mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-23 15:31:05 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2307 from dm0-/upgrade-openssh

Browse Source 
net-misc/openssh: sync with upstream latest stable
This commit is contained in:
David Michael 2016-12-07 15:57:45 -08:00 committed by GitHub
commit 0e8cc2458b
16 changed files with 1059 additions and 79 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest vendored
View File

@ -1,4 +1,4 @@
DIST openssh-7.2_p1-sctp.patch.xz 8088 SHA256 b9cc21336e23d44548e87964da9ff85ac83ce84693162abb172afb46be4a666e SHA512 b287684337a101a26ab8df6894b679b063cdaa7dfc7b78fcc0ce8350c27526f150a6463c515019beb0af2ff005cc109d2913998f95f828e553b835a4df8b64df WHIRLPOOL 16646a896f746946af84961974be08418b951c80249dce2fd4ae533a4d66e79d4372fd979aeda9c51aff51b86edf4178af18379e948195696a6fa114e2757306
DIST openssh-7.2p2+x509-8.9.diff.gz 449308 SHA256 bd77fcd285d10a86fb2934e90776fe39e4cd2da043384ec2ca45296a60669589 SHA512 c7ed07aae72fd4f967ab5717831c51ad639ca59633c3768f6930bab0947f5429391e3911a7570288a1c688c8c21747f3cb722538ae96de6b50a021010e1506fa WHIRLPOOL 7c1328e471b0e5e9576117ec563b66fea142886b0666b6d51ac9b8ec09286ba7a965b62796c32206e855e484180797a2c31d500c27289f3bc8c7db2d3af95e6f
DIST openssh-7.2p2.tar.gz 1499808 SHA256 a72781d1a043876a224ff1b0032daa4094d87565a68528759c1c2cab5482548c SHA512 44f62b3a7bc50a0735d496a5aedeefb71550d8c10ad8f22b94e29fcc8084842db96e8c4ca41fced17af69e1aab09ed1182a12ad8650d9a46fd8743a0344df95b WHIRLPOOL 95e16af6d1d82f4a660b56854b8e9da947b89e47775c06fe277a612cd1a7cabe7454087eb45034aedfb9b08096ce4aa427b9a37f43f70ccf1073664bdec13386
DIST openssh-lpk-7.2p2-0.3.14.patch.xz 17692 SHA256 2cd4108d60112bd97402f9c27aac2c24d334a37afe0933ad9c6377a257a68aee SHA512 e6a25f8f0106fadcb799300452d6f22034d3fc69bd1c95a3365884873861f41b1e9d49f2c5223dde6fcd00562c652ba466bc8c48833ce5ab353af3a041f75b15 WHIRLPOOL 237343b320772a1588b64c4135758af840199214129d7e8cfa9798f976c32902ca5493ee0c33b16003854fea243556997bc688640a9872b82c06f72c86f2586d
DIST openssh-7.3_p1-sctp.patch.xz 9968 SHA256 18c3db45ed1e5495db29626938d8432aee509e88057494f052cfc09d40824c7f SHA512 f249b76898af0c6f1f65f2a1cfb422648aa712818d0dc051b85a171f26bdddf7980fff5de7761161aa41c309e528b3801b4234f5cdd9f79f8eef173ae83f1e3c WHIRLPOOL 1d92b969154b77d8ce9e3a6d0302aa17ec95e2d5ea4de72c0fb5680a8ee12f518ee5b1c47f22ad5d1a923a74c43829ed36cf478fe75fe400de967ab48d93dc99
DIST openssh-7.3p1+x509-9.2.diff.gz 588078 SHA256 45f054cbb2b77ac8cc7ab01439e34083382137d47b840ca274555b7e2cf7098b SHA512 fab0da148b0833a651e8a7c36f344aacecef6fa92f8f1cb6302272d98c1ab018831f5850dcaa8f54a39f9ada9b7d5b0a0ea01defc3c6f603bbe211f6bff6a841 WHIRLPOOL 53f63d879f563909c57d23ced273e23eda1eace2a2ddfd54edf5f2ef15218cc7e5d927e54714b6850db541f361c459de50d79b0a4516b43ce4cba8eb66b49485
DIST openssh-7.3p1.tar.gz 1522617 SHA256 3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc SHA512 7ba2d6140f38bd359ebf32ef17626e0ae1c00c3a38c01877b7c6b0317d030f10a8f82a0a51fc3b6273619de9ed73e24b8cf107b1e968f927053a3bedf97ff801 WHIRLPOOL f852026638d173d455f74e3fce16673fc4b10f32d954d5bb8c7c65df8d1ca7efd0938177dd9fb6e1f7354383f21c7bca8a2f01e89793e32f8ca68c30456a611c
DIST openssh-lpk-7.3p1-0.3.14.patch.xz 17800 SHA256 cf1f60235cb8b0e561cd36cbf9e4f437e16fd748c2616d3f511c128c02deb76c SHA512 e9a73c5f13e41f6e11c744fdbcdb2e399c394479f79249e901cb3c101efb06f23d51d3ba4869db872184fa034a5910fc93a730fe906266c8d7409e39ad5b1ecd WHIRLPOOL bbdeadbed8f901148713bd9e4a082a4be2992c3151f995febd8be89bbb85d91185e1f0413b5a94a9340f2f404d18c9cee2aa6e032adaee0306aa1c624f6cc09c

51
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.1_p2-x509-hpn14v10-glue.patch vendored
View File

