, len); -++ } -+ ssh_digest_free(ctx); -+ ctx = NULL; -+ return; - @@ -1746,6 +1753,19 @@ main(int ac, char **av) - /* Fill in default values for those options not explicitly set. */ - fill_default_server_options(&options); -@@ -1401,14 +1458,3 @@ - # Example of overriding settings on a per-user basis - #Match User anoncvs - # X11Forwarding no --diff --git a/version.h b/version.h --index c2f9c55b..f2e7fa80 100644 ----- a/version.h --+++ b/version.h --@@ -3,4 +3,5 @@ -- #define SSH_VERSION "OpenSSH_8.4" -- -- #define SSH_PORTABLE "p1" ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE --+#define SSH_HPN "-hpn15v1" --+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN -diff -ur a/openssh-8_4_P1-hpn-PeakTput-15.1.diff b/openssh-8_4_P1-hpn-PeakTput-15.1.diff ---- a/openssh-8_4_P1-hpn-PeakTput-15.1.diff 2021-03-03 12:57:01.975827879 -0800 -+++ b/openssh-8_4_P1-hpn-PeakTput-15.1.diff 2021-03-03 18:25:21.930305937 -0800 -@@ -12,9 +12,9 @@ - static long stalled; /* how long we have been stalled */ - static int bytes_per_second; /* current speed in bytes per second */ - @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update) -+ off_t bytes_left; - int cur_speed; -- int hours, minutes, seconds; -- int file_len; -+ int len; - + off_t delta_pos; - - if ((!force_update && !alarm_fired && !win_resized) || !can_output()) -@@ -33,12 +33,12 @@ - @@ -166,7 +173,7 @@ refresh_progress_meter(int force_update) - - /* filename */ -- buf[0] = '\0'; --- file_len = win_size - 36; --+ file_len = win_size - 45; -- if (file_len > 0) { -- buf[0] = '\r'; -- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s", -+ if (win_size > 36) { -+- int file_len = win_size - 36; -++ int file_len = win_size - 45; -+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ", -+ file_len, file); -+ } - @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update) - (off_t)bytes_per_second); - strlcat(buf, "/s ", win_size); -@@ -63,15 +63,3 @@ - } - - /*ARGSUSED*/ --diff --git a/ssh-keygen.c b/ssh-keygen.c --index a12b79a5..76b22338 100644 ----- a/ssh-keygen.c --+++ b/ssh-keygen.c --@@ -2987,7 +2987,6 @@ do_download_sk(const char *skprovider, const char *device) -- -- if (skprovider == NULL) -- fatal("Cannot download keys without provider"); --- -- pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN); -- if (!quiet) { -- printf("You may need to touch your authenticator " diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-glue.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-glue.patch deleted file mode 100644 index ec6e687271..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-glue.patch +++ /dev/null @@ -1,242 +0,0 @@ -diff -ur a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff ---- a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff 2021-03-03 11:08:18.300474672 -0800 -+++ b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff 2021-03-03 11:18:42.408298903 -0800 -@@ -894,9 +894,9 @@ - intptr = &options->compression; - multistate_ptr = multistate_compression; - @@ -2062,6 +2068,7 @@ initialize_options(Options * options) -- options->update_hostkeys = -1; -- options->hostbased_key_types = NULL; -- options->pubkey_key_types = NULL; -+ options->hostbased_accepted_algos = NULL; -+ options->pubkey_accepted_algos = NULL; -+ options->known_hosts_command = NULL; - + options->disable_multithreaded = -1; - } - -diff -ur a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff ---- a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 11:08:18.300474672 -0800 -+++ b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 12:53:24.117319233 -0800 -@@ -209,7 +209,7 @@ - static void - channel_pre_open(struct ssh *ssh, Channel *c, - fd_set *readset, fd_set *writeset) --@@ -2179,25 +2206,34 @@ channel_check_window(struct ssh *ssh, Channel *c) -+@@ -2179,22 +2206,31 @@ channel_check_window(struct ssh *ssh, Channel *c) - - if (c->type == SSH_CHANNEL_OPEN && - !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) && -@@ -229,22 +229,19 @@ - + debug("Channel: Window growth to %d by %d bytes", c->local_window_max, addition); - + } - if (!c->have_remote_id) -- fatal(":%s: channel %d: no remote id", -- __func__, c->self); -+ fatal_f("channel %d: no remote id", c->self); - if ((r = sshpkt_start(ssh, - SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 || - (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || - - (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 || - + (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 || - (r = sshpkt_send(ssh)) != 0) { -- fatal("%s: channel %i: %s", __func__, -- c->self, ssh_err(r)); -+ fatal_fr(r, "channel %i", c->self); - } -- debug2("channel %d: window %d sent adjust %d", -- c->self, c->local_window, --- c->local_consumed); -+ debug2("channel %d: window %d sent adjust %d", c->self, -+- c->local_window, c->local_consumed); - - c->local_window += c->local_consumed; --+ c->local_consumed + addition); -++ c->local_window, c->local_consumed + addition); - + c->local_window += c->local_consumed + addition; - c->local_consumed = 0; - } -@@ -387,18 +384,18 @@ - index dec8e7e9..3c11558e 100644 - --- a/compat.c - +++ b/compat.c --@@ -150,6 +150,13 @@ compat_datafellows(const char *version) -- debug("match: %s pat %s compat 0x%08x", -+@@ -150,6 +150,13 @@ compat_banner(struct ssh *ssh, const char *version) -+ debug_f("match: %s pat %s compat 0x%08x", - version, check[i].pat, check[i].bugs); -- datafellows = check[i].bugs; /* XXX for now */ -+ ssh->compat = check[i].bugs; - + /* Check to see if the remote side is OpenSSH and not HPN */ - + if (strstr(version, "OpenSSH") != NULL) { - + if (strstr(version, "hpn") == NULL) { --+ datafellows |= SSH_BUG_LARGEWINDOW; -++ ssh->compat |= SSH_BUG_LARGEWINDOW; - + debug("Remote is NON-HPN aware"); - + } - + } -- return check[i].bugs; -+ return; - } - } - diff --git a/compat.h b/compat.h -@@ -431,9 +428,9 @@ - --- a/digest-openssl.c - +++ b/digest-openssl.c - @@ -61,6 +61,7 @@ const struct ssh_digest digests[] = { -- { SSH_DIGEST_SHA256, "SHA256", 32, EVP_sha256 }, -+ { SSH_DIGEST_SHA256, "SHA256", 32, EVP_sha256 }, - { SSH_DIGEST_SHA384, "SHA384", 48, EVP_sha384 }, -- { SSH_DIGEST_SHA512, "SHA512", 64, EVP_sha512 }, -+ { SSH_DIGEST_SHA512, "SHA512", 64, EVP_sha512 }, - + { SSH_DIGEST_NULL, "NONEMAC", 0, EVP_md_null}, - { -1, NULL, 0, NULL }, - }; -@@ -536,18 +533,10 @@ - if (state->rekey_limit) - *max_blocks = MINIMUM(*max_blocks, - state->rekey_limit / enc->block_size); --@@ -966,6 +975,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode) -+@@ -966,6 +975,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode) - return 0; - } - --+/* this supports the forced rekeying required for the NONE cipher */ --+int rekey_requested = 0; --+void --+packet_request_rekeying(void) --+{ --+ rekey_requested = 1; --+} --+ - +/* used to determine if pre or post auth when rekeying for aes-ctr - + * and none cipher switch */ - +int -@@ -561,20 +550,6 @@ - #define MAX_PACKETS (1U<<31) - static int - ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) --@@ -992,6 +1019,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) -- if (state->p_send.packets == 0 && state->p_read.packets == 0) -- return 0; -- --+ /* used to force rekeying when called for by the none --+ * cipher switch methods -cjr */ --+ if (rekey_requested == 1) { --+ rekey_requested = 0; --+ return 1; --+ } --+ -- /* Time-based rekeying */ -- if (state->rekey_interval != 0 && -- (int64_t)state->rekey_time + state->rekey_interval <= monotime()) - @@ -1330,7 +1364,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) - struct session_state *state = ssh->state; - int len, r, ms_remain; -@@ -622,9 +597,9 @@ - /* Format of the configuration file: - - @@ -165,6 +166,8 @@ typedef enum { -- oHashKnownHosts, - oTunnel, oTunnelDevice, - oLocalCommand, oPermitLocalCommand, oRemoteCommand, -+ oDisableMTAES, - + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize, - + oNoneEnabled, oNoneMacEnabled, oNoneSwitch, - oVisualHostKey, -@@ -778,9 +753,9 @@ - int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */ - SyslogFacility log_facility; /* Facility for system logging. */ - @@ -115,7 +119,11 @@ typedef struct { -- - int enable_ssh_keysign; - int64_t rekey_limit; -+ int disable_multithreaded; /*disable multithreaded aes-ctr*/ - + int none_switch; /* Use none cipher */ - + int none_enabled; /* Allow none cipher to be used */ - + int nonemac_enabled; /* Allow none MAC to be used */ -@@ -888,9 +863,9 @@ - + options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT; - + } - + -+ if (options->disable_multithreaded == -1) -+ options->disable_multithreaded = 0; - if (options->ip_qos_interactive == -1) -- options->ip_qos_interactive = IPTOS_DSCP_AF21; -- if (options->ip_qos_bulk == -1) - @@ -511,6 +564,8 @@ typedef enum { - sPasswordAuthentication, sKbdInteractiveAuthentication, - sListenAddress, sAddressFamily, -@@ -1091,7 +1066,7 @@ - } - - +static void --+hpn_options_init(void) -++hpn_options_init(struct ssh *ssh) - +{ - + /* - + * We need to check to see if what they want to do about buffer -@@ -1116,7 +1091,7 @@ - + else - + options.hpn_buffer_size = 2 * 1024 * 1024; - + --+ if (datafellows & SSH_BUG_LARGEWINDOW) { -++ if (ssh->compat & SSH_BUG_LARGEWINDOW) { - + debug("HPN to Non-HPN Connection"); - + } else { - + int sock, socksize; -@@ -1186,7 +1161,7 @@ - + c->dynamic_window = 1; - + debug("Enabled Dynamic Window Scaling"); - + } -- debug3("%s: channel_new: %d", __func__, c->self); -+ debug3_f("channel_new: %d", c->self); - - channel_send_open(ssh, c->self); - @@ -2078,6 +2160,13 @@ ssh_session2(struct ssh *ssh, struct passwd *pw) -@@ -1198,7 +1173,7 @@ - + * might open channels that use the hpn buffer sizes. We can't send a - + * window of -1 (the default) to the server as it breaks things. - + */ --+ hpn_options_init(); -++ hpn_options_init(ssh); - + - /* XXX should be pre-session */ - if (!options.control_persist) -@@ -1297,11 +1272,10 @@ - xxx_host = host; - xxx_hostaddr = hostaddr; - --@@ -482,6 +493,34 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, -- -+@@ -482,6 +493,33 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, - if (!authctxt.success) - fatal("Authentication failed."); --+ -+ - + /* - + * If the user wants to use the none cipher, do it post authentication - + * and only if the right conditions are met -- both of the NONE commands -@@ -1329,9 +1303,9 @@ - + } - + } - + -- debug("Authentication succeeded (%s).", authctxt.method->name); -- } -- -+ #ifdef WITH_OPENSSL -+ if (options.disable_multithreaded == 0) { -+ /* if we are using aes-ctr there can be issues in either a fork or sandbox - diff --git a/sshd.c b/sshd.c - index 8aa7f3df..d0e3f1b0 100644 - --- a/sshd.c -@@ -1397,9 +1371,9 @@ - + if (options.nonemac_enabled == 1) - + debug("WARNING: None MAC enabled"); - + -- myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( -+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, - options.kex_algorithms); -- myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal( -+ myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(ssh, - diff --git a/sshd_config b/sshd_config - index 19b7c91a..cdd889b2 100644 - --- a/sshd_config diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-sctp-glue.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-sctp-glue.patch deleted file mode 100644 index d4835d1209..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-hpn-15.1-sctp-glue.patch +++ /dev/null @@ -1,18 +0,0 @@ -diff -ur a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff ---- a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 15:36:29.211246123 -0800 -+++ b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 15:36:53.607089097 -0800 -@@ -1401,14 +1401,3 @@ - # Example of overriding settings on a per-user basis - #Match User anoncvs - # X11Forwarding no --diff --git a/version.h b/version.h --index c2f9c55b..f2e7fa80 100644 ----- a/version.h --+++ b/version.h --@@ -3,4 +3,5 @@ -- #define SSH_VERSION "OpenSSH_8.4" -- -- #define SSH_PORTABLE "p1" ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE --+#define SSH_HPN "-hpn15v1" --+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-X509-13.0.1-glue.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-X509-13.0.1-glue.patch deleted file mode 100644 index 413cc8b9c3..