net-misc/openssh: Sync with Gentoo

It's from Gentoo commit f13a2db1cf80aa63267e3be699996c1da9bc4efc.

Signed-off-by: Flatcar Buildbot <buildbot@flatcar-linux.org>
Flatcar Buildbot 2026-03-09 07:30:42 +00:00 committed by Krzesimir Nowak
parent 3f0f7ed91e
commit ae1a39fa66
23 changed files with 551 additions and 1271 deletions


@ -4,7 +4,9 @@ DIST openssh-10.1p1.tar.gz 1972831 BLAKE2B 08864c9302935cde87eec9d736a90b0bcf232
DIST openssh-10.1p1.tar.gz.asc 833 BLAKE2B c9df62728276464926ac7d28d54dd23a42bef150a9f64bfec14278d0e1817a876ee76b3329aca863997107bb8d4d43a694643f730249d9940d967b4c2a18fed3 SHA512 a4082bf8526d60094b5a3207995793c44448833b1cdd7ec91f04554fd8bddc1df3b45ee9ffe42de3bfc72d4968808834e289159e3c96f031e09a78da844641ae
DIST openssh-10.2p1.tar.gz 1974519 BLAKE2B 8c031b10b1642e21b46f7d1db84ba42692e378a54af3d8e5b5c8706c3a0a06d442a02ed8803063121e7ff325ea275cad4432b9eaa6a7f47a4d7cfad504953ab6 SHA512 66f3dd646179e71aaf41c33b6f14a207dc873d71d24f11c130a89dee317ee45398b818e5b94887b5913240964a38630d7bca3e481e0f1eff2e41d9e1cfdbdfc5
DIST openssh-10.2p1.tar.gz.asc 833 BLAKE2B 34e1a697e9565f5d4e8139537e76e123512285662576f6f2b513ba129d5e42310c1997e70d7c69b2c4fe1c85f9323ef686b8f83f12a73c5a4f229ff855efd7c6 SHA512 f1f71700b1b0b2117aed505488b98b7ebb51ce26e53184b08df0b07aa2c5a1e54dc4d3cbcbe871b5ad849a2a0e22b02af318ff22a68c980ab53b04be03c9bf3c
DIST openssh-9.8_p1-backports.tar.gz 5879 BLAKE2B 98f2864977f512cb658d129cc89385df25b57fb4ec5ac0cb5e2655ff7f8bffa795194a2177a78339999b0d25c9aea708469b322b9d7c814165e570fb5a66ee9b SHA512 541a629b3ce7d20df29b649478f7a4348bed876045cc2b3c95b6544cce87850cd05c1d405e85ce713fb137b7768402d2b0052a6478b781c30a2567ffebcd4322
DIST openssh-9.8p1.tar.gz 1910393 BLAKE2B 3bf983c4ef5358054ed0104cd51d3e0069fbc2b80d8522d0df644d5508ec1d26a67bf061b1b5698d1cdf0d2cbba16b4cdca12a4ce30da24429094576a075e192 SHA512 95dec2f18e58eb47994f3de4430253e0665e185564b65088ca5f4108870e05feddef8cda8d3c0a4b75f18b98cc2c024df0e27de53b48c1a16da8da483cb8292a
DIST openssh-9.8p1.tar.gz.asc 833 BLAKE2B 5291e8c03ab9a75acb44285cd7fc010f4a33551f142499624165dac708fc05a6d077df81555aa41037b45f6301e4e5db3161a7a23404473f8a233a877fc55cc3 SHA512 4df1f1be2c6ab7f3aebaedd0a773b0e8c8929abb30cd3415873ad55d012cfa113f792e888e5e772dd468c394aeb7e35d62893a514dbc0ab1a03acd79918657f7
DIST openssh-9.9_p2-backports.tar.gz 7994 BLAKE2B d2410b0cb2eb2056a4f1e5fabd6b0fe5a6ac8924159424fec6b3de3d7a5e3e8f1ed346522c52f9ce47fafb4001ad3be1d2f5493100a1b49f2c488dd63bbcb48b SHA512 8348aeb4e85a7763cf10d56fe7e5437206270dc4abb8ade65f86ad86b23be60f68c9aa7f83e021723c447d7746bdbfa82d4598481b4527b77f74872fa0783384
DIST openssh-9.9p2.tar.gz 1944499 BLAKE2B 1b5bc09482b3a807ccfee52c86c6be3c363acf0c8e774862e0ae64f76bfeb4ce7cf29b3ed2f99c04c89bb4977da0cf50a7a175b15bf1d9925de1e03c66f8306d SHA512 4c6d839aa3189cd5254c745f2bd51cd3f468b02f8e427b8d7a16b9ad017888a41178d2746dc51fb2d3fec5be00e54b9ab7c32c472ca7dec57a1dea4fc9840278
DIST openssh-9.9p2.tar.gz.asc 833 BLAKE2B 21d9ef3da2b54be47420327f1c724e38eef951ea11d646de81ac3ee2abf3d81f218424432cf5ac7d60cdae72e2190001f923dbdf5bed57f4a105ee1895261c9d SHA512 e7f9bc74d27e5cf8cbf4f5831fddd1d8ad00b03e51e7deb7f95ef17c5017ab7ce0116f4770374aaf6bd3a5f6013dab651a7651b21fa303d05ad6d14b537ab955