@ -1,51 +0,0 @@
--- openssh-7.1p2/Makefile.in
+++ openssh-7.1p2/Makefile.in
@@ -45,7 +45,7 @@
CC=@CC@
LD=@LD@
CFLAGS=@CFLAGS@
-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
+CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
LIBS=@LIBS@
K5LIBS=@K5LIBS@
GSSLIBS=@GSSLIBS@
@@ -53,6 +53,7 @@
SSHDLIBS=@SSHDLIBS@
LIBEDIT=@LIBEDIT@
LIBLDAP=@LDAP_LDFLAGS@ @LDAP_LIBS@
+CPPFLAGS+=@LDAP_CPPFLAGS@
AR=@AR@
AWK=@AWK@
RANLIB=@RANLIB@
--- openssh-7.1p2/sshconnect.c
+++ openssh-7.1p2/sshconnect.c
@@ -465,7 +465,7 @@
{
/* Send our own protocol version identification. */
if (compat20) {
- xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX\r\n",
+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
} else {
xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
--- openssh-7.1p2/sshd.c
+++ openssh-7.1p2/sshd.c
@@ -472,8 +472,8 @@
comment = "";
}
- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
- major, minor, SSH_VERSION, comment,
+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
+ major, minor, SSH_VERSION,
*options.version_addendum == '\0' ? "" : " ",
options.version_addendum, newline);
--- openssh-7.1p2/version.h
+++ openssh-7.1p2/version.h
@@ -3,4 +3,5 @@
#define SSH_VERSION "OpenSSH_7.1"
#define SSH_PORTABLE "p2"
+#define SSH_X509 " PKIX"
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE

21
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch vendored Normal file
View File

@ -0,0 +1,21 @@
https://bugs.gentoo.org/591392
https://bugzilla.mindrot.org/show_bug.cgi?id=2590
7.3 added seccomp support to MIPS, but failed to handled the N32
case. This patch is temporary until upstream fixes.
--- openssh-7.3p1/configure.ac
+++ openssh-7.3p1/configure.ac
@@ -816,10 +816,10 @@ main() { if (NSVersionOfRunTimeLibrary("
seccomp_audit_arch=AUDIT_ARCH_MIPSEL
;;
mips64-*)
- seccomp_audit_arch=AUDIT_ARCH_MIPS64
+ seccomp_audit_arch=AUDIT_ARCH_MIPS64N32
;;
mips64el-*)
- seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
+ seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32
;;
esac
if test "x$seccomp_audit_arch" != "x" ; then

351
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-GSSAPI-dns.patch vendored Normal file
View File