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-X509-13.0.1-glue.patch +++ /dev/null @@ -1,328 +0,0 @@ -diff -u a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff ---- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-03-15 17:45:28.550606801 -0700 -+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-03-15 17:56:36.240309581 -0700 -@@ -3,9 +3,9 @@ - --- a/Makefile.in - +++ b/Makefile.in - @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@ -- CFLAGS_NOPIE=@CFLAGS_NOPIE@ -- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ -- PICFLAG=@PICFLAG@ -+ LD=@LD@ -+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA) -+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ - -LIBS=@LIBS@ - +LIBS=@LIBS@ -lpthread - K5LIBS=@K5LIBS@ -@@ -803,8 +803,8 @@ - ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out) - { - struct session_state *state; --- const struct sshcipher *none = cipher_by_name("none"); --+ struct sshcipher *none = cipher_by_name("none"); -+- const struct sshcipher *none = cipher_none(); -++ struct sshcipher *none = cipher_none(); - int r; - - if (none == NULL) { -@@ -898,20 +898,20 @@ - options->fingerprint_hash = -1; - options->update_hostkeys = -1; - + options->disable_multithreaded = -1; -- options->hostbased_accepted_algos = NULL; -- options->pubkey_accepted_algos = NULL; -- options->known_hosts_command = NULL; -+ } -+ -+ /* - @@ -2467,6 +2474,10 @@ fill_default_options(Options * options) -+ options->update_hostkeys = 0; - if (options->sk_provider == NULL) - options->sk_provider = xstrdup("$SSH_SK_PROVIDER"); -- #endif - + if (options->update_hostkeys == -1) - + options->update_hostkeys = 0; - + if (options->disable_multithreaded == -1) - + options->disable_multithreaded = 0; - -- /* Expand KEX name lists */ -- all_cipher = cipher_alg_list(',', 0); -+ /* expand KEX and etc. name lists */ -+ { char *all; - diff --git a/readconf.h b/readconf.h - index 2fba866e..7f8f0227 100644 - --- a/readconf.h -@@ -950,9 +950,9 @@ - /* Portable-specific options */ - sUsePAM, - + sDisableMTAES, -- /* Standard Options */ -- sPort, sHostKeyFile, sLoginGraceTime, -- sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, -+ /* X.509 Standard Options */ -+ sHostbasedAlgorithms, -+ sPubkeyAlgorithms, - @@ -662,6 +666,7 @@ static struct { - { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, - { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, -diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff ---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:29:42.953733894 -0700 -+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:47:54.198893025 -0700 -@@ -157,6 +157,36 @@ - + Allan Jude provided the code for the NoneMac and buffer normalization. - + This work was financed, in part, by Cisco System, Inc., the National - + Library of Medicine, and the National Science Foundation. -+diff --git a/auth2.c b/auth2.c -+--- a/auth2.c 2021-03-15 19:30:45.404060786 -0700 -++++ b/auth2.c 2021-03-15 19:37:22.078476597 -0700 -+@@ -229,16 +229,17 @@ -+ double delay; -+ -+ digest_alg = ssh_digest_maxbytes(); -+- len = ssh_digest_bytes(digest_alg); -+- hash = xmalloc(len); -++ if (len = ssh_digest_bytes(digest_alg) > 0) { -++ hash = xmalloc(len); -+ -+- (void)snprintf(b, sizeof b, "%llu%s", -+- (unsigned long long)options.timing_secret, user); -+- if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0) -+- fatal_f("ssh_digest_memory"); -+- /* 0-4.2 ms of delay */ -+- delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000; -+- freezero(hash, len); -++ (void)snprintf(b, sizeof b, "%llu%s", -++ (unsigned long long)options.timing_secret, user); -++ if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0) -++ fatal_f("ssh_digest_memory"); -++ /* 0-4.2 ms of delay */ -++ delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000; -++ freezero(hash, len); -++ } -+ debug3_f("user specific delay %0.3lfms", delay/1000); -+ return MIN_FAIL_DELAY_SECONDS + delay; -+ } - diff --git a/channels.c b/channels.c - index b60d56c4..0e363c15 100644 - --- a/channels.c -@@ -209,14 +239,14 @@ - static void - channel_pre_open(struct ssh *ssh, Channel *c, - fd_set *readset, fd_set *writeset) --@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c) -+@@ -2164,21 +2164,31 @@ channel_check_window(struct ssh *ssh, Channel *c) - - if (c->type == SSH_CHANNEL_OPEN && - !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) && - - ((c->local_window_max - c->local_window > - - c->local_maxpacket*3) || --+ ((ssh_packet_is_interactive(ssh) && --+ c->local_window_max - c->local_window > c->local_maxpacket*3) || -++ ((ssh_packet_is_interactive(ssh) && -++ c->local_window_max - c->local_window > c->local_maxpacket*3) || - c->local_window < c->local_window_max/2) && - c->local_consumed > 0) { - + u_int addition = 0; -@@ -235,9 +265,8 @@ - (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || - - (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 || - + (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 || -- (r = sshpkt_send(ssh)) != 0) { -- fatal_fr(r, "channel %i", c->self); -- } -+ (r = sshpkt_send(ssh)) != 0) -+ fatal_fr(r, "channel %d", c->self); - - debug2("channel %d: window %d sent adjust %d", c->self, - - c->local_window, c->local_consumed); - - c->local_window += c->local_consumed; -@@ -386,21 +415,45 @@ - index 69befa96..90b5f338 100644 - --- a/compat.c - +++ b/compat.c --@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version) -- debug_f("match: %s pat %s compat 0x%08x", -+@@ -43,7 +43,7 @@ compat_datafellows(const char *version) -+ static u_int -+ compat_datafellows(const char *version) -+ { -+- int i; -++ int i, bugs = 0; -+ static struct { -+ char *pat; -+ int bugs; -+@@ -147,11 +147,26 @@ -+ if (match_pattern_list(version, check[i].pat, 0) == 1) { -+ debug("match: %s pat %s compat 0x%08x", - version, check[i].pat, check[i].bugs); -- ssh->compat = check[i].bugs; - + /* Check to see if the remote side is OpenSSH and not HPN */ --+ /* TODO: need to use new method to test for this */ - + if (strstr(version, "OpenSSH") != NULL) { - + if (strstr(version, "hpn") == NULL) { --+ ssh->compat |= SSH_BUG_LARGEWINDOW; -++ bugs |= SSH_BUG_LARGEWINDOW; - + debug("Remote is NON-HPN aware"); - + } - + } -- return; -+- return check[i].bugs; -++ bugs |= check[i].bugs; - } - } -+- debug("no match: %s", version); -+- return 0; -++ /* Check to see if the remote side is OpenSSH and not HPN */ -++ if (strstr(version, "OpenSSH") != NULL) { -++ if (strstr(version, "hpn") == NULL) { -++ bugs |= SSH_BUG_LARGEWINDOW; -++ debug("Remote is NON-HPN aware"); -++ } -++ } -++ if (bugs == 0) -++ debug("no match: %s", version); -++ return bugs; -+ } -+ -+ char * - diff --git a/compat.h b/compat.h - index c197fafc..ea2e17a7 100644 - --- a/compat.h -@@ -459,7 +512,7 @@ - @@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh) - int nenc, nmac, ncomp; - u_int mode, ctos, need, dh_need, authlen; -- int r, first_kex_follows; -+ int r, first_kex_follows = 0; - + int auth_flag = 0; - + - + auth_flag = packet_authentication_state(ssh); -@@ -1035,19 +1088,6 @@ - - /* File to read commands from */ - FILE* infile; --diff --git a/ssh-keygen.c b/ssh-keygen.c --index cfb5f115..36a6e519 100644 ----- a/ssh-keygen.c --+++ b/ssh-keygen.c --@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device) -- freezero(pin, strlen(pin)); -- error_r(r, "Unable to load resident keys"); -- return -1; --- } --+ } -- if (nkeys == 0) -- logit("No keys to download"); -- if (pin != NULL) - diff --git a/ssh.c b/ssh.c - index 53330da5..27b9770e 100644 - --- a/ssh.c -@@ -1093,7 +1133,7 @@ - + else - + options.hpn_buffer_size = 2 * 1024 * 1024; - + --+ if (ssh->compat & SSH_BUG_LARGEWINDOW) { -++ if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) { - + debug("HPN to Non-HPN Connection"); - + } else { - + int sock, socksize; -@@ -1335,6 +1375,28 @@ - /* Bind the socket to the desired port. */ - if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) { - error("Bind to port %s on %s failed: %.200s.", -+@@ -1625,13 +1625,14 @@ -+ if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg), -+ sshbuf_len(server_cfg)) != 0) -+ fatal_f("ssh_digest_update"); -+- len = ssh_digest_bytes(digest_alg); -+- hash = xmalloc(len); -+- if (ssh_digest_final(ctx, hash, len) != 0) -+- fatal_f("ssh_digest_final"); -+- options.timing_secret = PEEK_U64(hash); -+- freezero(hash, len); -+- ssh_digest_free(ctx); -++ if ((len = ssh_digest_bytes(digest_alg)) > 0) { -++ hash = xmalloc(len); -++ if (ssh_digest_final(ctx, hash, len) != 0) -++ fatal_f("ssh_digest_final"); -++ options.timing_secret = PEEK_U64(hash); -++ freezero(hash, len); -++ ssh_digest_free(ctx); -++ } -+ ctx = NULL; -+ return; -+ } - @@ -1727,6 +1734,19 @@ main(int ac, char **av) - /* Fill in default values for those options not explicitly set. */ - fill_default_server_options(&options); -@@ -1405,14 +1467,3 @@ - # Example of overriding settings on a per-user basis - #Match User anoncvs - # X11Forwarding no --diff --git a/version.h b/version.h --index 6b4fa372..332fb486 100644 ----- a/version.h --+++ b/version.h --@@ -3,4 +3,5 @@ -- #define SSH_VERSION "OpenSSH_8.5" -- -- #define SSH_PORTABLE "p1" ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE --+#define SSH_HPN "-hpn15v2" --+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN -diff -u a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff ---- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-03-15 17:45:28.550606801 -0700 -+++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-03-15 18:39:10.262087944 -0700 -@@ -12,9 +12,9 @@ - static long stalled; /* how long we have been stalled */ - static int bytes_per_second; /* current speed in bytes per second */ - @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update) -+ off_t bytes_left; - int cur_speed; -- int hours, minutes, seconds; -- int file_len; -+ int len; - + off_t delta_pos; - - if ((!force_update && !alarm_fired && !win_resized) || !can_output()) -@@ -30,15 +30,17 @@ - if (bytes_left > 0) - elapsed = now - last_update; - else { --@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update) -- -+@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update) -+ buf[1] = '\0'; -+ - /* filename */ -- buf[0] = '\0'; --- file_len = win_size - 36; --+ file_len = win_size - 45; -- if (file_len > 0) { -- buf[0] = '\r'; -- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s", -+- if (win_size > 36) { -++ if (win_size > 45) { -+- int file_len = win_size - 36; -++ int file_len = win_size - 45; -+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ", -+ file_len, file); -+ } - @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update) - (off_t)bytes_per_second); - strlcat(buf, "/s ", win_size); -@@ -63,15 +65,3 @@ - } - - /*ARGSUSED*/ --diff --git a/ssh-keygen.c b/ssh-keygen.c --index cfb5f115..986ff59b 100644 ----- a/ssh-keygen.c --+++ b/ssh-keygen.c --@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device) -- -- if (skprovider == NULL) -- fatal("Cannot download keys without provider"); --- -- pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN); -- if (!quiet) { -- printf("You may need to touch your authenticator " diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-glue.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-glue.patch deleted file mode 100644 index 8827fe88d7..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-hpn-15.2-glue.patch +++ /dev/null @@ -1,104 +0,0 @@ -diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff ---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-15 15:10:45.680967455 -0700 -+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:25:14.710431930 -0700 -@@ -536,18 +536,10 @@ - if (state->rekey_limit) - *max_blocks = MINIMUM(*max_blocks, - state->rekey_limit / enc->block_size); --@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode) -+@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode) - return 0; - } - --+/* this supports the forced rekeying required for the NONE cipher */ --+int rekey_requested = 0; --+void --+packet_request_rekeying(void) --+{ --+ rekey_requested = 1; --+} --+ - +/* used to determine if pre or post auth when rekeying for aes-ctr - + * and none cipher switch */ - +int -@@ -561,20 +553,6 @@ - #define MAX_PACKETS (1U<<31) - static int - ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) --@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) -- if (state->p_send.packets == 0 && state->p_read.packets == 0) -- return 0; -- --+ /* used to force rekeying when called for by the none --+ * cipher switch methods -cjr */ --+ if (rekey_requested == 1) { --+ rekey_requested = 0; --+ return 1; --+ } --+ -- /* Time-based rekeying */ -- if (state->rekey_interval != 0 && -- (int64_t)state->rekey_time + state->rekey_interval <= monotime()) - @@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) - struct session_state *state = ssh->state; - int len, r, ms_remain; -@@ -598,12 +576,11 @@ - }; - - typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *, --@@ -155,6 +158,10 @@ int ssh_packet_inc_alive_timeouts(struct ssh *); -+@@ -155,6 +158,9 @@ int ssh_packet_inc_alive_timeouts(struct ssh *); - int ssh_packet_set_maxsize(struct ssh *, u_int); - u_int ssh_packet_get_maxsize(struct ssh *); - - +/* for forced packet rekeying post auth */ --+void packet_request_rekeying(void); - +int packet_authentication_state(const struct ssh *); - + - int ssh_packet_get_state(struct ssh *, struct sshbuf *); -@@ -627,9 +604,9 @@ - oLocalCommand, oPermitLocalCommand, oRemoteCommand, - + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize, - + oNoneEnabled, oNoneMacEnabled, oNoneSwitch, -+ oDisableMTAES, - oVisualHostKey, - oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass, -- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots, - @@ -297,6 +300,9 @@ static struct { - { "kexalgorithms", oKexAlgorithms }, - { "ipqos", oIPQoS }, -@@ -778,9 +755,9 @@ - int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */ - SyslogFacility log_facility; /* Facility for system logging. */ - @@ -120,7 +124,11 @@ typedef struct { -- - int enable_ssh_keysign; - int64_t rekey_limit; -+ int disable_multithreaded; /*disable multithreaded aes-ctr*/ - + int none_switch; /* Use none cipher */ - + int none_enabled; /* Allow none cipher to be used */ - + int nonemac_enabled; /* Allow none MAC to be used */ -@@ -842,9 +819,9 @@ - /* Portable-specific options */ - if (options->use_pam == -1) - @@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options) -- } -- if (options->permit_tun == -1) - options->permit_tun = SSH_TUNMODE_NO; -+ if (options->disable_multithreaded == -1) -+ options->disable_multithreaded = 0; - + if (options->none_enabled == -1) - + options->none_enabled = 0; - + if (options->nonemac_enabled == -1) -@@ -1330,9 +1307,9 @@ - + } - + } - + -- debug("Authentication succeeded (%s).", authctxt.method->name); -- } - -+ #ifdef WITH_OPENSSL -+ if (options.disable_multithreaded == 0) { - diff --git a/sshd.c b/sshd.c - index 6277e6d6..d66fa41a 100644 - --- a/sshd.c diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-GSSAPI-dns.