@ -1,36 +0,0 @@
From 20950a7c047ca08f9317d27866c06587ed51a338 Mon Sep 17 00:00:00 2001
Message-ID: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
From: Samuel Thibault <samuel.thibault@ens-lyon.org>
Date: Tue, 26 Mar 2024 22:15:08 +0100
Subject: [PATCH 1/7] Fix detection of setres*id on GNU/Hurd
Like Linux, proper _SOURCE macros need to be set to get declarations of
various standard functions, notably setres*id. Now that Debian is using
-Werror=implicit-function-declaration this is really required. While at
it, define other _SOURCE macros like on GNU/Linux, since GNU/Hurd uses
the same glibc.
---
configure.ac | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/configure.ac b/configure.ac
index 5a865f8e1..2eede34c3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1348,6 +1348,13 @@ EOD
AC_DEFINE([BROKEN_SETVBUF], [1],
[LynxOS has broken setvbuf() implementation])
;;
+*-*-gnu*)
+ dnl GNU Hurd. Needs to be after the linux and the other *-gnu entries.
+ dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
+ dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE
+ dnl _GNU_SOURCE is needed for setres*id prototypes.
+ CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE"
+ ;;
esac
AC_MSG_CHECKING([compiler and flags for sanity])
--
2.51.0


@ -1,30 +0,0 @@
From 34f7a962f992a43e33b5b6e2dd71f1582433d551 Mon Sep 17 00:00:00 2001
Message-ID: <34f7a962f992a43e33b5b6e2dd71f1582433d551.1758727870.git.sam@gentoo.org>
In-Reply-To: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
References: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
From: Darren Tucker <dtucker@dtucker.net>
Date: Thu, 4 Jul 2024 20:12:26 +1000
Subject: [PATCH 2/7] Add 9.8 branch to ci-status page.
---
.github/ci-status.md | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/.github/ci-status.md b/.github/ci-status.md
index fbf7c5fd6..4fa73894c 100644
--- a/.github/ci-status.md
+++ b/.github/ci-status.md
@@ -6,6 +6,10 @@ master :
[![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/openssh.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:openssh)
[![Coverity Status](https://scan.coverity.com/projects/21341/badge.svg)](https://scan.coverity.com/projects/openssh-portable)
+9.8 :
+[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_8)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_8)
+[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_8)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_8)
+
9.7 :
[![C/C++ CI](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml/badge.svg?branch=V_9_7)](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_7)
[![C/C++ CI self-hosted](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml/badge.svg?branch=V_9_7)](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_7)
--
2.51.0


@ -1,29 +0,0 @@
From b35a64dd7d5278af859ff8cca1fbe42d2c308ac0 Mon Sep 17 00:00:00 2001
Message-ID: <b35a64dd7d5278af859ff8cca1fbe42d2c308ac0.1758727870.git.sam@gentoo.org>
In-Reply-To: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
References: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
From: Darren Tucker <dtucker@dtucker.net>
Date: Sun, 7 Jul 2024 18:46:19 +1000
Subject: [PATCH 3/7] Cast to sockaddr * in systemd interface.
Fixes build with musl libx. bz#3707.
---
openbsd-compat/port-linux.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
index 4c024c6d2..8adfec5a7 100644
--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
@@ -366,7 +366,7 @@ ssh_systemd_notify(const char *fmt, ...)
error_f("socket \"%s\": %s", path, strerror(errno));
goto out;
}
- if (connect(fd, &addr, sizeof(addr)) != 0) {
+ if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) != 0) {
error_f("socket \"%s\" connect: %s", path, strerror(errno));
goto out;
}
--
2.51.0