@ -0,0 +1,351 @@
http://bugs.gentoo.org/165444
https://bugzilla.mindrot.org/show_bug.cgi?id=1008
--- a/readconf.c
+++ b/readconf.c
@@ -148,6 +148,7 @@
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+ oGssTrustDns,
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
@@ -194,9 +195,11 @@
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
{ "gssapidelegatecredentials", oGssDelegateCreds },
+ { "gssapitrustdns", oGssTrustDns },
#else
{ "gssapiauthentication", oUnsupported },
{ "gssapidelegatecredentials", oUnsupported },
+ { "gssapitrustdns", oUnsupported },
#endif
{ "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated },
@@ -930,6 +933,10 @@
intptr = &options->gss_deleg_creds;
goto parse_flag;
+ case oGssTrustDns:
+ intptr = &options->gss_trust_dns;
+ goto parse_flag;
+
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
@@ -1649,6 +1656,7 @@
options->challenge_response_authentication = -1;
options->gss_authentication = -1;
options->gss_deleg_creds = -1;
+ options->gss_trust_dns = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
@@ -1779,6 +1787,8 @@
options->gss_authentication = 0;
if (options->gss_deleg_creds == -1)
options->gss_deleg_creds = 0;
+ if (options->gss_trust_dns == -1)
+ options->gss_trust_dns = 0;
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
--- a/readconf.h
+++ b/readconf.h
@@ -46,6 +46,7 @@
/* Try S/Key or TIS, authentication. */
int gss_authentication; /* Try GSS authentication */
int gss_deleg_creds; /* Delegate GSS credentials */
+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
int password_authentication; /* Try password
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -830,6 +830,16 @@
Forward (delegate) credentials to the server.
The default is
.Dq no .
+Note that this option applies to protocol version 2 connections using GSSAPI.
+.It Cm GSSAPITrustDns
+Set to
+.Dq yes to indicate that the DNS is trusted to securely canonicalize
+the name of the host being connected to. If
+.Dq no, the hostname entered on the
+command line will be passed untouched to the GSSAPI library.
+The default is
+.Dq no .
+This option only applies to protocol version 2 connections using GSSAPI.
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -656,6 +656,13 @@
static u_int mech = 0;
OM_uint32 min;
int ok = 0;
+ const char *gss_host;
+
+ if (options.gss_trust_dns) {
+ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
+ gss_host = auth_get_canonical_hostname(active_state, 1);
+ } else
+ gss_host = authctxt->host;
/* Try one GSSAPI method at a time, rather than sending them all at
* once. */
@@ -668,7 +674,7 @@
/* My DER encoding requires length<128 */
if (gss_supported->elements[mech].length < 128 &&
ssh_gssapi_check_mechanism(&gssctxt,
- &gss_supported->elements[mech], authctxt->host)) {
+ &gss_supported->elements[mech], gss_host)) {
ok = 1; /* Mechanism works */
} else {
mech++;
need to move these two funcs back to canohost so they're available to clients
and the server. auth.c is only used in the server.
--- a/auth.c
+++ b/auth.c
@@ -784,117 +784,3 @@ fakepw(void)
return (&fake);
}
-
-/*
- * Returns the remote DNS hostname as a string. The returned string must not
- * be freed. NB. this will usually trigger a DNS query the first time it is
- * called.
- * This function does additional checks on the hostname to mitigate some
- * attacks on legacy rhosts-style authentication.
- * XXX is RhostsRSAAuthentication vulnerable to these?
- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
- */
-
-static char *
-remote_hostname(struct ssh *ssh)
-{
- struct sockaddr_storage from;
- socklen_t fromlen;
- struct addrinfo hints, *ai, *aitop;
- char name[NI_MAXHOST], ntop2[NI_MAXHOST];
- const char *ntop = ssh_remote_ipaddr(ssh);
-
- /* Get IP address of client. */
- fromlen = sizeof(from);
- memset(&from, 0, sizeof(from));
- if (getpeername(ssh_packet_get_connection_in(ssh),
- (struct sockaddr *)&from, &fromlen) < 0) {
- debug("getpeername failed: %.100s", strerror(errno));
- return strdup(ntop);
- }
-
- ipv64_normalise_mapped(&from, &fromlen);
- if (from.ss_family == AF_INET6)
- fromlen = sizeof(struct sockaddr_in6);
-
- debug3("Trying to reverse map address %.100s.", ntop);
- /* Map the IP address to a host name. */
- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
- NULL, 0, NI_NAMEREQD) != 0) {
- /* Host name not found. Use ip address. */
- return strdup(ntop);
- }
-
- /*
- * if reverse lookup result looks like a numeric hostname,
- * someone is trying to trick us by PTR record like following:
- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
- */
- memset(&hints, 0, sizeof(hints));
- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
- hints.ai_flags = AI_NUMERICHOST;
- if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
- name, ntop);
- freeaddrinfo(ai);
- return strdup(ntop);
- }
-
- /* Names are stored in lowercase. */
- lowercase(name);
-
- /*
- * Map it back to an IP address and check that the given
- * address actually is an address of this host. This is
- * necessary because anyone with access to a name server can
- * define arbitrary names for an IP address. Mapping from
- * name to IP address can be trusted better (but can still be
- * fooled if the intruder has access to the name server of
- * the domain).
- */
- memset(&hints, 0, sizeof(hints));
- hints.ai_family = from.ss_family;
- hints.ai_socktype = SOCK_STREAM;
- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
- logit("reverse mapping checking getaddrinfo for %.700s "
- "[%s] failed.", name, ntop);
- return strdup(ntop);
- }
- /* Look for the address from the list of addresses. */
- for (ai = aitop; ai; ai = ai->ai_next) {
- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
- (strcmp(ntop, ntop2) == 0))
- break;
- }
- freeaddrinfo(aitop);
- /* If we reached the end of the list, the address was not there. */
- if (ai == NULL) {
- /* Address not found for the host name. */
- logit("Address %.100s maps to %.600s, but this does not "
- "map back to the address.", ntop, name);
- return strdup(ntop);
- }
- return strdup(name);
-}
-
-/*
- * Return the canonical name of the host in the other side of the current
- * connection. The host name is cached, so it is efficient to call this
- * several times.
- */
-
-const char *
-auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
-{
- static char *dnsname;
-
- if (!use_dns)
- return ssh_remote_ipaddr(ssh);
- else if (dnsname != NULL)
- return dnsname;
- else {
- dnsname = remote_hostname(ssh);
- return dnsname;
- }
-}
--- a/canohost.c
+++ b/canohost.c
@@ -202,3 +202,117 @@ get_local_port(int sock)
{
return get_sock_port(sock, 1);
}
+
+/*
+ * Returns the remote DNS hostname as a string. The returned string must not
+ * be freed. NB. this will usually trigger a DNS query the first time it is
+ * called.
+ * This function does additional checks on the hostname to mitigate some
+ * attacks on legacy rhosts-style authentication.
+ * XXX is RhostsRSAAuthentication vulnerable to these?
+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
+ */
+
+static char *
+remote_hostname(struct ssh *ssh)
+{
+ struct sockaddr_storage from;
+ socklen_t fromlen;
+ struct addrinfo hints, *ai, *aitop;
+ char name[NI_MAXHOST], ntop2[NI_MAXHOST];
+ const char *ntop = ssh_remote_ipaddr(ssh);
+
+ /* Get IP address of client. */
+ fromlen = sizeof(from);
+ memset(&from, 0, sizeof(from));
+ if (getpeername(ssh_packet_get_connection_in(ssh),
+ (struct sockaddr *)&from, &fromlen) < 0) {
+ debug("getpeername failed: %.100s", strerror(errno));
+ return strdup(ntop);
+ }
+
+ ipv64_normalise_mapped(&from, &fromlen);
+ if (from.ss_family == AF_INET6)
+ fromlen = sizeof(struct sockaddr_in6);
+
+ debug3("Trying to reverse map address %.100s.", ntop);
+ /* Map the IP address to a host name. */
+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
+ NULL, 0, NI_NAMEREQD) != 0) {
+ /* Host name not found. Use ip address. */
+ return strdup(ntop);
+ }
+
+ /*
+ * if reverse lookup result looks like a numeric hostname,
+ * someone is trying to trick us by PTR record like following:
+ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
+ */
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
+ hints.ai_flags = AI_NUMERICHOST;
+ if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
+ name, ntop);
+ freeaddrinfo(ai);
+ return strdup(ntop);
+ }
+
+ /* Names are stored in lowercase. */
+ lowercase(name);
+
+ /*
+ * Map it back to an IP address and check that the given
+ * address actually is an address of this host. This is
+ * necessary because anyone with access to a name server can
+ * define arbitrary names for an IP address. Mapping from
+ * name to IP address can be trusted better (but can still be
+ * fooled if the intruder has access to the name server of
+ * the domain).
+ */
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = from.ss_family;
+ hints.ai_socktype = SOCK_STREAM;
+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
+ logit("reverse mapping checking getaddrinfo for %.700s "
+ "[%s] failed.", name, ntop);
+ return strdup(ntop);
+ }
+ /* Look for the address from the list of addresses. */
+ for (ai = aitop; ai; ai = ai->ai_next) {
+ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
+ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
+ (strcmp(ntop, ntop2) == 0))
+ break;
+ }
+ freeaddrinfo(aitop);
+ /* If we reached the end of the list, the address was not there. */
+ if (ai == NULL) {
+ /* Address not found for the host name. */
+ logit("Address %.100s maps to %.600s, but this does not "
+ "map back to the address.", ntop, name);
+ return strdup(ntop);
+ }
+ return strdup(name);
+}
+
+/*
+ * Return the canonical name of the host in the other side of the current
+ * connection. The host name is cached, so it is efficient to call this
+ * several times.
+ */
+
+const char *
+auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
+{
+ static char *dnsname;
+
+ if (!use_dns)
+ return ssh_remote_ipaddr(ssh);
+ else if (dnsname != NULL)
+ return dnsname;
+ else {
+ dnsname = remote_hostname(ssh);
+ return dnsname;
+ }
+}

