mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-19 13:31:28 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3609 from dm0-/glsa

Browse Source 
Upgrade OpenSSL and OpenSSH
This commit is contained in:
David Michael 2019-03-14 18:26:31 -04:00 committed by GitHub
commit 9f47fff470
18 changed files with 566 additions and 95 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest vendored
View File

@ -1,5 +1,5 @@
DIST openssl-1.0.2-patches-1.6.tar.xz 16004 BLAKE2B 28c7e9a8c8b09a34aa6ed21dec18b04c1d6140276e319cfa99b63db5ae188ca7837c444e8352748ffc86e6df7676534aef2f28788e825ee8207c0f876efb5b7b SHA512 eac9bbbebd8d942707ef385ee466929045bb4698985f7a0fb16f529f2101a246735cc2e654bfbdaa8a178224bb5ac564478a7587e6156cfcbdfe62a719bfb0a3
DIST openssl-1.0.2p.tar.gz 5338192 BLAKE2B fe4c0e2bf75d47a76e7377c7977be7bcaaa532061ab89ee989786eeb6495295711a29a88bf026c85d9ed55c97e71b0e9c8cf4c29b6e58a3dc56bcff518666823 SHA512 958c5a7c3324bbdc8f07dfb13e11329d9a1b4452c07cf41fbd2d42b5fe29c95679332a3476d24c2dc2b88be16e4a24744aba675a05a388c0905756c77a8a2f16
DIST openssl-1.0.2p_ec_curve.c 17254 BLAKE2B d40d8d6e770443f07abe70e2c4ddda6aec1cc8e37dc1f226a3fdd9ed5d228f09c6d372e8956b1948b55ee1d57d1429493e7288d0f54d9466a37fec805c85aacb SHA512 8e92fb100bcf4bd918c82b9a6cbd75a55abe1a2c08230a007e441c51577f974f8cc336e9ac8a672b32641480428ca8cead5380da1fe81bacb088145a1b754a15
DIST openssl-1.0.2p_ectest.c 30735 BLAKE2B 95333a27f1cf0a4305a3cee7f6d46b9d4673582ca9acfcf5ba2a0d9d317ab6219cd0d2ff0ba3a55a317c8f5819342f05cc17ba80ec2c92b2b4cab9a3552382e1 SHA512 f2e4d34327b490bc8371f0845c69df3f9fc51ea16f0ea0de0411a0c1fa9d49bb2b6fafc363eb3b3cd919dc7c24e4a0d075c6ff878c01d70dae918f2540874c19
DIST openssl-1.0.2p_hobble-openssl 1302 BLAKE2B 647caa6a0f4c53a2e77baa3b8e5961eaef3bb0ff38e7d5475eab8deef3439f7fe49028ec9ed0406f3453870b62cac67c496b3a048ee4c9ff4c6866d520235960 SHA512 3d757a4708e74a03dd5cb9b8114dfe442ed9520739a6eca693be4c4265771696f1449ea06d1c9bcfc6e94fc9b0dd0c10e153f1c3b0334831c0550b36cd63326e
DIST openssl-1.0.2-patches-1.5.tar.xz 12404 BLAKE2B 6c1b8c28f339f539b2ab8643379502a24cf62bffde00041dce54d5dd9e8d2620b181362ee5464b0ab32ba4948e209697bfabadbea2944a409a1009100d298f24 SHA512 5725e2d9d1ee8cc074bcef3bed61c71bdab2ff1c114362110c3fb8da11ad5bc8f2ff28e90a293f5f3a5cf96ecda54dffdb7ab3fb3f8b23ef6472250dc3037659
DIST openssl-1.0.2r.tar.gz 5348369 BLAKE2B 9f9c2d2fe6eaf9acacab29b394a318f30c38e831a5f9c193b2da660f9d04acbf407d8b752274783765416c0f5ba557c24ee293ad7fb7d727771db289e6acc901 SHA512 6eb2211f3ad56d7573ac26f388338592c37e5faaf5e2d44c0fa9062c12186e56a324f135d1c956a89b55fcce047e6428bec2756658d103e7275e08b46f741235
DIST openssl-1.0.2r_ec_curve.c 17254 BLAKE2B d40d8d6e770443f07abe70e2c4ddda6aec1cc8e37dc1f226a3fdd9ed5d228f09c6d372e8956b1948b55ee1d57d1429493e7288d0f54d9466a37fec805c85aacb SHA512 8e92fb100bcf4bd918c82b9a6cbd75a55abe1a2c08230a007e441c51577f974f8cc336e9ac8a672b32641480428ca8cead5380da1fe81bacb088145a1b754a15
DIST openssl-1.0.2r_ectest.c 30735 BLAKE2B 95333a27f1cf0a4305a3cee7f6d46b9d4673582ca9acfcf5ba2a0d9d317ab6219cd0d2ff0ba3a55a317c8f5819342f05cc17ba80ec2c92b2b4cab9a3552382e1 SHA512 f2e4d34327b490bc8371f0845c69df3f9fc51ea16f0ea0de0411a0c1fa9d49bb2b6fafc363eb3b3cd919dc7c24e4a0d075c6ff878c01d70dae918f2540874c19
DIST openssl-1.0.2r_hobble-openssl 1302 BLAKE2B 647caa6a0f4c53a2e77baa3b8e5961eaef3bb0ff38e7d5475eab8deef3439f7fe49028ec9ed0406f3453870b62cac67c496b3a048ee4c9ff4c6866d520235960 SHA512 3d757a4708e74a03dd5cb9b8114dfe442ed9520739a6eca693be4c4265771696f1449ea06d1c9bcfc6e94fc9b0dd0c10e153f1c3b0334831c0550b36cd63326e

18
sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2p-r1.ebuild → sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2r.ebuild vendored
View File

@ -1,11 +1,14 @@
# Copyright 1999-2018 Gentoo Authors
# Copyright 1999-2019 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="6"
inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal systemd
PATCH_SET="openssl-1.0.2-patches-1.6"
# openssl-1.0.2-patches-1.6 contain additional CVE patches
# which got fixed with this release.
# Please use 1.7 version number when rolling a new tarball!
PATCH_SET="openssl-1.0.2-patches-1.5"
MY_P=${P/_/-}
DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
HOMEPAGE="https://www.openssl.org/"
@ -20,7 +23,8 @@ SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
LICENSE="openssl"
SLOT="0"
KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~x86-fbsd ~x86-linux"
IUSE="+asm gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib"
IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib"
RESTRICT="!bindist? ( bindist )"
RDEPEND=">=app-misc/c_rehash-1.7-r1
gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
@ -55,7 +59,7 @@ done
for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix
FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${i}" )
done
SRC_URI+=" ${FEDORA_SRC_URI[*]} "
SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )"
S="${WORKDIR}/${MY_P}"
@ -64,7 +68,7 @@ MULTILIB_WRAPPED_HEADERS=(
)
src_prepare() {
if :; then
if use bindist; then
# This just removes the prefix, and puts it into WORKDIR like the RPM.
for i in "${FEDORA_SOURCE[@]}" ; do
cp -f "${DISTDIR}"/"${P}_${i}" "${WORKDIR}"/"${i}" || die
@ -186,8 +190,8 @@ multilib_src_configure() {
$(use cpu_flags_x86_sse2 || echo "no-sse2") \
enable-camellia \
enable-ec \
no-ec2m \
no-srp \
$(use_ssl !bindist ec2m) \
$(use_ssl !bindist srp) \
${ec_nistp_64_gcc_128} \
enable-idea \
enable-mdc2 \