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.7_p1-GSSAPI-dns.patch similarity index 91% rename from sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-GSSAPI-dns.patch rename to sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.7_p1-GSSAPI-dns.patch index eec66ade4b..ffc40b70ae 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.5_p1-GSSAPI-dns.patch +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.7_p1-GSSAPI-dns.patch @@ -1,6 +1,8 @@ ---- a/auth.c 2021-03-02 04:31:47.000000000 -0600 -+++ b/auth.c 2021-03-04 11:22:44.590041696 -0600 -@@ -727,119 +727,6 @@ fakepw(void) +diff --git a/auth.c b/auth.c +index 00b168b4..8ee93581 100644 +--- a/auth.c ++++ b/auth.c +@@ -729,118 +729,6 @@ fakepw(void) return (&fake); } @@ -9,9 +11,7 @@ - * be freed. NB. this will usually trigger a DNS query the first time it is - * called. - * This function does additional checks on the hostname to mitigate some -- * attacks on legacy rhosts-style authentication. -- * XXX is RhostsRSAAuthentication vulnerable to these? -- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) +- * attacks on based on conflation of hostnames and IP addresses. - */ - -static char * @@ -117,11 +117,14 @@ - return dnsname; - } -} - +- /* These functions link key/cert options to the auth framework */ ---- a/canohost.c 2021-03-02 04:31:47.000000000 -0600 -+++ b/canohost.c 2021-03-04 11:22:54.854211183 -0600 + /* Log sshauthopt options locally and (optionally) for remote transmission */ +diff --git a/canohost.c b/canohost.c +index a810da0e..18e9d8d4 100644 +--- a/canohost.c ++++ b/canohost.c @@ -202,3 +202,117 @@ get_local_port(int sock) { return get_sock_port(sock, 1); @@ -241,7 +244,7 @@ + } +} diff --git a/readconf.c b/readconf.c -index 724974b7..97a1ffd8 100644 +index 03369a08..b45898ce 100644 --- a/readconf.c +++ b/readconf.c @@ -161,6 +161,7 @@ typedef enum { @@ -252,7 +255,7 @@ index 724974b7..97a1ffd8 100644 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist, oHashKnownHosts, -@@ -206,9 +207,11 @@ static struct { +@@ -207,9 +208,11 @@ static struct { #if defined(GSSAPI) { "gssapiauthentication", oGssAuthentication }, { "gssapidelegatecredentials", oGssDelegateCreds }, @@ -264,7 +267,7 @@ index 724974b7..97a1ffd8 100644 #endif #ifdef ENABLE_PKCS11 { "pkcs11provider", oPKCS11Provider }, -@@ -1083,6 +1086,10 @@ parse_time: +@@ -1117,6 +1120,10 @@ parse_time: intptr = &options->gss_deleg_creds; goto parse_flag; @@ -275,15 +278,15 @@ index 724974b7..97a1ffd8 100644 case oBatchMode: intptr = &options->batch_mode; goto parse_flag; -@@ -2183,6 +2190,7 @@ initialize_options(Options * options) - options->challenge_response_authentication = -1; +@@ -2307,6 +2314,7 @@ initialize_options(Options * options) + options->pubkey_authentication = -1; options->gss_authentication = -1; options->gss_deleg_creds = -1; + options->gss_trust_dns = -1; options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; -@@ -2340,6 +2348,8 @@ fill_default_options(Options * options) +@@ -2465,6 +2473,8 @@ fill_default_options(Options * options) options->gss_authentication = 0; if (options->gss_deleg_creds == -1) options->gss_deleg_creds = 0; @@ -293,11 +296,11 @@ index 724974b7..97a1ffd8 100644 options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) diff --git a/readconf.h b/readconf.h -index 2fba866e..da3ce87a 100644 +index f7d53b06..c3a91898 100644 --- a/readconf.h +++ b/readconf.h -@@ -42,6 +42,7 @@ typedef struct { - /* Try S/Key or TIS, authentication. */ +@@ -40,6 +40,7 @@ typedef struct { + int hostbased_authentication; /* ssh2's rhosts_rsa */ int gss_authentication; /* Try GSS authentication */ int gss_deleg_creds; /* Delegate GSS credentials */ + int gss_trust_dns; /* Trust DNS for GSS canonicalization */ @@ -305,10 +308,10 @@ index 2fba866e..da3ce87a 100644 * authentication. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ diff --git a/ssh_config.5 b/ssh_config.5 -index f8119189..e0fd0d76 100644 +index cd0eea86..27101943 100644 --- a/ssh_config.5 +++ b/ssh_config.5 -@@ -783,6 +783,16 @@ The default is +@@ -832,6 +832,16 @@ The default is Forward (delegate) credentials to the server. The default is .Cm no . @@ -326,10 +329,10 @@ index f8119189..e0fd0d76 100644 Indicates that .Xr ssh 1 diff --git a/sshconnect2.c b/sshconnect2.c -index 059c9480..ab6f6832 100644 +index fea50fab..aeff639b 100644 --- a/sshconnect2.c +++ b/sshconnect2.c -@@ -770,6 +770,13 @@ userauth_gssapi(struct ssh *ssh) +@@ -776,6 +776,13 @@ userauth_gssapi(struct ssh *ssh) OM_uint32 min; int r, ok = 0; gss_OID mech = NULL; @@ -343,7 +346,7 @@ index 059c9480..ab6f6832 100644 /* Try one GSSAPI method at a time, rather than sending them all at * once. */ -@@ -784,7 +791,7 @@ userauth_gssapi(struct ssh *ssh) +@@ -790,7 +797,7 @@ userauth_gssapi(struct ssh *ssh) elements[authctxt->mech_tried]; /* My DER encoding requires length<128 */ if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt, diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.6_p1-X509-glue-13.1.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.7_p1-X509-glue-13.2.patch similarity index 70% rename from sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.6_p1-X509-glue-13.1.patch rename to sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.7_p1-X509-glue-13.2.patch index e23063b5db..d6f5e42027 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.6_p1-X509-glue-13.1.patch +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.7_p1-X509-glue-13.2.patch @@ -1,11 +1,12 @@ ---- a/openssh-8.6p1+x509-13.1.diff 2021-04-23 14:46:58.184683047 -0700 -+++ b/openssh-8.6p1+x509-13.1.diff 2021-04-23 15:00:08.455087549 -0700 -@@ -47728,12 +47728,11 @@ +diff -ur '--exclude=.*.un~' a/openssh-8.7p1+x509-13.2.diff b/openssh-8.7p1+x509-13.2.diff +--- a/openssh-8.7p1+x509-13.2.diff 2021-08-30 17:47:40.415668320 -0700 ++++ b/openssh-8.7p1+x509-13.2.diff 2021-08-30 17:49:14.916114987 -0700 +@@ -51082,12 +51082,11 @@ install-files: $(MKDIR_P) $(DESTDIR)$(bindir) --@@ -389,6 +366,8 @@ -+@@ -389,6 +366,7 @@ +-@@ -391,6 +368,8 @@ ++@@ -391,6 +368,7 @@ $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5 $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8 $(MKDIR_P) $(DESTDIR)$(libexecdir) @@ -14,7 +15,7 @@ $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH) $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT) $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT) -@@ -65001,7 +65000,7 @@ +@@ -69793,7 +69792,7 @@ - echo "putty interop tests not enabled" - exit 0 -fi @@ -23,7 +24,7 @@ for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do verbose "$tid: cipher $c" -@@ -65016,7 +65015,7 @@ +@@ -69808,7 +69807,7 @@ - echo "putty interop tests not enabled" - exit 0 -fi @@ -32,7 +33,7 @@ for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do verbose "$tid: kex $k" -@@ -65031,7 +65030,7 @@ +@@ -69823,7 +69822,7 @@ - echo "putty interop tests not enabled" - exit 0 -fi @@ -41,7 +42,7 @@ if [ "`${SSH} -Q compression`" = "none" ]; then comp="0" -@@ -65163,9 +65162,9 @@ +@@ -70130,9 +70129,9 @@ +# cross-project configuration +if test "$sshd_type" = "pkix" ; then @@ -53,20 +54,20 @@ +fi + cat > $OBJ/sshd_config.i << _EOF -@@ -124084,16 +124083,6 @@ +@@ -131673,16 +131672,6 @@ +int asnmprintf(char **, size_t, int *, const char *, ...) __attribute__((format(printf, 4, 5))); void msetlocale(void); --diff -ruN openssh-8.6p1/version.h openssh-8.6p1+x509-13.1/version.h ----- openssh-8.6p1/version.h 2021-04-16 06:55:25.000000000 +0300 --+++ openssh-8.6p1+x509-13.1/version.h 2021-04-21 21:07:00.000000000 +0300 +-diff -ruN openssh-8.7p1/version.h openssh-8.7p1+x509-13.2/version.h +---- openssh-8.7p1/version.h 2021-08-20 07:03:49.000000000 +0300 +-+++ openssh-8.7p1+x509-13.2/version.h 2021-08-30 20:07:00.000000000 +0300 -@@ -2,5 +2,4 @@ - -- #define SSH_VERSION "OpenSSH_8.6" +- #define SSH_VERSION "OpenSSH_8.7" - --#define SSH_PORTABLE "p1" --#define SSH_RELEASE SSH_VERSION SSH_PORTABLE -+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1" - diff -ruN openssh-8.6p1/version.m4 openssh-8.6p1+x509-13.1/version.m4 - --- openssh-8.6p1/version.m4 1970-01-01 02:00:00.000000000 +0200 - +++ openssh-8.6p1+x509-13.1/version.m4 2021-04-21 21:07:00.000000000 +0300 + diff -ruN openssh-8.7p1/version.m4 openssh-8.7p1+x509-13.2/version.m4 + --- openssh-8.7p1/version.m4 1970-01-01 02:00:00.000000000 +0200 + +++ openssh-8.7p1+x509-13.2/version.m4 2021-08-30 20:07:00.000000000 +0300 diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-X509-glue.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch similarity index 68% rename from sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-X509-glue.patch rename to sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch index 714dffc417..49c0591777 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-X509-glue.patch +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch @@ -1,6 +1,6 @@ -diff -ur a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff ---- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-04-23 15:31:47.247434467 -0700 -+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-04-23 15:32:29.807508606 -0700 +diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff +--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-31 11:12:46.412119817 -0700 ++++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-31 11:26:11.116026151 -0700 @@ -3,9 +3,9 @@ --- a/Makefile.in +++ b/Makefile.in @@ -25,9 +25,14 @@ diff -ur a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15. int r; if (none == NULL) { -@@ -898,20 +898,20 @@ +@@ -894,24 +894,24 @@ + intptr = &options->compression; + multistate_ptr = multistate_compression; + @@ -2272,6 +2278,7 @@ initialize_options(Options * options) +- options->revoked_host_keys = NULL; options->fingerprint_hash = -1; options->update_hostkeys = -1; ++ options->known_hosts_command = NULL; + options->disable_multithreaded = -1; - options->hostbased_accepted_algos = NULL; - options->pubkey_accepted_algos = NULL; @@ -65,9 +70,9 @@ diff -ur a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15. @@ -662,6 +666,7 @@ static struct { { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, -diff -ur a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff ---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-04-23 15:31:47.247434467 -0700 -+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-04-23 15:46:32.296026606 -0700 +diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff +--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-31 11:12:46.412119817 -0700 ++++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-31 14:17:59.366248683 -0700 @@ -157,6 +157,36 @@ + Allan Jude provided the code for the NoneMac and buffer normalization. + This work was financed, in part, by Cisco System, Inc., the National @@ -135,7 +140,75 @@ diff -ur a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-Dy - debug2("channel %d: window %d sent adjust %d", c->self, - c->local_window, c->local_consumed); - c->local_window += c->local_consumed; -@@ -386,21 +415,45 @@ +@@ -337,70 +366,92 @@ + index 70f492f8..5503af1d 100644 + --- a/clientloop.c + +++ b/clientloop.c +-@@ -1578,9 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan) ++@@ -1578,10 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan) + sock = x11_connect_display(ssh); + if (sock < 0) + return NULL; + - c = channel_new(ssh, "x11", + - SSH_CHANNEL_X11_OPEN, sock, sock, -1, +-- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); +-+ c = channel_new(ssh, "x11", +-+ SSH_CHANNEL_X11_OPEN, sock, sock, -1, +-+ /* again is this really necessary for X11? */ +-+ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size, +-+ CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); ++- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", ++- CHANNEL_NONBLOCK_SET); +++ c = channel_new(ssh, "x11", +++ SSH_CHANNEL_X11_OPEN, sock, sock, -1, +++ /* again is this really necessary for X11? */ +++ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size, +++ CHAN_X11_PACKET_DEFAULT, 0, "x11", CHANNEL_NONBLOCK_SET); + c->force_drain = 1; + return c; + } +-@@ -1608,9 +1610,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan) ++@@ -1608,9 +1609,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan) + return NULL; + } + c = channel_new(ssh, "authentication agent connection", + - SSH_CHANNEL_OPEN, sock, sock, -1, + - CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, +-- "authentication agent connection", 1); +-+ SSH_CHANNEL_OPEN, sock, sock, -1, +-+ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size, +-+ CHAN_TCP_PACKET_DEFAULT, 0, +-+ "authentication agent connection", 1); ++- "authentication agent connection", CHANNEL_NONBLOCK_SET); +++ SSH_CHANNEL_OPEN, sock, sock, -1, +++ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size, +++ CHAN_TCP_PACKET_DEFAULT, 0, +++ "authentication agent connection", CHANNEL_NONBLOCK_SET); + c->force_drain = 1; + return c; + } +-@@ -1635,10 +1638,13 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode, ++@@ -1635,9 +1637,9 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode, + } + debug("Tunnel forwarding using interface %s", ifname); + + - c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1, +-- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); +-+ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1, ++- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", ++- CHANNEL_NONBLOCK_SET); +++ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1, + + options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size, +-+ CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); +++ CHAN_TCP_PACKET_DEFAULT, 0, "tun", CHANNEL_NONBLOCK_SET); + c->datagram = 1; + +-+ +-+ + #if defined(SSH_TUN_FILTER) +- if (options.tun_open == SSH_TUNMODE_POINTOPOINT) +- channel_register_filter(ssh, c->self, sys_tun_infilter, + diff --git a/compat.c b/compat.c index 69befa96..90b5f338 100644 --- a/compat.c +++ b/compat.c @@ -187,7 +260,7 @@ diff -ur a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-Dy diff --git a/compat.h b/compat.h index c197fafc..ea2e17a7 100644 --- a/compat.h -@@ -459,7 +512,7 @@ +@@ -459,7 +510,7 @@ @@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh) int nenc, nmac, ncomp; u_int mode, ctos, need, dh_need, authlen; @@ -196,7 +269,7 @@ diff -ur a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-Dy + int auth_flag = 0; + + auth_flag = packet_authentication_state(ssh); -@@ -553,7 +606,7 @@ +@@ -553,7 +604,7 @@ #define MAX_PACKETS (1U<<31) static int ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) @@ -205,7 +278,7 @@ diff -ur a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-Dy struct session_state *state = ssh->state; int len, r, ms_remain; fd_set *setp; -@@ -1035,19 +1088,6 @@ +@@ -1035,19 +1086,6 @@ /* Minimum amount of data to read at a time */ #define MIN_READ_SIZE 512 @@ -225,7 +298,7 @@ diff -ur a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-Dy diff --git a/ssh.c b/ssh.c index 53330da5..27b9770e 100644 --- a/ssh.c -@@ -1093,7 +1133,7 @@ +@@ -1093,7 +1131,7 @@ + else + options.hpn_buffer_size = 2 * 1024 * 1024; + @@ -234,7 +307,24 @@ diff -ur a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-Dy + debug("HPN to Non-HPN Connection"); + } else { + int sock, socksize; -@@ -1335,7 +1375,29 @@ +@@ -1157,14 +1195,14 @@ + } + @@ -2089,6 +2167,11 @@ ssh_session2_open(struct ssh *ssh) + window, packetmax, CHAN_EXTENDED_WRITE, +- "client-session", /*nonblock*/0); ++ "client-session", CHANNEL_NONBLOCK_STDIO); + + + if ((options.tcp_rcv_buf_poll > 0) && !options.hpn_disabled) { + + c->dynamic_window = 1; + + debug("Enabled Dynamic Window Scaling"); + + } + + +- debug3_f("channel_new: %d", c->self); ++ debug2_f("channel %d", c->self); + + channel_send_open(ssh, c->self); + @@ -2105,6 +2188,13 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_info *cinfo) +@@ -1335,7 +1373,29 @@ /* Bind the socket to the desired port. */ if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) { error("Bind to port %s on %s failed: %.200s.", @@ -262,19 +352,19 @@ diff -ur a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-Dy + return; + } +@@ -1727,6 +1735,19 @@ main(int ac, char **av) - /* Fill in default values for those options not explicitly set. */ - fill_default_server_options(&options); + fatal("AuthorizedPrincipalsCommand set without " + "AuthorizedPrincipalsCommandUser"); -@@ -1355,7 +1417,7 @@ - /* challenge-response is implemented via keyboard interactive */ - if (options.challenge_response_authentication) - options.kbd_interactive_authentication = 1; +@@ -1355,7 +1415,7 @@ + /* + * Check whether there is any path through configured auth methods. + * Unfortunately it is not possible to verify this generally before -@@ -2166,6 +2186,9 @@ main(int ac, char **av) +@@ -2166,6 +2187,9 @@ main(int ac, char **av) rdomain == NULL ? "" : "\""); free(laddr); -@@ -1365,7 +1427,7 @@ +@@ -1365,7 +1425,7 @@ /* * We don't want to listen forever unless the other side * successfully authenticates itself. So we set up an alarm which is @@ -283,7 +373,7 @@ diff -ur a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-Dy struct kex *kex; int r; -@@ -1405,14 +1467,3 @@ +@@ -1405,14 +1465,3 @@ # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no @@ -298,9 +388,9 @@ diff -ur a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-Dy --#define SSH_RELEASE SSH_VERSION SSH_PORTABLE -+#define SSH_HPN "-hpn15v2" -+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN -diff -ur a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff ---- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-04-23 15:31:47.247434467 -0700 -+++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-04-23 15:32:29.808508608 -0700 +diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff +--- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-08-31 11:12:16.778011216 -0700 ++++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-08-31 11:13:11.573211934 -0700 @@ -12,9 +12,9 @@ static long stalled; /* how long we have been stalled */ static int bytes_per_second; /* current speed in bytes per second */ diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-glue.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch similarity index 61% rename from sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-glue.patch rename to sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch index 30c0252ccb..309e57e886 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-glue.patch +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch @@ -1,6 +1,22 @@ -diff --exclude '*.un~' -ubr a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff ---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-04-19 13:36:51.659996653 -0700 -+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-04-19 13:42:23.302377465 -0700 +diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff +--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-20 11:49:32.351767063 -0700 ++++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-20 11:58:08.746214945 -0700 +@@ -1026,9 +1026,9 @@ + + } + +#endif + + +- debug("Authentication succeeded (%s).", authctxt.method->name); +- } +- ++ if (ssh_packet_connection_is_on_socket(ssh)) { ++ verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host, ++ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), + diff --git a/sshd.c b/sshd.c + index 6277e6d6..bf3d6e4a 100644 + --- a/sshd.c +diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff +--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-20 11:49:32.351767063 -0700 ++++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-20 12:04:45.008038085 -0700 @@ -536,18 +536,10 @@ if (state->rekey_limit) *max_blocks = MINIMUM(*max_blocks, @@ -67,6 +83,32 @@ diff --exclude '*.un~' -ubr a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/op @@ -297,6 +300,9 @@ static struct { { "kexalgorithms", oKexAlgorithms }, { "ipqos", oIPQoS }, +@@ -637,9 +614,9 @@ + + { "noneenabled", oNoneEnabled }, + + { "nonemacenabled", oNoneMacEnabled }, + + { "noneswitch", oNoneSwitch }, +- { "proxyusefdpass", oProxyUseFdpass }, +- { "canonicaldomains", oCanonicalDomains }, +- { "canonicalizefallbacklocal", oCanonicalizeFallbackLocal }, ++ { "sessiontype", oSessionType }, ++ { "stdinnull", oStdinNull }, ++ { "forkafterauthentication", oForkAfterAuthentication }, + @@ -317,6 +323,11 @@ static struct { + { "securitykeyprovider", oSecurityKeyProvider }, + { "knownhostscommand", oKnownHostsCommand }, +@@ -717,9 +694,9 @@ + + options->hpn_buffer_size = -1; + + options->tcp_rcv_buf_poll = -1; + + options->tcp_rcv_buf = -1; +- options->proxy_use_fdpass = -1; +- options->ignored_unknown = NULL; +- options->num_canonical_domains = 0; ++ options->session_type = -1; ++ options->stdin_null = -1; ++ options->fork_after_authentication = -1; + @@ -2426,6 +2484,41 @@ fill_default_options(Options * options) + options->server_alive_interval = 0; + if (options->server_alive_count_max == -1) @@ -778,9 +755,9 @@ int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */ SyslogFacility log_facility; /* Facility for system logging. */ @@ -130,3 +172,27 @@ diff --exclude '*.un~' -ubr a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/op diff --git a/sshd.c b/sshd.c index 6277e6d6..d66fa41a 100644 --- a/sshd.c +@@ -1359,8 +1336,8 @@ + if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) { + error("Bind to port %s on %s failed: %.200s.", + @@ -1727,6 +1734,19 @@ main(int ac, char **av) +- /* Fill in default values for those options not explicitly set. */ +- fill_default_server_options(&options); ++ fatal("AuthorizedPrincipalsCommand set without " ++ "AuthorizedPrincipalsCommandUser"); + + + if (options.none_enabled == 1) { + + char *old_ciphers = options.ciphers; +@@ -1375,9 +1352,9 @@ + + } + + } + + +- /* challenge-response is implemented via keyboard interactive */ +- if (options.challenge_response_authentication) +- options.kbd_interactive_authentication = 1; ++ /* ++ * Check whether there is any path through configured auth methods. ++ * Unfortunately it is not possible to verify this generally before + @@ -2166,6 +2186,9 @@ main(int ac, char **av) + rdomain == NULL ? "" : "\""); + free(laddr); diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd-r2.initd b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd-r2.initd new file mode 100644 index 0000000000..3381fb965d --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd-r2.initd @@ -0,0 +1,100 @@ +#!/sbin/openrc-run +# Copyright 1999-2021 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +extra_commands="checkconfig" +extra_started_commands="reload" + +: ${SSHD_CONFDIR:=${RC_PREFIX%/}/etc/ssh} +: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config} +: ${SSHD_PIDFILE:=${RC_PREFIX%/}/run/${SVCNAME}.pid} +: ${SSHD_BINARY:=${RC_PREFIX%/}/usr/sbin/sshd} +: ${SSHD_KEYGEN_BINARY:=${RC_PREFIX%/}/usr/bin/ssh-keygen} + +command="${SSHD_BINARY}" +pidfile="${SSHD_PIDFILE}" +command_args="${SSHD_OPTS} -o PidFile=${pidfile} -f ${SSHD_CONFIG}" + +# Wait one second (length chosen arbitrarily) to see if sshd actually +# creates a PID file, or if it crashes for some reason like not being +# able to bind to the address in ListenAddress (bug 617596). +: ${SSHD_SSD_OPTS:=--wait 1000} +start_stop_daemon_args="${SSHD_SSD_OPTS}" + +depend() { + # Entropy can be used by ssh-keygen, among other things, but + # is not strictly required (bug 470020). + use logger dns entropy + if [ "${rc_need+set}" = "set" ] ; then + : # Do nothing, the user has explicitly set rc_need + else + local x warn_addr + for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do + case "${x}" in + 0.0.0.0|0.0.0.0:*) ;; + ::|\[::\]*) ;; + *) warn_addr="${warn_addr} ${x}" ;; + esac + done + if [ -n "${warn_addr}" ] ; then + need net + ewarn "You are binding an interface in ListenAddress statement in your sshd_config!" + ewarn "You must add rc_need=\"net.FOO\" to your ${RC_PREFIX%/}/etc/conf.d/sshd" + ewarn "where FOO is the interface(s) providing the following address(es):" + ewarn "${warn_addr}" + fi + fi +} + +checkconfig() { + checkpath --mode 0755 --directory "${RC_PREFIX%/}/var/empty" + + if [ ! -e "${SSHD_CONFIG}" ] ; then + eerror "You need an ${SSHD_CONFIG} file to run sshd" + eerror "There is a sample file in /usr/share/doc/openssh" + return 1 + fi + + ${SSHD_KEYGEN_BINARY} -A || return 2 + + "${command}" -t ${command_args} || return 3 +} + +start_pre() { + # Make sure that the user's config isn't busted before we try + # to start the daemon (this will produce better error messages + # than if we just try to start it blindly). + # + # We always need to call checkconfig because this function will + # also generate any missing host key and you can start a + # non-running service with "restart" argument. + checkconfig || return $? +} + +stop_pre() { + if [ "${RC_CMD}" = "restart" ] ; then + # If this is a restart, check to make sure the user's config + # isn't busted before we stop the running daemon. + checkconfig || return $? + elif yesno "${RC_GOINGDOWN}" && [ -s "${pidfile}" ] && hash pgrep 2>/dev/null ; then + # Disconnect any clients before killing the master process + local pid=$(cat "${pidfile}" 2>/dev/null) + if [ -n "${pid}" ] ; then + local ssh_session_pattern='sshd: \S.