net-misc/openssh: Sync with Gentoo

It's from Gentoo commit fff6fa33d9c2e7a3c136031b5e24ee069f784b1a.

Signed-off-by: Flatcar Buildbot <buildbot@flatcar-linux.org>
Flatcar Buildbot 2025-10-13 07:11:37 +00:00 committed by Krzesimir Nowak
parent 9b3ba10ee2
commit a72953c9db
40 changed files with 2592 additions and 709 deletions


@ -1,5 +1,9 @@
DIST openssh-10.0p1.tar.gz 1972675 BLAKE2B 4ce353adf75aade8f4b2a223ad13e2f92cd23d1e60b4ee52bad0eaf036571229438cd9760dfa99c0e10fa09a8ac47b2bfb04eb183fb7b9287ac564ec75316a75 SHA512 2daa1fcf95793b23810142077e68ddfabdf3732b207ef4f033a027f72d733d0e9bcdb6f757e7f3a5934b972de05bfaae3baae381cfc7a400cd8ab4d4e277a0ed
DIST openssh-10.0p1.tar.gz.asc 833 BLAKE2B 105fd1238c9923719fb7fcbafa55806e2e5053095422b95193438d4c536d1f3bae04a1fc674fe1fee8bc14abaa5ea41c4d25134f4fe677cdf1d761c009246f0c SHA512 6ab9deb4233ff159e55a18c9fc07d5ff8a41723dad74aa3d803e1476b585f5662aba34f8a7a1f5fe1d248f3ff3cd663f2c2fb8e399c6a4723b6215b0eb423d13
DIST openssh-10.1p1.tar.gz 1972831 BLAKE2B 08864c9302935cde87eec9d736a90b0bcf23220349bf77cc177459715c567b6178722e9e5d8eea3d55eddb49fef09c187e0895e72236aede397e67674e10cd31 SHA512 9b88ac5b84461a0d4f6022b4dee294964487ea36d5ba5cb9c35d2edcba49a687c609ea30f272ebf924270a025cf2cd82677d0917e5d37334534cd5bee93452d9
DIST openssh-10.1p1.tar.gz.asc 833 BLAKE2B c9df62728276464926ac7d28d54dd23a42bef150a9f64bfec14278d0e1817a876ee76b3329aca863997107bb8d4d43a694643f730249d9940d967b4c2a18fed3 SHA512 a4082bf8526d60094b5a3207995793c44448833b1cdd7ec91f04554fd8bddc1df3b45ee9ffe42de3bfc72d4968808834e289159e3c96f031e09a78da844641ae
DIST openssh-10.2p1.tar.gz 1974519 BLAKE2B 8c031b10b1642e21b46f7d1db84ba42692e378a54af3d8e5b5c8706c3a0a06d442a02ed8803063121e7ff325ea275cad4432b9eaa6a7f47a4d7cfad504953ab6 SHA512 66f3dd646179e71aaf41c33b6f14a207dc873d71d24f11c130a89dee317ee45398b818e5b94887b5913240964a38630d7bca3e481e0f1eff2e41d9e1cfdbdfc5
DIST openssh-10.2p1.tar.gz.asc 833 BLAKE2B 34e1a697e9565f5d4e8139537e76e123512285662576f6f2b513ba129d5e42310c1997e70d7c69b2c4fe1c85f9323ef686b8f83f12a73c5a4f229ff855efd7c6 SHA512 f1f71700b1b0b2117aed505488b98b7ebb51ce26e53184b08df0b07aa2c5a1e54dc4d3cbcbe871b5ad849a2a0e22b02af318ff22a68c980ab53b04be03c9bf3c
DIST openssh-9.8p1.tar.gz 1910393 BLAKE2B 3bf983c4ef5358054ed0104cd51d3e0069fbc2b80d8522d0df644d5508ec1d26a67bf061b1b5698d1cdf0d2cbba16b4cdca12a4ce30da24429094576a075e192 SHA512 95dec2f18e58eb47994f3de4430253e0665e185564b65088ca5f4108870e05feddef8cda8d3c0a4b75f18b98cc2c024df0e27de53b48c1a16da8da483cb8292a
DIST openssh-9.8p1.tar.gz.asc 833 BLAKE2B 5291e8c03ab9a75acb44285cd7fc010f4a33551f142499624165dac708fc05a6d077df81555aa41037b45f6301e4e5db3161a7a23404473f8a233a877fc55cc3 SHA512 4df1f1be2c6ab7f3aebaedd0a773b0e8c8929abb30cd3415873ad55d012cfa113f792e888e5e772dd468c394aeb7e35d62893a514dbc0ab1a03acd79918657f7
DIST openssh-9.9p2.tar.gz 1944499 BLAKE2B 1b5bc09482b3a807ccfee52c86c6be3c363acf0c8e774862e0ae64f76bfeb4ce7cf29b3ed2f99c04c89bb4977da0cf50a7a175b15bf1d9925de1e03c66f8306d SHA512 4c6d839aa3189cd5254c745f2bd51cd3f468b02f8e427b8d7a16b9ad017888a41178d2746dc51fb2d3fec5be00e54b9ab7c32c472ca7dec57a1dea4fc9840278


@ -0,0 +1,41 @@
https://github.com/openssh/openssh-portable/commit/4b1f172fe91c253d09d75650981a3e0c87651fa3
From 4b1f172fe91c253d09d75650981a3e0c87651fa3 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Wed, 30 Apr 2025 05:23:15 +0000
Subject: [PATCH] upstream: fix a out-of-bounds read if the known_hosts file is
truncated after the hostname.
Reported by the OpenAI Security Research Team
ok deraadt@
OpenBSD-Commit-ID: c0b516d7c80c4779a403826f73bcd8adbbc54ebd
---
hostfile.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/hostfile.c b/hostfile.c
index c5669c70373..a4a5a9a5e3a 100644
--- a/hostfile.c
+++ b/hostfile.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: hostfile.c,v 1.95 2023/02/21 06:48:18 dtucker Exp $ */
+/* $OpenBSD: hostfile.c,v 1.96 2025/04/30 05:23:15 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -810,6 +810,12 @@ hostkeys_foreach_file(const char *path, FILE *f, hostkeys_foreach_fn *callback,
/* Find the end of the host name portion. */
for (cp2 = cp; *cp2 && *cp2 != ' ' && *cp2 != '\t'; cp2++)
;
+ if (*cp2 == '\0') {
+ verbose_f("truncated line at %s:%lu", path, linenum);
+ if ((options & HKF_WANT_MATCH) == 0)
+ goto bad;
+ continue;
+ }
lineinfo.hosts = cp;
*cp2++ = '\0';
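Review bot: The new check only fires when the line ends immediately after the hostname, so a line like `host ` (hostname followed only by trailing whitespace) still passes it, reaches `*cp2++ = '\0'`, and leaves the key-type parse below — outside this hunk — to cope with an empty remainder; worth confirming that path is bounded as well. The added `continue` means a truncated line is silently skipped in HKF_WANT_MATCH mode and surfaces only at verbose level, whereas the non-match mode goes to `bad` and presumably reports the line as invalid to the callback; a short comment would make that asymmetry read as intentional, e.g. `/* Line ends at the hostname: no key follows. Skip it when matching, report it when enumerating. */`. hostkeys_foreach_file begins and ends outside the hunk.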


@ -0,0 +1,94 @@
https://github.com/openssh/openssh-portable/commit/78af391990b210ae0797c37c30719232cda61fef
From 78af391990b210ae0797c37c30719232cda61fef Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Fri, 4 Jul 2025 09:51:01 +0000
Subject: [PATCH] upstream: Fix mistracking of MaxStartups process exits in
some
situations. At worst, this can cause all MaxStartups slots to fill and sshd
to refuse new connections.
Diagnosis by xnor; ok dtucker@
OpenBSD-Commit-ID: 10273033055552557196730f898ed6308b36a78d
---
sshd.c | 28 ++++++++++++++++------------
1 file changed, 16 insertions(+), 12 deletions(-)
diff --git a/sshd.c b/sshd.c
index 4a93e29e4c0..d721a5de36a 100644
--- a/sshd.c
+++ b/sshd.c
@@ -289,8 +289,10 @@ child_finish(struct early_child *child)
{
if (children_active == 0)
fatal_f("internal error: children_active underflow");
- if (child->pipefd != -1)
+ if (child->pipefd != -1) {
+ srclimit_done(child->pipefd);
close(child->pipefd);
+ }
sshbuf_free(child->config);
sshbuf_free(child->keys);
free(child->id);
@@ -311,6 +313,7 @@ child_close(struct early_child *child, int force_final, int quiet)
if (!quiet)
debug_f("enter%s", force_final ? " (forcing)" : "");
if (child->pipefd != -1) {
+ srclimit_done(child->pipefd);
close(child->pipefd);
child->pipefd = -1;
}
@@ -1039,7 +1042,6 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s,
if (ret <= 0) {
if (children[i].early)
listening--;
- srclimit_done(children[i].pipefd);
child_close(&(children[i]), 0, 0);
continue;
}
@@ -1078,23 +1080,19 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s,
}
/* FALLTHROUGH */
case 0:
- /* child exited preauth */
+ /* child closed pipe */
if (children[i].early)
listening--;
- srclimit_done(children[i].pipefd);
+ debug3_f("child %lu for %s closed pipe",
+ (long)children[i].pid, children[i].id);
child_close(&(children[i]), 0, 0);
break;
case 1:
if (children[i].config) {
error_f("startup pipe %d (fd=%d)"
- " early read", i, children[i].pipefd);
- if (children[i].early)
- listening--;
- if (children[i].pid > 0)
- kill(children[i].pid, SIGTERM);
- srclimit_done(children[i].pipefd);
- child_close(&(children[i]), 0, 0);
- break;
+ " early read",
+ i, children[i].pipefd);
+ goto problem_child;
}
if (children[i].early && c == '\0') {
/* child has finished preliminaries */
@@ -1114,6 +1112,12 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s,
"child %ld for %s in state %d",
(int)c, (long)children[i].pid,
children[i].id, children[i].early);
+ problem_child:
+ if (children[i].early)
+ listening--;
+ if (children[i].pid > 0)
+ kill(children[i].pid, SIGTERM);
+ child_close(&(children[i]), 0, 0);
}
break;
}
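Review bot: `goto problem_child` in the early-read case jumps to a label that sits inside the body of the branch that logs "child %ld for %s in state %d", so the shared teardown is entered by jumping into another block; that is legal C but easy to misread, and the label deserves a comment such as `/* problem_child: shared teardown for a misbehaving child; also the target of the early-read goto above */`. Moving `srclimit_done()` into child_finish()/child_close() keyed on pipefd is what fixes the slot leak, but it now relies on every path that closes a startup pipe going through one of those two helpers; any remaining direct `close(children[i].pipefd)` elsewhere in sshd.c, not visible here, would leak a MaxStartups slot again. In child_finish() the pipefd is not reset to -1 after the close (unlike child_close()), so if both can run on the same child the `!= -1` guard alone is what prevents a double `srclimit_done()`; confirm the field is cleared or the struct freed right after. server_accept_loop, child_finish and child_close all start or end outside this hunk.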


@ -0,0 +1,76 @@
From 979cbc2c1e0c9cd2f60d45d8d1da69519ec425cf Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Tue, 7 Oct 2025 08:02:32 +0000
Subject: [PATCH 1/6] upstream: don't reuse c->isatty for signalling that the
remote channel
has a tty attached as this causes side effects, e.g. in channel_handle_rfd().
bz3872
ok markus@
OpenBSD-Commit-ID: 4cd8a9f641498ca6089442e59bad0fd3dcbe85f8
---
channels.c | 9 +++++----
channels.h | 3 ++-
2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/channels.c b/channels.c
index f1d7bcf34..80014ff34 100644
--- a/channels.c
+++ b/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.451 2025/09/25 06:33:19 djm Exp $ */
+/* $OpenBSD: channels.c,v 1.452 2025/10/07 08:02:32 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -362,7 +362,7 @@ channel_classify(struct ssh *ssh, Channel *c)
{
struct ssh_channels *sc = ssh->chanctxt;
const char *type = c->xctype == NULL ? c->ctype : c->xctype;
- const char *classifier = c->isatty ?
+ const char *classifier = (c->isatty || c->remote_has_tty) ?
sc->bulk_classifier_tty : sc->bulk_classifier_notty;
c->bulk = type != NULL && match_pattern_list(type, classifier, 0) == 1;
@@ -566,7 +566,7 @@ channel_new(struct ssh *ssh, char *ctype, int type, int rfd, int wfd, int efd,
void
channel_set_tty(struct ssh *ssh, Channel *c)
{
- c->isatty = 1;
+ c->remote_has_tty = 1;
channel_classify(ssh, c);
}
@@ -1078,7 +1078,8 @@ channel_format_status(const Channel *c)
c->rfd, c->wfd, c->efd, c->sock, c->ctl_chan,
c->have_ctl_child_id ? "c" : "nc", c->ctl_child_id,
c->io_want, c->io_ready,
- c->isatty ? "T" : "", c->bulk ? "B" : "I");
+ c->isatty ? "T" : (c->remote_has_tty ? "RT" : ""),
+ c->bulk ? "B" : "I");
return ret;
}
diff --git a/channels.h b/channels.h
index df7c7f364..7456541f8 100644
--- a/channels.h
+++ b/channels.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.h,v 1.161 2025/09/25 06:33:19 djm Exp $ */
+/* $OpenBSD: channels.h,v 1.162 2025/10/07 08:02:32 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -145,6 +145,7 @@ struct Channel {
int ctl_chan; /* control channel (multiplexed connections) */
uint32_t ctl_child_id; /* child session for mux controllers */
int have_ctl_child_id;/* non-zero if ctl_child_id is valid */
+ int remote_has_tty; /* remote side has a tty */
int isatty; /* rfd is a tty */
#ifdef _AIX
int wfd_isatty; /* wfd is a tty */
--
2.51.0
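Review bot: `remote_has_tty` is a new struct member, so the change is only safe if the Channel allocation zero-fills it; channel_new is outside this hunk, so confirm it allocates with xcalloc or sets the field explicitly rather than leaving it indeterminate. In channel_format_status a channel with both `isatty` and `remote_has_tty` set prints only "T", hiding the remote flag in debug output; `c->isatty ? (c->remote_has_tty ? "T+RT" : "T") : (c->remote_has_tty ? "RT" : "")` would keep both visible. The header comment could also say what the flag is for and what it deliberately does not touch: `int remote_has_tty; /* peer has a tty (set by channel_set_tty); feeds bulk classification only, never rfd handling */`.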


@ -0,0 +1,69 @@
From 28a2788d609efe363b403432b08511c801d13667 Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@dtucker.net>
Date: Tue, 7 Oct 2025 20:04:40 +1100
Subject: [PATCH 2/6] Add clock_gettime compat shim.
This fixes the build on macOS prior to 10.12 Sierra, since it does not
have it. Found and tested by Sevan Janiyan.
---
openbsd-compat/bsd-misc.c | 24 ++++++++++++++++++++++++
openbsd-compat/bsd-misc.h | 8 ++++++++
2 files changed, 32 insertions(+)
diff --git a/openbsd-compat/bsd-misc.c b/openbsd-compat/bsd-misc.c
index 983cd3fe6..2c196ec23 100644
--- a/openbsd-compat/bsd-misc.c
+++ b/openbsd-compat/bsd-misc.c
@@ -494,6 +494,30 @@ localtime_r(const time_t *timep, struct tm *result)
}
#endif
+#ifndef HAVE_CLOCK_GETTIME
+int
+clock_gettime(clockid_t clockid, struct timespec *ts)
+{
+ struct timeval tv;
+
+ if (clockid != CLOCK_REALTIME) {
+ errno = ENOSYS;
+ return -1;
+ }
+ if (ts == NULL) {
+ errno = EFAULT;
+ return -1;
+ }
+
+ if (gettimeofday(&tv, NULL) == -1)
+ return -1;
+
+ ts->tv_sec = tv.tv_sec;
+ ts->tv_nsec = (long)tv.tv_usec * 1000;
+ return 0;
+}
+#endif
+
#ifdef ASAN_OPTIONS
const char *__asan_default_options(void) {
return ASAN_OPTIONS;
diff --git a/openbsd-compat/bsd-misc.h b/openbsd-compat/bsd-misc.h
index 2ad89cd83..8495f471c 100644
--- a/openbsd-compat/bsd-misc.h
+++ b/openbsd-compat/bsd-misc.h
@@ -202,6 +202,14 @@ int flock(int, int);
struct tm *localtime_r(const time_t *, struct tm *);
#endif
+#ifndef HAVE_CLOCK_GETTIME
+typedef int clockid_t;
+#ifndef CLOCK_REALTIME
+# define CLOCK_REALTIME 0
+#endif
+int clock_gettime(clockid_t, struct timespec *);
+#endif
+
#ifndef HAVE_REALPATH
#define realpath(x, y) (sftp_realpath((x), (y)))
#endif
--
2.51.0
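Review bot: The shim only emulates CLOCK_REALTIME and returns ENOSYS for any other clock, so a caller asking for CLOCK_MONOTONIC on such a host gets a failure rather than a silently non-monotonic substitute; that is the right choice for timeout and rate-limit code, but it should be stated at the definition: `/* Wall-clock only: CLOCK_MONOTONIC is deliberately not emulated so callers must fall back explicitly. */`. In bsd-misc.h the `typedef int clockid_t;` is guarded only by HAVE_CLOCK_GETTIME, so on a system that declares clockid_t but lacks the function the typedef will collide; if configure does not already probe the type, guard it separately (e.g. `#ifndef HAVE_CLOCKID_T`). The `ts == NULL` check is extra safety beyond what POSIX requires and is fine to keep.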


@ -0,0 +1,27 @@
From aefeee5bedcf117aa9278014eda5f099b5898a10 Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@dtucker.net>
Date: Tue, 7 Oct 2025 20:10:56 +1100
Subject: [PATCH 3/6] Don't copy native host keys for hostbased test.
Some github runners (notably macos-14) seem to have host keys where
public and private do not match, so generate our own keys for testing
purposes.
---
.github/run_test.sh | 1 -
1 file changed, 1 deletion(-)
diff --git a/.github/run_test.sh b/.github/run_test.sh
index aac9ce579..33c90ac29 100755
--- a/.github/run_test.sh
+++ b/.github/run_test.sh
@@ -13,7 +13,6 @@ if [ ! -z "$SUDO" ] && [ ! -z "$TEST_SSH_HOSTBASED_AUTH" ]; then
hostname | $SUDO tee $sshconf/shosts.equiv >/dev/null
echo "EnableSSHKeysign yes" | $SUDO tee $sshconf/ssh_config >/dev/null
$SUDO mkdir -p $sshconf
- $SUDO cp -p /etc/ssh/ssh_host*key* $sshconf
$SUDO make install
for key in $sshconf/ssh_host*key*.pub; do
echo `hostname` `cat $key` | \
--
2.51.0


@ -0,0 +1,32 @@
From acb690b499e0ec2ce37869c26133615762f53cab Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Mon, 20 Mar 2023 20:22:14 +0100
Subject: [PATCH 4/6] Only set PAM_RHOST if the remote host is not "UNKNOWN"
When using sshd's -i option with stdio that is not a AF_INET/AF_INET6
socket, auth_get_canonical_hostname() returns "UNKNOWN" which is then
set as the value of PAM_RHOST, causing pam to try to do a reverse DNS
query of "UNKNOWN", which times out multiple times, causing a
substantial slowdown when logging in.
To fix this, let's only set PAM_RHOST if the hostname is not "UNKNOWN".
---
auth-pam.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/auth-pam.c b/auth-pam.c
index 5dee7601b..5591f094e 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -758,7 +758,7 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
sshpam_laddr = get_local_ipaddr(
ssh_packet_get_connection_in(ssh));
}
- if (sshpam_rhost != NULL) {
+ if (sshpam_rhost != NULL && strcmp(sshpam_rhost, "UNKNOWN") != 0) {
debug("PAM: setting PAM_RHOST to \"%s\"", sshpam_rhost);
sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST,
sshpam_rhost);
--
2.51.0
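Review bot: Skipping `pam_set_item(PAM_RHOST)` when the name is "UNKNOWN" leaves PAM_RHOST unset for `sshd -i` sessions on non-socket stdio, and host-aware PAM modules (pam_access, pam_faillock, pam_listfile and the like) treat an absent rhost differently from the literal string "UNKNOWN" — commonly as a local login — so access policy for those sessions can change, not just the reverse-DNS delay the commit message describes. That trade-off should be recorded next to the condition: `/* Leave PAM_RHOST unset rather than "UNKNOWN": avoids PAM reverse lookups of the placeholder, but modules then see no rhost at all (local-login semantics). */`. The literal also duplicates the sentinel returned by auth_get_canonical_hostname(), which is outside this hunk; a shared define would keep the two from drifting. sshpam_init starts and ends outside the hunk.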


@ -0,0 +1,29 @@
From 9f0dd9505db695aab1148a977e2668666ad4d177 Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@dtucker.net>
Date: Tue, 7 Oct 2025 20:25:07 +1100
Subject: [PATCH 5/6] Add fcntl.h to includes.
From FreeBSD via bz#3874: "This was previously included due to nested
includes in Heimdal's headers. Without this, the build fails with an
error due to redefining AT_FDCWD."
---
includes.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/includes.h b/includes.h
index 8f933568d..96cddbc26 100644
--- a/includes.h
+++ b/includes.h
@@ -34,6 +34,9 @@
#ifdef HAVE_ENDIAN_H
# include <endian.h>
#endif
+#ifdef HAVE_FCNTL_H
+# include <fcntl.h>
+#endif
#ifdef HAVE_TTYENT_H
# include <ttyent.h>
#endif
--
2.51.0


@ -0,0 +1,68 @@
From fabf4cd14108a60d9486f38ae58694d615592bc9 Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@dtucker.net>
Date: Tue, 7 Oct 2025 21:07:05 +1100
Subject: [PATCH 6/6] Use calloc for sshkeys if mmap is not supported.
Based on Github PR#597 from Mike Frysinger, any bugs added by me.
---
configure.ac | 2 ++
sshkey.c | 8 ++++++++
2 files changed, 10 insertions(+)
diff --git a/configure.ac b/configure.ac
index 3eb6d4697..98f2e3e1c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -536,6 +536,7 @@ AC_CHECK_HEADERS([ \
nlist.h \
poll.h \
stdint.h \
+ sys/mmap.h \
sys/stat.h \
sys/time.h \
sys/un.h \
@@ -2103,6 +2104,7 @@ AC_CHECK_FUNCS([ \
memmove \
memset_s \
mkdtemp \
+ mmap \
ngetaddrinfo \
nlist \
nsleep \
diff --git a/sshkey.c b/sshkey.c
index e17e929e0..206b72921 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -723,6 +723,7 @@ sshkey_sk_cleanup(struct sshkey *k)
static int
sshkey_prekey_alloc(u_char **prekeyp, size_t len)
{
+#if defined(HAVE_MMAP) && defined(MAP_ANON) && defined(MAP_PRIVATE)
u_char *prekey;
*prekeyp = NULL;
@@ -734,14 +735,21 @@ sshkey_prekey_alloc(u_char **prekeyp, size_t len)
#endif
*prekeyp = prekey;
return 0;
+#else
+ *prekeyp = calloc(1, len);
+#endif /* HAVE_MMAP et al */
}
static void
sshkey_prekey_free(void *prekey, size_t len)
{
+#if defined(HAVE_MMAP) && defined(MAP_ANON) && defined(MAP_PRIVATE)
if (prekey == NULL)
return;
munmap(prekey, len);
+#else
+ free(prekey);
+#endif /* HAVE_MMAP et al */
}
static void
--
2.51.0
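Review bot: In the non-mmap arm of sshkey_prekey_alloc the `#else` branch assigns `*prekeyp = calloc(1, len)` and then falls off the end of an int-returning function — no return value and no NULL check — so the caller tests an indeterminate status; it needs to return the allocation-failure code sshkey.c uses elsewhere on NULL and 0 otherwise, as below. The matching sshkey_prekey_free arm does a plain `free(prekey)`, which hands the prekey (the secret material the mmap path exists to protect) back to the allocator unscrubbed; `freezero(prekey, len)`, if openbsd-compat provides it as elsewhere in the tree, or `explicit_bzero` before `free`, keeps the zero-on-release property in the fallback. Separately, configure.ac adds `sys/mmap.h` to AC_CHECK_HEADERS, but mmap and MAP_ANON/MAP_PRIVATE come from `<sys/mman.h>`, so that check can never succeed and the sshkey.c guard silently depends on sys/mman.h being pulled in by includes.h, which is not visible here. The mmap arm between `*prekeyp = NULL;` and the `#endif` at line 734 is outside this hunk.
```c
#else
	if ((*prekeyp = calloc(1, len)) == NULL)
		return SSH_ERR_ALLOC_FAIL;
	return 0;
#endif /* HAVE_MMAP et al */

/* … unchanged: sshkey_prekey_free signature and mmap arm … */
#else
	freezero(prekey, len);
#endif /* HAVE_MMAP et al */
```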


@ -0,0 +1,36 @@
From 20950a7c047ca08f9317d27866c06587ed51a338 Mon Sep 17 00:00:00 2001
Message-ID: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
From: Samuel Thibault <samuel.thibault@ens-lyon.org>
Date: Tue, 26 Mar 2024 22:15:08 +0100
Subject: [PATCH 1/7] Fix detection of setres*id on GNU/Hurd
Like Linux, proper _SOURCE macros need to be set to get declarations of
various standard functions, notably setres*id. Now that Debian is using
-Werror=implicit-function-declaration this is really required. While at
it, define other _SOURCE macros like on GNU/Linux, since GNU/Hurd uses
the same glibc.
---
configure.ac | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/configure.ac b/configure.ac
index 5a865f8e1..2eede34c3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1348,6 +1348,13 @@ EOD
AC_DEFINE([BROKEN_SETVBUF], [1],
[LynxOS has broken setvbuf() implementation])
;;
+*-*-gnu*)
+ dnl GNU Hurd. Needs to be after the linux and the other *-gnu entries.
+ dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
+ dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
+ dnl _GNU_SOURCE is needed for setres*id prototypes.
+ CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE"
+ ;;
esac
AC_MSG_CHECKING([compiler and flags for sanity])
--
2.51.0


@ -0,0 +1,30 @@
From 34f7a962f992a43e33b5b6e2dd71f1582433d551 Mon Sep 17 00:00:00 2001
Message-ID: <34f7a962f992a43e33b5b6e2dd71f1582433d551.1758727870.git.sam@gentoo.org>
In-Reply-To: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
References: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
From: Darren Tucker <dtucker@dtucker.net>
Date: Thu, 4 Jul 2024 20:12:26 +1000
Subject: [PATCH 2/7] Add 9.8 branch to ci-status page.
---
.github/ci-status.md | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/.github/ci-status.md b/.github/ci-status.md
index fbf7c5fd6..4fa73894c 100644
--- a/.github/ci-status.md
+++ b/.github/ci-status.md
@@ -6,6 +6,10 @@ master :
[![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/openssh.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:openssh)
[![Coverity Status](https://scan.coverity.com/projects/21341/badge.svg)](https://scan.coverity.com/projects/openssh-portable)
+9.8 :
+[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_8)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_8)
+[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_8)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_8)
+
9.7 :
[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_7)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_7)
[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_7)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_7)
--
2.51.0


@ -0,0 +1,29 @@
From b35a64dd7d5278af859ff8cca1fbe42d2c308ac0 Mon Sep 17 00:00:00 2001
Message-ID: <b35a64dd7d5278af859ff8cca1fbe42d2c308ac0.1758727870.git.sam@gentoo.org>
In-Reply-To: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
References: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
From: Darren Tucker <dtucker@dtucker.net>
Date: Sun, 7 Jul 2024 18:46:19 +1000
Subject: [PATCH 3/7] Cast to sockaddr * in systemd interface.
Fixes build with musl libx. bz#3707.
---
openbsd-compat/port-linux.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
index 4c024c6d2..8adfec5a7 100644
--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
@@ -366,7 +366,7 @@ ssh_systemd_notify(const char *fmt, ...)
error_f("socket \"%s\": %s", path, strerror(errno));
goto out;
}
- if (connect(fd, &addr, sizeof(addr)) != 0) {
+ if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) != 0) {
error_f("socket \"%s\" connect: %s", path, strerror(errno));
goto out;
}
--
2.51.0


@ -0,0 +1,29 @@
From c21fc9d953f6d858ea0a9d7da38359d2eb397ed0 Mon Sep 17 00:00:00 2001
Message-ID: <c21fc9d953f6d858ea0a9d7da38359d2eb397ed0.1758727870.git.sam@gentoo.org>
In-Reply-To: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
References: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Wed, 10 Jul 2024 21:58:34 +0000
Subject: [PATCH 4/7] upstream: correct keyword; from Yatao Su via GHPR509
OpenBSD-Commit-ID: 81c778c76dea7ef407603caa157eb0c381c52ad2
---
sshd_config.5 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sshd_config.5 b/sshd_config.5
index 1ab0f41d9..ce872de52 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1586,7 +1586,7 @@ accumulated.
.Pp
Penalties are enabled by default with the default settings listed below
but may disabled using the
-.Cm off
+.Cm no
keyword.
The defaults may be overridden by specifying one or more of the keywords below,
separated by whitespace.
--
2.51.0


@ -0,0 +1,250 @@
From 26f73db15e0eee558a11b42a9d794d78c87dd11e Mon Sep 17 00:00:00 2001
Message-ID: <26f73db15e0eee558a11b42a9d794d78c87dd11e.1758727870.git.sam@gentoo.org>
In-Reply-To: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
References: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
From: Damien Miller <djm@mindrot.org>
Date: Mon, 11 Aug 2025 16:40:24 +1000
Subject: [PATCH 5/7] support sntrup761x25519-sha512 alias
OpenSSH 9.8 supports the sntrup761x25519-sha512@openssh.com
key agreement algorithm. As part of standardisation, this algorithm
has been assigned the name sntrup761x25519-sha512.
This commit enables the existing algorithm under this new name.
---
configure | 3 +++
kex-names.c | 2 ++
kex.h | 1 +
moduli.0 | 2 +-
myproposal.h | 1 +
scp.0 | 2 +-
sftp-server.0 | 2 +-
sftp.0 | 2 +-
ssh-add.0 | 2 +-
ssh-agent.0 | 2 +-
ssh-keygen.0 | 2 +-
ssh-keyscan.0 | 2 +-
ssh-keysign.0 | 2 +-
ssh-pkcs11-helper.0 | 2 +-
ssh-sk-helper.0 | 2 +-
ssh.0 | 2 +-
ssh_config.0 | 2 +-
sshd.0 | 2 +-
sshd_config.0 | 6 +++---
19 files changed, 24 insertions(+), 17 deletions(-)
diff --git a/configure b/configure
index 07d19fd30..32e38c4cb 100755
--- a/configure
+++ b/configure
@@ -13317,6 +13317,9 @@ EOD
printf "%s\n" "#define BROKEN_SETVBUF 1" >>confdefs.h
;;
+*-*-gnu*)
+ CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE"
+ ;;
esac
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking compiler and flags for sanity" >&5
diff --git a/kex-names.c b/kex-names.c
index 339eb1c23..1869b8ee1 100644
--- a/kex-names.c
+++ b/kex-names.c
@@ -77,6 +77,8 @@ static const struct kexalg kexalgs[] = {
{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
{ KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
#ifdef USE_SNTRUP761X25519
+ { KEX_SNTRUP761X25519_SHA512_IANA, KEX_KEM_SNTRUP761X25519_SHA512, 0,
+ SSH_DIGEST_SHA512 },
{ KEX_SNTRUP761X25519_SHA512, KEX_KEM_SNTRUP761X25519_SHA512, 0,
SSH_DIGEST_SHA512 },
#endif
diff --git a/kex.h b/kex.h
index 34665eb20..ed22b929f 100644
--- a/kex.h
+++ b/kex.h
@@ -63,6 +63,7 @@
#define KEX_CURVE25519_SHA256 "curve25519-sha256"
#define KEX_CURVE25519_SHA256_OLD "curve25519-sha256@libssh.org"
#define KEX_SNTRUP761X25519_SHA512 "sntrup761x25519-sha512@openssh.com"
+#define KEX_SNTRUP761X25519_SHA512_IANA "sntrup761x25519-sha512"
#define COMP_NONE 0
/* pre-auth compression (COMP_ZLIB) is only supported in the client */
diff --git a/moduli.0 b/moduli.0
index 057a018ef..90700a16f 100644
--- a/moduli.0
+++ b/moduli.0
@@ -71,4 +71,4 @@ STANDARDS
M. Friedl, N. Provos, and W. Simpson, Diffie-Hellman Group Exchange for
the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, March 2006.
-OpenBSD 7.5 April 16, 2022 OpenBSD 7.5
+OpenBSD 7.7 April 16, 2022 OpenBSD 7.7
diff --git a/myproposal.h b/myproposal.h
index ee6e9f741..0528cd783 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -25,6 +25,7 @@
*/
#define KEX_SERVER_KEX \
+ "sntrup761x25519-sha512," \
"sntrup761x25519-sha512@openssh.com," \
"curve25519-sha256," \
"curve25519-sha256@libssh.org," \
diff --git a/scp.0 b/scp.0
index e098ddf55..85d5f83d5 100644
--- a/scp.0
+++ b/scp.0
@@ -229,4 +229,4 @@ CAVEATS
requires careful quoting of any characters that have special meaning to
the remote shell, such as quote characters.
-OpenBSD 7.5 December 16, 2022 OpenBSD 7.5
+OpenBSD 7.7 December 16, 2022 OpenBSD 7.7
diff --git a/sftp-server.0 b/sftp-server.0
index 23fdda399..273b69908 100644
--- a/sftp-server.0
+++ b/sftp-server.0
@@ -95,4 +95,4 @@ HISTORY
AUTHORS
Markus Friedl <markus@openbsd.org>
-OpenBSD 7.5 July 27, 2021 OpenBSD 7.5
+OpenBSD 7.7 July 27, 2021 OpenBSD 7.7
diff --git a/sftp.0 b/sftp.0
index c6a9e60c4..0476733c1 100644
--- a/sftp.0
+++ b/sftp.0
@@ -435,4 +435,4 @@ SEE ALSO
T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh-
filexfer-00.txt, January 2001, work in progress material.
-OpenBSD 7.5 December 16, 2022 OpenBSD 7.5
+OpenBSD 7.7 December 16, 2022 OpenBSD 7.7
diff --git a/ssh-add.0 b/ssh-add.0
index 30eed6672..20f1a88e2 100644
--- a/ssh-add.0
+++ b/ssh-add.0
@@ -206,4 +206,4 @@ AUTHORS
created OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
-OpenBSD 7.5 June 17, 2024 OpenBSD 7.5
+OpenBSD 7.7 June 17, 2024 OpenBSD 7.7
diff --git a/ssh-agent.0 b/ssh-agent.0
index 2e4ef7b6e..238fa54e2 100644
--- a/ssh-agent.0
+++ b/ssh-agent.0
@@ -137,4 +137,4 @@ AUTHORS
created OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
-OpenBSD 7.5 August 10, 2023 OpenBSD 7.5
+OpenBSD 7.7 August 10, 2023 OpenBSD 7.7
diff --git a/ssh-keygen.0 b/ssh-keygen.0
index a731a7fa8..13b032f46 100644
--- a/ssh-keygen.0
+++ b/ssh-keygen.0
@@ -904,4 +904,4 @@ AUTHORS
created OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
-OpenBSD 7.5 June 17, 2024 OpenBSD 7.5
+OpenBSD 7.7 June 17, 2024 OpenBSD 7.7
diff --git a/ssh-keyscan.0 b/ssh-keyscan.0
index 110399094..cf0962c82 100644
--- a/ssh-keyscan.0
+++ b/ssh-keyscan.0
@@ -120,4 +120,4 @@ AUTHORS
Davison <wayned@users.sourceforge.net> added support for protocol version
2.
-OpenBSD 7.5 June 17, 2024 OpenBSD 7.5
+OpenBSD 7.7 June 17, 2024 OpenBSD 7.7
diff --git a/ssh-keysign.0 b/ssh-keysign.0
index 577955d1b..ff3305809 100644
--- a/ssh-keysign.0
+++ b/ssh-keysign.0
@@ -47,4 +47,4 @@ HISTORY
AUTHORS
Markus Friedl <markus@openbsd.org>
-OpenBSD 7.5 June 17, 2024 OpenBSD 7.5
+OpenBSD 7.7 June 17, 2024 OpenBSD 7.7
diff --git a/ssh-pkcs11-helper.0 b/ssh-pkcs11-helper.0
index 564587259..4b1cb8d7d 100644
--- a/ssh-pkcs11-helper.0
+++ b/ssh-pkcs11-helper.0
@@ -32,4 +32,4 @@ HISTORY
AUTHORS
Markus Friedl <markus@openbsd.org>
-OpenBSD 7.5 April 29, 2022 OpenBSD 7.5
+OpenBSD 7.7 April 29, 2022 OpenBSD 7.7
diff --git a/ssh-sk-helper.0 b/ssh-sk-helper.0
index ea2117abd..4abc5e8a0 100644
--- a/ssh-sk-helper.0
+++ b/ssh-sk-helper.0
@@ -31,4 +31,4 @@ HISTORY
AUTHORS
Damien Miller <djm@openbsd.org>
-OpenBSD 7.5 April 29, 2022 OpenBSD 7.5
+OpenBSD 7.7 April 29, 2022 OpenBSD 7.7
diff --git a/ssh.0 b/ssh.0
index 78863b1b0..9c34e3e6e 100644
--- a/ssh.0
+++ b/ssh.0
@@ -1016,4 +1016,4 @@ AUTHORS
created OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
-OpenBSD 7.5 June 27, 2024 OpenBSD 7.5
+OpenBSD 7.7 June 27, 2024 OpenBSD 7.7
diff --git a/ssh_config.0 b/ssh_config.0
index ef6c0936a..f9a82781b 100644
--- a/ssh_config.0
+++ b/ssh_config.0
@@ -1428,4 +1428,4 @@ AUTHORS
created OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
-OpenBSD 7.5 June 17, 2024 OpenBSD 7.5
+OpenBSD 7.7 June 17, 2024 OpenBSD 7.7
diff --git a/sshd.0 b/sshd.0
index c7de2d311..eac127dcf 100644
--- a/sshd.0
+++ b/sshd.0
@@ -682,4 +682,4 @@ AUTHORS
versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
for privilege separation.
-OpenBSD 7.5 June 17, 2024 OpenBSD 7.5
+OpenBSD 7.7 June 17, 2024 OpenBSD 7.7
diff --git a/sshd_config.0 b/sshd_config.0
index 6883dda4b..ca030fcca 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -950,8 +950,8 @@ DESCRIPTION
accumulated.
Penalties are enabled by default with the default settings listed
- below but may disabled using the off keyword. The defaults may
- be overridden by specifying one or more of the keywords below,
+ below but may disabled using the no keyword. The defaults may be
+ overridden by specifying one or more of the keywords below,
separated by whitespace. All keywords accept arguments, e.g.
"crash:2m".
@@ -1390,4 +1390,4 @@ AUTHORS
versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
for privilege separation.
-OpenBSD 7.5 June 24, 2024 OpenBSD 7.5
+OpenBSD 7.7 June 24, 2024 OpenBSD 7.7
--
2.51.0
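Review bot: myproposal.h places the new IANA name `sntrup761x25519-sha512` at the head of KEX_SERVER_KEX, ahead of the `@openssh.com` spelling, which changes the name a server advertises first and therefore what is negotiated and logged with peers that know both; that is harmless for the algorithm itself, since the kexalgs entries map both names to KEX_KEM_SNTRUP761X25519_SHA512 with SSH_DIGEST_SHA512, but it deserves a comment: `/* IANA name first; the @openssh.com alias is kept for peers that only know the private name */`. Whether the client default proposal also picks up the alias depends on how KEX_CLIENT_KEX is defined, which is outside this hunk — confirm it is derived from KEX_SERVER_KEX or updated in step. The same patch carries unrelated generated-file changes (configure, the *.0 manpage footers) that the next patch in this series reverts; folding the two together before shipping them in the ebuild would keep the applied patch set minimal.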


@ -0,0 +1,206 @@
From d1460a177431d034248b62b36240f634482e48de Mon Sep 17 00:00:00 2001
Message-ID: <d1460a177431d034248b62b36240f634482e48de.1758727870.git.sam@gentoo.org>
In-Reply-To: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
References: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
From: Damien Miller <djm@mindrot.org>
Date: Wed, 13 Aug 2025 09:19:53 +1000
Subject: [PATCH 6/7] back out unrelated manpages changes
spotted by Colin Wilson
---
configure | 3 ---
moduli.0 | 2 +-
scp.0 | 2 +-
sftp-server.0 | 2 +-
sftp.0 | 2 +-
ssh-add.0 | 2 +-
ssh-agent.0 | 2 +-
ssh-keygen.0 | 2 +-
ssh-keyscan.0 | 2 +-
ssh-keysign.0 | 2 +-
ssh-pkcs11-helper.0 | 2 +-
ssh-sk-helper.0 | 2 +-
ssh.0 | 2 +-
ssh_config.0 | 2 +-
sshd.0 | 2 +-
sshd_config.0 | 6 +++---
16 files changed, 17 insertions(+), 20 deletions(-)
diff --git a/configure b/configure
index 32e38c4cb..07d19fd30 100755
--- a/configure
+++ b/configure
@@ -13317,9 +13317,6 @@ EOD
printf "%s\n" "#define BROKEN_SETVBUF 1" >>confdefs.h
;;
-*-*-gnu*)
- CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE"
- ;;
esac
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking compiler and flags for sanity" >&5
diff --git a/moduli.0 b/moduli.0
index 90700a16f..057a018ef 100644
--- a/moduli.0
+++ b/moduli.0
@@ -71,4 +71,4 @@ STANDARDS
M. Friedl, N. Provos, and W. Simpson, Diffie-Hellman Group Exchange for
the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, March 2006.
-OpenBSD 7.7 April 16, 2022 OpenBSD 7.7
+OpenBSD 7.5 April 16, 2022 OpenBSD 7.5
diff --git a/scp.0 b/scp.0
index 85d5f83d5..e098ddf55 100644
--- a/scp.0
+++ b/scp.0
@@ -229,4 +229,4 @@ CAVEATS
requires careful quoting of any characters that have special meaning to
the remote shell, such as quote characters.
-OpenBSD 7.7 December 16, 2022 OpenBSD 7.7
+OpenBSD 7.5 December 16, 2022 OpenBSD 7.5
diff --git a/sftp-server.0 b/sftp-server.0
index 273b69908..23fdda399 100644
--- a/sftp-server.0
+++ b/sftp-server.0
@@ -95,4 +95,4 @@ HISTORY
AUTHORS
Markus Friedl <markus@openbsd.org>
-OpenBSD 7.7 July 27, 2021 OpenBSD 7.7
+OpenBSD 7.5 July 27, 2021 OpenBSD 7.5
diff --git a/sftp.0 b/sftp.0
index 0476733c1..c6a9e60c4 100644
--- a/sftp.0
+++ b/sftp.0
@@ -435,4 +435,4 @@ SEE ALSO
T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh-
filexfer-00.txt, January 2001, work in progress material.
-OpenBSD 7.7 December 16, 2022 OpenBSD 7.7
+OpenBSD 7.5 December 16, 2022 OpenBSD 7.5
diff --git a/ssh-add.0 b/ssh-add.0
index 20f1a88e2..30eed6672 100644
--- a/ssh-add.0
+++ b/ssh-add.0
@@ -206,4 +206,4 @@ AUTHORS
created OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
-OpenBSD 7.7 June 17, 2024 OpenBSD 7.7
+OpenBSD 7.5 June 17, 2024 OpenBSD 7.5
diff --git a/ssh-agent.0 b/ssh-agent.0
index 238fa54e2..2e4ef7b6e 100644
--- a/ssh-agent.0
+++ b/ssh-agent.0
@@ -137,4 +137,4 @@ AUTHORS
created OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
-OpenBSD 7.7 August 10, 2023 OpenBSD 7.7
+OpenBSD 7.5 August 10, 2023 OpenBSD 7.5
diff --git a/ssh-keygen.0 b/ssh-keygen.0
index 13b032f46..a731a7fa8 100644
--- a/ssh-keygen.0
+++ b/ssh-keygen.0
@@ -904,4 +904,4 @@ AUTHORS
created OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
-OpenBSD 7.7 June 17, 2024 OpenBSD 7.7
+OpenBSD 7.5 June 17, 2024 OpenBSD 7.5
diff --git a/ssh-keyscan.0 b/ssh-keyscan.0
index cf0962c82..110399094 100644
--- a/ssh-keyscan.0
+++ b/ssh-keyscan.0
@@ -120,4 +120,4 @@ AUTHORS
Davison <wayned@users.sourceforge.net> added support for protocol version
2.
-OpenBSD 7.7 June 17, 2024 OpenBSD 7.7
+OpenBSD 7.5 June 17, 2024 OpenBSD 7.5
diff --git a/ssh-keysign.0 b/ssh-keysign.0
index ff3305809..577955d1b 100644
--- a/ssh-keysign.0
+++ b/ssh-keysign.0
@@ -47,4 +47,4 @@ HISTORY
AUTHORS
Markus Friedl <markus@openbsd.org>
-OpenBSD 7.7 June 17, 2024 OpenBSD 7.7
+OpenBSD 7.5 June 17, 2024 OpenBSD 7.5
diff --git a/ssh-pkcs11-helper.0 b/ssh-pkcs11-helper.0
index 4b1cb8d7d..564587259 100644
--- a/ssh-pkcs11-helper.0
+++ b/ssh-pkcs11-helper.0
@@ -32,4 +32,4 @@ HISTORY
AUTHORS
Markus Friedl <markus@openbsd.org>
-OpenBSD 7.7 April 29, 2022 OpenBSD 7.7
+OpenBSD 7.5 April 29, 2022 OpenBSD 7.5
diff --git a/ssh-sk-helper.0 b/ssh-sk-helper.0
index 4abc5e8a0..ea2117abd 100644
--- a/ssh-sk-helper.0
+++ b/ssh-sk-helper.0
@@ -31,4 +31,4 @@ HISTORY
AUTHORS
Damien Miller <djm@openbsd.org>
-OpenBSD 7.7 April 29, 2022 OpenBSD 7.7
+OpenBSD 7.5 April 29, 2022 OpenBSD 7.5
diff --git a/ssh.0 b/ssh.0
index 9c34e3e6e..78863b1b0 100644
--- a/ssh.0
+++ b/ssh.0
@@ -1016,4 +1016,4 @@ AUTHORS
created OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
-OpenBSD 7.7 June 27, 2024 OpenBSD 7.7
+OpenBSD 7.5 June 27, 2024 OpenBSD 7.5
diff --git a/ssh_config.0 b/ssh_config.0
index f9a82781b..ef6c0936a 100644
--- a/ssh_config.0
+++ b/ssh_config.0
@@ -1428,4 +1428,4 @@ AUTHORS
created OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
-OpenBSD 7.7 June 17, 2024 OpenBSD 7.7
+OpenBSD 7.5 June 17, 2024 OpenBSD 7.5
diff --git a/sshd.0 b/sshd.0
index eac127dcf..c7de2d311 100644
--- a/sshd.0
+++ b/sshd.0
@@ -682,4 +682,4 @@ AUTHORS
versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
for privilege separation.
-OpenBSD 7.7 June 17, 2024 OpenBSD 7.7
+OpenBSD 7.5 June 17, 2024 OpenBSD 7.5
diff --git a/sshd_config.0 b/sshd_config.0
index ca030fcca..6883dda4b 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -950,8 +950,8 @@ DESCRIPTION
accumulated.
Penalties are enabled by default with the default settings listed
- below but may disabled using the no keyword. The defaults may be
- overridden by specifying one or more of the keywords below,
+ below but may disabled using the off keyword. The defaults may
+ be overridden by specifying one or more of the keywords below,
separated by whitespace. All keywords accept arguments, e.g.
"crash:2m".
@@ -1390,4 +1390,4 @@ AUTHORS
versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
for privilege separation.
-OpenBSD 7.7 June 24, 2024 OpenBSD 7.7
+OpenBSD 7.5 June 24, 2024 OpenBSD 7.5
--
2.51.0


@ -0,0 +1,48 @@
From a38b48e77ccfe9528dd4a8516c114950fa7a111d Mon Sep 17 00:00:00 2001
Message-ID: <a38b48e77ccfe9528dd4a8516c114950fa7a111d.1758727870.git.sam@gentoo.org>
In-Reply-To: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
References: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
From: Damien Miller <djm@mindrot.org>
Date: Wed, 13 Aug 2025 09:16:34 +1000
Subject: [PATCH 7/7] mention sntrup761x25519-sha512 in manpages
Spotted by Colin Watson
---
ssh_config.5 | 1 +
sshd_config.5 | 3 +++
2 files changed, 4 insertions(+)
diff --git a/ssh_config.5 b/ssh_config.5
index 2e1902283..9473f4692 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -1281,6 +1281,7 @@ default set.
.Pp
The default is:
.Bd -literal -offset indent
+sntrup761x25519-sha512,
sntrup761x25519-sha512@openssh.com,
curve25519-sha256,curve25519-sha256@libssh.org,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diff --git a/sshd_config.5 b/sshd_config.5
index ce872de52..3c727f4d3 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1050,11 +1050,14 @@ ecdh-sha2-nistp384
.It
ecdh-sha2-nistp521
.It
+sntrup761x25519-sha512
+.It
sntrup761x25519-sha512@openssh.com
.El
.Pp
The default is:
.Bd -literal -offset indent
+sntrup761x25519-sha512,
sntrup761x25519-sha512@openssh.com,
curve25519-sha256,curve25519-sha256@libssh.org,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
--
2.51.0


@ -1,39 +0,0 @@
From 27996b32a8b0fe908effc469e5c7d496e40c6671 Mon Sep 17 00:00:00 2001
Message-ID: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
From: Christoph Ostarek <christoph@zededa.com>
Date: Wed, 3 Jul 2024 12:46:59 +0200
Subject: [PATCH 1/8] fix utmpx ifdef
02e16ad95fb1f56ab004b01a10aab89f7103c55d did a copy-paste for
utmpx, but forgot to change the ifdef appropriately
(cherry picked from commit c7fda601186ff28128cfe3eab9c9c0622de096e1)
---
loginrec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/loginrec.c b/loginrec.c
index 7460bb2c0..45f13dee8 100644
--- a/loginrec.c
+++ b/loginrec.c
@@ -723,7 +723,7 @@ set_utmpx_time(struct logininfo *li, struct utmpx *utx)
void
construct_utmpx(struct logininfo *li, struct utmpx *utx)
{
-# ifdef HAVE_ADDR_V6_IN_UTMP
+# ifdef HAVE_ADDR_V6_IN_UTMPX
struct sockaddr_in6 *sa6;
# endif
memset(utx, '\0', sizeof(*utx));
@@ -769,7 +769,7 @@ construct_utmpx(struct logininfo *li, struct utmpx *utx)
if (li->hostaddr.sa.sa_family == AF_INET)
utx->ut_addr = li->hostaddr.sa_in.sin_addr.s_addr;
# endif
-# ifdef HAVE_ADDR_V6_IN_UTMP
+# ifdef HAVE_ADDR_V6_IN_UTMPX
/* this is just a 128-bit IPv6 address */
if (li->hostaddr.sa.sa_family == AF_INET6) {
sa6 = ((struct sockaddr_in6 *)&li->hostaddr.sa);
--
2.47.0


@ -1,40 +0,0 @@
From c606840894ca805472ddbd4ebad4b0a6f231ccb5 Mon Sep 17 00:00:00 2001
Message-ID: <c606840894ca805472ddbd4ebad4b0a6f231ccb5.1730162536.git.sam@gentoo.org>
In-Reply-To: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
References: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
From: Damien Miller <djm@mindrot.org>
Date: Wed, 25 Sep 2024 11:13:05 +1000
Subject: [PATCH 2/8] build construct_utmp() when USE_BTMP is set
Fixes compile error on Void Linux/Musl
(cherry picked from commit 2c12ae8cf9b0b7549ae097c4123abeda0ee63e5b)
---
loginrec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/loginrec.c b/loginrec.c
index 45f13dee8..7b1818b86 100644
--- a/loginrec.c
+++ b/loginrec.c
@@ -614,7 +614,7 @@ line_abbrevname(char *dst, const char *src, int dstsize)
** into account.
**/
-#if defined(USE_UTMP) || defined (USE_WTMP) || defined (USE_LOGIN)
+#if defined(USE_BTMP) || defined(USE_UTMP) || defined (USE_WTMP) || defined (USE_LOGIN)
/* build the utmp structure */
void
@@ -698,7 +698,7 @@ construct_utmp(struct logininfo *li,
}
# endif
}
-#endif /* USE_UTMP || USE_WTMP || USE_LOGIN */
+#endif /* USE_BTMP || USE_UTMP || USE_WTMP || USE_LOGIN */
/**
** utmpx utility functions
--
2.47.0


@ -1,30 +0,0 @@
From d1e0cfefc3a0f2d371f280d270e9ebc2188950c6 Mon Sep 17 00:00:00 2001
Message-ID: <d1e0cfefc3a0f2d371f280d270e9ebc2188950c6.1730162536.git.sam@gentoo.org>
In-Reply-To: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
References: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
From: Damien Miller <djm@mindrot.org>
Date: Wed, 25 Sep 2024 11:15:45 +1000
Subject: [PATCH 3/8] gss-serv.c needs sys/param.h
From Void Linux
(cherry picked from commit ff2cd1dd5711ff88efdf26662d6189d980439a1f)
---
gss-serv.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/gss-serv.c b/gss-serv.c
index 00e3d118b..025a118f8 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -29,6 +29,7 @@
#ifdef GSSAPI
#include <sys/types.h>
+#include <sys/param.h>
#include <stdarg.h>
#include <string.h>
--
2.47.0


@ -1,296 +0,0 @@
From dda58ae078f4cba21c3b874e81f1d28121636985 Mon Sep 17 00:00:00 2001
Message-ID: <dda58ae078f4cba21c3b874e81f1d28121636985.1730162536.git.sam@gentoo.org>
In-Reply-To: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
References: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Wed, 25 Sep 2024 01:24:04 +0000
Subject: [PATCH 4/8] upstream: fix regression introduced when I switched the
"Match"
criteria tokeniser to a more shell-like one. Apparently the old tokeniser
(accidentally?) allowed "Match criteria=argument" as well as the "Match
criteria argument" syntax that we tested for.
People were using this syntax so this adds back support for
"Match criteria=argument"
bz3739 ok dtucker
OpenBSD-Commit-ID: d1eebedb8c902002b75b75debfe1eeea1801f58a
(cherry picked from commit 66878e12a207fa9746dee3e2bdcca29b704cf035)
---
misc.c | 23 +++++++++++++++++++++-
misc.h | 3 ++-
readconf.c | 28 ++++++++++++++++++++++-----
servconf.c | 57 ++++++++++++++++++++++++++++++++++++++++--------------
4 files changed, 89 insertions(+), 22 deletions(-)
diff --git a/misc.c b/misc.c
index afdf5142e..1b4b55c50 100644
--- a/misc.c
+++ b/misc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.196 2024/06/06 17:15:25 djm Exp $ */
+/* $OpenBSD: misc.c,v 1.197 2024/09/25 01:24:04 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
* Copyright (c) 2005-2020 Damien Miller. All rights reserved.
@@ -107,6 +107,27 @@ rtrim(char *s)
}
}
+/*
+ * returns pointer to character after 'prefix' in 's' or otherwise NULL
+ * if the prefix is not present.
+ */
+const char *
+strprefix(const char *s, const char *prefix, int ignorecase)
+{
+ size_t prefixlen;
+
+ if ((prefixlen = strlen(prefix)) == 0)
+ return s;
+ if (ignorecase) {
+ if (strncasecmp(s, prefix, prefixlen) != 0)
+ return NULL;
+ } else {
+ if (strncmp(s, prefix, prefixlen) != 0)
+ return NULL;
+ }
+ return s + prefixlen;
+}
+
/* set/unset filedescriptor to non-blocking */
int
set_nonblock(int fd)
diff --git a/misc.h b/misc.h
index 113403896..efecdf1ad 100644
--- a/misc.h
+++ b/misc.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.h,v 1.109 2024/06/06 17:15:25 djm Exp $ */
+/* $OpenBSD: misc.h,v 1.110 2024/09/25 01:24:04 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -56,6 +56,7 @@ struct ForwardOptions {
char *chop(char *);
void rtrim(char *);
void skip_space(char **);
+const char *strprefix(const char *, const char *, int);
char *strdelim(char **);
char *strdelimw(char **);
int set_nonblock(int);
diff --git a/readconf.c b/readconf.c
index 3d9cc6dbb..de42fb6ff 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.390 2024/09/15 00:57:36 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.391 2024/09/25 01:24:04 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -710,7 +710,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
struct passwd *pw, const char *host_arg, const char *original_host,
int final_pass, int *want_final_pass, const char *filename, int linenum)
{
- char *arg, *oattrib, *attrib, *cmd, *host, *criteria;
+ char *arg, *oattrib, *attrib = NULL, *cmd, *host, *criteria;
const char *ruser;
int r, this_result, result = 1, attributes = 0, negate;
@@ -731,7 +731,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
debug2("checking match for '%s' host %s originally %s",
full_line, host, original_host);
- while ((oattrib = attrib = argv_next(acp, avp)) != NULL) {
+ while ((oattrib = argv_next(acp, avp)) != NULL) {
+ attrib = xstrdup(oattrib);
/* Terminate on comment */
if (*attrib == '#') {
argv_consume(acp);
@@ -777,9 +778,23 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
this_result ? "" : "not ", oattrib);
continue;
}
+
+ /* Keep this list in sync with below */
+ if (strprefix(attrib, "host=", 1) != NULL ||
+ strprefix(attrib, "originalhost=", 1) != NULL ||
+ strprefix(attrib, "user=", 1) != NULL ||
+ strprefix(attrib, "localuser=", 1) != NULL ||
+ strprefix(attrib, "localnetwork=", 1) != NULL ||
+ strprefix(attrib, "tagged=", 1) != NULL ||
+ strprefix(attrib, "exec=", 1) != NULL) {
+ arg = strchr(attrib, '=');
+ *(arg++) = '\0';
+ } else {
+ arg = argv_next(acp, avp);
+ }
+
/* All other criteria require an argument */
- if ((arg = argv_next(acp, avp)) == NULL ||
- *arg == '\0' || *arg == '#') {
+ if (arg == NULL || *arg == '\0' || *arg == '#') {
error("Missing Match criteria for %s", attrib);
result = -1;
goto out;
@@ -856,6 +871,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
criteria == NULL ? "" : criteria,
criteria == NULL ? "" : "\"");
free(criteria);
+ free(attrib);
+ attrib = NULL;
}
if (attributes == 0) {
error("One or more attributes required for Match");
@@ -865,6 +882,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
out:
if (result != -1)
debug2("match %sfound", result ? "" : "not ");
+ free(attrib);
free(host);
return result;
}
diff --git a/servconf.c b/servconf.c
index 89b8413e8..dd774f468 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.418 2024/09/15 03:09:44 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.419 2024/09/25 01:24:04 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -1033,7 +1033,7 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
int line, struct connection_info *ci)
{
int result = 1, attributes = 0, port;
- char *arg, *attrib;
+ char *arg, *attrib = NULL, *oattrib;
if (ci == NULL)
debug3("checking syntax for 'Match %s'", full_line);
@@ -1047,7 +1047,8 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
ci->laddress ? ci->laddress : "(null)", ci->lport);
}
- while ((attrib = argv_next(acp, avp)) != NULL) {
+ while ((oattrib = argv_next(acp, avp)) != NULL) {
+ attrib = xstrdup(oattrib);
/* Terminate on comment */
if (*attrib == '#') {
argv_consume(acp); /* mark all arguments consumed */
@@ -1062,11 +1063,13 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
*arg != '\0' && *arg != '#')) {
error("'all' cannot be combined with other "
"Match attributes");
- return -1;
+ result = -1;
+ goto out;
}
if (arg != NULL && *arg == '#')
argv_consume(acp); /* consume remaining args */
- return 1;
+ result = 1;
+ goto out;
}
/* Criterion "invalid-user" also has no argument */
if (strcasecmp(attrib, "invalid-user") == 0) {
@@ -1078,11 +1081,26 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
debug("matched invalid-user at line %d", line);
continue;
}
+
+ /* Keep this list in sync with below */
+ if (strprefix(attrib, "user=", 1) != NULL ||
+ strprefix(attrib, "group=", 1) != NULL ||
+ strprefix(attrib, "host=", 1) != NULL ||
+ strprefix(attrib, "address=", 1) != NULL ||
+ strprefix(attrib, "localaddress=", 1) != NULL ||
+ strprefix(attrib, "localport=", 1) != NULL ||
+ strprefix(attrib, "rdomain=", 1) != NULL) {
+ arg = strchr(attrib, '=');
+ *(arg++) = '\0';
+ } else {
+ arg = argv_next(acp, avp);
+ }
+
/* All other criteria require an argument */
- if ((arg = argv_next(acp, avp)) == NULL ||
- *arg == '\0' || *arg == '#') {
+ if (arg == NULL || *arg == '\0' || *arg == '#') {
error("Missing Match criteria for %s", attrib);
- return -1;
+ result = -1;
+ goto out;
}
if (strcasecmp(attrib, "user") == 0) {
if (ci == NULL || (ci->test && ci->user == NULL)) {
@@ -1105,7 +1123,8 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
match_test_missing_fatal("Group", "user");
switch (match_cfg_line_group(arg, line, ci->user)) {
case -1:
- return -1;
+ result = -1;
+ goto out;
case 0:
result = 0;
}
@@ -1141,7 +1160,8 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
result = 0;
break;
case -2:
- return -1;
+ result = -1;
+ goto out;
}
} else if (strcasecmp(attrib, "localaddress") == 0){
if (ci == NULL || (ci->test && ci->laddress == NULL)) {
@@ -1166,13 +1186,15 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
result = 0;
break;
case -2:
- return -1;
+ result = -1;
+ goto out;
}
} else if (strcasecmp(attrib, "localport") == 0) {
if ((port = a2port(arg)) == -1) {
error("Invalid LocalPort '%s' on Match line",
arg);
- return -1;
+ result = -1;
+ goto out;
}
if (ci == NULL || (ci->test && ci->lport == -1)) {
result = 0;
@@ -1200,16 +1222,21 @@ match_cfg_line(const char *full_line, int *acp, char ***avp,
debug("user %.100s matched 'RDomain %.100s' at "
"line %d", ci->rdomain, arg, line);
} else {
- error("Unsupported Match attribute %s", attrib);
- return -1;
+ error("Unsupported Match attribute %s", oattrib);
+ result = -1;
+ goto out;
}
+ free(attrib);
+ attrib = NULL;
}
if (attributes == 0) {
error("One or more attributes required for Match");
return -1;
}
- if (ci != NULL)
+ out:
+ if (ci != NULL && result != -1)
debug3("match %sfound", result ? "" : "not ");
+ free(attrib);
return result;
}
--
2.47.0


@ -1,70 +0,0 @@
From 3e95023995e1d0249febab2b804f51b7673e07de Mon Sep 17 00:00:00 2001
Message-ID: <3e95023995e1d0249febab2b804f51b7673e07de.1730162536.git.sam@gentoo.org>
In-Reply-To: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
References: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Thu, 26 Sep 2024 23:55:08 +0000
Subject: [PATCH 5/8] upstream: fix previous change to ssh_config Match, which
broken on
negated Matches; spotted by phessler@ ok deraadt@
OpenBSD-Commit-ID: b1c6acec66cd5bd1252feff1d02ad7129ced37c7
(cherry picked from commit 19bcb2d90c6caf14abf386b644fb24eb7afab889)
---
readconf.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/readconf.c b/readconf.c
index de42fb6ff..9f5592698 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.391 2024/09/25 01:24:04 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.392 2024/09/26 23:55:08 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -710,7 +710,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
struct passwd *pw, const char *host_arg, const char *original_host,
int final_pass, int *want_final_pass, const char *filename, int linenum)
{
- char *arg, *oattrib, *attrib = NULL, *cmd, *host, *criteria;
+ char *arg, *oattrib = NULL, *attrib = NULL, *cmd, *host, *criteria;
const char *ruser;
int r, this_result, result = 1, attributes = 0, negate;
@@ -731,8 +731,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
debug2("checking match for '%s' host %s originally %s",
full_line, host, original_host);
- while ((oattrib = argv_next(acp, avp)) != NULL) {
- attrib = xstrdup(oattrib);
+ while ((attrib = argv_next(acp, avp)) != NULL) {
+ attrib = oattrib = xstrdup(attrib);
/* Terminate on comment */
if (*attrib == '#') {
argv_consume(acp);
@@ -871,8 +871,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
criteria == NULL ? "" : criteria,
criteria == NULL ? "" : "\"");
free(criteria);
- free(attrib);
- attrib = NULL;
+ free(oattrib);
+ oattrib = attrib = NULL;
}
if (attributes == 0) {
error("One or more attributes required for Match");
@@ -882,7 +882,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
out:
if (result != -1)
debug2("match %sfound", result ? "" : "not ");
- free(attrib);
+ free(oattrib);
free(host);
return result;
}
--
2.47.0


@ -1,99 +0,0 @@
From 3c10bf179b0029e0412e4b0fecf2e31d53b4ef08 Mon Sep 17 00:00:00 2001
Message-ID: <3c10bf179b0029e0412e4b0fecf2e31d53b4ef08.1730162536.git.sam@gentoo.org>
In-Reply-To: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
References: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Sun, 27 Oct 2024 02:06:01 +0000
Subject: [PATCH 6/8] upstream: fix ML-KEM768x25519 KEX on big-endian systems;
spotted by
jsg@ feedback/ok deraadt@
OpenBSD-Commit-ID: 26d81a430811672bc762687166986cad40d28cc0
(cherry picked from commit 11f348196b3fb51c3d8d1f4f36db9d73f03149ed)
---
libcrux_mlkem768_sha3.h | 8 +++++---
mlkem768.sh | 17 ++++++++++++-----
2 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/libcrux_mlkem768_sha3.h b/libcrux_mlkem768_sha3.h
index a82d60e83..b8ac1436f 100644
--- a/libcrux_mlkem768_sha3.h
+++ b/libcrux_mlkem768_sha3.h
@@ -1,4 +1,5 @@
-/* $OpenBSD: libcrux_mlkem768_sha3.h,v 1.1 2024/09/02 12:13:56 djm Exp $ */
+/* $OpenBSD: libcrux_mlkem768_sha3.h,v 1.2 2024/10/27 02:06:01 djm Exp $ */
+
/* Extracted from libcrux revision 84c5d87b3092c59294345aa269ceefe0eb97cc35 */
/*
@@ -160,18 +161,19 @@ static inline void Eurydice_slice_to_array3(uint8_t *dst_tag, char *dst_ok,
// CORE STUFF (conversions, endianness, ...)
static inline void core_num__u64_9__to_le_bytes(uint64_t v, uint8_t buf[8]) {
+ v = htole64(v);
memcpy(buf, &v, sizeof(v));
}
static inline uint64_t core_num__u64_9__from_le_bytes(uint8_t buf[8]) {
uint64_t v;
memcpy(&v, buf, sizeof(v));
- return v;
+ return le64toh(v);
}
static inline uint32_t core_num__u32_8__from_le_bytes(uint8_t buf[4]) {
uint32_t v;
memcpy(&v, buf, sizeof(v));
- return v;
+ return le32toh(v);
}
static inline uint32_t core_num__u8_6__count_ones(uint8_t x0) {
diff --git a/mlkem768.sh b/mlkem768.sh
index 2fdc28312..3d12b2ed8 100644
--- a/mlkem768.sh
+++ b/mlkem768.sh
@@ -1,9 +1,10 @@
#!/bin/sh
-# $OpenBSD: mlkem768.sh,v 1.2 2024/09/04 05:11:33 djm Exp $
+# $OpenBSD: mlkem768.sh,v 1.3 2024/10/27 02:06:01 djm Exp $
# Placed in the Public Domain.
#
-WANT_LIBCRUX_REVISION="origin/main"
+#WANT_LIBCRUX_REVISION="origin/main"
+WANT_LIBCRUX_REVISION="84c5d87b3092c59294345aa269ceefe0eb97cc35"
FILES="
libcrux/libcrux-ml-kem/cg/eurydice_glue.h
@@ -47,6 +48,7 @@ echo '#define KRML_NOINLINE __attribute__((noinline, unused))'
echo '#define KRML_HOST_EPRINTF(...)'
echo '#define KRML_HOST_EXIT(x) fatal_f("internal error")'
echo
+
for i in $FILES; do
echo "/* from $i */"
# Changes to all files:
@@ -56,11 +58,16 @@ for i in $FILES; do
-e 's/[ ]*$//' \
$i | \
case "$i" in
- # XXX per-file handling goes here.
+ */libcrux-ml-kem/cg/eurydice_glue.h)
+ # Replace endian functions with versions that work.
+ perl -0777 -pe 's/(static inline void core_num__u64_9__to_le_bytes.*\n)([^}]*\n)/\1 v = htole64(v);\n\2/' |
+ perl -0777 -pe 's/(static inline uint64_t core_num__u64_9__from_le_bytes.*?)return v;/\1return le64toh(v);/s' |
+ perl -0777 -pe 's/(static inline uint32_t core_num__u32_8__from_le_bytes.*?)return v;/\1return le32toh(v);/s'
+ ;;
# Default: pass through.
*)
- cat
- ;;
+ cat
+ ;;
esac
echo
done
--
2.47.0


@ -1,37 +0,0 @@
From f87403aba3e7926ab47f4c9a821300a705b070f2 Mon Sep 17 00:00:00 2001
Message-ID: <f87403aba3e7926ab47f4c9a821300a705b070f2.1730162536.git.sam@gentoo.org>
In-Reply-To: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
References: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Sun, 27 Oct 2024 02:06:59 +0000
Subject: [PATCH 7/8] upstream: explicitly include endian.h
OpenBSD-Commit-ID: 13511fdef7535bdbc35b644c90090013da43a318
(cherry picked from commit fe8d28a7ebbaa35cfc04a21263627f05c237e460)
---
kexmlkem768x25519.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/kexmlkem768x25519.c b/kexmlkem768x25519.c
index 679446e97..2b5d39608 100644
--- a/kexmlkem768x25519.c
+++ b/kexmlkem768x25519.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexmlkem768x25519.c,v 1.1 2024/09/02 12:13:56 djm Exp $ */
+/* $OpenBSD: kexmlkem768x25519.c,v 1.2 2024/10/27 02:06:59 djm Exp $ */
/*
* Copyright (c) 2023 Markus Friedl. All rights reserved.
*
@@ -34,6 +34,9 @@
#include <stdbool.h>
#include <string.h>
#include <signal.h>
+#ifdef HAVE_ENDIAN_H
+# include <endian.h>
+#endif
#include "sshkey.h"
#include "kex.h"
--
2.47.0


@ -1,66 +0,0 @@
From 88e0d4645af6e4d4fb1b0dd320b83dd83ca6e73c Mon Sep 17 00:00:00 2001
Message-ID: <88e0d4645af6e4d4fb1b0dd320b83dd83ca6e73c.1730162536.git.sam@gentoo.org>
In-Reply-To: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
References: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
From: Damien Miller <djm@mindrot.org>
Date: Sun, 27 Oct 2024 13:28:11 +1100
Subject: [PATCH 8/8] htole64() etc for systems without endian.h
(cherry picked from commit 33c5f384ae03a5d1a0bd46ca0fac3c62e4eaf784)
---
configure.ac | 1 -
defines.h | 26 ++++++++++++++++++++++++++
2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 591d5a388..9053a9a2b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2013,7 +2013,6 @@ AC_CHECK_FUNCS([ \
strtoll \
strtoul \
strtoull \
- swap32 \
sysconf \
tcgetpgrp \
timegm \
diff --git a/defines.h b/defines.h
index ed860e78b..b02f2942a 100644
--- a/defines.h
+++ b/defines.h
@@ -646,6 +646,32 @@ struct winsize {
# endif /* WORDS_BIGENDIAN */
#endif /* BYTE_ORDER */
+#ifndef HAVE_ENDIAN_H
+# define openssh_swap32(v) \
+ (uint32_t)(((uint32_t)(v) & 0xff) << 24 | \
+ ((uint32_t)(v) & 0xff00) << 8 | \
+ ((uint32_t)(v) & 0xff0000) >> 8 | \
+ ((uint32_t)(v) & 0xff000000) >> 24)
+# define openssh_swap64(v) \
+ (__uint64_t)((((__uint64_t)(v) & 0xff) << 56) | \
+ ((__uint64_t)(v) & 0xff00ULL) << 40 | \
+ ((__uint64_t)(v) & 0xff0000ULL) << 24 | \
+ ((__uint64_t)(v) & 0xff000000ULL) << 8 | \
+ ((__uint64_t)(v) & 0xff00000000ULL) >> 8 | \
+ ((__uint64_t)(v) & 0xff0000000000ULL) >> 24 | \
+ ((__uint64_t)(v) & 0xff000000000000ULL) >> 40 | \
+ ((__uint64_t)(v) & 0xff00000000000000ULL) >> 56)
+# ifdef WORDS_BIGENDIAN
+# define le32toh(v) (openssh_swap32(v))
+# define le64toh(v) (openssh_swap64(v))
+# define htole64(v) (openssh_swap64(v))
+# else
+# define le32toh(v) ((uint32_t)v)
+# define le64toh(v) ((uint64_t)v)
+# define htole64(v) ((uint64_t)v)
+# endif
+#endif
+
/* Function replacement / compatibility hacks */
#if !defined(HAVE_GETADDRINFO) && (defined(HAVE_OGETADDRINFO) || defined(HAVE_NGETADDRINFO))
--
2.47.0


@ -0,0 +1,87 @@
From 4b8d141ec165aa29a48316768089cb03aed3aada Mon Sep 17 00:00:00 2001
Message-ID: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
From: Darren Tucker <dtucker@dtucker.net>
Date: Wed, 26 Feb 2025 18:16:03 +1100
Subject: [PATCH 01/10] Check for le32toh, le64toh, htole64 individually.
It appears that at least some versions of endian.h in glibc do not have
the latter two, so check for and replace each one individually.
bz#3794, ok djm@
---
configure.ac | 12 ++++++++++++
defines.h | 28 +++++++++++++++++++++-------
2 files changed, 33 insertions(+), 7 deletions(-)
diff --git a/configure.ac b/configure.ac
index 9053a9a2b..57a8d1007 100644
--- a/configure.ac
+++ b/configure.ac
@@ -536,6 +536,18 @@ AC_CHECK_HEADERS([ \
wchar.h \
])
+AC_CHECK_DECLS([le32toh, le64toh, htole64], [], [], [
+#ifdef HAVE_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
+#ifdef HAVE_ENDIAN_H
+# include <endian.h>
+#endif
+])
+
# On some platforms (eg SunOS4) sys/audit.h requires sys/[time|types|label.h]
# to be included first.
AC_CHECK_HEADERS([sys/audit.h], [], [], [
diff --git a/defines.h b/defines.h
index c1c21aba6..090f49f55 100644
--- a/defines.h
+++ b/defines.h
@@ -646,7 +646,9 @@ struct winsize {
# endif /* WORDS_BIGENDIAN */
#endif /* BYTE_ORDER */
-#ifndef HAVE_ENDIAN_H
+#if (defined(HAVE_DECL_LE32TOH) && HAVE_DECL_LE32TOH == 0) || \
+ (defined(HAVE_DECL_LE64TOH) && HAVE_DECL_LE64TOH == 0) || \
+ (defined(HAVE_DECL_HTOLE64) && HAVE_DECL_HTOLE64 == 0)
# define openssh_swap32(v) \
(uint32_t)(((uint32_t)(v) & 0xff) << 24 | \
((uint32_t)(v) & 0xff00) << 8 | \
@@ -662,13 +664,25 @@ struct winsize {
((uint64_t)(v) & 0xff000000000000ULL) >> 40 | \
((uint64_t)(v) & 0xff00000000000000ULL) >> 56)
# ifdef WORDS_BIGENDIAN
-# define le32toh(v) (openssh_swap32(v))
-# define le64toh(v) (openssh_swap64(v))
-# define htole64(v) (openssh_swap64(v))
+# if defined(HAVE_DECL_LE32TOH) && HAVE_DECL_LE32TOH == 0
+# define le32toh(v) (openssh_swap32(v))
+# endif
+# if defined(HAVE_DECL_LE64TOH) && HAVE_DECL_LE64TOH == 0
+# define le64toh(v) (openssh_swap64(v))
+# endif
+# if defined(HAVE_DECL_HTOLE64) && HAVE_DECL_HTOLE64 == 0
+# define htole64(v) (openssh_swap64(v))
+# endif
# else
-# define le32toh(v) ((uint32_t)v)
-# define le64toh(v) ((uint64_t)v)
-# define htole64(v) ((uint64_t)v)
+# if defined(HAVE_DECL_LE32TOH) && HAVE_DECL_LE32TOH == 0
+# define le32toh(v) ((uint32_t)v)
+# endif
+# if defined(HAVE_DECL_LE64TOH) && HAVE_DECL_LE64TOH == 0
+# define le64toh(v) ((uint64_t)v)
+# endif
+# if defined(HAVE_DECL_HTOLE64) && HAVE_DECL_HTOLE64 == 0
+# define htole64(v) ((uint64_t)v)
+# endif
# endif
#endif
--
2.51.0
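Review bot: The little-endian fallbacks at the end of the second defines.h hunk cast the macro argument without parenthesising it — `# define le32toh(v) ((uint32_t)v)` and the le64toh/htole64 lines after it — so an argument containing an operator (e.g. `a + b`) is cast only on its first operand rather than on the whole expression; `# define le32toh(v) ((uint32_t)(v))` and likewise for the other two matches the `(v)` form that openssh_swap32/openssh_swap64 already use in the same file. The big-endian branch also expands `v` once per byte inside openssh_swap64, so any caller passing an expression with side effects would have it evaluated eight times; a `static inline` helper per width would remove both hazards if the fallback is kept. The callers visible elsewhere on this page pass a plain local, so this reads as macro hygiene rather than a live defect. The `#if` block that guards these definitions opens in the first defines.h hunk and closes at the `#endif` in this one.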


@ -0,0 +1,118 @@
From de4bcb51c893d81a741d4fac37c10107738a952f Mon Sep 17 00:00:00 2001
Message-ID: <de4bcb51c893d81a741d4fac37c10107738a952f.1758727915.git.sam@gentoo.org>
In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
From: Darren Tucker <dtucker@dtucker.net>
Date: Wed, 26 Feb 2025 18:25:33 +1100
Subject: [PATCH 02/10] Update autoconf files for endian.h change.
---
config.h.in | 12 +++++++++++
configure | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 72 insertions(+)
diff --git a/config.h.in b/config.h.in
index 14bee6087..c841417f4 100644
--- a/config.h.in
+++ b/config.h.in
@@ -363,10 +363,22 @@
don't. */
#undef HAVE_DECL_HOWMANY
+/* Define to 1 if you have the declaration of `htole64', and to 0 if you
+ don't. */
+#undef HAVE_DECL_HTOLE64
+
/* Define to 1 if you have the declaration of `h_errno', and to 0 if you
don't. */
#undef HAVE_DECL_H_ERRNO
+/* Define to 1 if you have the declaration of `le32toh', and to 0 if you
+ don't. */
+#undef HAVE_DECL_LE32TOH
+
+/* Define to 1 if you have the declaration of `le64toh', and to 0 if you
+ don't. */
+#undef HAVE_DECL_LE64TOH
+
/* Define to 1 if you have the declaration of `loginfailed', and to 0 if you
don't. */
#undef HAVE_DECL_LOGINFAILED
diff --git a/configure b/configure
index b4d33b7cd..ec1de26c2 100755
--- a/configure
+++ b/configure
@@ -11325,6 +11325,65 @@ then :
fi
+ac_fn_check_decl "$LINENO" "le32toh" "ac_cv_have_decl_le32toh" "
+#ifdef HAVE_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
+#ifdef HAVE_ENDIAN_H
+# include <endian.h>
+#endif
+
+" "$ac_c_undeclared_builtin_options" "CFLAGS"
+if test "x$ac_cv_have_decl_le32toh" = xyes
+then :
+ ac_have_decl=1
+else $as_nop
+ ac_have_decl=0
+fi
+printf "%s\n" "#define HAVE_DECL_LE32TOH $ac_have_decl" >>confdefs.h
+ac_fn_check_decl "$LINENO" "le64toh" "ac_cv_have_decl_le64toh" "
+#ifdef HAVE_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
+#ifdef HAVE_ENDIAN_H
+# include <endian.h>
+#endif
+
+" "$ac_c_undeclared_builtin_options" "CFLAGS"
+if test "x$ac_cv_have_decl_le64toh" = xyes
+then :
+ ac_have_decl=1
+else $as_nop
+ ac_have_decl=0
+fi
+printf "%s\n" "#define HAVE_DECL_LE64TOH $ac_have_decl" >>confdefs.h
+ac_fn_check_decl "$LINENO" "htole64" "ac_cv_have_decl_htole64" "
+#ifdef HAVE_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
+#ifdef HAVE_ENDIAN_H
+# include <endian.h>
+#endif
+
+" "$ac_c_undeclared_builtin_options" "CFLAGS"
+if test "x$ac_cv_have_decl_htole64" = xyes
+then :
+ ac_have_decl=1
+else $as_nop
+ ac_have_decl=0
+fi
+printf "%s\n" "#define HAVE_DECL_HTOLE64 $ac_have_decl" >>confdefs.h
+
+
# On some platforms (eg SunOS4) sys/audit.h requires sys/[time|types|label.h]
# to be included first.
ac_fn_c_check_header_compile "$LINENO" "sys/audit.h" "ac_cv_header_sys_audit_h" "
@@ -27710,3 +27769,4 @@ if test "$AUDIT_MODULE" = "bsm" ; then
echo "WARNING: BSM audit support is currently considered EXPERIMENTAL."
echo "See the Solaris section in README.platform for details."
fi
+
--
2.51.0


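--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,30 @@
+From ef95df4089f0dba640671ca6acfb876a78794b83 Mon Sep 17 00:00:00 2001
+Message-ID: <ef95df4089f0dba640671ca6acfb876a78794b83.1758727915.git.sam@gentoo.org>
+In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
+References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Sat, 1 Mar 2025 10:28:59 +1100
+Subject: [PATCH 03/10] Rebuild config files if Makefile changes.
+This ensures paths are updated if they are changed by re-running configure.
+Patch from rapier at psc.edu.
+---
+Makefile.in | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/Makefile.in b/Makefile.in
+index 4243006b0..fc7a1a354 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -267,7 +267,7 @@ $(MANPAGES): $(MANPAGES_IN)
+$(FIXPATHSCMD) $${manpage} | $(FIXALGORITHMSCMD) > $@; \
+fi
+-$(CONFIGFILES): $(CONFIGFILES_IN)
++$(CONFIGFILES): $(CONFIGFILES_IN) Makefile
+conffile=`echo $@ | sed 's/.out$$//'`; \
+$(FIXPATHSCMD) $(srcdir)/$${conffile} > $@
+--
+2.51.0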


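--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,92 @@
+From 3b4adf2018ae8fdd48623b6b5ede182319a76b8f Mon Sep 17 00:00:00 2001
+Message-ID: <3b4adf2018ae8fdd48623b6b5ede182319a76b8f.1758727915.git.sam@gentoo.org>
+In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
+References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
+From: Damien Miller <djm@mindrot.org>
+Date: Sun, 2 Mar 2025 22:06:53 +1100
+Subject: [PATCH 04/10] include __builtin_popcount replacement function
+Some systems/compilers lack __builtin_popcount(), so replace it as
+necessary. Reported by Dennis Clarke; ok dtucker@
+---
+configure.ac | 13 +++++++++++++
+libcrux_mlkem768_sha3.h | 8 ++++++--
+mlkem768.sh | 10 +++++++++-
+3 files changed, 28 insertions(+), 3 deletions(-)
+diff --git a/configure.ac b/configure.ac
+index 57a8d1007..dbe189066 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -2041,6 +2041,19 @@ AC_CHECK_FUNCS([ \
+warn \
+])
++AC_MSG_CHECKING([whether compiler supports __builtin_popcount])
++AC_LINK_IFELSE([AC_LANG_PROGRAM([[
++ #include <stdlib.h>
++ ]],
++ [[ int x = 123, y;
++ y = __builtin_popcount(123);
++ exit(y == 6 ? 0 : -1); ]])],
++ [ AC_MSG_RESULT([yes]) ], [
++ AC_MSG_RESULT([no])
++ AC_DEFINE([MISSING_BUILTIN_POPCOUNT], [1], [Define if your compiler lacks __builtin_popcount])
++ ]
++)
++
+AC_CHECK_DECLS([bzero, memmem])
+dnl Wide character support.
+diff --git a/libcrux_mlkem768_sha3.h b/libcrux_mlkem768_sha3.h
+index b8ac1436f..885e82baf 100644
+--- a/libcrux_mlkem768_sha3.h
++++ b/libcrux_mlkem768_sha3.h
+@@ -177,10 +177,14 @@ static inline uint32_t core_num__u32_8__from_le_bytes(uint8_t buf[4]) {
+}
+static inline uint32_t core_num__u8_6__count_ones(uint8_t x0) {
+-#ifdef _MSC_VER
++#if defined(_MSC_VER)
+return __popcnt(x0);
+-#else
++#elif !defined(MISSING_BUILTIN_POPCOUNT)
+return __builtin_popcount(x0);
++#else
++ const uint8_t v[16] = { 0, 1, 1, 2, 1, 2, 2, 3, 1, 2, 2, 3, 2, 3, 3, 4 };
++ return v[x0 & 0xf] + v[(x0 >> 4) & 0xf];
++
+#endif
+}
+diff --git a/mlkem768.sh b/mlkem768.sh
+index 3d12b2ed8..cbc3d14da 100644
+--- a/mlkem768.sh
++++ b/mlkem768.sh
+@@ -49,6 +49,11 @@ echo '#define KRML_HOST_EPRINTF(...)'
+echo '#define KRML_HOST_EXIT(x) fatal_f("internal error")'
+echo
++__builtin_popcount_replacement='
++ const uint8_t v[16] = { 0, 1, 1, 2, 1, 2, 2, 3, 1, 2, 2, 3, 2, 3, 3, 4 };
++ return v[x0 & 0xf] + v[(x0 >> 4) & 0xf];
++'
++
+for i in $FILES; do
+echo "/* from $i */"
+# Changes to all files:
+@@ -62,7 +67,10 @@ for i in $FILES; do
+# Replace endian functions with versions that work.
+perl -0777 -pe 's/(static inline void core_num__u64_9__to_le_bytes.*\n)([^}]*\n)/\1 v = htole64(v);\n\2/' |
+perl -0777 -pe 's/(static inline uint64_t core_num__u64_9__from_le_bytes.*?)return v;/\1return le64toh(v);/s' |
+- perl -0777 -pe 's/(static inline uint32_t core_num__u32_8__from_le_bytes.*?)return v;/\1return le32toh(v);/s'
++ perl -0777 -pe 's/(static inline uint32_t core_num__u32_8__from_le_bytes.*?)return v;/\1return le32toh(v);/s' |
++ # Compat for popcount.
++ perl -0777 -pe 's/\#ifdef (_MSC_VER)(.*?return __popcnt\(x0\);)/\#if defined(\1)\2/s' |
++ perl -0777 -pe "s/\\#else(\\n\\s+return __builtin_popcount\\(x0\\);)/\\#elif !defined(MISSING_BUILTIN_POPCOUNT)\\1\\n#else$__builtin_popcount_replacement/s"
+;;
+# Default: pass through.
+*)
+--
+2.51.0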
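Review bot: The configure.ac probe declares `int x = 123, y;` but never reads `x` (the call passes the literal 123), so on a toolchain that turns unused-variable warnings into errors the link test fails and MISSING_BUILTIN_POPCOUNT gets defined even though the builtin exists; `int y = __builtin_popcount(123);` sidesteps that. In libcrux_mlkem768_sha3.h the fallback branch carries a stray blank line between the `return` and `#endif`, which comes from the trailing newline inside `__builtin_popcount_replacement` in mlkem768.sh — the same two lines live in both the header and the generator script, so any later edit has to be made in both or only in the script followed by regeneration. The nibble-table fallback indexes memory with `x0`, so its access pattern depends on the input; that is presumably harmless if this function only ever sees public sampling data, but nothing here says so, and a one-line comment stating the assumption would help a reader who later reuses it.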


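--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,32 @@
+From d58ae05bb7838e1fdae967752f06b0b2471a63f5 Mon Sep 17 00:00:00 2001
+Message-ID: <d58ae05bb7838e1fdae967752f06b0b2471a63f5.1758727915.git.sam@gentoo.org>
+In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
+References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
+From: "djm@openbsd.org" <djm@openbsd.org>
+Date: Sun, 2 Mar 2025 22:44:00 +0000
+Subject: [PATCH 05/10] upstream: fix PerSourcePenalty incorrectly using
+"crash" penalty when
+LoginGraceTime was exceeded. Reported by irwin AT princeton.edu via bz3797
+OpenBSD-Commit-ID: 1ba3e490a5a9451359618c550d995380af454d25
+---
+srclimit.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/srclimit.c b/srclimit.c
+index 33116fa52..c63a462e2 100644
+--- a/srclimit.c
++++ b/srclimit.c
+@@ -386,7 +386,7 @@ srclimit_penalise(struct xaddr *addr, int penalty_type)
+reason = "penalty: connection prohibited by RefuseConnection";
+break;
+case SRCLIMIT_PENALTY_GRACE_EXCEEDED:
+- penalty_secs = penalty_cfg.penalty_crash;
++ penalty_secs = penalty_cfg.penalty_grace;
+reason = "penalty: exceeded LoginGraceTime";
+break;
+default:
+--
+2.51.0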


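--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,80 @@
+From 7d5b6c7ec3c597a6d57f64d0db925142bccd38a3 Mon Sep 17 00:00:00 2001
+Message-ID: <7d5b6c7ec3c597a6d57f64d0db925142bccd38a3.1758727915.git.sam@gentoo.org>
+In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
+References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
+From: Damien Miller <djm@mindrot.org>
+Date: Mon, 3 Mar 2025 14:21:12 +1100
+Subject: [PATCH 06/10] regenerate configure, config.h.in
+---
+config.h.in | 3 +++
+configure | 35 ++++++++++++++++++++++++++++++++++-
+2 files changed, 37 insertions(+), 1 deletion(-)
+diff --git a/config.h.in b/config.h.in
+index c841417f4..57f63355b 100644
+--- a/config.h.in
++++ b/config.h.in
+@@ -1748,6 +1748,9 @@
+/* Set this to your mail directory if you do not have _PATH_MAILDIR */
+#undef MAIL_DIRECTORY
++/* Define if your compiler lacks __builtin_popcount */
++#undef MISSING_BUILTIN_POPCOUNT
++
+/* Need setpgrp to for controlling tty */
+#undef NEED_SETPGRP
+diff --git a/configure b/configure
+index ec1de26c2..a18079da2 100755
+--- a/configure
++++ b/configure
+@@ -16785,6 +16785,40 @@ then :
+fi
++{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether compiler supports __builtin_popcount" >&5
++printf %s "checking whether compiler supports __builtin_popcount... " >&6; }
++cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h. */
++
++ #include <stdlib.h>
++
++int
++main (void)
++{
++ int x = 123, y;
++ y = __builtin_popcount(123);
++ exit(y == 6 ? 0 : -1);
++ ;
++ return 0;
++}
++_ACEOF
++if ac_fn_c_try_link "$LINENO"
++then :
++ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5
++printf "%s\n" "yes" >&6; }
++else $as_nop
++
++ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
++printf "%s\n" "no" >&6; }
++
++printf "%s\n" "#define MISSING_BUILTIN_POPCOUNT 1" >>confdefs.h
++
++
++
++fi
++rm -f core conftest.err conftest.$ac_objext conftest.beam \
++ conftest$ac_exeext conftest.$ac_ext
++
+ac_fn_check_decl "$LINENO" "bzero" "ac_cv_have_decl_bzero" "$ac_includes_default" "$ac_c_undeclared_builtin_options" "CFLAGS"
+if test "x$ac_cv_have_decl_bzero" = xyes
+then :
+@@ -27769,4 +27803,3 @@ if test "$AUDIT_MODULE" = "bsm" ; then
+echo "WARNING: BSM audit support is currently considered EXPERIMENTAL."
+echo "See the Solaris section in README.platform for details."
+fi
+-
+--
+2.51.0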


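--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,44 @@
+From be8026caf9da985638c762c353c397c0922be233 Mon Sep 17 00:00:00 2001
+Message-ID: <be8026caf9da985638c762c353c397c0922be233.1758727915.git.sam@gentoo.org>
+In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
+References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Tue, 11 Mar 2025 11:46:44 +0000
+Subject: [PATCH 07/10] upstream: Prime caches for DNS names needed for tests.
+When running the SSHFP tests, particularly on an ephemeral VM, the first
+query or two can fail for some reason, presumably because something isn't
+fully initialized or something. To work around this, issue queries for the
+names we'll need before we need them.
+OpenBSD-Regress-ID: 900841133540e7dead253407db5a874a6ed09eca
+---
+regress/sshfp-connect.sh | 8 +++++++-
+1 file changed, 7 insertions(+), 1 deletion(-)
+diff --git a/regress/sshfp-connect.sh b/regress/sshfp-connect.sh
+index f78646922..3c73a35d0 100644
+--- a/regress/sshfp-connect.sh
++++ b/regress/sshfp-connect.sh
+@@ -1,4 +1,4 @@
+-# $OpenBSD: sshfp-connect.sh,v 1.4 2021/09/01 00:50:27 dtucker Exp $
++# $OpenBSD: sshfp-connect.sh,v 1.5 2025/03/11 11:46:44 dtucker Exp $
+# Placed in the Public Domain.
+# This test requires external setup and thus is skipped unless
+@@ -29,6 +29,12 @@ if ! $SSH -Q key-plain | grep ssh-rsa >/dev/null; then
+elif [ -z "${TEST_SSH_SSHFP_DOMAIN}" ]; then
+skip "TEST_SSH_SSHFP_DOMAIN not set."
+else
++ # Prime any DNS caches and resolvers.
++ for i in sshtest sshtest-sha1 sshtest-sha256; do
++ host -t sshfp ${i}.${TEST_SSH_SSHFP_DOMAIN} >/dev/null 2>&1
++ host -t sshfp ${i}-bad.${TEST_SSH_SSHFP_DOMAIN} >/dev/null 2>&1
++ done
++
+# Set RSA host key to match fingerprints above.
+mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
+$SUDO cp $SRC/rsa_openssh.prv $OBJ/host.ssh-rsa
+--
+2.51.0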
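Review bot: The priming loop expands `${i}.${TEST_SSH_SSHFP_DOMAIN}` and `${i}-bad.${TEST_SSH_SSHFP_DOMAIN}` unquoted; both values are test-controlled so this is harmless, but `"${i}.${TEST_SSH_SSHFP_DOMAIN}"` keeps the script consistent with the quoted `-z "${TEST_SSH_SSHFP_DOMAIN}"` check just above. The three host names are hard-coded here and presumably mirror the names the connection tests further down the file use, which lie outside the hunk; a comment such as `# Keep in sync with the hostnames the tests below connect to.` would tie the two lists together. Output and exit status of `host` are discarded, so a missing `host` binary silently leaves the caches unprimed — consistent with the best-effort intent, but worth a word in the comment.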


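--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,41 @@
+From aab12549a939d07f638df486f910544c6b11b972 Mon Sep 17 00:00:00 2001
+Message-ID: <aab12549a939d07f638df486f910544c6b11b972.1758727915.git.sam@gentoo.org>
+In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
+References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
+From: Darren Tucker <dtucker@dtucker.net>
+Date: Thu, 17 Oct 2024 19:18:23 +1100
+Subject: [PATCH 08/10] MacOS 12 runners are deprecated, replace with 15.
+---
+.github/workflows/c-cpp.yml | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/.github/workflows/c-cpp.yml b/.github/workflows/c-cpp.yml
+index c179f73d1..c49aa5ee8 100644
+--- a/.github/workflows/c-cpp.yml
++++ b/.github/workflows/c-cpp.yml
+@@ -17,9 +17,9 @@ jobs:
+target:
+- ubuntu-20.04
+- ubuntu-22.04
+- - macos-12
+- macos-13
+- macos-14
++ - macos-15
+- windows-2019
+- windows-2022
+config: [default]
+@@ -100,9 +100,9 @@ jobs:
+- { target: ubuntu-22.04, config: selinux }
+- { target: ubuntu-22.04, config: kitchensink }
+- { target: ubuntu-22.04, config: without-openssl }
+- - { target: macos-12, config: pam }
+- { target: macos-13, config: pam }
+- { target: macos-14, config: pam }
++ - { target: macos-15, config: pam }
+runs-on: ${{ matrix.target }}
+steps:
+- name: set cygwin git params
+--
+2.51.0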


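--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,51 @@
+From 8e4bd6ebdbde0ff22e0c1c1f1a134ef255af7595 Mon Sep 17 00:00:00 2001
+Message-ID: <8e4bd6ebdbde0ff22e0c1c1f1a134ef255af7595.1758727915.git.sam@gentoo.org>
+In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
+References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
+From: "tb@openbsd.org" <tb@openbsd.org>
+Date: Tue, 3 Dec 2024 15:53:51 +0000
+Subject: [PATCH 09/10] upstream: Remove redundant field of definition check
+This will allow us to get rid of EC_GROUP_method_of() in the near future.
+ok djm
+OpenBSD-Commit-ID: b4a3d2e00990cf5c2ec6881c21ddca67327c2df8
+---
+sshkey.c | 13 -------------
+1 file changed, 13 deletions(-)
+diff --git a/sshkey.c b/sshkey.c
+index 1db83788d..44be674d1 100644
+--- a/sshkey.c
++++ b/sshkey.c
+@@ -2708,14 +2708,6 @@ sshkey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public)
+* EC_POINT_oct2point then the caller will need to explicitly check.
+*/
+- /*
+- * We shouldn't ever hit this case because bignum_get_ecpoint()
+- * refuses to load GF2m points.
+- */
+- if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
+- NID_X9_62_prime_field)
+- goto out;
+-
+/* Q != infinity */
+if (EC_POINT_is_at_infinity(group, public))
+goto out;
+@@ -2815,11 +2807,6 @@ sshkey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point)
+fprintf(stderr, "%s: BN_new failed\n", __func__);
+goto out;
+}
+- if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
+- NID_X9_62_prime_field) {
+- fprintf(stderr, "%s: group is not a prime field\n", __func__);
+- goto out;
+- }
+if (EC_POINT_get_affine_coordinates_GFp(group, point,
+x, y, NULL) != 1) {
+fprintf(stderr, "%s: EC_POINT_get_affine_coordinates_GFp\n",
+--
+2.51.0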
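Review bot: With the field-type check gone, nothing left in sshkey_ec_validate_public states the invariant it now depends on — that only prime-field groups reach it; the removed comment was the one place recording that bignum_get_ecpoint() refuses GF2m points. A one-line comment where the check stood, e.g. `/* Only prime-field groups are expected here: per the loader, bignum_get_ecpoint() refuses GF2m points. */`, keeps that knowledge visible for the next reader of the validation path. In sshkey_dump_ec_point the same removal means a non-prime group would now surface only as a failed EC_POINT_get_affine_coordinates_GFp call rather than the explicit "not a prime field" message, which is presumably acceptable for a debug dump. Both functions begin before their hunks and continue after them.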


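--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,64 @@
+From 3eeda15eb9d3b9f2fd762ba3493ba88abe6bbcd9 Mon Sep 17 00:00:00 2001
+Message-ID: <3eeda15eb9d3b9f2fd762ba3493ba88abe6bbcd9.1758727915.git.sam@gentoo.org>
+In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
+References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
+From: "dtucker@openbsd.org" <dtucker@openbsd.org>
+Date: Tue, 11 Mar 2025 07:42:08 +0000
+Subject: [PATCH 10/10] upstream: Check if dbclient supports SHA1 before trying
+SHA1-based
+KEX.
+Dropbear 2025.87 removed SHA1 support by default, which means
+diffie-hellman-group14-sha1 is not available. Unfortunately there isn't a
+flag to query supported KEX, so instead check MACs and if it doesn't have
+SHA1 methods, assuming SHA1 based KEXes are likewise not available. Spotted
+by anton@.
+OpenBSD-Regress-ID: acfa8e26c001cb18b9fb81a27271c3b51288d304
+---
+regress/dropbear-kex.sh | 17 ++++++++++++-----
+1 file changed, 12 insertions(+), 5 deletions(-)
+diff --git a/regress/dropbear-kex.sh b/regress/dropbear-kex.sh
+index d9f1b32c0..72717fbb7 100644
+--- a/regress/dropbear-kex.sh
++++ b/regress/dropbear-kex.sh
+@@ -1,4 +1,4 @@
+-# $OpenBSD: dropbear-kex.sh,v 1.3 2024/06/19 10:10:46 dtucker Exp $
++# $OpenBSD: dropbear-kex.sh,v 1.4 2025/03/11 07:42:08 dtucker Exp $
+# Placed in the Public Domain.
+tid="dropbear kex"
+@@ -10,8 +10,14 @@ fi
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak
+kex="curve25519-sha256 curve25519-sha256@libssh.org"
+-if $SSH -Q kex | grep 'diffie-hellman-group14-sha1'; then
+- kex="$kex diffie-hellman-group14-sha256 diffie-hellman-group14-sha1"
++if $SSH -Q kex | grep 'diffie-hellman-group14-sha256' >/dev/null; then
++ kex="$kex diffie-hellman-group14-sha256"
++fi
++# There's no flag to query KEX, so if MACs does not contain SHA1, assume
++# there's also SHA1-based KEX methods either.
++if $SSH -Q kex | grep 'diffie-hellman-group14-sha1' >/dev/null && \
++ $DBCLIENT -m help hst 2>&1 | grep -- '-sha1' >/dev/null ; then
++ kex="$kex diffie-hellman-group14-sha1"
+fi
+for k in $kex; do
+@@ -19,8 +25,9 @@ for k in $kex; do
+rm -f ${COPY}
+# dbclient doesn't have switch for kex, so force in server
+(cat $OBJ/sshd_proxy.bak; echo "KexAlgorithms $k") >$OBJ/sshd_proxy
+- env HOME=$OBJ dbclient -y -i $OBJ/.dropbear/id_ed25519 2>$OBJ/dbclient.log \
+- -J "$OBJ/ssh_proxy.sh" somehost cat ${DATA} > ${COPY}
++ env HOME=$OBJ \
++ ${DBCLIENT} -y -i $OBJ/.dropbear/id_ed25519 2>$OBJ/dbclient.log \
++ -J "$OBJ/ssh_proxy.sh" somehost cat ${DATA} > ${COPY}
+if [ $? -ne 0 ]; then
+fail "ssh cat $DATA failed"
+fi
+--
+2.51.0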
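Review bot: The new comment `# there's also SHA1-based KEX methods either.` states the opposite of what the condition below it does — the SHA1 KEX is added only when dbclient's MAC list still mentions sha1 — so it should read `# there are no SHA1-based KEX methods either.` The probe `$DBCLIENT -m help hst 2>&1 | grep -- '-sha1'` presumably relies on the usage text listing MAC names such as hmac-sha1; a short comment naming that expectation would make the test easier to repair when Dropbear's help output changes. The `kex` list built here is consumed by the loop that continues past the hunk.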


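--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,14 +0,0 @@
-https://bugzilla.mindrot.org/show_bug.cgi?id=3707
-https://bugs.gentoo.org/935353
---- a/openbsd-compat/port-linux.c
-+++ b/openbsd-compat/port-linux.c
-@@ -366,7 +366,7 @@ ssh_systemd_notify(const char *fmt, ...)
-error_f("socket \"%s\": %s", path, strerror(errno));
-goto out;
-}
-- if (connect(fd, &addr, sizeof(addr)) != 0) {
-+ if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) != 0) {
-error_f("socket \"%s\" connect: %s", path, strerror(errno));
-goto out;
-}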


@ -11,7 +11,7 @@ inherit user-info flag-o-matic autotools optfeature pam systemd toolchain-funcs
# Make it more portable between straight releases
# and _p? releases.
PARCH=${P/_}
PARCH=${PN}-10.0p1
DESCRIPTION="Port of OpenBSD's free SSH release"
HOMEPAGE="https://www.openssh.com/"
@ -19,19 +19,21 @@ SRC_URI="
mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )
"
S="${WORKDIR}/${PARCH}"
if [[ ${PV} != 10.0_p2 ]] ; then
die "Please restore the old S/PATCHES. 10.0_p2 had a workaround that should be dropped."
fi
S="${WORKDIR}/${PN}-10.0p1"
LICENSE="BSD GPL-2"
SLOT="0"
KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
# Probably want to drop ssl defaulting to on in a future version.
IUSE="abi_mips_n32 audit debug kerberos ldns legacy-ciphers libedit livecd pam +pie security-key selinux +ssl static test xmss"
IUSE="abi_mips_n32 audit debug kerberos ldns libedit livecd pam security-key selinux +ssl static test xmss"
RESTRICT="!test? ( test )"
REQUIRED_USE="
ldns? ( ssl )
pie? ( !static )
static? ( !kerberos !pam )
xmss? ( ssl )
test? ( ssl )
@ -83,9 +85,8 @@ PATCHES=(
"${FILESDIR}/${PN}-9.6_p1-fix-xmss-c99.patch"
"${FILESDIR}/${PN}-9.7_p1-config-tweaks.patch"
# Backports from upstream release branch
#"${FILESDIR}/${PV}"
"${FILESDIR}/${PV}"
# Our own backports
"${FILESDIR}/${PN}-9.9_p1-x-forwarding-slow.patch"
)
pkg_pretend() {
@ -192,22 +193,25 @@ src_configure() {
# Clang (bug #872548), ICEs on m68k (bug #920350, gcc PR113086,
# gcc PR104820, gcc PR104817, gcc PR110934)).
#
# Furthermore, OSSH_CHECK_CFLAG_COMPILE does not use AC_CACHE_CHECK,
# so we cannot just disable -fzero-call-used-regs=used.
# Furthermore, OSSH_CHECK_CFLAG_COMPILE does not use AC_CACHE_CHECK
# util 10.1_p1, so we cannot just disable -fzero-call-used-regs=used.
#
# Therefore, just pass --without-hardening, given it doesn't negate
# our already hardened toolchain defaults, and avoids adding flags
# which are known-broken in both Clang and GCC and haven't been
# proven reliable.
--without-hardening
--without-pie
--without-stackprotect
# wtmpdb not yet packaged
--without-wtmpdb
$(use_with audit audit linux)
$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
$(use_with ldns)
$(use_enable legacy-ciphers dsa-keys)
$(use_with libedit)
$(use_with pam)
$(use_with pie)
$(use_with selinux)
$(use_with security-key security-key-builtin)
$(use_with ssl openssl)
@ -219,10 +223,6 @@ src_configure() {
myconf+=( --disable-utmp --disable-wtmp )
fi
# Workaround for Clang 15 miscompilation with -fzero-call-used-regs=all
# bug #869839 (https://github.com/llvm/llvm-project/issues/57692)
tc-is-clang && myconf+=( --without-hardening )
econf "${myconf[@]}"
}
@ -299,7 +299,7 @@ src_test() {
if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
ewarn "user, so we will run a subset only."
tests+=( interop-tests )
tests+=( interop-tests file-tests unit )
else
tests+=( tests )
fi
@ -315,6 +315,8 @@ src_install() {
dobin contrib/ssh-copy-id
newinitd "${FILESDIR}"/sshd-r1.initd sshd
newconfd "${FILESDIR}"/sshd-r1.confd sshd
exeinto /etc/user/init.d
newexe "${FILESDIR}"/ssh-agent.initd ssh-agent
if use pam; then
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
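Review bot: The comment line `# util 10.1_p1, so we cannot just disable -fzero-call-used-regs=used.` misspells `until`; the rendered view does not show which side of the hunk it sits on, but the 10.1_p1 ebuild added later in this commit spells it `until`, so if this is the new side it should match. The paired `PARCH=` and `S=` assignments in the first two hunks likewise cannot be attributed to a side here; whichever survives, the `die` guarded by `[[ ${PV} != 10.0_p2 ]]` only makes sense alongside the `${PN}-10.0p1` override, so the two should be kept or dropped together.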


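--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,432 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+EAPI=8
+# Remember to check the upstream release/stable branches for patches
+# to backport! See https://marc.info/?l=openssh-unix-dev&m=172723798122122&w=2.
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssh.org.asc
+inherit user-info flag-o-matic autotools optfeature pam systemd toolchain-funcs verify-sig eapi9-ver
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="https://www.openssh.com/"
+SRC_URI="
+mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )
+"
+S="${WORKDIR}/${PARCH}"
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+# Probably want to drop ssl defaulting to on in a future version.
+IUSE="abi_mips_n32 audit debug kerberos ldns libedit livecd pam security-key selinux +ssl static test"
+RESTRICT="!test? ( test )"
+REQUIRED_USE="
+ldns? ( ssl )
+static? ( !kerberos !pam )
+test? ( ssl )
+"
+LIB_DEPEND="
+audit? ( sys-process/audit[static-libs(+)] )
+ldns? (
+net-libs/ldns[static-libs(+)]
+net-libs/ldns[ecdsa(+),ssl(+)]
+)
+libedit? ( dev-libs/libedit:=[static-libs(+)] )
+security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
+selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
+virtual/libcrypt:=[static-libs(+)]
+>=sys-libs/zlib-1.2.3:=[static-libs(+)]
+"
+RDEPEND="
+acct-group/sshd
+acct-user/sshd
+!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
+pam? ( sys-libs/pam )
+kerberos? ( virtual/krb5 )
+"
+DEPEND="
+${RDEPEND}
+virtual/os-headers
+kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
+static? ( ${LIB_DEPEND} )
+"
+RDEPEND="
+${RDEPEND}
+!net-misc/openssh-contrib
+pam? ( >=sys-auth/pambase-20081028 )
+!prefix? ( sys-apps/shadow )
+"
+BDEPEND="
+dev-build/autoconf
+virtual/pkgconfig
+verify-sig? ( sec-keys/openpgp-keys-openssh )
+"
+PATCHES=(
+"${FILESDIR}/${PN}-9.4_p1-Allow-MAP_NORESERVE-in-sandbox-seccomp-filter-maps.patch"
+"${FILESDIR}/${PN}-9.7_p1-config-tweaks.patch"
+# Backports from upstream release branch
+"${FILESDIR}/${PV}"
+# Our own backports
+)
+pkg_pretend() {
+local i enabled_eol_flags disabled_eol_flags
+for i in hpn sctp X509; do
+if has_version "net-misc/openssh[${i}]"; then
+enabled_eol_flags+="${i},"
+disabled_eol_flags+="-${i},"
+fi
+done
+if [[ -n ${enabled_eol_flags} && ${OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING} != yes ]]; then
+# Skip for binary packages entirely because of environment saving, bug #907892
+[[ ${MERGE_TYPE} == binary ]] && return
+ewarn "net-misc/openssh does not support USE='${enabled_eol_flags%,}' anymore."
+ewarn "The Base system team *STRONGLY* recommends you not rely on this functionality,"
+ewarn "since these USE flags required third-party patches that often trigger bugs"
+ewarn "and are of questionable provenance."
+ewarn
+ewarn "If you must continue relying on this functionality, switch to"
+ewarn "net-misc/openssh-contrib. You will have to remove net-misc/openssh from your"
+ewarn "world file first: 'emerge --deselect net-misc/openssh'"
+ewarn
+ewarn "In order to prevent loss of SSH remote login access, we will abort the build."
+ewarn "Whether you proceed with disabling the USE flags or switch to the -contrib"
+ewarn "variant, when re-emerging you will have to set"
+ewarn
+ewarn " OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes"
+die "Building net-misc/openssh[${disabled_eol_flags%,}] without OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes"
+fi
+# Make sure people who are using tcp wrappers are notified of its removal. #531156
+if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
+ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
+ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please."
+fi
+}
+src_prepare() {
+# don't break .ssh/authorized_keys2 for fun
+sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+[[ -d ${WORKDIR}/patches ]] && PATCHES+=( "${WORKDIR}"/patches )
+default
+# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
+sed -e '/\t\tpercent \\/ d' \
+-i regress/Makefile || die
+tc-export PKG_CONFIG
+local sed_args=(
+-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+# Disable fortify flags ... our gcc does this for us
+-e 's:-D_FORTIFY_SOURCE=2::'
+)
+# _XOPEN_SOURCE causes header conflicts on Solaris
+[[ ${CHOST} == *-solaris* ]] && sed_args+=(
+-e 's/-D_XOPEN_SOURCE//'
+)
+sed -i "${sed_args[@]}" configure{.ac,} || die
+eautoreconf
+}
+src_configure() {
+addwrite /dev/ptmx
+use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
+use static && append-ldflags -static
+if [[ ${CHOST} == *-solaris* ]] ; then
+# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
+# doesn't check for this, so force the replacement to be put in
+# place
+append-cppflags -DBROKEN_GLOB
+fi
+# use replacement, RPF_ECHO_ON doesn't exist here
+[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
+local myconf=(
+--with-ldflags="${LDFLAGS}"
+--disable-strip
+--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
+--sysconfdir="${EPREFIX}"/etc/ssh
+--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
+--datadir="${EPREFIX}"/usr/share/openssh
+--with-privsep-path="${EPREFIX}"/var/empty
+--with-privsep-user=sshd
+# optional at runtime; guarantee a known path
+--with-xauth="${EPREFIX}"/usr/bin/xauth
+# --with-hardening adds the following in addition to flags we
+# already set in our toolchain:
+# * -ftrapv (which is broken with GCC anyway),
+# * -ftrivial-auto-var-init=zero (which is nice, but not the end of
+# the world to not have)
+# * -fzero-call-used-regs=used (history of miscompilations with
+# Clang (bug #872548), ICEs on m68k (bug #920350, gcc PR113086,
+# gcc PR104820, gcc PR104817, gcc PR110934)).
+#
+# Furthermore, OSSH_CHECK_CFLAG_COMPILE did not use AC_CACHE_CHECK
+# until 10.1_p1, so we couldn't disable -fzero-call-used-regs=used.
+#
+# Therefore, just pass --without-hardening, given it doesn't negate
+# our already hardened toolchain defaults, and avoids adding flags
+# which are known-broken in both Clang and GCC and haven't been
+# proven reliable.
+--without-hardening
+--without-pie
+--without-stackprotect
+# wtmpdb not yet packaged
+--without-wtmpdb
+$(use_with audit audit linux)
+$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
+$(use_with ldns)
+$(use_with libedit)
+$(use_with pam)
+$(use_with selinux)
+$(use_with security-key security-key-builtin)
+$(use_with ssl openssl)
+$(use_with ssl ssl-engine)
+)
+if use elibc_musl; then
+# musl defines bogus values for UTMP_FILE and WTMP_FILE (bug #753230)
+myconf+=( --disable-utmp --disable-wtmp )
+fi
+econf "${myconf[@]}"
+}
+create_config_dropins() {
+local locale_vars=(
+# These are language variables that POSIX defines.
+# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
+LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
+# These are the GNU extensions.
+# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
+LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
+)
+mkdir -p "${WORKDIR}"/etc/ssh/ssh{,d}_config.d || die
+cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die
+# Send locale environment variables (bug #367017)
+SendEnv ${locale_vars[*]}
+# Send COLORTERM to match TERM (bug #658540)
+SendEnv COLORTERM
+EOF
+cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo-security.conf || die
+RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts"
+EOF
+cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_revoked_hosts || die
+# https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
+ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
+EOF
+cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die
+# Allow client to pass locale environment variables (bug #367017)
+AcceptEnv ${locale_vars[*]}
+# Allow client to pass COLORTERM to match TERM (bug #658540)
+AcceptEnv COLORTERM
+EOF
+cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-subsystem.conf || die
+# override default of no subsystems
+Subsystem sftp ${EPREFIX}/usr/$(get_libdir)/misc/sftp-server
+EOF
+if use pam ; then
+cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-pam.conf || die
+UsePAM yes
+# This interferes with PAM.
+PasswordAuthentication no
+# PAM can do its own handling of MOTD.
+PrintMotd no
+PrintLastLog no
+EOF
+fi
+if use livecd ; then
+cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-livecd.conf || die
+# Allow root login with password on livecds.
+PermitRootLogin Yes
+EOF
+fi
+}
+src_compile() {
+default
+create_config_dropins
+}
+src_test() {
+local tests=( compat-tests )
+local shell=$(egetshell "${UID}")
+if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
+ewarn "user, so we will run a subset only."
+tests+=( interop-tests file-tests unit )
+else
+tests+=( tests )
+fi
+local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1
+mkdir -p "${HOME}"/.ssh || die
+emake -j1 "${tests[@]}" </dev/null
+}
+src_install() {
+emake install-nokeys DESTDIR="${D}"
+fperms 600 /etc/ssh/sshd_config
+dobin contrib/ssh-copy-id
+newinitd "${FILESDIR}"/sshd-r1.initd sshd
+newconfd "${FILESDIR}"/sshd-r1.confd sshd
+exeinto /etc/user/init.d
+newexe "${FILESDIR}"/ssh-agent.initd ssh-agent
+if use pam; then
+newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+fi
+doman contrib/ssh-copy-id.1
+dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
+rmdir "${ED}"/var/empty || die
+systemd_dounit "${FILESDIR}"/sshd.socket
+systemd_newunit "${FILESDIR}"/sshd.service.2 sshd.service
+systemd_newunit "${FILESDIR}"/sshd_at.service.1 'sshd@.service'
+# Install dropins with explicit mode, bug 906638, 915840
+diropts -m0755
+insopts -m0644
+insinto /etc/ssh
+doins -r "${WORKDIR}"/etc/ssh/ssh_config.d
+doins "${WORKDIR}"/etc/ssh/ssh_revoked_hosts
+diropts -m0700
+insopts -m0600
+doins -r "${WORKDIR}"/etc/ssh/sshd_config.d
+}
+pkg_preinst() {
+if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
+show_ssl_warning=1
+fi
+}
+pkg_postinst() {
+# bug #139235
+optfeature "x11 forwarding" x11-apps/xauth
+if ver_replacing -lt "5.8_p1"; then
+elog "Starting with openssh-5.8p1, the server will default to a newer key"
+elog "algorithm (ECDSA). You are encouraged to manually update your stored"
+elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
+fi
+if ver_replacing -lt "7.0_p1"; then
+elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
+elog "Make sure to update any configs that you might have. Note that xinetd might"
+elog "be an alternative for you as it supports USE=tcpd."
+fi
+if ver_replacing -lt "7.1_p1"; then #557388 #555518
+elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
+elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
+elog "adding to your sshd_config or ~/.ssh/config files:"
+elog " PubkeyAcceptedKeyTypes=+ssh-dss"
+elog "You should however generate new keys using rsa or ed25519."
+elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
+elog "to 'prohibit-password'. That means password auth for root users no longer works"
+elog "out of the box. If you need this, please update your sshd_config explicitly."
+fi
+if ver_replacing -lt "7.6_p1"; then
+elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
+elog "Furthermore, rsa keys with less than 1024 bits will be refused."
+fi
+if ver_replacing -lt "7.7_p1"; then
+elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
+elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
+elog "if you need to authenticate against LDAP."
+elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
+fi
+if ver_replacing -lt "8.2_p1"; then
+ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
+ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
+ewarn "connection is generally safe."
+fi
+if ver_replacing -lt "9.2_p1-r1" && systemd_is_booted; then
+ewarn "From openssh-9.2_p1-r1 the supplied systemd unit file defaults to"
+ewarn "'Restart=on-failure', which causes the service to automatically restart if it"
+ewarn "terminates with an unclean exit code or signal. This feature is useful for most users,"
+ewarn "but it can increase the vulnerability of the system in the event of a future exploit."
+ewarn "If you have a web-facing setup or are concerned about security, it is recommended to"
+ewarn "set 'Restart=no' in your sshd unit file."
+fi
+if [[ -n ${show_ssl_warning} ]]; then
+elog "Be aware that by disabling openssl support in openssh, the server and clients"
+elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
+elog "and update all clients/servers that utilize them."
+fi
+openssh_maybe_restart
+}
+openssh_maybe_restart() {
+local ver
+declare -a versions
+read -ra versions <<<"${REPLACING_VERSIONS}"
+for ver in "${versions[@]}"; do
+# Exclude 9.8_p1 because it didn't have the safety check
+[[ ${ver} == 9.8_p1 ]] && break
+if [[ ${ver%_*} == "${PV%_*}" ]]; then
+# No major version change has occurred
+return
+fi
+done
+if [[ ${ROOT} ]]; then
+return
+elif [[ -d /run/systemd/system ]] && sshd -t >/dev/null 2>&1; then
+ewarn "The ebuild will now attempt to restart OpenSSH to avoid"
+ewarn "bricking the running instance. See bug #709748."
+ebegin "Attempting to restart openssh via 'systemctl try-restart sshd'"
+systemctl try-restart sshd
+eend $?
+elif [[ -d /run/openrc ]]; then
+# We don't check for sshd -t here because the OpenRC init script
+# has a stop_pre() which does checkconfig, i.e. we defer to it
+# to give nicer output for a failed sanity check.
+ewarn "The ebuild will now attempt to restart OpenSSH to avoid"
+ewarn "bricking the running instance. See bug #709748."
+ebegin "Attempting to restart openssh via 'rc-service -q --ifstarted --nodeps sshd restart'"
+rc-service -q --ifstarted --nodeps sshd restart
+eend $?
+fi
+}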


@ -0,0 +1,432 @@
# Copyright 1999-2025 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
# Remember to check the upstream release/stable branches for patches
# to backport! See https://marc.info/?l=openssh-unix-dev&m=172723798122122&w=2.
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssh.org.asc
inherit user-info flag-o-matic autotools optfeature pam systemd toolchain-funcs verify-sig eapi9-ver
# Make it more portable between straight releases
# and _p? releases.
PARCH=${P/_}
DESCRIPTION="Port of OpenBSD's free SSH release"
HOMEPAGE="https://www.openssh.com/"
SRC_URI="
mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )
"
S="${WORKDIR}/${PARCH}"
LICENSE="BSD GPL-2"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
# Probably want to drop ssl defaulting to on in a future version.
IUSE="abi_mips_n32 audit debug kerberos ldns libedit livecd pam security-key selinux +ssl static test"
RESTRICT="!test? ( test )"
REQUIRED_USE="
ldns? ( ssl )
static? ( !kerberos !pam )
test? ( ssl )
"
LIB_DEPEND="
audit? ( sys-process/audit[static-libs(+)] )
ldns? (
net-libs/ldns[static-libs(+)]
net-libs/ldns[ecdsa(+),ssl(+)]
)
libedit? ( dev-libs/libedit:=[static-libs(+)] )
security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
virtual/libcrypt:=[static-libs(+)]
>=sys-libs/zlib-1.2.3:=[static-libs(+)]
"
RDEPEND="
acct-group/sshd
acct-user/sshd
!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
pam? ( sys-libs/pam )
kerberos? ( virtual/krb5 )
"
DEPEND="
${RDEPEND}
virtual/os-headers
kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
static? ( ${LIB_DEPEND} )
"
RDEPEND="
${RDEPEND}
!net-misc/openssh-contrib
pam? ( >=sys-auth/pambase-20081028 )
!prefix? ( sys-apps/shadow )
"
BDEPEND="
dev-build/autoconf
virtual/pkgconfig
verify-sig? ( sec-keys/openpgp-keys-openssh )
"
PATCHES=(
"${FILESDIR}/${PN}-9.4_p1-Allow-MAP_NORESERVE-in-sandbox-seccomp-filter-maps.patch"
"${FILESDIR}/${PN}-9.7_p1-config-tweaks.patch"
# Backports from upstream release branch
#"${FILESDIR}/${PV}"
# Our own backports
)
pkg_pretend() {
local i enabled_eol_flags disabled_eol_flags
for i in hpn sctp X509; do
if has_version "net-misc/openssh[${i}]"; then
enabled_eol_flags+="${i},"
disabled_eol_flags+="-${i},"
fi
done
if [[ -n ${enabled_eol_flags} && ${OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING} != yes ]]; then
# Skip for binary packages entirely because of environment saving, bug #907892
[[ ${MERGE_TYPE} == binary ]] && return
ewarn "net-misc/openssh does not support USE='${enabled_eol_flags%,}' anymore."
ewarn "The Base system team *STRONGLY* recommends you not rely on this functionality,"
ewarn "since these USE flags required third-party patches that often trigger bugs"
ewarn "and are of questionable provenance."
ewarn
ewarn "If you must continue relying on this functionality, switch to"
ewarn "net-misc/openssh-contrib. You will have to remove net-misc/openssh from your"
ewarn "world file first: 'emerge --deselect net-misc/openssh'"
ewarn
ewarn "In order to prevent loss of SSH remote login access, we will abort the build."
ewarn "Whether you proceed with disabling the USE flags or switch to the -contrib"
ewarn "variant, when re-emerging you will have to set"
ewarn
ewarn " OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes"
die "Building net-misc/openssh[${disabled_eol_flags%,}] without OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes"
fi
# Make sure people who are using tcp wrappers are notified of its removal. #531156
if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please."
fi
}
src_prepare() {
# don't break .ssh/authorized_keys2 for fun
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
[[ -d ${WORKDIR}/patches ]] && PATCHES+=( "${WORKDIR}"/patches )
default
# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
sed -e '/\t\tpercent \\/ d' \
-i regress/Makefile || die
tc-export PKG_CONFIG
local sed_args=(
-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
# Disable fortify flags ... our gcc does this for us
-e 's:-D_FORTIFY_SOURCE=2::'
)
# _XOPEN_SOURCE causes header conflicts on Solaris
[[ ${CHOST} == *-solaris* ]] && sed_args+=(
-e 's/-D_XOPEN_SOURCE//'
)
sed -i "${sed_args[@]}" configure{.ac,} || die
eautoreconf
}
src_configure() {
addwrite /dev/ptmx
use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
use static && append-ldflags -static
if [[ ${CHOST} == *-solaris* ]] ; then
# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
# doesn't check for this, so force the replacement to be put in
# place
append-cppflags -DBROKEN_GLOB
fi
# use replacement, RPF_ECHO_ON doesn't exist here
[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
local myconf=(
--with-ldflags="${LDFLAGS}"
--disable-strip
--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
--sysconfdir="${EPREFIX}"/etc/ssh
--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
--datadir="${EPREFIX}"/usr/share/openssh
--with-privsep-path="${EPREFIX}"/var/empty
--with-privsep-user=sshd
# optional at runtime; guarantee a known path
--with-xauth="${EPREFIX}"/usr/bin/xauth
# --with-hardening adds the following in addition to flags we
# already set in our toolchain:
# * -ftrapv (which is broken with GCC anyway),
# * -ftrivial-auto-var-init=zero (which is nice, but not the end of
# the world to not have)
# * -fzero-call-used-regs=used (history of miscompilations with
# Clang (bug #872548), ICEs on m68k (bug #920350, gcc PR113086,
# gcc PR104820, gcc PR104817, gcc PR110934)).
#
# Furthermore, OSSH_CHECK_CFLAG_COMPILE did not use AC_CACHE_CHECK
# until 10.1_p1, so we couldn't disable -fzero-call-used-regs=used.
#
# Therefore, just pass --without-hardening, given it doesn't negate
# our already hardened toolchain defaults, and avoids adding flags
# which are known-broken in both Clang and GCC and haven't been
# proven reliable.
--without-hardening
--without-pie
--without-stackprotect
# wtmpdb not yet packaged
--without-wtmpdb
$(use_with audit audit linux)
$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
$(use_with ldns)
$(use_with libedit)
$(use_with pam)
$(use_with selinux)
$(use_with security-key security-key-builtin)
$(use_with ssl openssl)
$(use_with ssl ssl-engine)
)
if use elibc_musl; then
# musl defines bogus values for UTMP_FILE and WTMP_FILE (bug #753230)
myconf+=( --disable-utmp --disable-wtmp )
fi
econf "${myconf[@]}"
}
create_config_dropins() {
local locale_vars=(
# These are language variables that POSIX defines.
# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
# These are the GNU extensions.
# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
)
mkdir -p "${WORKDIR}"/etc/ssh/ssh{,d}_config.d || die
cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die
# Send locale environment variables (bug #367017)
SendEnv ${locale_vars[*]}
# Send COLORTERM to match TERM (bug #658540)
SendEnv COLORTERM
EOF
cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo-security.conf || die
RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts"
EOF
cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_revoked_hosts || die
# https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
EOF
cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die
# Allow client to pass locale environment variables (bug #367017)
AcceptEnv ${locale_vars[*]}
# Allow client to pass COLORTERM to match TERM (bug #658540)
AcceptEnv COLORTERM
EOF
cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-subsystem.conf || die
# override default of no subsystems
Subsystem sftp ${EPREFIX}/usr/$(get_libdir)/misc/sftp-server
EOF
if use pam ; then
cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-pam.conf || die
UsePAM yes
# This interferes with PAM.
PasswordAuthentication no
# PAM can do its own handling of MOTD.
PrintMotd no
PrintLastLog no
EOF
fi
if use livecd ; then
cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-livecd.conf || die
# Allow root login with password on livecds.
PermitRootLogin Yes
EOF
fi
}
src_compile() {
default
create_config_dropins
}
src_test() {
local tests=( compat-tests )
local shell=$(egetshell "${UID}")
if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
ewarn "user, so we will run a subset only."
tests+=( interop-tests file-tests unit )
else
tests+=( tests )
fi
local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1
mkdir -p "${HOME}"/.ssh || die
emake -j1 "${tests[@]}" </dev/null
}
src_install() {
emake install-nokeys DESTDIR="${D}"
fperms 600 /etc/ssh/sshd_config
dobin contrib/ssh-copy-id
newinitd "${FILESDIR}"/sshd-r1.initd sshd
newconfd "${FILESDIR}"/sshd-r1.confd sshd
exeinto /etc/user/init.d
newexe "${FILESDIR}"/ssh-agent.initd ssh-agent
if use pam; then
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
fi
doman contrib/ssh-copy-id.1
dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
rmdir "${ED}"/var/empty || die
systemd_dounit "${FILESDIR}"/sshd.socket
systemd_newunit "${FILESDIR}"/sshd.service.2 sshd.service
systemd_newunit "${FILESDIR}"/sshd_at.service.1 'sshd@.service'
# Install dropins with explicit mode, bug 906638, 915840
diropts -m0755
insopts -m0644
insinto /etc/ssh
doins -r "${WORKDIR}"/etc/ssh/ssh_config.d
doins "${WORKDIR}"/etc/ssh/ssh_revoked_hosts
diropts -m0700
insopts -m0600
doins -r "${WORKDIR}"/etc/ssh/sshd_config.d
}
pkg_preinst() {
if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
show_ssl_warning=1
fi
}
pkg_postinst() {
# bug #139235
optfeature "x11 forwarding" x11-apps/xauth
if ver_replacing -lt "5.8_p1"; then
elog "Starting with openssh-5.8p1, the server will default to a newer key"
elog "algorithm (ECDSA). You are encouraged to manually update your stored"
elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
fi
if ver_replacing -lt "7.0_p1"; then
elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
elog "Make sure to update any configs that you might have. Note that xinetd might"
elog "be an alternative for you as it supports USE=tcpd."
fi
if ver_replacing -lt "7.1_p1"; then #557388 #555518
elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
elog "adding to your sshd_config or ~/.ssh/config files:"
elog " PubkeyAcceptedKeyTypes=+ssh-dss"
elog "You should however generate new keys using rsa or ed25519."
elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
elog "to 'prohibit-password'. That means password auth for root users no longer works"
elog "out of the box. If you need this, please update your sshd_config explicitly."
fi
if ver_replacing -lt "7.6_p1"; then
elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
elog "Furthermore, rsa keys with less than 1024 bits will be refused."
fi
if ver_replacing -lt "7.7_p1"; then
elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
elog "if you need to authenticate against LDAP."
elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
fi
if ver_replacing -lt "8.2_p1"; then
ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
ewarn "connection is generally safe."
fi
if ver_replacing -lt "9.2_p1-r1" && systemd_is_booted; then
ewarn "From openssh-9.2_p1-r1 the supplied systemd unit file defaults to"
ewarn "'Restart=on-failure', which causes the service to automatically restart if it"
ewarn "terminates with an unclean exit code or signal. This feature is useful for most users,"
ewarn "but it can increase the vulnerability of the system in the event of a future exploit."
ewarn "If you have a web-facing setup or are concerned about security, it is recommended to"
ewarn "set 'Restart=no' in your sshd unit file."
fi
if [[ -n ${show_ssl_warning} ]]; then
elog "Be aware that by disabling openssl support in openssh, the server and clients"
elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
elog "and update all clients/servers that utilize them."
fi
openssh_maybe_restart
}
openssh_maybe_restart() {
local ver
declare -a versions
read -ra versions <<<"${REPLACING_VERSIONS}"
for ver in "${versions[@]}"; do
# Exclude 9.8_p1 because it didn't have the safety check
[[ ${ver} == 9.8_p1 ]] && break
if [[ ${ver%_*} == "${PV%_*}" ]]; then
# No major version change has occurred
return
fi
done
if [[ ${ROOT} ]]; then
return
elif [[ -d /run/systemd/system ]] && sshd -t >/dev/null 2>&1; then
ewarn "The ebuild will now attempt to restart OpenSSH to avoid"
ewarn "bricking the running instance. See bug #709748."
ebegin "Attempting to restart openssh via 'systemctl try-restart sshd'"
systemctl try-restart sshd
eend $?
elif [[ -d /run/openrc ]]; then
# We don't check for sshd -t here because the OpenRC init script
# has a stop_pre() which does checkconfig, i.e. we defer to it
# to give nicer output for a failed sanity check.
ewarn "The ebuild will now attempt to restart OpenSSH to avoid"
ewarn "bricking the running instance. See bug #709748."
ebegin "Attempting to restart openssh via 'rc-service -q --ifstarted --nodeps sshd restart'"
rc-service -q --ifstarted --nodeps sshd restart
eend $?
fi
}
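Review bot: In openssh_maybe_restart, the `sshd -t` sanity check is folded into the systemd `elif` condition, so on a systemd host whose configuration the newly installed sshd rejects, the function falls through to the OpenRC branch, matches nothing and exits silently — the old instance keeps running on a binary that no longer exists on disk (the bug #709748 situation) and the operator gets no hint that the restart was skipped or why. The failed check is exactly what an admin needs to know before the next reboot or manual restart, so it should be reported rather than swallowed. Splitting the condition and adding an `ewarn` in the failure path keeps the restart behaviour unchanged while surfacing the result; the OpenRC branch is untouched because, as its comment notes, it defers the config check to the init script. The whole function is inside the hunk.
```shell
	if [[ ${ROOT} ]]; then
		return
	elif [[ -d /run/systemd/system ]]; then
		if sshd -t >/dev/null 2>&1; then
			# … unchanged: ewarn / ebegin / systemctl try-restart sshd / eend …
		else
			ewarn "'sshd -t' rejected the installed configuration, so the running"
			ewarn "OpenSSH instance was NOT restarted. Fix the configuration and"
			ewarn "restart sshd manually before the next reboot. See bug #709748."
		fi
	# … unchanged: OpenRC branch …
```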


@ -79,8 +79,9 @@ PATCHES=(
"${FILESDIR}/${PN}-9.4_p1-Allow-MAP_NORESERVE-in-sandbox-seccomp-filter-maps.patch"
"${FILESDIR}/${PN}-9.6_p1-fix-xmss-c99.patch"
"${FILESDIR}/${PN}-9.7_p1-config-tweaks.patch"
"${FILESDIR}/${PN}-9.8_p1-musl-connect.patch"
"${FILESDIR}/${PN}-9.8_p1-inetd.patch"
# Backports from upstream release branch
"${FILESDIR}/${PV}"
)
pkg_pretend() {


@ -83,7 +83,7 @@ PATCHES=(
"${FILESDIR}/${PN}-9.6_p1-fix-xmss-c99.patch"
"${FILESDIR}/${PN}-9.7_p1-config-tweaks.patch"
# Backports from upstream release branch
#"${FILESDIR}/${PV}"
"${FILESDIR}/${PV}"
# Our own backports
"${FILESDIR}/${PN}-9.9_p1-x-forwarding-slow.patch"
)