7
sdk_container/src/third_party/coreos-overlay/metadata/md5-cache/dev-libs/openssl-1.0.2p-r1 → sdk_container/src/third_party/coreos-overlay/metadata/md5-cache/dev-libs/openssl-1.0.2r vendored
View File

@ -3,12 +3,13 @@ DEPEND=>=app-misc/c_rehash-1.7-r1 gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?
DESCRIPTION=full-strength general purpose cryptography library (including SSL and TLS)
EAPI=6
HOMEPAGE=https://www.openssl.org/
IUSE=+asm gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib abi_x86_32 abi_x86_64 abi_x86_x32 abi_mips_n32 abi_mips_n64 abi_mips_o32 abi_ppc_32 abi_ppc_64 abi_s390_32 abi_s390_64
IUSE=+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test +tls-heartbeat vanilla zlib abi_x86_32 abi_x86_64 abi_x86_x32 abi_mips_n32 abi_mips_n64 abi_mips_o32 abi_ppc_32 abi_ppc_64 abi_s390_32 abi_s390_64
KEYWORDS=alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~x86-fbsd ~x86-linux
LICENSE=openssl
PDEPEND=app-misc/ca-certificates
RDEPEND=>=app-misc/c_rehash-1.7-r1 gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?] ) zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?] ) kerberos? ( >=app-crypt/mit-krb5-1.11.4[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_ppc_32(-)?,abi_ppc_64(-)?,abi_s390_32(-)?,abi_s390_64(-)?] )
RESTRICT=!bindist? ( bindist )
SLOT=0
SRC_URI=mirror://openssl/source/openssl-1.0.2p.tar.gz !vanilla? ( mirror://gentoo/openssl-1.0.2-patches-1.6.tar.xz https://dev.gentoo.org/~chutzpah/dist/openssl/openssl-1.0.2-patches-1.6.tar.xz https://dev.gentoo.org/~whissi/dist/openssl/openssl-1.0.2-patches-1.6.tar.xz https://dev.gentoo.org/~polynomial-c/dist/openssl-1.0.2-patches-1.6.tar.xz ) https://src.fedoraproject.org/cgit/rpms/openssl.git/plain//hobble-openssl?h=f25 -> openssl-1.0.2p_hobble-openssl https://src.fedoraproject.org/cgit/rpms/openssl.git/plain//ec_curve.c?h=f25 -> openssl-1.0.2p_ec_curve.c https://src.fedoraproject.org/cgit/rpms/openssl.git/plain//ectest.c?h=f25 -> openssl-1.0.2p_ectest.c
SRC_URI=mirror://openssl/source/openssl-1.0.2r.tar.gz !vanilla? ( mirror://gentoo/openssl-1.0.2-patches-1.5.tar.xz https://dev.gentoo.org/~chutzpah/dist/openssl/openssl-1.0.2-patches-1.5.tar.xz https://dev.gentoo.org/~whissi/dist/openssl/openssl-1.0.2-patches-1.5.tar.xz https://dev.gentoo.org/~polynomial-c/dist/openssl-1.0.2-patches-1.5.tar.xz ) bindist? ( https://src.fedoraproject.org/cgit/rpms/openssl.git/plain//hobble-openssl?h=f25 -> openssl-1.0.2r_hobble-openssl https://src.fedoraproject.org/cgit/rpms/openssl.git/plain//ec_curve.c?h=f25 -> openssl-1.0.2r_ec_curve.c https://src.fedoraproject.org/cgit/rpms/openssl.git/plain//ectest.c?h=f25 -> openssl-1.0.2r_ectest.c )
_eclasses_=desktop b1d22ac8bdd4679ab79c71aca235009d epatch a1bf4756dba418a7238f3be0cb010c54 estack 43ddf5aaffa7a8d0482df54d25a66a1f eutils 6e6c2737b59a4b982de6fb3ecefd87f8 flag-o-matic 55aaa148741116aa54ad0d80e361818e ltprune 08f9e1d9ee0af8f5d9a7854efbcd8c0e multibuild 40fe59465edacd730c644ec2bc197809 multilib b2f01ad412baf81650c23fcf0975fa33 multilib-build b42436dc1260f475af229754c165cb6b multilib-minimal 8bddda43703ba94d8341f4e247f97566 preserve-libs ef207dc62baddfddfd39a164d9797648 systemd 71fd8d2065d102753fb9e4d20eaf3e9f toolchain-funcs f164325a2cdb5b3ea39311d483988861 vcs-clean 2a0f74a496fa2b1552c4f3398258b7bf
_md5_=faa57daab06de770227f724e9aee49bc
_md5_=cfe40ccf96e03923ff22c54a864ab483

15
sdk_container/src/third_party/coreos-overlay/metadata/md5-cache/net-misc/openssh-7.7_p1-r9 vendored
View File

@ -1,15 +0,0 @@
DEFINED_PHASES=configure install postinst preinst prepare pretend test
DEPEND=!static? ( audit? ( sys-process/audit ) ldns? ( net-libs/ldns[ecdsa,ssl(+),static-libs(+)] ) libedit? ( dev-libs/libedit:= ) sctp? ( net-misc/lksctp-tools ) selinux? ( >=sys-libs/libselinux-1.28 ) skey? ( >=sys-auth/skey-1.1.5-r1 ) ssl? ( !libressl? ( >=dev-libs/openssl-1.0.1:0=[-bindist(-)] dev-libs/openssl:0= ) libressl? ( dev-libs/libressl:0= ) ) >=sys-libs/zlib-1.2.3:= ) pam? ( virtual/pam ) kerberos? ( virtual/krb5 ) static? ( audit? ( sys-process/audit[static-libs(+)] ) ldns? ( net-libs/ldns[ecdsa,ssl(+),static-libs(+)] ) libedit? ( dev-libs/libedit:=[static-libs(+)] ) sctp? ( net-misc/lksctp-tools[static-libs(+)] ) selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] ) ssl? ( !libressl? ( >=dev-libs/openssl-1.0.1:0=[-bindist(-)] dev-libs/openssl:0=[static-libs(+)] ) libressl? ( dev-libs/libressl:0=[static-libs(+)] ) ) >=sys-libs/zlib-1.2.3:=[static-libs(+)] ) virtual/pkgconfig virtual/os-headers sys-devel/autoconf >=app-portage/elt-patches-20170815 !<sys-devel/gettext-0.18.1.1-r3 || ( >=sys-devel/automake-1.16.1:1.16 >=sys-devel/automake-1.15.1:1.15 ) >=sys-devel/autoconf-2.69 >=sys-devel/libtool-2.4 virtual/pkgconfig
DESCRIPTION=Port of OpenBSD's free SSH release
EAPI=6
HOMEPAGE=https://www.openssh.com/
IUSE=abi_mips_n32 audit debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux skey +ssl static test X X509
KEYWORDS=alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris
LICENSE=BSD GPL-2
RDEPEND=!static? ( audit? ( sys-process/audit ) ldns? ( net-libs/ldns[ecdsa,ssl(+),static-libs(+)] ) libedit? ( dev-libs/libedit:= ) sctp? ( net-misc/lksctp-tools ) selinux? ( >=sys-libs/libselinux-1.28 ) skey? ( >=sys-auth/skey-1.1.5-r1 ) ssl? ( !libressl? ( >=dev-libs/openssl-1.0.1:0=[-bindist(-)] dev-libs/openssl:0= ) libressl? ( dev-libs/libressl:0= ) ) >=sys-libs/zlib-1.2.3:= ) pam? ( virtual/pam ) kerberos? ( virtual/krb5 ) pam? ( >=sys-auth/pambase-20081028 ) userland_GNU? ( virtual/shadow ) X? ( x11-apps/xauth )
REQUIRED_USE=ldns? ( ssl ) pie? ( !static ) static? ( !kerberos !pam ) X509? ( !sctp ssl ) test? ( ssl )
RESTRICT=!test? ( test )
SLOT=0
SRC_URI=mirror://openbsd/OpenSSH/portable/openssh-7.7p1.tar.gz https://dev.gentoo.org/~whissi/dist/openssh/openssh-7.7p1-patches-1.2.tar.xz sctp? ( https://dev.gentoo.org/~whissi/dist/openssh/openssh-7.7p1-sctp-1.1.patch.xz ) hpn? ( https://dev.gentoo.org/~whissi/dist/openssh/openssh-7.7p1-hpnssh14v15-gentoo2.patch.xz ) X509? ( https://dev.gentoo.org/~whissi/dist/openssh/openssh-7.7p1-x509-11.3.1.patch.xz )
_eclasses_=autotools 1bf086cdd7356f5c9a4acd9727bd2065 desktop b1d22ac8bdd4679ab79c71aca235009d epatch a1bf4756dba418a7238f3be0cb010c54 estack 43ddf5aaffa7a8d0482df54d25a66a1f eutils 6e6c2737b59a4b982de6fb3ecefd87f8 flag-o-matic 55aaa148741116aa54ad0d80e361818e libtool f143db5a74ccd9ca28c1234deffede96 ltprune 08f9e1d9ee0af8f5d9a7854efbcd8c0e multilib b2f01ad412baf81650c23fcf0975fa33 pam 3e788d86170dfcd5b06824d898315e18 preserve-libs ef207dc62baddfddfd39a164d9797648 systemd 71fd8d2065d102753fb9e4d20eaf3e9f toolchain-funcs f164325a2cdb5b3ea39311d483988861 user 8bc2845510e2109af75e3eeac607ec81 vcs-clean 2a0f74a496fa2b1552c4f3398258b7bf
_md5_=08499a610fc3ccb2d6e5ca779fbae997

