From 21c3c57ce93454c588971592192be75a41017065 Mon Sep 17 00:00:00 2001
From: Krzesimir Nowak
Date: Mon, 25 Sep 2023 16:41:34 +0200
Subject: [PATCH] net-misc/openssh: Sync with Gentoo

It's from Gentoo commit 5b974a3c903327b37f46a0212bf397ef634a67fd.
---
.../coreos-overlay/net-misc/openssh/Manifest | 4 +-
...openssh-9.3_p1-gss-use-HOST_NAME_MAX.patch | 11 ----
...-9.3_p1-openssl-version-compat-check.patch | 58 -------------------
.../files/openssh-9.3_p2-zlib-1.3.patch | 21 +++++++
.../net-misc/openssh/files/sshd.socket | 1 -
...9.3_p2-r1.ebuild => openssh-9.4_p1.ebuild} | 56 ++++--------------
6 files changed, 34 insertions(+), 117 deletions(-)
delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-gss-use-HOST_NAME_MAX.patch
delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-openssl-version-compat-check.patch
create mode 100644 sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p2-zlib-1.3.patch
rename sdk_container/src/third_party/coreos-overlay/net-misc/openssh/{openssh-9.3_p2-r1.ebuild => openssh-9.4_p1.ebuild} (86%)
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest
index c70a2636a8..570a72c142 100644
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest
@@ -1,2 +1,2 @@
-DIST openssh-9.3p2.tar.gz 1835850 BLAKE2B 38f8d4ada263112b318fafccabf0a33a004d8290a867434004eb3d37127c9bdabe6e0225fca9d6d68fb54338fec81dcc9313ca7c91d3a033311db44174dc9f6f SHA512 15b8c57aa120186f1d1c3c2b8dc6ffd26733e12f755a6b0a4255d9ec1815a61506275ff5723b4ac029e44bc2ad22852ac36e1101f292348fbfa79aa1a4cd3f35
-DIST openssh-9.3p2.tar.gz.asc 833 BLAKE2B cfba3867d7f97cb2c904bd3ae111bd63e8a050464b66e3f3f22390839a153d57ef5819182f8ad99a6b520f27881143552dc64fccfc33dcc0483ffe1ef33a5a47 SHA512 759e512a36a3a62264803b517298a65c83e1daebd9867e28ea1ca4999c38539368815ccda86540a4f5d45fa79c539d8242995ba55f2918baf2a7404c105e337a
+DIST openssh-9.4p1.tar.gz 1845094 BLAKE2B d13d758129cce947d3f12edb6e88406aad10de6887b19ffa3ebd8e382b742a05f2a692a8824aec99939f6c7e13fbccc3bb14e5ee112f9a9255d4882eb87dcf53 SHA512 0aaedeced7dbc70419c7245eb0e9db4ef570e0e7739b890ebae04d56da5fe8d147e8e150f3c943f60730976569e3ac6cc8da62ec7e2a78e2ef47d295ca0b1d25
+DIST openssh-9.4p1.tar.gz.asc 833 BLAKE2B 95eedd9356766e5d0ea1261da3dc4c7869f054b418c626fb35815a0aa655b1ddbf54436b437d98c4344b05c9196c8fa1f592eac07b3ccf08bd3e980f8b6955af SHA512 983b4ebaa3b98e70831ce686cb503270926c065163a2510eef0c5102ef50b6e665b889ee15ea8c0bd7c4bbddb19270f036e1d554a8212ef2c292f9c682c8631a
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-gss-use-HOST_NAME_MAX.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-gss-use-HOST_NAME_MAX.patch
deleted file mode 100644
index b50ac7c001..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-gss-use-HOST_NAME_MAX.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/gss-serv.c
-+++ b/gss-serv.c
-@@ -105,7 +105,7 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
- gss_create_empty_oid_set(&status, &oidset);
- gss_add_oid_set_member(&status, ctx->oid, &oidset);
-
-- if (gethostname(lname, MAXHOSTNAMELEN)) {
-+ if (gethostname(lname, HOST_NAME_MAX)) {
- gss_release_oid_set(&status, &oidset);
- return (-1);
- }
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-openssl-version-compat-check.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-openssl-version-compat-check.patch
deleted file mode 100644
index b571ae253f..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p1-openssl-version-compat-check.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-https://bugzilla.mindrot.org/show_bug.cgi?id=3548
---- a/openbsd-compat/openssl-compat.c
-+++ b/openbsd-compat/openssl-compat.c
-@@ -48,19 +48,25 @@ ssh_compatible_openssl(long headerver, long libver)
- if (headerver == libver)
- return 1;
-
-- /* for versions < 1.0.0, major,minor,fix,status must match */
-- if (headerver < 0x1000000f) {
-- mask = 0xfffff00fL; /* major,minor,fix,status */
-- return (headerver & mask) == (libver & mask);
-+ /*
-+ * For versions < 3.0.0, major,minor,status must match and library
-+ * fix version must be equal to or newer than the header.
-+ */
-+ if (headerver < 0x3000000f) {
-+ mask = 0xfff0000fL; /* major,minor,status */
-+ hfix = (headerver & 0x000ff000) >> 12;
-+ lfix = (libver & 0x000ff000) >> 12;
-+ if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
-+ return 1;
- }
-
- /*
-- * For versions >= 1.0.0, major,minor,status must match and library
-- * fix version must be equal to or newer than the header.
-+ * For versions >= 3.0.0, major must match and minor,status must be
-+ * equal to or greater than the header.
- */
-- mask = 0xfff00000L; /* major,minor,status */
-- hfix = (headerver & 0x000ff000) >> 12;
-- lfix = (libver & 0x000ff000) >> 12;
-+ mask = 0xf000000fL; /* major, status */
-+ hfix = (headerver & 0x0ffffff0L) >> 12;
-+ lfix = (libver & 0x0ffffff0L) >> 12;
- if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
- return 1;
- return 0;
---- a/openbsd-compat/regress/opensslvertest.c
-+++ b/openbsd-compat/regress/opensslvertest.c
-@@ -31,7 +31,7 @@ struct version_test {
- { 0x0090802fL, 0x0090804fL, 1}, /* newer library fix version: ok */
- { 0x0090802fL, 0x0090801fL, 1}, /* older library fix version: ok */
- { 0x0090802fL, 0x0090702fL, 0}, /* older library minor version: NO */
-- { 0x0090802fL, 0x0090902fL, 0}, /* newer library minor version: NO */
-+ { 0x0090802fL, 0x0090902fL, 1}, /* newer library minor version: ok */
- { 0x0090802fL, 0x0080802fL, 0}, /* older library major version: NO */
- { 0x0090802fL, 0x1000100fL, 0}, /* newer library major version: NO */
-
-@@ -41,7 +41,7 @@ struct version_test {
- { 0x1000101fL, 0x1000100fL, 1}, /* older library patch version: ok */
- { 0x1000101fL, 0x1000201fL, 1}, /* newer library fix version: ok */
- { 0x1000101fL, 0x1000001fL, 0}, /* older library fix version: NO */
-- { 0x1000101fL, 0x1010101fL, 0}, /* newer library minor version: NO */
-+ { 0x1000101fL, 0x1010101fL, 1}, /* newer library minor version: ok */
- { 0x1000101fL, 0x0000101fL, 0}, /* older library major version: NO */
- { 0x1000101fL, 0x2000101fL, 0}, /* newer library major version: NO */
- };
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p2-zlib-1.3.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p2-zlib-1.3.patch
new file mode 100644
index 0000000000..f1336bbe03
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-9.3_p2-zlib-1.3.patch
@@ -0,0 +1,21 @@ +https://bugs.gentoo.org/912766 +https://github.com/openssh/openssh-portable/commit/cb4ed12ffc332d1f72d054ed92655b5f1c38f621 + +From cb4ed12ffc332d1f72d054ed92655b5f1c38f621 Mon Sep 17 00:00:00 2001 +From: Darren Tucker +Date: Sat, 19 Aug 2023 07:39:08 +1000 +Subject: [PATCH] Fix zlib version check for 1.3 and future version. + +bz#3604. +--- a/configure.ac ++++ b/configure.ac +@@ -1464,7 +1464,7 @@ else + [[ + int a=0, b=0, c=0, d=0, n, v; + n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d); +- if (n != 3 && n != 4) ++ if (n < 1) + exit(1); + v = a*1000000 + b*10000 + c*100 + d; + fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v); + diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket index d19f34be86..94b9533180 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket @@ -5,7 +5,6 @@ Conflicts=sshd.service [Socket] ListenStream=22 Accept=yes -TriggerLimitBurst=0 [Install] WantedBy=sockets.target diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.3_p2-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.4_p1.ebuild similarity index 86% rename from sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.3_p2-r1.ebuild rename to sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.4_p1.ebuild index 8f01a48dc7..5d1ffb94eb 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.3_p2-r1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-9.4_p1.ebuild 
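Review bot: In the `sshd.socket` hunk, dropping `TriggerLimitBurst=0` from the `[Socket]` section puts this `Accept=yes` unit back under systemd's default trigger rate limit, and a socket that hits that limit enters a failed state and stops accepting connections until it is restarted. On a host whose port 22 sees scanner or brute-force traffic, a burst of connections can therefore take SSH access offline. If the line was a local addition rather than something this sync is meant to drop, keep `TriggerLimitBurst=0`, or set an explicit `TriggerLimitIntervalSec=` and `TriggerLimitBurst=` pair with a comment giving the reason.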
@@ -19,7 +19,7 @@ S="${WORKDIR}/${PARCH}" LICENSE="BSD GPL-2" SLOT="0" -KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" # Probably want to drop ssl defaulting to on in a future version. IUSE="abi_mips_n32 audit debug kerberos ldns libedit livecd pam +pie security-key selinux +ssl static test X xmss" @@ -86,8 +86,7 @@ PATCHES=( "${FILESDIR}/${PN}-9.3_p1-disable-conch-interop-tests.patch" "${FILESDIR}/${PN}-9.3_p1-fix-putty-tests.patch" "${FILESDIR}/${PN}-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch" - "${FILESDIR}/${PN}-9.3_p1-gss-use-HOST_NAME_MAX.patch" #834044 - "${FILESDIR}/${PN}-9.3_p1-openssl-version-compat-check.patch" + "${FILESDIR}/${PN}-9.3_p2-zlib-1.3.patch" #912766 ) pkg_pretend() { @@ -100,6 +99,9 @@ pkg_pretend() { done if [[ -n ${enabled_eol_flags} && ${OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING} != yes ]]; then + # Skip for binary packages entirely because of environment saving, bug #907892 + [[ ${MERGE_TYPE} == binary ]] && return + ewarn "net-misc/openssh does not support USE='${enabled_eol_flags%,}' anymore." ewarn "The Base system team *STRONGLY* recommends you not rely on this functionality," ewarn "since these USE flags required third-party patches that often trigger bugs" @@ -227,37 +229,6 @@ src_test() { emake -j1 "${tests[@]}" "${src_config}" - rm -f "${copy}" || die -} - # Gentoo tweaks to default config files. tweak_ssh_configs() { local locale_vars=( 
@@ -271,9 +242,12 @@ tweak_ssh_configs() { ) dodir /etc/ssh/ssh_config.d /etc/ssh/sshd_config.d - - insert_include "${ED}"/etc/ssh/ssh_config 'Host,Match' '/etc/ssh/ssh_config.d' - insert_include "${ED}"/etc/ssh/sshd_config 'Match' '/etc/ssh/sshd_config.d' + cat <<-EOF >> "${ED}"/etc/ssh/ssh_config || die + Include "${EPREFIX}/etc/ssh/ssh_config.d/*.conf" + EOF + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config || die + Include "${EPREFIX}/etc/ssh/sshd_config.d/*.conf" + EOF cat <<-EOF >> "${ED}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die # Send locale environment variables (bug #367017) @@ -292,10 +266,6 @@ tweak_ssh_configs() { ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== EOF - # Move sshd's Subsystem option to a drop-in file. - grep -ie 'subsystem' "${ED}"/etc/ssh/sshd_config >"${ED}"/etc/ssh/sshd_config.d/9999999gentoo-subsystem.conf || die - sed -i -e '/[Ss]ubsystem/d' "${ED}"/etc/ssh/sshd_config - cat <<-EOF >> "${ED}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die # Allow client to pass locale environment variables (bug #367017) AcceptEnv ${locale_vars[*]} @@ -321,10 +291,6 @@ tweak_ssh_configs() { PermitRootLogin Yes EOF fi - - local sshd_drop_ins=("${ED}"/etc/ssh/sshd_config.d/*.conf) - fperms 0700 /etc/ssh/sshd_config.d - fperms 0600 "${sshd_drop_ins[@]#${ED}}" } src_install() {
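Review bot: The two `cat <<-EOF >>` blocks in the first hunk append the `Include` line to the end of `ssh_config` and `sshd_config`, whereas the removed `insert_include` calls took a `Host,Match` / `Match` argument and apparently positioned it relative to those blocks. ssh and sshd keep the first value obtained for a keyword, so a drop-in under `sshd_config.d` can no longer override anything the main file already sets, and if the shipped file ever ends in an active `Match` or `Host` block the `Include` would only apply inside it. Writing `Include "${EPREFIX}/etc/ssh/sshd_config.d/*.conf"` ahead of the existing content, and the same for `ssh_config`, keeps drop-in hardening settings effective. The last hunk of the function also removes the `fperms 0700` and `fperms 0600` calls on `sshd_config.d`, so the drop-ins are installed with default permissions; a comment would help if that is intended. The body of `tweak_ssh_configs` begins outside these hunks.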