diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/Manifest b/sdk_container/src/third_party/portage-stable/net-misc/openssh/Manifest
index 84b8056e36..0445960d52 100644
--- a/sdk_container/src/third_party/portage-stable/net-misc/openssh/Manifest
+++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/Manifest
@@ -1,5 +1,9 @@
 DIST openssh-10.0p1.tar.gz 1972675 BLAKE2B 4ce353adf75aade8f4b2a223ad13e2f92cd23d1e60b4ee52bad0eaf036571229438cd9760dfa99c0e10fa09a8ac47b2bfb04eb183fb7b9287ac564ec75316a75 SHA512 2daa1fcf95793b23810142077e68ddfabdf3732b207ef4f033a027f72d733d0e9bcdb6f757e7f3a5934b972de05bfaae3baae381cfc7a400cd8ab4d4e277a0ed
 DIST openssh-10.0p1.tar.gz.asc 833 BLAKE2B 105fd1238c9923719fb7fcbafa55806e2e5053095422b95193438d4c536d1f3bae04a1fc674fe1fee8bc14abaa5ea41c4d25134f4fe677cdf1d761c009246f0c SHA512 6ab9deb4233ff159e55a18c9fc07d5ff8a41723dad74aa3d803e1476b585f5662aba34f8a7a1f5fe1d248f3ff3cd663f2c2fb8e399c6a4723b6215b0eb423d13
+DIST openssh-10.1p1.tar.gz 1972831 BLAKE2B 08864c9302935cde87eec9d736a90b0bcf23220349bf77cc177459715c567b6178722e9e5d8eea3d55eddb49fef09c187e0895e72236aede397e67674e10cd31 SHA512 9b88ac5b84461a0d4f6022b4dee294964487ea36d5ba5cb9c35d2edcba49a687c609ea30f272ebf924270a025cf2cd82677d0917e5d37334534cd5bee93452d9
+DIST openssh-10.1p1.tar.gz.asc 833 BLAKE2B c9df62728276464926ac7d28d54dd23a42bef150a9f64bfec14278d0e1817a876ee76b3329aca863997107bb8d4d43a694643f730249d9940d967b4c2a18fed3 SHA512 a4082bf8526d60094b5a3207995793c44448833b1cdd7ec91f04554fd8bddc1df3b45ee9ffe42de3bfc72d4968808834e289159e3c96f031e09a78da844641ae
+DIST openssh-10.2p1.tar.gz 1974519 BLAKE2B 8c031b10b1642e21b46f7d1db84ba42692e378a54af3d8e5b5c8706c3a0a06d442a02ed8803063121e7ff325ea275cad4432b9eaa6a7f47a4d7cfad504953ab6 SHA512 66f3dd646179e71aaf41c33b6f14a207dc873d71d24f11c130a89dee317ee45398b818e5b94887b5913240964a38630d7bca3e481e0f1eff2e41d9e1cfdbdfc5
+DIST openssh-10.2p1.tar.gz.asc 833 BLAKE2B 34e1a697e9565f5d4e8139537e76e123512285662576f6f2b513ba129d5e42310c1997e70d7c69b2c4fe1c85f9323ef686b8f83f12a73c5a4f229ff855efd7c6 SHA512 f1f71700b1b0b2117aed505488b98b7ebb51ce26e53184b08df0b07aa2c5a1e54dc4d3cbcbe871b5ad849a2a0e22b02af318ff22a68c980ab53b04be03c9bf3c
 DIST openssh-9.8p1.tar.gz 1910393 BLAKE2B 
3bf983c4ef5358054ed0104cd51d3e0069fbc2b80d8522d0df644d5508ec1d26a67bf061b1b5698d1cdf0d2cbba16b4cdca12a4ce30da24429094576a075e192 SHA512 95dec2f18e58eb47994f3de4430253e0665e185564b65088ca5f4108870e05feddef8cda8d3c0a4b75f18b98cc2c024df0e27de53b48c1a16da8da483cb8292a
 DIST openssh-9.8p1.tar.gz.asc 833 BLAKE2B 5291e8c03ab9a75acb44285cd7fc010f4a33551f142499624165dac708fc05a6d077df81555aa41037b45f6301e4e5db3161a7a23404473f8a233a877fc55cc3 SHA512 4df1f1be2c6ab7f3aebaedd0a773b0e8c8929abb30cd3415873ad55d012cfa113f792e888e5e772dd468c394aeb7e35d62893a514dbc0ab1a03acd79918657f7
 DIST openssh-9.9p2.tar.gz 1944499 BLAKE2B 1b5bc09482b3a807ccfee52c86c6be3c363acf0c8e774862e0ae64f76bfeb4ce7cf29b3ed2f99c04c89bb4977da0cf50a7a175b15bf1d9925de1e03c66f8306d SHA512 4c6d839aa3189cd5254c745f2bd51cd3f468b02f8e427b8d7a16b9ad017888a41178d2746dc51fb2d3fec5be00e54b9ab7c32c472ca7dec57a1dea4fc9840278
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.0_p2/0001-upstream-fix-out-of-bounds-read.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.0_p2/0001-upstream-fix-out-of-bounds-read.patch
new file mode 100644
index 0000000000..7cbeb90f3b
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.0_p2/0001-upstream-fix-out-of-bounds-read.patch
@@ -0,0 +1,41 @@
+https://github.com/openssh/openssh-portable/commit/4b1f172fe91c253d09d75650981a3e0c87651fa3
+
+From 4b1f172fe91c253d09d75650981a3e0c87651fa3 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org"
+Date: Wed, 30 Apr 2025 05:23:15 +0000
+Subject: [PATCH] upstream: fix a out-of-bounds read if the known_hosts file is
+
+truncated after the hostname.
+
+Reported by the OpenAI Security Research Team
+
+ok deraadt@
+
+OpenBSD-Commit-ID: c0b516d7c80c4779a403826f73bcd8adbbc54ebd
+---
+ hostfile.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/hostfile.c b/hostfile.c
+index c5669c70373..a4a5a9a5e3a 100644
+--- a/hostfile.c
++++ b/hostfile.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: hostfile.c,v 1.95 2023/02/21 06:48:18 dtucker Exp $ */
++/* $OpenBSD: hostfile.c,v 1.96 2025/04/30 05:23:15 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen
+ * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
+@@ -810,6 +810,12 @@ hostkeys_foreach_file(const char *path, FILE *f, hostkeys_foreach_fn *callback,
+ /* Find the end of the host name portion. */
+ for (cp2 = cp; *cp2 && *cp2 != ' ' && *cp2 != '\t'; cp2++)
+ ;
++ if (*cp2 == '\0') {
++ verbose_f("truncated line at %s:%lu", path, linenum);
++ if ((options & HKF_WANT_MATCH) == 0)
++ goto bad;
++ continue;
++ }
+ lineinfo.hosts = cp;
+ *cp2++ = '\0';
+
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.0_p2/0002-upstream-fix-mistracking-of-MaxStartups.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.0_p2/0002-upstream-fix-mistracking-of-MaxStartups.patch
new file mode 100644
index 0000000000..17a9b84281
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.0_p2/0002-upstream-fix-mistracking-of-MaxStartups.patch
@@ -0,0 +1,94 @@ +https://github.com/openssh/openssh-portable/commit/78af391990b210ae0797c37c30719232cda61fef + +From 78af391990b210ae0797c37c30719232cda61fef Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Fri, 4 Jul 2025 09:51:01 +0000 +Subject: [PATCH] upstream: Fix mistracking of MaxStartups process exits in + some + +situations. At worst, this can cause all MaxStartups slots to fill and sshd +to refuse new connections. + +Diagnosis by xnor; ok dtucker@ + +OpenBSD-Commit-ID: 10273033055552557196730f898ed6308b36a78d +--- + sshd.c | 28 ++++++++++++++++------------ + 1 file changed, 16 insertions(+), 12 deletions(-) + +diff --git a/sshd.c b/sshd.c +index 4a93e29e4c0..d721a5de36a 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -289,8 +289,10 @@ child_finish(struct early_child *child) + { + if (children_active == 0) + fatal_f("internal error: children_active underflow"); +- if (child->pipefd != -1) ++ if (child->pipefd != -1) { ++ srclimit_done(child->pipefd); + close(child->pipefd); ++ } + sshbuf_free(child->config); + sshbuf_free(child->keys); + free(child->id); +@@ -311,6 +313,7 @@ child_close(struct early_child *child, int force_final, int quiet) + if (!quiet) + debug_f("enter%s", force_final ? 
" (forcing)" : ""); + if (child->pipefd != -1) { ++ srclimit_done(child->pipefd); + close(child->pipefd); + child->pipefd = -1; + } +@@ -1039,7 +1042,6 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s, + if (ret <= 0) { + if (children[i].early) + listening--; +- srclimit_done(children[i].pipefd); + child_close(&(children[i]), 0, 0); + continue; + } +@@ -1078,23 +1080,19 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s, + } + /* FALLTHROUGH */ + case 0: +- /* child exited preauth */ ++ /* child closed pipe */ + if (children[i].early) + listening--; +- srclimit_done(children[i].pipefd); ++ debug3_f("child %lu for %s closed pipe", ++ (long)children[i].pid, children[i].id); + child_close(&(children[i]), 0, 0); + break; + case 1: + if (children[i].config) { + error_f("startup pipe %d (fd=%d)" +- " early read", i, children[i].pipefd); +- if (children[i].early) +- listening--; +- if (children[i].pid > 0) +- kill(children[i].pid, SIGTERM); +- srclimit_done(children[i].pipefd); +- child_close(&(children[i]), 0, 0); +- break; ++ " early read", ++ i, children[i].pipefd); ++ goto problem_child; + } + if (children[i].early && c == '\0') { + /* child has finished preliminaries */ +@@ -1114,6 +1112,12 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s, + "child %ld for %s in state %d", + (int)c, (long)children[i].pid, + children[i].id, children[i].early); ++ problem_child: ++ if (children[i].early) ++ listening--; ++ if (children[i].pid > 0) ++ kill(children[i].pid, SIGTERM); ++ child_close(&(children[i]), 0, 0); + } + break; + } + diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0001-upstream-don-t-reuse-c-isatty-for-signalling-that-th.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0001-upstream-don-t-reuse-c-isatty-for-signalling-that-th.patch new file mode 100644 index 0000000000..6ba29a219c --- /dev/null 
+++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0001-upstream-don-t-reuse-c-isatty-for-signalling-that-th.patch 
@@ -0,0 +1,76 @@ +From 979cbc2c1e0c9cd2f60d45d8d1da69519ec425cf Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Tue, 7 Oct 2025 08:02:32 +0000 +Subject: [PATCH 1/6] upstream: don't reuse c->isatty for signalling that the + remote channel + +has a tty attached as this causes side effects, e.g. in channel_handle_rfd(). +bz3872 + +ok markus@ + +OpenBSD-Commit-ID: 4cd8a9f641498ca6089442e59bad0fd3dcbe85f8 +--- + channels.c | 9 +++++---- + channels.h | 3 ++- + 2 files changed, 7 insertions(+), 5 deletions(-) + +diff --git a/channels.c b/channels.c +index f1d7bcf34..80014ff34 100644 +--- a/channels.c ++++ b/channels.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: channels.c,v 1.451 2025/09/25 06:33:19 djm Exp $ */ ++/* $OpenBSD: channels.c,v 1.452 2025/10/07 08:02:32 djm Exp $ */ + /* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland +@@ -362,7 +362,7 @@ channel_classify(struct ssh *ssh, Channel *c) + { + struct ssh_channels *sc = ssh->chanctxt; + const char *type = c->xctype == NULL ? c->ctype : c->xctype; +- const char *classifier = c->isatty ? ++ const char *classifier = (c->isatty || c->remote_has_tty) ? + sc->bulk_classifier_tty : sc->bulk_classifier_notty; + + c->bulk = type != NULL && match_pattern_list(type, classifier, 0) == 1; +@@ -566,7 +566,7 @@ channel_new(struct ssh *ssh, char *ctype, int type, int rfd, int wfd, int efd, + void + channel_set_tty(struct ssh *ssh, Channel *c) + { +- c->isatty = 1; ++ c->remote_has_tty = 1; + channel_classify(ssh, c); + } + +@@ -1078,7 +1078,8 @@ channel_format_status(const Channel *c) + c->rfd, c->wfd, c->efd, c->sock, c->ctl_chan, + c->have_ctl_child_id ? "c" : "nc", c->ctl_child_id, + c->io_want, c->io_ready, +- c->isatty ? "T" : "", c->bulk ? "B" : "I"); ++ c->isatty ? "T" : (c->remote_has_tty ? "RT" : ""), ++ c->bulk ? 
"B" : "I"); + return ret; + } + +diff --git a/channels.h b/channels.h +index df7c7f364..7456541f8 100644 +--- a/channels.h ++++ b/channels.h +@@ -1,4 +1,4 @@ +-/* $OpenBSD: channels.h,v 1.161 2025/09/25 06:33:19 djm Exp $ */ ++/* $OpenBSD: channels.h,v 1.162 2025/10/07 08:02:32 djm Exp $ */ + + /* + * Author: Tatu Ylonen +@@ -145,6 +145,7 @@ struct Channel { + int ctl_chan; /* control channel (multiplexed connections) */ + uint32_t ctl_child_id; /* child session for mux controllers */ + int have_ctl_child_id;/* non-zero if ctl_child_id is valid */ ++ int remote_has_tty; /* remote side has a tty */ + int isatty; /* rfd is a tty */ + #ifdef _AIX + int wfd_isatty; /* wfd is a tty */ +-- +2.51.0 + diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0002-Add-clock_gettime-compat-shim.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0002-Add-clock_gettime-compat-shim.patch new file mode 100644 index 0000000000..1c23ababba --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0002-Add-clock_gettime-compat-shim.patch 
@@ -0,0 +1,69 @@ +From 28a2788d609efe363b403432b08511c801d13667 Mon Sep 17 00:00:00 2001 +From: Darren Tucker +Date: Tue, 7 Oct 2025 20:04:40 +1100 +Subject: [PATCH 2/6] Add clock_gettime compat shim. + +This fixes the build on macOS prior to 10.12 Sierra, since it does not +have it. Found and tested by Sevan Janiyan. +--- + openbsd-compat/bsd-misc.c | 24 ++++++++++++++++++++++++ + openbsd-compat/bsd-misc.h | 8 ++++++++ + 2 files changed, 32 insertions(+) + +diff --git a/openbsd-compat/bsd-misc.c b/openbsd-compat/bsd-misc.c +index 983cd3fe6..2c196ec23 100644 +--- a/openbsd-compat/bsd-misc.c ++++ b/openbsd-compat/bsd-misc.c +@@ -494,6 +494,30 @@ localtime_r(const time_t *timep, struct tm *result) + } + #endif + ++#ifndef HAVE_CLOCK_GETTIME ++int ++clock_gettime(clockid_t clockid, struct timespec *ts) ++{ ++ struct timeval tv; ++ ++ if (clockid != CLOCK_REALTIME) { ++ errno = ENOSYS; ++ return -1; ++ } ++ if (ts == NULL) { ++ errno = EFAULT; ++ return -1; ++ } ++ ++ if (gettimeofday(&tv, NULL) == -1) ++ return -1; ++ ++ ts->tv_sec = tv.tv_sec; ++ ts->tv_nsec = (long)tv.tv_usec * 1000; ++ return 0; ++} ++#endif ++ + #ifdef ASAN_OPTIONS + const char *__asan_default_options(void) { + return ASAN_OPTIONS; +diff --git a/openbsd-compat/bsd-misc.h b/openbsd-compat/bsd-misc.h +index 2ad89cd83..8495f471c 100644 +--- a/openbsd-compat/bsd-misc.h ++++ b/openbsd-compat/bsd-misc.h +@@ -202,6 +202,14 @@ int flock(int, int); + struct tm *localtime_r(const time_t *, struct tm *); + #endif + ++#ifndef HAVE_CLOCK_GETTIME ++typedef int clockid_t; ++#ifndef CLOCK_REALTIME ++# define CLOCK_REALTIME 0 ++#endif ++int clock_gettime(clockid_t, struct timespec *); ++#endif ++ + #ifndef HAVE_REALPATH + #define realpath(x, y) (sftp_realpath((x), (y))) + #endif +-- +2.51.0 + 
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0003-Don-t-copy-native-host-keys-for-hostbased-test.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0003-Don-t-copy-native-host-keys-for-hostbased-test.patch new file mode 100644 index 0000000000..e863233a29 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0003-Don-t-copy-native-host-keys-for-hostbased-test.patch @@ -0,0 +1,27 @@ +From aefeee5bedcf117aa9278014eda5f099b5898a10 Mon Sep 17 00:00:00 2001 +From: Darren Tucker +Date: Tue, 7 Oct 2025 20:10:56 +1100 +Subject: [PATCH 3/6] Don't copy native host keys for hostbased test. + +Some github runners (notably macos-14) seem to have host keys where +public and private do not match, so generate our own keys for testing +purposes. +--- + .github/run_test.sh | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/.github/run_test.sh b/.github/run_test.sh +index aac9ce579..33c90ac29 100755 +--- a/.github/run_test.sh ++++ b/.github/run_test.sh +@@ -13,7 +13,6 @@ if [ ! -z "$SUDO" ] && [ ! -z "$TEST_SSH_HOSTBASED_AUTH" ]; then + hostname | $SUDO tee $sshconf/shosts.equiv >/dev/null + echo "EnableSSHKeysign yes" | $SUDO tee $sshconf/ssh_config >/dev/null + $SUDO mkdir -p $sshconf +- $SUDO cp -p /etc/ssh/ssh_host*key* $sshconf + $SUDO make install + for key in $sshconf/ssh_host*key*.pub; do + echo `hostname` `cat $key` | \ +-- +2.51.0 + diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0004-Only-set-PAM_RHOST-if-the-remote-host-is-not-UNKNOWN.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0004-Only-set-PAM_RHOST-if-the-remote-host-is-not-UNKNOWN.patch new file mode 100644 index 0000000000..001280ab9c --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0004-Only-set-PAM_RHOST-if-the-remote-host-is-not-UNKNOWN.patch 
@@ -0,0 +1,32 @@
+From acb690b499e0ec2ce37869c26133615762f53cab Mon Sep 17 00:00:00 2001
+From: Daan De Meyer
+Date: Mon, 20 Mar 2023 20:22:14 +0100
+Subject: [PATCH 4/6] Only set PAM_RHOST if the remote host is not "UNKNOWN"
+
+When using sshd's -i option with stdio that is not a AF_INET/AF_INET6
+socket, auth_get_canonical_hostname() returns "UNKNOWN" which is then
+set as the value of PAM_RHOST, causing pam to try to do a reverse DNS
+query of "UNKNOWN", which times out multiple times, causing a
+substantial slowdown when logging in.
+
+To fix this, let's only set PAM_RHOST if the hostname is not "UNKNOWN".
+---
+ auth-pam.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/auth-pam.c b/auth-pam.c
+index 5dee7601b..5591f094e 100644
+--- a/auth-pam.c
++++ b/auth-pam.c
+@@ -758,7 +758,7 @@ sshpam_init(struct ssh *ssh, Authctxt *authctxt)
+ sshpam_laddr = get_local_ipaddr(
+ ssh_packet_get_connection_in(ssh));
+ }
+- if (sshpam_rhost != NULL) {
++ if (sshpam_rhost != NULL && strcmp(sshpam_rhost, "UNKNOWN") != 0) {
+ debug("PAM: setting PAM_RHOST to \"%s\"", sshpam_rhost);
+ sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST,
+ sshpam_rhost);
+--
+2.51.0
+
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0005-Add-fcntl.h-to-includes.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0005-Add-fcntl.h-to-includes.patch
new file mode 100644
index 0000000000..0874978ee8
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0005-Add-fcntl.h-to-includes.patch
@@ -0,0 +1,29 @@
+From 9f0dd9505db695aab1148a977e2668666ad4d177 Mon Sep 17 00:00:00 2001
+From: Darren Tucker
+Date: Tue, 7 Oct 2025 20:25:07 +1100
+Subject: [PATCH 5/6] Add fcntl.h to includes.
+
+From FreeBSD via bz#3874: "This was previously included due to nested
+includes in Heimdal's headers. Without this, the build fails with an
+error due to redefining AT_FDCWD."
+---
+ includes.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/includes.h b/includes.h
+index 8f933568d..96cddbc26 100644
+--- a/includes.h
++++ b/includes.h
+@@ -34,6 +34,9 @@
+ #ifdef HAVE_ENDIAN_H
+ # include
+ #endif
++#ifdef HAVE_FCNTL_H
++# include
++#endif
+ #ifdef HAVE_TTYENT_H
+ # include
+ #endif
+--
+2.51.0
+
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0006-Use-calloc-for-sshkeys-if-mmap-is-not-supported.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0006-Use-calloc-for-sshkeys-if-mmap-is-not-supported.patch
new file mode 100644
index 0000000000..4a952738d5
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/10.1_p1/0006-Use-calloc-for-sshkeys-if-mmap-is-not-supported.patch
@@ -0,0 +1,68 @@
+From fabf4cd14108a60d9486f38ae58694d615592bc9 Mon Sep 17 00:00:00 2001
+From: Darren Tucker
+Date: Tue, 7 Oct 2025 21:07:05 +1100
+Subject: [PATCH 6/6] Use calloc for sshkeys if mmap is not supported.
+
+Based on Github PR#597 from Mike Frysinger, any bugs added by me.
+---
+ configure.ac | 2 ++
+ sshkey.c | 8 ++++++++
+ 2 files changed, 10 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index 3eb6d4697..98f2e3e1c 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -536,6 +536,7 @@ AC_CHECK_HEADERS([ \
+ nlist.h \
+ poll.h \
+ stdint.h \
++ sys/mmap.h \
+ sys/stat.h \
+ sys/time.h \
+ sys/un.h \
+@@ -2103,6 +2104,7 @@ AC_CHECK_FUNCS([ \
+ memmove \
+ memset_s \
+ mkdtemp \
++ mmap \
+ ngetaddrinfo \
+ nlist \
+ nsleep \
+diff --git a/sshkey.c b/sshkey.c
+index e17e929e0..206b72921 100644
+--- a/sshkey.c
++++ b/sshkey.c
+@@ -723,6 +723,7 @@ sshkey_sk_cleanup(struct sshkey *k)
+ static int
+ sshkey_prekey_alloc(u_char **prekeyp, size_t len)
+ {
++#if defined(HAVE_MMAP) && defined(MAP_ANON) && defined(MAP_PRIVATE)
+ u_char *prekey;
+
+ *prekeyp = NULL;
+@@ -734,14 +735,21 @@ sshkey_prekey_alloc(u_char **prekeyp, size_t len)
+ #endif
+ *prekeyp = prekey;
+ return 0;
++#else
++ *prekeyp = calloc(1, len);
++#endif /* HAVE_MMAP et al */
+ }
+
+ static void
+ sshkey_prekey_free(void *prekey, size_t len)
+ {
++#if defined(HAVE_MMAP) && defined(MAP_ANON) && defined(MAP_PRIVATE)
+ if (prekey == NULL)
+ return;
+ munmap(prekey, len);
++#else
++ free(prekey);
++#endif /* HAVE_MMAP et al */
+ }
+
+ static void
+--
+2.51.0
+
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0001-Fix-detection-of-setres-id-on-GNU-Hurd.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0001-Fix-detection-of-setres-id-on-GNU-Hurd.patch
new file mode 100644
index 0000000000..1001988825
--- /dev/null
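Review bot: The `#else` branch that 0006-Use-calloc-for-sshkeys-if-mmap-is-not-supported.patch adds to sshkey_prekey_alloc in sshkey.c assigns `*prekeyp = calloc(1, len);` and then falls off the end of a `static int` function without a `return`, so on a build without mmap the caller receives an indeterminate status and a failed allocation is never reported. The mmap branch visibly ends with `return 0;` and presumably reports allocation failure with a non-zero ssherr code in the lines the inner hunk omits, so the fallback should mirror that contract: `if ((*prekeyp = calloc(1, len)) == NULL) return SSH_ERR_ALLOC_FAIL;` followed by `return 0;`. The fallback is unlikely to be compiled in on the Linux targets this overlay builds for, but the vendored patch ships the defect as-is, so it is worth checking upstream for a follow-up fix and carrying it in the same files/10.1_p1 series.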
+++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0001-Fix-detection-of-setres-id-on-GNU-Hurd.patch @@ -0,0 +1,36 @@ +From 20950a7c047ca08f9317d27866c06587ed51a338 Mon Sep 17 00:00:00 2001 +Message-ID: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org> +From: Samuel Thibault +Date: Tue, 26 Mar 2024 22:15:08 +0100 +Subject: [PATCH 1/7] Fix detection of setres*id on GNU/Hurd + +Like Linux, proper _SOURCE macros need to be set to get declarations of +various standard functions, notably setres*id. Now that Debian is using +-Werror=implicit-function-declaration this is really required. While at +it, define other _SOURCE macros like on GNU/Linux, since GNU/Hurd uses +the same glibc. +--- + configure.ac | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/configure.ac b/configure.ac +index 5a865f8e1..2eede34c3 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1348,6 +1348,13 @@ EOD + AC_DEFINE([BROKEN_SETVBUF], [1], + [LynxOS has broken setvbuf() implementation]) + ;; ++*-*-gnu*) ++ dnl GNU Hurd. Needs to be after the linux and the other *-gnu entries. ++ dnl Target SUSv3/POSIX.1-2001 plus BSD specifics. ++ dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE ++ dnl _GNU_SOURCE is needed for setres*id prototypes. ++ CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE" ++ ;; + esac + + AC_MSG_CHECKING([compiler and flags for sanity]) +-- +2.51.0 + diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0002-Add-9.8-branch-to-ci-status-page.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0002-Add-9.8-branch-to-ci-status-page.patch new file mode 100644 index 0000000000..cc74ec2d30 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0002-Add-9.8-branch-to-ci-status-page.patch 
@@ -0,0 +1,30 @@ +From 34f7a962f992a43e33b5b6e2dd71f1582433d551 Mon Sep 17 00:00:00 2001 +Message-ID: <34f7a962f992a43e33b5b6e2dd71f1582433d551.1758727870.git.sam@gentoo.org> +In-Reply-To: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org> +References: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org> +From: Darren Tucker +Date: Thu, 4 Jul 2024 20:12:26 +1000 +Subject: [PATCH 2/7] Add 9.8 branch to ci-status page. + +--- + .github/ci-status.md | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/.github/ci-status.md b/.github/ci-status.md +index fbf7c5fd6..4fa73894c 100644 +--- a/.github/ci-status.md ++++ b/.github/ci-status.md +@@ -6,6 +6,10 @@ master : + [![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/openssh.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:openssh) + [![Coverity Status](https://scan.coverity.com/projects/21341/badge.svg)](https://scan.coverity.com/projects/openssh-portable) + ++9.8 : ++[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_8)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_8) ++[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_8)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_8) ++ + 9.7 : + [![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_7)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_7) + [![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_7)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_7) +-- +2.51.0 + 
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0003-Cast-to-sockaddr-in-systemd-interface.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0003-Cast-to-sockaddr-in-systemd-interface.patch new file mode 100644 index 0000000000..aa7d593abf --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0003-Cast-to-sockaddr-in-systemd-interface.patch @@ -0,0 +1,29 @@ +From b35a64dd7d5278af859ff8cca1fbe42d2c308ac0 Mon Sep 17 00:00:00 2001 +Message-ID: +In-Reply-To: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org> +References: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org> +From: Darren Tucker +Date: Sun, 7 Jul 2024 18:46:19 +1000 +Subject: [PATCH 3/7] Cast to sockaddr * in systemd interface. + +Fixes build with musl libx. bz#3707. +--- + openbsd-compat/port-linux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c +index 4c024c6d2..8adfec5a7 100644 +--- a/openbsd-compat/port-linux.c ++++ b/openbsd-compat/port-linux.c +@@ -366,7 +366,7 @@ ssh_systemd_notify(const char *fmt, ...) + error_f("socket \"%s\": %s", path, strerror(errno)); + goto out; + } +- if (connect(fd, &addr, sizeof(addr)) != 0) { ++ if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) != 0) { + error_f("socket \"%s\" connect: %s", path, strerror(errno)); + goto out; + } +-- +2.51.0 + diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0004-upstream-correct-keyword-from-Yatao-Su-via-GHPR509.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0004-upstream-correct-keyword-from-Yatao-Su-via-GHPR509.patch new file mode 100644 index 0000000000..7d236829a5 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0004-upstream-correct-keyword-from-Yatao-Su-via-GHPR509.patch 
@@ -0,0 +1,29 @@ +From c21fc9d953f6d858ea0a9d7da38359d2eb397ed0 Mon Sep 17 00:00:00 2001 +Message-ID: +In-Reply-To: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org> +References: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org> +From: "djm@openbsd.org" +Date: Wed, 10 Jul 2024 21:58:34 +0000 +Subject: [PATCH 4/7] upstream: correct keyword; from Yatao Su via GHPR509 + +OpenBSD-Commit-ID: 81c778c76dea7ef407603caa157eb0c381c52ad2 +--- + sshd_config.5 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sshd_config.5 b/sshd_config.5 +index 1ab0f41d9..ce872de52 100644 +--- a/sshd_config.5 ++++ b/sshd_config.5 +@@ -1586,7 +1586,7 @@ accumulated. + .Pp + Penalties are enabled by default with the default settings listed below + but may disabled using the +-.Cm off ++.Cm no + keyword. + The defaults may be overridden by specifying one or more of the keywords below, + separated by whitespace. +-- +2.51.0 + diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0005-support-sntrup761x25519-sha512-alias.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0005-support-sntrup761x25519-sha512-alias.patch new file mode 100644 index 0000000000..d61a90605d --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0005-support-sntrup761x25519-sha512-alias.patch 
@@ -0,0 +1,250 @@ +From 26f73db15e0eee558a11b42a9d794d78c87dd11e Mon Sep 17 00:00:00 2001 +Message-ID: <26f73db15e0eee558a11b42a9d794d78c87dd11e.1758727870.git.sam@gentoo.org> +In-Reply-To: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org> +References: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org> +From: Damien Miller +Date: Mon, 11 Aug 2025 16:40:24 +1000 +Subject: [PATCH 5/7] support sntrup761x25519-sha512 alias + +OpenSSH 9.8 supports the sntrup761x25519-sha512@openssh.com +key agreement algorithm. As part of standardisation, this algorithm +has been assigned the name sntrup761x25519-sha512. + +This commit enables the existing algorithm under this new name. +--- + configure | 3 +++ + kex-names.c | 2 ++ + kex.h | 1 + + moduli.0 | 2 +- + myproposal.h | 1 + + scp.0 | 2 +- + sftp-server.0 | 2 +- + sftp.0 | 2 +- + ssh-add.0 | 2 +- + ssh-agent.0 | 2 +- + ssh-keygen.0 | 2 +- + ssh-keyscan.0 | 2 +- + ssh-keysign.0 | 2 +- + ssh-pkcs11-helper.0 | 2 +- + ssh-sk-helper.0 | 2 +- + ssh.0 | 2 +- + ssh_config.0 | 2 +- + sshd.0 | 2 +- + sshd_config.0 | 6 +++--- + 19 files changed, 24 insertions(+), 17 deletions(-) + +diff --git a/configure b/configure +index 07d19fd30..32e38c4cb 100755 +--- a/configure ++++ b/configure +@@ -13317,6 +13317,9 @@ EOD + printf "%s\n" "#define BROKEN_SETVBUF 1" >>confdefs.h + + ;; ++*-*-gnu*) ++ CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE" ++ ;; + esac + + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking compiler and flags for sanity" >&5 +diff --git a/kex-names.c b/kex-names.c +index 339eb1c23..1869b8ee1 100644 +--- a/kex-names.c ++++ b/kex-names.c +@@ -77,6 +77,8 @@ static const struct kexalg kexalgs[] = { + { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, + { KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, + #ifdef USE_SNTRUP761X25519 ++ { KEX_SNTRUP761X25519_SHA512_IANA, KEX_KEM_SNTRUP761X25519_SHA512, 0, ++ 
SSH_DIGEST_SHA512 }, + { KEX_SNTRUP761X25519_SHA512, KEX_KEM_SNTRUP761X25519_SHA512, 0, + SSH_DIGEST_SHA512 }, + #endif +diff --git a/kex.h b/kex.h +index 34665eb20..ed22b929f 100644 +--- a/kex.h ++++ b/kex.h +@@ -63,6 +63,7 @@ + #define KEX_CURVE25519_SHA256 "curve25519-sha256" + #define KEX_CURVE25519_SHA256_OLD "curve25519-sha256@libssh.org" + #define KEX_SNTRUP761X25519_SHA512 "sntrup761x25519-sha512@openssh.com" ++#define KEX_SNTRUP761X25519_SHA512_IANA "sntrup761x25519-sha512" + + #define COMP_NONE 0 + /* pre-auth compression (COMP_ZLIB) is only supported in the client */ +diff --git a/moduli.0 b/moduli.0 +index 057a018ef..90700a16f 100644 +--- a/moduli.0 ++++ b/moduli.0 +@@ -71,4 +71,4 @@ STANDARDS + M. Friedl, N. Provos, and W. Simpson, Diffie-Hellman Group Exchange for + the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, March 2006. + +-OpenBSD 7.5 April 16, 2022 OpenBSD 7.5 ++OpenBSD 7.7 April 16, 2022 OpenBSD 7.7 +diff --git a/myproposal.h b/myproposal.h +index ee6e9f741..0528cd783 100644 +--- a/myproposal.h ++++ b/myproposal.h +@@ -25,6 +25,7 @@ + */ + + #define KEX_SERVER_KEX \ ++ "sntrup761x25519-sha512," \ + "sntrup761x25519-sha512@openssh.com," \ + "curve25519-sha256," \ + "curve25519-sha256@libssh.org," \ +diff --git a/scp.0 b/scp.0 +index e098ddf55..85d5f83d5 100644 +--- a/scp.0 ++++ b/scp.0 +@@ -229,4 +229,4 @@ CAVEATS + requires careful quoting of any characters that have special meaning to + the remote shell, such as quote characters. + +-OpenBSD 7.5 December 16, 2022 OpenBSD 7.5 ++OpenBSD 7.7 December 16, 2022 OpenBSD 7.7 +diff --git a/sftp-server.0 b/sftp-server.0 +index 23fdda399..273b69908 100644 +--- a/sftp-server.0 ++++ b/sftp-server.0 +@@ -95,4 +95,4 @@ HISTORY + AUTHORS + Markus Friedl + +-OpenBSD 7.5 July 27, 2021 OpenBSD 7.5 ++OpenBSD 7.7 July 27, 2021 OpenBSD 7.7 +diff --git a/sftp.0 b/sftp.0 +index c6a9e60c4..0476733c1 100644 +--- a/sftp.0 ++++ b/sftp.0 +@@ -435,4 +435,4 @@ SEE ALSO + T. Ylonen and S. 
Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh- + filexfer-00.txt, January 2001, work in progress material. + +-OpenBSD 7.5 December 16, 2022 OpenBSD 7.5 ++OpenBSD 7.7 December 16, 2022 OpenBSD 7.7 +diff --git a/ssh-add.0 b/ssh-add.0 +index 30eed6672..20f1a88e2 100644 +--- a/ssh-add.0 ++++ b/ssh-add.0 +@@ -206,4 +206,4 @@ AUTHORS + created OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. + +-OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 ++OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 +diff --git a/ssh-agent.0 b/ssh-agent.0 +index 2e4ef7b6e..238fa54e2 100644 +--- a/ssh-agent.0 ++++ b/ssh-agent.0 +@@ -137,4 +137,4 @@ AUTHORS + created OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. + +-OpenBSD 7.5 August 10, 2023 OpenBSD 7.5 ++OpenBSD 7.7 August 10, 2023 OpenBSD 7.7 +diff --git a/ssh-keygen.0 b/ssh-keygen.0 +index a731a7fa8..13b032f46 100644 +--- a/ssh-keygen.0 ++++ b/ssh-keygen.0 +@@ -904,4 +904,4 @@ AUTHORS + created OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. + +-OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 ++OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 +diff --git a/ssh-keyscan.0 b/ssh-keyscan.0 +index 110399094..cf0962c82 100644 +--- a/ssh-keyscan.0 ++++ b/ssh-keyscan.0 +@@ -120,4 +120,4 @@ AUTHORS + Davison added support for protocol version + 2. 
+ +-OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 ++OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 +diff --git a/ssh-keysign.0 b/ssh-keysign.0 +index 577955d1b..ff3305809 100644 +--- a/ssh-keysign.0 ++++ b/ssh-keysign.0 +@@ -47,4 +47,4 @@ HISTORY + AUTHORS + Markus Friedl + +-OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 ++OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 +diff --git a/ssh-pkcs11-helper.0 b/ssh-pkcs11-helper.0 +index 564587259..4b1cb8d7d 100644 +--- a/ssh-pkcs11-helper.0 ++++ b/ssh-pkcs11-helper.0 +@@ -32,4 +32,4 @@ HISTORY + AUTHORS + Markus Friedl + +-OpenBSD 7.5 April 29, 2022 OpenBSD 7.5 ++OpenBSD 7.7 April 29, 2022 OpenBSD 7.7 +diff --git a/ssh-sk-helper.0 b/ssh-sk-helper.0 +index ea2117abd..4abc5e8a0 100644 +--- a/ssh-sk-helper.0 ++++ b/ssh-sk-helper.0 +@@ -31,4 +31,4 @@ HISTORY + AUTHORS + Damien Miller + +-OpenBSD 7.5 April 29, 2022 OpenBSD 7.5 ++OpenBSD 7.7 April 29, 2022 OpenBSD 7.7 +diff --git a/ssh.0 b/ssh.0 +index 78863b1b0..9c34e3e6e 100644 +--- a/ssh.0 ++++ b/ssh.0 +@@ -1016,4 +1016,4 @@ AUTHORS + created OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. + +-OpenBSD 7.5 June 27, 2024 OpenBSD 7.5 ++OpenBSD 7.7 June 27, 2024 OpenBSD 7.7 +diff --git a/ssh_config.0 b/ssh_config.0 +index ef6c0936a..f9a82781b 100644 +--- a/ssh_config.0 ++++ b/ssh_config.0 +@@ -1428,4 +1428,4 @@ AUTHORS + created OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. + +-OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 ++OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 +diff --git a/sshd.0 b/sshd.0 +index c7de2d311..eac127dcf 100644 +--- a/sshd.0 ++++ b/sshd.0 +@@ -682,4 +682,4 @@ AUTHORS + versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support + for privilege separation. + +-OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 ++OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 +diff --git a/sshd_config.0 b/sshd_config.0 +index 6883dda4b..ca030fcca 100644 +--- a/sshd_config.0 ++++ b/sshd_config.0 +@@ -950,8 +950,8 @@ DESCRIPTION + accumulated. 
+ + Penalties are enabled by default with the default settings listed +- below but may disabled using the off keyword. The defaults may +- be overridden by specifying one or more of the keywords below, ++ below but may disabled using the no keyword. The defaults may be ++ overridden by specifying one or more of the keywords below, + separated by whitespace. All keywords accept arguments, e.g. + "crash:2m". + +@@ -1390,4 +1390,4 @@ AUTHORS + versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support + for privilege separation. + +-OpenBSD 7.5 June 24, 2024 OpenBSD 7.5 ++OpenBSD 7.7 June 24, 2024 OpenBSD 7.7 +-- +2.51.0 + diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0006-back-out-unrelated-manpages-changes.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0006-back-out-unrelated-manpages-changes.patch new file mode 100644 index 0000000000..f5ca5ebacf --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0006-back-out-unrelated-manpages-changes.patch 
@@ -0,0 +1,206 @@
+From d1460a177431d034248b62b36240f634482e48de Mon Sep 17 00:00:00 2001
+Message-ID:
+In-Reply-To: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
+References: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
+From: Damien Miller
+Date: Wed, 13 Aug 2025 09:19:53 +1000
+Subject: [PATCH 6/7] back out unrelated manpages changes
+
+spotted by Colin Wilson
+---
+ configure | 3 ---
+ moduli.0 | 2 +-
+ scp.0 | 2 +-
+ sftp-server.0 | 2 +-
+ sftp.0 | 2 +-
+ ssh-add.0 | 2 +-
+ ssh-agent.0 | 2 +-
+ ssh-keygen.0 | 2 +-
+ ssh-keyscan.0 | 2 +-
+ ssh-keysign.0 | 2 +-
+ ssh-pkcs11-helper.0 | 2 +-
+ ssh-sk-helper.0 | 2 +-
+ ssh.0 | 2 +-
+ ssh_config.0 | 2 +-
+ sshd.0 | 2 +-
+ sshd_config.0 | 6 +++---
+ 16 files changed, 17 insertions(+), 20 deletions(-)
+
+diff --git a/configure b/configure
+index 32e38c4cb..07d19fd30 100755
+--- a/configure
++++ b/configure
+@@ -13317,9 +13317,6 @@ EOD
+ printf "%s\n" "#define BROKEN_SETVBUF 1" >>confdefs.h
+
+ ;;
+-*-*-gnu*)
+- CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE"
+- ;;
+ esac
+
+ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking compiler and flags for sanity" >&5
+diff --git a/moduli.0 b/moduli.0
+index 90700a16f..057a018ef 100644
+--- a/moduli.0
++++ b/moduli.0
+@@ -71,4 +71,4 @@ STANDARDS
+ M. Friedl, N. Provos, and W. Simpson, Diffie-Hellman Group Exchange for
+ the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, March 2006.
+
+-OpenBSD 7.7 April 16, 2022 OpenBSD 7.7
++OpenBSD 7.5 April 16, 2022 OpenBSD 7.5
+diff --git a/scp.0 b/scp.0
+index 85d5f83d5..e098ddf55 100644
+--- a/scp.0
++++ b/scp.0
+@@ -229,4 +229,4 @@ CAVEATS
+ requires careful quoting of any characters that have special meaning to
+ the remote shell, such as quote characters.
+
+-OpenBSD 7.7 December 16, 2022 OpenBSD 7.7
++OpenBSD 7.5 December 16, 2022 OpenBSD 7.5
+diff --git a/sftp-server.0 b/sftp-server.0
+index 273b69908..23fdda399 100644
+--- a/sftp-server.0
++++ b/sftp-server.0
+@@ -95,4 +95,4 @@ HISTORY
+ AUTHORS
+ Markus Friedl
+
+-OpenBSD 7.7 July 27, 2021 OpenBSD 7.7
++OpenBSD 7.5 July 27, 2021 OpenBSD 7.5
+diff --git a/sftp.0 b/sftp.0
+index 0476733c1..c6a9e60c4 100644
+--- a/sftp.0
++++ b/sftp.0
+@@ -435,4 +435,4 @@ SEE ALSO
+ T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh-
+ filexfer-00.txt, January 2001, work in progress material.
+
+-OpenBSD 7.7 December 16, 2022 OpenBSD 7.7
++OpenBSD 7.5 December 16, 2022 OpenBSD 7.5
+diff --git a/ssh-add.0 b/ssh-add.0
+index 20f1a88e2..30eed6672 100644
+--- a/ssh-add.0
++++ b/ssh-add.0
+@@ -206,4 +206,4 @@ AUTHORS
+ created OpenSSH. Markus Friedl contributed the support for SSH protocol
+ versions 1.5 and 2.0.
+
+-OpenBSD 7.7 June 17, 2024 OpenBSD 7.7
++OpenBSD 7.5 June 17, 2024 OpenBSD 7.5
+diff --git a/ssh-agent.0 b/ssh-agent.0
+index 238fa54e2..2e4ef7b6e 100644
+--- a/ssh-agent.0
++++ b/ssh-agent.0
+@@ -137,4 +137,4 @@ AUTHORS
+ created OpenSSH. Markus Friedl contributed the support for SSH protocol
+ versions 1.5 and 2.0.
+
+-OpenBSD 7.7 August 10, 2023 OpenBSD 7.7
++OpenBSD 7.5 August 10, 2023 OpenBSD 7.5
+diff --git a/ssh-keygen.0 b/ssh-keygen.0
+index 13b032f46..a731a7fa8 100644
+--- a/ssh-keygen.0
++++ b/ssh-keygen.0
+@@ -904,4 +904,4 @@ AUTHORS
+ created OpenSSH. Markus Friedl contributed the support for SSH protocol
+ versions 1.5 and 2.0.
+
+-OpenBSD 7.7 June 17, 2024 OpenBSD 7.7
++OpenBSD 7.5 June 17, 2024 OpenBSD 7.5
+diff --git a/ssh-keyscan.0 b/ssh-keyscan.0
+index cf0962c82..110399094 100644
+--- a/ssh-keyscan.0
++++ b/ssh-keyscan.0
+@@ -120,4 +120,4 @@ AUTHORS
+ Davison added support for protocol version
+ 2.
+
+-OpenBSD 7.7 June 17, 2024 OpenBSD 7.7
++OpenBSD 7.5 June 17, 2024 OpenBSD 7.5
+diff --git a/ssh-keysign.0 b/ssh-keysign.0
+index ff3305809..577955d1b 100644
+--- a/ssh-keysign.0
++++ b/ssh-keysign.0
+@@ -47,4 +47,4 @@ HISTORY
+ AUTHORS
+ Markus Friedl
+
+-OpenBSD 7.7 June 17, 2024 OpenBSD 7.7
++OpenBSD 7.5 June 17, 2024 OpenBSD 7.5
+diff --git a/ssh-pkcs11-helper.0 b/ssh-pkcs11-helper.0
+index 4b1cb8d7d..564587259 100644
+--- a/ssh-pkcs11-helper.0
++++ b/ssh-pkcs11-helper.0
+@@ -32,4 +32,4 @@ HISTORY
+ AUTHORS
+ Markus Friedl
+
+-OpenBSD 7.7 April 29, 2022 OpenBSD 7.7
++OpenBSD 7.5 April 29, 2022 OpenBSD 7.5
+diff --git a/ssh-sk-helper.0 b/ssh-sk-helper.0
+index 4abc5e8a0..ea2117abd 100644
+--- a/ssh-sk-helper.0
++++ b/ssh-sk-helper.0
+@@ -31,4 +31,4 @@ HISTORY
+ AUTHORS
+ Damien Miller
+
+-OpenBSD 7.7 April 29, 2022 OpenBSD 7.7
++OpenBSD 7.5 April 29, 2022 OpenBSD 7.5
+diff --git a/ssh.0 b/ssh.0
+index 9c34e3e6e..78863b1b0 100644
+--- a/ssh.0
++++ b/ssh.0
+@@ -1016,4 +1016,4 @@ AUTHORS
+ created OpenSSH. Markus Friedl contributed the support for SSH protocol
+ versions 1.5 and 2.0.
+
+-OpenBSD 7.7 June 27, 2024 OpenBSD 7.7
++OpenBSD 7.5 June 27, 2024 OpenBSD 7.5
+diff --git a/ssh_config.0 b/ssh_config.0
+index f9a82781b..ef6c0936a 100644
+--- a/ssh_config.0
++++ b/ssh_config.0
+@@ -1428,4 +1428,4 @@ AUTHORS
+ created OpenSSH. Markus Friedl contributed the support for SSH protocol
+ versions 1.5 and 2.0.
+
+-OpenBSD 7.7 June 17, 2024 OpenBSD 7.7
++OpenBSD 7.5 June 17, 2024 OpenBSD 7.5
+diff --git a/sshd.0 b/sshd.0
+index eac127dcf..c7de2d311 100644
+--- a/sshd.0
++++ b/sshd.0
+@@ -682,4 +682,4 @@ AUTHORS
+ versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
+ for privilege separation.
+
+-OpenBSD 7.7 June 17, 2024 OpenBSD 7.7
++OpenBSD 7.5 June 17, 2024 OpenBSD 7.5
+diff --git a/sshd_config.0 b/sshd_config.0
+index ca030fcca..6883dda4b 100644
+--- a/sshd_config.0
++++ b/sshd_config.0
+@@ -950,8 +950,8 @@ DESCRIPTION
+ accumulated.
+
+ Penalties are enabled by default with the default settings listed
+- below but may disabled using the no keyword. The defaults may be
+- overridden by specifying one or more of the keywords below,
++ below but may disabled using the off keyword. The defaults may
++ be overridden by specifying one or more of the keywords below,
+ separated by whitespace. All keywords accept arguments, e.g.
+ "crash:2m".
+
+@@ -1390,4 +1390,4 @@ AUTHORS
+ versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
+ for privilege separation.
+
+-OpenBSD 7.7 June 24, 2024 OpenBSD 7.7
++OpenBSD 7.5 June 24, 2024 OpenBSD 7.5
+--
+2.51.0
+
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0007-mention-sntrup761x25519-sha512-in-manpages.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0007-mention-sntrup761x25519-sha512-in-manpages.patch
new file mode 100644
index 0000000000..d9a7a0143d
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.8_p1/0007-mention-sntrup761x25519-sha512-in-manpages.patch
@@ -0,0 +1,48 @@
+From a38b48e77ccfe9528dd4a8516c114950fa7a111d Mon Sep 17 00:00:00 2001
+Message-ID:
+In-Reply-To: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
+References: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
+From: Damien Miller
+Date: Wed, 13 Aug 2025 09:16:34 +1000
+Subject: [PATCH 7/7] mention sntrup761x25519-sha512 in manpages
+
+Spotted by Colin Watson
+---
+ ssh_config.5 | 1 +
+ sshd_config.5 | 3 +++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/ssh_config.5 b/ssh_config.5
+index 2e1902283..9473f4692 100644
+--- a/ssh_config.5
++++ b/ssh_config.5
+@@ -1281,6 +1281,7 @@ default set.
+ .Pp
+ The default is:
+ .Bd -literal -offset indent
++sntrup761x25519-sha512,
+ sntrup761x25519-sha512@openssh.com,
+ curve25519-sha256,curve25519-sha256@libssh.org,
+ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
+diff --git a/sshd_config.5 b/sshd_config.5
+index ce872de52..3c727f4d3 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -1050,11 +1050,14 @@ ecdh-sha2-nistp384
+ .It
+ ecdh-sha2-nistp521
+ .It
++sntrup761x25519-sha512
++.It
+ sntrup761x25519-sha512@openssh.com
+ .El
+ .Pp
+ The default is:
+ .Bd -literal -offset indent
++sntrup761x25519-sha512,
+ sntrup761x25519-sha512@openssh.com,
+ curve25519-sha256,curve25519-sha256@libssh.org,
+ ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
+--
+2.51.0
+
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0001-fix-utmpx-ifdef.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0001-fix-utmpx-ifdef.patch
deleted file mode 100644
index 80597517dd..0000000000
--- a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0001-fix-utmpx-ifdef.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 27996b32a8b0fe908effc469e5c7d496e40c6671 Mon Sep 17 00:00:00 2001
-Message-ID: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
-From: Christoph Ostarek
-Date: Wed, 3 Jul 2024 12:46:59 +0200
-Subject: [PATCH 1/8] fix utmpx ifdef
-
-02e16ad95fb1f56ab004b01a10aab89f7103c55d did a copy-paste for
-utmpx, but forgot to change the ifdef appropriately
-
-(cherry picked from commit c7fda601186ff28128cfe3eab9c9c0622de096e1)
----
- loginrec.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/loginrec.c b/loginrec.c
-index 7460bb2c0..45f13dee8 100644
---- a/loginrec.c
-+++ b/loginrec.c
-@@ -723,7 +723,7 @@ set_utmpx_time(struct logininfo *li, struct utmpx *utx)
- void
- construct_utmpx(struct logininfo *li, struct utmpx *utx)
- {
--# ifdef HAVE_ADDR_V6_IN_UTMP
-+# ifdef HAVE_ADDR_V6_IN_UTMPX
- struct sockaddr_in6 *sa6;
- # endif
- memset(utx, '\0', sizeof(*utx));
-@@ -769,7 +769,7 @@ construct_utmpx(struct logininfo *li, struct utmpx *utx)
- if (li->hostaddr.sa.sa_family == AF_INET)
- utx->ut_addr = li->hostaddr.sa_in.sin_addr.s_addr;
- # endif
--# ifdef HAVE_ADDR_V6_IN_UTMP
-+# ifdef HAVE_ADDR_V6_IN_UTMPX
- /* this is just a 128-bit IPv6 address */
- if (li->hostaddr.sa.sa_family == AF_INET6) {
- sa6 = ((struct sockaddr_in6 *)&li->hostaddr.sa);
---
-2.47.0
-
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0002-build-construct_utmp-when-USE_BTMP-is-set.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0002-build-construct_utmp-when-USE_BTMP-is-set.patch
deleted file mode 100644
index 814851b17c..0000000000
--- a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0002-build-construct_utmp-when-USE_BTMP-is-set.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From c606840894ca805472ddbd4ebad4b0a6f231ccb5 Mon Sep 17 00:00:00 2001
-Message-ID:
-In-Reply-To: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
-References: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
-From: Damien Miller
-Date: Wed, 25 Sep 2024 11:13:05 +1000
-Subject: [PATCH 2/8] build construct_utmp() when USE_BTMP is set
-
-Fixes compile error on Void Linux/Musl
-
-(cherry picked from commit 2c12ae8cf9b0b7549ae097c4123abeda0ee63e5b)
----
- loginrec.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/loginrec.c b/loginrec.c
-index 45f13dee8..7b1818b86 100644
---- a/loginrec.c
-+++ b/loginrec.c
-@@ -614,7 +614,7 @@ line_abbrevname(char *dst, const char *src, int dstsize)
- ** into account.
- **/
-
--#if defined(USE_UTMP) || defined (USE_WTMP) || defined (USE_LOGIN)
-+#if defined(USE_BTMP) || defined(USE_UTMP) || defined (USE_WTMP) || defined (USE_LOGIN)
-
- /* build the utmp structure */
- void
-@@ -698,7 +698,7 @@ construct_utmp(struct logininfo *li,
- }
- # endif
- }
--#endif /* USE_UTMP || USE_WTMP || USE_LOGIN */
-+#endif /* USE_BTMP || USE_UTMP || USE_WTMP || USE_LOGIN */
-
- /**
- ** utmpx utility functions
---
-2.47.0
-
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0003-gss-serv.c-needs-sys-param.h.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0003-gss-serv.c-needs-sys-param.h.patch
deleted file mode 100644
index cac3a4140f..0000000000
--- a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0003-gss-serv.c-needs-sys-param.h.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From d1e0cfefc3a0f2d371f280d270e9ebc2188950c6 Mon Sep 17 00:00:00 2001
-Message-ID:
-In-Reply-To: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
-References: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
-From: Damien Miller
-Date: Wed, 25 Sep 2024 11:15:45 +1000
-Subject: [PATCH 3/8] gss-serv.c needs sys/param.h
-
-From Void Linux
-
-(cherry picked from commit ff2cd1dd5711ff88efdf26662d6189d980439a1f)
----
- gss-serv.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/gss-serv.c b/gss-serv.c
-index 00e3d118b..025a118f8 100644
---- a/gss-serv.c
-+++ b/gss-serv.c
-@@ -29,6 +29,7 @@
- #ifdef GSSAPI
-
- #include
-+#include
-
- #include
- #include
---
-2.47.0
-
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0004-upstream-fix-regression-introduced-when-I-switched-t.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0004-upstream-fix-regression-introduced-when-I-switched-t.patch
deleted file mode 100644
index 40583d31ca..0000000000
--- a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0004-upstream-fix-regression-introduced-when-I-switched-t.patch
+++ /dev/null
@@ -1,296 +0,0 @@ -From dda58ae078f4cba21c3b874e81f1d28121636985 Mon Sep 17 00:00:00 2001 -Message-ID: -In-Reply-To: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org> -References: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org> -From: "djm@openbsd.org" -Date: Wed, 25 Sep 2024 01:24:04 +0000 -Subject: [PATCH 4/8] upstream: fix regression introduced when I switched the - "Match" - -criteria tokeniser to a more shell-like one. Apparently the old tokeniser -(accidentally?) allowed "Match criteria=argument" as well as the "Match -criteria argument" syntax that we tested for. - -People were using this syntax so this adds back support for -"Match criteria=argument" - -bz3739 ok dtucker - -OpenBSD-Commit-ID: d1eebedb8c902002b75b75debfe1eeea1801f58a -(cherry picked from commit 66878e12a207fa9746dee3e2bdcca29b704cf035) ---- - misc.c | 23 +++++++++++++++++++++- - misc.h | 3 ++- - readconf.c | 28 ++++++++++++++++++++++----- - servconf.c | 57 ++++++++++++++++++++++++++++++++++++++++-------------- - 4 files changed, 89 insertions(+), 22 deletions(-) - -diff --git a/misc.c b/misc.c -index afdf5142e..1b4b55c50 100644 ---- a/misc.c -+++ b/misc.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: misc.c,v 1.196 2024/06/06 17:15:25 djm Exp $ */ -+/* $OpenBSD: misc.c,v 1.197 2024/09/25 01:24:04 djm Exp $ */ - /* - * Copyright (c) 2000 Markus Friedl. All rights reserved. - * Copyright (c) 2005-2020 Damien Miller. All rights reserved. -@@ -107,6 +107,27 @@ rtrim(char *s) - } - } - -+/* -+ * returns pointer to character after 'prefix' in 's' or otherwise NULL -+ * if the prefix is not present. 
-+ */ -+const char * -+strprefix(const char *s, const char *prefix, int ignorecase) -+{ -+ size_t prefixlen; -+ -+ if ((prefixlen = strlen(prefix)) == 0) -+ return s; -+ if (ignorecase) { -+ if (strncasecmp(s, prefix, prefixlen) != 0) -+ return NULL; -+ } else { -+ if (strncmp(s, prefix, prefixlen) != 0) -+ return NULL; -+ } -+ return s + prefixlen; -+} -+ - /* set/unset filedescriptor to non-blocking */ - int - set_nonblock(int fd) -diff --git a/misc.h b/misc.h -index 113403896..efecdf1ad 100644 ---- a/misc.h -+++ b/misc.h -@@ -1,4 +1,4 @@ --/* $OpenBSD: misc.h,v 1.109 2024/06/06 17:15:25 djm Exp $ */ -+/* $OpenBSD: misc.h,v 1.110 2024/09/25 01:24:04 djm Exp $ */ - - /* - * Author: Tatu Ylonen -@@ -56,6 +56,7 @@ struct ForwardOptions { - char *chop(char *); - void rtrim(char *); - void skip_space(char **); -+const char *strprefix(const char *, const char *, int); - char *strdelim(char **); - char *strdelimw(char **); - int set_nonblock(int); -diff --git a/readconf.c b/readconf.c -index 3d9cc6dbb..de42fb6ff 100644 ---- a/readconf.c -+++ b/readconf.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: readconf.c,v 1.390 2024/09/15 00:57:36 djm Exp $ */ -+/* $OpenBSD: readconf.c,v 1.391 2024/09/25 01:24:04 djm Exp $ */ - /* - * Author: Tatu Ylonen - * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland -@@ -710,7 +710,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp, - struct passwd *pw, const char *host_arg, const char *original_host, - int final_pass, int *want_final_pass, const char *filename, int linenum) - { -- char *arg, *oattrib, *attrib, *cmd, *host, *criteria; -+ char *arg, *oattrib, *attrib = NULL, *cmd, *host, *criteria; - const char *ruser; - int r, this_result, result = 1, attributes = 0, negate; - -@@ -731,7 +731,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp, - - debug2("checking match for '%s' host %s originally %s", - full_line, host, original_host); -- while ((oattrib = attrib = argv_next(acp, avp)) != 
NULL) { -+ while ((oattrib = argv_next(acp, avp)) != NULL) { -+ attrib = xstrdup(oattrib); - /* Terminate on comment */ - if (*attrib == '#') { - argv_consume(acp); -@@ -777,9 +778,23 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp, - this_result ? "" : "not ", oattrib); - continue; - } -+ -+ /* Keep this list in sync with below */ -+ if (strprefix(attrib, "host=", 1) != NULL || -+ strprefix(attrib, "originalhost=", 1) != NULL || -+ strprefix(attrib, "user=", 1) != NULL || -+ strprefix(attrib, "localuser=", 1) != NULL || -+ strprefix(attrib, "localnetwork=", 1) != NULL || -+ strprefix(attrib, "tagged=", 1) != NULL || -+ strprefix(attrib, "exec=", 1) != NULL) { -+ arg = strchr(attrib, '='); -+ *(arg++) = '\0'; -+ } else { -+ arg = argv_next(acp, avp); -+ } -+ - /* All other criteria require an argument */ -- if ((arg = argv_next(acp, avp)) == NULL || -- *arg == '\0' || *arg == '#') { -+ if (arg == NULL || *arg == '\0' || *arg == '#') { - error("Missing Match criteria for %s", attrib); - result = -1; - goto out; -@@ -856,6 +871,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp, - criteria == NULL ? "" : criteria, - criteria == NULL ? "" : "\""); - free(criteria); -+ free(attrib); -+ attrib = NULL; - } - if (attributes == 0) { - error("One or more attributes required for Match"); -@@ -865,6 +882,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp, - out: - if (result != -1) - debug2("match %sfound", result ? 
"" : "not "); -+ free(attrib); - free(host); - return result; - } -diff --git a/servconf.c b/servconf.c -index 89b8413e8..dd774f468 100644 ---- a/servconf.c -+++ b/servconf.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: servconf.c,v 1.418 2024/09/15 03:09:44 djm Exp $ */ -+/* $OpenBSD: servconf.c,v 1.419 2024/09/25 01:24:04 djm Exp $ */ - /* - * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland - * All rights reserved -@@ -1033,7 +1033,7 @@ match_cfg_line(const char *full_line, int *acp, char ***avp, - int line, struct connection_info *ci) - { - int result = 1, attributes = 0, port; -- char *arg, *attrib; -+ char *arg, *attrib = NULL, *oattrib; - - if (ci == NULL) - debug3("checking syntax for 'Match %s'", full_line); -@@ -1047,7 +1047,8 @@ match_cfg_line(const char *full_line, int *acp, char ***avp, - ci->laddress ? ci->laddress : "(null)", ci->lport); - } - -- while ((attrib = argv_next(acp, avp)) != NULL) { -+ while ((oattrib = argv_next(acp, avp)) != NULL) { -+ attrib = xstrdup(oattrib); - /* Terminate on comment */ - if (*attrib == '#') { - argv_consume(acp); /* mark all arguments consumed */ -@@ -1062,11 +1063,13 @@ match_cfg_line(const char *full_line, int *acp, char ***avp, - *arg != '\0' && *arg != '#')) { - error("'all' cannot be combined with other " - "Match attributes"); -- return -1; -+ result = -1; -+ goto out; - } - if (arg != NULL && *arg == '#') - argv_consume(acp); /* consume remaining args */ -- return 1; -+ result = 1; -+ goto out; - } - /* Criterion "invalid-user" also has no argument */ - if (strcasecmp(attrib, "invalid-user") == 0) { -@@ -1078,11 +1081,26 @@ match_cfg_line(const char *full_line, int *acp, char ***avp, - debug("matched invalid-user at line %d", line); - continue; - } -+ -+ /* Keep this list in sync with below */ -+ if (strprefix(attrib, "user=", 1) != NULL || -+ strprefix(attrib, "group=", 1) != NULL || -+ strprefix(attrib, "host=", 1) != NULL || -+ strprefix(attrib, "address=", 1) != NULL || -+ strprefix(attrib, "localaddress=", 1) != NULL 
|| -+ strprefix(attrib, "localport=", 1) != NULL || -+ strprefix(attrib, "rdomain=", 1) != NULL) { -+ arg = strchr(attrib, '='); -+ *(arg++) = '\0'; -+ } else { -+ arg = argv_next(acp, avp); -+ } -+ - /* All other criteria require an argument */ -- if ((arg = argv_next(acp, avp)) == NULL || -- *arg == '\0' || *arg == '#') { -+ if (arg == NULL || *arg == '\0' || *arg == '#') { - error("Missing Match criteria for %s", attrib); -- return -1; -+ result = -1; -+ goto out; - } - if (strcasecmp(attrib, "user") == 0) { - if (ci == NULL || (ci->test && ci->user == NULL)) { -@@ -1105,7 +1123,8 @@ match_cfg_line(const char *full_line, int *acp, char ***avp, - match_test_missing_fatal("Group", "user"); - switch (match_cfg_line_group(arg, line, ci->user)) { - case -1: -- return -1; -+ result = -1; -+ goto out; - case 0: - result = 0; - } -@@ -1141,7 +1160,8 @@ match_cfg_line(const char *full_line, int *acp, char ***avp, - result = 0; - break; - case -2: -- return -1; -+ result = -1; -+ goto out; - } - } else if (strcasecmp(attrib, "localaddress") == 0){ - if (ci == NULL || (ci->test && ci->laddress == NULL)) { -@@ -1166,13 +1186,15 @@ match_cfg_line(const char *full_line, int *acp, char ***avp, - result = 0; - break; - case -2: -- return -1; -+ result = -1; -+ goto out; - } - } else if (strcasecmp(attrib, "localport") == 0) { - if ((port = a2port(arg)) == -1) { - error("Invalid LocalPort '%s' on Match line", - arg); -- return -1; -+ result = -1; -+ goto out; - } - if (ci == NULL || (ci->test && ci->lport == -1)) { - result = 0; -@@ -1200,16 +1222,21 @@ match_cfg_line(const char *full_line, int *acp, char ***avp, - debug("user %.100s matched 'RDomain %.100s' at " - "line %d", ci->rdomain, arg, line); - } else { -- error("Unsupported Match attribute %s", attrib); -- return -1; -+ error("Unsupported Match attribute %s", oattrib); -+ result = -1; -+ goto out; - } -+ free(attrib); -+ attrib = NULL; - } - if (attributes == 0) { - error("One or more attributes required for Match"); - 
return -1; - } -- if (ci != NULL) -+ out: -+ if (ci != NULL && result != -1) - debug3("match %sfound", result ? "" : "not "); -+ free(attrib); - return result; - } - --- -2.47.0 - diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0005-upstream-fix-previous-change-to-ssh_config-Match-whi.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0005-upstream-fix-previous-change-to-ssh_config-Match-whi.patch deleted file mode 100644 index 7495780afd..0000000000 --- a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0005-upstream-fix-previous-change-to-ssh_config-Match-whi.patch +++ /dev/null 
@@ -1,70 +0,0 @@
-From 3e95023995e1d0249febab2b804f51b7673e07de Mon Sep 17 00:00:00 2001
-Message-ID: <3e95023995e1d0249febab2b804f51b7673e07de.1730162536.git.sam@gentoo.org>
-In-Reply-To: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
-References: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
-From: "djm@openbsd.org"
-Date: Thu, 26 Sep 2024 23:55:08 +0000
-Subject: [PATCH 5/8] upstream: fix previous change to ssh_config Match, which
- broken on
-
-negated Matches; spotted by phessler@ ok deraadt@
-
-OpenBSD-Commit-ID: b1c6acec66cd5bd1252feff1d02ad7129ced37c7
-(cherry picked from commit 19bcb2d90c6caf14abf386b644fb24eb7afab889)
----
- readconf.c | 14 +++++++-------
- 1 file changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/readconf.c b/readconf.c
-index de42fb6ff..9f5592698 100644
---- a/readconf.c
-+++ b/readconf.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: readconf.c,v 1.391 2024/09/25 01:24:04 djm Exp $ */
-+/* $OpenBSD: readconf.c,v 1.392 2024/09/26 23:55:08 djm Exp $ */
- /*
- * Author: Tatu Ylonen
- * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
-@@ -710,7 +710,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
- struct passwd *pw, const char *host_arg, const char *original_host,
- int final_pass, int *want_final_pass, const char *filename, int linenum)
- {
-- char *arg, *oattrib, *attrib = NULL, *cmd, *host, *criteria;
-+ char *arg, *oattrib = NULL, *attrib = NULL, *cmd, *host, *criteria;
- const char *ruser;
- int r, this_result, result = 1, attributes = 0, negate;
-
-@@ -731,8 +731,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
-
- debug2("checking match for '%s' host %s originally %s",
- full_line, host, original_host);
-- while ((oattrib = argv_next(acp, avp)) != NULL) {
-- attrib = xstrdup(oattrib);
-+ while ((attrib = argv_next(acp, avp)) != NULL) {
-+ attrib = oattrib = xstrdup(attrib);
- /* Terminate on comment */
- if (*attrib ==
'#') {
- argv_consume(acp);
-@@ -871,8 +871,8 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
- criteria == NULL ? "" : criteria,
- criteria == NULL ? "" : "\"");
- free(criteria);
-- free(attrib);
-- attrib = NULL;
-+ free(oattrib);
-+ oattrib = attrib = NULL;
- }
- if (attributes == 0) {
- error("One or more attributes required for Match");
-@@ -882,7 +882,7 @@ match_cfg_line(Options *options, const char *full_line, int *acp, char ***avp,
- out:
- if (result != -1)
- debug2("match %sfound", result ? "" : "not ");
-- free(attrib);
-+ free(oattrib);
- free(host);
- return result;
- }
---
-2.47.0
-
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0006-upstream-fix-ML-KEM768x25519-KEX-on-big-endian-syste.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0006-upstream-fix-ML-KEM768x25519-KEX-on-big-endian-syste.patch
deleted file mode 100644
index 7719f89aee..0000000000
--- a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0006-upstream-fix-ML-KEM768x25519-KEX-on-big-endian-syste.patch
+++ /dev/null
@@ -1,99 +0,0 @@ -From 3c10bf179b0029e0412e4b0fecf2e31d53b4ef08 Mon Sep 17 00:00:00 2001 -Message-ID: <3c10bf179b0029e0412e4b0fecf2e31d53b4ef08.1730162536.git.sam@gentoo.org> -In-Reply-To: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org> -References: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org> -From: "djm@openbsd.org" -Date: Sun, 27 Oct 2024 02:06:01 +0000 -Subject: [PATCH 6/8] upstream: fix ML-KEM768x25519 KEX on big-endian systems; - spotted by - -jsg@ feedback/ok deraadt@ - -OpenBSD-Commit-ID: 26d81a430811672bc762687166986cad40d28cc0 -(cherry picked from commit 11f348196b3fb51c3d8d1f4f36db9d73f03149ed) ---- - libcrux_mlkem768_sha3.h | 8 +++++--- - mlkem768.sh | 17 ++++++++++++----- - 2 files changed, 17 insertions(+), 8 deletions(-) - -diff --git a/libcrux_mlkem768_sha3.h b/libcrux_mlkem768_sha3.h -index a82d60e83..b8ac1436f 100644 ---- a/libcrux_mlkem768_sha3.h -+++ b/libcrux_mlkem768_sha3.h -@@ -1,4 +1,5 @@ --/* $OpenBSD: libcrux_mlkem768_sha3.h,v 1.1 2024/09/02 12:13:56 djm Exp $ */ -+/* $OpenBSD: libcrux_mlkem768_sha3.h,v 1.2 2024/10/27 02:06:01 djm Exp $ */ -+ - /* Extracted from libcrux revision 84c5d87b3092c59294345aa269ceefe0eb97cc35 */ - - /* -@@ -160,18 +161,19 @@ static inline void Eurydice_slice_to_array3(uint8_t *dst_tag, char *dst_ok, - // CORE STUFF (conversions, endianness, ...) 
- - static inline void core_num__u64_9__to_le_bytes(uint64_t v, uint8_t buf[8]) { -+ v = htole64(v); - memcpy(buf, &v, sizeof(v)); - } - static inline uint64_t core_num__u64_9__from_le_bytes(uint8_t buf[8]) { - uint64_t v; - memcpy(&v, buf, sizeof(v)); -- return v; -+ return le64toh(v); - } - - static inline uint32_t core_num__u32_8__from_le_bytes(uint8_t buf[4]) { - uint32_t v; - memcpy(&v, buf, sizeof(v)); -- return v; -+ return le32toh(v); - } - - static inline uint32_t core_num__u8_6__count_ones(uint8_t x0) { -diff --git a/mlkem768.sh b/mlkem768.sh -index 2fdc28312..3d12b2ed8 100644 ---- a/mlkem768.sh -+++ b/mlkem768.sh -@@ -1,9 +1,10 @@ - #!/bin/sh --# $OpenBSD: mlkem768.sh,v 1.2 2024/09/04 05:11:33 djm Exp $ -+# $OpenBSD: mlkem768.sh,v 1.3 2024/10/27 02:06:01 djm Exp $ - # Placed in the Public Domain. - # - --WANT_LIBCRUX_REVISION="origin/main" -+#WANT_LIBCRUX_REVISION="origin/main" -+WANT_LIBCRUX_REVISION="84c5d87b3092c59294345aa269ceefe0eb97cc35" - - FILES=" - libcrux/libcrux-ml-kem/cg/eurydice_glue.h -@@ -47,6 +48,7 @@ echo '#define KRML_NOINLINE __attribute__((noinline, unused))' - echo '#define KRML_HOST_EPRINTF(...)' - echo '#define KRML_HOST_EXIT(x) fatal_f("internal error")' - echo -+ - for i in $FILES; do - echo "/* from $i */" - # Changes to all files: -@@ -56,11 +58,16 @@ for i in $FILES; do - -e 's/[ ]*$//' \ - $i | \ - case "$i" in -- # XXX per-file handling goes here. -+ */libcrux-ml-kem/cg/eurydice_glue.h) -+ # Replace endian functions with versions that work. -+ perl -0777 -pe 's/(static inline void core_num__u64_9__to_le_bytes.*\n)([^}]*\n)/\1 v = htole64(v);\n\2/' | -+ perl -0777 -pe 's/(static inline uint64_t core_num__u64_9__from_le_bytes.*?)return v;/\1return le64toh(v);/s' | -+ perl -0777 -pe 's/(static inline uint32_t core_num__u32_8__from_le_bytes.*?)return v;/\1return le32toh(v);/s' -+ ;; - # Default: pass through. - *) -- cat -- ;; -+ cat -+ ;; - esac - echo - done --- -2.47.0 - 
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0007-upstream-explicitly-include-endian.h.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0007-upstream-explicitly-include-endian.h.patch
deleted file mode 100644
index d92d81f8d4..0000000000
--- a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0007-upstream-explicitly-include-endian.h.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From f87403aba3e7926ab47f4c9a821300a705b070f2 Mon Sep 17 00:00:00 2001
-Message-ID:
-In-Reply-To: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
-References: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org>
-From: "djm@openbsd.org"
-Date: Sun, 27 Oct 2024 02:06:59 +0000
-Subject: [PATCH 7/8] upstream: explicitly include endian.h
-
-OpenBSD-Commit-ID: 13511fdef7535bdbc35b644c90090013da43a318
-(cherry picked from commit fe8d28a7ebbaa35cfc04a21263627f05c237e460)
----
- kexmlkem768x25519.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/kexmlkem768x25519.c b/kexmlkem768x25519.c
-index 679446e97..2b5d39608 100644
---- a/kexmlkem768x25519.c
-+++ b/kexmlkem768x25519.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: kexmlkem768x25519.c,v 1.1 2024/09/02 12:13:56 djm Exp $ */
-+/* $OpenBSD: kexmlkem768x25519.c,v 1.2 2024/10/27 02:06:59 djm Exp $ */
- /*
- * Copyright (c) 2023 Markus Friedl. All rights reserved.
- *
-@@ -34,6 +34,9 @@
- #include
- #include
- #include
-+#ifdef HAVE_ENDIAN_H
-+# include
-+#endif
-
- #include "sshkey.h"
- #include "kex.h"
---
-2.47.0
-
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0008-htole64-etc-for-systems-without-endian.h.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0008-htole64-etc-for-systems-without-endian.h.patch
deleted file mode 100644
index 9799a82ea1..0000000000
--- a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p1/0008-htole64-etc-for-systems-without-endian.h.patch
+++ /dev/null
@@ -1,66 +0,0 @@ -From 88e0d4645af6e4d4fb1b0dd320b83dd83ca6e73c Mon Sep 17 00:00:00 2001 -Message-ID: <88e0d4645af6e4d4fb1b0dd320b83dd83ca6e73c.1730162536.git.sam@gentoo.org> -In-Reply-To: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org> -References: <27996b32a8b0fe908effc469e5c7d496e40c6671.1730162536.git.sam@gentoo.org> -From: Damien Miller -Date: Sun, 27 Oct 2024 13:28:11 +1100 -Subject: [PATCH 8/8] htole64() etc for systems without endian.h - -(cherry picked from commit 33c5f384ae03a5d1a0bd46ca0fac3c62e4eaf784) ---- - configure.ac | 1 - - defines.h | 26 ++++++++++++++++++++++++++ - 2 files changed, 26 insertions(+), 1 deletion(-) - -diff --git a/configure.ac b/configure.ac -index 591d5a388..9053a9a2b 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -2013,7 +2013,6 @@ AC_CHECK_FUNCS([ \ - strtoll \ - strtoul \ - strtoull \ -- swap32 \ - sysconf \ - tcgetpgrp \ - timegm \ -diff --git a/defines.h b/defines.h -index ed860e78b..b02f2942a 100644 ---- a/defines.h -+++ b/defines.h -@@ -646,6 +646,32 @@ struct winsize { - # endif /* WORDS_BIGENDIAN */ - #endif /* BYTE_ORDER */ - -+#ifndef HAVE_ENDIAN_H -+# define openssh_swap32(v) \ -+ (uint32_t)(((uint32_t)(v) & 0xff) << 24 | \ -+ ((uint32_t)(v) & 0xff00) << 8 | \ -+ ((uint32_t)(v) & 0xff0000) >> 8 | \ -+ ((uint32_t)(v) & 0xff000000) >> 24) -+# define openssh_swap64(v) \ -+ (__uint64_t)((((__uint64_t)(v) & 0xff) << 56) | \ -+ ((__uint64_t)(v) & 0xff00ULL) << 40 | \ -+ ((__uint64_t)(v) & 0xff0000ULL) << 24 | \ -+ ((__uint64_t)(v) & 0xff000000ULL) << 8 | \ -+ ((__uint64_t)(v) & 0xff00000000ULL) >> 8 | \ -+ ((__uint64_t)(v) & 0xff0000000000ULL) >> 24 | \ -+ ((__uint64_t)(v) & 0xff000000000000ULL) >> 40 | \ -+ ((__uint64_t)(v) & 0xff00000000000000ULL) >> 56) -+# ifdef WORDS_BIGENDIAN -+# define le32toh(v) (openssh_swap32(v)) -+# define le64toh(v) (openssh_swap64(v)) -+# define htole64(v) (openssh_swap64(v)) -+# else -+# define le32toh(v) ((uint32_t)v) -+# define le64toh(v) ((uint64_t)v) -+# define 
htole64(v) ((uint64_t)v) -+# endif -+#endif -+ - /* Function replacement / compatibility hacks */ - - #if !defined(HAVE_GETADDRINFO) && (defined(HAVE_OGETADDRINFO) || defined(HAVE_NGETADDRINFO)) --- -2.47.0 - diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0001-Check-for-le32toh-le64toh-htole64-individually.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0001-Check-for-le32toh-le64toh-htole64-individually.patch new file mode 100644 index 0000000000..ae9ca600d6 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0001-Check-for-le32toh-le64toh-htole64-individually.patch 
@@ -0,0 +1,87 @@ +From 4b8d141ec165aa29a48316768089cb03aed3aada Mon Sep 17 00:00:00 2001 +Message-ID: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org> +From: Darren Tucker +Date: Wed, 26 Feb 2025 18:16:03 +1100 +Subject: [PATCH 01/10] Check for le32toh, le64toh, htole64 individually. + +It appears that at least some versions of endian.h in glibc do not have +the latter two, so check for and replace each one individually. +bz#3794, ok djm@ +--- + configure.ac | 12 ++++++++++++ + defines.h | 28 +++++++++++++++++++++------- + 2 files changed, 33 insertions(+), 7 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 9053a9a2b..57a8d1007 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -536,6 +536,18 @@ AC_CHECK_HEADERS([ \ + wchar.h \ + ]) + ++AC_CHECK_DECLS([le32toh, le64toh, htole64], [], [], [ ++#ifdef HAVE_SYS_TYPES_H ++# include ++#endif ++#ifdef HAVE_STDINT_H ++# include ++#endif ++#ifdef HAVE_ENDIAN_H ++# include ++#endif ++]) ++ + # On some platforms (eg SunOS4) sys/audit.h requires sys/[time|types|label.h] + # to be included first. 
+ AC_CHECK_HEADERS([sys/audit.h], [], [], [ +diff --git a/defines.h b/defines.h +index c1c21aba6..090f49f55 100644 +--- a/defines.h ++++ b/defines.h +@@ -646,7 +646,9 @@ struct winsize { + # endif /* WORDS_BIGENDIAN */ + #endif /* BYTE_ORDER */ + +-#ifndef HAVE_ENDIAN_H ++#if (defined(HAVE_DECL_LE32TOH) && HAVE_DECL_LE32TOH == 0) || \ ++ (defined(HAVE_DECL_LE64TOH) && HAVE_DECL_LE64TOH == 0) || \ ++ (defined(HAVE_DECL_HTOLE64) && HAVE_DECL_HTOLE64 == 0) + # define openssh_swap32(v) \ + (uint32_t)(((uint32_t)(v) & 0xff) << 24 | \ + ((uint32_t)(v) & 0xff00) << 8 | \ +@@ -662,13 +664,25 @@ struct winsize { + ((uint64_t)(v) & 0xff000000000000ULL) >> 40 | \ + ((uint64_t)(v) & 0xff00000000000000ULL) >> 56) + # ifdef WORDS_BIGENDIAN +-# define le32toh(v) (openssh_swap32(v)) +-# define le64toh(v) (openssh_swap64(v)) +-# define htole64(v) (openssh_swap64(v)) ++# if defined(HAVE_DECL_LE32TOH) && HAVE_DECL_LE32TOH == 0 ++# define le32toh(v) (openssh_swap32(v)) ++# endif ++# if defined(HAVE_DECL_LE64TOH) && HAVE_DECL_LE64TOH == 0 ++# define le64toh(v) (openssh_swap64(v)) ++# endif ++# if defined(HAVE_DECL_HTOLE64) && HAVE_DECL_HTOLE64 == 0 ++# define htole64(v) (openssh_swap64(v)) ++# endif + # else +-# define le32toh(v) ((uint32_t)v) +-# define le64toh(v) ((uint64_t)v) +-# define htole64(v) ((uint64_t)v) ++# if defined(HAVE_DECL_LE32TOH) && HAVE_DECL_LE32TOH == 0 ++# define le32toh(v) ((uint32_t)v) ++# endif ++# if defined(HAVE_DECL_LE64TOH) && HAVE_DECL_LE64TOH == 0 ++# define le64toh(v) ((uint64_t)v) ++# endif ++# if defined(HAVE_DECL_HTOLE64) && HAVE_DECL_HTOLE64 == 0 ++# define htole64(v) ((uint64_t)v) ++# endif + # endif + #endif + +-- +2.51.0 + diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0002-Update-autoconf-files-for-endian.h-change.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0002-Update-autoconf-files-for-endian.h-change.patch new file mode 100644 index 0000000000..778ffba81c 
--- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0002-Update-autoconf-files-for-endian.h-change.patch 
@@ -0,0 +1,118 @@ +From de4bcb51c893d81a741d4fac37c10107738a952f Mon Sep 17 00:00:00 2001 +Message-ID: +In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org> +References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org> +From: Darren Tucker +Date: Wed, 26 Feb 2025 18:25:33 +1100 +Subject: [PATCH 02/10] Update autoconf files for endian.h change. + +--- + config.h.in | 12 +++++++++++ + configure | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 72 insertions(+) + +diff --git a/config.h.in b/config.h.in +index 14bee6087..c841417f4 100644 +--- a/config.h.in ++++ b/config.h.in +@@ -363,10 +363,22 @@ + don't. */ + #undef HAVE_DECL_HOWMANY + ++/* Define to 1 if you have the declaration of `htole64', and to 0 if you ++ don't. */ ++#undef HAVE_DECL_HTOLE64 ++ + /* Define to 1 if you have the declaration of `h_errno', and to 0 if you + don't. */ + #undef HAVE_DECL_H_ERRNO + ++/* Define to 1 if you have the declaration of `le32toh', and to 0 if you ++ don't. */ ++#undef HAVE_DECL_LE32TOH ++ ++/* Define to 1 if you have the declaration of `le64toh', and to 0 if you ++ don't. */ ++#undef HAVE_DECL_LE64TOH ++ + /* Define to 1 if you have the declaration of `loginfailed', and to 0 if you + don't. 
*/ + #undef HAVE_DECL_LOGINFAILED +diff --git a/configure b/configure +index b4d33b7cd..ec1de26c2 100755 +--- a/configure ++++ b/configure +@@ -11325,6 +11325,65 @@ then : + fi + + ++ac_fn_check_decl "$LINENO" "le32toh" "ac_cv_have_decl_le32toh" " ++#ifdef HAVE_SYS_TYPES_H ++# include ++#endif ++#ifdef HAVE_STDINT_H ++# include ++#endif ++#ifdef HAVE_ENDIAN_H ++# include ++#endif ++ ++" "$ac_c_undeclared_builtin_options" "CFLAGS" ++if test "x$ac_cv_have_decl_le32toh" = xyes ++then : ++ ac_have_decl=1 ++else $as_nop ++ ac_have_decl=0 ++fi ++printf "%s\n" "#define HAVE_DECL_LE32TOH $ac_have_decl" >>confdefs.h ++ac_fn_check_decl "$LINENO" "le64toh" "ac_cv_have_decl_le64toh" " ++#ifdef HAVE_SYS_TYPES_H ++# include ++#endif ++#ifdef HAVE_STDINT_H ++# include ++#endif ++#ifdef HAVE_ENDIAN_H ++# include ++#endif ++ ++" "$ac_c_undeclared_builtin_options" "CFLAGS" ++if test "x$ac_cv_have_decl_le64toh" = xyes ++then : ++ ac_have_decl=1 ++else $as_nop ++ ac_have_decl=0 ++fi ++printf "%s\n" "#define HAVE_DECL_LE64TOH $ac_have_decl" >>confdefs.h ++ac_fn_check_decl "$LINENO" "htole64" "ac_cv_have_decl_htole64" " ++#ifdef HAVE_SYS_TYPES_H ++# include ++#endif ++#ifdef HAVE_STDINT_H ++# include ++#endif ++#ifdef HAVE_ENDIAN_H ++# include ++#endif ++ ++" "$ac_c_undeclared_builtin_options" "CFLAGS" ++if test "x$ac_cv_have_decl_htole64" = xyes ++then : ++ ac_have_decl=1 ++else $as_nop ++ ac_have_decl=0 ++fi ++printf "%s\n" "#define HAVE_DECL_HTOLE64 $ac_have_decl" >>confdefs.h ++ ++ + # On some platforms (eg SunOS4) sys/audit.h requires sys/[time|types|label.h] + # to be included first. + ac_fn_c_check_header_compile "$LINENO" "sys/audit.h" "ac_cv_header_sys_audit_h" " +@@ -27710,3 +27769,4 @@ if test "$AUDIT_MODULE" = "bsm" ; then + echo "WARNING: BSM audit support is currently considered EXPERIMENTAL." + echo "See the Solaris section in README.platform for details." + fi ++ +-- +2.51.0 + 
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0003-Rebuild-config-files-if-Makefile-changes.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0003-Rebuild-config-files-if-Makefile-changes.patch
new file mode 100644
index 0000000000..ad90441cef
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0003-Rebuild-config-files-if-Makefile-changes.patch
@@ -0,0 +1,30 @@
+From ef95df4089f0dba640671ca6acfb876a78794b83 Mon Sep 17 00:00:00 2001
+Message-ID:
+In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
+References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
+From: Darren Tucker
+Date: Sat, 1 Mar 2025 10:28:59 +1100
+Subject: [PATCH 03/10] Rebuild config files if Makefile changes.
+
+This ensures paths are updated if they are changed by re-running configure.
+Patch from rapier at psc.edu.
+---
+ Makefile.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index 4243006b0..fc7a1a354 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -267,7 +267,7 @@ $(MANPAGES): $(MANPAGES_IN)
+ $(FIXPATHSCMD) $${manpage} | $(FIXALGORITHMSCMD) > $@; \
+ fi
+
+-$(CONFIGFILES): $(CONFIGFILES_IN)
++$(CONFIGFILES): $(CONFIGFILES_IN) Makefile
+ conffile=`echo $@ | sed 's/.out$$//'`; \
+ $(FIXPATHSCMD) $(srcdir)/$${conffile} > $@
+
+--
+2.51.0
+
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0004-include-__builtin_popcount-replacement-function.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0004-include-__builtin_popcount-replacement-function.patch
new file mode 100644
index 0000000000..6d0c87adb8
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0004-include-__builtin_popcount-replacement-function.patch
@@ -0,0 +1,92 @@ +From 3b4adf2018ae8fdd48623b6b5ede182319a76b8f Mon Sep 17 00:00:00 2001 +Message-ID: <3b4adf2018ae8fdd48623b6b5ede182319a76b8f.1758727915.git.sam@gentoo.org> +In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org> +References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org> +From: Damien Miller +Date: Sun, 2 Mar 2025 22:06:53 +1100 +Subject: [PATCH 04/10] include __builtin_popcount replacement function + +Some systems/compilers lack __builtin_popcount(), so replace it as +necessary. Reported by Dennis Clarke; ok dtucker@ +--- + configure.ac | 13 +++++++++++++ + libcrux_mlkem768_sha3.h | 8 ++++++-- + mlkem768.sh | 10 +++++++++- + 3 files changed, 28 insertions(+), 3 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 57a8d1007..dbe189066 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -2041,6 +2041,19 @@ AC_CHECK_FUNCS([ \ + warn \ + ]) + ++AC_MSG_CHECKING([whether compiler supports __builtin_popcount]) ++AC_LINK_IFELSE([AC_LANG_PROGRAM([[ ++ #include ++ ]], ++ [[ int x = 123, y; ++ y = __builtin_popcount(123); ++ exit(y == 6 ? 0 : -1); ]])], ++ [ AC_MSG_RESULT([yes]) ], [ ++ AC_MSG_RESULT([no]) ++ AC_DEFINE([MISSING_BUILTIN_POPCOUNT], [1], [Define if your compiler lacks __builtin_popcount]) ++ ] ++) ++ + AC_CHECK_DECLS([bzero, memmem]) + + dnl Wide character support. 
+diff --git a/libcrux_mlkem768_sha3.h b/libcrux_mlkem768_sha3.h +index b8ac1436f..885e82baf 100644 +--- a/libcrux_mlkem768_sha3.h ++++ b/libcrux_mlkem768_sha3.h +@@ -177,10 +177,14 @@ static inline uint32_t core_num__u32_8__from_le_bytes(uint8_t buf[4]) { + } + + static inline uint32_t core_num__u8_6__count_ones(uint8_t x0) { +-#ifdef _MSC_VER ++#if defined(_MSC_VER) + return __popcnt(x0); +-#else ++#elif !defined(MISSING_BUILTIN_POPCOUNT) + return __builtin_popcount(x0); ++#else ++ const uint8_t v[16] = { 0, 1, 1, 2, 1, 2, 2, 3, 1, 2, 2, 3, 2, 3, 3, 4 }; ++ return v[x0 & 0xf] + v[(x0 >> 4) & 0xf]; ++ + #endif + } + +diff --git a/mlkem768.sh b/mlkem768.sh +index 3d12b2ed8..cbc3d14da 100644 +--- a/mlkem768.sh ++++ b/mlkem768.sh +@@ -49,6 +49,11 @@ echo '#define KRML_HOST_EPRINTF(...)' + echo '#define KRML_HOST_EXIT(x) fatal_f("internal error")' + echo + ++__builtin_popcount_replacement=' ++ const uint8_t v[16] = { 0, 1, 1, 2, 1, 2, 2, 3, 1, 2, 2, 3, 2, 3, 3, 4 }; ++ return v[x0 & 0xf] + v[(x0 >> 4) & 0xf]; ++' ++ + for i in $FILES; do + echo "/* from $i */" + # Changes to all files: +@@ -62,7 +67,10 @@ for i in $FILES; do + # Replace endian functions with versions that work. + perl -0777 -pe 's/(static inline void core_num__u64_9__to_le_bytes.*\n)([^}]*\n)/\1 v = htole64(v);\n\2/' | + perl -0777 -pe 's/(static inline uint64_t core_num__u64_9__from_le_bytes.*?)return v;/\1return le64toh(v);/s' | +- perl -0777 -pe 's/(static inline uint32_t core_num__u32_8__from_le_bytes.*?)return v;/\1return le32toh(v);/s' ++ perl -0777 -pe 's/(static inline uint32_t core_num__u32_8__from_le_bytes.*?)return v;/\1return le32toh(v);/s' | ++ # Compat for popcount. ++ perl -0777 -pe 's/\#ifdef (_MSC_VER)(.*?return __popcnt\(x0\);)/\#if defined(\1)\2/s' | ++ perl -0777 -pe "s/\\#else(\\n\\s+return __builtin_popcount\\(x0\\);)/\\#elif !defined(MISSING_BUILTIN_POPCOUNT)\\1\\n#else$__builtin_popcount_replacement/s" + ;; + # Default: pass through. + *) +-- +2.51.0 + 
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0005-upstream-fix-PerSourcePenalty-incorrectly-using-cras.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0005-upstream-fix-PerSourcePenalty-incorrectly-using-cras.patch
new file mode 100644
index 0000000000..a2c7e98087
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0005-upstream-fix-PerSourcePenalty-incorrectly-using-cras.patch
@@ -0,0 +1,32 @@
+From d58ae05bb7838e1fdae967752f06b0b2471a63f5 Mon Sep 17 00:00:00 2001
+Message-ID:
+In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
+References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
+From: "djm@openbsd.org"
+Date: Sun, 2 Mar 2025 22:44:00 +0000
+Subject: [PATCH 05/10] upstream: fix PerSourcePenalty incorrectly using
+ "crash" penalty when
+
+LoginGraceTime was exceeded. Reported by irwin AT princeton.edu via bz3797
+
+OpenBSD-Commit-ID: 1ba3e490a5a9451359618c550d995380af454d25
+---
+ srclimit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/srclimit.c b/srclimit.c
+index 33116fa52..c63a462e2 100644
+--- a/srclimit.c
++++ b/srclimit.c
+@@ -386,7 +386,7 @@ srclimit_penalise(struct xaddr *addr, int penalty_type)
+ reason = "penalty: connection prohibited by RefuseConnection";
+ break;
+ case SRCLIMIT_PENALTY_GRACE_EXCEEDED:
+- penalty_secs = penalty_cfg.penalty_crash;
++ penalty_secs = penalty_cfg.penalty_grace;
+ reason = "penalty: exceeded LoginGraceTime";
+ break;
+ default:
+--
+2.51.0
+
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0006-regenerate-configure-config.h.in.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0006-regenerate-configure-config.h.in.patch
new file mode 100644
index 0000000000..8ba648a421
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0006-regenerate-configure-config.h.in.patch 
@@ -0,0 +1,80 @@ +From 7d5b6c7ec3c597a6d57f64d0db925142bccd38a3 Mon Sep 17 00:00:00 2001 +Message-ID: <7d5b6c7ec3c597a6d57f64d0db925142bccd38a3.1758727915.git.sam@gentoo.org> +In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org> +References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org> +From: Damien Miller +Date: Mon, 3 Mar 2025 14:21:12 +1100 +Subject: [PATCH 06/10] regenerate configure, config.h.in + +--- + config.h.in | 3 +++ + configure | 35 ++++++++++++++++++++++++++++++++++- + 2 files changed, 37 insertions(+), 1 deletion(-) + +diff --git a/config.h.in b/config.h.in +index c841417f4..57f63355b 100644 +--- a/config.h.in ++++ b/config.h.in +@@ -1748,6 +1748,9 @@ + /* Set this to your mail directory if you do not have _PATH_MAILDIR */ + #undef MAIL_DIRECTORY + ++/* Define if your compiler lacks __builtin_popcount */ ++#undef MISSING_BUILTIN_POPCOUNT ++ + /* Need setpgrp to for controlling tty */ + #undef NEED_SETPGRP + +diff --git a/configure b/configure +index ec1de26c2..a18079da2 100755 +--- a/configure ++++ b/configure +@@ -16785,6 +16785,40 @@ then : + fi + + ++{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether compiler supports __builtin_popcount" >&5 ++printf %s "checking whether compiler supports __builtin_popcount... " >&6; } ++cat confdefs.h - <<_ACEOF >conftest.$ac_ext ++/* end confdefs.h. */ ++ ++ #include ++ ++int ++main (void) ++{ ++ int x = 123, y; ++ y = __builtin_popcount(123); ++ exit(y == 6 ? 
0 : -1); ++ ; ++ return 0; ++} ++_ACEOF ++if ac_fn_c_try_link "$LINENO" ++then : ++ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 ++printf "%s\n" "yes" >&6; } ++else $as_nop ++ ++ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 ++printf "%s\n" "no" >&6; } ++ ++printf "%s\n" "#define MISSING_BUILTIN_POPCOUNT 1" >>confdefs.h ++ ++ ++ ++fi ++rm -f core conftest.err conftest.$ac_objext conftest.beam \ ++ conftest$ac_exeext conftest.$ac_ext ++ + ac_fn_check_decl "$LINENO" "bzero" "ac_cv_have_decl_bzero" "$ac_includes_default" "$ac_c_undeclared_builtin_options" "CFLAGS" + if test "x$ac_cv_have_decl_bzero" = xyes + then : +@@ -27769,4 +27803,3 @@ if test "$AUDIT_MODULE" = "bsm" ; then + echo "WARNING: BSM audit support is currently considered EXPERIMENTAL." + echo "See the Solaris section in README.platform for details." + fi +- +-- +2.51.0 + diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0007-upstream-Prime-caches-for-DNS-names-needed-for-tests.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0007-upstream-Prime-caches-for-DNS-names-needed-for-tests.patch new file mode 100644 index 0000000000..45ae5eb784 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0007-upstream-Prime-caches-for-DNS-names-needed-for-tests.patch 
@@ -0,0 +1,44 @@
+From be8026caf9da985638c762c353c397c0922be233 Mon Sep 17 00:00:00 2001
+Message-ID:
+In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
+References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
+From: "dtucker@openbsd.org"
+Date: Tue, 11 Mar 2025 11:46:44 +0000
+Subject: [PATCH 07/10] upstream: Prime caches for DNS names needed for tests.
+
+When running the SSHFP tests, particularly on an ephemeral VM, the first
+query or two can fail for some reason, presumably because something isn't
+fully initialized or something. To work around this, issue queries for the
+names we'll need before we need them.
+
+OpenBSD-Regress-ID: 900841133540e7dead253407db5a874a6ed09eca
+---
+ regress/sshfp-connect.sh | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/regress/sshfp-connect.sh b/regress/sshfp-connect.sh
+index f78646922..3c73a35d0 100644
+--- a/regress/sshfp-connect.sh
++++ b/regress/sshfp-connect.sh
+@@ -1,4 +1,4 @@
+-# $OpenBSD: sshfp-connect.sh,v 1.4 2021/09/01 00:50:27 dtucker Exp $
++# $OpenBSD: sshfp-connect.sh,v 1.5 2025/03/11 11:46:44 dtucker Exp $
+ # Placed in the Public Domain.
+
+ # This test requires external setup and thus is skipped unless
+@@ -29,6 +29,12 @@ if ! $SSH -Q key-plain | grep ssh-rsa >/dev/null; then
+ elif [ -z "${TEST_SSH_SSHFP_DOMAIN}" ]; then
+ skip "TEST_SSH_SSHFP_DOMAIN not set."
+ else
++ # Prime any DNS caches and resolvers.
++ for i in sshtest sshtest-sha1 sshtest-sha256; do
++ host -t sshfp ${i}.${TEST_SSH_SSHFP_DOMAIN} >/dev/null 2>&1
++ host -t sshfp ${i}-bad.${TEST_SSH_SSHFP_DOMAIN} >/dev/null 2>&1
++ done
++
+ # Set RSA host key to match fingerprints above.
+ mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
+ $SUDO cp $SRC/rsa_openssh.prv $OBJ/host.ssh-rsa
+--
+2.51.0
+
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0008-MacOS-12-runners-are-deprecated-replace-with-15.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0008-MacOS-12-runners-are-deprecated-replace-with-15.patch
new file mode 100644
index 0000000000..f66f88bba7
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0008-MacOS-12-runners-are-deprecated-replace-with-15.patch
@@ -0,0 +1,41 @@
+From aab12549a939d07f638df486f910544c6b11b972 Mon Sep 17 00:00:00 2001
+Message-ID:
+In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
+References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
+From: Darren Tucker
+Date: Thu, 17 Oct 2024 19:18:23 +1100
+Subject: [PATCH 08/10] MacOS 12 runners are deprecated, replace with 15.
+
+---
+ .github/workflows/c-cpp.yml | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/.github/workflows/c-cpp.yml b/.github/workflows/c-cpp.yml
+index c179f73d1..c49aa5ee8 100644
+--- a/.github/workflows/c-cpp.yml
++++ b/.github/workflows/c-cpp.yml
+@@ -17,9 +17,9 @@ jobs:
+ target:
+ - ubuntu-20.04
+ - ubuntu-22.04
+- - macos-12
+ - macos-13
+ - macos-14
++ - macos-15
+ - windows-2019
+ - windows-2022
+ config: [default]
+@@ -100,9 +100,9 @@ jobs:
+ - { target: ubuntu-22.04, config: selinux }
+ - { target: ubuntu-22.04, config: kitchensink }
+ - { target: ubuntu-22.04, config: without-openssl }
+- - { target: macos-12, config: pam }
+ - { target: macos-13, config: pam }
+ - { target: macos-14, config: pam }
++ - { target: macos-15, config: pam }
+ runs-on: ${{ matrix.target }}
+ steps:
+ - name: set cygwin git params
+--
+2.51.0
+
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0009-upstream-Remove-redundant-field-of-definition-check.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0009-upstream-Remove-redundant-field-of-definition-check.patch new file mode 100644 index 0000000000..0daf93d329 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0009-upstream-Remove-redundant-field-of-definition-check.patch 
@@ -0,0 +1,51 @@
+From 8e4bd6ebdbde0ff22e0c1c1f1a134ef255af7595 Mon Sep 17 00:00:00 2001
+Message-ID: <8e4bd6ebdbde0ff22e0c1c1f1a134ef255af7595.1758727915.git.sam@gentoo.org>
+In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
+References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
+From: "tb@openbsd.org"
+Date: Tue, 3 Dec 2024 15:53:51 +0000
+Subject: [PATCH 09/10] upstream: Remove redundant field of definition check
+
+This will allow us to get rid of EC_GROUP_method_of() in the near future.
+
+ok djm
+
+OpenBSD-Commit-ID: b4a3d2e00990cf5c2ec6881c21ddca67327c2df8
+---
+ sshkey.c | 13 -------------
+ 1 file changed, 13 deletions(-)
+
+diff --git a/sshkey.c b/sshkey.c
+index 1db83788d..44be674d1 100644
+--- a/sshkey.c
++++ b/sshkey.c
+@@ -2708,14 +2708,6 @@ sshkey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public)
+ * EC_POINT_oct2point then the caller will need to explicitly check.
+ */
+
+- /*
+- * We shouldn't ever hit this case because bignum_get_ecpoint()
+- * refuses to load GF2m points.
+- */
+- if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
+- NID_X9_62_prime_field)
+- goto out;
+-
+ /* Q != infinity */
+ if (EC_POINT_is_at_infinity(group, public))
+ goto out;
+@@ -2815,11 +2807,6 @@ sshkey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point)
+ fprintf(stderr, "%s: BN_new failed\n", __func__);
+ goto out;
+ }
+- if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
+- NID_X9_62_prime_field) {
+- fprintf(stderr, "%s: group is not a prime field\n", __func__);
+- goto out;
+- }
+ if (EC_POINT_get_affine_coordinates_GFp(group, point,
+ x, y, NULL) != 1) {
+ fprintf(stderr, "%s: EC_POINT_get_affine_coordinates_GFp\n",
+--
+2.51.0
+
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0010-upstream-Check-if-dbclient-supports-SHA1-before-tryi.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0010-upstream-Check-if-dbclient-supports-SHA1-before-tryi.patch new file mode 100644 index 0000000000..11cd63dfe7 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/9.9_p2/0010-upstream-Check-if-dbclient-supports-SHA1-before-tryi.patch 
@@ -0,0 +1,64 @@ +From 3eeda15eb9d3b9f2fd762ba3493ba88abe6bbcd9 Mon Sep 17 00:00:00 2001 +Message-ID: <3eeda15eb9d3b9f2fd762ba3493ba88abe6bbcd9.1758727915.git.sam@gentoo.org> +In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org> +References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org> +From: "dtucker@openbsd.org" +Date: Tue, 11 Mar 2025 07:42:08 +0000 +Subject: [PATCH 10/10] upstream: Check if dbclient supports SHA1 before trying + SHA1-based + +KEX. + +Dropbear 2025.87 removed SHA1 support by default, which means +diffie-hellman-group14-sha1 is not available. Unfortunately there isn't a +flag to query supported KEX, so instead check MACs and if it doesn't have +SHA1 methods, assuming SHA1 based KEXes are likewise not available. Spotted +by anton@. + +OpenBSD-Regress-ID: acfa8e26c001cb18b9fb81a27271c3b51288d304 +--- + regress/dropbear-kex.sh | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/regress/dropbear-kex.sh b/regress/dropbear-kex.sh +index d9f1b32c0..72717fbb7 100644 +--- a/regress/dropbear-kex.sh ++++ b/regress/dropbear-kex.sh +@@ -1,4 +1,4 @@ +-# $OpenBSD: dropbear-kex.sh,v 1.3 2024/06/19 10:10:46 dtucker Exp $ ++# $OpenBSD: dropbear-kex.sh,v 1.4 2025/03/11 07:42:08 dtucker Exp $ + # Placed in the Public Domain. + + tid="dropbear kex" +@@ -10,8 +10,14 @@ fi + cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak + + kex="curve25519-sha256 curve25519-sha256@libssh.org" +-if $SSH -Q kex | grep 'diffie-hellman-group14-sha1'; then +- kex="$kex diffie-hellman-group14-sha256 diffie-hellman-group14-sha1" ++if $SSH -Q kex | grep 'diffie-hellman-group14-sha256' >/dev/null; then ++ kex="$kex diffie-hellman-group14-sha256" ++fi ++# There's no flag to query KEX, so if MACs does not contain SHA1, assume ++# there's also SHA1-based KEX methods either. 
++if $SSH -Q kex | grep 'diffie-hellman-group14-sha1' >/dev/null && \ ++ $DBCLIENT -m help hst 2>&1 | grep -- '-sha1' >/dev/null ; then ++ kex="$kex diffie-hellman-group14-sha1" + fi + + for k in $kex; do +@@ -19,8 +25,9 @@ for k in $kex; do + rm -f ${COPY} + # dbclient doesn't have switch for kex, so force in server + (cat $OBJ/sshd_proxy.bak; echo "KexAlgorithms $k") >$OBJ/sshd_proxy +- env HOME=$OBJ dbclient -y -i $OBJ/.dropbear/id_ed25519 2>$OBJ/dbclient.log \ +- -J "$OBJ/ssh_proxy.sh" somehost cat ${DATA} > ${COPY} ++ env HOME=$OBJ \ ++ ${DBCLIENT} -y -i $OBJ/.dropbear/id_ed25519 2>$OBJ/dbclient.log \ ++ -J "$OBJ/ssh_proxy.sh" somehost cat ${DATA} > ${COPY} + if [ $? -ne 0 ]; then + fail "ssh cat $DATA failed" + fi +-- +2.51.0 + diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-9.8_p1-musl-connect.patch b/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-9.8_p1-musl-connect.patch deleted file mode 100644 index c0546e747a..0000000000 --- a/sdk_container/src/third_party/portage-stable/net-misc/openssh/files/openssh-9.8_p1-musl-connect.patch +++ /dev/null @@ -1,14 +0,0 @@ -https://bugzilla.mindrot.org/show_bug.cgi?id=3707 -https://bugs.gentoo.org/935353 ---- a/openbsd-compat/port-linux.c -+++ b/openbsd-compat/port-linux.c -@@ -366,7 +366,7 @@ ssh_systemd_notify(const char *fmt, ...) - error_f("socket \"%s\": %s", path, strerror(errno)); - goto out; - } -- if (connect(fd, &addr, sizeof(addr)) != 0) { -+ if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) != 0) { - error_f("socket \"%s\" connect: %s", path, strerror(errno)); - goto out; - } - 
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.9_p2.ebuild b/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.0_p2.ebuild similarity index 95% rename from sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.9_p2.ebuild rename to sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.0_p2.ebuild index 86005039f3..9eee63dbdd 100644 --- a/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.9_p2.ebuild +++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.0_p2.ebuild @@ -11,7 +11,7 @@ inherit user-info flag-o-matic autotools optfeature pam systemd toolchain-funcs # Make it more portable between straight releases # and _p? releases. -PARCH=${P/_} +PARCH=${PN}-10.0p1 DESCRIPTION="Port of OpenBSD's free SSH release" HOMEPAGE="https://www.openssh.com/" 
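Review bot: `PARCH=${PN}-10.0p1` pins the upstream tarball name, but the two comment lines kept directly above it still describe the old generic `${P/_}` derivation, so the comment now says the opposite of what the line does. The guard added in the following hunk calls this a 10.0_p2-only workaround, and that is what the comment should say at the point of definition, e.g. `# 10.0_p2 is a revision of the upstream 10.0p1 tarball, so PARCH is pinned rather than derived from ${P}; drop with the next bump.` This hunk is at the ebuild's top level, outside any phase function.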
@@ -19,19 +19,21 @@ SRC_URI=" mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc ) " -S="${WORKDIR}/${PARCH}" +if [[ ${PV} != 10.0_p2 ]] ; then + die "Please restore the old S/PATCHES. 10.0_p2 had a workaround that should be dropped." +fi +S="${WORKDIR}/${PN}-10.0p1" LICENSE="BSD GPL-2" SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" +KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" # Probably want to drop ssl defaulting to on in a future version. -IUSE="abi_mips_n32 audit debug kerberos ldns legacy-ciphers libedit livecd pam +pie security-key selinux +ssl static test xmss" +IUSE="abi_mips_n32 audit debug kerberos ldns libedit livecd pam security-key selinux +ssl static test xmss" RESTRICT="!test? ( test )" REQUIRED_USE=" ldns? ( ssl ) - pie? ( !static ) static? ( !kerberos !pam ) xmss? ( ssl ) test? ( ssl ) @@ -83,9 +85,8 @@ PATCHES=( "${FILESDIR}/${PN}-9.6_p1-fix-xmss-c99.patch" "${FILESDIR}/${PN}-9.7_p1-config-tweaks.patch" # Backports from upstream release branch - #"${FILESDIR}/${PV}" + "${FILESDIR}/${PV}" # Our own backports - "${FILESDIR}/${PN}-9.9_p1-x-forwarding-slow.patch" ) pkg_pretend() { 
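Review bot: `S="${WORKDIR}/${PN}-10.0p1"` repeats the version literal that `PARCH` already carries, so the two can silently drift apart on the next edit; the previous form `S="${WORKDIR}/${PARCH}"` yields the same path with a single source of truth. The `die` tripwire above it keys on `${PV}` alone and would still fire for a careless copy either way, so nothing is lost by keeping `PARCH` as the one place the pin lives.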
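Review bot: Re-enabling `"${FILESDIR}/${PV}"` in PATCHES makes this renamed ebuild look for files/10.0_p2/, yet every backport patch this commit adds lives under files/9.9_p2/, and the 9.9_p2 ebuild that would have consumed them is renamed away. Unless a files/10.0_p2/ directory arrives outside this view, eapply would presumably fail on the missing path in src_prepare while the new 9.9_p2 patches sit orphaned. Worth confirming which directory is intended before merging and dropping the unused one, since a stray patch directory is easy to mistake later for something that is actually applied to sshd.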
@@ -192,22 +193,25 @@ src_configure() {
 # Clang (bug #872548), ICEs on m68k (bug #920350, gcc PR113086,
 # gcc PR104820, gcc PR104817, gcc PR110934)).
 #
- # Furthermore, OSSH_CHECK_CFLAG_COMPILE does not use AC_CACHE_CHECK,
- # so we cannot just disable -fzero-call-used-regs=used.
+ # Furthermore, OSSH_CHECK_CFLAG_COMPILE does not use AC_CACHE_CHECK
+ # util 10.1_p1, so we cannot just disable -fzero-call-used-regs=used.
 #
 # Therefore, just pass --without-hardening, given it doesn't negate
 # our already hardened toolchain defaults, and avoids adding flags
 # which are known-broken in both Clang and GCC and haven't been
 # proven reliable.
 --without-hardening
+ --without-pie
+ --without-stackprotect
+
+ # wtmpdb not yet packaged
+ --without-wtmpdb
 
 $(use_with audit audit linux)
 $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
 $(use_with ldns)
- $(use_enable legacy-ciphers dsa-keys)
 $(use_with libedit)
 $(use_with pam)
- $(use_with pie)
 $(use_with selinux)
 $(use_with security-key security-key-builtin)
 $(use_with ssl openssl)
@@ -219,10 +223,6 @@ src_configure() {
 myconf+=( --disable-utmp --disable-wtmp )
 fi
 
- # Workaround for Clang 15 miscompilation with -fzero-call-used-regs=all
- # bug #869839 (https://github.com/llvm/llvm-project/issues/57692)
- tc-is-clang && myconf+=( --without-hardening )
-
 econf "${myconf[@]}"
 }
 
@@ -299,7 +299,7 @@ src_test() {
 if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
 ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
 ewarn "user, so we will run a subset only."
- tests+=( interop-tests )
+ tests+=( interop-tests file-tests unit )
 else
 tests+=( tests )
 fi
@@ -315,6 +315,8 @@ src_install() {
 dobin contrib/ssh-copy-id
 newinitd "${FILESDIR}"/sshd-r1.initd sshd
 newconfd "${FILESDIR}"/sshd-r1.confd sshd
+ exeinto /etc/user/init.d
+ newexe "${FILESDIR}"/ssh-agent.initd ssh-agent
 
 if use pam; then
 newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
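Review bot: `--without-pie` and `--without-stackprotect` are added with no justification, while the comment block above them only explains the flags that `--with-hardening` would add; the effect is that configure no longer injects -fPIE/-pie or -fstack-protector itself, so the installed sshd and clients are PIE and stack-protected only if the toolchain defaults supply those flags. A comment next to the two new lines, e.g. `# PIE and SSP come from the toolchain defaults; keep configure from re-adding them`, would record that assumption, and the removal of `pie? ( !static )` from REQUIRED_USE in the earlier hunk only stays safe while configure never adds PIE on its own. The identical unexplained pair appears in the new 10.1_p1-r1 and 10.2_p1 ebuilds later in this diff. Whether the SDK toolchain actually defaults to PIE and SSP cannot be confirmed from this chunk. src_configure starts before this hunk.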
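Review bot: `newexe "${FILESDIR}"/ssh-agent.initd ssh-agent` installs a user-session OpenRC service into /etc/user/init.d unconditionally, and the script itself is not part of this chunk, so what it execs and which agent options it sets cannot be reviewed here. An agent process holds unlocked private keys for its lifetime, so the script deserves the same scrutiny as sshd-r1.initd, and a short comment above `exeinto`, noting that this is an OpenRC user-service script and which OpenRC release introduced /etc/user/init.d, would explain why it is installed on every init system. src_install continues outside the hunk.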
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.1_p1-r1.ebuild b/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.1_p1-r1.ebuild
new file mode 100644
index 0000000000..9d9f389b16
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.1_p1-r1.ebuild
@@ -0,0 +1,432 @@ +# Copyright 1999-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +# Remember to check the upstream release/stable branches for patches +# to backport! See https://marc.info/?l=openssh-unix-dev&m=172723798122122&w=2. + +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssh.org.asc +inherit user-info flag-o-matic autotools optfeature pam systemd toolchain-funcs verify-sig eapi9-ver + +# Make it more portable between straight releases +# and _p? releases. +PARCH=${P/_} + +DESCRIPTION="Port of OpenBSD's free SSH release" +HOMEPAGE="https://www.openssh.com/" +SRC_URI=" + mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz + verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc ) +" +S="${WORKDIR}/${PARCH}" + +LICENSE="BSD GPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" +# Probably want to drop ssl defaulting to on in a future version. +IUSE="abi_mips_n32 audit debug kerberos ldns libedit livecd pam security-key selinux +ssl static test" + +RESTRICT="!test? ( test )" + +REQUIRED_USE=" + ldns? ( ssl ) + static? ( !kerberos !pam ) + test? ( ssl ) +" + +LIB_DEPEND=" + audit? ( sys-process/audit[static-libs(+)] ) + ldns? ( + net-libs/ldns[static-libs(+)] + net-libs/ldns[ecdsa(+),ssl(+)] + ) + libedit? ( dev-libs/libedit:=[static-libs(+)] ) + security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] ) + selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) + ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] ) + virtual/libcrypt:=[static-libs(+)] + >=sys-libs/zlib-1.2.3:=[static-libs(+)] +" +RDEPEND=" + acct-group/sshd + acct-user/sshd + !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) + pam? ( sys-libs/pam ) + kerberos? ( virtual/krb5 ) +" +DEPEND=" + ${RDEPEND} + virtual/os-headers + kernel_linux? ( !prefix-guest? 
( >=sys-kernel/linux-headers-5.1 ) ) + static? ( ${LIB_DEPEND} ) +" +RDEPEND=" + ${RDEPEND} + !net-misc/openssh-contrib + pam? ( >=sys-auth/pambase-20081028 ) + !prefix? ( sys-apps/shadow ) +" +BDEPEND=" + dev-build/autoconf + virtual/pkgconfig + verify-sig? ( sec-keys/openpgp-keys-openssh ) +" + +PATCHES=( + "${FILESDIR}/${PN}-9.4_p1-Allow-MAP_NORESERVE-in-sandbox-seccomp-filter-maps.patch" + "${FILESDIR}/${PN}-9.7_p1-config-tweaks.patch" + # Backports from upstream release branch + "${FILESDIR}/${PV}" + # Our own backports +) + +pkg_pretend() { + local i enabled_eol_flags disabled_eol_flags + for i in hpn sctp X509; do + if has_version "net-misc/openssh[${i}]"; then + enabled_eol_flags+="${i}," + disabled_eol_flags+="-${i}," + fi + done + + if [[ -n ${enabled_eol_flags} && ${OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING} != yes ]]; then + # Skip for binary packages entirely because of environment saving, bug #907892 + [[ ${MERGE_TYPE} == binary ]] && return + + ewarn "net-misc/openssh does not support USE='${enabled_eol_flags%,}' anymore." + ewarn "The Base system team *STRONGLY* recommends you not rely on this functionality," + ewarn "since these USE flags required third-party patches that often trigger bugs" + ewarn "and are of questionable provenance." + ewarn + ewarn "If you must continue relying on this functionality, switch to" + ewarn "net-misc/openssh-contrib. You will have to remove net-misc/openssh from your" + ewarn "world file first: 'emerge --deselect net-misc/openssh'" + ewarn + ewarn "In order to prevent loss of SSH remote login access, we will abort the build." 
+ ewarn "Whether you proceed with disabling the USE flags or switch to the -contrib" + ewarn "variant, when re-emerging you will have to set" + ewarn + ewarn " OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes" + + die "Building net-misc/openssh[${disabled_eol_flags%,}] without OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes" + fi + + # Make sure people who are using tcp wrappers are notified of its removal. #531156 + if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then + ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" + ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please." + fi +} + +src_prepare() { + # don't break .ssh/authorized_keys2 for fun + sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die + + [[ -d ${WORKDIR}/patches ]] && PATCHES+=( "${WORKDIR}"/patches ) + + default + + # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox + sed -e '/\t\tpercent \\/ d' \ + -i regress/Makefile || die + + tc-export PKG_CONFIG + local sed_args=( + -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" + # Disable fortify flags ... 
our gcc does this for us + -e 's:-D_FORTIFY_SOURCE=2::' + ) + + # _XOPEN_SOURCE causes header conflicts on Solaris + [[ ${CHOST} == *-solaris* ]] && sed_args+=( + -e 's/-D_XOPEN_SOURCE//' + ) + sed -i "${sed_args[@]}" configure{.ac,} || die + + eautoreconf +} + +src_configure() { + addwrite /dev/ptmx + + use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG + use static && append-ldflags -static + + if [[ ${CHOST} == *-solaris* ]] ; then + # Solaris' glob.h doesn't have things like GLOB_TILDE, configure + # doesn't check for this, so force the replacement to be put in + # place + append-cppflags -DBROKEN_GLOB + fi + + # use replacement, RPF_ECHO_ON doesn't exist here + [[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no + + local myconf=( + --with-ldflags="${LDFLAGS}" + --disable-strip + --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run + --sysconfdir="${EPREFIX}"/etc/ssh + --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc + --datadir="${EPREFIX}"/usr/share/openssh + --with-privsep-path="${EPREFIX}"/var/empty + --with-privsep-user=sshd + # optional at runtime; guarantee a known path + --with-xauth="${EPREFIX}"/usr/bin/xauth + + # --with-hardening adds the following in addition to flags we + # already set in our toolchain: + # * -ftrapv (which is broken with GCC anyway), + # * -ftrivial-auto-var-init=zero (which is nice, but not the end of + # the world to not have) + # * -fzero-call-used-regs=used (history of miscompilations with + # Clang (bug #872548), ICEs on m68k (bug #920350, gcc PR113086, + # gcc PR104820, gcc PR104817, gcc PR110934)). + # + # Furthermore, OSSH_CHECK_CFLAG_COMPILE did not use AC_CACHE_CHECK + # until 10.1_p1, so we couldn't disable -fzero-call-used-regs=used. + # + # Therefore, just pass --without-hardening, given it doesn't negate + # our already hardened toolchain defaults, and avoids adding flags + # which are known-broken in both Clang and GCC and haven't been + # proven reliable. 
+ --without-hardening + --without-pie + --without-stackprotect + + # wtmpdb not yet packaged + --without-wtmpdb + + $(use_with audit audit linux) + $(use_with kerberos kerberos5 "${EPREFIX}"/usr) + $(use_with ldns) + $(use_with libedit) + $(use_with pam) + $(use_with selinux) + $(use_with security-key security-key-builtin) + $(use_with ssl openssl) + $(use_with ssl ssl-engine) + ) + + if use elibc_musl; then + # musl defines bogus values for UTMP_FILE and WTMP_FILE (bug #753230) + myconf+=( --disable-utmp --disable-wtmp ) + fi + + econf "${myconf[@]}" +} + +create_config_dropins() { + local locale_vars=( + # These are language variables that POSIX defines. + # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02 + LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME + + # These are the GNU extensions. + # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html + LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE + ) + + mkdir -p "${WORKDIR}"/etc/ssh/ssh{,d}_config.d || die + + cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die + # Send locale environment variables (bug #367017) + SendEnv ${locale_vars[*]} + + # Send COLORTERM to match TERM (bug #658540) + SendEnv COLORTERM + EOF + + cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo-security.conf || die + RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts" + EOF + + cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_revoked_hosts || die + # https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/ + ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== + EOF 
+ + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die + # Allow client to pass locale environment variables (bug #367017) + AcceptEnv ${locale_vars[*]} + + # Allow client to pass COLORTERM to match TERM (bug #658540) + AcceptEnv COLORTERM + EOF + + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-subsystem.conf || die + # override default of no subsystems + Subsystem sftp ${EPREFIX}/usr/$(get_libdir)/misc/sftp-server + EOF + + if use pam ; then + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-pam.conf || die + UsePAM yes + # This interferes with PAM. + PasswordAuthentication no + # PAM can do its own handling of MOTD. + PrintMotd no + PrintLastLog no + EOF + fi + + if use livecd ; then + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-livecd.conf || die + # Allow root login with password on livecds. + PermitRootLogin Yes + EOF + fi +} + +src_compile() { + default + create_config_dropins +} + +src_test() { + local tests=( compat-tests ) + local shell=$(egetshell "${UID}") + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then + ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" + ewarn "user, so we will run a subset only." + tests+=( interop-tests file-tests unit ) + else + tests+=( tests ) + fi + + local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1 + mkdir -p "${HOME}"/.ssh || die + emake -j1 "${tests[@]}" /dev/null 2>&1; then + ewarn "The ebuild will now attempt to restart OpenSSH to avoid" + ewarn "bricking the running instance. See bug #709748." + ebegin "Attempting to restart openssh via 'systemctl try-restart sshd'" + systemctl try-restart sshd + eend $? + elif [[ -d /run/openrc ]]; then + # We don't check for sshd -t here because the OpenRC init script + # has a stop_pre() which does checkconfig, i.e. we defer to it + # to give nicer output for a failed sanity check. 
+ ewarn "The ebuild will now attempt to restart OpenSSH to avoid"
+ ewarn "bricking the running instance. See bug #709748."
+ ebegin "Attempting to restart openssh via 'rc-service -q --ifstarted --nodeps sshd restart'"
+ rc-service -q --ifstarted --nodeps sshd restart
+ eend $?
+ fi
+}
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.2_p1.ebuild b/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.2_p1.ebuild
new file mode 100644
index 0000000000..52c568cdd3
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-10.2_p1.ebuild
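Review bot: The condition that guards the systemd restart branch cannot be reviewed in this rendering: the text between `emake -j1 "${tests[@]}"` in src_test and `/dev/null 2>&1; then` was dropped (an angle-bracketed span swallowed as markup), which also hides the start of pkg_postinst. The OpenRC branch explicitly relies on the init script's stop_pre() to run checkconfig before restarting, so the committed file should be checked for an equivalent `sshd -t` validation ahead of `systemctl try-restart sshd`; the ewarn about bricking the running instance describes exactly what a restart on a broken sshd_config would cause for remote access. The 10.2_p1 ebuild added next in this diff has the identical tail and the same gap.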
@@ -0,0 +1,432 @@ +# Copyright 1999-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +# Remember to check the upstream release/stable branches for patches +# to backport! See https://marc.info/?l=openssh-unix-dev&m=172723798122122&w=2. + +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssh.org.asc +inherit user-info flag-o-matic autotools optfeature pam systemd toolchain-funcs verify-sig eapi9-ver + +# Make it more portable between straight releases +# and _p? releases. +PARCH=${P/_} + +DESCRIPTION="Port of OpenBSD's free SSH release" +HOMEPAGE="https://www.openssh.com/" +SRC_URI=" + mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz + verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc ) +" +S="${WORKDIR}/${PARCH}" + +LICENSE="BSD GPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" +# Probably want to drop ssl defaulting to on in a future version. +IUSE="abi_mips_n32 audit debug kerberos ldns libedit livecd pam security-key selinux +ssl static test" + +RESTRICT="!test? ( test )" + +REQUIRED_USE=" + ldns? ( ssl ) + static? ( !kerberos !pam ) + test? ( ssl ) +" + +LIB_DEPEND=" + audit? ( sys-process/audit[static-libs(+)] ) + ldns? ( + net-libs/ldns[static-libs(+)] + net-libs/ldns[ecdsa(+),ssl(+)] + ) + libedit? ( dev-libs/libedit:=[static-libs(+)] ) + security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] ) + selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) + ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] ) + virtual/libcrypt:=[static-libs(+)] + >=sys-libs/zlib-1.2.3:=[static-libs(+)] +" +RDEPEND=" + acct-group/sshd + acct-user/sshd + !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) + pam? ( sys-libs/pam ) + kerberos? ( virtual/krb5 ) +" +DEPEND=" + ${RDEPEND} + virtual/os-headers + kernel_linux? ( !prefix-guest? 
( >=sys-kernel/linux-headers-5.1 ) ) + static? ( ${LIB_DEPEND} ) +" +RDEPEND=" + ${RDEPEND} + !net-misc/openssh-contrib + pam? ( >=sys-auth/pambase-20081028 ) + !prefix? ( sys-apps/shadow ) +" +BDEPEND=" + dev-build/autoconf + virtual/pkgconfig + verify-sig? ( sec-keys/openpgp-keys-openssh ) +" + +PATCHES=( + "${FILESDIR}/${PN}-9.4_p1-Allow-MAP_NORESERVE-in-sandbox-seccomp-filter-maps.patch" + "${FILESDIR}/${PN}-9.7_p1-config-tweaks.patch" + # Backports from upstream release branch + #"${FILESDIR}/${PV}" + # Our own backports +) + +pkg_pretend() { + local i enabled_eol_flags disabled_eol_flags + for i in hpn sctp X509; do + if has_version "net-misc/openssh[${i}]"; then + enabled_eol_flags+="${i}," + disabled_eol_flags+="-${i}," + fi + done + + if [[ -n ${enabled_eol_flags} && ${OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING} != yes ]]; then + # Skip for binary packages entirely because of environment saving, bug #907892 + [[ ${MERGE_TYPE} == binary ]] && return + + ewarn "net-misc/openssh does not support USE='${enabled_eol_flags%,}' anymore." + ewarn "The Base system team *STRONGLY* recommends you not rely on this functionality," + ewarn "since these USE flags required third-party patches that often trigger bugs" + ewarn "and are of questionable provenance." + ewarn + ewarn "If you must continue relying on this functionality, switch to" + ewarn "net-misc/openssh-contrib. You will have to remove net-misc/openssh from your" + ewarn "world file first: 'emerge --deselect net-misc/openssh'" + ewarn + ewarn "In order to prevent loss of SSH remote login access, we will abort the build." 
+ ewarn "Whether you proceed with disabling the USE flags or switch to the -contrib" + ewarn "variant, when re-emerging you will have to set" + ewarn + ewarn " OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes" + + die "Building net-misc/openssh[${disabled_eol_flags%,}] without OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes" + fi + + # Make sure people who are using tcp wrappers are notified of its removal. #531156 + if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then + ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" + ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please." + fi +} + +src_prepare() { + # don't break .ssh/authorized_keys2 for fun + sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die + + [[ -d ${WORKDIR}/patches ]] && PATCHES+=( "${WORKDIR}"/patches ) + + default + + # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox + sed -e '/\t\tpercent \\/ d' \ + -i regress/Makefile || die + + tc-export PKG_CONFIG + local sed_args=( + -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" + # Disable fortify flags ... 
our gcc does this for us + -e 's:-D_FORTIFY_SOURCE=2::' + ) + + # _XOPEN_SOURCE causes header conflicts on Solaris + [[ ${CHOST} == *-solaris* ]] && sed_args+=( + -e 's/-D_XOPEN_SOURCE//' + ) + sed -i "${sed_args[@]}" configure{.ac,} || die + + eautoreconf +} + +src_configure() { + addwrite /dev/ptmx + + use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG + use static && append-ldflags -static + + if [[ ${CHOST} == *-solaris* ]] ; then + # Solaris' glob.h doesn't have things like GLOB_TILDE, configure + # doesn't check for this, so force the replacement to be put in + # place + append-cppflags -DBROKEN_GLOB + fi + + # use replacement, RPF_ECHO_ON doesn't exist here + [[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no + + local myconf=( + --with-ldflags="${LDFLAGS}" + --disable-strip + --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run + --sysconfdir="${EPREFIX}"/etc/ssh + --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc + --datadir="${EPREFIX}"/usr/share/openssh + --with-privsep-path="${EPREFIX}"/var/empty + --with-privsep-user=sshd + # optional at runtime; guarantee a known path + --with-xauth="${EPREFIX}"/usr/bin/xauth + + # --with-hardening adds the following in addition to flags we + # already set in our toolchain: + # * -ftrapv (which is broken with GCC anyway), + # * -ftrivial-auto-var-init=zero (which is nice, but not the end of + # the world to not have) + # * -fzero-call-used-regs=used (history of miscompilations with + # Clang (bug #872548), ICEs on m68k (bug #920350, gcc PR113086, + # gcc PR104820, gcc PR104817, gcc PR110934)). + # + # Furthermore, OSSH_CHECK_CFLAG_COMPILE did not use AC_CACHE_CHECK + # until 10.1_p1, so we couldn't disable -fzero-call-used-regs=used. + # + # Therefore, just pass --without-hardening, given it doesn't negate + # our already hardened toolchain defaults, and avoids adding flags + # which are known-broken in both Clang and GCC and haven't been + # proven reliable. 
+ --without-hardening + --without-pie + --without-stackprotect + + # wtmpdb not yet packaged + --without-wtmpdb + + $(use_with audit audit linux) + $(use_with kerberos kerberos5 "${EPREFIX}"/usr) + $(use_with ldns) + $(use_with libedit) + $(use_with pam) + $(use_with selinux) + $(use_with security-key security-key-builtin) + $(use_with ssl openssl) + $(use_with ssl ssl-engine) + ) + + if use elibc_musl; then + # musl defines bogus values for UTMP_FILE and WTMP_FILE (bug #753230) + myconf+=( --disable-utmp --disable-wtmp ) + fi + + econf "${myconf[@]}" +} + +create_config_dropins() { + local locale_vars=( + # These are language variables that POSIX defines. + # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02 + LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME + + # These are the GNU extensions. + # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html + LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE + ) + + mkdir -p "${WORKDIR}"/etc/ssh/ssh{,d}_config.d || die + + cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die + # Send locale environment variables (bug #367017) + SendEnv ${locale_vars[*]} + + # Send COLORTERM to match TERM (bug #658540) + SendEnv COLORTERM + EOF + + cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo-security.conf || die + RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts" + EOF + + cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_revoked_hosts || die + # https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/ + ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== + EOF 
+ + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die + # Allow client to pass locale environment variables (bug #367017) + AcceptEnv ${locale_vars[*]} + + # Allow client to pass COLORTERM to match TERM (bug #658540) + AcceptEnv COLORTERM + EOF + + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-subsystem.conf || die + # override default of no subsystems + Subsystem sftp ${EPREFIX}/usr/$(get_libdir)/misc/sftp-server + EOF + + if use pam ; then + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-pam.conf || die + UsePAM yes + # This interferes with PAM. + PasswordAuthentication no + # PAM can do its own handling of MOTD. + PrintMotd no + PrintLastLog no + EOF + fi + + if use livecd ; then + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-livecd.conf || die + # Allow root login with password on livecds. + PermitRootLogin Yes + EOF + fi +} + +src_compile() { + default + create_config_dropins +} + +src_test() { + local tests=( compat-tests ) + local shell=$(egetshell "${UID}") + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then + ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" + ewarn "user, so we will run a subset only." + tests+=( interop-tests file-tests unit ) + else + tests+=( tests ) + fi + + local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1 + mkdir -p "${HOME}"/.ssh || die + emake -j1 "${tests[@]}" /dev/null 2>&1; then + ewarn "The ebuild will now attempt to restart OpenSSH to avoid" + ewarn "bricking the running instance. See bug #709748." + ebegin "Attempting to restart openssh via 'systemctl try-restart sshd'" + systemctl try-restart sshd + eend $? + elif [[ -d /run/openrc ]]; then + # We don't check for sshd -t here because the OpenRC init script + # has a stop_pre() which does checkconfig, i.e. we defer to it + # to give nicer output for a failed sanity check. 
+ ewarn "The ebuild will now attempt to restart OpenSSH to avoid"
+ ewarn "bricking the running instance. See bug #709748."
+ ebegin "Attempting to restart openssh via 'rc-service -q --ifstarted --nodeps sshd restart'"
+ rc-service -q --ifstarted --nodeps sshd restart
+ eend $?
+ fi
+}
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.8_p1-r3.ebuild b/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.8_p1-r4.ebuild
similarity index 99%
rename from sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.8_p1-r3.ebuild
rename to sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.8_p1-r4.ebuild
index a2850bed23..6063b9758c 100644
--- a/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.8_p1-r3.ebuild
+++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.8_p1-r4.ebuild
@@ -79,8 +79,9 @@ PATCHES=(
 "${FILESDIR}/${PN}-9.4_p1-Allow-MAP_NORESERVE-in-sandbox-seccomp-filter-maps.patch"
 "${FILESDIR}/${PN}-9.6_p1-fix-xmss-c99.patch"
 "${FILESDIR}/${PN}-9.7_p1-config-tweaks.patch"
- "${FILESDIR}/${PN}-9.8_p1-musl-connect.patch"
 "${FILESDIR}/${PN}-9.8_p1-inetd.patch"
+ # Backports from upstream release branch
+ "${FILESDIR}/${PV}"
 )
 
 pkg_pretend() {
diff --git a/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.9_p2-r3.ebuild b/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.9_p2-r4.ebuild
similarity index 99%
rename from sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.9_p2-r3.ebuild
rename to sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.9_p2-r4.ebuild
index 358011e40e..2c2aa6bbe8 100644
--- a/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.9_p2-r3.ebuild
+++ b/sdk_container/src/third_party/portage-stable/net-misc/openssh/openssh-9.9_p2-r4.ebuild
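Review bot: Dropping `"${FILESDIR}/${PN}-9.8_p1-musl-connect.patch"` at the same time as the `"${FILESDIR}/${PV}"` directory is added presumably means that fix now lives under files/9.8_p1/, but neither the old file's removal nor the directory's contents are in this chunk, so a musl build could lose the connect fix without any build failure to show for it. Confirming that the patch (or its upstream equivalent) is present in the directory, and saying so in the commit message, would close that gap; the rest of the PATCHES array is unchanged.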
@@ -83,7 +83,7 @@ PATCHES=(
 "${FILESDIR}/${PN}-9.6_p1-fix-xmss-c99.patch"
 "${FILESDIR}/${PN}-9.7_p1-config-tweaks.patch"
 # Backports from upstream release branch
- #"${FILESDIR}/${PV}"
+ "${FILESDIR}/${PV}"
 # Our own backports
 "${FILESDIR}/${PN}-9.9_p1-x-forwarding-slow.patch"
 )