*@pts/[0-9]+' + + IFS="${IFS}@" + local daemon pid pty user + pgrep -a -P ${pid} -f "$ssh_session_pattern" | while read pid daemon user pty ; do + ewarn "Found ${daemon%:} session ${pid} on ${pty}; sending SIGTERM ..." + kill "${pid}" || true + done + fi + fi +} + +reload() { + checkconfig || return $? + ebegin "Reloading ${SVCNAME}" + start-stop-daemon --signal HUP --pidfile "${pidfile}" + eend $? +} diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-8.4_p1-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-8.4_p1-r3.ebuild deleted file mode 100644 index bc42f87054..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-8.4_p1-r3.ebuild +++ /dev/null @@ -1,515 +0,0 @@ -# Copyright 1999-2021 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=7 - -inherit user-info flag-o-matic autotools pam systemd toolchain-funcs - -# Make it more portable between straight releases -# and _p? releases. -PARCH=${P/_} - -# PV to USE for HPN patches -#HPN_PV="${PV^^}" -HPN_PV="8.3_P1" - -HPN_VER="14.22" -HPN_PATCHES=( - ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff - ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff - ${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff -) - -SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz" -X509_VER="12.6" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" - -DESCRIPTION="Port of OpenBSD's free SSH release" -HOMEPAGE="https://www.openssh.com/" -SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz - ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )} - ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )} - ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} -" -S="${WORKDIR}/${PARCH}" - -LICENSE="BSD GPL-2" -SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" -# Probably want to drop ssl defaulting to on in a future version. -IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss" - -RESTRICT="!test? ( test )" - -REQUIRED_USE=" - ldns? ( ssl ) - pie? ( !static ) - static? ( !kerberos !pam ) - X509? ( !sctp !security-key ssl !xmss ) - xmss? ( ssl ) - test? ( ssl ) -" - -LIB_DEPEND=" - audit? ( sys-process/audit[static-libs(+)] ) - ldns? ( - net-libs/ldns[static-libs(+)] - !bindist? ( net-libs/ldns[ecdsa,ssl(+)] ) - bindist? ( net-libs/ldns[-ecdsa,ssl(+)] ) - ) - libedit? ( dev-libs/libedit:=[static-libs(+)] ) - sctp? ( net-misc/lksctp-tools[static-libs(+)] ) - security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] ) - selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) - ssl? ( - || ( - ( - >=dev-libs/openssl-1.0.1:0[bindist=] - =dev-libs/openssl-1.1.0g:0[bindist=] - ) - dev-libs/openssl:0=[static-libs(+)] - ) - virtual/libcrypt:=[static-libs(+)] - >=sys-libs/zlib-1.2.3:=[static-libs(+)] -" -RDEPEND=" - acct-group/sshd - acct-user/sshd - !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) - pam? ( sys-libs/pam ) - kerberos? ( virtual/krb5 ) -" -DEPEND="${RDEPEND} - virtual/os-headers - kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) ) - static? ( ${LIB_DEPEND} ) -" -RDEPEND="${RDEPEND} - pam? ( >=sys-auth/pambase-20081028 ) - userland_GNU? ( !prefix? ( sys-apps/shadow ) ) - X? ( x11-apps/xauth ) -" -BDEPEND=" - virtual/pkgconfig - sys-devel/autoconf -" - -pkg_pretend() { - # this sucks, but i'd rather have people unable to `emerge -u openssh` - # than not be able to log in to their server any more - maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; } - local fail=" - $(use hpn && maybe_fail hpn HPN_VER) - $(use sctp && maybe_fail sctp SCTP_PATCH) - $(use X509 && maybe_fail X509 X509_PATCH) - " - fail=$(echo ${fail}) - if [[ -n ${fail} ]] ; then - eerror "Sorry, but this version does not yet support features" - eerror "that you requested: ${fail}" - eerror "Please mask ${PF} for now and check back later:" - eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" - die "Missing requested third party patch." - fi - - # Make sure people who are using tcp wrappers are notified of its removal. #531156 - if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then - ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" - ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please." - fi -} - -src_prepare() { - sed -i \ - -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ - pathnames.h || die - - # don't break .ssh/authorized_keys2 for fun - sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die - - eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch - eapply "${FILESDIR}"/${PN}-8.2_p1-GSSAPI-dns.patch #165444 integrated into gsskex - eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch - eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch - eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch - eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch - - # https://bugs.gentoo.org/749026 - use X509 || eapply "${FILESDIR}"/${PN}-8.4_p1-fix-ssh-copy-id.patch - - # workaround for https://bugs.gentoo.org/734984 - use X509 || eapply "${FILESDIR}"/${PN}-8.3_p1-sha2-include.patch - - [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches - - local PATCHSET_VERSION_MACROS=() - - if use X509 ; then - pushd "${WORKDIR}" &>/dev/null || die - eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch" - popd &>/dev/null || die - - eapply "${WORKDIR}"/${X509_PATCH%.*} - - # We need to patch package version or any X.509 sshd will reject our ssh client - # with "userauth_pubkey: could not parse key: string is too large [preauth]" - # error - einfo "Patching package version for X.509 patch set ..." - sed -i \ - -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \ - "${S}"/configure.ac || die "Failed to patch package version for X.509 patch" - - einfo "Patching version.h to expose X.509 patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \ - "${S}"/version.h || die "Failed to sed-in X.509 patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_X509' ) - fi - - if use sctp ; then - eapply "${WORKDIR}"/${SCTP_PATCH%.*} - - einfo "Patching version.h to expose SCTP patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \ - "${S}"/version.h || die "Failed to sed-in SCTP patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' ) - - einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..." - sed -i \ - -e "/\t\tcfgparse \\\/d" \ - "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch" - fi - - if use hpn ; then - local hpn_patchdir="${T}/${P}-hpn${HPN_VER}" - mkdir "${hpn_patchdir}" || die - cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die - pushd "${hpn_patchdir}" &>/dev/null || die - eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch - use X509 && eapply "${FILESDIR}"/${PN}-8.4_p1-hpn-${HPN_VER}-X509-glue.patch - use sctp && eapply "${FILESDIR}"/${PN}-8.4_p1-hpn-${HPN_VER}-sctp-glue.patch - popd &>/dev/null || die - - eapply "${hpn_patchdir}" - - use X509 || eapply "${FILESDIR}/openssh-8.0_p1-hpn-version.patch" - - einfo "Patching Makefile.in for HPN patch set ..." - sed -i \ - -e "/^LIBS=/ s/\$/ -lpthread/" \ - "${S}"/Makefile.in || die "Failed to patch Makefile.in" - - einfo "Patching version.h to expose HPN patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \ - "${S}"/version.h || die "Failed to sed-in HPN patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_HPN' ) - - if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then - einfo "Disabling known non-working MT AES cipher per default ..." - - cat > "${T}"/disable_mtaes.conf <<- EOF - - # HPN's Multi-Threaded AES CTR cipher is currently known to be broken - # and therefore disabled per default. - DisableMTAES yes - EOF - sed -i \ - -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \ - "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config" - - sed -i \ - -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \ - "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config" - fi - fi - - if use X509 || use sctp || use hpn ; then - einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..." - sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)" - - einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..." - sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)" - - einfo "Patching version.h to add our patch sets to SSH_RELEASE ..." - sed -i \ - -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \ - "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)" - fi - - sed -i \ - -e "/#UseLogin no/d" \ - "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)" - - eapply_user #473004 - - # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox - sed -e '/\t\tpercent \\/ d' \ - -i regress/Makefile || die - - tc-export PKG_CONFIG - local sed_args=( - -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" - # Disable PATH reset, trust what portage gives us #254615 - -e 's:^PATH=/:#PATH=/:' - # Disable fortify flags ... our gcc does this for us - -e 's:-D_FORTIFY_SOURCE=2::' - ) - - # The -ftrapv flag ICEs on hppa #505182 - use hppa && sed_args+=( - -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' - -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' - ) - # _XOPEN_SOURCE causes header conflicts on Solaris - [[ ${CHOST} == *-solaris* ]] && sed_args+=( - -e 's/-D_XOPEN_SOURCE//' - ) - sed -i "${sed_args[@]}" configure{.ac,} || die - - eautoreconf -} - -src_configure() { - addwrite /dev/ptmx - - use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG - use static && append-ldflags -static - use xmss && append-cflags -DWITH_XMSS - - if [[ ${CHOST} == *-solaris* ]] ; then - # Solaris' glob.h doesn't have things like GLOB_TILDE, configure - # doesn't check for this, so force the replacement to be put in - # place - append-cppflags -DBROKEN_GLOB - fi - - # use replacement, RPF_ECHO_ON doesn't exist here - [[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no - - local myconf=( - --with-ldflags="${LDFLAGS}" - --disable-strip - --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run - --sysconfdir="${EPREFIX}"/etc/ssh - --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc - --datadir="${EPREFIX}"/usr/share/openssh - --with-privsep-path="${EPREFIX}"/var/empty - --with-privsep-user=sshd - $(use_with audit audit linux) - $(use_with kerberos kerberos5 "${EPREFIX}"/usr) - # We apply the sctp patch conditionally, so can't pass --without-sctp - # unconditionally else we get unknown flag warnings. - $(use sctp && use_with sctp) - $(use_with ldns ldns "${EPREFIX}"/usr) - $(use_with libedit) - $(use_with pam) - $(use_with pie) - $(use_with selinux) - $(usex X509 '' "$(use_with security-key security-key-builtin)") - $(use_with ssl openssl) - $(use_with ssl md5-passwords) - $(use_with ssl ssl-engine) - $(use_with !elibc_Cygwin hardening) #659210 - ) - - if use elibc_musl; then - # stackprotect is broken on musl x86 and ppc - if use x86 || use ppc; then - myconf+=( --without-stackprotect ) - fi - - # musl defines bogus values for UTMP_FILE and WTMP_FILE - # https://bugs.gentoo.org/753230 - myconf+=( --disable-utmp --disable-wtmp ) - fi - - # The seccomp sandbox is broken on x32, so use the older method for now. #553748 - use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit ) - - econf "${myconf[@]}" -} - -src_test() { - local t skipped=() failed=() passed=() - local tests=( interop-tests compat-tests ) - - local shell=$(egetshell "${UID}") - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then - elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" - elog "user, so we will run a subset only." - skipped+=( tests ) - else - tests+=( tests ) - fi - - # It will also attempt to write to the homedir .ssh. - local sshhome=${T}/homedir - mkdir -p "${sshhome}"/.ssh - for t in "${tests[@]}" ; do - # Some tests read from stdin ... - HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \ - SUDO="" SSH_SK_PROVIDER="" \ - TEST_SSH_UNSAFE_PERMISSIONS=1 \ - emake -k -j1 ${t} > "${ED}"/etc/ssh/sshd_config - - # Allow client to pass locale environment variables. #367017 - AcceptEnv ${locale_vars[*]} - - # Allow client to pass COLORTERM to match TERM. #658540 - AcceptEnv COLORTERM - EOF - - # Then the client config. - cat <<-EOF >> "${ED}"/etc/ssh/ssh_config - - # Send locale environment variables. #367017 - SendEnv ${locale_vars[*]} - - # Send COLORTERM to match TERM. #658540 - SendEnv COLORTERM - EOF - - if use pam ; then - sed -i \ - -e "/^#UsePAM /s:.