15
sdk_container/src/third_party/coreos-overlay/metadata/md5-cache/net-misc/openssh-7.9_p1-r4 vendored Normal file
View File

@ -0,0 +1,15 @@
DEFINED_PHASES=configure install postinst preinst prepare pretend test
DEPEND=!static? ( audit? ( sys-process/audit ) ldns? ( net-libs/ldns !bindist? ( net-libs/ldns[ecdsa,ssl(+)] ) bindist? ( net-libs/ldns[-ecdsa,ssl(+)] ) ) libedit? ( dev-libs/libedit:= ) sctp? ( net-misc/lksctp-tools ) selinux? ( >=sys-libs/libselinux-1.28 ) ssl? ( !libressl? ( || ( ( >=dev-libs/openssl-1.0.1:0[bindist=] <dev-libs/openssl-1.1.0:0[bindist=] ) >=dev-libs/openssl-1.1.0g:0[bindist=] ) dev-libs/openssl:0= ) libressl? ( dev-libs/libressl:0= ) ) >=sys-libs/zlib-1.2.3:= ) pam? ( virtual/pam ) kerberos? ( virtual/krb5 ) static? ( audit? ( sys-process/audit[static-libs(+)] ) ldns? ( net-libs/ldns[static-libs(+)] !bindist? ( net-libs/ldns[ecdsa,ssl(+)] ) bindist? ( net-libs/ldns[-ecdsa,ssl(+)] ) ) libedit? ( dev-libs/libedit:=[static-libs(+)] ) sctp? ( net-misc/lksctp-tools[static-libs(+)] ) selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) ssl? ( !libressl? ( || ( ( >=dev-libs/openssl-1.0.1:0[bindist=] <dev-libs/openssl-1.1.0:0[bindist=] ) >=dev-libs/openssl-1.1.0g:0[bindist=] ) dev-libs/openssl:0=[static-libs(+)] ) libressl? ( dev-libs/libressl:0=[static-libs(+)] ) ) >=sys-libs/zlib-1.2.3:=[static-libs(+)] ) virtual/pkgconfig virtual/os-headers sys-devel/autoconf >=app-portage/elt-patches-20170815 !<sys-devel/gettext-0.18.1.1-r3 || ( >=sys-devel/automake-1.16.1:1.16 >=sys-devel/automake-1.15.1:1.15 ) >=sys-devel/autoconf-2.69 >=sys-devel/libtool-2.4 virtual/pkgconfig
DESCRIPTION=Port of OpenBSD's free SSH release
EAPI=6
HOMEPAGE=https://www.openssh.com/
IUSE=abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509
KEYWORDS=alpha amd64 arm arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris
LICENSE=BSD GPL-2
RDEPEND=!static? ( audit? ( sys-process/audit ) ldns? ( net-libs/ldns !bindist? ( net-libs/ldns[ecdsa,ssl(+)] ) bindist? ( net-libs/ldns[-ecdsa,ssl(+)] ) ) libedit? ( dev-libs/libedit:= ) sctp? ( net-misc/lksctp-tools ) selinux? ( >=sys-libs/libselinux-1.28 ) ssl? ( !libressl? ( || ( ( >=dev-libs/openssl-1.0.1:0[bindist=] <dev-libs/openssl-1.1.0:0[bindist=] ) >=dev-libs/openssl-1.1.0g:0[bindist=] ) dev-libs/openssl:0= ) libressl? ( dev-libs/libressl:0= ) ) >=sys-libs/zlib-1.2.3:= ) pam? ( virtual/pam ) kerberos? ( virtual/krb5 ) pam? ( >=sys-auth/pambase-20081028 ) userland_GNU? ( virtual/shadow ) X? ( x11-apps/xauth )
REQUIRED_USE=ldns? ( ssl ) pie? ( !static ) static? ( !kerberos !pam ) X509? ( !sctp ssl ) test? ( ssl )
RESTRICT=!test? ( test )
SLOT=0
SRC_URI=mirror://openbsd/OpenSSH/portable/openssh-7.9p1.tar.gz https://dev.gentoo.org/~whissi/dist/openssh/openssh-7.9p1-patches-1.0.tar.xz sctp? ( https://dev.gentoo.org/~whissi/dist/openssh/openssh-7.9p1-sctp-1.2.patch.xz ) hpn? ( mirror://sourceforge/hpnssh/HPN-SSH%2014v16%207.8P1/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff mirror://sourceforge/hpnssh/HPN-SSH%2014v16%207.8P1/openssh-7_8_P1-hpn-AES-CTR-14.16.diff ) X509? ( https://roumenpetrov.info/openssh/x509-11.6/openssh-7.9p1+x509-11.6.diff.gz )
_eclasses_=autotools 1bf086cdd7356f5c9a4acd9727bd2065 desktop b1d22ac8bdd4679ab79c71aca235009d epatch a1bf4756dba418a7238f3be0cb010c54 estack 43ddf5aaffa7a8d0482df54d25a66a1f eutils 6e6c2737b59a4b982de6fb3ecefd87f8 flag-o-matic 55aaa148741116aa54ad0d80e361818e libtool f143db5a74ccd9ca28c1234deffede96 ltprune 08f9e1d9ee0af8f5d9a7854efbcd8c0e multilib b2f01ad412baf81650c23fcf0975fa33 pam 3e788d86170dfcd5b06824d898315e18 preserve-libs ef207dc62baddfddfd39a164d9797648 systemd 71fd8d2065d102753fb9e4d20eaf3e9f toolchain-funcs f164325a2cdb5b3ea39311d483988861 user 8bc2845510e2109af75e3eeac607ec81 vcs-clean 2a0f74a496fa2b1552c4f3398258b7bf
_md5_=132216882fc5164a9c3f615424983c05