29
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-NEWKEYS_null_deref.patch vendored Normal file
View File

@ -0,0 +1,29 @@
https://bugs.gentoo.org/595342
Backport of
https://anongit.mindrot.org/openssh.git/patch/?id=28652bca29046f62c7045e933e6b931de1d16737
--- openssh-7.3p1/kex.c
+++ openssh-7.3p1/kex.c
@@ -419,6 +419,8 @@
ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
if ((r = sshpkt_get_end(ssh)) != 0)
return r;
+ if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
+ return r;
kex->done = 1;
sshbuf_reset(kex->peer);
/* sshbuf_reset(kex->my); */
--- openssh-7.3p1/packet.c
+++ openssh-7.3p1/packet.c
@@ -1919,9 +1919,7 @@
return r;
return SSH_ERR_PROTOCOL_ERROR;
}
- if (*typep == SSH2_MSG_NEWKEYS)
- r = ssh_set_newkeys(ssh, MODE_IN);
- else if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
+ if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
r = ssh_packet_enable_delayed_compress(ssh);
else
r = 0;

32
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch vendored Normal file
View File

@ -0,0 +1,32 @@
https://bugs.gentoo.org/597360
From ec165c392ca54317dbe3064a8c200de6531e89ad Mon Sep 17 00:00:00 2001
From: "markus@openbsd.org" <markus@openbsd.org>
Date: Mon, 10 Oct 2016 19:28:48 +0000
Subject: [PATCH] upstream commit
Unregister the KEXINIT handler after message has been
received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed. Reported by
shilei-c at 360.cn
Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05
---
kex.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kex.c b/kex.c
index 3f97f8c00919..6a94bc535bd7 100644
--- a/kex.c
+++ b/kex.c
@@ -481,6 +481,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
if (kex == NULL)
return SSH_ERR_INVALID_ARGUMENT;
+ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
ptr = sshpkt_ptr(ssh, &dlen);
if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
return r;
--
2.11.0.rc2

0
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.2_p1-fix-krb5-config.patch → sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-fix-krb5-config.patch vendored
View File

34
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch vendored Normal file
View File

@ -0,0 +1,34 @@
https://bugs.gentoo.org/592122
From e600348a7afd6325cc5cd783cb424065cbc20434 Mon Sep 17 00:00:00 2001
From: "dtucker@openbsd.org" <dtucker@openbsd.org>
Date: Wed, 3 Aug 2016 04:23:55 +0000
Subject: [PATCH] upstream commit
Fix bug introduced in rev 1.467 which causes
"buffer_get_bignum_ret: incomplete message" errors when built with WITH_SSH1
and run such that no Protocol 1 ephemeral host key is generated (eg "Protocol
2", no SSH1 host key supplied). Reported by rainer.laatsch at t-online.de,
ok deraadt@
Upstream-ID: aa6b132da5c325523aed7989cc5a320497c919dc
---
sshd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sshd.c b/sshd.c
index 799c7711f49c..9fc829a91bc8 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1071,7 +1071,7 @@ send_rexec_state(int fd, struct sshbuf *conf)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
} else
#endif
- if ((r = sshbuf_put_u32(m, 1)) != 0)
+ if ((r = sshbuf_put_u32(m, 0)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
#if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY)
--
2.11.0.rc2

39
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-hpn-12-x509-9.2-glue.patch vendored Normal file
View File

@ -0,0 +1,39 @@
--- a/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch
+++ b/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch
@@ -1155,7 +1155,7 @@
@@ -44,7 +44,7 @@
LD=@LD@
CFLAGS=@CFLAGS@
- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
-LIBS=@LIBS@
+LIBS=@LIBS@ -lpthread
K5LIBS=@K5LIBS@
--- a/0004-support-dynamically-sized-receive-buffers.patch
+++ b/0004-support-dynamically-sized-receive-buffers.patch
@@ -2144,9 +2144,9 @@
@@ -527,10 +555,10 @@ send_client_banner(int connection_out, int minor1)
/* Send our own protocol version identification. */
if (compat20) {
- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n",
+- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509);
++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, SSH_X509);
} else {
xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
- PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
@@ -2163,9 +2163,9 @@
@@ -432,7 +432,7 @@
}
- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
-- major, minor, SSH_VERSION,
-+ major, minor, SSH_RELEASE,
+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
+- major, minor, SSH_VERSION, comment,
++ major, minor, SSH_RELEASE, comment,
*options.version_addendum == '\0' ? "" : " ",
options.version_addendum, newline);

245
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch vendored Normal file
View File

