diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest index 46351c43fc..9d50c1d0d4 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest 
@@ -1,6 +1,7 @@ -DIST openssh-7.9p1+x509-11.6.diff.gz 655819 BLAKE2B f442bb993f89782b74b0cd28906c91edfcf5b1d42a4c8135a5ccf5045e7eb000eb7aa301685b748f707506ba20e3b842d684db436872ed82b6d9b9c086879515 SHA512 0ff6ed2822aaa43cf352134b90975fb663662c5ea3d73b690601f24342ea207aecda8cdb9c1bdc3e3656fb059d842dfb3bf22646b626c303240808286103d8bc -DIST openssh-7.9p1-patches-1.0.tar.xz 9080 BLAKE2B c14106a875b6ea0672a03f6cb292386daba96da23fed4ebd04a75f712e252bc88a25116b0b3b27446421aadf112451cb3b8a96d2f7d437e6728fe782190bc69e SHA512 7903cdb4ce5be0f1b1b741788fb372e68b0c9c1d6da0d854d8bc62e4743ad7cd13101b867b541828d3786b0857783377457e5e87ba9b63bfd9afcdbfd93ac103 -DIST openssh-7.9p1-sctp-1.2.patch.xz 7360 BLAKE2B 60e209371ecac24d0b60e48459d4d4044c0f364a2eea748cc4edd1501faec69a3c5b9e0b7db336968399ec684b6c8aceeac9196ba1ecf563ae3d660682cbc9a0 SHA512 d4d37a49cd43a3b9b7b173b0935267b84133b9b0954b7f71714ba781a6129c6d424f8b7a528dd7d4f287784c5517d57b1d6d7c6df8b5d738e34eb6dc7eae7191 -DIST openssh-7.9p1.tar.gz 1565384 BLAKE2B de15795e03d33d4f9fe4792f6b14500123230b6c00c1e5bd7207bb6d6bf6df0b2e057c1b1de0fee709f58dd159203fdd69fe1473118a6baedebaa0c1c4c55b59 SHA512 0412c9c429c9287f0794023951469c8e6ec833cdb55821bfa0300dd90d0879ff60484f620cffd93372641ab69bf0b032c2d700ccc680950892725fb631b7708e -DIST openssh-7_8_P1-hpn-AES-CTR-14.16.diff 29231 BLAKE2B e25877c5e22f674e6db5a0bc107e5daa2509fe762fb14ce7bb2ce9a115e8177a93340c1d19247b6c2c854b7e1f9ae9af9fd932e5fa9c0a6b2ba438cd11a42991 SHA512 1867fb94c29a51294a71a3ec6a299757565a7cda5696118b0b346ed9c78f2c81bb1b888cff5e3418776b2fa277a8f070c5eb9327bb005453e2ffd72d35cdafa7 -DIST openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 43356 BLAKE2B 776fa140d64a16c339b46a7c773258d2f4fe44e48b16abccad1a8757a51cb6362722fc5f42c39159af12849f5c88cf574de64815085c97157e16653f18d4909b SHA512 53f2752b7aa02719c8dfe0fe0ef16e874101ba2ba87924aa1122cd445ece218ca09c22abaa3377307f25d459579bc28d3854e2402c71b794db65d58cdd1ebc08 +DIST openssh-8.1_p1-glibc-2.31-patches.tar.xz 1752 BLAKE2B 
ccab53069c0058be7ba787281f5a1775d169a9dcda6f78742eb8cb3cce4ebe3a4c506c75a8ac142700669cf04b7475e35f6a06a4499d3d076e4e88e4fc59f3e6 SHA512 270d532fc7f4ec10c5ee56677f8280dec47a96e73f8032713b212cfad64a58ef142a7f49b7981dca80cbf0dd99753ef7a93b6af164cad9492fa224d546c27f14 +DIST openssh-8.1p1+x509-12.3.diff.gz 689934 BLAKE2B 57a302a25bec1d630b9c36f74ab490e11c97f9bcbaf8f527e46ae7fd5bade19feb3d8853079870b5c08b70a55e289cf4bf7981c11983973fa588841aeb21e650 SHA512 8d7c321423940f5a78a51a25ad5373f5db17a4a8ca7e85041e503998e0823ad22068bc652e907e9f5787858d45ce438a4bba18240fa72e088eb10b903e96b192 +DIST openssh-8.1p1-sctp-1.2.patch.xz 7672 BLAKE2B f1aa0713fcb114d8774bd8d524d106401a9d7c2c73a05fbde200ccbdd2562b3636ddd2d0bc3eae9f04b4d7c729c3dafd814ae8c530a76c4a0190fae71d1edcd2 SHA512 2bffab0bbae5a4c1875e0cc229bfd83d8565bd831309158cd489d8b877556c69b936243888a181bd9ff302e19f2c174156781574294d260b6384c464d003d566 +DIST openssh-8.1p1.tar.gz 1625894 BLAKE2B d525be921a6f49420a58df5ac434d43a0c85e0f6bf8428ecebf04117c50f473185933e6e4485e506ac614f71887a513b9962d7b47969ba785da8e3a38f767322 SHA512 b987ea4ffd4ab0c94110723860273b06ed8ffb4d21cbd99ca144a4722dc55f4bf86f6253d500386b6bee7af50f066e2aa2dd095d50746509a10e11221d39d925 +DIST openssh-8_1_P1-hpn-AES-CTR-14.20.diff 29935 BLAKE2B 79101c43601e41306c957481c0680a63357d93bededdf12a32229d50acd9c1f46a386cbb91282e9e7d7bb26a9f276f5a675fd2de7662b7cbd073322b172d3bca SHA512 94f011b7e654630e968a378375aa54fa1fde087b4426d0f2225813262e6667a1073814d6a83e9005f97b371c536e462e614bfe726b092ffed8229791592ca221 +DIST openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 42696 BLAKE2B d8ac7fa1a4e4d1877acdedeaee80172da469b5a62d0aaa43d6ed46c578e7893577b9d563835d89ca2044867fc561ad3f562bf504c025cf4c78421cf3d24397e9 SHA512 768db7cca8839df4441afcb08457d13d32625b31859da527c3d7f1a92d17a4ec81d6987db00879c394bbe59589e57b10bfd98899a167ffed65ab367b1fd08739 +DIST openssh-8_1_P1-hpn-PeakTput-14.20.diff 2012 BLAKE2B 
e42c43128f1d82b4de1517e6a9219947da03cecb607f1bc45f0728547f17601a6ce2ec819b6434890efd19ceaf4d20cb98183596ab5ee79e104a52cda7db9cdc SHA512 238f9419efd3be80bd700f6ae7e210e522d747c363c4e670364f5191f144ae3aa8d1b1539c0bf87b3de36743aa73e8101c53c0ef1c6472d209569be389e7814d diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/README b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/README deleted file mode 100644 index abca7ba00a..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/README +++ /dev/null @@ -1,2 +0,0 @@ -If sshd.pam_include.2 changes make sure to apply the change to sys-auth/google-oslogin -Those files must be kept in sync. diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-CVE-2018-20685.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-CVE-2018-20685.patch deleted file mode 100644 index 3fa3e318af..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-CVE-2018-20685.patch +++ /dev/null @@ -1,16 +0,0 @@ -CVE-2018-20685 - -https://github.com/openssh/openssh-portable/commit/6010c0303a422a9c5fa8860c061bf7105eb7f8b2 - ---- a/scp.c -+++ b/scp.c -@@ -1106,7 +1106,8 @@ sink(int argc, char **argv) - SCREWUP("size out of range"); - size = (off_t)ull; - -- if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) { -+ if (*cp == '\0' || strchr(cp, '/') != NULL || -+ strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) { - run_err("error: unexpected filename: %s", cp); - exit(1); - } diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-X509-11.6-tests.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-X509-11.6-tests.patch deleted file mode 100644 index 9766b1594e..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-X509-11.6-tests.patch +++ /dev/null 
@@ -1,12 +0,0 @@ -diff -ur openssh-7.9p1.orig/openbsd-compat/regress/Makefile.in openssh-7.9p1/openbsd-compat/regress/Makefile.in ---- openssh-7.9p1.orig/openbsd-compat/regress/Makefile.in 2018-10-16 17:01:20.000000000 -0700 -+++ openssh-7.9p1/openbsd-compat/regress/Makefile.in 2018-12-19 11:03:14.421028691 -0800 -@@ -7,7 +7,7 @@ - CC=@CC@ - LD=@LD@ - CFLAGS=@CFLAGS@ --CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@ -+CPPFLAGS=-I. -I.. -I$(srcdir) -I../.. @CPPFLAGS@ @DEFS@ - EXEEXT=@EXEEXT@ - LIBCOMPAT=../libopenbsd-compat.a - LIBS=@LIBS@ diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-X509-dont-make-piddir-11.6.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-X509-dont-make-piddir-11.6.patch deleted file mode 100644 index 487b239639..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-X509-dont-make-piddir-11.6.patch +++ /dev/null @@ -1,16 +0,0 @@ ---- a/openssh-7.9p1+x509-11.6.diff 2018-12-07 17:24:03.211328918 -0800 -+++ b/openssh-7.9p1+x509-11.6.diff 2018-12-07 17:24:13.399262277 -0800 -@@ -40681,12 +40681,11 @@ - - install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config - install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf --@@ -333,6 +351,8 @@ -+@@ -333,6 +351,7 @@ - $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5 - $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8 - $(MKDIR_P) $(DESTDIR)$(libexecdir) - + $(MKDIR_P) $(DESTDIR)$(sshcadir) --+ $(MKDIR_P) $(DESTDIR)$(piddir) - $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH) - $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT) - $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT) 
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-X509-glue-11.6.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-X509-glue-11.6.patch deleted file mode 100644 index b807ac45f7..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-X509-glue-11.6.patch +++ /dev/null @@ -1,28 +0,0 @@ ---- a/openssh-7.9p1+x509-11.6.diff 2018-12-19 10:42:01.241775036 -0800 -+++ b/openssh-7.9p1+x509-11.6.diff 2018-12-19 10:43:33.383140818 -0800 -@@ -45862,7 +45862,7 @@ - ENGINE_register_all_complete(); - +#endif - ---#if OPENSSL_VERSION_NUMBER < 0x10001000L -+-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - + /* OPENSSL_config will load buildin engines and engines - + * specified in configuration file, i.e. method call - + * ENGINE_load_builtin_engines. Latter is only for -@@ -81123,16 +81123,6 @@ - setlocale(LC_CTYPE, "POSIX.UTF-8") != NULL)) - return; - setlocale(LC_CTYPE, "C"); --diff -ruN openssh-7.9p1/version.h openssh-7.9p1+x509-11.6/version.h ----- openssh-7.9p1/version.h 2018-10-17 03:01:20.000000000 +0300 --+++ openssh-7.9p1+x509-11.6/version.h 2018-12-18 20:07:00.000000000 +0200 --@@ -2,5 +2,4 @@ -- -- #define SSH_VERSION "OpenSSH_7.9" -- ---#define SSH_PORTABLE "p1" ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE --+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1" - diff -ruN openssh-7.9p1/version.m4 openssh-7.9p1+x509-11.6/version.m4 - --- openssh-7.9p1/version.m4 1970-01-01 02:00:00.000000000 +0200 - +++ openssh-7.9p1+x509-11.6/version.m4 2018-12-18 20:07:00.000000000 +0200 diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-hpn-X509-glue.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-hpn-X509-glue.patch deleted file mode 100644 index c76d454c92..0000000000 
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-hpn-X509-glue.patch +++ /dev/null @@ -1,79 +0,0 @@ ---- temp/openssh-7_8_P1-hpn-AES-CTR-14.16.diff.orig 2018-09-12 15:58:57.377986085 -0700 -+++ temp/openssh-7_8_P1-hpn-AES-CTR-14.16.diff 2018-09-12 16:07:15.376711327 -0700 -@@ -4,8 +4,8 @@ - +++ b/Makefile.in - @@ -42,7 +42,7 @@ CC=@CC@ - LD=@LD@ -- CFLAGS=@CFLAGS@ -- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ -+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA) -+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ - -LIBS=@LIBS@ - +LIBS=@LIBS@ -lpthread - K5LIBS=@K5LIBS@ -@@ -788,8 +788,8 @@ - ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out) - { - struct session_state *state; --- const struct sshcipher *none = cipher_by_name("none"); --+ struct sshcipher *none = cipher_by_name("none"); -+- const struct sshcipher *none = cipher_none(); -++ struct sshcipher *none = cipher_none(); - int r; - - if (none == NULL) { -@@ -933,9 +933,9 @@ - /* Portable-specific options */ - sUsePAM, - + sDisableMTAES, -- /* Standard Options */ -- sPort, sHostKeyFile, sLoginGraceTime, -- sPermitRootLogin, sLogFacility, sLogLevel, -+ /* X.509 Standard Options */ -+ sHostbasedAlgorithms, -+ sPubkeyAlgorithms, - @@ -626,6 +630,7 @@ static struct { - { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, - { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, ---- temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff.orig 2018-09-12 16:38:16.947447218 -0700 -+++ temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 2018-09-12 16:32:35.479700864 -0700 -@@ -382,7 +382,7 @@ - @@ -822,6 +822,10 @@ kex_choose_conf(struct ssh *ssh) - int nenc, nmac, ncomp; - u_int mode, ctos, need, dh_need, authlen; -- int r, first_kex_follows; -+ int r, first_kex_follows = 0; - + int auth_flag; - + - + auth_flag = packet_authentication_state(ssh); -@@ -1125,15 +1125,6 @@ - index a738c3a..b32dbe0 100644 - --- a/sshd.c - 
+++ b/sshd.c --@@ -373,7 +373,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) -- char remote_version[256]; /* Must be at least as big as buf. */ -- -- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n", --- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, --+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, -- *options.version_addendum == '\0' ? "" : " ", -- options.version_addendum); -- - @@ -1037,6 +1037,8 @@ listen_on_addrs(struct listenaddr *la) - int ret, listen_sock; - struct addrinfo *ai; -@@ -1213,14 +1204,3 @@ - # Example of overriding settings on a per-user basis - #Match User anoncvs - # X11Forwarding no --diff --git a/version.h b/version.h --index f1bbf00..21a70c2 100644 ----- a/version.h --+++ b/version.h --@@ -3,4 +3,5 @@ -- #define SSH_VERSION "OpenSSH_7.8" -- -- #define SSH_PORTABLE "p1" ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE --+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN --+ diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-hpn-openssl-1.1.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-hpn-openssl-1.1.patch deleted file mode 100644 index 78b7545327..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-hpn-openssl-1.1.patch +++ /dev/null 
@@ -1,91 +0,0 @@ ---- openssh-7.9p1.orig/cipher-ctr-mt.c 2018-10-24 20:48:00.909255466 -0000 -+++ openssh-7.9p1/cipher-ctr-mt.c 2018-10-24 20:48:17.378155144 -0000 -@@ -46,7 +46,7 @@ - - /*-------------------- TUNABLES --------------------*/ - /* maximum number of threads and queues */ --#define MAX_THREADS 32 -+#define MAX_THREADS 32 - #define MAX_NUMKQ (MAX_THREADS * 2) - - /* Number of pregen threads to use */ -@@ -435,7 +435,7 @@ - destp.u += AES_BLOCK_SIZE; - srcp.u += AES_BLOCK_SIZE; - len -= AES_BLOCK_SIZE; -- ssh_ctr_inc(ctx->iv, AES_BLOCK_SIZE); -+ ssh_ctr_inc(c->aes_counter, AES_BLOCK_SIZE); - - /* Increment read index, switch queues on rollover */ - if ((ridx = (ridx + 1) % KQLEN) == 0) { -@@ -481,8 +481,6 @@ - /* get the number of cores in the system */ - /* if it's not linux it currently defaults to 2 */ - /* divide by 2 to get threads for each direction (MODE_IN||MODE_OUT) */ -- /* NB: assigning a float to an int discards the remainder which is */ -- /* acceptable (and wanted) in this case */ - #ifdef __linux__ - cipher_threads = sysconf(_SC_NPROCESSORS_ONLN) / 2; - #endif /*__linux__*/ -@@ -551,16 +550,16 @@ - } - - if (iv != NULL) { -- memcpy(ctx->iv, iv, AES_BLOCK_SIZE); -+ memcpy(c->aes_counter, iv, AES_BLOCK_SIZE); - c->state |= HAVE_IV; - } - - if (c->state == (HAVE_KEY | HAVE_IV)) { - /* Clear queues */ -- memcpy(c->q[0].ctr, ctx->iv, AES_BLOCK_SIZE); -+ memcpy(c->q[0].ctr, c->aes_counter, AES_BLOCK_SIZE); - c->q[0].qstate = KQINIT; - for (i = 1; i < numkq; i++) { -- memcpy(c->q[i].ctr, ctx->iv, AES_BLOCK_SIZE); -+ memcpy(c->q[i].ctr, c->aes_counter, AES_BLOCK_SIZE); - ssh_ctr_add(c->q[i].ctr, i * KQLEN, AES_BLOCK_SIZE); - c->q[i].qstate = KQEMPTY; - } -@@ -644,8 +643,22 @@ - const EVP_CIPHER * - evp_aes_ctr_mt(void) - { -+# if OPENSSL_VERSION_NUMBER >= 0x10100000UL && !defined(LIBRESSL_VERSION_NUMBER) -+ static EVP_CIPHER *aes_ctr; -+ aes_ctr = EVP_CIPHER_meth_new(NID_undef, 16/*block*/, 16/*key*/); -+ EVP_CIPHER_meth_set_iv_length(aes_ctr, 
AES_BLOCK_SIZE); -+ EVP_CIPHER_meth_set_init(aes_ctr, ssh_aes_ctr_init); -+ EVP_CIPHER_meth_set_cleanup(aes_ctr, ssh_aes_ctr_cleanup); -+ EVP_CIPHER_meth_set_do_cipher(aes_ctr, ssh_aes_ctr); -+# ifndef SSH_OLD_EVP -+ EVP_CIPHER_meth_set_flags(aes_ctr, EVP_CIPH_CBC_MODE -+ | EVP_CIPH_VARIABLE_LENGTH -+ | EVP_CIPH_ALWAYS_CALL_INIT -+ | EVP_CIPH_CUSTOM_IV); -+# endif /*SSH_OLD_EVP*/ -+ return (aes_ctr); -+# else /*earlier version of openssl*/ - static EVP_CIPHER aes_ctr; -- - memset(&aes_ctr, 0, sizeof(EVP_CIPHER)); - aes_ctr.nid = NID_undef; - aes_ctr.block_size = AES_BLOCK_SIZE; -@@ -654,11 +667,12 @@ - aes_ctr.init = ssh_aes_ctr_init; - aes_ctr.cleanup = ssh_aes_ctr_cleanup; - aes_ctr.do_cipher = ssh_aes_ctr; --#ifndef SSH_OLD_EVP -- aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | -- EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV; --#endif -- return &aes_ctr; -+# ifndef SSH_OLD_EVP -+ aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | -+ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV; -+# endif /*SSH_OLD_EVP*/ -+ return &aes_ctr; -+# endif /*OPENSSH_VERSION_NUMBER*/ - } - - #endif /* defined(WITH_OPENSSL) */ diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-hpn-sctp-glue.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-hpn-sctp-glue.patch deleted file mode 100644 index a7d51ad948..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-hpn-sctp-glue.patch +++ /dev/null 
@@ -1,17 +0,0 @@ ---- dd/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff.orig 2018-09-12 18:18:51.851536374 -0700 -+++ dd/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 2018-09-12 18:19:01.116475099 -0700 -@@ -1190,14 +1190,3 @@ - # Example of overriding settings on a per-user basis - #Match User anoncvs - # X11Forwarding no --diff --git a/version.h b/version.h --index f1bbf00..21a70c2 100644 ----- a/version.h --+++ b/version.h --@@ -3,4 +3,5 @@ -- #define SSH_VERSION "OpenSSH_7.8" -- -- #define SSH_PORTABLE "p1" ---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE --+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN --+ diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-openssl-1.0.2-compat.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-openssl-1.0.2-compat.patch deleted file mode 100644 index c1c310e8f1..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-openssl-1.0.2-compat.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c -index 8b4a3627..590b66d1 100644 ---- a/openbsd-compat/openssl-compat.c -+++ b/openbsd-compat/openssl-compat.c -@@ -76,7 +76,7 @@ ssh_OpenSSL_add_all_algorithms(void) - ENGINE_load_builtin_engines(); - ENGINE_register_all_complete(); - --#if OPENSSL_VERSION_NUMBER < 0x10001000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - OPENSSL_config(NULL); - #else - OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS | diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch new file mode 100644 index 0000000000..fe3be2409e --- /dev/null 
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
@@ -0,0 +1,31 @@
+From 3ef92a657444f172b61f92d5da66d94fa8265602 Mon Sep 17 00:00:00 2001
+From: Lonnie Abelbeck
+Date: Tue, 1 Oct 2019 09:05:09 -0500
+Subject: [PATCH] Deny (non-fatal) shmget/shmat/shmdt in preauth privsep child.
+
+New wait_random_seeded() function on OpenSSL 1.1.1d uses shmget, shmat, and shmdt
+in the preauth codepath, deny (non-fatal) in seccomp_filter sandbox.
+---
+ sandbox-seccomp-filter.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 840c5232b..39dc289e3 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -168,6 +168,15 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_stat64
+ SC_DENY(__NR_stat64, EACCES),
+ #endif
++#ifdef __NR_shmget
++ SC_DENY(__NR_shmget, EACCES),
++#endif
++#ifdef __NR_shmat
++ SC_DENY(__NR_shmat, EACCES),
++#endif
++#ifdef __NR_shmdt
++ SC_DENY(__NR_shmdt, EACCES),
++#endif
+
+ /* Syscalls to permit */
+ #ifdef __NR_brk
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.0_p1-fix-putty-tests.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.0_p1-fix-putty-tests.patch
new file mode 100644
index 0000000000..4310aa123f
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.0_p1-fix-putty-tests.patch
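Review bot: The new SC_DENY entries cover only targets whose kernel ABI exposes separate `__NR_shmget`/`__NR_shmat`/`__NR_shmdt` numbers; on Linux architectures that multiplex System V IPC through the single `ipc` syscall those macros are undefined, all three `#ifdef` blocks compile out, and the `shmget()` that OpenSSL 1.1.1d's `wait_random_seeded()` issues in the preauth child falls through to the filter's default action rather than the intended non-fatal EACCES. Unless `preauth_insns[]` already lists it somewhere outside this hunk (the array begins and ends outside it), add `#ifdef __NR_ipc` / `SC_DENY(__NR_ipc, EACCES),` / `#endif` alongside the three shm entries. Whether the default action is a fatal kill or a soft error is not visible here, but on a kill path the effect would be every new connection dying before authentication on those architectures. The header cites commit 3ef92a65 but not the tree it comes from; an `Upstream:` line naming the repository makes it easier to drop the file on the next bump.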
@@ -0,0 +1,57 @@
+Make sure that host keys are already accepted before
+running tests.
+
+https://bugs.gentoo.org/493866
+
+--- a/regress/putty-ciphers.sh
++++ b/regress/putty-ciphers.sh
+@@ -10,11 +10,17 @@ fi
+
+ for c in aes 3des aes128-ctr aes192-ctr aes256-ctr ; do
+ verbose "$tid: cipher $c"
++ rm -f ${COPY}
+ cp ${OBJ}/.putty/sessions/localhost_proxy \
+ ${OBJ}/.putty/sessions/cipher_$c
+ echo "Cipher=$c" >> ${OBJ}/.putty/sessions/cipher_$c
+
+- rm -f ${COPY}
++ env HOME=$PWD echo "y" | ${PLINK} -load cipher_$c \
++ -i ${OBJ}/putty.rsa2 "exit"
++ if [ $? -ne 0 ]; then
++ fail "failed to pre-cache host key"
++ fi
++
+ env HOME=$PWD ${PLINK} -load cipher_$c -batch -i ${OBJ}/putty.rsa2 \
+ cat ${DATA} > ${COPY}
+ if [ $? -ne 0 ]; then
+--- a/regress/putty-kex.sh
++++ b/regress/putty-kex.sh
+@@ -14,6 +14,12 @@ for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ; do
+ ${OBJ}/.putty/sessions/kex_$k
+ echo "KEX=$k" >> ${OBJ}/.putty/sessions/kex_$k
+
++ env HOME=$PWD echo "y" | ${PLINK} -load kex_$k \
++ -i ${OBJ}/putty.rsa2 "exit"
++ if [ $? -ne 0 ]; then
++ fail "failed to pre-cache host key"
++ fi
++
+ env HOME=$PWD ${PLINK} -load kex_$k -batch -i ${OBJ}/putty.rsa2 true
+ if [ $? -ne 0 ]; then
+ fail "KEX $k failed"
+--- a/regress/putty-transfer.sh
++++ b/regress/putty-transfer.sh
+@@ -14,6 +14,13 @@ for c in 0 1 ; do
+ cp ${OBJ}/.putty/sessions/localhost_proxy \
+ ${OBJ}/.putty/sessions/compression_$c
+ echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k
++
++ env HOME=$PWD echo "y" | ${PLINK} -load compression_$c \
++ -i ${OBJ}/putty.rsa2 "exit"
++ if [ $? -ne 0 ]; then
++ fail "failed to pre-cache host key"
++ fi
++
+ env HOME=$PWD ${PLINK} -load compression_$c -batch \
+ -i ${OBJ}/putty.rsa2 cat ${DATA} > ${COPY}
+ if [ $? -ne 0 ]; then
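Review bot: In all three added pre-cache commands `env HOME=$PWD` is bound to `echo "y"`, the left side of the pipe, so `${PLINK}` runs with the caller's real HOME: it will not find the `cipher_$c`/`kex_$k`/`compression_$c` session under `${OBJ}/.putty`, and the host key it accepts lands in the real `~/.putty` rather than where the following `env HOME=$PWD ${PLINK} ... -batch` call looks, unless the harness already exports HOME=$PWD (not visible here). Move the assignment to the consumer: `echo "y" | env HOME=$PWD ${PLINK} -load cipher_$c \` / `-i ${OBJ}/putty.rsa2 "exit"`, and the same for the kex and transfer scripts. `$?` after the pipeline is plink's status, which is what the `fail` check wants, so that part is fine. The pre-cache answers yes to whatever key localhost presents; that is acceptable for a regress harness but worth stating in the patch header so nobody copies the idiom into a real client setup.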
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.0_p1-hpn-X509-glue.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.0_p1-hpn-X509-glue.patch new file mode 100644 index 0000000000..2a9d3bd2f3 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.0_p1-hpn-X509-glue.patch @@ -0,0 +1,114 @@ +--- a/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 2019-04-18 17:07:59.413376785 -0700 ++++ b/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 2019-04-18 20:05:12.622588051 -0700 +@@ -382,7 +382,7 @@ + 
@@ -822,6 +822,10 @@ kex_choose_conf(struct ssh *ssh) + int nenc, nmac, ncomp; + u_int mode, ctos, need, dh_need, authlen; +- int r, first_kex_follows; ++ int r, first_kex_follows = 0; + + int auth_flag; + + + + auth_flag = packet_authentication_state(ssh); +@@ -441,6 +441,39 @@ + int ssh_packet_get_state(struct ssh *, struct sshbuf *); + int ssh_packet_set_state(struct ssh *, struct sshbuf *); + ++diff --git a/packet.c b/packet.c ++index dcf35e6..9433f08 100644 ++--- a/packet.c +++++ b/packet.c ++@@ -920,6 +920,14 @@ ssh_set_newkeys(struct ssh *ssh, int mode) ++ return 0; ++ } ++ +++/* this supports the forced rekeying required for the NONE cipher */ +++int rekey_requested = 0; +++void +++packet_request_rekeying(void) +++{ +++ rekey_requested = 1; +++} +++ ++ #define MAX_PACKETS (1U<<31) ++ static int ++ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) ++@@ -946,6 +954,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) ++ if (state->p_send.packets == 0 && state->p_read.packets == 0) ++ return 0; ++ +++ /* used to force rekeying when called for by the none +++ * cipher switch and aes-mt-ctr methods -cjr */ +++ if (rekey_requested == 1) { +++ rekey_requested = 0; +++ return 1; +++ } +++ ++ /* Time-based rekeying */ ++ if (state->rekey_interval != 0 && ++ (int64_t)state->rekey_time + state->rekey_interval <= monotime()) + diff --git a/readconf.c b/readconf.c + index db5f2d5..33f18c9 100644 + 
--- a/readconf.c +@@ -453,10 +486,9 @@ + + /* Format of the configuration file: + +-@@ -166,6 +167,8 @@ typedef enum { ++@@ -166,5 +167,7 @@ typedef enum { + oTunnel, oTunnelDevice, + oLocalCommand, oPermitLocalCommand, oRemoteCommand, +- oDisableMTAES, + + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize, + + oNoneEnabled, oNoneSwitch, + oVisualHostKey, +@@ -592,10 +624,9 @@ + int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */ + int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */ + SyslogFacility log_facility; /* Facility for system logging. */ +-@@ -111,7 +115,10 @@ typedef struct { ++@@ -111,6 +115,9 @@ typedef struct { + int enable_ssh_keysign; + int64_t rekey_limit; +- int disable_multithreaded; /*disable multithreaded aes-ctr*/ + + int none_switch; /* Use none cipher */ + + int none_enabled; /* Allow none to be used */ + int rekey_interval; +@@ -650,10 +681,8 @@ + + /* Portable-specific options */ + if (options->use_pam == -1) +-@@ -391,6 +400,43 @@ fill_default_server_options(ServerOptions *options) ++@@ -391,4 +400,41 @@ fill_default_server_options(ServerOptions *options) + options->permit_tun = SSH_TUNMODE_NO; +- if (options->disable_multithreaded == -1) +- options->disable_multithreaded = 0; + + if (options->none_enabled == -1) + + options->none_enabled = 0; + + if (options->hpn_disabled == -1) +@@ -1095,9 +1124,9 @@ + + fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n"); + + } + + } ++ debug("Authentication succeeded (%s).", authctxt.method->name); ++ } + +- #ifdef WITH_OPENSSL +- if (options.disable_multithreaded == 0) { + diff --git a/sshd.c b/sshd.c + index a738c3a..b32dbe0 100644 + 
--- a/sshd.c
+@@ -1181,14 +1210,3 @@
+ # Example of overriding settings on a per-user basis
+ #Match User anoncvs
+ # X11Forwarding no
+-diff --git a/version.h b/version.h
+-index f1bbf00..21a70c2 100644
+---- a/version.h
+-+++ b/version.h
+-@@ -3,4 +3,5 @@
+- #define SSH_VERSION "OpenSSH_7.8"
+-
+- #define SSH_PORTABLE "p1"
+--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
+-+
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch
new file mode 100644
index 0000000000..37905ce6af
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch
@@ -0,0 +1,13 @@
+diff --git a/kex.c b/kex.c
+index 34808b5c..88d7ccac 100644
+--- a/kex.c
++++ b/kex.c
+@@ -1126,7 +1126,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
+ if (version_addendum != NULL && *version_addendum == '\0')
+ version_addendum = NULL;
+ if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
+- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
+ version_addendum == NULL ? "" : " ",
+ version_addendum == NULL ? "" : version_addendum)) != 0) {
+ error("%s: sshbuf_putf: %s", __func__, ssh_err(r));
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.8_p1-GSSAPI-dns.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.1_p1-GSSAPI-dns.patch
similarity index 91%
rename from sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.8_p1-GSSAPI-dns.patch
rename to sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.1_p1-GSSAPI-dns.patch
index 989dc6cee6..6aba6f2669 100644
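Review bot: The file headers of the new X509 glue patch target `a/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff`, yet the same commit removes that distfile from the Manifest and fetches `openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff` instead, and the sibling `openssh-8.1_p1-hpn-14.20-glue.patch` was rebased to the 14.20 name and offsets. If the ebuild applies this file under USE=X509 it cannot find its target, and even with a forced path the `@@` offsets and the `packet_request_rekeying` block it inserts were computed against 14.16. Either regenerate it against the 14.20 diff and name it `openssh-8.1_p1-hpn-14.20-X509-glue.patch` to match, or drop it if X509 is not built here; the ebuild is not in this diff, so which is intended cannot be confirmed.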
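Review bot: The banner built in `kex_exchange_identification` switches from `SSH_VERSION` to `SSH_RELEASE` with no header explaining why; that string goes to every peer before authentication, and the HPN diff defines `SSH_RELEASE` as `SSH_VERSION SSH_PORTABLE SSH_HPN` (the version.h fragment quoted in the neighbouring glue patches), so sshd will now advertise its portable and HPN patch level to unauthenticated clients. If HPN peers key off the `hpn` suffix to enable their extensions, record that in a leading comment line such as `HPN peers detect the hpn suffix in the identification string, so carry SSH_RELEASE instead of SSH_VERSION.`; if they do not, `VersionAddendum` (the `version_addendum` handled two lines below) is the supported way to add text and this patch can be dropped. Check that the combined string stays within the `%.100s` width as the suffix grows. `kex_exchange_identification` begins and ends outside the hunk.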
--- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.8_p1-GSSAPI-dns.patch +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.1_p1-GSSAPI-dns.patch @@ -1,8 +1,8 @@ diff --git a/auth.c b/auth.c -index 9a3bc96f..fc2c3620 100644 +index ca450f4e..2994a4e4 100644 --- a/auth.c +++ b/auth.c -@@ -733,120 +733,6 @@ fakepw(void) +@@ -723,120 +723,6 @@ fakepw(void) return (&fake); } @@ -29,7 +29,7 @@ index 9a3bc96f..fc2c3620 100644 - fromlen = sizeof(from); - memset(&from, 0, sizeof(from)); - if (getpeername(ssh_packet_get_connection_in(ssh), -- (struct sockaddr *)&from, &fromlen) < 0) { +- (struct sockaddr *)&from, &fromlen) == -1) { - debug("getpeername failed: %.100s", strerror(errno)); - return strdup(ntop); - } @@ -124,7 +124,7 @@ index 9a3bc96f..fc2c3620 100644 * Runs command in a subprocess with a minimal environment. * Returns pid on success, 0 on failure. diff --git a/canohost.c b/canohost.c -index f71a0856..3e162d8c 100644 +index abea9c6e..4f4524d2 100644 --- a/canohost.c +++ b/canohost.c @@ -202,3 +202,117 @@ get_local_port(int sock) @@ -246,10 +246,10 @@ index f71a0856..3e162d8c 100644 + } +} diff --git a/readconf.c b/readconf.c -index db5f2d54..67feffa5 100644 +index f78b4d6f..747287f7 100644 --- a/readconf.c +++ b/readconf.c -@@ -161,6 +161,7 @@ typedef enum { +@@ -162,6 +162,7 @@ typedef enum { oClearAllForwardings, oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, oAddressFamily, oGssAuthentication, oGssDelegateCreds, @@ -257,7 +257,7 @@ index db5f2d54..67feffa5 100644 oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist, oHashKnownHosts, -@@ -202,9 +203,11 @@ static struct { +@@ -203,9 +204,11 @@ static struct { #if defined(GSSAPI) { "gssapiauthentication", oGssAuthentication }, { "gssapidelegatecredentials", oGssDelegateCreds }, 
@@ -268,8 +268,8 @@ index db5f2d54..67feffa5 100644 + { "gssapitrustdns", oUnsupported }, #endif #ifdef ENABLE_PKCS11 - { "smartcarddevice", oPKCS11Provider }, -@@ -977,6 +980,10 @@ parse_time: + { "pkcs11provider", oPKCS11Provider }, +@@ -992,6 +995,10 @@ parse_time: intptr = &options->gss_deleg_creds; goto parse_flag; @@ -280,7 +280,7 @@ index db5f2d54..67feffa5 100644 case oBatchMode: intptr = &options->batch_mode; goto parse_flag; -@@ -1818,6 +1825,7 @@ initialize_options(Options * options) +@@ -1864,6 +1871,7 @@ initialize_options(Options * options) options->challenge_response_authentication = -1; options->gss_authentication = -1; options->gss_deleg_creds = -1; @@ -288,7 +288,7 @@ index db5f2d54..67feffa5 100644 options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->kbd_interactive_devices = NULL; -@@ -1964,6 +1972,8 @@ fill_default_options(Options * options) +@@ -2011,6 +2019,8 @@ fill_default_options(Options * options) options->gss_authentication = 0; if (options->gss_deleg_creds == -1) options->gss_deleg_creds = 0; @@ -298,7 +298,7 @@ index db5f2d54..67feffa5 100644 options->password_authentication = 1; if (options->kbd_interactive_authentication == -1) diff --git a/readconf.h b/readconf.h -index c5688781..af809cc8 100644 +index 8e36bf32..c9e4718d 100644 --- a/readconf.h +++ b/readconf.h @@ -41,6 +41,7 @@ typedef struct { @@ -310,10 +310,10 @@ index c5688781..af809cc8 100644 * authentication. */ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ diff --git a/ssh_config.5 b/ssh_config.5 -index f499396a..be758544 100644 +index 02a87892..95de538b 100644 --- a/ssh_config.5 +++ b/ssh_config.5 -@@ -722,6 +722,16 @@ The default is +@@ -762,6 +762,16 @@ The default is Forward (delegate) credentials to the server. The default is .Cm no . @@ -331,29 +331,29 @@ index f499396a..be758544 100644 Indicates that .Xr ssh 1 
diff --git a/sshconnect2.c b/sshconnect2.c -index 10e4f0a0..4f7d49e3 100644 +index 87fa70a4..a6ffdc96 100644 --- a/sshconnect2.c +++ b/sshconnect2.c -@@ -657,6 +657,13 @@ userauth_gssapi(Authctxt *authctxt) - static u_int mech = 0; +@@ -697,6 +697,13 @@ userauth_gssapi(struct ssh *ssh) OM_uint32 min; int r, ok = 0; + gss_OID mech = NULL; + const char *gss_host; + + if (options.gss_trust_dns) { + extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns); -+ gss_host = auth_get_canonical_hostname(active_state, 1); ++ gss_host = auth_get_canonical_hostname(ssh, 1); + } else + gss_host = authctxt->host; /* Try one GSSAPI method at a time, rather than sending them all at * once. */ -@@ -669,7 +676,7 @@ userauth_gssapi(Authctxt *authctxt) +@@ -711,7 +718,7 @@ userauth_gssapi(struct ssh *ssh) + elements[authctxt->mech_tried]; /* My DER encoding requires length<128 */ - if (gss_supported->elements[mech].length < 128 && - ssh_gssapi_check_mechanism(&gssctxt, -- &gss_supported->elements[mech], authctxt->host)) { -+ &gss_supported->elements[mech], gss_host)) { + if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt, +- mech, authctxt->host)) { ++ mech, gss_host)) { ok = 1; /* Mechanism works */ } else { - mech++; + authctxt->mech_tried++; diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-hpn-glue.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-glue.patch similarity index 57% rename from sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-hpn-glue.patch rename to sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-glue.patch index 0561e38140..90fa248fcb 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-hpn-glue.patch +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-glue.patch 
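Review bot: `userauth_gssapi` still reaches `auth_get_canonical_hostname` through a function-local `extern` prototype, and this rebase had to touch exactly that call (`active_state` to `ssh`); with the definition now moved from auth.c to canohost.c by the hunks above, a local prototype is never checked by the compiler against the real signature and will drift silently on the next bump. Declare it once in canohost.h, `const char *auth_get_canonical_hostname(struct ssh *, int);`, and drop the `extern` line from sshconnect2.c. Behaviourally, `gss_trust_dns` calls it with `use_dns = 1`, so the GSSAPI target host is whatever reverse DNS returns for the server's address (the moved code does a `getpeername` followed by a lookup); the ssh_config.5 text this patch adds is collapsed in this view, but it should state plainly that a spoofed reverse record can steer the service principal, which is why the option presumably defaults to off in `fill_default_options`. `userauth_gssapi` continues outside the hunk.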
@@ -1,11 +1,12 @@ ---- temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff.orig 2018-09-11 17:19:19.968420409 -0700 -+++ temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 2018-09-11 17:39:19.977535398 -0700 +diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff +--- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 14:55:30.408567718 -0800 ++++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 15:16:14.646567224 -0800 @@ -409,18 +409,10 @@ - index dcf35e6..da4ced0 100644 + index 817da43b..b2bcf78f 100644 --- a/packet.c +++ b/packet.c --@@ -920,6 +920,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode) -+@@ -920,6 +920,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode) +-@@ -925,6 +925,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode) ++@@ -925,6 +925,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode) return 0; } @@ -24,7 +25,7 @@ #define MAX_PACKETS (1U<<31) static int ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) --@@ -946,6 +964,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) +-@@ -951,6 +969,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) - if (state->p_send.packets == 0 && state->p_read.packets == 0) - return 0; - @@ -39,12 +40,12 @@ - if (state->rekey_interval != 0 && - (int64_t)state->rekey_time + state->rekey_interval <= monotime()) diff --git a/packet.h b/packet.h - index 170203c..f4d9df2 100644 + index 8ccfd2e0..1ad9bc06 100644 --- a/packet.h @@ -476,9 +454,9 @@ /* Format of the configuration file: - @@ -166,6 +167,8 @@ typedef enum { + @@ -167,6 +168,8 @@ typedef enum { - oHashKnownHosts, oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand, oRemoteCommand, @@ -55,7 +56,7 @@ @@ -615,9 +593,9 @@ int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */ SyslogFacility log_facility; /* Facility for system logging. */ - @@ -111,7 +115,10 @@ typedef struct { + 
@@ -112,7 +116,10 @@ typedef struct { - int enable_ssh_keysign; int64_t rekey_limit; @@ -63,50 +64,42 @@ + int none_switch; /* Use none cipher */ + int none_enabled; /* Allow none to be used */ int rekey_interval; -@@ -673,9 +651,9 @@ - /* Portable-specific options */ - if (options->use_pam == -1) - @@ -391,6 +400,43 @@ fill_default_server_options(ServerOptions *options) -- } -- if (options->permit_tun == -1) - options->permit_tun = SSH_TUNMODE_NO; +@@ -700,9 +678,9 @@ + + options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT; + + } + + + if (options->disable_multithreaded == -1) + options->disable_multithreaded = 0; - + if (options->none_enabled == -1) - + options->none_enabled = 0; - + if (options->hpn_disabled == -1) -@@ -1092,7 +1070,7 @@ + if (options->ip_qos_interactive == -1) +- options->ip_qos_interactive = IPTOS_DSCP_AF21; +- if (options->ip_qos_bulk == -1) + 
@@ -486,6 +532,8 @@ typedef enum { + sPasswordAuthentication, sKbdInteractiveAuthentication, + sListenAddress, sAddressFamily, +@@ -1079,11 +1057,11 @@ xxx_host = host; xxx_hostaddr = hostaddr; --@@ -412,6 +423,28 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host, -+@@ -412,6 +423,27 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host, +-@@ -422,6 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, ++@@ -422,7 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, if (!authctxt.success) fatal("Authentication failed."); -@@ -1117,10 +1095,9 @@ - + fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n"); +-+ ++ + + /* + + * If the user wants to use the none cipher, do it post authentication + + * and only if the right conditions are met -- both of the NONE commands +@@ -1105,9 +1083,9 @@ + } + } --+ + + - debug("Authentication succeeded (%s).", authctxt.method->name); - } - +- + #ifdef WITH_OPENSSL + if (options.disable_multithreaded == 0) { ++ /* if we are using aes-ctr there can be issues in either a fork or sandbox diff --git a/sshd.c b/sshd.c - index a738c3a..b32dbe0 100644 + index 11571c01..23a06022 100644 --- a/sshd.c -@@ -1217,11 +1194,10 @@ - index f1bbf00..21a70c2 100644 - --- a/version.h - +++ b/version.h --@@ -3,4 +3,6 @@ -+@@ -3,4 +3,5 @@ - #define SSH_VERSION "OpenSSH_7.8" - - #define SSH_PORTABLE "p1" - -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE --+#define SSH_HPN "-hpn14v16" - +#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN - + diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-sctp-glue.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-sctp-glue.patch new file mode 100644 index 0000000000..3f5c7a47d9 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-sctp-glue.patch 
@@ -0,0 +1,19 @@
+diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
+--- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 14:55:30.408567718 -0800
++++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 16:36:51.394069720 -0800
+@@ -1191,15 +1191,3 @@
+ # Example of overriding settings on a per-user basis
+ #Match User anoncvs
+ # X11Forwarding no
+-diff --git a/version.h b/version.h
+-index 6b3fadf8..ec1d2e27 100644
+---- a/version.h
+-+++ b/version.h
+-@@ -3,4 +3,6 @@
+- #define SSH_VERSION "OpenSSH_8.1"
+- 
+- #define SSH_PORTABLE "p1"
+--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+-+#define SSH_HPN "-hpn14v20"
+-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
+-+
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.1_p1-tests-2020.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.1_p1-tests-2020.patch
new file mode 100644
index 0000000000..505e34db9d
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-8.1_p1-tests-2020.patch
@@ -0,0 +1,26 @@
+diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
+index 86ea6250..844adabc 100644
+--- a/regress/cert-hostkey.sh
++++ b/regress/cert-hostkey.sh
+@@ -252,7 +252,7 @@ test_one() {
+ test_one "user-certificate" failure "-n $HOSTS"
+ test_one "empty principals" success "-h"
+ test_one "wrong principals" failure "-h -n foo"
+-test_one "cert not yet valid" failure "-h -V20200101:20300101"
++test_one "cert not yet valid" failure "-h -V20300101:20320101"
+ test_one "cert expired" failure "-h -V19800101:19900101"
+ test_one "cert valid interval" success "-h -V-1w:+2w"
+ test_one "cert has constraints" failure "-h -Oforce-command=false"
+diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
+index 38c14a69..5cd02fc3 100644
+--- a/regress/cert-userkey.sh
++++ b/regress/cert-userkey.sh
+@@ -338,7 +338,7 @@ test_one() {
+ test_one "correct principal" success "-n ${USER}"
+ test_one "host-certificate" failure "-n ${USER} -h"
+ test_one "wrong principals" failure "-n foo"
+-test_one "cert not yet valid" failure "-n ${USER} -V20200101:20300101"
++test_one "cert not yet valid" failure "-n ${USER} -V20300101:20320101"
+ test_one "cert expired" failure "-n ${USER} -V19800101:19900101"
+ test_one "cert valid interval" success "-n ${USER} -V-1w:+2w"
+ test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8"
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.confd b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.confd
new file mode 100644
index 0000000000..28952b4a28
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.confd
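Review bot: The replacement window `-V20300101:20320101` is again an absolute date, so the "cert not yet valid" case will silently stop testing what its name says on 2030-01-01, exactly as the 2020 window just did. The neighbouring `-V-1w:+2w` case shows ssh-keygen accepts relative times in `-V` here, so a future-relative window such as `-h -V+1w:+2w` (and `-n ${USER} -V+1w:+2w` in the cert-userkey.sh hunk) should keep the case meaningful indefinitely. If the intent is to track upstream verbatim, at least add `# absolute window: this case stops being "not yet valid" on 2030-01-01` above each line so the next failure is understood immediately.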
@@ -0,0 +1,21 @@
+# /etc/conf.d/sshd: config file for /etc/init.d/sshd
+
+# Where is your sshd_config file stored?
+
+SSHD_CONFDIR="/etc/ssh"
+
+
+# Any random options you want to pass to sshd.
+# See the sshd(8) manpage for more info.
+
+SSHD_OPTS=""
+
+
+# Pid file to use (needs to be absolute path).
+
+#SSHD_PIDFILE="/var/run/sshd.pid"
+
+
+# Path to the sshd binary (needs to be absolute path).
+
+#SSHD_BINARY="/usr/sbin/sshd"
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.initd b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.initd
new file mode 100644
index 0000000000..c5df4693db
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.initd
@@ -0,0 +1,89 @@ +#!/sbin/openrc-run +# Copyright 1999-2018 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +extra_commands="checkconfig" +extra_started_commands="reload" + +: ${SSHD_CONFDIR:=${RC_PREFIX%/}/etc/ssh} +: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config} +: ${SSHD_PIDFILE:=${RC_PREFIX%/}/run/${SVCNAME}.pid} +: ${SSHD_BINARY:=${RC_PREFIX%/}/usr/sbin/sshd} +: ${SSHD_KEYGEN_BINARY:=${RC_PREFIX%/}/usr/bin/ssh-keygen} + +command="${SSHD_BINARY}" +pidfile="${SSHD_PIDFILE}" +command_args="${SSHD_OPTS} -o PidFile=${pidfile} -f ${SSHD_CONFIG}" + +# Wait one second (length chosen arbitrarily) to see if sshd actually +# creates a PID file, or if it crashes for some reason like not being +# able to bind to the address in ListenAddress (bug 617596). +: ${SSHD_SSD_OPTS:=--wait 1000} +start_stop_daemon_args="${SSHD_SSD_OPTS}" + +depend() { + # Entropy can be used by ssh-keygen, among other things, but + # is not strictly required (bug 470020). + use logger dns entropy + if [ "${rc_need+set}" = "set" ] ; then + : # Do nothing, the user has explicitly set rc_need + else + local x warn_addr + for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do + case "${x}" in + 0.0.0.0|0.0.0.0:*) ;; + ::|\[::\]*) ;; + *) warn_addr="${warn_addr} ${x}" ;; + esac + done + if [ -n "${warn_addr}" ] ; then + need net + ewarn "You are binding an interface in ListenAddress statement in your sshd_config!" + ewarn "You must add rc_need=\"net.FOO\" to your ${RC_PREFIX%/}/etc/conf.d/sshd" + ewarn "where FOO is the interface(s) providing the following address(es):" + ewarn "${warn_addr}" + fi + fi +} + +checkconfig() { + checkpath --mode 0755 --directory "${RC_PREFIX%/}/var/empty" + + if [ ! 
-e "${SSHD_CONFIG}" ] ; then + eerror "You need an ${SSHD_CONFIG} file to run sshd" + eerror "There is a sample file in /usr/share/doc/openssh" + return 1 + fi + + ${SSHD_KEYGEN_BINARY} -A || return 2 + + "${command}" -t ${command_args} || return 3 +} + +start_pre() { + # If this isn't a restart, make sure that the user's config isn't + # busted before we try to start the daemon (this will produce + # better error messages than if we just try to start it blindly). + # + # If, on the other hand, this *is* a restart, then the stop_pre + # action will have ensured that the config is usable and we don't + # need to do that again. + if [ "${RC_CMD}" != "restart" ] ; then + checkconfig || return $? + fi +} + +stop_pre() { + # If this is a restart, check to make sure the user's config + # isn't busted before we stop the running daemon. + if [ "${RC_CMD}" = "restart" ] ; then + checkconfig || return $? + fi +} + +reload() { + checkconfig || return $? + ebegin "Reloading ${SVCNAME}" + start-stop-daemon --signal HUP --pidfile "${pidfile}" + eend $? +} diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/metadata.xml b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/metadata.xml index 29134fc060..6cc1ea7842 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/metadata.xml +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/metadata.xml @@ -29,9 +29,11 @@ ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and Add support for storing SSH public keys in LDAP Use LDNS for DNSSEC/SSHFP validation. Enable root password logins for live-cd environment. + Include builtin U2F/FIDO support Support the legacy/weak SSH1 protocol Enable additional crypto algorithms via OpenSSL Adds support for X.509 certificate authentication + Enable XMSS post-quantum authentication algorithm cpe:/a:openssh:openssh 
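Review bot: `checkpath --mode 0755 --directory "${RC_PREFIX%/}/var/empty"` in checkconfig() creates the privilege-separation chroot without pinning its owner; sshd refuses a privsep directory that is not root-owned and non-group/world-writable, so pass the ownership explicitly, `checkpath --owner root:root --mode 0755 --directory "${RC_PREFIX%/}/var/empty"`, rather than relying on checkpath's default. In the same function `${SSHD_KEYGEN_BINARY} -A` is the only unquoted expansion of a conf.d-overridable path (compare `"${command}" -t` two lines later), and `-A` ignores SSHD_CONFDIR, so a conf.d that points the config elsewhere still gets host keys generated under the default path; quote it, and if this ssh-keygen supports a `-f` prefix with `-A`, pass `-f "${SSHD_CONFDIR}"` so keys and config stay together. Whether this OpenRC script is installed at all in this systemd-based overlay is decided in the ebuild's src_install, which is not visible in this diff.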
diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.9_p1-r4.ebuild b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-8.1_p1-r3.ebuild similarity index 81% rename from sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.9_p1-r4.ebuild rename to sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-8.1_p1-r3.ebuild index 19e64121b3..75a4549b39 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.9_p1-r4.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-8.1_p1-r3.ebuild 
@@ -1,47 +1,52 @@ -# Copyright 1999-2019 Gentoo Authors +# Copyright 1999-2020 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 -EAPI=6 +EAPI=7 -inherit user flag-o-matic multilib autotools pam systemd +inherit user-info flag-o-matic multilib autotools pam systemd toolchain-funcs # Make it more portable between straight releases # and _p? releases. PARCH=${P/_} -#HPN_PV="${PV^^}" -HPN_PV="7.8_P1" +HPN_PV="${PV^^}" -HPN_VER="14.16" +HPN_VER="14.20" HPN_PATCHES=( ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff + ${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff ) SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz" -X509_VER="11.6" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" +X509_VER="12.3" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" PATCH_SET="openssh-7.9p1-patches-1.0" DESCRIPTION="Port of OpenBSD's free SSH release" HOMEPAGE="https://www.openssh.com/" SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz - https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz - ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~whissi/dist/openssh/${SCTP_PATCH} )} - ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_}/%s\n" "${HPN_PATCHES[@]}") )} + https://dev.gentoo.org/~chutzpah/dist/openssh/${P}-glibc-2.31-patches.tar.xz + ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )} + ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )} ${X509_PATCH:+X509? 
( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} - " +" +S="${WORKDIR}/${PARCH}" LICENSE="BSD GPL-2" SLOT="0" -KEYWORDS="alpha amd64 arm arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" +KEYWORDS="~alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~riscv s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" # Probably want to drop ssl defaulting to on in a future version. -IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509" +IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509 xmss" + RESTRICT="!test? ( test )" -REQUIRED_USE="ldns? ( ssl ) + +REQUIRED_USE=" + ldns? ( ssl ) pie? ( !static ) static? ( !kerberos !pam ) X509? ( !sctp ssl ) - test? ( ssl )" + test? ( ssl ) +" LIB_DEPEND=" audit? ( sys-process/audit[static-libs(+)] ) 
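Review bot: `PATCH_SET="openssh-7.9p1-patches-1.0"` is kept while the only line that used it (the `~whissi/dist/${PN}/${PATCH_SET}.tar.xz` SRC_URI entry) is removed, so the variable is now dead and, being 7.9-specific, misleading in an 8.1 ebuild; drop it. The glibc-2.31 tarball that takes its place is fetched by `${P}` and presumably feeds the `[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches` line in src_prepare; a one-line comment on the SRC_URI entry, `# unpacks to ${WORKDIR}/patches, applied in src_prepare`, would make that dependency explicit. The `${HPN_PV/_P/p}` rewrite in the HPN URL is consistent with the new `HPN_PV="${PV^^}"`.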
@@ -66,22 +71,29 @@ LIB_DEPEND=" ) libressl? ( dev-libs/libressl:0=[static-libs(+)] ) ) - >=sys-libs/zlib-1.2.3:=[static-libs(+)]" + virtual/libcrypt:=[static-libs(+)] + >=sys-libs/zlib-1.2.3:=[static-libs(+)] +" RDEPEND=" + acct-group/sshd + acct-user/sshd !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) - pam? ( virtual/pam ) - kerberos? ( virtual/krb5 )" + pam? ( sys-libs/pam ) + kerberos? ( virtual/krb5 ) +" DEPEND="${RDEPEND} static? ( ${LIB_DEPEND} ) - virtual/pkgconfig virtual/os-headers - sys-devel/autoconf" +" RDEPEND="${RDEPEND} pam? ( >=sys-auth/pambase-20081028 ) - userland_GNU? ( virtual/shadow ) - X? ( x11-apps/xauth )" - -S="${WORKDIR}/${PARCH}" + userland_GNU? ( !prefix? ( sys-apps/shadow ) ) + X? ( x11-apps/xauth ) +" +BDEPEND=" + virtual/pkgconfig + sys-devel/autoconf +" pkg_pretend() { # this sucks, but i'd rather have people unable to `emerge -u openssh` 
@@ -102,53 +114,39 @@ pkg_pretend() { fi # Make sure people who are using tcp wrappers are notified of its removal. #531156 - if grep -qs '^ *sshd *:' "${EROOT%/}"/etc/hosts.{allow,deny} ; then + if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" - ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please." + ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please." fi } src_prepare() { sed -i \ - -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX%/}/usr/bin/xauth:" \ + -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \ pathnames.h || die # don't break .ssh/authorized_keys2 for fun sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die - eapply "${FILESDIR}"/${PN}-7.9_p1-openssl-1.0.2-compat.patch eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch - eapply "${FILESDIR}"/${PN}-7.8_p1-GSSAPI-dns.patch #165444 integrated into gsskex + eapply "${FILESDIR}"/${PN}-8.1_p1-GSSAPI-dns.patch #165444 integrated into gsskex eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch - - if use X509 ; then - # patch doesn't apply due to X509 modifications - rm \ - "${WORKDIR}"/patches/0001-fix-key-type-check.patch \ - "${WORKDIR}"/patches/0002-request-rsa-sha2-cert-signatures.patch \ - || die - else - eapply "${FILESDIR}"/${PN}-7.9_p1-CVE-2018-20685.patch # X509 patch set includes this patch - fi + eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch + eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch + eapply "${FILESDIR}"/${PN}-8.1_p1-tests-2020.patch [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches local PATCHSET_VERSION_MACROS=() if use X509 ; then - pushd "${WORKDIR}" || die - eapply "${FILESDIR}/${P}-X509-glue-${X509_VER}.patch" - eapply 
"${FILESDIR}/${P}-X509-dont-make-piddir-${X509_VER}.patch" - popd || die - - if use hpn ; then - einfo "Will disable MT AES cipher due to incompatbility caused by X509 patch set" - HPN_DISABLE_MTAES=1 - fi + pushd "${WORKDIR}" &>/dev/null || die + eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch" + popd &>/dev/null || die eapply "${WORKDIR}"/${X509_PATCH%.*} - eapply "${FILESDIR}"/${P}-X509-${X509_VER}-tests.patch + eapply "${FILESDIR}"/${P}-X509-$(ver_cut 1-2 ${X509_VER})-tests.patch # We need to patch package version or any X.509 sshd will reject our ssh client # with "userauth_pubkey: could not parse key: string is too large [preauth]" @@ -182,16 +180,22 @@ src_prepare() { if use hpn ; then local hpn_patchdir="${T}/${P}-hpn${HPN_VER}" - mkdir "${hpn_patchdir}" - cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" - pushd "${hpn_patchdir}" - eapply "${FILESDIR}"/${P}-hpn-glue.patch - use X509 && eapply "${FILESDIR}"/${P}-hpn-X509-glue.patch - use sctp && eapply "${FILESDIR}"/${P}-hpn-sctp-glue.patch - popd + mkdir "${hpn_patchdir}" || die + cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die + pushd "${hpn_patchdir}" &>/dev/null || die + eapply "${FILESDIR}"/${PN}-8.1_p1-hpn-${HPN_VER}-glue.patch + if use X509; then + # einfo "Will disable MT AES cipher due to incompatbility caused by X509 patch set" + # # X509 and AES-CTR-MT don't get along, let's just drop it + # rm openssh-${HPN_PV//./_}-hpn-AES-CTR-${HPN_VER}.diff || die + eapply "${FILESDIR}"/${PN}-8.0_p1-hpn-${HPN_VER}-X509-glue.patch + fi + use sctp && eapply "${FILESDIR}"/${PN}-8.1_p1-hpn-${HPN_VER}-sctp-glue.patch + popd &>/dev/null || die eapply "${hpn_patchdir}" - eapply "${FILESDIR}/openssh-7.9_p1-hpn-openssl-1.1.patch" + + use X509 || eapply "${FILESDIR}/openssh-8.0_p1-hpn-version.patch" einfo "Patching Makefile.in for HPN patch set ..." sed -i \ 
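Review bot: `eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"` toggles the double quotes around `${X509_VER}` for no reason, leaving that expansion unquoted and the line hard to read; write it as `eapply "${FILESDIR}/${P}-X509-glue-${X509_VER}.patch"` like the `X509-$(ver_cut 1-2 ${X509_VER})-tests.patch` line two lines below. The dropped `${P}-X509-dont-make-piddir-${X509_VER}.patch` and the dropped per-X509 removal of the two 7.9 patches are not explained anywhere in the hunk; a short comment next to the X509 block saying the 12.3 patch set no longer needs them (if that is the reason) would save the next rebaser from re-checking. src_prepare() continues past the end of the hunk.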
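Review bot: The three commented-out lines under `if use X509; then` (the `einfo` about disabling MT-AES and the `rm openssh-${HPN_PV//./_}-hpn-AES-CTR-${HPN_VER}.diff || die`) are dead code carried into the new glue logic; delete them and state the decision instead, e.g. `# AES-CTR-MT is kept with X509 now; the 8.0_p1-hpn-14.20-X509-glue.patch reconciles the two` (assuming that is what the glue patch does, which this diff does not show). Note also that `cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}"` still word-splits the DISTDIR paths, and that `eapply "${hpn_patchdir}"` now applies every file in that directory, which silently includes the newly added PeakTput diff.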
@@ -274,22 +278,23 @@ src_configure() { use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG use static && append-ldflags -static + use xmss && append-cflags -DWITH_XMSS local myconf=( --with-ldflags="${LDFLAGS}" --disable-strip --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run - --sysconfdir="${EPREFIX%/}"/etc/ssh - --libexecdir="${EPREFIX%/}"/usr/$(get_libdir)/misc - --datadir="${EPREFIX%/}"/usr/share/openssh - --with-privsep-path="${EPREFIX%/}"/var/empty + --sysconfdir="${EPREFIX}"/etc/ssh + --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc + --datadir="${EPREFIX}"/usr/share/openssh + --with-privsep-path="${EPREFIX}"/var/empty --with-privsep-user=sshd $(use_with audit audit linux) - $(use_with kerberos kerberos5 "${EPREFIX%/}"/usr) + $(use_with kerberos kerberos5 "${EPREFIX}"/usr) # We apply the sctp patch conditionally, so can't pass --without-sctp # unconditionally else we get unknown flag warnings. $(use sctp && use_with sctp) - $(use_with ldns ldns "${EPREFIX%/}"/usr) + $(use_with ldns ldns "${EPREFIX}"/usr) $(use_with libedit) $(use_with pam) $(use_with pie) @@ -300,8 +305,8 @@ src_configure() { $(use_with !elibc_Cygwin hardening) #659210 ) - # stackprotect is broken on musl x86 - use elibc_musl && use x86 && myconf+=( --without-stackprotect ) + # stackprotect is broken on musl x86 and ppc + use elibc_musl && ( use x86 || use ppc ) && myconf+=( --without-stackprotect ) # The seccomp sandbox is broken on x32, so use the older method for now. #553748 use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit ) @@ -327,7 +332,7 @@ src_test() { mkdir -p "${sshhome}"/.ssh for t in "${tests[@]}" ; do # Some tests read from stdin ... - HOMEDIR="${sshhome}" HOME="${sshhome}" \ + HOMEDIR="${sshhome}" HOME="${sshhome}" SUDO="" \ emake -k -j1 ${t} > "${ED%/}"/etc/ssh/sshd_config + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config # Allow client to pass locale environment variables. #367017 AcceptEnv ${locale_vars[*]} 
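Review bot: `use xmss && append-cflags -DWITH_XMSS` pushes a preprocessor define through CFLAGS while the line directly above uses `append-cppflags` for the equivalent `-DSANDBOX_SECCOMP_FILTER_DEBUG`; use `use xmss && append-cppflags -DWITH_XMSS` so the macro is seen by every preprocessing step, including configure-time checks, in the same way. If upstream still classes the XMSS key type as experimental at 8.1 (it was introduced that way), the metadata.xml flag description should say so, since enabling an experimental signature scheme on a host key is a deployment decision, not just a feature toggle.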
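Review bot: `use elibc_musl && ( use x86 || use ppc ) && myconf+=( --without-stackprotect )` forks a subshell just to group the two `use` tests; `use elibc_musl && { use x86 || use ppc; } && myconf+=( --without-stackprotect )` is the idiomatic bash grouping and keeps the stack-protector opt-out logic in-process. The comment above it should also say which musl/ppc toolchain bug motivates dropping -fstack-protector there, since a hardening flag is being removed.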
@@ -361,7 +366,7 @@ tweak_ssh_configs() { EOF # Then the client config. - cat <<-EOF >> "${ED%/}"/etc/ssh/ssh_config + cat <<-EOF >> "${ED}"/etc/ssh/ssh_config # Send locale environment variables. #367017 SendEnv ${locale_vars[*]} @@ -376,13 +381,13 @@ tweak_ssh_configs() { -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \ -e "/^#PrintMotd /s:.*:PrintMotd no:" \ -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \ - "${ED%/}"/etc/ssh/sshd_config || die + "${ED}"/etc/ssh/sshd_config || die fi if use livecd ; then sed -i \ -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \ - "${ED%/}"/etc/ssh/sshd_config || die + "${ED}"/etc/ssh/sshd_config || die fi } @@ -409,11 +414,6 @@ src_install() { systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service' } -pkg_preinst() { - enewgroup sshd 22 - enewuser sshd 22 -1 /var/empty sshd -} - pkg_postinst() { if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then elog "Starting with openssh-5.8p1, the server will default to a newer key"