11
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest vendored
View File

@ -1,5 +1,6 @@
DIST openssh-7.7p1-hpnssh14v15-gentoo2.patch.xz 22060 BLAKE2B 9ee654f689d4b90bd0fe4f71d57b4a8d9d957012be3a23ff2baa6c45ae99e2f1e4daf5de24479a6a3eb761ee6847deb3c6c3021d4cbabc9089f605d8d7270efc SHA512 856d28ac89c14d01c40c7d7e93cfaebd74b091188b5b469550eb62aa5445177aec1a5f47c1e2f7173013712e98e5f9f5e46bbb3dbd4ec7c5ee8256ef45cda0f8
DIST openssh-7.7p1-patches-1.2.tar.xz 17584 BLAKE2B 192ec01906c911197abec4606cdf136cf26ac4ab4c405267cd98bafaea409d9d596b2b985eaeda6a1425d587d63b6f403b988f280aff989357586bf232d27712 SHA512 e646ec3674b5ef38abe823406d33c8a47c5f63fa962c41386709a7ad7115d968b70fbcf7a8f3efc67a3e80e0194e8e22a01c2342c830f99970fe02532cdee51b
DIST openssh-7.7p1-sctp-1.1.patch.xz 7548 BLAKE2B 3b960c2377351955007005de560c2a3e8d0d059a0435e5beda14c63e444dad8b4357edaccd1cfe446c6268514f152b2bcfa7fa3612f1ae1324a31fecb0e85ac5 SHA512 093605865262a2b972db8c92990a49ed6178ed4567fb2626518c826c8472553d9be99a9e6052a6f5e545d81867b4118e9fd8a2c0c26a2739f1720b0f13282cba
DIST openssh-7.7p1-x509-11.3.1.patch.xz 362672 BLAKE2B 55b8b0ef00dc4d962a0db1115406b7b1e84110870c74198e9e4cb081b2ffde8daca67cb281c69d73b4c5cbffde361429d62634be194b57e888a0b434a0f42a37 SHA512 f84744f6d2e5a15017bce37bfa65ebb47dbafeac07ea9aab46bdc780b4062ff70687512d9d512cab81e3b9c701adb6ce17c5474f35cb4b49f57db2e2d45ac9ac
DIST openssh-7.7p1.tar.gz 1536900 BLAKE2B 7aee360f2cea5bfa3f8426fcbd66fde2568f05f9c8e623326b60f03b7c5f8abf223e178aa1d5958015b51627565bf5b1ace35b57f309638c908f5a7bf5500d21 SHA512 597252cb48209a0cb98ca1928a67e8d63e4275252f25bc37269204c108f034baade6ba0634e32ae63422fddd280f73096a6b31ad2f2e7a848dde75ca30e14261
DIST openssh-7.9p1+x509-11.6.diff.gz 655819 BLAKE2B f442bb993f89782b74b0cd28906c91edfcf5b1d42a4c8135a5ccf5045e7eb000eb7aa301685b748f707506ba20e3b842d684db436872ed82b6d9b9c086879515 SHA512 0ff6ed2822aaa43cf352134b90975fb663662c5ea3d73b690601f24342ea207aecda8cdb9c1bdc3e3656fb059d842dfb3bf22646b626c303240808286103d8bc
DIST openssh-7.9p1-patches-1.0.tar.xz 9080 BLAKE2B c14106a875b6ea0672a03f6cb292386daba96da23fed4ebd04a75f712e252bc88a25116b0b3b27446421aadf112451cb3b8a96d2f7d437e6728fe782190bc69e SHA512 7903cdb4ce5be0f1b1b741788fb372e68b0c9c1d6da0d854d8bc62e4743ad7cd13101b867b541828d3786b0857783377457e5e87ba9b63bfd9afcdbfd93ac103
DIST openssh-7.9p1-sctp-1.2.patch.xz 7360 BLAKE2B 60e209371ecac24d0b60e48459d4d4044c0f364a2eea748cc4edd1501faec69a3c5b9e0b7db336968399ec684b6c8aceeac9196ba1ecf563ae3d660682cbc9a0 SHA512 d4d37a49cd43a3b9b7b173b0935267b84133b9b0954b7f71714ba781a6129c6d424f8b7a528dd7d4f287784c5517d57b1d6d7c6df8b5d738e34eb6dc7eae7191
DIST openssh-7.9p1.tar.gz 1565384 BLAKE2B de15795e03d33d4f9fe4792f6b14500123230b6c00c1e5bd7207bb6d6bf6df0b2e057c1b1de0fee709f58dd159203fdd69fe1473118a6baedebaa0c1c4c55b59 SHA512 0412c9c429c9287f0794023951469c8e6ec833cdb55821bfa0300dd90d0879ff60484f620cffd93372641ab69bf0b032c2d700ccc680950892725fb631b7708e
DIST openssh-7_8_P1-hpn-AES-CTR-14.16.diff 29231 BLAKE2B e25877c5e22f674e6db5a0bc107e5daa2509fe762fb14ce7bb2ce9a115e8177a93340c1d19247b6c2c854b7e1f9ae9af9fd932e5fa9c0a6b2ba438cd11a42991 SHA512 1867fb94c29a51294a71a3ec6a299757565a7cda5696118b0b346ed9c78f2c81bb1b888cff5e3418776b2fa277a8f070c5eb9327bb005453e2ffd72d35cdafa7
DIST openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 43356 BLAKE2B 776fa140d64a16c339b46a7c773258d2f4fe44e48b16abccad1a8757a51cb6362722fc5f42c39159af12849f5c88cf574de64815085c97157e16653f18d4909b SHA512 53f2752b7aa02719c8dfe0fe0ef16e874101ba2ba87924aa1122cd445ece218ca09c22abaa3377307f25d459579bc28d3854e2402c71b794db65d58cdd1ebc08

44
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.7_p1-GSSAPI-dns.patch → sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.8_p1-GSSAPI-dns.patch vendored
View File