@ -0,0 +1,245 @@
diff --git a/cipher-ctr-mt.c b/cipher-ctr-mt.c
index fdc9b2f..300cd90 100644
--- a/cipher-ctr-mt.c
+++ b/cipher-ctr-mt.c
@@ -127,7 +127,7 @@ struct kq {
u_char keys[KQLEN][AES_BLOCK_SIZE];
u_char ctr[AES_BLOCK_SIZE];
u_char pad0[CACHELINE_LEN];
- volatile int qstate;
+ int qstate;
pthread_mutex_t lock;
pthread_cond_t cond;
u_char pad1[CACHELINE_LEN];
@@ -141,6 +141,11 @@ struct ssh_aes_ctr_ctx
STATS_STRUCT(stats);
u_char aes_counter[AES_BLOCK_SIZE];
pthread_t tid[CIPHER_THREADS];
+ pthread_rwlock_t tid_lock;
+#ifdef __APPLE__
+ pthread_rwlock_t stop_lock;
+ int exit_flag;
+#endif /* __APPLE__ */
int state;
int qidx;
int ridx;
@@ -187,6 +192,57 @@ thread_loop_cleanup(void *x)
pthread_mutex_unlock((pthread_mutex_t *)x);
}
+#ifdef __APPLE__
+/* Check if we should exit, we are doing both cancel and exit condition
+ * since on OSX threads seem to occasionally fail to notice when they have
+ * been cancelled. We want to have a backup to make sure that we won't hang
+ * when the main process join()-s the cancelled thread.
+ */
+static void
+thread_loop_check_exit(struct ssh_aes_ctr_ctx *c)
+{
+ int exit_flag;
+
+ pthread_rwlock_rdlock(&c->stop_lock);
+ exit_flag = c->exit_flag;
+ pthread_rwlock_unlock(&c->stop_lock);
+
+ if (exit_flag)
+ pthread_exit(NULL);
+}
+#else
+# define thread_loop_check_exit(s)
+#endif /* __APPLE__ */
+
+/*
+ * Helper function to terminate the helper threads
+ */
+static void
+stop_and_join_pregen_threads(struct ssh_aes_ctr_ctx *c)
+{
+ int i;
+
+#ifdef __APPLE__
+ /* notify threads that they should exit */
+ pthread_rwlock_wrlock(&c->stop_lock);
+ c->exit_flag = TRUE;
+ pthread_rwlock_unlock(&c->stop_lock);
+#endif /* __APPLE__ */
+
+ /* Cancel pregen threads */
+ for (i = 0; i < CIPHER_THREADS; i++) {
+ pthread_cancel(c->tid[i]);
+ }
+ for (i = 0; i < NUMKQ; i++) {
+ pthread_mutex_lock(&c->q[i].lock);
+ pthread_cond_broadcast(&c->q[i].cond);
+ pthread_mutex_unlock(&c->q[i].lock);
+ }
+ for (i = 0; i < CIPHER_THREADS; i++) {
+ pthread_join(c->tid[i], NULL);
+ }
+}
+
/*
* The life of a pregen thread:
* Find empty keystream queues and fill them using their counter.
@@ -201,6 +257,7 @@ thread_loop(void *x)
struct kq *q;
int i;
int qidx;
+ pthread_t first_tid;
/* Threads stats on cancellation */
STATS_INIT(stats);
@@ -211,11 +268,15 @@ thread_loop(void *x)
/* Thread local copy of AES key */
memcpy(&key, &c->aes_ctx, sizeof(key));
+ pthread_rwlock_rdlock(&c->tid_lock);
+ first_tid = c->tid[0];
+ pthread_rwlock_unlock(&c->tid_lock);
+
/*
* Handle the special case of startup, one thread must fill
* the first KQ then mark it as draining. Lock held throughout.
*/
- if (pthread_equal(pthread_self(), c->tid[0])) {
+ if (pthread_equal(pthread_self(), first_tid)) {
q = &c->q[0];
pthread_mutex_lock(&q->lock);
if (q->qstate == KQINIT) {
@@ -245,12 +306,16 @@ thread_loop(void *x)
/* Check if I was cancelled, also checked in cond_wait */
pthread_testcancel();
+ /* Check if we should exit as well */
+ thread_loop_check_exit(c);
+
/* Lock queue and block if its draining */
q = &c->q[qidx];
pthread_mutex_lock(&q->lock);
pthread_cleanup_push(thread_loop_cleanup, &q->lock);
while (q->qstate == KQDRAINING || q->qstate == KQINIT) {
STATS_WAIT(stats);
+ thread_loop_check_exit(c);
pthread_cond_wait(&q->cond, &q->lock);
}
pthread_cleanup_pop(0);
@@ -268,6 +333,7 @@ thread_loop(void *x)
* can see that it's being filled.
*/
q->qstate = KQFILLING;
+ pthread_cond_broadcast(&q->cond);
pthread_mutex_unlock(&q->lock);
for (i = 0; i < KQLEN; i++) {
AES_encrypt(q->ctr, q->keys[i], &key);
@@ -279,7 +345,7 @@ thread_loop(void *x)
ssh_ctr_add(q->ctr, KQLEN * (NUMKQ - 1), AES_BLOCK_SIZE);
q->qstate = KQFULL;
STATS_FILL(stats);
- pthread_cond_signal(&q->cond);
+ pthread_cond_broadcast(&q->cond);
pthread_mutex_unlock(&q->lock);
}
@@ -371,6 +437,7 @@ ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
pthread_cond_wait(&q->cond, &q->lock);
}
q->qstate = KQDRAINING;
+ pthread_cond_broadcast(&q->cond);
pthread_mutex_unlock(&q->lock);
/* Mark consumed queue empty and signal producers */
@@ -397,6 +464,11 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
c = xmalloc(sizeof(*c));
+ pthread_rwlock_init(&c->tid_lock, NULL);
+#ifdef __APPLE__
+ pthread_rwlock_init(&c->stop_lock, NULL);
+ c->exit_flag = FALSE;
+#endif /* __APPLE__ */
c->state = HAVE_NONE;
for (i = 0; i < NUMKQ; i++) {
@@ -409,11 +481,14 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
}
if (c->state == (HAVE_KEY | HAVE_IV)) {
- /* Cancel pregen threads */
- for (i = 0; i < CIPHER_THREADS; i++)
- pthread_cancel(c->tid[i]);
- for (i = 0; i < CIPHER_THREADS; i++)
- pthread_join(c->tid[i], NULL);
+ /* tell the pregen threads to exit */
+ stop_and_join_pregen_threads(c);
+
+#ifdef __APPLE__
+ /* reset the exit flag */
+ c->exit_flag = FALSE;
+#endif /* __APPLE__ */
+
/* Start over getting key & iv */
c->state = HAVE_NONE;
}
@@ -444,10 +519,12 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
/* Start threads */
for (i = 0; i < CIPHER_THREADS; i++) {
debug("spawned a thread");
+ pthread_rwlock_wrlock(&c->tid_lock);
pthread_create(&c->tid[i], NULL, thread_loop, c);
+ pthread_rwlock_unlock(&c->tid_lock);
}
pthread_mutex_lock(&c->q[0].lock);
- while (c->q[0].qstate != KQDRAINING)
+ while (c->q[0].qstate == KQINIT)
pthread_cond_wait(&c->q[0].cond, &c->q[0].lock);
pthread_mutex_unlock(&c->q[0].lock);
}
@@ -461,15 +538,10 @@ void
ssh_aes_ctr_thread_destroy(EVP_CIPHER_CTX *ctx)
{
struct ssh_aes_ctr_ctx *c;
- int i;
+
c = EVP_CIPHER_CTX_get_app_data(ctx);
- /* destroy threads */
- for (i = 0; i < CIPHER_THREADS; i++) {
- pthread_cancel(c->tid[i]);
- }
- for (i = 0; i < CIPHER_THREADS; i++) {
- pthread_join(c->tid[i], NULL);
- }
+
+ stop_and_join_pregen_threads(c);
}
void
@@ -481,7 +553,9 @@ ssh_aes_ctr_thread_reconstruction(EVP_CIPHER_CTX *ctx)
/* reconstruct threads */
for (i = 0; i < CIPHER_THREADS; i++) {
debug("spawned a thread");
+ pthread_rwlock_wrlock(&c->tid_lock);
pthread_create(&c->tid[i], NULL, thread_loop, c);
+ pthread_rwlock_unlock(&c->tid_lock);
}
}
@@ -489,18 +563,13 @@ static int
ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx)
{
struct ssh_aes_ctr_ctx *c;
- int i;
if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
#ifdef CIPHER_THREAD_STATS
debug("main thread: %u drains, %u waits", c->stats.drains,
c->stats.waits);
#endif
- /* Cancel pregen threads */
- for (i = 0; i < CIPHER_THREADS; i++)
- pthread_cancel(c->tid[i]);
- for (i = 0; i < CIPHER_THREADS; i++)
- pthread_join(c->tid[i], NULL);
+ stop_and_join_pregen_threads(c);
memset(c, 0, sizeof(*c));
free(c);

