Merge pull request #1023 from kinvolk/dongsu/openssh-8.6

net-misc/openssh: update to 8.6
Dongsu Park 2021-05-27 11:49:07 +02:00 committed by GitHub
commit 71eeaa90cc
38 changed files with 2699 additions and 1019 deletions


@ -1,13 +1,19 @@
DIST openssh-8.1_p1-glibc-2.31-patches.tar.xz 1752 BLAKE2B ccab53069c0058be7ba787281f5a1775d169a9dcda6f78742eb8cb3cce4ebe3a4c506c75a8ac142700669cf04b7475e35f6a06a4499d3d076e4e88e4fc59f3e6 SHA512 270d532fc7f4ec10c5ee56677f8280dec47a96e73f8032713b212cfad64a58ef142a7f49b7981dca80cbf0dd99753ef7a93b6af164cad9492fa224d546c27f14
DIST openssh-8.1p1+x509-12.3.diff.gz 689934 BLAKE2B 57a302a25bec1d630b9c36f74ab490e11c97f9bcbaf8f527e46ae7fd5bade19feb3d8853079870b5c08b70a55e289cf4bf7981c11983973fa588841aeb21e650 SHA512 8d7c321423940f5a78a51a25ad5373f5db17a4a8ca7e85041e503998e0823ad22068bc652e907e9f5787858d45ce438a4bba18240fa72e088eb10b903e96b192
DIST openssh-8.1p1-sctp-1.2.patch.xz 7672 BLAKE2B f1aa0713fcb114d8774bd8d524d106401a9d7c2c73a05fbde200ccbdd2562b3636ddd2d0bc3eae9f04b4d7c729c3dafd814ae8c530a76c4a0190fae71d1edcd2 SHA512 2bffab0bbae5a4c1875e0cc229bfd83d8565bd831309158cd489d8b877556c69b936243888a181bd9ff302e19f2c174156781574294d260b6384c464d003d566
DIST openssh-8.1p1.tar.gz 1625894 BLAKE2B d525be921a6f49420a58df5ac434d43a0c85e0f6bf8428ecebf04117c50f473185933e6e4485e506ac614f71887a513b9962d7b47969ba785da8e3a38f767322 SHA512 b987ea4ffd4ab0c94110723860273b06ed8ffb4d21cbd99ca144a4722dc55f4bf86f6253d500386b6bee7af50f066e2aa2dd095d50746509a10e11221d39d925
DIST openssh-8.2p1+x509-12.4.3.diff.gz 806905 BLAKE2B 8e0f0f3eeb2aafd9fc9e6eca80c0b51ffedbed9dfc46ff73bb1becd28f6ac013407d03107b59da05d9d56edbf283eef20891086867b79efd8aab81c3e9a4a32f SHA512 51117d7e4df2ff78c4fdfd08c2bb8f1739b1db064df65bab3872e1a956c277a4736c511794aa399061058fea666a76ee07bb50d83a0d077b7fa572d02c030b91
DIST openssh-8.2p1-sctp-1.2.patch.xz 7668 BLAKE2B 717487cffd235a5dfa2d9d3f2c1983f410d400b0d23f71a9b74406ac3d2f448d76381a3b7a3244942bff4e6bdc3bc78d148b9949c78dc297d99c7330179f8176 SHA512 a5fbd827e62e91b762062a29c7bc3bf569a202bdc8c91da7d77566ff8bb958b5b9fb6f8d45df586e0d7ac07a83de6e82996e9c5cdd6b3bf43336c420d3099305
DIST openssh-8.2p1.tar.gz 1701197 BLAKE2B 8b95cdebc87e8d14f655ed13c12b91b122adf47161071aa81d0763f81b12fe4bc3d409c260783d995307d4e4ed2d16080fd74b15e4dc6dcc5648d7e66720c3ed SHA512 c4db64e52a3a4c410de9de49f9cb104dd493b10250af3599b92457dd986277b3fd99a6f51cec94892fd1be5bd0369c5757262ea7805f0de464b245c3d34c120a
DIST openssh-8.3p1+x509-12.5.1.diff.gz 803054 BLAKE2B ec88959b4e3328e70d6f136f3d5bebced2e555de3ea40f55c535ca8a30a0eed84d177ad966e5bda46e1fc61d42141b13e96d068f5abfd069ae81b131dfb5a66c SHA512 28166a1a1aeff0c65f36263c0009e82cda81fc8f4efe3d11fabd0312d199a4f935476cf7074fbce68787d2fec0fd42f00fef383bf856a5767ce9d0ca6bbc8ef0
DIST openssh-8.3p1-sctp-1.2.patch.xz 7668 BLAKE2B abbc65253d842c09a04811bdbafc175c5226996cdd190812b47ce9646853cd5c1b21d733e719b481cce9c7f4dc00894b6d6be732e311850963df23b9dc55a0e6 SHA512 4e0cc1707663f902dfbf331a431325da78759cc757a4aaae33e0c7f64f21830ec805168d8ae4d47a65a20c235fa534679e288f922df2b24655b7d1ee9a3bf014
DIST openssh-8.3p1.tar.gz 1706358 BLAKE2B 0b53d92caa4a0f4cb40eee671ac889753d320b7c8e44df159a81dd8163c3663f07fa648f5dc506fb27d31893acf9701b997598c50bf204acf54172d72825a4d8 SHA512 b5232f7c85bf59ae2ff9d17b030117012e257e3b8c0d5ac60bb139a85b1fbf298b40f2e04203a2e13ca7273053ed668b9dedd54d3a67a7cb8e8e58c0228c5f40
DIST openssh-8_1_P1-hpn-AES-CTR-14.20.diff 29935 BLAKE2B 79101c43601e41306c957481c0680a63357d93bededdf12a32229d50acd9c1f46a386cbb91282e9e7d7bb26a9f276f5a675fd2de7662b7cbd073322b172d3bca SHA512 94f011b7e654630e968a378375aa54fa1fde087b4426d0f2225813262e6667a1073814d6a83e9005f97b371c536e462e614bfe726b092ffed8229791592ca221
DIST openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 42696 BLAKE2B d8ac7fa1a4e4d1877acdedeaee80172da469b5a62d0aaa43d6ed46c578e7893577b9d563835d89ca2044867fc561ad3f562bf504c025cf4c78421cf3d24397e9 SHA512 768db7cca8839df4441afcb08457d13d32625b31859da527c3d7f1a92d17a4ec81d6987db00879c394bbe59589e57b10bfd98899a167ffed65ab367b1fd08739
DIST openssh-8_1_P1-hpn-PeakTput-14.20.diff 2012 BLAKE2B e42c43128f1d82b4de1517e6a9219947da03cecb607f1bc45f0728547f17601a6ce2ec819b6434890efd19ceaf4d20cb98183596ab5ee79e104a52cda7db9cdc SHA512 238f9419efd3be80bd700f6ae7e210e522d747c363c4e670364f5191f144ae3aa8d1b1539c0bf87b3de36743aa73e8101c53c0ef1c6472d209569be389e7814d
DIST openssh-8.4p1+x509-12.6.diff.gz 857479 BLAKE2B ac8c3e8c1087ca571e5459c9826903410ff2d45de60151d9bd8e59da15805b75752f8f3ffc231c9f8aaa8f2b2c07a97a8296684f885e0d14b54ff5d7bc585588 SHA512 e56516b376ecc3e5464895744ce0616cf4446a891fbd3cbcb090d5f61ebc349d74f9c01e855ccd22e574dbfeec0cb2ba7daf582983010ff991243a6371cc5fe3
DIST openssh-8.4p1-sctp-1.2.patch.xz 7668 BLAKE2B 2e22d2a90723cea9ef958bd989b8c431fcb08b4dc5bfd3ebbf463ca9546dc37acdc185c35ddf3adbb90bde9b3902bf36524a456061a9bcbdef7a76ece79e2ff4 SHA512 90da34b7b86e52df9e0191c99c9d645a4d4671958adebeed46e1149102d4ba8c729eadb79d84fad9feac64aafa0541d2f1f4db8cdfe0af5ba893aac072ef2380
DIST openssh-8.4p1.tar.gz 1742201 BLAKE2B 4b1e60d4962095df045c3a31bbf8af725b1c07324c4aa1f6b9a3ddb7e695c98e9aa01655b268f6fd6a400f511b23be91f6b89d07b14a6a2d92f873efb4d9c146 SHA512 d65275b082c46c5efe7cf3264fa6794d6e99a36d4a54b50554fc56979d6c0837381587fd5399195e1db680d2a5ad1ef0b99a180eac2b4de5637906cb7a89e9ce
DIST openssh-8.5p1+x509-13.0.1.diff.gz 997005 BLAKE2B b6cdc9ba12dc642c7073463fb8b153a32019e8bc4c1778c2371d89cdc8d9b43e86523d0c03ebeeafa7004a16ad46dfbc18b338bf95f46101d8865709d45aa6b0 SHA512 b0247885d3a0718eb4df123c552f9e95ad9ffd55f96189aca35006c23d76ec76b28420cac4d7b2167c07f2e0a0652edfa20c2ce60aea3f7607a1e747f836ff91
DIST openssh-8.5p1+x509-13.0.diff.gz 996872 BLAKE2B 136937e4e65e5e73d1d1b596ae6188f359daa8e95aafd57fab8cf947b59fde573ff4e6259781d1a0fd89718d14469ca4aed01bae6f37cc16df109c673fa2c73c SHA512 2276b0ac577162f7f6a56115637636a6eaaa8b3cc06e5ef053ec06e00a7c3459efe8de8dbc5f55c9f6a192534e2f7c8c7064fcdbf56d28b628bb301c5072802c
DIST openssh-8.5p1-sctp-1.2.patch.xz 7692 BLAKE2B 298bf5e2004fd864bdbb6d6f354d1fbcb7052a9caaf8e39863b840a7af8e31f87790f6aa10ae84df177d450bb34a43c4a3aa87d7472e2505d727757c016ce92b SHA512 84990f95e22c90dbc4d04d47ea88b761ff1d0101018661ff2376ac2a726b5fca43f1b5f5d926ccbe1c8d0143ac36b104616bd1a6b5dcdba4addf48a5dd196e2b
DIST openssh-8.5p1.tar.gz 1779733 BLAKE2B f4e4bd39e2dd275d4811e06ca994f2239ad27c804b003c74cc26f9dffae28f1b4006fc618580f0dc9c45f0b7361c24728c23688b45f41cb8a15cf6206c3f15c3 SHA512 af9c34d89170a30fc92a63973e32c766ed4a6d254bb210e317c000d46913e78d0c60c7befe62d993d659be000b828b9d4d3832fc40df1c3d33850aaa6293846f
DIST openssh-8.6p1+x509-13.1.diff.gz 1011666 BLAKE2B 0ac0cf2ff962b8ef677c49de0bb586f375f14d8964e077c10f6a88ec15734807940ab6c0277e44ebdfde0e50c2c80103cff614a6cde4d66e9986152032eeaa90 SHA512 ae4986dd079678c7b0cfd805136ff7ac940d1049fdddeb5a7c4ea2141bfcca70463b951485fb2b113bc930f519b1b41562900ced0269f5673dbdad867f464251
DIST openssh-8.6p1-sctp-1.2.patch.xz 7696 BLAKE2B 37f9e943a1881af05d9cf2234433711dc45ca30c60af4c0ea38a1d361df02abb491fa114f3698285f582b40b838414c1a048c4f09aa4f7ae9499adb09201d2ac SHA512 ba8c4d38a3d90854e79dc18918fffde246d7609a3f1c3a35e06c0fbe33d3688ed29b0ec33556ae37d1654e1dc2133d892613ad8d1ecbdce9aaa5b9eb10dcbb7a
DIST openssh-8.6p1.tar.gz 1786328 BLAKE2B 261a0f1a6235275894d487cce37537755c86835e3a34871462fe29bfe72b49cd9a6b6a547aea4bd554f0957e110c84458cc75a5f2560717fb04804d62228562a SHA512 9854eda0b773c64c9f1f74844ce466b2b42ee8845f58ad062b73141d617af944fa4ebafdf72069f400106d2c2bd0a69c92fe805ec1fc26d4f0faadf06c3fbbe6
DIST openssh-8_3_P1-hpn-AES-CTR-14.22.diff 29963 BLAKE2B 19b82f4ff820f52dafaa5b3f09f8a0a67f318771c1c7276b9d37e4a6412052c9c53347f880f2d78981af3830432704b9ad74b375241965326530ae23ec8d74a2 SHA512 49f2778831dc768850870a1755da9cdd7d3bc83fa87069070f5a1d357ce9bdadeb2506c8ff3c6b055708da12a70e9ede7ed0e8a29fcab441abb55c9d483663be
DIST openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 42783 BLAKE2B 10940c35ae6bdc33e58bc9abd9cd7a551d4ca76a175400acb872906805bd04d384f57e81049b183d7d892ce1b5f7a138e197366369fe12e5c9dc1349850b0582 SHA512 c09162b96e0ffadc59c6076507bc843e6f8f2fb372140b84181f5fb2894225b1e05a831d85ba689c35c322b5a99302b9db77c324f978f1a46a16b185b3cb28dd
DIST openssh-8_3_P1-hpn-PeakTput-14.22.diff 2012 BLAKE2B 701f46da022e7ecf35b57f41bf5682a37be453c175928d3ff3df09292275e6021f6108a20c02eec9d636e85ee5a8e05b7233ada180edf1209a3dc4b139d58858 SHA512 026f65c62e4c05b69661094d41bf338df608e2a9b23ef95588062e3bd68729733dae32adab783609a6eca810ccdcbddee25e7649a534c9a283a03282f73438bb
DIST openssh-8_4_P1-hpn-AES-CTR-15.1.diff 29966 BLAKE2B 79dea4e16ffdda329131eb48a3c3dd40e167e5c6fa4dd2beb6c67e7e4f17a45c6645e84dcdc97baae90215a802cd1d723dfd88c981b1db826f61fca0a4e92ae1 SHA512 cdb7aa5737a1527d83ffa747d17ae997a64b7bc16e198d0721b690e5932446d30ba4129c122be2a457f261be7a11d944ef49ba2450ce90f552daab508b0c980b
DIST openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 51327 BLAKE2B 6879df5bfb4c07c44b41620bd49433591711edb08ad6b5c09af8a5f754ca09f3ff6a066ffac3210fdad6dee47710221dca0a3dc47b919498ec6939b42a073418 SHA512 1e6471e88783acf764186577a767ea7c2071bcab1b803c18288f70166d87471703b332dae3bdcaf4318039089caebfba46e5b6da218912eff1103bd03d736a60
DIST openssh-8_4_P1-hpn-PeakTput-15.1.diff 2429 BLAKE2B fc2140f4036ef57b7093696680b6e157c78bb431af9bc9e75f223c2b13693f0ec2ad214fbf6b2ba0059cbf3690a93235559f07b46dabd056d65ae1fc9d7418f0 SHA512 99801a743da8f108dcf883bc216f2abd3fc3071617566b83eb07b6627ed657cccf0ea93ea2a70eff1050a34a0e635e732665c5583e8aa35968fdeb839f837b63
DIST openssh-8_5_P1-hpn-AES-CTR-15.2.diff 30096 BLAKE2B f0c020dd2403806c79d4c37a019996d275655b04997301e247f5c4dd7fad35d12b3b7c25afb1b078d915ef2a4ae02f736f0aec9ba2a8c56a405d7ca303bcadf7 SHA512 4c2dbf99a9b5953fdb955f700272bbaeaa025f108a8860d2190197962b849f8385327af82c4d6a3a130a7fba35a74a8ec9437d642867601acb29817c49632a8f
DIST openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 51428 BLAKE2B 370b88a7da7f148bf5a4d445f05cf593b486e9df53bba027e2e179726f534b68cf9d94edd6e53024e0b6ff5f20e568727bc9d26c94d0d415603602a80d3ad241 SHA512 2d8d887901164b33b2799ff3ec72e86a39ae4a1696e52bcee0872dbae7772fcc534351e6e7f87126ee71b164c74e9091350f14b782f4b242a09f09b4f50d047a
DIST openssh-8_5_P1-hpn-PeakTput-15.2.diff 2429 BLAKE2B 849bf3c313719ab7a25c75e82d5dc5ac98365a038b2a66fe58d01eae5b20c7777258b94b5830e799d6909e75c69753cda05a910f3bdab9606fb7d5efa68e05f1 SHA512 c4a56fab55fabd1d902d45f235b603708d43f969920e45c9a57e557dccfa9cade2ec61f26d1ace938f6f73e79f17b12f119b5aea9166cbda8e3435b910500914
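Review bot: The new DIST entry for openssh-8.6p1.tar.gz (and the 8.6p1 x509 and sctp patches next to it) carries BLAKE2B/SHA512 values, but nothing in this section shows those hashes being checked against the upstream-published release signature; regenerating a Manifest only hashes whatever was downloaded, so a cross-check of the 8.6p1 tarball against the OpenSSH release signature before merge is what actually closes the supply-chain gap. Reading the section as the 13 removed entries followed by the 19 added ones (the only split the hunk counts admit, though the +/- markers are lost in rendering), the new side still lists distfiles for 8.4p1 and 8.5p1 and two x509 diffs for 8.5p1 (13.0 and 13.0.1); if the ebuilds that reference those are dropped elsewhere in this change, these entries are stale and should be removed so the Manifest only covers distfiles the overlay can still build. The ebuild files are not visible on this page, so that last point is inferred from the Manifest alone.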


@ -1,111 +0,0 @@
diff -ur a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff
--- a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-02-04 15:49:15.746095444 -0800
+++ b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-02-04 15:49:54.181853707 -0800
@@ -4,8 +4,8 @@
+++ b/Makefile.in
@@ -42,7 +42,7 @@ CC=@CC@
LD=@LD@
- CFLAGS=@CFLAGS@
- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
-LIBS=@LIBS@
+LIBS=@LIBS@ -lpthread
K5LIBS=@K5LIBS@
@@ -803,8 +803,8 @@
ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
{
struct session_state *state;
-- const struct sshcipher *none = cipher_by_name("none");
-+ struct sshcipher *none = cipher_by_name("none");
+- const struct sshcipher *none = cipher_none();
++ struct sshcipher *none = cipher_none();
int r;
if (none == NULL) {
@@ -948,9 +948,9 @@
/* Portable-specific options */
sUsePAM,
+ sDisableMTAES,
- /* Standard Options */
- sPort, sHostKeyFile, sLoginGraceTime,
- sPermitRootLogin, sLogFacility, sLogLevel,
+ /* X.509 Standard Options */
+ sHostbasedAlgorithms,
+ sPubkeyAlgorithms,
@@ -643,6 +647,7 @@ static struct {
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
--- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 15:41:42.512910357 -0800
+++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 15:56:40.323299499 -0800
@@ -382,7 +382,7 @@
@@ -884,6 +884,10 @@ kex_choose_conf(struct ssh *ssh)
int nenc, nmac, ncomp;
u_int mode, ctos, need, dh_need, authlen;
- int r, first_kex_follows;
+ int r, first_kex_follows = 0;
+ int auth_flag;
+
+ auth_flag = packet_authentication_state(ssh);
@@ -391,8 +391,8 @@
debug2("local %s KEXINIT proposal", kex->server ? "server" : "client");
if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0)
@@ -954,6 +958,14 @@ kex_choose_conf(struct ssh *ssh)
- peer[ncomp] = NULL;
- goto out;
+ else
+ fatal("Pre-authentication none cipher requests are not allowed.");
}
+ debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name);
+ if (strcmp(newkeys->enc.name, "none") == 0) {
@@ -1169,15 +1169,3 @@
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
-diff --git a/version.h b/version.h
-index 6b3fadf8..ec1d2e27 100644
---- a/version.h
-+++ b/version.h
-@@ -3,4 +3,6 @@
- #define SSH_VERSION "OpenSSH_8.1"
-
- #define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_HPN "-hpn14v20"
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
-+
diff -ur a/openssh-8_1_P1-hpn-PeakTput-14.20.diff b/openssh-8_1_P1-hpn-PeakTput-14.20.diff
--- a/openssh-8_1_P1-hpn-PeakTput-14.20.diff 2020-02-04 15:41:42.512910357 -0800
+++ b/openssh-8_1_P1-hpn-PeakTput-14.20.diff 2020-02-04 16:02:42.203023609 -0800
@@ -12,9 +12,9 @@
static long stalled; /* how long we have been stalled */
static int bytes_per_second; /* current speed in bytes per second */
@@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
+ off_t bytes_left;
int cur_speed;
- int hours, minutes, seconds;
- int file_len;
+ int len;
+ off_t delta_pos;
if ((!force_update && !alarm_fired && !win_resized) || !can_output())
@@ -33,12 +33,12 @@
@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
/* filename */
- buf[0] = '\0';
-- file_len = win_size - 36;
-+ file_len = win_size - 45;
- if (file_len > 0) {
- buf[0] = '\r';
- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
+ if (win_size > 36) {
+- int file_len = win_size - 36;
++ int file_len = win_size - 45;
+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
+ file_len, file);
+ }
@@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
(off_t)bytes_per_second);
strlcat(buf, "/s ", win_size);


@ -1,11 +0,0 @@
--- a/openbsd-compat/regress/Makefile.in 2019-06-17 10:59:01.210601434 -0700
+++ b/openbsd-compat/regress/Makefile.in 2019-06-17 10:59:18.753485852 -0700
@@ -7,7 +7,7 @@
CC=@CC@
LD=@LD@
CFLAGS=@CFLAGS@
-CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
+CPPFLAGS=-I. -I.. -I../.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
EXEEXT=@EXEEXT@
LIBCOMPAT=../libopenbsd-compat.a
LIBS=@LIBS@


@ -1,35 +0,0 @@
Only in b: .openssh-8.1p1+x509-12.3.diff.un~
diff -ur a/openssh-8.1p1+x509-12.3.diff b/openssh-8.1p1+x509-12.3.diff
--- a/openssh-8.1p1+x509-12.3.diff 2019-10-14 11:33:45.796485604 -0700
+++ b/openssh-8.1p1+x509-12.3.diff 2019-10-14 11:39:44.960312587 -0700
@@ -35343,12 +35343,11 @@
install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
-@@ -339,6 +360,8 @@
+@@ -339,6 +360,7 @@
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
$(MKDIR_P) $(DESTDIR)$(libexecdir)
+ $(MKDIR_P) $(DESTDIR)$(sshcadir)
-+ $(MKDIR_P) $(DESTDIR)$(piddir)
$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
@@ -83536,16 +83535,6 @@
+ return mbtowc(NULL, s, n);
+}
+#endif
-diff -ruN openssh-8.1p1/version.h openssh-8.1p1+x509-12.3/version.h
---- openssh-8.1p1/version.h 2019-10-09 03:31:03.000000000 +0300
-+++ openssh-8.1p1+x509-12.3/version.h 2019-10-13 09:07:00.000000000 +0300
-@@ -2,5 +2,4 @@
-
- #define SSH_VERSION "OpenSSH_8.1"
-
--#define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
diff -ruN openssh-8.1p1/version.m4 openssh-8.1p1+x509-12.3/version.m4
--- openssh-8.1p1/version.m4 1970-01-01 02:00:00.000000000 +0200
+++ openssh-8.1p1+x509-12.3/version.m4 2019-10-13 09:07:00.000000000 +0300


@ -1,19 +0,0 @@
diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
--- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 14:55:30.408567718 -0800
+++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 16:36:51.394069720 -0800
@@ -1191,15 +1191,3 @@
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
-diff --git a/version.h b/version.h
-index 6b3fadf8..ec1d2e27 100644
---- a/version.h
-+++ b/version.h
-@@ -3,4 +3,6 @@
- #define SSH_VERSION "OpenSSH_8.1"
-
- #define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_HPN "-hpn14v20"
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
-+


@ -1,26 +0,0 @@
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 86ea6250..844adabc 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -252,7 +252,7 @@ test_one() {
test_one "user-certificate" failure "-n $HOSTS"
test_one "empty principals" success "-h"
test_one "wrong principals" failure "-h -n foo"
-test_one "cert not yet valid" failure "-h -V20200101:20300101"
+test_one "cert not yet valid" failure "-h -V20300101:20320101"
test_one "cert expired" failure "-h -V19800101:19900101"
test_one "cert valid interval" success "-h -V-1w:+2w"
test_one "cert has constraints" failure "-h -Oforce-command=false"
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index 38c14a69..5cd02fc3 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -338,7 +338,7 @@ test_one() {
test_one "correct principal" success "-n ${USER}"
test_one "host-certificate" failure "-n ${USER} -h"
test_one "wrong principals" failure "-n foo"
-test_one "cert not yet valid" failure "-n ${USER} -V20200101:20300101"
+test_one "cert not yet valid" failure "-n ${USER} -V20300101:20320101"
test_one "cert expired" failure "-n ${USER} -V19800101:19900101"
test_one "cert valid interval" success "-n ${USER} -V-1w:+2w"
test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8"


@ -1,11 +0,0 @@
--- a/openbsd-compat/regress/Makefile.in 2020-02-15 10:59:01.210601434 -0700
+++ b/openbsd-compat/regress/Makefile.in 2020-02-15 10:59:18.753485852 -0700
@@ -7,7 +7,7 @@
CC=@CC@
LD=@LD@
CFLAGS=@CFLAGS@
-CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
+CPPFLAGS=-I. -I.. -I../.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
EXEEXT=@EXEEXT@
LIBCOMPAT=../libopenbsd-compat.a
LIBS=@LIBS@


@ -1,128 +0,0 @@
--- a/openssh-8.2p1+x509-12.4.3.diff 2020-03-21 11:15:05.939809371 -0700
+++ b/openssh-8.2p1+x509-12.4.3.diff 2020-03-21 11:23:15.424752355 -0700
@@ -39298,16 +39298,15 @@
install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
-@@ -378,6 +379,8 @@
+@@ -378,6 +379,7 @@
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
$(MKDIR_P) $(DESTDIR)$(libexecdir)
+ $(MKDIR_P) $(DESTDIR)$(sshcadir)
-+ $(MKDIR_P) $(DESTDIR)$(piddir)
$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
-@@ -386,11 +389,14 @@
+@@ -386,11 +388,14 @@
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
@@ -39326,7 +39325,7 @@
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-@@ -400,12 +406,12 @@
+@@ -400,12 +405,12 @@
$(INSTALL) -m 644 moduli.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/moduli.5
$(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
$(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
@@ -39340,7 +39339,7 @@
install-sysconf:
$(MKDIR_P) $(DESTDIR)$(sysconfdir)
-@@ -463,10 +469,9 @@
+@@ -463,10 +468,9 @@
-rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
-rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
-rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
@@ -39354,7 +39353,7 @@
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-@@ -478,7 +483,6 @@
+@@ -478,7 +482,6 @@
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
@@ -39362,7 +39361,7 @@
regress-prep:
$(MKDIR_P) `pwd`/regress/unittests/test_helper
-@@ -491,11 +495,11 @@
+@@ -491,11 +494,11 @@
$(MKDIR_P) `pwd`/regress/unittests/match
$(MKDIR_P) `pwd`/regress/unittests/utf8
$(MKDIR_P) `pwd`/regress/misc/kexfuzz
@@ -39376,7 +39375,7 @@
regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c $(REGRESSLIBS)
$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $(srcdir)/regress/modpipe.c \
-@@ -546,8 +550,7 @@
+@@ -546,8 +549,7 @@
regress/unittests/sshkey/tests.o \
regress/unittests/sshkey/common.o \
regress/unittests/sshkey/test_file.o \
@@ -39406,7 +39405,7 @@
regress/unittests/hostkeys/test_hostkeys$(EXEEXT): \
${UNITTESTS_TEST_HOSTKEYS_OBJS} \
-@@ -618,35 +619,18 @@
+@@ -618,35 +618,18 @@
-lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
MISC_KEX_FUZZ_OBJS=\
@@ -39444,7 +39443,7 @@
regress/unittests/sshbuf/test_sshbuf$(EXEEXT) \
regress/unittests/sshkey/test_sshkey$(EXEEXT) \
regress/unittests/bitmap/test_bitmap$(EXEEXT) \
-@@ -657,36 +641,29 @@
+@@ -657,36 +640,29 @@
regress/unittests/utf8/test_utf8$(EXEEXT) \
regress/misc/kexfuzz/kexfuzz$(EXEEXT)
@@ -39501,7 +39500,7 @@
TEST_SSH_IPV6="@TEST_SSH_IPV6@" ; \
TEST_SSH_UTF8="@TEST_SSH_UTF8@" ; \
TEST_SSH_ECC="@TEST_SSH_ECC@" ; \
-@@ -708,8 +685,6 @@
+@@ -708,8 +684,6 @@
TEST_SSH_SSHPKCS11HELPER="$${TEST_SSH_SSHPKCS11HELPER}" \
TEST_SSH_SSHKEYSCAN="$${TEST_SSH_SSHKEYSCAN}" \
TEST_SSH_SFTP="$${TEST_SSH_SFTP}" \
@@ -39510,7 +39509,7 @@
TEST_SSH_SFTPSERVER="$${TEST_SSH_SFTPSERVER}" \
TEST_SSH_PLINK="$${TEST_SSH_PLINK}" \
TEST_SSH_PUTTYGEN="$${TEST_SSH_PUTTYGEN}" \
-@@ -717,17 +692,35 @@
+@@ -717,17 +691,35 @@
TEST_SSH_IPV6="$${TEST_SSH_IPV6}" \
TEST_SSH_UTF8="$${TEST_SSH_UTF8}" \
TEST_SSH_ECC="$${TEST_SSH_ECC}" \
@@ -39549,7 +39548,7 @@
survey: survey.sh ssh
@$(SHELL) ./survey.sh > survey
-@@ -743,4 +736,8 @@
+@@ -743,4 +735,8 @@
sh buildpkg.sh; \
fi
@@ -98215,16 +98214,6 @@
+ return mbtowc(NULL, s, n);
+}
+#endif
-diff -ruN openssh-8.2p1/version.h openssh-8.2p1+x509-12.4.3/version.h
---- openssh-8.2p1/version.h 2020-02-14 02:40:54.000000000 +0200
-+++ openssh-8.2p1+x509-12.4.3/version.h 2020-03-21 19:07:00.000000000 +0200
-@@ -2,5 +2,4 @@
-
- #define SSH_VERSION "OpenSSH_8.2"
-
--#define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
diff -ruN openssh-8.2p1/version.m4 openssh-8.2p1+x509-12.4.3/version.m4
--- openssh-8.2p1/version.m4 1970-01-01 02:00:00.000000000 +0200
+++ openssh-8.2p1+x509-12.4.3/version.m4 2020-03-21 19:07:00.000000000 +0200


@ -1,151 +0,0 @@
diff -ur '--exclude=*.un~' a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff
--- a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-02-15 12:50:44.413776914 -0800
+++ b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-02-15 12:53:06.190742744 -0800
@@ -3,9 +3,9 @@
--- a/Makefile.in
+++ b/Makefile.in
@@ -42,7 +42,7 @@ CC=@CC@
- LD=@LD@
- CFLAGS=@CFLAGS@
+ CFLAGS_NOPIE=@CFLAGS_NOPIE@
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+ PICFLAG=@PICFLAG@
-LIBS=@LIBS@
+LIBS=@LIBS@ -lpthread
K5LIBS=@K5LIBS@
@@ -902,14 +902,14 @@
/*
@@ -2118,6 +2125,8 @@ fill_default_options(Options * options)
+ options->canonicalize_hostname = SSH_CANONICALISE_NO;
+ if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
- if (options->update_hostkeys == -1)
- options->update_hostkeys = 0;
+ if (options->disable_multithreaded == -1)
+ options->disable_multithreaded = 0;
-
- /* Expand KEX name lists */
- all_cipher = cipher_alg_list(',', 0);
+ #ifdef ENABLE_SK_INTERNAL
+ if (options->sk_provider == NULL)
+ options->sk_provider = xstrdup("internal");
diff --git a/readconf.h b/readconf.h
index 8e36bf32..c803eca7 100644
--- a/readconf.h
@@ -952,9 +952,9 @@
sPort, sHostKeyFile, sLoginGraceTime,
sPermitRootLogin, sLogFacility, sLogLevel,
@@ -643,6 +647,7 @@ static struct {
- { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
+ { "include", sInclude, SSHCFG_ALL },
+ { "disableMTAES", sDisableMTAES, SSHCFG_ALL },
{ "ipqos", sIPQoS, SSHCFG_ALL },
{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
diff -ur '--exclude=*.un~' a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
--- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-15 12:50:44.413776914 -0800
+++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-15 12:51:19.541768656 -0800
@@ -409,18 +409,10 @@
index 817da43b..b2bcf78f 100644
--- a/packet.c
+++ b/packet.c
-@@ -925,6 +925,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+@@ -925,6 +925,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
return 0;
}
-+/* this supports the forced rekeying required for the NONE cipher */
-+int rekey_requested = 0;
-+void
-+packet_request_rekeying(void)
-+{
-+ rekey_requested = 1;
-+}
-+
+/* used to determine if pre or post auth when rekeying for aes-ctr
+ * and none cipher switch */
+int
@@ -434,20 +426,6 @@
#define MAX_PACKETS (1U<<31)
static int
ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-@@ -951,6 +969,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
- if (state->p_send.packets == 0 && state->p_read.packets == 0)
- return 0;
-
-+ /* used to force rekeying when called for by the none
-+ * cipher switch methods -cjr */
-+ if (rekey_requested == 1) {
-+ rekey_requested = 0;
-+ return 1;
-+ }
-+
- /* Time-based rekeying */
- if (state->rekey_interval != 0 &&
- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
diff --git a/packet.h b/packet.h
index 8ccfd2e0..1ad9bc06 100644
--- a/packet.h
@@ -476,9 +454,9 @@
/* Format of the configuration file:
@@ -167,6 +168,8 @@ typedef enum {
- oHashKnownHosts,
oTunnel, oTunnelDevice,
oLocalCommand, oPermitLocalCommand, oRemoteCommand,
+ oDisableMTAES,
+ oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
+ oNoneEnabled, oNoneSwitch,
oVisualHostKey,
@@ -615,9 +593,9 @@
int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
SyslogFacility log_facility; /* Facility for system logging. */
@@ -112,7 +116,10 @@ typedef struct {
-
int enable_ssh_keysign;
int64_t rekey_limit;
+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
+ int none_switch; /* Use none cipher */
+ int none_enabled; /* Allow none to be used */
int rekey_interval;
@@ -700,9 +678,9 @@
+ options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
+ }
+
+ if (options->disable_multithreaded == -1)
+ options->disable_multithreaded = 0;
if (options->ip_qos_interactive == -1)
- options->ip_qos_interactive = IPTOS_DSCP_AF21;
- if (options->ip_qos_bulk == -1)
@@ -486,6 +532,8 @@ typedef enum {
sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily,
@@ -1079,11 +1057,11 @@
xxx_host = host;
xxx_hostaddr = hostaddr;
-@@ -422,6 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
+@@ -422,7 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
if (!authctxt.success)
fatal("Authentication failed.");
-+
+
+ /*
+ * If the user wants to use the none cipher, do it post authentication
+ * and only if the right conditions are met -- both of the NONE commands
@@ -1105,9 +1083,9 @@
+ }
+ }
+
- debug("Authentication succeeded (%s).", authctxt.method->name);
- }
-
+ #ifdef WITH_OPENSSL
+ if (options.disable_multithreaded == 0) {
+ /* if we are using aes-ctr there can be issues in either a fork or sandbox
diff --git a/sshd.c b/sshd.c
index 11571c01..23a06022 100644
--- a/sshd.c


@ -1,20 +0,0 @@
--- a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-04-17 10:31:37.392120799 -0700
+++ b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-04-17 10:32:46.143684424 -0700
@@ -672,7 +672,7 @@
+const EVP_CIPHER *
+evp_aes_ctr_mt(void)
+{
-+# if OPENSSL_VERSION_NUMBER >= 0x10100000UL
++# if (OPENSSL_VERSION_NUMBER >= 0x10100000UL || defined(HAVE_OPAQUE_STRUCTS)) && !defined(LIBRESSL_VERSION_NUMBER)
+ static EVP_CIPHER *aes_ctr;
+ aes_ctr = EVP_CIPHER_meth_new(NID_undef, 16/*block*/, 16/*key*/);
+ EVP_CIPHER_meth_set_iv_length(aes_ctr, AES_BLOCK_SIZE);
@@ -701,7 +701,7 @@
+ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
+# endif /*SSH_OLD_EVP*/
+ return &aes_ctr;
-+# endif /*OPENSSH_VERSION_NUMBER*/
++# endif /*OPENSSL_VERSION_NUMBER*/
+}
+
+#endif /* defined(WITH_OPENSSL) */


@ -1,19 +0,0 @@
diff -ur '--exclude=*.un~' a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
--- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-15 12:10:00.321998279 -0800
+++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-15 12:10:21.759980508 -0800
@@ -1169,15 +1169,3 @@
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
-diff --git a/version.h b/version.h
-index 6b3fadf8..ec1d2e27 100644
---- a/version.h
-+++ b/version.h
-@@ -3,4 +3,6 @@
- #define SSH_VERSION "OpenSSH_8.1"
-
- #define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_HPN "-hpn14v20"
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
-+


@ -1,35 +0,0 @@
Only in b: .openssh-8.3p1+x509-12.5.1.diff.un~
diff -u a/openssh-8.3p1+x509-12.5.1.diff b/openssh-8.3p1+x509-12.5.1.diff
--- a/openssh-8.3p1+x509-12.5.1.diff 2020-06-08 10:13:08.937543708 -0700
+++ b/openssh-8.3p1+x509-12.5.1.diff 2020-06-08 10:16:33.417271984 -0700
@@ -35541,12 +35541,11 @@
install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
-@@ -382,6 +363,8 @@
+@@ -382,6 +363,7 @@
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
$(MKDIR_P) $(DESTDIR)$(libexecdir)
+ $(MKDIR_P) $(DESTDIR)$(sshcadir)
-+ $(MKDIR_P) $(DESTDIR)$(piddir)
$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
@@ -97028,16 +97027,6 @@
+int asnmprintf(char **, size_t, int *, const char *, ...)
__attribute__((format(printf, 4, 5)));
void msetlocale(void);
-diff -ruN openssh-8.3p1/version.h openssh-8.3p1+x509-12.5.1/version.h
---- openssh-8.3p1/version.h 2020-05-27 03:38:00.000000000 +0300
-+++ openssh-8.3p1+x509-12.5.1/version.h 2020-06-07 11:07:00.000000000 +0300
-@@ -2,5 +2,4 @@
-
- #define SSH_VERSION "OpenSSH_8.3"
-
--#define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
diff -ruN openssh-8.3p1/version.m4 openssh-8.3p1+x509-12.5.1/version.m4
--- openssh-8.3p1/version.m4 1970-01-01 02:00:00.000000000 +0200
+++ openssh-8.3p1+x509-12.5.1/version.m4 2020-06-07 11:07:00.000000000 +0300


@ -1,177 +0,0 @@
Only in b: .openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff.un~
diff -ur a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff
--- a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-05-27 13:52:27.704108928 -0700
+++ b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-05-27 13:52:49.803967500 -0700
@@ -3,9 +3,9 @@
--- a/Makefile.in
+++ b/Makefile.in
@@ -42,7 +42,7 @@ CC=@CC@
- LD=@LD@
- CFLAGS=@CFLAGS@
+ CFLAGS_NOPIE=@CFLAGS_NOPIE@
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+ PICFLAG=@PICFLAG@
-LIBS=@LIBS@
+LIBS=@LIBS@ -lpthread
K5LIBS=@K5LIBS@
@@ -902,14 +902,14 @@
/*
@@ -2118,6 +2125,8 @@ fill_default_options(Options * options)
+ options->canonicalize_hostname = SSH_CANONICALISE_NO;
+ if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
- if (options->update_hostkeys == -1)
- options->update_hostkeys = 0;
+ if (options->disable_multithreaded == -1)
+ options->disable_multithreaded = 0;
-
- /* Expand KEX name lists */
- all_cipher = cipher_alg_list(',', 0);
+ #ifdef ENABLE_SK_INTERNAL
+ if (options->sk_provider == NULL)
+ options->sk_provider = xstrdup("internal");
diff --git a/readconf.h b/readconf.h
index 8e36bf32..c803eca7 100644
--- a/readconf.h
@@ -952,9 +952,9 @@
sPort, sHostKeyFile, sLoginGraceTime,
sPermitRootLogin, sLogFacility, sLogLevel,
@@ -643,6 +647,7 @@ static struct {
- { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
+ { "include", sInclude, SSHCFG_ALL },
+ { "disableMTAES", sDisableMTAES, SSHCFG_ALL },
{ "ipqos", sIPQoS, SSHCFG_ALL },
{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
--- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-05-27 13:52:27.705108921 -0700
+++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-05-27 14:03:57.888683100 -0700
@@ -409,18 +409,10 @@
index 817da43b..b2bcf78f 100644
--- a/packet.c
+++ b/packet.c
-@@ -925,6 +925,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+@@ -925,6 +925,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
return 0;
}
-+/* this supports the forced rekeying required for the NONE cipher */
-+int rekey_requested = 0;
-+void
-+packet_request_rekeying(void)
-+{
-+ rekey_requested = 1;
-+}
-+
+/* used to determine if pre or post auth when rekeying for aes-ctr
+ * and none cipher switch */
+int
@@ -434,20 +426,6 @@
#define MAX_PACKETS (1U<<31)
static int
ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-@@ -951,6 +969,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
- if (state->p_send.packets == 0 && state->p_read.packets == 0)
- return 0;
-
-+ /* used to force rekeying when called for by the none
-+ * cipher switch methods -cjr */
-+ if (rekey_requested == 1) {
-+ rekey_requested = 0;
-+ return 1;
-+ }
-+
- /* Time-based rekeying */
- if (state->rekey_interval != 0 &&
- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
diff --git a/packet.h b/packet.h
index 8ccfd2e0..1ad9bc06 100644
--- a/packet.h
@@ -476,9 +454,9 @@
/* Format of the configuration file:
@@ -167,6 +168,8 @@ typedef enum {
- oHashKnownHosts,
oTunnel, oTunnelDevice,
oLocalCommand, oPermitLocalCommand, oRemoteCommand,
+ oDisableMTAES,
+ oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
+ oNoneEnabled, oNoneSwitch,
oVisualHostKey,
@@ -615,9 +593,9 @@
int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
SyslogFacility log_facility; /* Facility for system logging. */
@@ -112,7 +116,10 @@ typedef struct {
-
int enable_ssh_keysign;
int64_t rekey_limit;
+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
+ int none_switch; /* Use none cipher */
+ int none_enabled; /* Allow none to be used */
int rekey_interval;
@@ -700,9 +678,9 @@
+ options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
+ }
+
+ if (options->disable_multithreaded == -1)
+ options->disable_multithreaded = 0;
if (options->ip_qos_interactive == -1)
- options->ip_qos_interactive = IPTOS_DSCP_AF21;
- if (options->ip_qos_bulk == -1)
@@ -486,6 +532,8 @@ typedef enum {
sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily,
@@ -731,11 +709,10 @@
*flags = keywords[i].flags;
return keywords[i].opcode;
}
-@@ -1424,10 +1477,27 @@ process_server_config_line(ServerOptions *options, char *line,
- multistate_ptr = multistate_flag;
+@@ -1424,12 +1477,28 @@ process_server_config_line(ServerOptions *options, char *line,
+ multistate_ptr = multistate_ignore_rhosts;
goto parse_multistate;
-+
+ case sTcpRcvBufPoll:
+ intptr = &options->tcp_rcv_buf_poll;
+ goto parse_flag;
@@ -750,7 +727,9 @@
+
case sIgnoreUserKnownHosts:
intptr = &options->ignore_user_known_hosts;
- goto parse_flag;
+ parse_flag:
+ multistate_ptr = multistate_flag;
+ goto parse_multistate;
+ case sNoneEnabled:
+ intptr = &options->none_enabled;
@@ -1079,11 +1058,11 @@
xxx_host = host;
xxx_hostaddr = hostaddr;
-@@ -422,6 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
+@@ -422,7 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
if (!authctxt.success)
fatal("Authentication failed.");
-+
+
+ /*
+ * If the user wants to use the none cipher, do it post authentication
+ * and only if the right conditions are met -- both of the NONE commands
@@ -1105,9 +1084,9 @@
+ }
+ }
+
- debug("Authentication succeeded (%s).", authctxt.method->name);
- }
-
+ #ifdef WITH_OPENSSL
+ if (options.disable_multithreaded == 0) {
+ /* if we are using aes-ctr there can be issues in either a fork or sandbox
diff --git a/sshd.c b/sshd.c
index 11571c01..23a06022 100644
--- a/sshd.c


@ -0,0 +1,34 @@
diff -u a/openssh-8.4p1+x509-12.6.diff b/openssh-8.4p1+x509-12.6.diff
--- a/openssh-8.4p1+x509-12.6.diff 2020-10-04 10:58:16.980495330 -0700
+++ b/openssh-8.4p1+x509-12.6.diff 2020-10-04 11:02:31.951966223 -0700
@@ -39348,12 +39348,11 @@
install-files:
$(MKDIR_P) $(DESTDIR)$(bindir)
-@@ -384,6 +365,8 @@
+@@ -384,6 +365,7 @@
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
$(MKDIR_P) $(DESTDIR)$(libexecdir)
+ $(MKDIR_P) $(DESTDIR)$(sshcadir)
-+ $(MKDIR_P) $(DESTDIR)$(piddir)
$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
@@ -103950,16 +103949,6 @@
+int asnmprintf(char **, size_t, int *, const char *, ...)
__attribute__((format(printf, 4, 5)));
void msetlocale(void);
-diff -ruN openssh-8.4p1/version.h openssh-8.4p1+x509-12.6/version.h
---- openssh-8.4p1/version.h 2020-09-27 10:25:01.000000000 +0300
-+++ openssh-8.4p1+x509-12.6/version.h 2020-10-03 10:07:00.000000000 +0300
-@@ -2,5 +2,4 @@
-
- #define SSH_VERSION "OpenSSH_8.4"
-
--#define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
diff -ruN openssh-8.4p1/version.m4 openssh-8.4p1+x509-12.6/version.m4
--- openssh-8.4p1/version.m4 1970-01-01 02:00:00.000000000 +0200
+++ openssh-8.4p1+x509-12.6/version.m4 2020-10-03 10:07:00.000000000 +0300


@ -0,0 +1,30 @@
From d9e727dcc04a52caaac87543ea1d230e9e6b5604 Mon Sep 17 00:00:00 2001
From: Oleg <Fallmay@users.noreply.github.com>
Date: Thu, 1 Oct 2020 12:09:08 +0300
Subject: [PATCH] Fix `EOF: command not found` error in ssh-copy-id
---
contrib/ssh-copy-id | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
index 392f64f94..a76907717 100644
--- a/contrib/ssh-copy-id
+++ b/contrib/ssh-copy-id
@@ -247,7 +247,7 @@ installkeys_sh() {
# the -z `tail ...` checks for a trailing newline. The echo adds one if was missing
# the cat adds the keys we're getting via STDIN
# and if available restorecon is used to restore the SELinux context
- INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF)
+ INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
cd;
umask 077;
mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
@@ -258,6 +258,7 @@ installkeys_sh() {
restorecon -F .ssh ${AUTH_KEY_FILE};
fi
EOF
+ )
# to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
printf "exec sh -c '%s'" "${INSTALLKEYS_SH}"


@ -1,10 +1,10 @@
diff -ur '--exclude=*.un~' a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff
--- a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-02-15 13:41:56.143193830 -0800
+++ b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-02-15 13:46:40.060133610 -0800
diff -u a/openssh-8_3_P1-hpn-AES-CTR-14.22.diff b/openssh-8_3_P1-hpn-AES-CTR-14.22.diff
--- a/openssh-8_3_P1-hpn-AES-CTR-14.22.diff 2020-10-04 11:04:44.495171346 -0700
+++ b/openssh-8_3_P1-hpn-AES-CTR-14.22.diff 2020-10-04 11:48:05.099637206 -0700
@@ -3,9 +3,9 @@
--- a/Makefile.in
+++ b/Makefile.in
@@ -42,7 +42,7 @@ CC=@CC@
@@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
- CFLAGS_NOPIE=@CFLAGS_NOPIE@
- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
- PICFLAG=@PICFLAG@
@ -14,37 +14,40 @@ diff -ur '--exclude=*.un~' a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff b/openssh-8_1
-LIBS=@LIBS@
+LIBS=@LIBS@ -lpthread
K5LIBS=@K5LIBS@
@@ -803,8 +803,8 @@
@@ -803,7 +803,7 @@
ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
{
struct session_state *state;
-- const struct sshcipher *none = cipher_by_name("none");
-+ struct sshcipher *none = cipher_by_name("none");
+- const struct sshcipher *none = cipher_none();
++ struct sshcipher *none = cipher_none();
+ struct sshcipher *none = cipher_by_name("none");
int r;
if (none == NULL) {
@@ -902,14 +902,14 @@
@@ -901,17 +901,18 @@
}
/*
@@ -2118,6 +2125,8 @@ fill_default_options(Options * options)
- options->canonicalize_hostname = SSH_CANONICALISE_NO;
- if (options->fingerprint_hash == -1)
options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
+ if (options->update_hostkeys == -1)
+ options->update_hostkeys = 0;
-@@ -2203,6 +2210,10 @@ fill_default_options(Options * options)
+@@ -2203,5 +2210,10 @@ fill_default_options(Options * options)
if (options->sk_provider == NULL)
options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
- #endif
+
+ if (options->update_hostkeys == -1)
+ options->update_hostkeys = 0;
+ if (options->disable_multithreaded == -1)
+ options->disable_multithreaded = 0;
- #ifdef ENABLE_SK_INTERNAL
if (options->sk_provider == NULL)
- options->sk_provider = xstrdup("internal");
+ options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
+
-
- /* Expand KEX name lists */
- all_cipher = cipher_alg_list(',', 0);
++
+ /* expand KEX and etc. name lists */
+ { char *all;
+ #define ASSEMBLE(what, defaults, all) \
diff --git a/readconf.h b/readconf.h
index 8e36bf32..c803eca7 100644
index e143a108..1383a3cd 100644
--- a/readconf.h
@@ -948,9 +948,9 @@
@@ -950,9 +951,9 @@
/* Portable-specific options */
sUsePAM,
+ sDisableMTAES,
@ -54,15 +57,14 @@ diff -ur '--exclude=*.un~' a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff b/openssh-8_1
+ /* X.509 Standard Options */
+ sHostbasedAlgorithms,
+ sPubkeyAlgorithms,
@@ -643,6 +647,7 @@ static struct {
@@ -679,6 +683,7 @@ static struct {
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
Only in b: openssh-8_1_P1-hpn-AES-CTR-14.20.diff.orig
diff -ur '--exclude=*.un~' a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
--- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-15 13:41:56.144193830 -0800
+++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-15 13:45:36.665147504 -0800
diff -u a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff
--- a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-10-04 11:04:37.441213650 -0700
+++ b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-10-04 11:50:55.865616716 -0700
@@ -382,7 +382,7 @@
@@ -884,6 +884,10 @@ kex_choose_conf(struct ssh *ssh)
@@ -888,6 +888,10 @@ kex_choose_conf(struct ssh *ssh)
int nenc, nmac, ncomp;
u_int mode, ctos, need, dh_need, authlen;
- int r, first_kex_follows;
@ -70,36 +72,24 @@ diff -ur '--exclude=*.un~' a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/op
+ int auth_flag;
+
+ auth_flag = packet_authentication_state(ssh);
@@ -391,8 +391,8 @@
debug2("local %s KEXINIT proposal", kex->server ? "server" : "client");
if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0)
@@ -954,6 +958,14 @@ kex_choose_conf(struct ssh *ssh)
- peer[ncomp] = NULL;
- goto out;
+ else
+ fatal("Pre-authentication none cipher requests are not allowed.");
}
+ debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name);
+ if (strcmp(newkeys->enc.name, "none") == 0) {
@@ -1169,15 +1169,3 @@
@@ -1193,14 +1193,3 @@
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
-diff --git a/version.h b/version.h
-index 6b3fadf8..ec1d2e27 100644
-index a2eca3ec..ff654fc3 100644
---- a/version.h
-+++ b/version.h
-@@ -3,4 +3,6 @@
- #define SSH_VERSION "OpenSSH_8.1"
-@@ -3,4 +3,5 @@
- #define SSH_VERSION "OpenSSH_8.3"
-
- #define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_HPN "-hpn14v20"
-+#define SSH_HPN "-hpn14v22"
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
-+
diff -ur '--exclude=*.un~' a/openssh-8_1_P1-hpn-PeakTput-14.20.diff b/openssh-8_1_P1-hpn-PeakTput-14.20.diff
--- a/openssh-8_1_P1-hpn-PeakTput-14.20.diff 2020-02-15 13:41:43.834196317 -0800
+++ b/openssh-8_1_P1-hpn-PeakTput-14.20.diff 2020-02-15 13:45:36.665147504 -0800
diff -u a/openssh-8_3_P1-hpn-PeakTput-14.22.diff b/openssh-8_3_P1-hpn-PeakTput-14.22.diff
--- a/openssh-8_3_P1-hpn-PeakTput-14.22.diff 2020-10-04 11:51:46.409313155 -0700
+++ b/openssh-8_3_P1-hpn-PeakTput-14.22.diff 2020-10-04 11:56:57.407445258 -0700
@@ -12,9 +12,9 @@
static long stalled; /* how long we have been stalled */
static int bytes_per_second; /* current speed in bytes per second */
@ -112,8 +102,13 @@ diff -ur '--exclude=*.un~' a/openssh-8_1_P1-hpn-PeakTput-14.20.diff b/openssh-8_
+ off_t delta_pos;
if ((!force_update && !alarm_fired && !win_resized) || !can_output())
@@ -33,12 +33,12 @@
@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
@@ -30,15 +30,17 @@
if (bytes_left > 0)
elapsed = now - last_update;
else {
-@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
+@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update)
+ buf[1] = '\0';
/* filename */
- buf[0] = '\0';
@ -122,8 +117,9 @@ diff -ur '--exclude=*.un~' a/openssh-8_1_P1-hpn-PeakTput-14.20.diff b/openssh-8_
- if (file_len > 0) {
- buf[0] = '\r';
- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
+ if (win_size > 36) {
+- if (win_size > 36) {
+- int file_len = win_size - 36;
++ if (win_size > 45) {
++ int file_len = win_size - 45;
+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
+ file_len, file);


@ -1,12 +1,12 @@
diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
--- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 14:55:30.408567718 -0800
+++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 15:16:14.646567224 -0800
diff -ur a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff
--- a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-09-28 13:15:17.780747192 -0700
+++ b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-09-28 13:34:03.576552219 -0700
@@ -409,18 +409,10 @@
index 817da43b..b2bcf78f 100644
index e7abb341..c23276d4 100644
--- a/packet.c
+++ b/packet.c
-@@ -925,6 +925,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+@@ -925,6 +925,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
-@@ -961,6 +961,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+@@ -961,6 +961,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
return 0;
}
@ -25,7 +25,7 @@ diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-D
#define MAX_PACKETS (1U<<31)
static int
ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-@@ -951,6 +969,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-@@ -987,6 +1005,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
- if (state->p_send.packets == 0 && state->p_read.packets == 0)
- return 0;
-
@ -40,23 +40,23 @@ diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-D
- if (state->rekey_interval != 0 &&
- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
diff --git a/packet.h b/packet.h
index 8ccfd2e0..1ad9bc06 100644
index c2544bd9..ebd85c88 100644
--- a/packet.h
@@ -476,9 +454,9 @@
/* Format of the configuration file:
@@ -167,6 +168,8 @@ typedef enum {
- oHashKnownHosts,
oTunnel, oTunnelDevice,
@@ -481,9 +459,9 @@
oLocalCommand, oPermitLocalCommand, oRemoteCommand,
+ oDisableMTAES,
+ oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
+ oNoneEnabled, oNoneSwitch,
+ oDisableMTAES,
oVisualHostKey,
oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
@@ -294,6 +297,8 @@ static struct {
{ "kexalgorithms", oKexAlgorithms },
{ "ipqos", oIPQoS },
@@ -615,9 +593,9 @@
int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
SyslogFacility log_facility; /* Facility for system logging. */
@@ -112,7 +116,10 @@ typedef struct {
@@ -114,7 +118,10 @@ typedef struct {
-
int enable_ssh_keysign;
int64_t rekey_limit;
@ -73,33 +73,22 @@ diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-D
if (options->ip_qos_interactive == -1)
- options->ip_qos_interactive = IPTOS_DSCP_AF21;
- if (options->ip_qos_bulk == -1)
@@ -486,6 +532,8 @@ typedef enum {
@@ -519,6 +565,8 @@ typedef enum {
sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily,
@@ -1079,11 +1057,11 @@
@@ -1081,11 +1059,11 @@
xxx_host = host;
xxx_hostaddr = hostaddr;
-@@ -422,6 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
+@@ -422,7 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
-@@ -435,6 +446,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
+@@ -435,7 +446,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
+ }
+ }
+ #endif
if (!authctxt.success)
fatal("Authentication failed.");
- if (!authctxt.success)
- fatal("Authentication failed.");
-+
+
+ /*
+ * If the user wants to use the none cipher, do it post authentication
+ * and only if the right conditions are met -- both of the NONE commands
@@ -1105,9 +1083,9 @@
+ }
+ }
+
- debug("Authentication succeeded (%s).", authctxt.method->name);
- }
-
+ #ifdef WITH_OPENSSL
+ if (options.disable_multithreaded == 0) {
+ /* if we are using aes-ctr there can be issues in either a fork or sandbox
diff --git a/sshd.c b/sshd.c
index 11571c01..23a06022 100644
--- a/sshd.c


@ -0,0 +1,18 @@
diff -ur a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff
--- a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-09-28 16:42:34.168386903 -0700
+++ b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-09-28 16:42:43.806325434 -0700
@@ -1171,14 +1171,3 @@
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
-diff --git a/version.h b/version.h
-index a2eca3ec..ff654fc3 100644
---- a/version.h
-+++ b/version.h
-@@ -3,4 +3,5 @@
- #define SSH_VERSION "OpenSSH_8.3"
-
- #define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_HPN "-hpn14v22"
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
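Review bot: This new glue file strips the `version.h` hunk (`SSH_HPN "-hpn14v22"` / `SSH_RELEASE ... SSH_HPN`) from openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff, and the updated glue file earlier in this commit removes what looks like the same `version.h` hunk from the same diff, at a different offset (1193 versus 1171 here). If both glue files are applied to one copy of the hpn diff, whichever runs second will fail to find the hunk; if one is meant to supersede the other, the superseded file looks like it should be dropped rather than kept alongside. It is not visible from these sections how the ebuild sequences them, so a one-line header comment in this file naming the base it expects, e.g. `# applies to the pristine hpn 14.22 diff, before the -glue patch`, would make the intended order explicit.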


@ -1,8 +1,6 @@
diff --git a/auth.c b/auth.c
index ca450f4e..2994a4e4 100644
--- a/auth.c
+++ b/auth.c
@@ -723,120 +723,6 @@ fakepw(void)
--- a/auth.c 2021-03-02 04:31:47.000000000 -0600
+++ b/auth.c 2021-03-04 11:22:44.590041696 -0600
@@ -727,119 +727,6 @@ fakepw(void)
return (&fake);
}
@ -31,7 +29,7 @@ index ca450f4e..2994a4e4 100644
- if (getpeername(ssh_packet_get_connection_in(ssh),
- (struct sockaddr *)&from, &fromlen) == -1) {
- debug("getpeername failed: %.100s", strerror(errno));
- return strdup(ntop);
- return xstrdup(ntop);
- }
-
- ipv64_normalise_mapped(&from, &fromlen);
@ -43,7 +41,7 @@ index ca450f4e..2994a4e4 100644
- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
- NULL, 0, NI_NAMEREQD) != 0) {
- /* Host name not found. Use ip address. */
- return strdup(ntop);
- return xstrdup(ntop);
- }
-
- /*
@ -58,7 +56,7 @@ index ca450f4e..2994a4e4 100644
- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
- name, ntop);
- freeaddrinfo(ai);
- return strdup(ntop);
- return xstrdup(ntop);
- }
-
- /* Names are stored in lowercase. */
@ -79,7 +77,7 @@ index ca450f4e..2994a4e4 100644
- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
- logit("reverse mapping checking getaddrinfo for %.700s "
- "[%s] failed.", name, ntop);
- return strdup(ntop);
- return xstrdup(ntop);
- }
- /* Look for the address from the list of addresses. */
- for (ai = aitop; ai; ai = ai->ai_next) {
@ -94,9 +92,9 @@ index ca450f4e..2994a4e4 100644
- /* Address not found for the host name. */
- logit("Address %.100s maps to %.600s, but this does not "
- "map back to the address.", ntop, name);
- return strdup(ntop);
- return xstrdup(ntop);
- }
- return strdup(name);
- return xstrdup(name);
-}
-
-/*
@ -119,14 +117,11 @@ index ca450f4e..2994a4e4 100644
- return dnsname;
- }
-}
-
/*
* Runs command in a subprocess with a minimal environment.
* Returns pid on success, 0 on failure.
diff --git a/canohost.c b/canohost.c
index abea9c6e..4f4524d2 100644
--- a/canohost.c
+++ b/canohost.c
/* These functions link key/cert options to the auth framework */
--- a/canohost.c 2021-03-02 04:31:47.000000000 -0600
+++ b/canohost.c 2021-03-04 11:22:54.854211183 -0600
@@ -202,3 +202,117 @@ get_local_port(int sock)
{
return get_sock_port(sock, 1);
@ -155,9 +150,9 @@ index abea9c6e..4f4524d2 100644
+ fromlen = sizeof(from);
+ memset(&from, 0, sizeof(from));
+ if (getpeername(ssh_packet_get_connection_in(ssh),
+ (struct sockaddr *)&from, &fromlen) < 0) {
+ (struct sockaddr *)&from, &fromlen) == -1) {
+ debug("getpeername failed: %.100s", strerror(errno));
+ return strdup(ntop);
+ return xstrdup(ntop);
+ }
+
+ ipv64_normalise_mapped(&from, &fromlen);
@ -169,7 +164,7 @@ index abea9c6e..4f4524d2 100644
+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
+ NULL, 0, NI_NAMEREQD) != 0) {
+ /* Host name not found. Use ip address. */
+ return strdup(ntop);
+ return xstrdup(ntop);
+ }
+
+ /*
@ -184,7 +179,7 @@ index abea9c6e..4f4524d2 100644
+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
+ name, ntop);
+ freeaddrinfo(ai);
+ return strdup(ntop);
+ return xstrdup(ntop);
+ }
+
+ /* Names are stored in lowercase. */
@ -205,7 +200,7 @@ index abea9c6e..4f4524d2 100644
+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
+ logit("reverse mapping checking getaddrinfo for %.700s "
+ "[%s] failed.", name, ntop);
+ return strdup(ntop);
+ return xstrdup(ntop);
+ }
+ /* Look for the address from the list of addresses. */
+ for (ai = aitop; ai; ai = ai->ai_next) {
@ -220,9 +215,9 @@ index abea9c6e..4f4524d2 100644
+ /* Address not found for the host name. */
+ logit("Address %.100s maps to %.600s, but this does not "
+ "map back to the address.", ntop, name);
+ return strdup(ntop);
+ return xstrdup(ntop);
+ }
+ return strdup(name);
+ return xstrdup(name);
+}
+
+/*
@ -246,10 +241,10 @@ index abea9c6e..4f4524d2 100644
+ }
+}
diff --git a/readconf.c b/readconf.c
index f78b4d6f..747287f7 100644
index 724974b7..97a1ffd8 100644
--- a/readconf.c
+++ b/readconf.c
@@ -162,6 +162,7 @@ typedef enum {
@@ -161,6 +161,7 @@ typedef enum {
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@ -257,7 +252,7 @@ index f78b4d6f..747287f7 100644
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
@@ -203,9 +204,11 @@ static struct {
@@ -206,9 +207,11 @@ static struct {
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
{ "gssapidelegatecredentials", oGssDelegateCreds },
@ -269,7 +264,7 @@ index f78b4d6f..747287f7 100644
#endif
#ifdef ENABLE_PKCS11
{ "pkcs11provider", oPKCS11Provider },
@@ -992,6 +995,10 @@ parse_time:
@@ -1083,6 +1086,10 @@ parse_time:
intptr = &options->gss_deleg_creds;
goto parse_flag;
@ -280,7 +275,7 @@ index f78b4d6f..747287f7 100644
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
@@ -1864,6 +1871,7 @@ initialize_options(Options * options)
@@ -2183,6 +2190,7 @@ initialize_options(Options * options)
options->challenge_response_authentication = -1;
options->gss_authentication = -1;
options->gss_deleg_creds = -1;
@ -288,7 +283,7 @@ index f78b4d6f..747287f7 100644
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
@@ -2011,6 +2019,8 @@ fill_default_options(Options * options)
@@ -2340,6 +2348,8 @@ fill_default_options(Options * options)
options->gss_authentication = 0;
if (options->gss_deleg_creds == -1)
options->gss_deleg_creds = 0;
@ -298,10 +293,10 @@ index f78b4d6f..747287f7 100644
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
diff --git a/readconf.h b/readconf.h
index 8e36bf32..c9e4718d 100644
index 2fba866e..da3ce87a 100644
--- a/readconf.h
+++ b/readconf.h
@@ -41,6 +41,7 @@ typedef struct {
@@ -42,6 +42,7 @@ typedef struct {
/* Try S/Key or TIS, authentication. */
int gss_authentication; /* Try GSS authentication */
int gss_deleg_creds; /* Delegate GSS credentials */
@ -310,10 +305,10 @@ index 8e36bf32..c9e4718d 100644
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
diff --git a/ssh_config.5 b/ssh_config.5
index 02a87892..95de538b 100644
index f8119189..e0fd0d76 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -762,6 +762,16 @@ The default is
@@ -783,6 +783,16 @@ The default is
Forward (delegate) credentials to the server.
The default is
.Cm no .
@ -331,10 +326,10 @@ index 02a87892..95de538b 100644
Indicates that
.Xr ssh 1
diff --git a/sshconnect2.c b/sshconnect2.c
index 87fa70a4..a6ffdc96 100644
index 059c9480..ab6f6832 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -697,6 +697,13 @@ userauth_gssapi(struct ssh *ssh)
@@ -770,6 +770,13 @@ userauth_gssapi(struct ssh *ssh)
OM_uint32 min;
int r, ok = 0;
gss_OID mech = NULL;
@ -348,7 +343,7 @@ index 87fa70a4..a6ffdc96 100644
/* Try one GSSAPI method at a time, rather than sending them all at
* once. */
@@ -711,7 +718,7 @@ userauth_gssapi(struct ssh *ssh)
@@ -784,7 +791,7 @@ userauth_gssapi(struct ssh *ssh)
elements[authctxt->mech_tried];
/* My DER encoding requires length<128 */
if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,


@ -0,0 +1,72 @@
--- a/openssh-8.5p1+x509-13.0.1.diff 2021-03-15 14:05:14.876485231 -0700
+++ b/openssh-8.5p1+x509-13.0.1.diff 2021-03-15 14:06:05.389154451 -0700
@@ -46675,12 +46675,11 @@
install-files:
$(MKDIR_P) $(DESTDIR)$(bindir)
-@@ -380,6 +364,8 @@
+@@ -380,6 +364,7 @@
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
$(MKDIR_P) $(DESTDIR)$(libexecdir)
+ $(MKDIR_P) $(DESTDIR)$(sshcadir)
-+ $(MKDIR_P) $(DESTDIR)$(piddir)
$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
@@ -63967,7 +63966,7 @@
- echo "putty interop tests not enabled"
- exit 0
-fi
-+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; }
++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }
for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
verbose "$tid: cipher $c"
@@ -63982,7 +63981,7 @@
- echo "putty interop tests not enabled"
- exit 0
-fi
-+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; }
++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }
for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do
verbose "$tid: kex $k"
@@ -63997,7 +63996,7 @@
- echo "putty interop tests not enabled"
- exit 0
-fi
-+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; }
++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }
if [ "`${SSH} -Q compression`" = "none" ]; then
comp="0"
@@ -64129,9 +64128,9 @@
+# cross-project configuration
+if test "$sshd_type" = "pkix" ; then
-+ unset_arg=''
++ unset_arg=
+else
-+ unset_arg=none
++ unset_arg=
+fi
+
cat > $OBJ/sshd_config.i << _EOF
@@ -122247,16 +122246,6 @@
+int asnmprintf(char **, size_t, int *, const char *, ...)
__attribute__((format(printf, 4, 5)));
void msetlocale(void);
-diff -ruN openssh-8.5p1/version.h openssh-8.5p1+x509-13.0.1/version.h
---- openssh-8.5p1/version.h 2021-03-02 12:31:47.000000000 +0200
-+++ openssh-8.5p1+x509-13.0.1/version.h 2021-03-15 20:07:00.000000000 +0200
-@@ -2,5 +2,4 @@
-
- #define SSH_VERSION "OpenSSH_8.5"
-
--#define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
diff -ruN openssh-8.5p1/version.m4 openssh-8.5p1+x509-13.0.1/version.m4
--- openssh-8.5p1/version.m4 1970-01-01 02:00:00.000000000 +0200
+++ openssh-8.5p1+x509-13.0.1/version.m4 2021-03-15 20:07:00.000000000 +0200
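Review bot: The three rewritten `$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }` lines keep the `>&1` redirection, which only sends the notice to stdout where echo already writes it; a skip message conventionally goes to stderr so it is not mixed into captured test output. Since each line is being rewritten anyway to turn `exit 1` into `exit 0`, the cheap fix is `$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&2; exit 0; }` for all three. In the same file the `if test "$sshd_type" = "pkix"` block now assigns `unset_arg=` in both branches, so the conditional is dead and could collapse to a single `unset_arg=`, with a short comment saying why the pkix distinction no longer matters. The same two points apply to the sibling glue file for x509-13.0 that follows this one.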


@ -0,0 +1,73 @@
diff -ur a/openssh-8.5p1+x509-13.0.diff b/openssh-8.5p1+x509-13.0.diff
--- a/openssh-8.5p1+x509-13.0.diff 2021-03-03 12:26:21.021212996 -0800
+++ b/openssh-8.5p1+x509-13.0.diff 2021-03-03 18:20:06.476490271 -0800
@@ -46675,12 +46675,11 @@
install-files:
$(MKDIR_P) $(DESTDIR)$(bindir)
-@@ -380,6 +364,8 @@
+@@ -380,6 +364,7 @@
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
$(MKDIR_P) $(DESTDIR)$(libexecdir)
+ $(MKDIR_P) $(DESTDIR)$(sshcadir)
-+ $(MKDIR_P) $(DESTDIR)$(piddir)
$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
@@ -63967,7 +63966,7 @@
- echo "putty interop tests not enabled"
- exit 0
-fi
-+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; }
++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }
for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
verbose "$tid: cipher $c"
@@ -63982,7 +63981,7 @@
- echo "putty interop tests not enabled"
- exit 0
-fi
-+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; }
++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }
for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do
verbose "$tid: kex $k"
@@ -63997,7 +63996,7 @@
- echo "putty interop tests not enabled"
- exit 0
-fi
-+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; }
++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }
if [ "`${SSH} -Q compression`" = "none" ]; then
comp="0"
@@ -64129,9 +64128,9 @@
+# cross-project configuration
+if test "$sshd_type" = "pkix" ; then
-+ unset_arg=''
++ unset_arg=
+else
-+ unset_arg=none
++ unset_arg=
+fi
+
cat > $OBJ/sshd_config.i << _EOF
@@ -122238,16 +122237,6 @@
+int asnmprintf(char **, size_t, int *, const char *, ...)
__attribute__((format(printf, 4, 5)));
void msetlocale(void);
-diff -ruN openssh-8.5p1/version.h openssh-8.5p1+x509-13.0/version.h
---- openssh-8.5p1/version.h 2021-03-02 12:31:47.000000000 +0200
-+++ openssh-8.5p1+x509-13.0/version.h 2021-03-03 19:07:00.000000000 +0200
-@@ -2,5 +2,4 @@
-
- #define SSH_VERSION "OpenSSH_8.5"
-
--#define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
diff -ruN openssh-8.5p1/version.m4 openssh-8.5p1+x509-13.0/version.m4
--- openssh-8.5p1/version.m4 1970-01-01 02:00:00.000000000 +0200
+++ openssh-8.5p1+x509-13.0/version.m4 2021-03-03 19:07:00.000000000 +0200


@ -0,0 +1,325 @@
diff -ur a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff
--- a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff 2021-03-03 12:57:01.975827879 -0800
+++ b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff 2021-03-03 18:25:21.929305944 -0800
@@ -3,9 +3,9 @@
--- a/Makefile.in
+++ b/Makefile.in
@@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
- CFLAGS_NOPIE=@CFLAGS_NOPIE@
- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
- PICFLAG=@PICFLAG@
+ LD=@LD@
+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
-LIBS=@LIBS@
+LIBS=@LIBS@ -lpthread
K5LIBS=@K5LIBS@
@@ -803,8 +803,8 @@
ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
{
struct session_state *state;
-- const struct sshcipher *none = cipher_by_name("none");
-+ struct sshcipher *none = cipher_by_name("none");
+- const struct sshcipher *none = cipher_none();
++ struct sshcipher *none = cipher_none();
int r;
if (none == NULL) {
@@ -894,24 +894,24 @@
intptr = &options->compression;
multistate_ptr = multistate_compression;
@@ -2062,6 +2068,7 @@ initialize_options(Options * options)
- options->hostbased_accepted_algos = NULL;
- options->pubkey_accepted_algos = NULL;
- options->known_hosts_command = NULL;
+ options->revoked_host_keys = NULL;
+ options->fingerprint_hash = -1;
+ options->update_hostkeys = -1;
+ options->disable_multithreaded = -1;
}
/*
@@ -2247,6 +2254,10 @@ fill_default_options(Options * options)
+ options->update_hostkeys = 0;
if (options->sk_provider == NULL)
options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
- #endif
+ if (options->update_hostkeys == -1)
+ options->update_hostkeys = 0;
+ if (options->disable_multithreaded == -1)
+ options->disable_multithreaded = 0;
- /* Expand KEX name lists */
- all_cipher = cipher_alg_list(',', 0);
+ /* expand KEX and etc. name lists */
+ { char *all;
diff --git a/readconf.h b/readconf.h
index d6a15550..d2d20548 100644
--- a/readconf.h
@@ -950,9 +950,9 @@
/* Portable-specific options */
sUsePAM,
+ sDisableMTAES,
- /* Standard Options */
- sPort, sHostKeyFile, sLoginGraceTime,
- sPermitRootLogin, sLogFacility, sLogLevel,
+ /* X.509 Standard Options */
+ sHostbasedAlgorithms,
+ sPubkeyAlgorithms,
@@ -672,6 +676,7 @@ static struct {
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
diff -ur a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff
--- a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 19:05:28.942903961 -0800
+++ b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 20:36:34.702362020 -0800
@@ -157,6 +157,36 @@
+ Allan Jude provided the code for the NoneMac and buffer normalization.
+ This work was financed, in part, by Cisco System, Inc., the National
+ Library of Medicine, and the National Science Foundation.
+diff --git a/auth2.c b/auth2.c
+--- a/auth2.c 2021-03-03 20:34:51.312051369 -0800
++++ b/auth2.c 2021-03-03 20:35:15.797888115 -0800
+@@ -229,16 +229,17 @@
+ double delay;
+
+ digest_alg = ssh_digest_maxbytes();
+- len = ssh_digest_bytes(digest_alg);
+- hash = xmalloc(len);
++ if (len = ssh_digest_bytes(digest_alg) > 0) {
++ hash = xmalloc(len);
+
+- (void)snprintf(b, sizeof b, "%llu%s",
+- (unsigned long long)options.timing_secret, user);
+- if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
+- fatal_f("ssh_digest_memory");
+- /* 0-4.2 ms of delay */
+- delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
+- freezero(hash, len);
++ (void)snprintf(b, sizeof b, "%llu%s",
++ (unsigned long long)options.timing_secret, user);
++ if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
++ fatal_f("ssh_digest_memory");
++ /* 0-4.2 ms of delay */
++ delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
++ freezero(hash, len);
++ }
+ debug3_f("user specific delay %0.3lfms", delay/1000);
+ return MIN_FAIL_DELAY_SECONDS + delay;
+ }
diff --git a/channels.c b/channels.c
index e4917f3c..e0db582e 100644
--- a/channels.c
@@ -209,14 +239,14 @@
static void
channel_pre_open(struct ssh *ssh, Channel *c,
fd_set *readset, fd_set *writeset)
-@@ -2179,22 +2206,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
+@@ -2179,21 +2206,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
if (c->type == SSH_CHANNEL_OPEN &&
!(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
- ((c->local_window_max - c->local_window >
- c->local_maxpacket*3) ||
-+ ((ssh_packet_is_interactive(ssh) &&
-+ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
++ ((ssh_packet_is_interactive(ssh) &&
++ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
c->local_window < c->local_window_max/2) &&
c->local_consumed > 0) {
+ u_int addition = 0;
@@ -234,10 +264,12 @@
SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
(r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
- (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
+- (r = sshpkt_send(ssh)) != 0)
+- fatal_fr(r, "channel %d", c->self);
+ (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
- (r = sshpkt_send(ssh)) != 0) {
- fatal_fr(r, "channel %i", c->self);
- }
++ (r = sshpkt_send(ssh)) != 0) {
++ fatal_fr(r, "channel %i", c->self);
++ }
debug2("channel %d: window %d sent adjust %d", c->self,
- c->local_window, c->local_consumed);
- c->local_window += c->local_consumed;
@@ -384,20 +416,38 @@
index dec8e7e9..3c11558e 100644
--- a/compat.c
+++ b/compat.c
-@@ -150,6 +150,13 @@ compat_banner(struct ssh *ssh, const char *version)
- debug_f("match: %s pat %s compat 0x%08x",
+@@ -43,7 +43,7 @@
+ static u_int
+ compat_datafellows(const char *version)
+ {
+- int i;
++ int i, bugs = 0;
+ static struct {
+ char *pat;
+ int bugs;
+@@ -147,11 +147,19 @@
+ if (match_pattern_list(version, check[i].pat, 0) == 1) {
+ debug("match: %s pat %s compat 0x%08x",
version, check[i].pat, check[i].bugs);
- ssh->compat = check[i].bugs;
-+ /* Check to see if the remote side is OpenSSH and not HPN */
-+ if (strstr(version, "OpenSSH") != NULL) {
-+ if (strstr(version, "hpn") == NULL) {
-+ ssh->compat |= SSH_BUG_LARGEWINDOW;
-+ debug("Remote is NON-HPN aware");
-+ }
-+ }
- return;
+- return check[i].bugs;
++ bugs |= check[i].bugs;
}
}
+- debug("no match: %s", version);
+- return 0;
++ /* Check to see if the remote side is OpenSSH and not HPN */
++ if (strstr(version, "OpenSSH") != NULL) {
++ if (strstr(version, "hpn") == NULL) {
++ bugs |= SSH_BUG_LARGEWINDOW;
++ debug("Remote is NON-HPN aware");
++ }
++ }
++ if (bugs == 0)
++ debug("no match: %s", version);
++ return bugs;
+ }
+
+ char *
diff --git a/compat.h b/compat.h
index 66db42cc..d4e811e4 100644
--- a/compat.h
@@ -456,7 +506,7 @@
@@ -888,6 +888,10 @@ kex_choose_conf(struct ssh *ssh)
int nenc, nmac, ncomp;
u_int mode, ctos, need, dh_need, authlen;
- int r, first_kex_follows;
+ int r, first_kex_follows = 0;
+ int auth_flag = 0;
+
+ auth_flag = packet_authentication_state(ssh);
@@ -1033,19 +1083,6 @@
/* File to read commands from */
FILE* infile;
-diff --git a/ssh-keygen.c b/ssh-keygen.c
-index a12b79a5..8b839219 100644
---- a/ssh-keygen.c
-+++ b/ssh-keygen.c
-@@ -2999,7 +2999,7 @@ do_download_sk(const char *skprovider, const char *device)
- freezero(pin, strlen(pin));
- error("Unable to load resident keys: %s", ssh_err(r));
- return -1;
-- }
-+ }
- if (nkeys == 0)
- logit("No keys to download");
- if (pin != NULL)
diff --git a/ssh.c b/ssh.c
index f34ca0d7..d7d134f7 100644
--- a/ssh.c
@@ -1091,7 +1128,7 @@
+ else
+ options.hpn_buffer_size = 2 * 1024 * 1024;
+
-+ if (ssh->compat & SSH_BUG_LARGEWINDOW) {
++ if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) {
+ debug("HPN to Non-HPN Connection");
+ } else {
+ int sock, socksize;
@@ -1331,6 +1368,26 @@
/* Bind the socket to the desired port. */
if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
error("Bind to port %s on %s failed: %.200s.",
+@@ -1625,12 +1625,13 @@
+ if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
+ sshbuf_len(server_cfg)) != 0)
+ fatal_f("ssh_digest_update");
+- len = ssh_digest_bytes(digest_alg);
+- hash = xmalloc(len);
+- if (ssh_digest_final(ctx, hash, len) != 0)
+- fatal_f("ssh_digest_final");
+- options.timing_secret = PEEK_U64(hash);
+- freezero(hash, len);
++ if (len = ssh_digest_bytes(digest_alg) > 0) {
++ hash = xmalloc(len);
++ if (ssh_digest_final(ctx, hash, len) != 0)
++ fatal_f("ssh_digest_final");
++ options.timing_secret = PEEK_U64(hash);
++ freezero(hash, len);
++ }
+ ssh_digest_free(ctx);
+ ctx = NULL;
+ return;
@@ -1746,6 +1753,19 @@ main(int ac, char **av)
/* Fill in default values for those options not explicitly set. */
fill_default_server_options(&options);
@@ -1401,14 +1458,3 @@
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
-diff --git a/version.h b/version.h
-index c2f9c55b..f2e7fa80 100644
---- a/version.h
-+++ b/version.h
-@@ -3,4 +3,5 @@
- #define SSH_VERSION "OpenSSH_8.4"
-
- #define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_HPN "-hpn15v1"
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
diff -ur a/openssh-8_4_P1-hpn-PeakTput-15.1.diff b/openssh-8_4_P1-hpn-PeakTput-15.1.diff
--- a/openssh-8_4_P1-hpn-PeakTput-15.1.diff 2021-03-03 12:57:01.975827879 -0800
+++ b/openssh-8_4_P1-hpn-PeakTput-15.1.diff 2021-03-03 18:25:21.930305937 -0800
@@ -12,9 +12,9 @@
static long stalled; /* how long we have been stalled */
static int bytes_per_second; /* current speed in bytes per second */
@@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
+ off_t bytes_left;
int cur_speed;
- int hours, minutes, seconds;
- int file_len;
+ int len;
+ off_t delta_pos;
if ((!force_update && !alarm_fired && !win_resized) || !can_output())
@@ -33,12 +33,12 @@
@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
/* filename */
- buf[0] = '\0';
-- file_len = win_size - 36;
-+ file_len = win_size - 45;
- if (file_len > 0) {
- buf[0] = '\r';
- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
+ if (win_size > 36) {
+- int file_len = win_size - 36;
++ int file_len = win_size - 45;
+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
+ file_len, file);
+ }
@@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
(off_t)bytes_per_second);
strlcat(buf, "/s ", win_size);
@@ -63,15 +63,3 @@
}
/*ARGSUSED*/
-diff --git a/ssh-keygen.c b/ssh-keygen.c
-index a12b79a5..76b22338 100644
---- a/ssh-keygen.c
-+++ b/ssh-keygen.c
-@@ -2987,7 +2987,6 @@ do_download_sk(const char *skprovider, const char *device)
-
- if (skprovider == NULL)
- fatal("Cannot download keys without provider");
--
- pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
- if (!quiet) {
- printf("You may need to touch your authenticator "
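Review bot: In the auth2.c hunk of the DynWinNoneSwitch diff, `if (len = ssh_digest_bytes(digest_alg) > 0) {` parses as `len = (ssh_digest_bytes(digest_alg) > 0)`, so len becomes 0 or 1 instead of the digest length, and the one-byte `xmalloc(len)` buffer is then handed to ssh_digest_memory(), which presumably rejects the short output buffer and trips `fatal_f("ssh_digest_memory")` on every failed-authentication delay computation; the sshd.c hunk later in the same diff (`if (len = ssh_digest_bytes(digest_alg) > 0) {` before `ssh_digest_final`) has the identical precedence error. Both should read `if ((len = ssh_digest_bytes(digest_alg)) > 0) {`. The auth2.c hunk also leaves `double delay;` unassigned when the new guard is false yet still reads it in `debug3_f(...)` and `return MIN_FAIL_DELAY_SECONDS + delay;`, so that hunk should additionally turn the declaration into `double delay = 0;`. The 8.5 glue file added by this same commit carries the same unparenthesised auth2.c line even though its sshd.c hunk already has the parentheses. Both affected functions start and end outside the quoted hunks.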


@ -0,0 +1,242 @@
diff -ur a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff
--- a/openssh-8_4_P1-hpn-AES-CTR-15.1.diff 2021-03-03 11:08:18.300474672 -0800
+++ b/openssh-8_4_P1-hpn-AES-CTR-15.1.diff 2021-03-03 11:18:42.408298903 -0800
@@ -894,9 +894,9 @@
intptr = &options->compression;
multistate_ptr = multistate_compression;
@@ -2062,6 +2068,7 @@ initialize_options(Options * options)
- options->update_hostkeys = -1;
- options->hostbased_key_types = NULL;
- options->pubkey_key_types = NULL;
+ options->hostbased_accepted_algos = NULL;
+ options->pubkey_accepted_algos = NULL;
+ options->known_hosts_command = NULL;
+ options->disable_multithreaded = -1;
}
diff -ur a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff
--- a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 11:08:18.300474672 -0800
+++ b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 12:53:24.117319233 -0800
@@ -209,7 +209,7 @@
static void
channel_pre_open(struct ssh *ssh, Channel *c,
fd_set *readset, fd_set *writeset)
-@@ -2179,25 +2206,34 @@ channel_check_window(struct ssh *ssh, Channel *c)
+@@ -2179,22 +2206,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
if (c->type == SSH_CHANNEL_OPEN &&
!(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
@@ -229,22 +229,19 @@
+ debug("Channel: Window growth to %d by %d bytes", c->local_window_max, addition);
+ }
if (!c->have_remote_id)
- fatal(":%s: channel %d: no remote id",
- __func__, c->self);
+ fatal_f("channel %d: no remote id", c->self);
if ((r = sshpkt_start(ssh,
SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
(r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
- (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
+ (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
(r = sshpkt_send(ssh)) != 0) {
- fatal("%s: channel %i: %s", __func__,
- c->self, ssh_err(r));
+ fatal_fr(r, "channel %i", c->self);
}
- debug2("channel %d: window %d sent adjust %d",
- c->self, c->local_window,
-- c->local_consumed);
+ debug2("channel %d: window %d sent adjust %d", c->self,
+- c->local_window, c->local_consumed);
- c->local_window += c->local_consumed;
-+ c->local_consumed + addition);
++ c->local_window, c->local_consumed + addition);
+ c->local_window += c->local_consumed + addition;
c->local_consumed = 0;
}
@@ -387,18 +384,18 @@
index dec8e7e9..3c11558e 100644
--- a/compat.c
+++ b/compat.c
-@@ -150,6 +150,13 @@ compat_datafellows(const char *version)
- debug("match: %s pat %s compat 0x%08x",
+@@ -150,6 +150,13 @@ compat_banner(struct ssh *ssh, const char *version)
+ debug_f("match: %s pat %s compat 0x%08x",
version, check[i].pat, check[i].bugs);
- datafellows = check[i].bugs; /* XXX for now */
+ ssh->compat = check[i].bugs;
+ /* Check to see if the remote side is OpenSSH and not HPN */
+ if (strstr(version, "OpenSSH") != NULL) {
+ if (strstr(version, "hpn") == NULL) {
-+ datafellows |= SSH_BUG_LARGEWINDOW;
++ ssh->compat |= SSH_BUG_LARGEWINDOW;
+ debug("Remote is NON-HPN aware");
+ }
+ }
- return check[i].bugs;
+ return;
}
}
diff --git a/compat.h b/compat.h
@@ -431,9 +428,9 @@
--- a/digest-openssl.c
+++ b/digest-openssl.c
@@ -61,6 +61,7 @@ const struct ssh_digest digests[] = {
- { SSH_DIGEST_SHA256, "SHA256", 32, EVP_sha256 },
+ { SSH_DIGEST_SHA256, "SHA256", 32, EVP_sha256 },
{ SSH_DIGEST_SHA384, "SHA384", 48, EVP_sha384 },
- { SSH_DIGEST_SHA512, "SHA512", 64, EVP_sha512 },
+ { SSH_DIGEST_SHA512, "SHA512", 64, EVP_sha512 },
+ { SSH_DIGEST_NULL, "NONEMAC", 0, EVP_md_null},
{ -1, NULL, 0, NULL },
};
@@ -536,18 +533,10 @@
if (state->rekey_limit)
*max_blocks = MINIMUM(*max_blocks,
state->rekey_limit / enc->block_size);
-@@ -966,6 +975,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+@@ -966,6 +975,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
return 0;
}
-+/* this supports the forced rekeying required for the NONE cipher */
-+int rekey_requested = 0;
-+void
-+packet_request_rekeying(void)
-+{
-+ rekey_requested = 1;
-+}
-+
+/* used to determine if pre or post auth when rekeying for aes-ctr
+ * and none cipher switch */
+int
@@ -561,20 +550,6 @@
#define MAX_PACKETS (1U<<31)
static int
ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-@@ -992,6 +1019,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
- if (state->p_send.packets == 0 && state->p_read.packets == 0)
- return 0;
-
-+ /* used to force rekeying when called for by the none
-+ * cipher switch methods -cjr */
-+ if (rekey_requested == 1) {
-+ rekey_requested = 0;
-+ return 1;
-+ }
-+
- /* Time-based rekeying */
- if (state->rekey_interval != 0 &&
- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
@@ -1330,7 +1364,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
struct session_state *state = ssh->state;
int len, r, ms_remain;
@@ -622,9 +597,9 @@
/* Format of the configuration file:
@@ -165,6 +166,8 @@ typedef enum {
- oHashKnownHosts,
oTunnel, oTunnelDevice,
oLocalCommand, oPermitLocalCommand, oRemoteCommand,
+ oDisableMTAES,
+ oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
+ oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
oVisualHostKey,
@@ -778,9 +753,9 @@
int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
SyslogFacility log_facility; /* Facility for system logging. */
@@ -115,7 +119,11 @@ typedef struct {
-
int enable_ssh_keysign;
int64_t rekey_limit;
+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
+ int none_switch; /* Use none cipher */
+ int none_enabled; /* Allow none cipher to be used */
+ int nonemac_enabled; /* Allow none MAC to be used */
@@ -888,9 +863,9 @@
+ options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
+ }
+
+ if (options->disable_multithreaded == -1)
+ options->disable_multithreaded = 0;
if (options->ip_qos_interactive == -1)
- options->ip_qos_interactive = IPTOS_DSCP_AF21;
- if (options->ip_qos_bulk == -1)
@@ -511,6 +564,8 @@ typedef enum {
sPasswordAuthentication, sKbdInteractiveAuthentication,
sListenAddress, sAddressFamily,
@@ -1091,7 +1066,7 @@
}
+static void
-+hpn_options_init(void)
++hpn_options_init(struct ssh *ssh)
+{
+ /*
+ * We need to check to see if what they want to do about buffer
@@ -1116,7 +1091,7 @@
+ else
+ options.hpn_buffer_size = 2 * 1024 * 1024;
+
-+ if (datafellows & SSH_BUG_LARGEWINDOW) {
++ if (ssh->compat & SSH_BUG_LARGEWINDOW) {
+ debug("HPN to Non-HPN Connection");
+ } else {
+ int sock, socksize;
@@ -1186,7 +1161,7 @@
+ c->dynamic_window = 1;
+ debug("Enabled Dynamic Window Scaling");
+ }
- debug3("%s: channel_new: %d", __func__, c->self);
+ debug3_f("channel_new: %d", c->self);
channel_send_open(ssh, c->self);
@@ -2078,6 +2160,13 @@ ssh_session2(struct ssh *ssh, struct passwd *pw)
@@ -1198,7 +1173,7 @@
+ * might open channels that use the hpn buffer sizes. We can't send a
+ * window of -1 (the default) to the server as it breaks things.
+ */
-+ hpn_options_init();
++ hpn_options_init(ssh);
+
/* XXX should be pre-session */
if (!options.control_persist)
@@ -1297,11 +1272,10 @@
xxx_host = host;
xxx_hostaddr = hostaddr;
-@@ -482,6 +493,34 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
-
+@@ -482,6 +493,33 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
if (!authctxt.success)
fatal("Authentication failed.");
-+
+
+ /*
+ * If the user wants to use the none cipher, do it post authentication
+ * and only if the right conditions are met -- both of the NONE commands
@@ -1329,9 +1303,9 @@
+ }
+ }
+
- debug("Authentication succeeded (%s).", authctxt.method->name);
- }
-
+ #ifdef WITH_OPENSSL
+ if (options.disable_multithreaded == 0) {
+ /* if we are using aes-ctr there can be issues in either a fork or sandbox
diff --git a/sshd.c b/sshd.c
index 8aa7f3df..d0e3f1b0 100644
--- a/sshd.c
@@ -1397,9 +1371,9 @@
+ if (options.nonemac_enabled == 1)
+ debug("WARNING: None MAC enabled");
+
- myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh,
options.kex_algorithms);
- myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(ssh,
diff --git a/sshd_config b/sshd_config
index 19b7c91a..cdd889b2 100644
--- a/sshd_config
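Review bot: This glue file has no leading description of what it rebases, so a reader has to infer from the `datafellows` → `ssh->compat` replacements and the `hpn_options_init(struct ssh *ssh)` signature change that the openssh-8_4_P1-hpn-*-15.1.diff set appears to be adapted to a tree where the compat flags live on `struct ssh`; the `diff -ur` headers with local timestamps are the only context given. A short comment block at the top of the file, along the lines of `Adapt openssh-8_4_P1-hpn-*-15.1.diff to the 8.4p1 tree used by this ebuild: datafellows -> ssh->compat, hpn_options_init() takes struct ssh *, debug/fatal call sites refreshed`, would tell the next maintainer what to re-check when the HPN patch set is bumped. The hunks here are fragments of larger functions whose bodies lie outside what is quoted.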


@ -0,0 +1,18 @@
diff -ur a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff
--- a/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 15:36:29.211246123 -0800
+++ b/openssh-8_4_P1-hpn-DynWinNoneSwitch-15.1.diff 2021-03-03 15:36:53.607089097 -0800
@@ -1401,14 +1401,3 @@
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
-diff --git a/version.h b/version.h
-index c2f9c55b..f2e7fa80 100644
---- a/version.h
-+++ b/version.h
-@@ -3,4 +3,5 @@
- #define SSH_VERSION "OpenSSH_8.4"
-
- #define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_HPN "-hpn15v1"
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN


@ -0,0 +1,328 @@
diff -u a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-03-15 17:45:28.550606801 -0700
+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-03-15 17:56:36.240309581 -0700
@@ -3,9 +3,9 @@
--- a/Makefile.in
+++ b/Makefile.in
@@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
- CFLAGS_NOPIE=@CFLAGS_NOPIE@
- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
- PICFLAG=@PICFLAG@
+ LD=@LD@
+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
-LIBS=@LIBS@
+LIBS=@LIBS@ -lpthread
K5LIBS=@K5LIBS@
@@ -803,8 +803,8 @@
ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
{
struct session_state *state;
-- const struct sshcipher *none = cipher_by_name("none");
-+ struct sshcipher *none = cipher_by_name("none");
+- const struct sshcipher *none = cipher_none();
++ struct sshcipher *none = cipher_none();
int r;
if (none == NULL) {
@@ -898,20 +898,20 @@
options->fingerprint_hash = -1;
options->update_hostkeys = -1;
+ options->disable_multithreaded = -1;
- options->hostbased_accepted_algos = NULL;
- options->pubkey_accepted_algos = NULL;
- options->known_hosts_command = NULL;
+ }
+
+ /*
@@ -2467,6 +2474,10 @@ fill_default_options(Options * options)
+ options->update_hostkeys = 0;
if (options->sk_provider == NULL)
options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
- #endif
+ if (options->update_hostkeys == -1)
+ options->update_hostkeys = 0;
+ if (options->disable_multithreaded == -1)
+ options->disable_multithreaded = 0;
- /* Expand KEX name lists */
- all_cipher = cipher_alg_list(',', 0);
+ /* expand KEX and etc. name lists */
+ { char *all;
diff --git a/readconf.h b/readconf.h
index 2fba866e..7f8f0227 100644
--- a/readconf.h
@@ -950,9 +950,9 @@
/* Portable-specific options */
sUsePAM,
+ sDisableMTAES,
- /* Standard Options */
- sPort, sHostKeyFile, sLoginGraceTime,
- sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
+ /* X.509 Standard Options */
+ sHostbasedAlgorithms,
+ sPubkeyAlgorithms,
@@ -662,6 +666,7 @@ static struct {
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:29:42.953733894 -0700
+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:47:54.198893025 -0700
@@ -157,6 +157,36 @@
+ Allan Jude provided the code for the NoneMac and buffer normalization.
+ This work was financed, in part, by Cisco System, Inc., the National
+ Library of Medicine, and the National Science Foundation.
+diff --git a/auth2.c b/auth2.c
+--- a/auth2.c 2021-03-15 19:30:45.404060786 -0700
++++ b/auth2.c 2021-03-15 19:37:22.078476597 -0700
+@@ -229,16 +229,17 @@
+ double delay;
+
+ digest_alg = ssh_digest_maxbytes();
+- len = ssh_digest_bytes(digest_alg);
+- hash = xmalloc(len);
++ if (len = ssh_digest_bytes(digest_alg) > 0) {
++ hash = xmalloc(len);
+
+- (void)snprintf(b, sizeof b, "%llu%s",
+- (unsigned long long)options.timing_secret, user);
+- if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
+- fatal_f("ssh_digest_memory");
+- /* 0-4.2 ms of delay */
+- delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
+- freezero(hash, len);
++ (void)snprintf(b, sizeof b, "%llu%s",
++ (unsigned long long)options.timing_secret, user);
++ if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
++ fatal_f("ssh_digest_memory");
++ /* 0-4.2 ms of delay */
++ delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
++ freezero(hash, len);
++ }
+ debug3_f("user specific delay %0.3lfms", delay/1000);
+ return MIN_FAIL_DELAY_SECONDS + delay;
+ }
diff --git a/channels.c b/channels.c
index b60d56c4..0e363c15 100644
--- a/channels.c
@@ -209,14 +239,14 @@
static void
channel_pre_open(struct ssh *ssh, Channel *c,
fd_set *readset, fd_set *writeset)
-@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
+@@ -2164,21 +2164,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
if (c->type == SSH_CHANNEL_OPEN &&
!(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
- ((c->local_window_max - c->local_window >
- c->local_maxpacket*3) ||
-+ ((ssh_packet_is_interactive(ssh) &&
-+ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
++ ((ssh_packet_is_interactive(ssh) &&
++ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
c->local_window < c->local_window_max/2) &&
c->local_consumed > 0) {
+ u_int addition = 0;
@@ -235,9 +265,8 @@
(r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
- (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
+ (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
- (r = sshpkt_send(ssh)) != 0) {
- fatal_fr(r, "channel %i", c->self);
- }
+ (r = sshpkt_send(ssh)) != 0)
+ fatal_fr(r, "channel %d", c->self);
- debug2("channel %d: window %d sent adjust %d", c->self,
- c->local_window, c->local_consumed);
- c->local_window += c->local_consumed;
@@ -386,21 +415,45 @@
index 69befa96..90b5f338 100644
--- a/compat.c
+++ b/compat.c
-@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version)
- debug_f("match: %s pat %s compat 0x%08x",
+@@ -43,7 +43,7 @@ compat_datafellows(const char *version)
+ static u_int
+ compat_datafellows(const char *version)
+ {
+- int i;
++ int i, bugs = 0;
+ static struct {
+ char *pat;
+ int bugs;
+@@ -147,11 +147,26 @@
+ if (match_pattern_list(version, check[i].pat, 0) == 1) {
+ debug("match: %s pat %s compat 0x%08x",
version, check[i].pat, check[i].bugs);
- ssh->compat = check[i].bugs;
+ /* Check to see if the remote side is OpenSSH and not HPN */
-+ /* TODO: need to use new method to test for this */
+ if (strstr(version, "OpenSSH") != NULL) {
+ if (strstr(version, "hpn") == NULL) {
-+ ssh->compat |= SSH_BUG_LARGEWINDOW;
++ bugs |= SSH_BUG_LARGEWINDOW;
+ debug("Remote is NON-HPN aware");
+ }
+ }
- return;
+- return check[i].bugs;
++ bugs |= check[i].bugs;
}
}
+- debug("no match: %s", version);
+- return 0;
++ /* Check to see if the remote side is OpenSSH and not HPN */
++ if (strstr(version, "OpenSSH") != NULL) {
++ if (strstr(version, "hpn") == NULL) {
++ bugs |= SSH_BUG_LARGEWINDOW;
++ debug("Remote is NON-HPN aware");
++ }
++ }
++ if (bugs == 0)
++ debug("no match: %s", version);
++ return bugs;
+ }
+
+ char *
diff --git a/compat.h b/compat.h
index c197fafc..ea2e17a7 100644
--- a/compat.h
@@ -459,7 +512,7 @@
@@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh)
int nenc, nmac, ncomp;
u_int mode, ctos, need, dh_need, authlen;
- int r, first_kex_follows;
+ int r, first_kex_follows = 0;
+ int auth_flag = 0;
+
+ auth_flag = packet_authentication_state(ssh);
@@ -1035,19 +1088,6 @@
/* File to read commands from */
FILE* infile;
-diff --git a/ssh-keygen.c b/ssh-keygen.c
-index cfb5f115..36a6e519 100644
---- a/ssh-keygen.c
-+++ b/ssh-keygen.c
-@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device)
- freezero(pin, strlen(pin));
- error_r(r, "Unable to load resident keys");
- return -1;
-- }
-+ }
- if (nkeys == 0)
- logit("No keys to download");
- if (pin != NULL)
diff --git a/ssh.c b/ssh.c
index 53330da5..27b9770e 100644
--- a/ssh.c
@@ -1093,7 +1133,7 @@
+ else
+ options.hpn_buffer_size = 2 * 1024 * 1024;
+
-+ if (ssh->compat & SSH_BUG_LARGEWINDOW) {
++ if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) {
+ debug("HPN to Non-HPN Connection");
+ } else {
+ int sock, socksize;
@@ -1335,6 +1375,28 @@
/* Bind the socket to the desired port. */
if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
error("Bind to port %s on %s failed: %.200s.",
+@@ -1625,13 +1625,14 @@
+ if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
+ sshbuf_len(server_cfg)) != 0)
+ fatal_f("ssh_digest_update");
+- len = ssh_digest_bytes(digest_alg);
+- hash = xmalloc(len);
+- if (ssh_digest_final(ctx, hash, len) != 0)
+- fatal_f("ssh_digest_final");
+- options.timing_secret = PEEK_U64(hash);
+- freezero(hash, len);
+- ssh_digest_free(ctx);
++ if ((len = ssh_digest_bytes(digest_alg)) > 0) {
++ hash = xmalloc(len);
++ if (ssh_digest_final(ctx, hash, len) != 0)
++ fatal_f("ssh_digest_final");
++ options.timing_secret = PEEK_U64(hash);
++ freezero(hash, len);
++ ssh_digest_free(ctx);
++ }
+ ctx = NULL;
+ return;
+ }
@@ -1727,6 +1734,19 @@ main(int ac, char **av)
/* Fill in default values for those options not explicitly set. */
fill_default_server_options(&options);
@@ -1405,14 +1467,3 @@
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
-diff --git a/version.h b/version.h
-index 6b4fa372..332fb486 100644
---- a/version.h
-+++ b/version.h
-@@ -3,4 +3,5 @@
- #define SSH_VERSION "OpenSSH_8.5"
-
- #define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_HPN "-hpn15v2"
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
diff -u a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff
--- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-03-15 17:45:28.550606801 -0700
+++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-03-15 18:39:10.262087944 -0700
@@ -12,9 +12,9 @@
static long stalled; /* how long we have been stalled */
static int bytes_per_second; /* current speed in bytes per second */
@@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
+ off_t bytes_left;
int cur_speed;
- int hours, minutes, seconds;
- int file_len;
+ int len;
+ off_t delta_pos;
if ((!force_update && !alarm_fired && !win_resized) || !can_output())
@@ -30,15 +30,17 @@
if (bytes_left > 0)
elapsed = now - last_update;
else {
-@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
-
+@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update)
+ buf[1] = '\0';
+
/* filename */
- buf[0] = '\0';
-- file_len = win_size - 36;
-+ file_len = win_size - 45;
- if (file_len > 0) {
- buf[0] = '\r';
- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
+- if (win_size > 36) {
++ if (win_size > 45) {
+- int file_len = win_size - 36;
++ int file_len = win_size - 45;
+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
+ file_len, file);
+ }
@@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
(off_t)bytes_per_second);
strlcat(buf, "/s ", win_size);
@@ -63,15 +65,3 @@
}
/*ARGSUSED*/
-diff --git a/ssh-keygen.c b/ssh-keygen.c
-index cfb5f115..986ff59b 100644
---- a/ssh-keygen.c
-+++ b/ssh-keygen.c
-@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device)
-
- if (skprovider == NULL)
- fatal("Cannot download keys without provider");
--
- pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
- if (!quiet) {
- printf("You may need to touch your authenticator "
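Review bot: In the sshd.c hunk of the DynWinNoneSwitch diff, `ssh_digest_free(ctx);` is moved inside the new `if ((len = ssh_digest_bytes(digest_alg)) > 0) {` block while `ctx = NULL;` stays outside it, so when the guard is false the digest context is dropped without being freed; the 8.4 glue earlier in this commit keeps `ssh_digest_free(ctx);` after the block, and this file should do the same. Separately, when that guard is false `options.timing_secret` is never assigned, and the auth2.c hunk in this file likewise skips the hash-derived delay (and still has the unparenthesised `if (len = ssh_digest_bytes(digest_alg) > 0) {`), so the per-user failure delay this code exists for would presumably no longer depend on the server's secret. If the zero-length `NONEMAC` digest entry added by the HPN patches is what makes `ssh_digest_bytes()` return 0 here, the fix is to select a real digest for this purpose rather than to skip the computation. Both affected functions start and end outside the quoted hunks.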


@ -0,0 +1,104 @@
diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-15 15:10:45.680967455 -0700
+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:25:14.710431930 -0700
@@ -536,18 +536,10 @@
if (state->rekey_limit)
*max_blocks = MINIMUM(*max_blocks,
state->rekey_limit / enc->block_size);
-@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
return 0;
}
-+/* this supports the forced rekeying required for the NONE cipher */
-+int rekey_requested = 0;
-+void
-+packet_request_rekeying(void)
-+{
-+ rekey_requested = 1;
-+}
-+
+/* used to determine if pre or post auth when rekeying for aes-ctr
+ * and none cipher switch */
+int
@@ -561,20 +553,6 @@
#define MAX_PACKETS (1U<<31)
static int
ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
- if (state->p_send.packets == 0 && state->p_read.packets == 0)
- return 0;
-
-+ /* used to force rekeying when called for by the none
-+ * cipher switch methods -cjr */
-+ if (rekey_requested == 1) {
-+ rekey_requested = 0;
-+ return 1;
-+ }
-+
- /* Time-based rekeying */
- if (state->rekey_interval != 0 &&
- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
struct session_state *state = ssh->state;
int len, r, ms_remain;
@@ -598,12 +576,11 @@
};
typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *,
-@@ -155,6 +158,10 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
+@@ -155,6 +158,9 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
int ssh_packet_set_maxsize(struct ssh *, u_int);
u_int ssh_packet_get_maxsize(struct ssh *);
+/* for forced packet rekeying post auth */
-+void packet_request_rekeying(void);
+int packet_authentication_state(const struct ssh *);
+
int ssh_packet_get_state(struct ssh *, struct sshbuf *);
@@ -627,9 +604,9 @@
oLocalCommand, oPermitLocalCommand, oRemoteCommand,
+ oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
+ oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
+ oDisableMTAES,
oVisualHostKey,
oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
@@ -297,6 +300,9 @@ static struct {
{ "kexalgorithms", oKexAlgorithms },
{ "ipqos", oIPQoS },
@@ -778,9 +755,9 @@
int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
SyslogFacility log_facility; /* Facility for system logging. */
@@ -120,7 +124,11 @@ typedef struct {
-
int enable_ssh_keysign;
int64_t rekey_limit;
+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
+ int none_switch; /* Use none cipher */
+ int none_enabled; /* Allow none cipher to be used */
+ int nonemac_enabled; /* Allow none MAC to be used */
@@ -842,9 +819,9 @@
/* Portable-specific options */
if (options->use_pam == -1)
@@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options)
- }
- if (options->permit_tun == -1)
options->permit_tun = SSH_TUNMODE_NO;
+ if (options->disable_multithreaded == -1)
+ options->disable_multithreaded = 0;
+ if (options->none_enabled == -1)
+ options->none_enabled = 0;
+ if (options->nonemac_enabled == -1)
@@ -1330,9 +1307,9 @@
+ }
+ }
+
- debug("Authentication succeeded (%s).", authctxt.method->name);
- }
+ #ifdef WITH_OPENSSL
+ if (options.disable_multithreaded == 0) {
diff --git a/sshd.c b/sshd.c
index 6277e6d6..d66fa41a 100644
--- a/sshd.c
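Review bot: This glue strips HPN's forced-rekey hook from the patch set — the `rekey_requested` global and `packet_request_rekeying()` in the ssh_set_newkeys and ssh_packet_need_rekeying hunks, and the prototype in packet.h — while keeping `packet_authentication_state()`, but the patch carries no header saying why the hook is no longer needed or what now triggers the rekey the none-cipher switch depends on. Whoever rebases HPN onto the next release has to rediscover that, so add a description line at the top of the patch along the lines of `Drop HPN's packet_request_rekeying(): <reason>; the none-cipher switch now relies on <mechanism>` with the actual rationale filled in. Any remaining callers of the removed function in ssh.c or sshd.c are outside this section, so I cannot confirm from here that none are left.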


@ -0,0 +1,18 @@
diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:06:45.020527770 -0700
+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:07:01.294423665 -0700
@@ -1414,14 +1414,3 @@
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
-diff --git a/version.h b/version.h
-index 6b4fa372..332fb486 100644
---- a/version.h
-+++ b/version.h
-@@ -3,4 +3,5 @@
- #define SSH_VERSION "OpenSSH_8.5"
-
- #define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_HPN "-hpn15v2"
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN


@ -0,0 +1,72 @@
--- a/openssh-8.6p1+x509-13.1.diff 2021-04-23 14:46:58.184683047 -0700
+++ b/openssh-8.6p1+x509-13.1.diff 2021-04-23 15:00:08.455087549 -0700
@@ -47728,12 +47728,11 @@
install-files:
$(MKDIR_P) $(DESTDIR)$(bindir)
-@@ -389,6 +366,8 @@
+@@ -389,6 +366,7 @@
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
$(MKDIR_P) $(DESTDIR)$(libexecdir)
+ $(MKDIR_P) $(DESTDIR)$(sshcadir)
-+ $(MKDIR_P) $(DESTDIR)$(piddir)
$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
@@ -65001,7 +65000,7 @@
- echo "putty interop tests not enabled"
- exit 0
-fi
-+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; }
++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }
for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do
verbose "$tid: cipher $c"
@@ -65016,7 +65015,7 @@
- echo "putty interop tests not enabled"
- exit 0
-fi
-+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; }
++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }
for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do
verbose "$tid: kex $k"
@@ -65031,7 +65030,7 @@
- echo "putty interop tests not enabled"
- exit 0
-fi
-+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; }
++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }
if [ "`${SSH} -Q compression`" = "none" ]; then
comp="0"
@@ -65163,9 +65162,9 @@
+# cross-project configuration
+if test "$sshd_type" = "pkix" ; then
-+ unset_arg=''
++ unset_arg=
+else
-+ unset_arg=none
++ unset_arg=
+fi
+
cat > $OBJ/sshd_config.i << _EOF
@@ -124084,16 +124083,6 @@
+int asnmprintf(char **, size_t, int *, const char *, ...)
__attribute__((format(printf, 4, 5)));
void msetlocale(void);
-diff -ruN openssh-8.6p1/version.h openssh-8.6p1+x509-13.1/version.h
---- openssh-8.6p1/version.h 2021-04-16 06:55:25.000000000 +0300
-+++ openssh-8.6p1+x509-13.1/version.h 2021-04-21 21:07:00.000000000 +0300
-@@ -2,5 +2,4 @@
-
- #define SSH_VERSION "OpenSSH_8.6"
-
--#define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
diff -ruN openssh-8.6p1/version.m4 openssh-8.6p1+x509-13.1/version.m4
--- openssh-8.6p1/version.m4 1970-01-01 02:00:00.000000000 +0200
+++ openssh-8.6p1+x509-13.1/version.m4 2021-04-21 21:07:00.000000000 +0300
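Review bot: The new skip line in the putty interop tests, `$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; }`, redirects to stdout — `>&1` is a no-op — so the notice is mixed into normal test output instead of going to stderr; it should read `>&2`. The same line is repeated in the cipher, kex and compression test hunks, so fix all three. The switch from `exit 1` to `exit 0` itself is right: an interop test that is not enabled is a skip, not a failure.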


@ -0,0 +1,357 @@
diff -ur a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-04-23 15:31:47.247434467 -0700
+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-04-23 15:32:29.807508606 -0700
@@ -3,9 +3,9 @@
--- a/Makefile.in
+++ b/Makefile.in
@@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
- CFLAGS_NOPIE=@CFLAGS_NOPIE@
- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
- PICFLAG=@PICFLAG@
+ LD=@LD@
+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
-LIBS=@LIBS@
+LIBS=@LIBS@ -lpthread
K5LIBS=@K5LIBS@
@@ -803,8 +803,8 @@
ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
{
struct session_state *state;
-- const struct sshcipher *none = cipher_by_name("none");
-+ struct sshcipher *none = cipher_by_name("none");
+- const struct sshcipher *none = cipher_none();
++ struct sshcipher *none = cipher_none();
int r;
if (none == NULL) {
@@ -898,20 +898,20 @@
options->fingerprint_hash = -1;
options->update_hostkeys = -1;
+ options->disable_multithreaded = -1;
- options->hostbased_accepted_algos = NULL;
- options->pubkey_accepted_algos = NULL;
- options->known_hosts_command = NULL;
+ }
+
+ /*
@@ -2467,6 +2474,10 @@ fill_default_options(Options * options)
+ options->update_hostkeys = 0;
if (options->sk_provider == NULL)
options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
- #endif
+ if (options->update_hostkeys == -1)
+ options->update_hostkeys = 0;
+ if (options->disable_multithreaded == -1)
+ options->disable_multithreaded = 0;
- /* Expand KEX name lists */
- all_cipher = cipher_alg_list(',', 0);
+ /* expand KEX and etc. name lists */
+ { char *all;
diff --git a/readconf.h b/readconf.h
index 2fba866e..7f8f0227 100644
--- a/readconf.h
@@ -950,9 +950,9 @@
/* Portable-specific options */
sUsePAM,
+ sDisableMTAES,
- /* Standard Options */
- sPort, sHostKeyFile, sLoginGraceTime,
- sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
+ /* X.509 Standard Options */
+ sHostbasedAlgorithms,
+ sPubkeyAlgorithms,
@@ -662,6 +666,7 @@ static struct {
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
diff -ur a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-04-23 15:31:47.247434467 -0700
+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-04-23 15:46:32.296026606 -0700
@@ -157,6 +157,36 @@
+ Allan Jude provided the code for the NoneMac and buffer normalization.
+ This work was financed, in part, by Cisco System, Inc., the National
+ Library of Medicine, and the National Science Foundation.
+diff --git a/auth2.c b/auth2.c
+--- a/auth2.c 2021-03-15 19:30:45.404060786 -0700
++++ b/auth2.c 2021-03-15 19:37:22.078476597 -0700
+@@ -229,16 +229,17 @@
+ double delay;
+
+ digest_alg = ssh_digest_maxbytes();
+- len = ssh_digest_bytes(digest_alg);
+- hash = xmalloc(len);
++ if (len = ssh_digest_bytes(digest_alg) > 0) {
++ hash = xmalloc(len);
+
+- (void)snprintf(b, sizeof b, "%llu%s",
+- (unsigned long long)options.timing_secret, user);
+- if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
+- fatal_f("ssh_digest_memory");
+- /* 0-4.2 ms of delay */
+- delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
+- freezero(hash, len);
++ (void)snprintf(b, sizeof b, "%llu%s",
++ (unsigned long long)options.timing_secret, user);
++ if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
++ fatal_f("ssh_digest_memory");
++ /* 0-4.2 ms of delay */
++ delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
++ freezero(hash, len);
++ }
+ debug3_f("user specific delay %0.3lfms", delay/1000);
+ return MIN_FAIL_DELAY_SECONDS + delay;
+ }
diff --git a/channels.c b/channels.c
index b60d56c4..0e363c15 100644
--- a/channels.c
@@ -209,14 +239,14 @@
static void
channel_pre_open(struct ssh *ssh, Channel *c,
fd_set *readset, fd_set *writeset)
-@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
+@@ -2164,21 +2191,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
if (c->type == SSH_CHANNEL_OPEN &&
!(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
- ((c->local_window_max - c->local_window >
- c->local_maxpacket*3) ||
-+ ((ssh_packet_is_interactive(ssh) &&
-+ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
++ ((ssh_packet_is_interactive(ssh) &&
++ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
c->local_window < c->local_window_max/2) &&
c->local_consumed > 0) {
+ u_int addition = 0;
@@ -235,9 +265,8 @@
(r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
- (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
+ (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
- (r = sshpkt_send(ssh)) != 0) {
- fatal_fr(r, "channel %i", c->self);
- }
+ (r = sshpkt_send(ssh)) != 0)
+ fatal_fr(r, "channel %d", c->self);
- debug2("channel %d: window %d sent adjust %d", c->self,
- c->local_window, c->local_consumed);
- c->local_window += c->local_consumed;
@@ -386,21 +415,45 @@
index 69befa96..90b5f338 100644
--- a/compat.c
+++ b/compat.c
-@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version)
- debug_f("match: %s pat %s compat 0x%08x",
+@@ -43,7 +43,7 @@ compat_datafellows(const char *version)
+ static u_int
+ compat_datafellows(const char *version)
+ {
+- int i;
++ int i, bugs = 0;
+ static struct {
+ char *pat;
+ int bugs;
+@@ -147,11 +147,26 @@
+ if (match_pattern_list(version, check[i].pat, 0) == 1) {
+ debug("match: %s pat %s compat 0x%08x",
version, check[i].pat, check[i].bugs);
- ssh->compat = check[i].bugs;
+ /* Check to see if the remote side is OpenSSH and not HPN */
-+ /* TODO: need to use new method to test for this */
+ if (strstr(version, "OpenSSH") != NULL) {
+ if (strstr(version, "hpn") == NULL) {
-+ ssh->compat |= SSH_BUG_LARGEWINDOW;
++ bugs |= SSH_BUG_LARGEWINDOW;
+ debug("Remote is NON-HPN aware");
+ }
+ }
- return;
+- return check[i].bugs;
++ bugs |= check[i].bugs;
}
}
+- debug("no match: %s", version);
+- return 0;
++ /* Check to see if the remote side is OpenSSH and not HPN */
++ if (strstr(version, "OpenSSH") != NULL) {
++ if (strstr(version, "hpn") == NULL) {
++ bugs |= SSH_BUG_LARGEWINDOW;
++ debug("Remote is NON-HPN aware");
++ }
++ }
++ if (bugs == 0)
++ debug("no match: %s", version);
++ return bugs;
+ }
+
+ char *
diff --git a/compat.h b/compat.h
index c197fafc..ea2e17a7 100644
--- a/compat.h
@@ -459,7 +512,7 @@
@@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh)
int nenc, nmac, ncomp;
u_int mode, ctos, need, dh_need, authlen;
- int r, first_kex_follows;
+ int r, first_kex_follows = 0;
+ int auth_flag = 0;
+
+ auth_flag = packet_authentication_state(ssh);
@@ -553,7 +606,7 @@
#define MAX_PACKETS (1U<<31)
static int
ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
+@@ -1317,7 +1336,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
struct session_state *state = ssh->state;
int len, r, ms_remain;
fd_set *setp;
@@ -1035,19 +1088,6 @@
/* Minimum amount of data to read at a time */
#define MIN_READ_SIZE 512
-diff --git a/ssh-keygen.c b/ssh-keygen.c
-index cfb5f115..36a6e519 100644
---- a/ssh-keygen.c
-+++ b/ssh-keygen.c
-@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device)
- freezero(pin, strlen(pin));
- error_r(r, "Unable to load resident keys");
- return -1;
-- }
-+ }
- if (nkeys == 0)
- logit("No keys to download");
- if (pin != NULL)
diff --git a/ssh.c b/ssh.c
index 53330da5..27b9770e 100644
--- a/ssh.c
@@ -1093,7 +1133,7 @@
+ else
+ options.hpn_buffer_size = 2 * 1024 * 1024;
+
-+ if (ssh->compat & SSH_BUG_LARGEWINDOW) {
++ if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) {
+ debug("HPN to Non-HPN Connection");
+ } else {
+ int sock, socksize;
@@ -1335,7 +1375,29 @@
/* Bind the socket to the desired port. */
if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
error("Bind to port %s on %s failed: %.200s.",
-@@ -1727,6 +1734,19 @@ main(int ac, char **av)
+@@ -1625,13 +1632,14 @@
+ if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
+ sshbuf_len(server_cfg)) != 0)
+ fatal_f("ssh_digest_update");
+- len = ssh_digest_bytes(digest_alg);
+- hash = xmalloc(len);
+- if (ssh_digest_final(ctx, hash, len) != 0)
+- fatal_f("ssh_digest_final");
+- options.timing_secret = PEEK_U64(hash);
+- freezero(hash, len);
+- ssh_digest_free(ctx);
++ if ((len = ssh_digest_bytes(digest_alg)) > 0) {
++ hash = xmalloc(len);
++ if (ssh_digest_final(ctx, hash, len) != 0)
++ fatal_f("ssh_digest_final");
++ options.timing_secret = PEEK_U64(hash);
++ freezero(hash, len);
++ ssh_digest_free(ctx);
++ }
+ ctx = NULL;
+ return;
+ }
+@@ -1727,6 +1735,19 @@ main(int ac, char **av)
/* Fill in default values for those options not explicitly set. */
fill_default_server_options(&options);
@@ -1355,7 +1417,7 @@
/* challenge-response is implemented via keyboard interactive */
if (options.challenge_response_authentication)
options.kbd_interactive_authentication = 1;
-@@ -2166,6 +2186,9 @@ main(int ac, char **av)
+@@ -2166,6 +2187,9 @@ main(int ac, char **av)
rdomain == NULL ? "" : "\"");
free(laddr);
@@ -1365,7 +1427,7 @@
/*
* We don't want to listen forever unless the other side
* successfully authenticates itself. So we set up an alarm which is
-@@ -2343,6 +2366,12 @@ do_ssh2_kex(struct ssh *ssh)
+@@ -2343,6 +2367,12 @@ do_ssh2_kex(struct ssh *ssh)
struct kex *kex;
int r;
@@ -1405,14 +1467,3 @@
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
-diff --git a/version.h b/version.h
-index 6b4fa372..332fb486 100644
---- a/version.h
-+++ b/version.h
-@@ -3,4 +3,5 @@
- #define SSH_VERSION "OpenSSH_8.5"
-
- #define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_HPN "-hpn15v2"
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
diff -ur a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff
--- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-04-23 15:31:47.247434467 -0700
+++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-04-23 15:32:29.808508608 -0700
@@ -12,9 +12,9 @@
static long stalled; /* how long we have been stalled */
static int bytes_per_second; /* current speed in bytes per second */
@@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
+ off_t bytes_left;
int cur_speed;
- int hours, minutes, seconds;
- int file_len;
+ int len;
+ off_t delta_pos;
if ((!force_update && !alarm_fired && !win_resized) || !can_output())
@@ -30,15 +30,17 @@
if (bytes_left > 0)
elapsed = now - last_update;
else {
-@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
-
+@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update)
+ buf[1] = '\0';
+
/* filename */
- buf[0] = '\0';
-- file_len = win_size - 36;
-+ file_len = win_size - 45;
- if (file_len > 0) {
- buf[0] = '\r';
- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
+- if (win_size > 36) {
++ if (win_size > 45) {
+- int file_len = win_size - 36;
++ int file_len = win_size - 45;
+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
+ file_len, file);
+ }
@@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
(off_t)bytes_per_second);
strlcat(buf, "/s ", win_size);
@@ -63,15 +65,3 @@
}
/*ARGSUSED*/
-diff --git a/ssh-keygen.c b/ssh-keygen.c
-index cfb5f115..986ff59b 100644
---- a/ssh-keygen.c
-+++ b/ssh-keygen.c
-@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device)
-
- if (skprovider == NULL)
- fatal("Cannot download keys without provider");
--
- pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
- if (!quiet) {
- printf("You may need to touch your authenticator "
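Review bot: The new condition in the auth2.c hunk, `if (len = ssh_digest_bytes(digest_alg) > 0) {`, parses as `len = (ssh_digest_bytes(digest_alg) > 0)`, so len becomes 1, `hash = xmalloc(len)` allocates a single byte and `ssh_digest_memory(digest_alg, b, strlen(b), hash, len)` is handed a one-byte output buffer for a full digest; the parallel edit in the sshd.c hunk is written correctly as `if ((len = ssh_digest_bytes(digest_alg)) > 0) {` and this one should match it. `double delay;` is also read by the debug3_f call and by `return MIN_FAIL_DELAY_SECONDS + delay;` after the block even when the branch is skipped, so declare it as `double delay = 0;`. Since this hashes options.timing_secret with the user name, it appears to be the per-user failure delay intended to keep timing uniform across users, and a wrong or uninitialised value there undermines that. In the sshd.c hunk, `ssh_digest_free(ctx)` has moved inside the new branch, so the digest context is no longer freed when the branch is not taken.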


@ -0,0 +1,132 @@
diff --exclude '*.un~' -ubr a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-04-19 13:36:51.659996653 -0700
+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-04-19 13:42:23.302377465 -0700
@@ -536,18 +536,10 @@
if (state->rekey_limit)
*max_blocks = MINIMUM(*max_blocks,
state->rekey_limit / enc->block_size);
-@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
return 0;
}
-+/* this supports the forced rekeying required for the NONE cipher */
-+int rekey_requested = 0;
-+void
-+packet_request_rekeying(void)
-+{
-+ rekey_requested = 1;
-+}
-+
+/* used to determine if pre or post auth when rekeying for aes-ctr
+ * and none cipher switch */
+int
@@ -561,20 +553,6 @@
#define MAX_PACKETS (1U<<31)
static int
ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
- if (state->p_send.packets == 0 && state->p_read.packets == 0)
- return 0;
-
-+ /* used to force rekeying when called for by the none
-+ * cipher switch methods -cjr */
-+ if (rekey_requested == 1) {
-+ rekey_requested = 0;
-+ return 1;
-+ }
-+
- /* Time-based rekeying */
- if (state->rekey_interval != 0 &&
- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
struct session_state *state = ssh->state;
int len, r, ms_remain;
@@ -598,12 +576,11 @@
};
typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *,
-@@ -155,6 +158,10 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
+@@ -155,6 +158,9 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
int ssh_packet_set_maxsize(struct ssh *, u_int);
u_int ssh_packet_get_maxsize(struct ssh *);
+/* for forced packet rekeying post auth */
-+void packet_request_rekeying(void);
+int packet_authentication_state(const struct ssh *);
+
int ssh_packet_get_state(struct ssh *, struct sshbuf *);
@@ -627,9 +604,9 @@
oLocalCommand, oPermitLocalCommand, oRemoteCommand,
+ oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
+ oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
+ oDisableMTAES,
oVisualHostKey,
oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
@@ -297,6 +300,9 @@ static struct {
{ "kexalgorithms", oKexAlgorithms },
{ "ipqos", oIPQoS },
@@ -778,9 +755,9 @@
int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
SyslogFacility log_facility; /* Facility for system logging. */
@@ -120,7 +124,11 @@ typedef struct {
-
int enable_ssh_keysign;
int64_t rekey_limit;
+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
+ int none_switch; /* Use none cipher */
+ int none_enabled; /* Allow none cipher to be used */
+ int nonemac_enabled; /* Allow none MAC to be used */
@@ -842,9 +819,9 @@
/* Portable-specific options */
if (options->use_pam == -1)
@@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options)
- }
- if (options->permit_tun == -1)
options->permit_tun = SSH_TUNMODE_NO;
+ if (options->disable_multithreaded == -1)
+ options->disable_multithreaded = 0;
+ if (options->none_enabled == -1)
+ options->none_enabled = 0;
+ if (options->nonemac_enabled == -1)
@@ -1047,17 +1024,17 @@
Note that
diff --git a/sftp.c b/sftp.c
index fb3c08d1..89bebbb2 100644
---- a/sftp.c
-+++ b/sftp.c
-@@ -71,7 +71,7 @@ typedef void EditLine;
- #include "sftp-client.h"
-
- #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */
--#define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */
-+#define DEFAULT_NUM_REQUESTS 256 /* # concurrent outstanding requests */
+--- a/sftp-client.c
++++ b/sftp-client.c
+@@ -65,7 +65,7 @@ typedef void EditLine;
+ #define DEFAULT_COPY_BUFLEN 32768
+
+ /* Default number of concurrent outstanding requests */
+-#define DEFAULT_NUM_REQUESTS 64
++#define DEFAULT_NUM_REQUESTS 256
- /* File to read commands from */
- FILE* infile;
+ /* Minimum amount of data to read at a time */
+ #define MIN_READ_SIZE 512
diff --git a/ssh-keygen.c b/ssh-keygen.c
index cfb5f115..36a6e519 100644
--- a/ssh-keygen.c
@@ -1330,9 +1307,9 @@
+ }
+ }
+
- debug("Authentication succeeded (%s).", authctxt.method->name);
- }
+ #ifdef WITH_OPENSSL
+ if (options.disable_multithreaded == 0) {
diff --git a/sshd.c b/sshd.c
index 6277e6d6..d66fa41a 100644
--- a/sshd.c


@ -0,0 +1,13 @@
diff --git a/kex.c b/kex.c
index 34808b5c..88d7ccac 100644
--- a/kex.c
+++ b/kex.c
@@ -1205,7 +1205,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
if (version_addendum != NULL && *version_addendum == '\0')
version_addendum = NULL;
if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
version_addendum == NULL ? "" : " ",
version_addendum == NULL ? "" : version_addendum)) != 0) {
oerrno = errno;
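Review bot: The kex.c change puts SSH_RELEASE rather than SSH_VERSION into the identification banner that is sent before any authentication, so whatever the build folds into SSH_RELEASE — the X509 set's `PACKAGE_STRING`, an HPN suffix, any Gentoo version sed — is now advertised to every unauthenticated peer and becomes fingerprintable, and the patch has no header explaining why that is wanted. The ebuild comment "We need to patch package version or any X.509 sshd will reject our ssh client" suggests the X509 patch set keys interop behaviour off the banner, so record that at the top of the patch, e.g. `Send SSH_RELEASE in the protocol banner: the X.509 patch set derives peer capabilities from it.` The `%.100s` width still bounds the string, so an over-long release string is truncated rather than overflowed.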


@ -6,6 +6,7 @@ After=syslog.target network.target auditd.service
ExecStartPre=/usr/bin/ssh-keygen -A
ExecStart=/usr/sbin/sshd -D -e
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
[Install]
WantedBy=multi-user.target


@ -5,4 +5,4 @@ After=syslog.target auditd.service
[Service]
ExecStart=-/usr/sbin/sshd -i -e
StandardInput=socket
StandardError=syslog
StandardError=journal


@ -1,16 +1,19 @@
# Copyright 1999-2020 Gentoo Authors
# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
inherit user-info flag-o-matic multilib autotools pam systemd toolchain-funcs
inherit user-info flag-o-matic autotools pam systemd toolchain-funcs
# Make it more portable between straight releases
# and _p? releases.
PARCH=${P/_}
HPN_PV="8.1_P1"
HPN_VER="14.20"
# PV to USE for HPN patches
#HPN_PV="${PV^^}"
HPN_PV="8.3_P1"
HPN_VER="14.22"
HPN_PATCHES=(
${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
@ -18,22 +21,22 @@ HPN_PATCHES=(
)
SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
X509_VER="12.4.3" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
X509_VER="12.6" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
DESCRIPTION="Port of OpenBSD's free SSH release"
HOMEPAGE="https://www.openssh.com/"
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
"
S="${WORKDIR}/${PARCH}"
LICENSE="BSD GPL-2"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
# Probably want to drop ssl defaulting to on in a future version.
IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss"
IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
RESTRICT="!test? ( test )"
@ -42,7 +45,7 @@ REQUIRED_USE="
pie? ( !static )
static? ( !kerberos !pam )
X509? ( !sctp !security-key ssl !xmss )
xmss? ( || ( ssl libressl ) )
xmss? ( ssl )
test? ( ssl )
"
@ -55,10 +58,9 @@ LIB_DEPEND="
)
libedit? ( dev-libs/libedit:=[static-libs(+)] )
sctp? ( net-misc/lksctp-tools[static-libs(+)] )
security-key? ( dev-libs/libfido2:=[static-libs(+)] )
security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
ssl? (
!libressl? (
|| (
(
>=dev-libs/openssl-1.0.1:0[bindist=]
@ -67,8 +69,6 @@ LIB_DEPEND="
>=dev-libs/openssl-1.1.0g:0[bindist=]
)
dev-libs/openssl:0=[static-libs(+)]
)
libressl? ( dev-libs/libressl:0=[static-libs(+)] )
)
virtual/libcrypt:=[static-libs(+)]
>=sys-libs/zlib-1.2.3:=[static-libs(+)]
@ -81,8 +81,9 @@ RDEPEND="
kerberos? ( virtual/krb5 )
"
DEPEND="${RDEPEND}
static? ( ${LIB_DEPEND} )
virtual/os-headers
kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
static? ( ${LIB_DEPEND} )
"
RDEPEND="${RDEPEND}
pam? ( >=sys-auth/pambase-20081028 )
@ -109,7 +110,7 @@ pkg_pretend() {
eerror "that you requested: ${fail}"
eerror "Please mask ${PF} for now and check back later:"
eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
die "booooo"
die "Missing requested third party patch."
fi
# Make sure people who are using tcp wrappers are notified of its removal. #531156
@ -134,6 +135,12 @@ src_prepare() {
eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
# https://bugs.gentoo.org/749026
use X509 || eapply "${FILESDIR}"/${PN}-8.4_p1-fix-ssh-copy-id.patch
# workaround for https://bugs.gentoo.org/734984
use X509 || eapply "${FILESDIR}"/${PN}-8.3_p1-sha2-include.patch
[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
local PATCHSET_VERSION_MACROS=()
@ -144,7 +151,6 @@ src_prepare() {
popd &>/dev/null || die
eapply "${WORKDIR}"/${X509_PATCH%.*}
eapply "${FILESDIR}"/${P}-X509-${X509_VER}-tests.patch
# We need to patch package version or any X.509 sshd will reject our ssh client
# with "userauth_pubkey: could not parse key: string is too large [preauth]"
@ -182,14 +188,8 @@ src_prepare() {
cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
pushd "${hpn_patchdir}" &>/dev/null || die
eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch
eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-libressl.patch
if use X509; then
# einfo "Will disable MT AES cipher due to incompatbility caused by X509 patch set"
# # X509 and AES-CTR-MT don't get along, let's just drop it
# rm openssh-${HPN_PV//./_}-hpn-AES-CTR-${HPN_VER}.diff || die
eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-X509-glue.patch
fi
use sctp && eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-sctp-glue.patch
use X509 && eapply "${FILESDIR}"/${PN}-8.4_p1-hpn-${HPN_VER}-X509-glue.patch
use sctp && eapply "${FILESDIR}"/${PN}-8.4_p1-hpn-${HPN_VER}-sctp-glue.patch
popd &>/dev/null || die
eapply "${hpn_patchdir}"
@ -249,6 +249,10 @@ src_prepare() {
eapply_user #473004
# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
sed -e '/\t\tpercent \\/ d' \
-i regress/Makefile || die
tc-export PKG_CONFIG
local sed_args=(
-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
@ -279,6 +283,16 @@ src_configure() {
use static && append-ldflags -static
use xmss && append-cflags -DWITH_XMSS
if [[ ${CHOST} == *-solaris* ]] ; then
# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
# doesn't check for this, so force the replacement to be put in
# place
append-cppflags -DBROKEN_GLOB
fi
# use replacement, RPF_ECHO_ON doesn't exist here
[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
local myconf=(
--with-ldflags="${LDFLAGS}"
--disable-strip
@ -298,15 +312,23 @@ src_configure() {
$(use_with pam)
$(use_with pie)
$(use_with selinux)
$(use_with security-key security-key-builtin)
$(usex X509 '' "$(use_with security-key security-key-builtin)")
$(use_with ssl openssl)
$(use_with ssl md5-passwords)
$(use_with ssl ssl-engine)
$(use_with !elibc_Cygwin hardening) #659210
)
# stackprotect is broken on musl x86 and ppc
use elibc_musl && ( use x86 || use ppc ) && myconf+=( --without-stackprotect )
if use elibc_musl; then
# stackprotect is broken on musl x86 and ppc
if use x86 || use ppc; then
myconf+=( --without-stackprotect )
fi
# musl defines bogus values for UTMP_FILE and WTMP_FILE
# https://bugs.gentoo.org/753230
myconf+=( --disable-utmp --disable-wtmp )
fi
# The seccomp sandbox is broken on x32, so use the older method for now. #553748
use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
@ -332,10 +354,12 @@ src_test() {
mkdir -p "${sshhome}"/.ssh
for t in "${tests[@]}" ; do
# Some tests read from stdin ...
HOMEDIR="${sshhome}" HOME="${sshhome}" SUDO="" \
emake -k -j1 ${t} </dev/null \
&& passed+=( "${t}" ) \
|| failed+=( "${t}" )
HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \
SUDO="" SSH_SK_PROVIDER="" \
TEST_SSH_UNSAFE_PERMISSIONS=1 \
emake -k -j1 ${t} </dev/null \
&& passed+=( "${t}" ) \
|| failed+=( "${t}" )
done
einfo "Passed tests: ${passed[*]}"
@ -398,7 +422,9 @@ src_install() {
newinitd "${FILESDIR}"/sshd-r1.initd sshd
newconfd "${FILESDIR}"/sshd-r1.confd sshd
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
if use pam; then
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
fi
tweak_ssh_configs
@ -410,7 +436,13 @@ src_install() {
diropts -m 0700
dodir /etc/skel/.ssh
keepdir /var/empty
# https://bugs.gentoo.org/733802
if ! use scp; then
rm "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \
|| die "failed to remove scp"
fi
rmdir "${ED}"/var/empty || die
systemd_dounit "${FILESDIR}"/sshd.{service,socket}
systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
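Review bot: The new musl branch in src_configure passes `--disable-utmp --disable-wtmp`, which means sshd on musl systems writes no login records to utmp/wtmp, so `who` and `last` will not show SSH sessions; the comment only cites the bogus UTMP_FILE/WTMP_FILE values and bug 753230, not this audit consequence. Extend it so anyone investigating a musl host knows where session evidence comes from, e.g. `# NOTE: this also means sshd records no utmp/wtmp sessions on musl (no who/last); rely on sshd's own log output for session history`. Whether lastlog is affected as well I cannot tell from this hunk.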


@ -1,19 +1,18 @@
# Difference to upstream from ./update_ebuilds:
# - Ported changes from 775af6c96219eba4bc6294712a36bddc0e6db00f
#
# Copyright 1999-2020 Gentoo Authors
# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
inherit user-info flag-o-matic multilib autotools pam systemd toolchain-funcs
inherit user-info flag-o-matic autotools pam systemd toolchain-funcs
# Make it more portable between straight releases
# and _p? releases.
PARCH=${P/_}
# PV to USE for HPN patches
HPN_PV="${PV^^}"
HPN_VER="14.20"
HPN_VER="15.2"
HPN_PATCHES=(
${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
@ -21,25 +20,22 @@ HPN_PATCHES=(
)
SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
X509_VER="12.3" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
PATCH_SET="openssh-7.9p1-patches-1.0"
X509_VER="13.0.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
DESCRIPTION="Port of OpenBSD's free SSH release"
HOMEPAGE="https://www.openssh.com/"
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
https://dev.gentoo.org/~chutzpah/dist/openssh/${P}-glibc-2.31-patches.tar.xz
${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
"
S="${WORKDIR}/${PARCH}"
LICENSE="BSD GPL-2"
SLOT="0"
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv s390 sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
# Probably want to drop ssl defaulting to on in a future version.
IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509 xmss"
IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
RESTRICT="!test? ( test )"
@ -47,22 +43,22 @@ REQUIRED_USE="
ldns? ( ssl )
pie? ( !static )
static? ( !kerberos !pam )
X509? ( !sctp ssl )
X509? ( !sctp !security-key ssl !xmss )
xmss? ( ssl )
test? ( ssl )
"
LIB_DEPEND="
audit? ( sys-process/audit[static-libs(+)] )
ldns? (
net-libs/ldns[static-libs(+)]
!bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
net-libs/ldns[static-libs(+)] !bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
)
libedit? ( dev-libs/libedit:=[static-libs(+)] )
sctp? ( net-misc/lksctp-tools[static-libs(+)] )
security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
ssl? (
!libressl? (
|| (
(
>=dev-libs/openssl-1.0.1:0[bindist=]
@ -71,8 +67,6 @@ LIB_DEPEND="
>=dev-libs/openssl-1.1.0g:0[bindist=]
)
dev-libs/openssl:0=[static-libs(+)]
)
libressl? ( dev-libs/libressl:0=[static-libs(+)] )
)
virtual/libcrypt:=[static-libs(+)]
>=sys-libs/zlib-1.2.3:=[static-libs(+)]
@ -85,8 +79,9 @@ RDEPEND="
kerberos? ( virtual/krb5 )
"
DEPEND="${RDEPEND}
static? ( ${LIB_DEPEND} )
virtual/os-headers
kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
static? ( ${LIB_DEPEND} )
"
RDEPEND="${RDEPEND}
pam? ( >=sys-auth/pambase-20081028 )
@ -113,7 +108,7 @@ pkg_pretend() {
eerror "that you requested: ${fail}"
eerror "Please mask ${PF} for now and check back later:"
eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
die "booooo"
die "Missing requested third party patch."
fi
# Make sure people who are using tcp wrappers are notified of its removal. #531156
@ -132,12 +127,14 @@ src_prepare() {
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
eapply "${FILESDIR}"/${PN}-8.1_p1-GSSAPI-dns.patch #165444 integrated into gsskex
eapply "${FILESDIR}"/${PN}-8.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex
eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
eapply "${FILESDIR}"/${PN}-8.1_p1-tests-2020.patch
# workaround for https://bugs.gentoo.org/734984
use X509 || eapply "${FILESDIR}"/${PN}-8.3_p1-sha2-include.patch
[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
@ -145,11 +142,10 @@ src_prepare() {
if use X509 ; then
pushd "${WORKDIR}" &>/dev/null || die
eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
eapply "${FILESDIR}/${P}-X509-glue-${X509_VER}.patch"
popd &>/dev/null || die
eapply "${WORKDIR}"/${X509_PATCH%.*}
eapply "${FILESDIR}"/${P}-X509-$(ver_cut 1-2 ${X509_VER})-tests.patch
# We need to patch package version or any X.509 sshd will reject our ssh client
# with "userauth_pubkey: could not parse key: string is too large [preauth]"
@ -186,14 +182,9 @@ src_prepare() {
mkdir "${hpn_patchdir}" || die
cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
pushd "${hpn_patchdir}" &>/dev/null || die
eapply "${FILESDIR}"/${PN}-8.1_p1-hpn-${HPN_VER}-glue.patch
if use X509; then
# einfo "Will disable MT AES cipher due to incompatbility caused by X509 patch set"
# # X509 and AES-CTR-MT don't get along, let's just drop it
# rm openssh-${HPN_PV//./_}-hpn-AES-CTR-${HPN_VER}.diff || die
eapply "${FILESDIR}"/${PN}-8.0_p1-hpn-${HPN_VER}-X509-glue.patch
fi
use sctp && eapply "${FILESDIR}"/${PN}-8.1_p1-hpn-${HPN_VER}-sctp-glue.patch
eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch
use X509 && eapply "${FILESDIR}/${PN}-8.5_p1-hpn-${HPN_VER}-X509-${X509_VER}-glue.patch"
use sctp && eapply "${FILESDIR}/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch"
popd &>/dev/null || die
eapply "${hpn_patchdir}"
@ -253,6 +244,10 @@ src_prepare() {
eapply_user #473004
# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
sed -e '/\t\tpercent \\/ d' \
-i regress/Makefile || die
tc-export PKG_CONFIG
local sed_args=(
-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
@ -283,6 +278,16 @@ src_configure() {
use static && append-ldflags -static
use xmss && append-cflags -DWITH_XMSS
if [[ ${CHOST} == *-solaris* ]] ; then
# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
# doesn't check for this, so force the replacement to be put in
# place
append-cppflags -DBROKEN_GLOB
fi
# use replacement, RPF_ECHO_ON doesn't exist here
[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
local myconf=(
--with-ldflags="${LDFLAGS}"
--disable-strip
@ -302,14 +307,23 @@ src_configure() {
$(use_with pam)
$(use_with pie)
$(use_with selinux)
$(usex X509 '' "$(use_with security-key security-key-builtin)")
$(use_with ssl openssl)
$(use_with ssl md5-passwords)
$(use_with ssl ssl-engine)
$(use_with !elibc_Cygwin hardening) #659210
)
# stackprotect is broken on musl x86 and ppc
use elibc_musl && ( use x86 || use ppc ) && myconf+=( --without-stackprotect )
if use elibc_musl; then
# stackprotect is broken on musl x86 and ppc
if use x86 || use ppc; then
myconf+=( --without-stackprotect )
fi
# musl defines bogus values for UTMP_FILE and WTMP_FILE
# https://bugs.gentoo.org/753230
myconf+=( --disable-utmp --disable-wtmp )
fi
# The seccomp sandbox is broken on x32, so use the older method for now. #553748
use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
@ -335,10 +349,12 @@ src_test() {
mkdir -p "${sshhome}"/.ssh
for t in "${tests[@]}" ; do
# Some tests read from stdin ...
HOMEDIR="${sshhome}" HOME="${sshhome}" SUDO="" \
emake -k -j1 ${t} </dev/null \
&& passed+=( "${t}" ) \
|| failed+=( "${t}" )
HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \
SUDO="" SSH_SK_PROVIDER="" \
TEST_SSH_UNSAFE_PERMISSIONS=1 \
emake -k -j1 ${t} </dev/null \
&& passed+=( "${t}" ) \
|| failed+=( "${t}" )
done
einfo "Passed tests: ${passed[*]}"
@ -398,8 +414,12 @@ src_install() {
emake install-nokeys DESTDIR="${D}"
fperms 600 /etc/ssh/sshd_config
dobin contrib/ssh-copy-id
newinitd "${FILESDIR}"/sshd-r1.initd sshd
newconfd "${FILESDIR}"/sshd-r1.confd sshd
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
if use pam; then
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
fi
tweak_ssh_configs
@ -411,45 +431,66 @@ src_install() {
diropts -m 0700
dodir /etc/skel/.ssh
keepdir /var/empty
# https://bugs.gentoo.org/733802
if ! use scp; then
rm -f "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \
|| die "failed to remove scp"
fi
rmdir "${ED}"/var/empty || die
systemd_dounit "${FILESDIR}"/sshd.{service,socket}
systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
}
pkg_postinst() {
if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
elog "Starting with openssh-5.8p1, the server will default to a newer key"
elog "algorithm (ECDSA). You are encouraged to manually update your stored"
elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
pkg_preinst() {
if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
show_ssl_warning=1
fi
if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
elog "Make sure to update any configs that you might have. Note that xinetd might"
elog "be an alternative for you as it supports USE=tcpd."
fi
if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
elog "adding to your sshd_config or ~/.ssh/config files:"
elog " PubkeyAcceptedKeyTypes=+ssh-dss"
elog "You should however generate new keys using rsa or ed25519."
}
elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
elog "to 'prohibit-password'. That means password auth for root users no longer works"
elog "out of the box. If you need this, please update your sshd_config explicitly."
fi
if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
elog "Furthermore, rsa keys with less than 1024 bits will be refused."
fi
if has_version "<${CATEGORY}/${PN}-7.7_p1" ; then
elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
elog "if you need to authenticate against LDAP."
elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
fi
if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
pkg_postinst() {
local old_ver
for old_ver in ${REPLACING_VERSIONS}; do
if ver_test "${old_ver}" -lt "5.8_p1"; then
elog "Starting with openssh-5.8p1, the server will default to a newer key"
elog "algorithm (ECDSA). You are encouraged to manually update your stored"
elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
fi
if ver_test "${old_ver}" -lt "7.0_p1"; then
elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
elog "Make sure to update any configs that you might have. Note that xinetd might"
elog "be an alternative for you as it supports USE=tcpd."
fi
if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
elog "adding to your sshd_config or ~/.ssh/config files:"
elog " PubkeyAcceptedKeyTypes=+ssh-dss"
elog "You should however generate new keys using rsa or ed25519."
elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
elog "to 'prohibit-password'. That means password auth for root users no longer works"
elog "out of the box. If you need this, please update your sshd_config explicitly."
fi
if ver_test "${old_ver}" -lt "7.6_p1"; then
elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
elog "Furthermore, rsa keys with less than 1024 bits will be refused."
fi
if ver_test "${old_ver}" -lt "7.7_p1"; then
elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
elog "if you need to authenticate against LDAP."
elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
fi
if ver_test "${old_ver}" -lt "8.2_p1"; then
ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
ewarn "connection is generally safe."
fi
done
if [[ -n ${show_ssl_warning} ]]; then
elog "Be aware that by disabling openssl support in openssh, the server and clients"
elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
elog "and update all clients/servers that utilize them."
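Review bot: The new environment passed to `emake` in the src_test hunk adds `SSH_SK_PROVIDER=""` and `TEST_SSH_UNSAFE_PERMISSIONS=1` without any explanation, while the only surviving comment is the older "Some tests read from stdin" remark. The first presumably keeps the regress suite from loading whatever FIDO/SK provider library the build host's environment happens to name, and the second presumably tells the harness to skip its own ownership/file-mode checks on files under the sandboxed `${T}`; neither is obvious from the hunk, and the second in particular reads like a security relaxation to anyone auditing the ebuild, so it deserves a line stating that it is confined to the test run. I would add above the assignment: `# SSH_SK_PROVIDER is cleared so the regress suite never loads a host SK library; TEST_SSH_UNSAFE_PERMISSIONS only relaxes the suite's own file-mode checks under ${T} and has no effect on installed files.` src_test's body starts and ends outside this hunk.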


@ -1,9 +1,9 @@
# Copyright 1999-2020 Gentoo Authors
# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
inherit user-info flag-o-matic multilib autotools pam systemd toolchain-funcs
inherit user-info flag-o-matic autotools pam systemd toolchain-funcs
# Make it more portable between straight releases
# and _p? releases.
@ -11,9 +11,9 @@ PARCH=${P/_}
# PV to USE for HPN patches
#HPN_PV="${PV^^}"
HPN_PV="8.1_P1"
HPN_PV="8.4_P1"
HPN_VER="14.20"
HPN_VER="15.1"
HPN_PATCHES=(
${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
@ -21,22 +21,22 @@ HPN_PATCHES=(
)
SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
X509_VER="12.5.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
X509_VER="13.0" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
DESCRIPTION="Port of OpenBSD's free SSH release"
HOMEPAGE="https://www.openssh.com/"
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
"
S="${WORKDIR}/${PARCH}"
LICENSE="BSD GPL-2"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
# Probably want to drop ssl defaulting to on in a future version.
IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
RESTRICT="!test? ( test )"
@ -45,7 +45,7 @@ REQUIRED_USE="
pie? ( !static )
static? ( !kerberos !pam )
X509? ( !sctp !security-key ssl !xmss )
xmss? ( || ( ssl libressl ) )
xmss? ( ssl )
test? ( ssl )
"
@ -58,10 +58,9 @@ LIB_DEPEND="
)
libedit? ( dev-libs/libedit:=[static-libs(+)] )
sctp? ( net-misc/lksctp-tools[static-libs(+)] )
security-key? ( >=dev-libs/libfido2-1.4.0:=[static-libs(+)] )
security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
ssl? (
!libressl? (
|| (
(
>=dev-libs/openssl-1.0.1:0[bindist=]
@ -70,8 +69,6 @@ LIB_DEPEND="
>=dev-libs/openssl-1.1.0g:0[bindist=]
)
dev-libs/openssl:0=[static-libs(+)]
)
libressl? ( dev-libs/libressl:0=[static-libs(+)] )
)
virtual/libcrypt:=[static-libs(+)]
>=sys-libs/zlib-1.2.3:=[static-libs(+)]
@ -84,8 +81,9 @@ RDEPEND="
kerberos? ( virtual/krb5 )
"
DEPEND="${RDEPEND}
static? ( ${LIB_DEPEND} )
virtual/os-headers
kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
static? ( ${LIB_DEPEND} )
"
RDEPEND="${RDEPEND}
pam? ( >=sys-auth/pambase-20081028 )
@ -112,7 +110,7 @@ pkg_pretend() {
eerror "that you requested: ${fail}"
eerror "Please mask ${PF} for now and check back later:"
eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
die "booooo"
die "Missing requested third party patch."
fi
# Make sure people who are using tcp wrappers are notified of its removal. #531156
@ -131,7 +129,7 @@ src_prepare() {
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
eapply "${FILESDIR}"/${PN}-8.2_p1-GSSAPI-dns.patch #165444 integrated into gsskex
eapply "${FILESDIR}"/${PN}-8.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex
eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
@ -187,15 +185,8 @@ src_prepare() {
cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
pushd "${hpn_patchdir}" &>/dev/null || die
eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch
eapply "${FILESDIR}"/${PN}-8.2_p1-hpn-${HPN_VER}-libressl.patch
if use X509; then
# einfo "Will disable MT AES cipher due to incompatbility caused by X509 patch set"
# # X509 and AES-CTR-MT don't get along, let's just drop it
# rm openssh-${HPN_PV//./_}-hpn-AES-CTR-${HPN_VER}.diff || die
eapply "${FILESDIR}"/${PN}-8.2_p1-hpn-${HPN_VER}-X509-glue.patch
fi
use sctp && eapply "${FILESDIR}"/${PN}-8.2_p1-hpn-${HPN_VER}-sctp-glue.patch
use X509 && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-X509-glue.patch
use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
popd &>/dev/null || die
eapply "${hpn_patchdir}"
@ -289,6 +280,16 @@ src_configure() {
use static && append-ldflags -static
use xmss && append-cflags -DWITH_XMSS
if [[ ${CHOST} == *-solaris* ]] ; then
# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
# doesn't check for this, so force the replacement to be put in
# place
append-cppflags -DBROKEN_GLOB
fi
# use replacement, RPF_ECHO_ON doesn't exist here
[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
local myconf=(
--with-ldflags="${LDFLAGS}"
--disable-strip
@ -315,8 +316,16 @@ src_configure() {
$(use_with !elibc_Cygwin hardening) #659210
)
# stackprotect is broken on musl x86 and ppc
use elibc_musl && ( use x86 || use ppc ) && myconf+=( --without-stackprotect )
if use elibc_musl; then
# stackprotect is broken on musl x86 and ppc
if use x86 || use ppc; then
myconf+=( --without-stackprotect )
fi
# musl defines bogus values for UTMP_FILE and WTMP_FILE
# https://bugs.gentoo.org/753230
myconf+=( --disable-utmp --disable-wtmp )
fi
# The seccomp sandbox is broken on x32, so use the older method for now. #553748
use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
@ -410,7 +419,9 @@ src_install() {
newinitd "${FILESDIR}"/sshd-r1.initd sshd
newconfd "${FILESDIR}"/sshd-r1.confd sshd
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
if use pam; then
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
fi
tweak_ssh_configs
@ -424,11 +435,11 @@ src_install() {
# https://bugs.gentoo.org/733802
if ! use scp; then
rm "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \
rm -f "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \
|| die "failed to remove scp"
fi
keepdir /var/empty
rmdir "${ED}"/var/empty || die
systemd_dounit "${FILESDIR}"/sshd.{service,socket}
systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
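Review bot: Switching the USE=-scp removal from `rm` to `rm -f` makes the `|| die "failed to remove scp"` guard on the following line almost meaningless, because `rm -f` exits 0 when a path simply does not exist; the die now fires only on a genuine unlink error, not when a future upstream install places scp or its man page somewhere other than `usr/bin/scp` and `usr/share/man/man1/scp.1`, in which case USE=-scp would silently leave scp installed. If the intent is that USE=-scp must guarantee scp is absent from the image, keep the missing-file failure visible, e.g. `[[ -e ${ED}/usr/bin/scp ]] || die "scp not found at expected path"` before the `rm -f`, or revert to plain `rm`. If `-f` was added to tolerate a known case where one of the two files is legitimately absent, a one-line comment naming that case would stop the next reader from "fixing" it. src_install starts outside this hunk.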


@ -0,0 +1,516 @@
# Difference to upstream from ./update_ebuilds:
# - Ported changes from 529e323aad6b43a9a0c06520c1e4f6ae69b9bafa
#
# Copyright 1999-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
inherit user-info flag-o-matic autotools pam systemd toolchain-funcs
# Make it more portable between straight releases
# and _p? releases.
PARCH=${P/_}
# PV to USE for HPN patches
#HPN_PV="${PV^^}"
HPN_PV="8.5_P1"
HPN_VER="15.2"
HPN_PATCHES=(
${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
)
SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
X509_VER="13.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
DESCRIPTION="Port of OpenBSD's free SSH release"
HOMEPAGE="https://www.openssh.com/"
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
"
S="${WORKDIR}/${PARCH}"
LICENSE="BSD GPL-2"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
# Probably want to drop ssl defaulting to on in a future version.
IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
RESTRICT="!test? ( test )"
REQUIRED_USE="
ldns? ( ssl )
pie? ( !static )
static? ( !kerberos !pam )
X509? ( !sctp !security-key ssl !xmss )
xmss? ( ssl )
test? ( ssl )
"
# tests currently fail with XMSS
REQUIRED_USE+="test? ( !xmss )"
LIB_DEPEND="
audit? ( sys-process/audit[static-libs(+)] )
ldns? (
net-libs/ldns[static-libs(+)]
!bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
)
libedit? ( dev-libs/libedit:=[static-libs(+)] )
sctp? ( net-misc/lksctp-tools[static-libs(+)] )
security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
ssl? (
|| (
(
>=dev-libs/openssl-1.0.1:0[bindist=]
<dev-libs/openssl-1.1.0:0[bindist=]
)
>=dev-libs/openssl-1.1.0g:0[bindist=]
)
dev-libs/openssl:0=[static-libs(+)]
)
virtual/libcrypt:=[static-libs(+)]
>=sys-libs/zlib-1.2.3:=[static-libs(+)]
"
RDEPEND="
acct-group/sshd
acct-user/sshd
!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
pam? ( sys-libs/pam )
kerberos? ( virtual/krb5 )
"
DEPEND="${RDEPEND}
virtual/os-headers
kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
static? ( ${LIB_DEPEND} )
"
RDEPEND="${RDEPEND}
pam? ( >=sys-auth/pambase-20081028 )
userland_GNU? ( !prefix? ( sys-apps/shadow ) )
X? ( x11-apps/xauth )
"
BDEPEND="
virtual/pkgconfig
sys-devel/autoconf
"
pkg_pretend() {
# this sucks, but i'd rather have people unable to `emerge -u openssh`
# than not be able to log in to their server any more
maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
local fail="
$(use hpn && maybe_fail hpn HPN_VER)
$(use sctp && maybe_fail sctp SCTP_PATCH)
$(use X509 && maybe_fail X509 X509_PATCH)
"
fail=$(echo ${fail})
if [[ -n ${fail} ]] ; then
eerror "Sorry, but this version does not yet support features"
eerror "that you requested: ${fail}"
eerror "Please mask ${PF} for now and check back later:"
eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
die "Missing requested third party patch."
fi
# Make sure people who are using tcp wrappers are notified of its removal. #531156
if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please."
fi
}
src_prepare() {
sed -i \
-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
pathnames.h || die
# don't break .ssh/authorized_keys2 for fun
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
eapply "${FILESDIR}"/${PN}-8.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex
eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
# workaround for https://bugs.gentoo.org/734984
use X509 || eapply "${FILESDIR}"/${PN}-8.3_p1-sha2-include.patch
[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
local PATCHSET_VERSION_MACROS=()
if use X509 ; then
pushd "${WORKDIR}" &>/dev/null || die
eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
popd &>/dev/null || die
eapply "${WORKDIR}"/${X509_PATCH%.*}
# We need to patch package version or any X.509 sshd will reject our ssh client
# with "userauth_pubkey: could not parse key: string is too large [preauth]"
# error
einfo "Patching package version for X.509 patch set ..."
sed -i \
-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
einfo "Patching version.h to expose X.509 patch set ..."
sed -i \
-e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
"${S}"/version.h || die "Failed to sed-in X.509 patch version"
PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
fi
if use sctp ; then
eapply "${WORKDIR}"/${SCTP_PATCH%.*}
einfo "Patching version.h to expose SCTP patch set ..."
sed -i \
-e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
"${S}"/version.h || die "Failed to sed-in SCTP patch version"
PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
sed -i \
-e "/\t\tcfgparse \\\/d" \
"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
fi
if use hpn ; then
local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
mkdir "${hpn_patchdir}" || die
cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
pushd "${hpn_patchdir}" &>/dev/null || die
eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch
use X509 && eapply "${FILESDIR}"/${PN}-8.6_p1-hpn-${HPN_VER}-X509-glue.patch
use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
popd &>/dev/null || die
eapply "${hpn_patchdir}"
use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"
einfo "Patching Makefile.in for HPN patch set ..."
sed -i \
-e "/^LIBS=/ s/\$/ -lpthread/" \
"${S}"/Makefile.in || die "Failed to patch Makefile.in"
einfo "Patching version.h to expose HPN patch set ..."
sed -i \
-e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
"${S}"/version.h || die "Failed to sed-in HPN patch version"
PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
einfo "Disabling known non-working MT AES cipher per default ..."
cat > "${T}"/disable_mtaes.conf <<- EOF
# HPN's Multi-Threaded AES CTR cipher is currently known to be broken
# and therefore disabled per default.
DisableMTAES yes
EOF
sed -i \
-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
sed -i \
-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
fi
fi
if use X509 || use sctp || use hpn ; then
einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
sed -i \
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
sed -i \
-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
sed -i \
-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
fi
sed -i \
-e "/#UseLogin no/d" \
"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
eapply_user #473004
# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
sed -e '/\t\tpercent \\/ d' \
-i regress/Makefile || die
tc-export PKG_CONFIG
local sed_args=(
-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
# Disable PATH reset, trust what portage gives us #254615
-e 's:^PATH=/:#PATH=/:'
# Disable fortify flags ... our gcc does this for us
-e 's:-D_FORTIFY_SOURCE=2::'
)
# The -ftrapv flag ICEs on hppa #505182
use hppa && sed_args+=(
-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
)
# _XOPEN_SOURCE causes header conflicts on Solaris
[[ ${CHOST} == *-solaris* ]] && sed_args+=(
-e 's/-D_XOPEN_SOURCE//'
)
sed -i "${sed_args[@]}" configure{.ac,} || die
eautoreconf
}
src_configure() {
addwrite /dev/ptmx
use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
use static && append-ldflags -static
use xmss && append-cflags -DWITH_XMSS
if [[ ${CHOST} == *-solaris* ]] ; then
# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
# doesn't check for this, so force the replacement to be put in
# place
append-cppflags -DBROKEN_GLOB
fi
# use replacement, RPF_ECHO_ON doesn't exist here
[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
local myconf=(
--with-ldflags="${LDFLAGS}"
--disable-strip
--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
--sysconfdir="${EPREFIX}"/etc/ssh
--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
--datadir="${EPREFIX}"/usr/share/openssh
--with-privsep-path="${EPREFIX}"/var/empty
--with-privsep-user=sshd
$(use_with audit audit linux)
$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
# We apply the sctp patch conditionally, so can't pass --without-sctp
# unconditionally else we get unknown flag warnings.
$(use sctp && use_with sctp)
$(use_with ldns ldns "${EPREFIX}"/usr)
$(use_with libedit)
$(use_with pam)
$(use_with pie)
$(use_with selinux)
$(usex X509 '' "$(use_with security-key security-key-builtin)")
$(use_with ssl openssl)
$(use_with ssl md5-passwords)
$(use_with ssl ssl-engine)
$(use_with !elibc_Cygwin hardening) #659210
)
if use elibc_musl; then
# stackprotect is broken on musl x86 and ppc
if use x86 || use ppc; then
myconf+=( --without-stackprotect )
fi
# musl defines bogus values for UTMP_FILE and WTMP_FILE
# https://bugs.gentoo.org/753230
myconf+=( --disable-utmp --disable-wtmp )
fi
# The seccomp sandbox is broken on x32, so use the older method for now. #553748
use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
econf "${myconf[@]}"
}
src_test() {
local t skipped=() failed=() passed=()
local tests=( interop-tests compat-tests )
local shell=$(egetshell "${UID}")
if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
elog "user, so we will run a subset only."
skipped+=( tests )
else
tests+=( tests )
fi
# It will also attempt to write to the homedir .ssh.
local sshhome=${T}/homedir
mkdir -p "${sshhome}"/.ssh
for t in "${tests[@]}" ; do
# Some tests read from stdin ...
HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \
SUDO="" SSH_SK_PROVIDER="" \
TEST_SSH_UNSAFE_PERMISSIONS=1 \
emake -k -j1 ${t} </dev/null \
&& passed+=( "${t}" ) \
|| failed+=( "${t}" )
done
einfo "Passed tests: ${passed[*]}"
[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
[[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
}
# Gentoo tweaks to default config files.
tweak_ssh_configs() {
local locale_vars=(
# These are language variables that POSIX defines.
# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
# These are the GNU extensions.
# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
)
# First the server config.
cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
# Allow client to pass locale environment variables. #367017
AcceptEnv ${locale_vars[*]}
# Allow client to pass COLORTERM to match TERM. #658540
AcceptEnv COLORTERM
EOF
# Then the client config.
cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
# Send locale environment variables. #367017
SendEnv ${locale_vars[*]}
# Send COLORTERM to match TERM. #658540
SendEnv COLORTERM
EOF
if use pam ; then
sed -i \
-e "/^#UsePAM /s:.*:UsePAM yes:" \
-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
-e "/^#PrintMotd /s:.*:PrintMotd no:" \
-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
"${ED}"/etc/ssh/sshd_config || die
fi
if use livecd ; then
sed -i \
-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
"${ED}"/etc/ssh/sshd_config || die
fi
}
src_install() {
emake install-nokeys DESTDIR="${D}"
fperms 600 /etc/ssh/sshd_config
dobin contrib/ssh-copy-id
if use pam; then
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
fi
tweak_ssh_configs
doman contrib/ssh-copy-id.1
dodoc CREDITS OVERVIEW README* TODO sshd_config
use hpn && dodoc HPN-README
use X509 || dodoc ChangeLog
diropts -m 0700
dodir /etc/skel/.ssh
# https://bugs.gentoo.org/733802
if ! use scp; then
rm -f "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \
|| die "failed to remove scp"
fi
rmdir "${ED}"/var/empty || die
systemd_dounit "${FILESDIR}"/sshd.{service,socket}
systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
}
pkg_preinst() {
if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
show_ssl_warning=1
fi
}
pkg_postinst() {
local old_ver
for old_ver in ${REPLACING_VERSIONS}; do
if ver_test "${old_ver}" -lt "5.8_p1"; then
elog "Starting with openssh-5.8p1, the server will default to a newer key"
elog "algorithm (ECDSA). You are encouraged to manually update your stored"
elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
fi
if ver_test "${old_ver}" -lt "7.0_p1"; then
elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
elog "Make sure to update any configs that you might have. Note that xinetd might"
elog "be an alternative for you as it supports USE=tcpd."
fi
if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
elog "adding to your sshd_config or ~/.ssh/config files:"
elog " PubkeyAcceptedKeyTypes=+ssh-dss"
elog "You should however generate new keys using rsa or ed25519."
elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
elog "to 'prohibit-password'. That means password auth for root users no longer works"
elog "out of the box. If you need this, please update your sshd_config explicitly."
fi
if ver_test "${old_ver}" -lt "7.6_p1"; then
elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
elog "Furthermore, rsa keys with less than 1024 bits will be refused."
fi
if ver_test "${old_ver}" -lt "7.7_p1"; then
elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
elog "if you need to authenticate against LDAP."
elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
fi
if ver_test "${old_ver}" -lt "8.2_p1"; then
ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
ewarn "connection is generally safe."
fi
done
if [[ -n ${show_ssl_warning} ]]; then
elog "Be aware that by disabling openssl support in openssh, the server and clients"
elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
elog "and update all clients/servers that utilize them."
fi
if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
elog ""
elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
elog "and therefore disabled at runtime per default."
elog "Make sure your sshd_config is up to date and contains"
elog ""
elog " DisableMTAES yes"
elog ""
elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
elog ""
fi
}


@ -72,7 +72,7 @@ dev-util/checkbashisms
=sys-libs/libsepol-2.4 **
=sys-libs/libselinux-2.4 **
=net-misc/openssh-8.1_p1-r3 ~arm64
=net-misc/openssh-8.6_p1-r1 ~amd64 ~arm64
=sys-firmware/sgabios-0.1_pre8-r1 ~amd64 ~arm64