@ -1,9 +1,8 @@
https://bugs.gentoo.org/165444
https://bugzilla.mindrot.org/show_bug.cgi?id=1008
diff --git a/auth.c b/auth.c
index 9a3bc96f..fc2c3620 100644
--- a/auth.c
+++ b/auth.c
@@ -728,120 +728,6 @@ fakepw(void)
@@ -733,120 +733,6 @@ fakepw(void)
return (&fake);
}
@ -122,8 +121,10 @@ https://bugzilla.mindrot.org/show_bug.cgi?id=1008
-}
-
/*
* Runs command in a subprocess wuth a minimal environment.
* Runs command in a subprocess with a minimal environment.
* Returns pid on success, 0 on failure.
diff --git a/canohost.c b/canohost.c
index f71a0856..3e162d8c 100644
--- a/canohost.c
+++ b/canohost.c
@@ -202,3 +202,117 @@ get_local_port(int sock)
@ -244,17 +245,19 @@ https://bugzilla.mindrot.org/show_bug.cgi?id=1008
+ return dnsname;
+ }
+}
diff --git a/readconf.c b/readconf.c
index db5f2d54..67feffa5 100644
--- a/readconf.c
+++ b/readconf.c
@@ -160,6 +160,7 @@ typedef enum {
@@ -161,6 +161,7 @@ typedef enum {
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+ oGssTrustDns,
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oControlPersist,
oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
@@ -200,9 +201,11 @@ static struct {
@@ -202,9 +203,11 @@ static struct {
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
{ "gssapidelegatecredentials", oGssDelegateCreds },
@ -266,7 +269,7 @@ https://bugzilla.mindrot.org/show_bug.cgi?id=1008
#endif
#ifdef ENABLE_PKCS11
{ "smartcarddevice", oPKCS11Provider },
@@ -954,6 +957,10 @@ parse_time:
@@ -977,6 +980,10 @@ parse_time:
intptr = &options->gss_deleg_creds;
goto parse_flag;
@ -277,7 +280,7 @@ https://bugzilla.mindrot.org/show_bug.cgi?id=1008
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
@@ -1766,6 +1773,7 @@ initialize_options(Options * options)
@@ -1818,6 +1825,7 @@ initialize_options(Options * options)
options->challenge_response_authentication = -1;
options->gss_authentication = -1;
options->gss_deleg_creds = -1;
@ -285,7 +288,7 @@ https://bugzilla.mindrot.org/show_bug.cgi?id=1008
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
@@ -1908,6 +1916,8 @@ fill_default_options(Options * options)
@@ -1964,6 +1972,8 @@ fill_default_options(Options * options)
options->gss_authentication = 0;
if (options->gss_deleg_creds == -1)
options->gss_deleg_creds = 0;
@ -294,9 +297,11 @@ https://bugzilla.mindrot.org/show_bug.cgi?id=1008
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
diff --git a/readconf.h b/readconf.h
index c5688781..af809cc8 100644
--- a/readconf.h
+++ b/readconf.h
@@ -43,6 +43,7 @@ typedef struct {
@@ -41,6 +41,7 @@ typedef struct {
/* Try S/Key or TIS, authentication. */
int gss_authentication; /* Try GSS authentication */
int gss_deleg_creds; /* Delegate GSS credentials */
@ -304,9 +309,11 @@ https://bugzilla.mindrot.org/show_bug.cgi?id=1008
int password_authentication; /* Try password
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
diff --git a/ssh_config.5 b/ssh_config.5
index f499396a..be758544 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -731,6 +731,16 @@ The default is
@@ -722,6 +722,16 @@ The default is
Forward (delegate) credentials to the server.
The default is
.Cm no .
@ -323,12 +330,14 @@ https://bugzilla.mindrot.org/show_bug.cgi?id=1008
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
diff --git a/sshconnect2.c b/sshconnect2.c
index 10e4f0a0..4f7d49e3 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -643,6 +643,13 @@ userauth_gssapi(Authctxt *authctxt)
@@ -657,6 +657,13 @@ userauth_gssapi(Authctxt *authctxt)
static u_int mech = 0;
OM_uint32 min;
int ok = 0;
int r, ok = 0;
+ const char *gss_host;
+
+ if (options.gss_trust_dns) {
@ -339,13 +348,12 @@ https://bugzilla.mindrot.org/show_bug.cgi?id=1008
/* Try one GSSAPI method at a time, rather than sending them all at
* once. */
@@ -655,7 +662,7 @@ userauth_gssapi(Authctxt *authctxt)
@@ -669,7 +676,7 @@ userauth_gssapi(Authctxt *authctxt)
/* My DER encoding requires length<128 */
if (gss_supported->elements[mech].length < 128 &&
ssh_gssapi_check_mechanism(&gssctxt,
ssh_gssapi_check_mechanism(&gssctxt,
- &gss_supported->elements[mech], authctxt->host)) {
+ &gss_supported->elements[mech], gss_host)) {
ok = 1; /* Mechanism works */
} else {
mech++;
--

16
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-CVE-2018-20685.patch vendored Normal file
View File

@ -0,0 +1,16 @@
CVE-2018-20685
https://github.com/openssh/openssh-portable/commit/6010c0303a422a9c5fa8860c061bf7105eb7f8b2
--- a/scp.c
+++ b/scp.c
@@ -1106,7 +1106,8 @@ sink(int argc, char **argv)
SCREWUP("size out of range");
size = (off_t)ull;
- if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
+ if (*cp == '\0' || strchr(cp, '/') != NULL ||
+ strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) {
run_err("error: unexpected filename: %s", cp);
exit(1);
}

12
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-X509-11.6-tests.patch vendored Normal file
View File

@ -0,0 +1,12 @@
diff -ur openssh-7.9p1.orig/openbsd-compat/regress/Makefile.in openssh-7.9p1/openbsd-compat/regress/Makefile.in
--- openssh-7.9p1.orig/openbsd-compat/regress/Makefile.in 2018-10-16 17:01:20.000000000 -0700
+++ openssh-7.9p1/openbsd-compat/regress/Makefile.in 2018-12-19 11:03:14.421028691 -0800
@@ -7,7 +7,7 @@
CC=@CC@
LD=@LD@
CFLAGS=@CFLAGS@
-CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
+CPPFLAGS=-I. -I.. -I$(srcdir) -I../.. @CPPFLAGS@ @DEFS@
EXEEXT=@EXEEXT@
LIBCOMPAT=../libopenbsd-compat.a
LIBS=@LIBS@

16
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-X509-dont-make-piddir-11.6.patch vendored Normal file
View File

@ -0,0 +1,16 @@
--- a/openssh-7.9p1+x509-11.6.diff 2018-12-07 17:24:03.211328918 -0800
+++ b/openssh-7.9p1+x509-11.6.diff 2018-12-07 17:24:13.399262277 -0800
@@ -40681,12 +40681,11 @@
install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
-@@ -333,6 +351,8 @@
+@@ -333,6 +351,7 @@
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
$(MKDIR_P) $(DESTDIR)$(libexecdir)
+ $(MKDIR_P) $(DESTDIR)$(sshcadir)
-+ $(MKDIR_P) $(DESTDIR)$(piddir)
$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)

28
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-X509-glue-11.6.patch vendored Normal file
View File

@ -0,0 +1,28 @@
--- a/openssh-7.9p1+x509-11.6.diff 2018-12-19 10:42:01.241775036 -0800
+++ b/openssh-7.9p1+x509-11.6.diff 2018-12-19 10:43:33.383140818 -0800
@@ -45862,7 +45862,7 @@
ENGINE_register_all_complete();
+#endif
--#if OPENSSL_VERSION_NUMBER < 0x10001000L
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ /* OPENSSL_config will load buildin engines and engines
+ * specified in configuration file, i.e. method call
+ * ENGINE_load_builtin_engines. Latter is only for
@@ -81123,16 +81123,6 @@
setlocale(LC_CTYPE, "POSIX.UTF-8") != NULL))
return;
setlocale(LC_CTYPE, "C");
-diff -ruN openssh-7.9p1/version.h openssh-7.9p1+x509-11.6/version.h
---- openssh-7.9p1/version.h 2018-10-17 03:01:20.000000000 +0300
-+++ openssh-7.9p1+x509-11.6/version.h 2018-12-18 20:07:00.000000000 +0200
-@@ -2,5 +2,4 @@
-
- #define SSH_VERSION "OpenSSH_7.9"
-
--#define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
diff -ruN openssh-7.9p1/version.m4 openssh-7.9p1+x509-11.6/version.m4
--- openssh-7.9p1/version.m4 1970-01-01 02:00:00.000000000 +0200
+++ openssh-7.9p1+x509-11.6/version.m4 2018-12-18 20:07:00.000000000 +0200