41
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-9.2-glue.patch vendored Normal file
View File

@ -0,0 +1,41 @@
--- a/openssh-7.3_p1-hpn-14.10-r1.patch 2016-09-19 15:00:21.561121417 -0700
+++ b/openssh-7.3_p1-hpn-14.10-r1.patch 2016-09-19 15:22:51.337118439 -0700
@@ -1155,7 +1155,7 @@
@@ -44,7 +44,7 @@
LD=@LD@
CFLAGS=@CFLAGS@
- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
-LIBS=@LIBS@
+LIBS=@LIBS@ -lpthread
K5LIBS=@K5LIBS@
@@ -2144,12 +2144,12 @@
/* Bind the socket to an alternative local IP address */
if (options.bind_address == NULL && !privileged)
return sock;
-@@ -527,10 +555,10 @@
+@@ -555,10 +583,10 @@
/* Send our own protocol version identification. */
if (compat20) {
- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n",
+- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509);
++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, SSH_X509);
} else {
xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
- PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
@@ -2163,9 +2163,9 @@
@@ -432,7 +432,7 @@
}
- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
-- major, minor, SSH_VERSION,
-+ major, minor, SSH_RELEASE,
+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
+- major, minor, SSH_VERSION, comment,
++ major, minor, SSH_RELEASE, comment,
*options.version_addendum == '\0' ? "" : " ",
options.version_addendum, newline);

33
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-glue.patch vendored Normal file
View File

@ -0,0 +1,33 @@
--- a/openssh-7.3_p1-hpn-14.10.patch 12:11:41.120750207 -0700
+++ b/openssh-7.3_p1-hpn-14.10.patch 14:00:44.311487904 -0700
@@ -141,7 +141,7 @@
@@ -44,7 +44,7 @@ CC=@CC@
LD=@LD@
CFLAGS=@CFLAGS@
- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
-LIBS=@LIBS@
+LIBS=@LIBS@ -lpthread
K5LIBS=@K5LIBS@
@@ -2098,7 +2098,7 @@
@@ -527,10 +555,10 @@ send_client_banner(int connection_out, int minor1)
/* Send our own protocol version identification. */
if (compat20) {
- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX\r\n",
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
} else {
@@ -2196,9 +2196,9 @@
@@ -431,7 +431,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
}
- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
-- major, minor, SSH_VERSION,
-+ major, minor, SSH_RELEASE,
+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
+- major, minor, SSH_VERSION, comment,
++ major, minor, SSH_RELEASE, comment,
*options.version_addendum == '\0' ? "" : " ",
options.version_addendum, newline);

67
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch vendored Normal file
View File

@ -0,0 +1,67 @@
--- a/openssh-7.3_p1-sctp.patch 2016-08-03 13:10:15.733228732 -0700
+++ b/openssh-7.3_p1-sctp.patch 2016-08-03 13:25:53.274630002 -0700
@@ -226,14 +226,6 @@
.Op Fl c Ar cipher
.Op Fl F Ar ssh_config
.Op Fl i Ar identity_file
-@@ -183,6 +183,7 @@ For full details of the options listed below, and their possible values, see
- .It ServerAliveCountMax
- .It StrictHostKeyChecking
- .It TCPKeepAlive
-+.It Transport
- .It UpdateHostKeys
- .It UsePrivilegedPort
- .It User
@@ -224,6 +225,8 @@ and
to print debugging messages about their progress.
This is helpful in
@@ -493,19 +485,11 @@
.Sh SYNOPSIS
.Nm ssh
.Bk -words
--.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy
-+.Op Fl 1246AaCfGgKkMNnqsTtVvXxYyz
+-.Op Fl 1246AaCdfgKkMNnqsTtVvXxYy
++.Op Fl 1246AaCdfgKkMNnqsTtVvXxYyz
.Op Fl b Ar bind_address
.Op Fl c Ar cipher_spec
.Op Fl D Oo Ar bind_address : Oc Ns Ar port
-@@ -558,6 +558,7 @@ For full details of the options listed below, and their possible values, see
- .It StreamLocalBindUnlink
- .It StrictHostKeyChecking
- .It TCPKeepAlive
-+.It Transport
- .It Tunnel
- .It TunnelDevice
- .It UpdateHostKeys
@@ -795,6 +796,8 @@ controls.
.Pp
.It Fl y
@@ -533,18 +517,18 @@
usage(void)
{
fprintf(stderr,
--"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
-+"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n"
+-"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
++"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n"
" [-D [bind_address:]port] [-E log_file] [-e escape_char]\n"
- " [-F configfile] [-I pkcs11] [-i identity_file]\n"
- " [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]\n"
+ " [-F configfile]\n"
+ #ifdef USE_OPENSSL_ENGINE
@@ -608,7 +613,7 @@ main(int ac, char **av)
- argv0 = av[0];
+ # define ENGCONFIG ""
+ #endif
- again:
-- while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
-+ while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT
- "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
+- while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx"
++ while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" SCTP_OPT
+ "ACD:E:F:" ENGCONFIG "I:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
switch (opt) {
case '1':
@@ -857,6 +862,11 @@ main(int ac, char **av)