*:UsePAM yes:" \ - -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ - -e "/^#PrintMotd /s:.*:PrintMotd no:" \ - -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ - "${ED}"/etc/ssh/sshd_config || die - fi - - if use livecd ; then - sed -i \ - -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \ - "${ED}"/etc/ssh/sshd_config || die - fi -} - -src_install() { - emake install-nokeys DESTDIR="${D}" - fperms 600 /etc/ssh/sshd_config - dobin contrib/ssh-copy-id - newinitd "${FILESDIR}"/sshd-r1.initd sshd - newconfd "${FILESDIR}"/sshd-r1.confd sshd - - if use pam; then - newpamd "${FILESDIR}"/sshd.pam_include.2 sshd - fi - - tweak_ssh_configs - - doman contrib/ssh-copy-id.1 - dodoc CREDITS OVERVIEW README* TODO sshd_config - use hpn && dodoc HPN-README - use X509 || dodoc ChangeLog - - diropts -m 0700 - dodir /etc/skel/.ssh - - # https://bugs.gentoo.org/733802 - if ! use scp; then - rm "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \ - || die "failed to remove scp" - fi - - rmdir "${ED}"/var/empty || die - - systemd_dounit "${FILESDIR}"/sshd.{service,socket} - systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' -} - -pkg_preinst() { - if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then - show_ssl_warning=1 - fi -} - -pkg_postinst() { - local old_ver - for old_ver in ${REPLACING_VERSIONS}; do - if ver_test "${old_ver}" -lt "5.8_p1"; then - elog "Starting with openssh-5.8p1, the server will default to a newer key" - elog "algorithm (ECDSA). You are encouraged to manually update your stored" - elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." - fi - if ver_test "${old_ver}" -lt "7.0_p1"; then - elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." - elog "Make sure to update any configs that you might have. Note that xinetd might" - elog "be an alternative for you as it supports USE=tcpd." - fi - if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518 - elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" - elog "weak sizes. If you rely on these key types, you can re-enable the key types by" - elog "adding to your sshd_config or ~/.ssh/config files:" - elog " PubkeyAcceptedKeyTypes=+ssh-dss" - elog "You should however generate new keys using rsa or ed25519." - - elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" - elog "to 'prohibit-password'. That means password auth for root users no longer works" - elog "out of the box. If you need this, please update your sshd_config explicitly." - fi - if ver_test "${old_ver}" -lt "7.6_p1"; then - elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely." - elog "Furthermore, rsa keys with less than 1024 bits will be refused." - fi - if ver_test "${old_ver}" -lt "7.7_p1"; then - elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality." - elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option" - elog "if you need to authenticate against LDAP." - elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details." - fi - if ver_test "${old_ver}" -lt "8.2_p1"; then - ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you" - ewarn "will not be able to establish new sessions. Restarting sshd over a ssh" - ewarn "connection is generally safe." - fi - done - - if [[ -n ${show_ssl_warning} ]]; then - elog "Be aware that by disabling openssl support in openssh, the server and clients" - elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" - elog "and update all clients/servers that utilize them." - fi - - if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then - elog "" - elog "HPN's multi-threaded AES CTR cipher is currently known to be broken" - elog "and therefore disabled at runtime per default." - elog "Make sure your sshd_config is up to date and contains" - elog "" - elog " DisableMTAES yes" - elog "" - elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher." - elog "" - fi -} diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-8.5_p1-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-8.5_p1-r1.ebuild deleted file mode 100644 index 8aea025ac7..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-8.5_p1-r1.ebuild +++ /dev/null @@ -1,510 +0,0 @@ -# Copyright 1999-2021 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=7 - -inherit user-info flag-o-matic autotools pam systemd toolchain-funcs - -# Make it more portable between straight releases -# and _p? releases. -PARCH=${P/_} - -# PV to USE for HPN patches -HPN_PV="${PV^^}" - -HPN_VER="15.2" -HPN_PATCHES=( - ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff - ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff - ${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff -) - -SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz" -X509_VER="13.0.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" - -DESCRIPTION="Port of OpenBSD's free SSH release" -HOMEPAGE="https://www.openssh.com/" -SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz - ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )} - ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )} - ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} -" -S="${WORKDIR}/${PARCH}" - -LICENSE="BSD GPL-2" -SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" -# Probably want to drop ssl defaulting to on in a future version. -IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss" - -RESTRICT="!test? ( test )" - -REQUIRED_USE=" - ldns? ( ssl ) - pie? ( !static ) - static? ( !kerberos !pam ) - X509? ( !sctp !security-key ssl !xmss ) - xmss? ( ssl ) - test? ( ssl ) -" - -LIB_DEPEND=" - audit? ( sys-process/audit[static-libs(+)] ) - ldns? ( - net-libs/ldns[static-libs(+)] !bindist? ( net-libs/ldns[ecdsa,ssl(+)] ) - bindist? ( net-libs/ldns[-ecdsa,ssl(+)] ) - ) - libedit? ( dev-libs/libedit:=[static-libs(+)] ) - sctp? ( net-misc/lksctp-tools[static-libs(+)] ) - security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] ) - selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) - ssl? ( - || ( - ( - >=dev-libs/openssl-1.0.1:0[bindist=] - =dev-libs/openssl-1.1.0g:0[bindist=] - ) - dev-libs/openssl:0=[static-libs(+)] - ) - virtual/libcrypt:=[static-libs(+)] - >=sys-libs/zlib-1.2.3:=[static-libs(+)] -" -RDEPEND=" - acct-group/sshd - acct-user/sshd - !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) - pam? ( sys-libs/pam ) - kerberos? ( virtual/krb5 ) -" -DEPEND="${RDEPEND} - virtual/os-headers - kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) ) - static? ( ${LIB_DEPEND} ) -" -RDEPEND="${RDEPEND} - pam? ( >=sys-auth/pambase-20081028 ) - userland_GNU? ( !prefix? ( sys-apps/shadow ) ) - X? ( x11-apps/xauth ) -" -BDEPEND=" - virtual/pkgconfig - sys-devel/autoconf -" - -pkg_pretend() { - # this sucks, but i'd rather have people unable to `emerge -u openssh` - # than not be able to log in to their server any more - maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; } - local fail=" - $(use hpn && maybe_fail hpn HPN_VER) - $(use sctp && maybe_fail sctp SCTP_PATCH) - $(use X509 && maybe_fail X509 X509_PATCH) - " - fail=$(echo ${fail}) - if [[ -n ${fail} ]] ; then - eerror "Sorry, but this version does not yet support features" - eerror "that you requested: ${fail}" - eerror "Please mask ${PF} for now and check back later:" - eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" - die "Missing requested third party patch." - fi - - # Make sure people who are using tcp wrappers are notified of its removal. #531156 - if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then - ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" - ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please." - fi -} - -src_prepare() { - sed -i \ - -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ - pathnames.h || die - - # don't break .ssh/authorized_keys2 for fun - sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die - - eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch - eapply "${FILESDIR}"/${PN}-8.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex - eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch - eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch - eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch - eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch - - # workaround for https://bugs.gentoo.org/734984 - use X509 || eapply "${FILESDIR}"/${PN}-8.3_p1-sha2-include.patch - - [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches - - local PATCHSET_VERSION_MACROS=() - - if use X509 ; then - pushd "${WORKDIR}" &>/dev/null || die - eapply "${FILESDIR}/${P}-X509-glue-${X509_VER}.patch" - popd &>/dev/null || die - - eapply "${WORKDIR}"/${X509_PATCH%.*} - - # We need to patch package version or any X.509 sshd will reject our ssh client - # with "userauth_pubkey: could not parse key: string is too large [preauth]" - # error - einfo "Patching package version for X.509 patch set ..." - sed -i \ - -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \ - "${S}"/configure.ac || die "Failed to patch package version for X.509 patch" - - einfo "Patching version.h to expose X.509 patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \ - "${S}"/version.h || die "Failed to sed-in X.509 patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_X509' ) - fi - - if use sctp ; then - eapply "${WORKDIR}"/${SCTP_PATCH%.*} - - einfo "Patching version.h to expose SCTP patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \ - "${S}"/version.h || die "Failed to sed-in SCTP patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' ) - - einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..." - sed -i \ - -e "/\t\tcfgparse \\\/d" \ - "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch" - fi - - if use hpn ; then - local hpn_patchdir="${T}/${P}-hpn${HPN_VER}" - mkdir "${hpn_patchdir}" || die - cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die - pushd "${hpn_patchdir}" &>/dev/null || die - eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch - use X509 && eapply "${FILESDIR}/${PN}-8.5_p1-hpn-${HPN_VER}-X509-${X509_VER}-glue.patch" - use sctp && eapply "${FILESDIR}/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch" - popd &>/dev/null || die - - eapply "${hpn_patchdir}" - - use X509 || eapply "${FILESDIR}/openssh-8.0_p1-hpn-version.patch" - - einfo "Patching Makefile.in for HPN patch set ..." - sed -i \ - -e "/^LIBS=/ s/\$/ -lpthread/" \ - "${S}"/Makefile.in || die "Failed to patch Makefile.in" - - einfo "Patching version.h to expose HPN patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \ - "${S}"/version.h || die "Failed to sed-in HPN patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_HPN' ) - - if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then - einfo "Disabling known non-working MT AES cipher per default ..." - - cat > "${T}"/disable_mtaes.conf <<- EOF - - # HPN's Multi-Threaded AES CTR cipher is currently known to be broken - # and therefore disabled per default. - DisableMTAES yes - EOF - sed -i \ - -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \ - "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config" - - sed -i \ - -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \ - "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config" - fi - fi - - if use X509 || use sctp || use hpn ; then - einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..." - sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)" - - einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..." - sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)" - - einfo "Patching version.h to add our patch sets to SSH_RELEASE ..." - sed -i \ - -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \ - "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)" - fi - - sed -i \ - -e "/#UseLogin no/d" \ - "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)" - - eapply_user #473004 - - # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox - sed -e '/\t\tpercent \\/ d' \ - -i regress/Makefile || die - - tc-export PKG_CONFIG - local sed_args=( - -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" - # Disable PATH reset, trust what portage gives us #254615 - -e 's:^PATH=/:#PATH=/:' - # Disable fortify flags ... our gcc does this for us - -e 's:-D_FORTIFY_SOURCE=2::' - ) - - # The -ftrapv flag ICEs on hppa #505182 - use hppa && sed_args+=( - -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' - -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' - ) - # _XOPEN_SOURCE