79
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-hpn-X509-glue.patch vendored Normal file
View File

@ -0,0 +1,79 @@
--- temp/openssh-7_8_P1-hpn-AES-CTR-14.16.diff.orig 2018-09-12 15:58:57.377986085 -0700
+++ temp/openssh-7_8_P1-hpn-AES-CTR-14.16.diff 2018-09-12 16:07:15.376711327 -0700
@@ -4,8 +4,8 @@
+++ b/Makefile.in
@@ -42,7 +42,7 @@ CC=@CC@
LD=@LD@
- CFLAGS=@CFLAGS@
- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
-LIBS=@LIBS@
+LIBS=@LIBS@ -lpthread
K5LIBS=@K5LIBS@
@@ -788,8 +788,8 @@
ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
{
struct session_state *state;
-- const struct sshcipher *none = cipher_by_name("none");
-+ struct sshcipher *none = cipher_by_name("none");
+- const struct sshcipher *none = cipher_none();
++ struct sshcipher *none = cipher_none();
int r;
if (none == NULL) {
@@ -933,9 +933,9 @@
/* Portable-specific options */
sUsePAM,
+ sDisableMTAES,
- /* Standard Options */
- sPort, sHostKeyFile, sLoginGraceTime,
- sPermitRootLogin, sLogFacility, sLogLevel,
+ /* X.509 Standard Options */
+ sHostbasedAlgorithms,
+ sPubkeyAlgorithms,
@@ -626,6 +630,7 @@ static struct {
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
--- temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff.orig 2018-09-12 16:38:16.947447218 -0700
+++ temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 2018-09-12 16:32:35.479700864 -0700
@@ -382,7 +382,7 @@
@@ -822,6 +822,10 @@ kex_choose_conf(struct ssh *ssh)
int nenc, nmac, ncomp;
u_int mode, ctos, need, dh_need, authlen;
- int r, first_kex_follows;
+ int r, first_kex_follows = 0;
+ int auth_flag;
+
+ auth_flag = packet_authentication_state(ssh);
@@ -1125,15 +1125,6 @@
index a738c3a..b32dbe0 100644
--- a/sshd.c
+++ b/sshd.c
-@@ -373,7 +373,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
- char remote_version[256]; /* Must be at least as big as buf. */
-
- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
- *options.version_addendum == '\0' ? "" : " ",
- options.version_addendum);
-
@@ -1037,6 +1037,8 @@ listen_on_addrs(struct listenaddr *la)
int ret, listen_sock;
struct addrinfo *ai;
@@ -1213,14 +1204,3 @@
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
-diff --git a/version.h b/version.h
-index f1bbf00..21a70c2 100644
---- a/version.h
-+++ b/version.h
-@@ -3,4 +3,5 @@
- #define SSH_VERSION "OpenSSH_7.8"
-
- #define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
-+

112
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-hpn-glue.patch vendored Normal file
View File

@ -0,0 +1,112 @@
--- temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff.orig 2018-09-11 17:19:19.968420409 -0700
+++ temp/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 2018-09-11 17:39:19.977535398 -0700
@@ -409,18 +409,10 @@
index dcf35e6..da4ced0 100644
--- a/packet.c
+++ b/packet.c
-@@ -920,6 +920,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+@@ -920,6 +920,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
return 0;
}
-+/* this supports the forced rekeying required for the NONE cipher */
-+int rekey_requested = 0;
-+void
-+packet_request_rekeying(void)
-+{
-+ rekey_requested = 1;
-+}
-+
+/* used to determine if pre or post auth when rekeying for aes-ctr
+ * and none cipher switch */
+int
@@ -434,20 +426,6 @@
#define MAX_PACKETS (1U<<31)
static int
ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-@@ -946,6 +964,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
- if (state->p_send.packets == 0 && state->p_read.packets == 0)
- return 0;
-
-+ /* used to force rekeying when called for by the none
-+ * cipher switch methods -cjr */
-+ if (rekey_requested == 1) {
-+ rekey_requested = 0;
-+ return 1;
-+ }
-+
- /* Time-based rekeying */
- if (state->rekey_interval != 0 &&
- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
diff --git a/packet.h b/packet.h
index 170203c..f4d9df2 100644
--- a/packet.h
@@ -476,9 +454,9 @@
/* Format of the configuration file:
@@ -166,6 +167,8 @@ typedef enum {
- oHashKnownHosts,
oTunnel, oTunnelDevice,
oLocalCommand, oPermitLocalCommand, oRemoteCommand,
+ oDisableMTAES,
+ oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
+ oNoneEnabled, oNoneSwitch,
oVisualHostKey,
@@ -615,9 +593,9 @@
int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
SyslogFacility log_facility; /* Facility for system logging. */
@@ -111,7 +115,10 @@ typedef struct {
-
int enable_ssh_keysign;
int64_t rekey_limit;
+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
+ int none_switch; /* Use none cipher */
+ int none_enabled; /* Allow none to be used */
int rekey_interval;
@@ -673,9 +651,9 @@
/* Portable-specific options */
if (options->use_pam == -1)
@@ -391,6 +400,43 @@ fill_default_server_options(ServerOptions *options)
- }
- if (options->permit_tun == -1)
options->permit_tun = SSH_TUNMODE_NO;
+ if (options->disable_multithreaded == -1)
+ options->disable_multithreaded = 0;
+ if (options->none_enabled == -1)
+ options->none_enabled = 0;
+ if (options->hpn_disabled == -1)
@@ -1092,7 +1070,7 @@
xxx_host = host;
xxx_hostaddr = hostaddr;
-@@ -412,6 +423,28 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
+@@ -412,6 +423,27 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host,
if (!authctxt.success)
fatal("Authentication failed.");
@@ -1117,10 +1095,9 @@
+ fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n");
+ }
+ }
-+
- debug("Authentication succeeded (%s).", authctxt.method->name);
- }
+ #ifdef WITH_OPENSSL
+ if (options.disable_multithreaded == 0) {
diff --git a/sshd.c b/sshd.c
index a738c3a..b32dbe0 100644
--- a/sshd.c
@@ -1217,11 +1194,10 @@
index f1bbf00..21a70c2 100644
--- a/version.h
+++ b/version.h
-@@ -3,4 +3,6 @@
+@@ -3,4 +3,5 @@
#define SSH_VERSION "OpenSSH_7.8"
#define SSH_PORTABLE "p1"
-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_HPN "-hpn14v16"
+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
+

91
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-hpn-openssl-1.1.patch vendored Normal file
View File