109
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-x509-9.2-warnings.patch vendored Normal file
View File

@ -0,0 +1,109 @@
diff --git a/kex.c b/kex.c
index 143227a..c9b84c2 100644
--- a/kex.c
+++ b/kex.c
@@ -345,9 +345,9 @@ kex_reset_dispatch(struct ssh *ssh)
static int
kex_send_ext_info(struct ssh *ssh)
{
+#ifdef EXPERIMENTAL_RSA_SHA2_256
int r;
-#ifdef EXPERIMENTAL_RSA_SHA2_256
/* IMPORTANT NOTE:
* Do not offer rsa-sha2-* until is resolved misconfiguration issue
* with allowed public key algorithms!
diff --git a/key-eng.c b/key-eng.c
index 9bc50fd..bc0d03d 100644
--- a/key-eng.c
+++ b/key-eng.c
@@ -786,7 +786,6 @@ ssh_engines_shutdown() {
while (buffer_len(&eng_list) > 0) {
u_int k = 0;
char *s;
- ENGINE *e;
s = buffer_get_cstring_ret(&eng_list, &k);
ssh_engine_reset(s);
diff --git a/monitor.c b/monitor.c
index 345d3df..0de30ad 100644
--- a/monitor.c
+++ b/monitor.c
@@ -707,7 +707,7 @@ mm_answer_sign(int sock, Buffer *m)
(r = sshbuf_get_string(m, &p, &datlen)) != 0 ||
(r = sshbuf_get_cstring(m, &alg, &alglen)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
- if (keyid > INT_MAX)
+ if (keyid32 > INT_MAX)
fatal("%s: invalid key ID", __func__);
keyid = keyid32; /*save cast*/
diff --git a/readconf.c b/readconf.c
index beb38a0..1cbda7e 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1459,7 +1459,9 @@ parse_int:
case oHostKeyAlgorithms:
charptr = &options->hostkeyalgorithms;
+# if 0
parse_keytypes:
+# endif
arg = strdelim(&s);
if (!arg || *arg == '\0')
fatal("%.200s line %d: Missing argument.",
diff --git a/servconf.c b/servconf.c
index a540138..e77a344 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1574,7 +1573,9 @@ parse_string:
case sHostKeyAlgorithms:
charptr = &options->hostkeyalgorithms;
+# if 0
parse_keytypes:
+#endif
arg = strdelim(&cp);
if (!arg || *arg == '\0')
fatal("%s line %d: Missing argument.",
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index 50f04b7..3f9a7bf 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -273,21 +273,18 @@ pkcs11_dsa_finish(DSA *dsa)
}
#ifdef OPENSSL_HAS_ECC
+#ifdef HAVE_EC_KEY_METHOD_NEW
/* openssl callback for freeing an EC key */
static void
pkcs11_ec_finish(EC_KEY *ec)
{
struct pkcs11_key *k11;
-#ifdef HAVE_EC_KEY_METHOD_NEW
k11 = EC_KEY_get_ex_data(ec, ssh_pkcs11_ec_ctx_index);
EC_KEY_set_ex_data(ec, ssh_pkcs11_ec_ctx_index, NULL);
-#else
- k11 = ECDSA_get_ex_data(ec, ssh_pkcs11_ec_ctx_index);
- ECDSA_set_ex_data(ec, ssh_pkcs11_ec_ctx_index, NULL);
-#endif
pkcs11_key_free(k11);
}
+#endif /*def HAVE_EC_KEY_METHOD_NEW*/
#endif /*def OPENSSL_HAS_ECC*/
diff --git a/sshconnect.c b/sshconnect.c
index fd2a70e..0960be1 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -605,7 +605,7 @@ send_client_banner(int connection_out, int minor1)
{
/* Send our own protocol version identification. */
if (compat20) {
- xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%d]\r\n",
+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n",
PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509);
} else {
xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",

2
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/metadata.xml vendored
View File

@ -28,7 +28,7 @@ ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and
<flag name="hpn">Enable high performance ssh</flag>
<flag name="ldap">Add support for storing SSH public keys in LDAP</flag>
<flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>
<flag name="sctp">Support for Stream Control Transmission Protocol</flag>
<flag name="livecd">Enable root password logins for live-cd environment.</flag>
<flag name="ssh1">Support the legacy/weak SSH1 protocol</flag>
<flag name="ssl">Enable additional crypto algorithms via OpenSSL</flag>
<flag name="X509">Adds support for X.509 certificate authentication</flag>

76
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.2_p2-r1.ebuild → sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.3_p1-r7.ebuild vendored
View File