causes header conflicts on Solaris - [[ ${CHOST} == *-solaris* ]] && sed_args+=( - -e 's/-D_XOPEN_SOURCE//' - ) - sed -i "${sed_args[@]}" configure{.ac,} || die - - eautoreconf -} - -src_configure() { - addwrite /dev/ptmx - - use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG - use static && append-ldflags -static - use xmss && append-cflags -DWITH_XMSS - - if [[ ${CHOST} == *-solaris* ]] ; then - # Solaris' glob.h doesn't have things like GLOB_TILDE, configure - # doesn't check for this, so force the replacement to be put in - # place - append-cppflags -DBROKEN_GLOB - fi - - # use replacement, RPF_ECHO_ON doesn't exist here - [[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no - - local myconf=( - --with-ldflags="${LDFLAGS}" - --disable-strip - --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run - --sysconfdir="${EPREFIX}"/etc/ssh - --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc - --datadir="${EPREFIX}"/usr/share/openssh - --with-privsep-path="${EPREFIX}"/var/empty - --with-privsep-user=sshd - $(use_with audit audit linux) - $(use_with kerberos kerberos5 "${EPREFIX}"/usr) - # We apply the sctp patch conditionally, so can't pass --without-sctp - # unconditionally else we get unknown flag warnings. - $(use sctp && use_with sctp) - $(use_with ldns ldns "${EPREFIX}"/usr) - $(use_with libedit) - $(use_with pam) - $(use_with pie) - $(use_with selinux) - $(usex X509 '' "$(use_with security-key security-key-builtin)") - $(use_with ssl openssl) - $(use_with ssl md5-passwords) - $(use_with ssl ssl-engine) - $(use_with !elibc_Cygwin hardening) #659210 - ) - - if use elibc_musl; then - # stackprotect is broken on musl x86 and ppc - if use x86 || use ppc; then - myconf+=( --without-stackprotect ) - fi - - # musl defines bogus values for UTMP_FILE and WTMP_FILE - # https://bugs.gentoo.org/753230 - myconf+=( --disable-utmp --disable-wtmp ) - fi - - # The seccomp sandbox is broken on x32, so use the older method for now. #553748 - use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit ) - - econf "${myconf[@]}" -} - -src_test() { - local t skipped=() failed=() passed=() - local tests=( interop-tests compat-tests ) - - local shell=$(egetshell "${UID}") - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then - elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" - elog "user, so we will run a subset only." - skipped+=( tests ) - else - tests+=( tests ) - fi - - # It will also attempt to write to the homedir .ssh. - local sshhome=${T}/homedir - mkdir -p "${sshhome}"/.ssh - for t in "${tests[@]}" ; do - # Some tests read from stdin ... - HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \ - SUDO="" SSH_SK_PROVIDER="" \ - TEST_SSH_UNSAFE_PERMISSIONS=1 \ - emake -k -j1 ${t} > "${ED}"/etc/ssh/sshd_config - - # Allow client to pass locale environment variables. #367017 - AcceptEnv ${locale_vars[*]} - - # Allow client to pass COLORTERM to match TERM. #658540 - AcceptEnv COLORTERM - EOF - - # Then the client config. - cat <<-EOF >> "${ED}"/etc/ssh/ssh_config - - # Send locale environment variables. #367017 - SendEnv ${locale_vars[*]} - - # Send COLORTERM to match TERM. #658540 - SendEnv COLORTERM - EOF - - if use pam ; then - sed -i \ - -e "/^#UsePAM /s:.*:UsePAM yes:" \ - -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ - -e "/^#PrintMotd /s:.*:PrintMotd no:" \ - -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ - "${ED}"/etc/ssh/sshd_config || die - fi - - if use livecd ; then - sed -i \ - -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \ - "${ED}"/etc/ssh/sshd_config || die - fi -} - -src_install() { - emake install-nokeys DESTDIR="${D}" - fperms 600 /etc/ssh/sshd_config - dobin contrib/ssh-copy-id - newinitd "${FILESDIR}"/sshd-r1.initd sshd - newconfd "${FILESDIR}"/sshd-r1.confd sshd - - if use pam; then - newpamd "${FILESDIR}"/sshd.pam_include.2 sshd - fi - - tweak_ssh_configs - - doman contrib/ssh-copy-id.1 - dodoc CREDITS OVERVIEW README* TODO sshd_config - use hpn && dodoc HPN-README - use X509 || dodoc ChangeLog - - diropts -m 0700 - dodir /etc/skel/.ssh - - # https://bugs.gentoo.org/733802 - if ! use scp; then - rm -f "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \ - || die "failed to remove scp" - fi - - rmdir "${ED}"/var/empty || die - - systemd_dounit "${FILESDIR}"/sshd.{service,socket} - systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' -} - -pkg_preinst() { - if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then - show_ssl_warning=1 - fi -} - -pkg_postinst() { - local old_ver - for old_ver in ${REPLACING_VERSIONS}; do - if ver_test "${old_ver}" -lt "5.8_p1"; then - elog "Starting with openssh-5.8p1, the server will default to a newer key" - elog "algorithm (ECDSA). You are encouraged to manually update your stored" - elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." - fi - if ver_test "${old_ver}" -lt "7.0_p1"; then - elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." - elog "Make sure to update any configs that you might have. Note that xinetd might" - elog "be an alternative for you as it supports USE=tcpd." - fi - if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518 - elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" - elog "weak sizes. If you rely on these key types, you can re-enable the key types by" - elog "adding to your sshd_config or ~/.ssh/config files:" - elog " PubkeyAcceptedKeyTypes=+ssh-dss" - elog "You should however generate new keys using rsa or ed25519." - - elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" - elog "to 'prohibit-password'. That means password auth for root users no longer works" - elog "out of the box. If you need this, please update your sshd_config explicitly." - fi - if ver_test "${old_ver}" -lt "7.6_p1"; then - elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely." - elog "Furthermore, rsa keys with less than 1024 bits will be refused." - fi - if ver_test "${old_ver}" -lt "7.7_p1"; then - elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality." - elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option" - elog "if you need to authenticate against LDAP." - elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details." - fi - if ver_test "${old_ver}" -lt "8.2_p1"; then - ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you" - ewarn "will not be able to establish new sessions. Restarting sshd over a ssh" - ewarn "connection is generally safe." - fi - done - - if [[ -n ${show_ssl_warning} ]]; then - elog "Be aware that by disabling openssl support in openssh, the server and clients" - elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" - elog "and update all clients/servers that utilize them." - fi - - if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then - elog "" - elog "HPN's multi-threaded AES CTR cipher is currently known to be broken" - elog "and therefore disabled at runtime per default." - elog "Make sure your sshd_config is up to date and contains" - elog "" - elog " DisableMTAES yes" - elog "" - elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher." - elog "" - fi -} diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-8.5_p1.ebuild b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-8.5_p1.ebuild deleted file mode 100644 index 340080016b..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-8.5_p1.ebuild +++ /dev/null @@ -1,512 +0,0 @@ -# Copyright 1999-2021 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=7 - -inherit user-info flag-o-matic autotools pam systemd toolchain-funcs - -# Make it more portable between straight releases -# and _p? releases. -PARCH=${P/_} - -# PV to USE for HPN patches -#HPN_PV="${PV^^}" -HPN_PV="8.4_P1" - -HPN_VER="15.1" -HPN_PATCHES=( - ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff - ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff - ${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff -) - -SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz" -X509_VER="13.0" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" - -DESCRIPTION="Port of OpenBSD's free SSH release" -HOMEPAGE="https://www.openssh.com/" -SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz - ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )} - ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )} - ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} -" -S="${WORKDIR}/${PARCH}" - -LICENSE="BSD GPL-2" -SLOT="0" -KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" -# Probably want to drop ssl defaulting to on in a future version. -IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss" - -RESTRICT="!test? ( test )" - -REQUIRED_USE=" - ldns? ( ssl ) - pie? ( !static ) - static? ( !kerberos !pam ) - X509? ( !sctp !security-key ssl !xmss ) - xmss? ( ssl ) - test? ( ssl ) -" - -LIB_DEPEND=" - audit? ( sys-process/audit[static-libs(+)] ) - ldns? ( - net-libs/ldns[static-libs(+)] - !bindist? ( net-libs/ldns[ecdsa,ssl(+)] ) - bindist? ( net-libs/ldns[-ecdsa,ssl(+)] ) - ) - libedit? ( dev-libs/libedit:=[static-libs(+)] ) - sctp? ( net-misc/lksctp-tools[static-libs(+)] ) - security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] ) - selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) - ssl? ( - || ( - ( - >=dev-libs/openssl-1.0.1:0[bindist=] - =dev-libs/openssl-1.1.0g:0[bindist=] - ) - dev-libs/openssl:0=[static-libs(+)] - ) - virtual/libcrypt:=[static-libs(+)] - >=sys-libs/zlib-1.2.3:=[static-libs(+)] -" -RDEPEND=" - acct-group/sshd - acct-user/sshd - !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) - pam? ( sys-libs/pam ) - kerberos? ( virtual/krb5 ) -" -DEPEND="${RDEPEND} - virtual/os-headers - kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) ) - static? ( ${LIB_DEPEND} ) -" -RDEPEND="${RDEPEND} - pam? ( >=sys-auth/pambase-20081028 ) - userland_GNU? ( !prefix? ( sys-apps/shadow ) ) - X? ( x11-apps/xauth ) -" -BDEPEND=" - virtual/pkgconfig - sys-devel/autoconf -" - -pkg_pretend() { - # this sucks, but i'd rather have people unable to `emerge -u openssh` - # than not be able to log in to their server any more - maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; } - local fail=" - $(use hpn && maybe_fail hpn HPN_VER) - $(use sctp && maybe_fail sctp SCTP_PATCH) - $(use X509 && maybe_fail X509 X509_PATCH) - " - fail=$(echo ${fail}) - if [[ -n ${fail} ]] ; then - eerror "Sorry, but this version does not yet support features" - eerror "that you requested: ${fail}" - eerror "Please mask ${PF} for now and check back later:" - eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask" - die "Missing requested third party patch." - fi - - # Make sure people who are using tcp wrappers are notified of its removal. #531156 - if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then - ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" - ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please." - fi -} - -src_prepare() { - sed -i \ - -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ - pathnames.h || die - - # don't break .ssh/authorized_keys2 for fun - sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die - - eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch - eapply "${FILESDIR}"/${PN}-8.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex - eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch - eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch - eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch - eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch - - # workaround for https://bugs.gentoo.org/734984 - use X509 || eapply "${FILESDIR}"/${PN}-8.3_p1-sha2-include.patch - - [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches - - local PATCHSET_VERSION_MACROS=() - - if use X509 ; then - pushd "${WORKDIR}" &>/dev/null || die - eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch" - popd &>/dev/null || die - - eapply "${WORKDIR}"/${X509_PATCH%.*} - - # We need to patch package version or any X.509 sshd will reject our ssh client - # with "userauth_pubkey: could not parse key: string is too large [preauth]" - # error - einfo "Patching package version for X.509 patch set ..." - sed -i \ - -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \ - "${S}"/configure.ac || die "Failed to patch package version for X.509 patch" - - einfo "Patching version.h to expose X.509 patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \ - "${S}"/version.h || die "Failed to sed-in X.509 patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_X509' ) - fi - - if use sctp ; then - eapply "${WORKDIR}"/${SCTP_PATCH%.