@ -0,0 +1,91 @@
--- openssh-7.9p1.orig/cipher-ctr-mt.c 2018-10-24 20:48:00.909255466 -0000
+++ openssh-7.9p1/cipher-ctr-mt.c 2018-10-24 20:48:17.378155144 -0000
@@ -46,7 +46,7 @@
/*-------------------- TUNABLES --------------------*/
/* maximum number of threads and queues */
-#define MAX_THREADS 32
+#define MAX_THREADS 32
#define MAX_NUMKQ (MAX_THREADS * 2)
/* Number of pregen threads to use */
@@ -435,7 +435,7 @@
destp.u += AES_BLOCK_SIZE;
srcp.u += AES_BLOCK_SIZE;
len -= AES_BLOCK_SIZE;
- ssh_ctr_inc(ctx->iv, AES_BLOCK_SIZE);
+ ssh_ctr_inc(c->aes_counter, AES_BLOCK_SIZE);
/* Increment read index, switch queues on rollover */
if ((ridx = (ridx + 1) % KQLEN) == 0) {
@@ -481,8 +481,6 @@
/* get the number of cores in the system */
/* if it's not linux it currently defaults to 2 */
/* divide by 2 to get threads for each direction (MODE_IN||MODE_OUT) */
- /* NB: assigning a float to an int discards the remainder which is */
- /* acceptable (and wanted) in this case */
#ifdef __linux__
cipher_threads = sysconf(_SC_NPROCESSORS_ONLN) / 2;
#endif /*__linux__*/
@@ -551,16 +550,16 @@
}
if (iv != NULL) {
- memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
+ memcpy(c->aes_counter, iv, AES_BLOCK_SIZE);
c->state |= HAVE_IV;
}
if (c->state == (HAVE_KEY | HAVE_IV)) {
/* Clear queues */
- memcpy(c->q[0].ctr, ctx->iv, AES_BLOCK_SIZE);
+ memcpy(c->q[0].ctr, c->aes_counter, AES_BLOCK_SIZE);
c->q[0].qstate = KQINIT;
for (i = 1; i < numkq; i++) {
- memcpy(c->q[i].ctr, ctx->iv, AES_BLOCK_SIZE);
+ memcpy(c->q[i].ctr, c->aes_counter, AES_BLOCK_SIZE);
ssh_ctr_add(c->q[i].ctr, i * KQLEN, AES_BLOCK_SIZE);
c->q[i].qstate = KQEMPTY;
}
@@ -644,8 +643,22 @@
const EVP_CIPHER *
evp_aes_ctr_mt(void)
{
+# if OPENSSL_VERSION_NUMBER >= 0x10100000UL && !defined(LIBRESSL_VERSION_NUMBER)
+ static EVP_CIPHER *aes_ctr;
+ aes_ctr = EVP_CIPHER_meth_new(NID_undef, 16/*block*/, 16/*key*/);
+ EVP_CIPHER_meth_set_iv_length(aes_ctr, AES_BLOCK_SIZE);
+ EVP_CIPHER_meth_set_init(aes_ctr, ssh_aes_ctr_init);
+ EVP_CIPHER_meth_set_cleanup(aes_ctr, ssh_aes_ctr_cleanup);
+ EVP_CIPHER_meth_set_do_cipher(aes_ctr, ssh_aes_ctr);
+# ifndef SSH_OLD_EVP
+ EVP_CIPHER_meth_set_flags(aes_ctr, EVP_CIPH_CBC_MODE
+ | EVP_CIPH_VARIABLE_LENGTH
+ | EVP_CIPH_ALWAYS_CALL_INIT
+ | EVP_CIPH_CUSTOM_IV);
+# endif /*SSH_OLD_EVP*/
+ return (aes_ctr);
+# else /*earlier version of openssl*/
static EVP_CIPHER aes_ctr;
-
memset(&aes_ctr, 0, sizeof(EVP_CIPHER));
aes_ctr.nid = NID_undef;
aes_ctr.block_size = AES_BLOCK_SIZE;
@@ -654,11 +667,12 @@
aes_ctr.init = ssh_aes_ctr_init;
aes_ctr.cleanup = ssh_aes_ctr_cleanup;
aes_ctr.do_cipher = ssh_aes_ctr;
-#ifndef SSH_OLD_EVP
- aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
- EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
-#endif
- return &aes_ctr;
+# ifndef SSH_OLD_EVP
+ aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
+ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
+# endif /*SSH_OLD_EVP*/
+ return &aes_ctr;
+# endif /*OPENSSH_VERSION_NUMBER*/
}
#endif /* defined(WITH_OPENSSL) */

17
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-hpn-sctp-glue.patch vendored Normal file
View File

@ -0,0 +1,17 @@
--- dd/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff.orig 2018-09-12 18:18:51.851536374 -0700
+++ dd/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 2018-09-12 18:19:01.116475099 -0700
@@ -1190,14 +1190,3 @@
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
-diff --git a/version.h b/version.h
-index f1bbf00..21a70c2 100644
---- a/version.h
-+++ b/version.h
-@@ -3,4 +3,5 @@
- #define SSH_VERSION "OpenSSH_7.8"
-
- #define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
-+

48
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-include-stdlib.patch vendored Normal file
View File

@ -0,0 +1,48 @@
diff --git a/auth-options.c b/auth-options.c
index b05d6d6f..d1f42f04 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -26,6 +26,7 @@
#include <stdarg.h>
#include <ctype.h>
#include <limits.h>
+#include <stdlib.h>
#include "openbsd-compat/sys-queue.h"
diff --git a/hmac.c b/hmac.c
index 1c879640..a29f32c5 100644
--- a/hmac.c
+++ b/hmac.c
@@ -19,6 +19,7 @@
#include <sys/types.h>
#include <string.h>
+#include <stdlib.h>
#include "sshbuf.h"
#include "digest.h"
diff --git a/krl.c b/krl.c
index 8e2d5d5d..c32e147a 100644
--- a/krl.c
+++ b/krl.c
@@ -28,6 +28,7 @@
#include <string.h>
#include <time.h>
#include <unistd.h>
+#include <stdlib.h>
#include "sshbuf.h"
#include "ssherr.h"
diff --git a/mac.c b/mac.c
index 51dc11d7..3d11eba6 100644
--- a/mac.c
+++ b/mac.c
@@ -29,6 +29,7 @@
#include <string.h>
#include <stdio.h>
+#include <stdlib.h>
#include "digest.h"
#include "hmac.h"

13
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.9_p1-openssl-1.0.2-compat.patch vendored Normal file
View File

@ -0,0 +1,13 @@
diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
index 8b4a3627..590b66d1 100644
--- a/openbsd-compat/openssl-compat.c
+++ b/openbsd-compat/openssl-compat.c
@@ -76,7 +76,7 @@ ssh_OpenSSL_add_all_algorithms(void)
ENGINE_load_builtin_engines();
ENGINE_register_all_complete();
-#if OPENSSL_VERSION_NUMBER < 0x10001000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
OPENSSL_config(NULL);
#else
OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |

109
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.7_p1-r9.ebuild → sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.9_p1-r4.ebuild vendored
View File