@ -9,18 +9,21 @@ inherit eutils user flag-o-matic multilib autotools pam systemd versionator
# Make it more portable between straight releases
# and _p? releases.
PARCH=${P/_}
HPN_PV="${PV}"
HPN_VER="14.10"
#HPN_PATCH="${PARCH}-hpnssh14v10.tar.xz"
LDAP_PATCH="${PN}-lpk-7.2p2-0.3.14.patch.xz"
X509_VER="8.9" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
HPN_PATCH="${PN}-${HPN_PV}-hpn-14.10-r1.patch"
SCTP_PATCH="${PN}-7.3_p1-sctp.patch.xz"
LDAP_PATCH="${PN}-lpk-7.3p1-0.3.14.patch.xz"
X509_VER="9.2" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
DESCRIPTION="Port of OpenBSD's free SSH release"
HOMEPAGE="http://www.openssh.org/"
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
mirror://gentoo/${PN}-7.2_p1-sctp.patch.xz
${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
${HPN_PATCH:+hpn? (
mirror://gentoo/${HPN_PATCH}
mirror://sourceforge/hpnssh/${HPN_PATCH}
mirror://gentoo/${HPN_PATCH}.xz
http://dev.gentoo.org/~chutzpah/${HPN_PATCH}.xz
)}
${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
@ -28,17 +31,20 @@ SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
LICENSE="BSD GPL-2"
SLOT="0"
KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
KEYWORDS="alpha amd64 arm arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
# Probably want to drop ssl defaulting to on in a future version.
IUSE="debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl pam +pie sctp selinux skey ssh1 +ssl static X X509"
IUSE="debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"
REQUIRED_USE="ldns? ( ssl )
pie? ( !static )
ssh1? ( ssl )
static? ( !kerberos !pam )
X509? ( !ldap ssl )"
X509? ( !ldap ssl )
test? ( ssl )"
LIB_DEPEND="
ldns? ( net-libs/ldns[ecdsa,ssl,static-libs(+)] )
ldns? (
net-libs/ldns[ecdsa,ssl,static-libs(+)]
)
libedit? ( dev-libs/libedit[static-libs(+)] )
sctp? ( net-misc/lksctp-tools[static-libs(+)] )
selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
@ -113,27 +119,35 @@ src_prepare() {
if use X509 ; then
pushd .. >/dev/null
if use hpn ; then
pushd ${HPN_PATCH%.*.*} >/dev/null
epatch "${FILESDIR}"/${PN}-7.1_p1-hpn-x509-glue.patch
pushd "${WORKDIR}" >/dev/null
epatch "${FILESDIR}"/${P}-hpn-x509-9.2-glue.patch
popd >/dev/null
fi
epatch "${FILESDIR}"/${PN}-7.2_p1-sctp-x509-glue.patch
epatch "${FILESDIR}"/${PN}-7.3_p1-sctp-x509-glue.patch
sed -i 's:PKIX_VERSION:SSH_X509:g' "${WORKDIR}"/${X509_PATCH%.*} || die
popd >/dev/null
epatch "${WORKDIR}"/${X509_PATCH%.*}
#epatch "${FILESDIR}"/${PN}-7.1_p2-x509-hpn14v10-glue.patch
#save_version X509
epatch "${FILESDIR}"/${P}-x509-9.2-warnings.patch
save_version X509
else
# bug #592122, fixed by X509 patch
epatch "${FILESDIR}"/${P}-fix-ssh1-with-no-ssh1-host-key.patch
fi
if use ldap ; then
epatch "${WORKDIR}"/${LDAP_PATCH%.*}
save_version LPK
fi
epatch "${FILESDIR}"/${PN}-7.2_p1-GSSAPI-dns.patch #165444 integrated into gsskex
epatch "${FILESDIR}"/${PN}-7.3_p1-GSSAPI-dns.patch #165444 integrated into gsskex
epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
epatch "${WORKDIR}"/${PN}-7.2_p1-sctp.patch
epatch "${WORKDIR}"/${SCTP_PATCH%.*}
if use hpn ; then
EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
EPATCH_MULTI_MSG="Applying HPN patchset ..." \
epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
#EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
# EPATCH_MULTI_MSG="Applying HPN patchset ..." \
# epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
epatch "${WORKDIR}"/${HPN_PATCH}
epatch "${FILESDIR}"/${P}-hpn-cipher-ctr-mt-no-deadlocks.patch
save_version HPN
fi
@ -152,7 +166,16 @@ src_prepare() {
)
sed -i "${sed_args[@]}" configure{.ac,} || die
epatch "${FILESDIR}"/${PN}-7.2_p1-fix-krb5-config.patch
# 7.3 added seccomp support to MIPS, but failed to handled the N32
# case. This patch is temporary until upstream fixes. See
# Gentoo bug #591392 or upstream #2590.
[[ ${CHOST} == mips64*-linux-* && ${ABI} == "n32" ]] \
&& epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch
epatch "${FILESDIR}"/${P}-NEWKEYS_null_deref.patch # 595342
epatch "${FILESDIR}"/${P}-Unregister-the-KEXINIT-handler-after-receive.patch # 597360
epatch "${FILESDIR}"/${PN}-7.3_p1-fix-krb5-config.patch
epatch_user #473004
@ -233,13 +256,20 @@ src_install() {
SendEnv LANG LC_*
EOF
if use livecd ; then
sed -i \
-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
"${ED}"/etc/ssh/sshd_config || die
fi
if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
insinto /etc/openldap/schema/
newins openssh-lpk_openldap.schema openssh-lpk.schema
fi
doman contrib/ssh-copy-id.1
dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
dodoc CREDITS OVERVIEW README* TODO sshd_config
use X509 || dodoc ChangeLog
diropts -m 0700
dodir /etc/skel/.ssh
@ -266,7 +296,7 @@ src_test() {
mkdir -p "${sshhome}"/.ssh
for t in ${tests} ; do
# Some tests read from stdin ...
HOMEDIR="${sshhome}" \
HOMEDIR="${sshhome}" HOME="${sshhome}" \
emake -k -j1 ${t} </dev/null \
&& passed="${passed}${t} " \
|| failed="${failed}${t} "