*} - - einfo "Patching version.h to expose SCTP patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \ - "${S}"/version.h || die "Failed to sed-in SCTP patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' ) - - einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..." - sed -i \ - -e "/\t\tcfgparse \\\/d" \ - "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch" - fi - - if use hpn ; then - local hpn_patchdir="${T}/${P}-hpn${HPN_VER}" - mkdir "${hpn_patchdir}" || die - cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die - pushd "${hpn_patchdir}" &>/dev/null || die - eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch - use X509 && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-X509-glue.patch - use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch - popd &>/dev/null || die - - eapply "${hpn_patchdir}" - - use X509 || eapply "${FILESDIR}/openssh-8.0_p1-hpn-version.patch" - - einfo "Patching Makefile.in for HPN patch set ..." - sed -i \ - -e "/^LIBS=/ s/\$/ -lpthread/" \ - "${S}"/Makefile.in || die "Failed to patch Makefile.in" - - einfo "Patching version.h to expose HPN patch set ..." - sed -i \ - -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \ - "${S}"/version.h || die "Failed to sed-in HPN patch version" - PATCHSET_VERSION_MACROS+=( 'SSH_HPN' ) - - if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then - einfo "Disabling known non-working MT AES cipher per default ..." - - cat > "${T}"/disable_mtaes.conf <<- EOF - - # HPN's Multi-Threaded AES CTR cipher is currently known to be broken - # and therefore disabled per default. - DisableMTAES yes - EOF - sed -i \ - -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \ - "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config" - - sed -i \ - -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \ - "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config" - fi - fi - - if use X509 || use sctp || use hpn ; then - einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..." - sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)" - - einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..." - sed -i \ - -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \ - "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)" - - einfo "Patching version.h to add our patch sets to SSH_RELEASE ..." - sed -i \ - -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \ - "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)" - fi - - sed -i \ - -e "/#UseLogin no/d" \ - "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)" - - eapply_user #473004 - - # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox - sed -e '/\t\tpercent \\/ d' \ - -i regress/Makefile || die - - tc-export PKG_CONFIG - local sed_args=( - -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" - # Disable PATH reset, trust what portage gives us #254615 - -e 's:^PATH=/:#PATH=/:' - # Disable fortify flags ... our gcc does this for us - -e 's:-D_FORTIFY_SOURCE=2::' - ) - - # The -ftrapv flag ICEs on hppa #505182 - use hppa && sed_args+=( - -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' - -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' - ) - # _XOPEN_SOURCE causes header conflicts on Solaris - [[ ${CHOST} == *-solaris* ]] && sed_args+=( - -e 's/-D_XOPEN_SOURCE//' - ) - sed -i "${sed_args[@]}" configure{.ac,} || die - - eautoreconf -} - -src_configure() { - addwrite /dev/ptmx - - use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG - use static && append-ldflags -static - use xmss && append-cflags -DWITH_XMSS - - if [[ ${CHOST} == *-solaris* ]] ; then - # Solaris' glob.h doesn't have things like GLOB_TILDE, configure - # doesn't check for this, so force the replacement to be put in - # place - append-cppflags -DBROKEN_GLOB - fi - - # use replacement, RPF_ECHO_ON doesn't exist here - [[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no - - local myconf=( - --with-ldflags="${LDFLAGS}" - --disable-strip - --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run - --sysconfdir="${EPREFIX}"/etc/ssh - --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc - --datadir="${EPREFIX}"/usr/share/openssh - --with-privsep-path="${EPREFIX}"/var/empty - --with-privsep-user=sshd - $(use_with audit audit linux) - $(use_with kerberos kerberos5 "${EPREFIX}"/usr) - # We apply the sctp patch conditionally, so can't pass --without-sctp - # unconditionally else we get unknown flag warnings. - $(use sctp && use_with sctp) - $(use_with ldns ldns "${EPREFIX}"/usr) - $(use_with libedit) - $(use_with pam) - $(use_with pie) - $(use_with selinux) - $(usex X509 '' "$(use_with security-key security-key-builtin)") - $(use_with ssl openssl) - $(use_with ssl md5-passwords) - $(use_with ssl ssl-engine) - $(use_with !elibc_Cygwin hardening) #659210 - ) - - if use elibc_musl; then - # stackprotect is broken on musl x86 and ppc - if use x86 || use ppc; then - myconf+=( --without-stackprotect ) - fi - - # musl defines bogus values for UTMP_FILE and WTMP_FILE - # https://bugs.gentoo.org/753230 - myconf+=( --disable-utmp --disable-wtmp ) - fi - - # The seccomp sandbox is broken on x32, so use the older method for now. #553748 - use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit ) - - econf "${myconf[@]}" -} - -src_test() { - local t skipped=() failed=() passed=() - local tests=( interop-tests compat-tests ) - - local shell=$(egetshell "${UID}") - if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then - elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" - elog "user, so we will run a subset only." - skipped+=( tests ) - else - tests+=( tests ) - fi - - # It will also attempt to write to the homedir .ssh. - local sshhome=${T}/homedir - mkdir -p "${sshhome}"/.ssh - for t in "${tests[@]}" ; do - # Some tests read from stdin ... - HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \ - SUDO="" SSH_SK_PROVIDER="" \ - TEST_SSH_UNSAFE_PERMISSIONS=1 \ - emake -k -j1 ${t} > "${ED}"/etc/ssh/sshd_config - - # Allow client to pass locale environment variables. #367017 - AcceptEnv ${locale_vars[*]} - - # Allow client to pass COLORTERM to match TERM. #658540 - AcceptEnv COLORTERM - EOF - - # Then the client config. - cat <<-EOF >> "${ED}"/etc/ssh/ssh_config - - # Send locale environment variables. #367017 - SendEnv ${locale_vars[*]} - - # Send COLORTERM to match TERM. #658540 - SendEnv COLORTERM - EOF - - if use pam ; then - sed -i \ - -e "/^#UsePAM /s:.*:UsePAM yes:" \ - -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ - -e "/^#PrintMotd /s:.*:PrintMotd no:" \ - -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ - "${ED}"/etc/ssh/sshd_config || die - fi - - if use livecd ; then - sed -i \ - -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \ - "${ED}"/etc/ssh/sshd_config || die - fi -} - -src_install() { - emake install-nokeys DESTDIR="${D}" - fperms 600 /etc/ssh/sshd_config - dobin contrib/ssh-copy-id - newinitd "${FILESDIR}"/sshd-r1.initd sshd - newconfd "${FILESDIR}"/sshd-r1.confd sshd - - if use pam; then - newpamd "${FILESDIR}"/sshd.pam_include.2 sshd - fi - - tweak_ssh_configs - - doman contrib/ssh-copy-id.1 - dodoc CREDITS OVERVIEW README* TODO sshd_config - use hpn && dodoc HPN-README - use X509 || dodoc ChangeLog - - diropts -m 0700 - dodir /etc/skel/.ssh - - # https://bugs.gentoo.org/733802 - if ! use scp; then - rm -f "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \ - || die "failed to remove scp" - fi - - rmdir "${ED}"/var/empty || die - - systemd_dounit "${FILESDIR}"/sshd.{service,socket} - systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' -} - -pkg_preinst() { - if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then - show_ssl_warning=1 - fi -} - -pkg_postinst() { - local old_ver - for old_ver in ${REPLACING_VERSIONS}; do - if ver_test "${old_ver}" -lt "5.8_p1"; then - elog "Starting with openssh-5.8p1, the server will default to a newer key" - elog "algorithm (ECDSA). You are encouraged to manually update your stored" - elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." - fi - if ver_test "${old_ver}" -lt "7.0_p1"; then - elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." - elog "Make sure to update any configs that you might have. Note that xinetd might" - elog "be an alternative for you as it supports USE=tcpd." - fi - if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518 - elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" - elog "weak sizes. If you rely on these key types, you can re-enable the key types by" - elog "adding to your sshd_config or ~/.ssh/config files:" - elog " PubkeyAcceptedKeyTypes=+ssh-dss" - elog "You should however generate new keys using rsa or ed25519." - - elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" - elog "to 'prohibit-password'. That means password auth for root users no longer works" - elog "out of the box. If you need this, please update your sshd_config explicitly." - fi - if ver_test "${old_ver}" -lt "7.6_p1"; then - elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely." - elog "Furthermore, rsa keys with less than 1024 bits will be refused." - fi - if ver_test "${old_ver}" -lt "7.7_p1"; then - elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality." - elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option" - elog "if you need to authenticate against LDAP." - elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details." - fi - if ver_test "${old_ver}" -lt "8.2_p1"; then - ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you" - ewarn "will not be able to establish new sessions. Restarting sshd over a ssh" - ewarn "connection is generally safe." - fi - done - - if [[ -n ${show_ssl_warning} ]]; then - elog "Be aware that by disabling openssl support in openssh, the server and clients" - elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" - elog "and update all clients/servers that utilize them." - fi - - if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then - elog "" - elog "HPN's multi-threaded AES CTR cipher is currently known to be broken" - elog "and therefore disabled at runtime per default." - elog "Make sure your sshd_config is up to date and contains" - elog "" - elog " DisableMTAES yes" - elog "" - elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher." - elog "" - fi -} diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-8.6_p1-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-8.7_p1-r1.ebuild similarity index 97% rename from sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-8.6_p1-r1.ebuild rename to sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-8.7_p1-r1.ebuild index 02e92246ce..6f85969abe 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-8.6_p1-r1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-8.7_p1-r1.ebuild @@ -1,5 +1,5 @@ # Difference to upstream from ./update_ebuilds: -# - Ported changes from 529e323aad6b43a9a0c06520c1e4f6ae69b9bafa +# - Ported changes from 11d6f23704e7ab84191e28e034816bfdb151d406 # # Copyright 1999-2021 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 @@ -24,7 +24,7 @@ HPN_PATCHES=( ) SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz" -X509_VER="13.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" +X509_VER="13.2" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" DESCRIPTION="Port of OpenBSD's free SSH release" HOMEPAGE="https://www.openssh.com/" @@ -44,6 +44,7 @@ IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit li RESTRICT="!test? ( test )" REQUIRED_USE=" + hpn? ( ssl ) ldns? ( ssl ) pie? ( !static ) static? ( !kerberos !pam ) @@ -69,10 +70,10 @@ LIB_DEPEND=" ssl? ( || ( ( - >=dev-libs/openssl-1.0.1:0[bindist=] - =dev-libs/openssl-1.0.1:0[bindist(-)=] + =dev-libs/openssl-1.1.0g:0[bindist=] + >=dev-libs/openssl-1.1.0g:0[bindist(-)=] ) dev-libs/openssl:0=[static-libs(+)] ) @@ -135,15 +136,12 @@ src_prepare() { sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch - eapply "${FILESDIR}"/${PN}-8.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex + eapply "${FILESDIR}"/${PN}-8.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch - # workaround for https://bugs.gentoo.org/734984 - use X509 || eapply "${FILESDIR}"/${PN}-8.3_p1-sha2-include.patch - [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches local PATCHSET_VERSION_MACROS=() @@ -191,7 +189,7 @@ src_prepare() { cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die pushd "${hpn_patchdir}" &>/dev/null || die eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch - use X509 && eapply "${FILESDIR}"/${PN}-8.6_p1-hpn-${HPN_VER}-X509-glue.patch + use X509 && eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-X509-glue.patch use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch popd &>/dev/null || die diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords index a9ab6cc8e8..4efbaad75e 100644 --- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.accept_keywords @@ -76,7 +76,7 @@ dev-util/checkbashisms =sec-policy/selinux-unconfined-2.20200818-r2 ** =sec-policy/selinux-virt-2.20200818-r2 ** -=net-misc/openssh-8.6_p1-r1 ~amd64 ~arm64 +=net-misc/openssh-8.7_p1-r1 ~amd64 ~arm64 =sys-firmware/sgabios-0.1_pre8-r1 ~amd64 ~arm64