@ -1,34 +1,41 @@
# Copyright 1999-2018 Gentoo Foundation
# Copyright 1999-2019 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="6"
EAPI=6
inherit user flag-o-matic multilib autotools pam systemd
# Make it more portable between straight releases
# and _p? releases.
PARCH=${P/_}
#HPN_PV="${PV^^}"
HPN_PV="7.8_P1"
HPN_VER="14v15-gentoo2" HPN_PATCH="${PARCH}-hpnssh${HPN_VER}.patch.xz"
SCTP_VER="1.1" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
X509_VER="11.3.1" X509_PATCH="${PARCH}-x509-${X509_VER}.patch.xz"
HPN_VER="14.16"
HPN_PATCHES=(
${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
)
PATCH_SET="openssh-7.7p1-patches-1.2"
SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
X509_VER="11.6" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
PATCH_SET="openssh-7.9p1-patches-1.0"
DESCRIPTION="Port of OpenBSD's free SSH release"
HOMEPAGE="https://www.openssh.com/"
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz
${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~whissi/dist/openssh/${SCTP_PATCH} )}
${HPN_PATCH:+hpn? ( https://dev.gentoo.org/~whissi/dist/openssh/${HPN_PATCH} )}
${X509_PATCH:+X509? ( https://dev.gentoo.org/~whissi/dist/openssh/${X509_PATCH} )}
${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_}/%s\n" "${HPN_PATCHES[@]}") )}
${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
"
LICENSE="BSD GPL-2"
SLOT="0"
KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
KEYWORDS="alpha amd64 arm arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
# Probably want to drop ssl defaulting to on in a future version.
IUSE="abi_mips_n32 audit debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux skey +ssl static test X X509"
IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509"
RESTRICT="!test? ( test )"
REQUIRED_USE="ldns? ( ssl )
pie? ( !static )
@ -39,15 +46,22 @@ REQUIRED_USE="ldns? ( ssl )
LIB_DEPEND="
audit? ( sys-process/audit[static-libs(+)] )
ldns? (
net-libs/ldns[ecdsa,ssl(+),static-libs(+)]
net-libs/ldns[static-libs(+)]
!bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
)
libedit? ( dev-libs/libedit:=[static-libs(+)] )
sctp? ( net-misc/lksctp-tools[static-libs(+)] )
selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
ssl? (
!libressl? (
>=dev-libs/openssl-1.0.1:0=[-bindist(-)]
|| (
(
>=dev-libs/openssl-1.0.1:0[bindist=]
<dev-libs/openssl-1.1.0:0[bindist=]
)
>=dev-libs/openssl-1.1.0g:0[bindist=]
)
dev-libs/openssl:0=[static-libs(+)]
)
libressl? ( dev-libs/libressl:0=[static-libs(+)] )
@ -74,7 +88,7 @@ pkg_pretend() {
# than not be able to log in to their server any more
maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
local fail="
$(use hpn && maybe_fail hpn HPN_PATCH)
$(use hpn && maybe_fail hpn HPN_VER)
$(use sctp && maybe_fail sctp SCTP_PATCH)
$(use X509 && maybe_fail X509 X509_PATCH)
"
@ -102,14 +116,39 @@ src_prepare() {
# don't break .ssh/authorized_keys2 for fun
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
eapply "${FILESDIR}"/${PN}-7.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
eapply "${FILESDIR}"/${PN}-7.9_p1-openssl-1.0.2-compat.patch
eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
eapply "${FILESDIR}"/${PN}-7.8_p1-GSSAPI-dns.patch #165444 integrated into gsskex
eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
if use X509 ; then
# patch doesn't apply due to X509 modifications
rm \
"${WORKDIR}"/patches/0001-fix-key-type-check.patch \
"${WORKDIR}"/patches/0002-request-rsa-sha2-cert-signatures.patch \
|| die
else
eapply "${FILESDIR}"/${PN}-7.9_p1-CVE-2018-20685.patch # X509 patch set includes this patch
fi
[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
local PATCHSET_VERSION_MACROS=()
if use X509 ; then
pushd "${WORKDIR}" || die
eapply "${FILESDIR}/${P}-X509-glue-${X509_VER}.patch"
eapply "${FILESDIR}/${P}-X509-dont-make-piddir-${X509_VER}.patch"
popd || die
if use hpn ; then
einfo "Will disable MT AES cipher due to incompatbility caused by X509 patch set"
HPN_DISABLE_MTAES=1
fi
eapply "${WORKDIR}"/${X509_PATCH%.*}
eapply "${FILESDIR}"/${P}-X509-${X509_VER}-tests.patch
# We need to patch package version or any X.509 sshd will reject our ssh client
# with "userauth_pubkey: could not parse key: string is too large [preauth]"
@ -124,20 +163,6 @@ src_prepare() {
-e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
"${S}"/version.h || die "Failed to sed-in X.509 patch version"
PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
einfo "Disabling broken X.509 agent test ..."
sed -i \
-e "/^ agent$/d" \
"${S}"/tests/CA/config || die "Failed to disable broken X.509 agent test"
# The following patches don't apply on top of X509 patch
rm "${WORKDIR}"/patch/2002_all_openssh-7.7p1_upstream_bug2840.patch || die
rm "${WORKDIR}"/patch/2009_all_openssh-7.7p1_make-shell-tests-portable.patch || die
rm "${WORKDIR}"/patch/2016_all_openssh-7.7p1_implement-EMFILE-mitigation-for-ssh-agent.patch || die
rm "${WORKDIR}"/patch/2025_all_openssh-7.7p1_prefer-argv0-to-ssh-when-re-executing-ssh-for-proxyjump.patch || die
else
rm "${WORKDIR}"/patch/2016_all_openssh-7.7p1-X509_implement-EMFILE-mitigation-for-ssh-agent.patch || die
rm "${WORKDIR}"/patch/2025_all_openssh-7.7p1-X509_prefer-argv0-to-ssh-when-re-executing-ssh-for-proxyjump.patch || die
fi
if use sctp ; then
@ -156,7 +181,17 @@ src_prepare() {
fi
if use hpn ; then
eapply "${WORKDIR}"/${HPN_PATCH%.*}
local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
mkdir "${hpn_patchdir}"
cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}"
pushd "${hpn_patchdir}"
eapply "${FILESDIR}"/${P}-hpn-glue.patch
use X509 && eapply "${FILESDIR}"/${P}-hpn-X509-glue.patch
use sctp && eapply "${FILESDIR}"/${P}-hpn-sctp-glue.patch
popd
eapply "${hpn_patchdir}"
eapply "${FILESDIR}/openssh-7.9_p1-hpn-openssl-1.1.patch"
einfo "Patching Makefile.in for HPN patch set ..."
sed -i \
@ -165,7 +200,7 @@ src_prepare() {
einfo "Patching version.h to expose HPN patch set ..."
sed -i \
-e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER}\"" \
-e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
"${S}"/version.h || die "Failed to sed-in HPN patch version"
PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
@ -188,13 +223,6 @@ src_prepare() {
fi
fi
if use X509 || use hpn ; then
einfo "Patching packet.c for X509 and/or HPN patch set ..."
sed -i \
-e "s/const struct sshcipher/struct sshcipher/" \
"${S}"/packet.c || die "Failed to patch ssh_packet_set_connection() (packet.c)"
fi
if use X509 || use sctp || use hpn ; then
einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
sed -i \
@ -216,8 +244,6 @@ src_prepare() {
-e "/#UseLogin no/d" \
"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
eapply "${WORKDIR}"/patch/*.patch
eapply_user #473004
tc-export PKG_CONFIG
@ -263,12 +289,11 @@ src_configure() {
# We apply the sctp patch conditionally, so can't pass --without-sctp
# unconditionally else we get unknown flag warnings.
$(use sctp && use_with sctp)
$(use_with ldns)
$(use_with ldns ldns "${EPREFIX%/}"/usr)
$(use_with libedit)
$(use_with pam)
$(use_with pie)
$(use_with selinux)
$(use_with skey)
$(use_with ssl openssl)
$(use_with ssl md5-passwords)
$(use_with ssl ssl-engine)