@ -1,29 +0,0 @@
From c21fc9d953f6d858ea0a9d7da38359d2eb397ed0 Mon Sep 17 00:00:00 2001
Message-ID: <c21fc9d953f6d858ea0a9d7da38359d2eb397ed0.1758727870.git.sam@gentoo.org>
In-Reply-To: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
References: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Wed, 10 Jul 2024 21:58:34 +0000
Subject: [PATCH 4/7] upstream: correct keyword; from Yatao Su via GHPR509
OpenBSD-Commit-ID: 81c778c76dea7ef407603caa157eb0c381c52ad2
---
sshd_config.5 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sshd_config.5 b/sshd_config.5
index 1ab0f41d9..ce872de52 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1586,7 +1586,7 @@ accumulated.
.Pp
Penalties are enabled by default with the default settings listed below
but may disabled using the
-.Cm off
+.Cm no
keyword.
The defaults may be overridden by specifying one or more of the keywords below,
separated by whitespace.
--
2.51.0


@ -1,250 +0,0 @@
From 26f73db15e0eee558a11b42a9d794d78c87dd11e Mon Sep 17 00:00:00 2001
Message-ID: <26f73db15e0eee558a11b42a9d794d78c87dd11e.1758727870.git.sam@gentoo.org>
In-Reply-To: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
References: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
From: Damien Miller <djm@mindrot.org>
Date: Mon, 11 Aug 2025 16:40:24 +1000
Subject: [PATCH 5/7] support sntrup761x25519-sha512 alias
OpenSSH 9.8 supports the sntrup761x25519-sha512@openssh.com
key agreement algorithm. As part of standardisation, this algorithm
has been assigned the name sntrup761x25519-sha512.
This commit enables the existing algorithm under this new name.
---
configure | 3 +++
kex-names.c | 2 ++
kex.h | 1 +
moduli.0 | 2 +-
myproposal.h | 1 +
scp.0 | 2 +-
sftp-server.0 | 2 +-
sftp.0 | 2 +-
ssh-add.0 | 2 +-
ssh-agent.0 | 2 +-
ssh-keygen.0 | 2 +-
ssh-keyscan.0 | 2 +-
ssh-keysign.0 | 2 +-
ssh-pkcs11-helper.0 | 2 +-
ssh-sk-helper.0 | 2 +-
ssh.0 | 2 +-
ssh_config.0 | 2 +-
sshd.0 | 2 +-
sshd_config.0 | 6 +++---
19 files changed, 24 insertions(+), 17 deletions(-)
diff --git a/configure b/configure
index 07d19fd30..32e38c4cb 100755
--- a/configure
+++ b/configure
@@ -13317,6 +13317,9 @@ EOD
printf "%s\n" "#define BROKEN_SETVBUF 1" >>confdefs.h
;;
+*-*-gnu*)
+ CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE"
+ ;;
esac
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking compiler and flags for sanity" >&5
diff --git a/kex-names.c b/kex-names.c
index 339eb1c23..1869b8ee1 100644
--- a/kex-names.c
+++ b/kex-names.c
@@ -77,6 +77,8 @@ static const struct kexalg kexalgs[] = {
{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
{ KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
#ifdef USE_SNTRUP761X25519
+ { KEX_SNTRUP761X25519_SHA512_IANA, KEX_KEM_SNTRUP761X25519_SHA512, 0,
+ SSH_DIGEST_SHA512 },
{ KEX_SNTRUP761X25519_SHA512, KEX_KEM_SNTRUP761X25519_SHA512, 0,
SSH_DIGEST_SHA512 },
#endif
diff --git a/kex.h b/kex.h
index 34665eb20..ed22b929f 100644
--- a/kex.h
+++ b/kex.h
@@ -63,6 +63,7 @@
#define KEX_CURVE25519_SHA256 "curve25519-sha256"
#define KEX_CURVE25519_SHA256_OLD "curve25519-sha256@libssh.org"
#define KEX_SNTRUP761X25519_SHA512 "sntrup761x25519-sha512@openssh.com"
+#define KEX_SNTRUP761X25519_SHA512_IANA "sntrup761x25519-sha512"
#define COMP_NONE 0
/* pre-auth compression (COMP_ZLIB) is only supported in the client */
diff --git a/moduli.0 b/moduli.0
index 057a018ef..90700a16f 100644
--- a/moduli.0
+++ b/moduli.0
@@ -71,4 +71,4 @@ STANDARDS
M. Friedl, N. Provos, and W. Simpson, Diffie-Hellman Group Exchange for
the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, March 2006.
-OpenBSD 7.5 April 16, 2022 OpenBSD 7.5
+OpenBSD 7.7 April 16, 2022 OpenBSD 7.7
diff --git a/myproposal.h b/myproposal.h
index ee6e9f741..0528cd783 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -25,6 +25,7 @@
*/
#define KEX_SERVER_KEX \
+ "sntrup761x25519-sha512," \
"sntrup761x25519-sha512@openssh.com," \
"curve25519-sha256," \
"curve25519-sha256@libssh.org," \
diff --git a/scp.0 b/scp.0
index e098ddf55..85d5f83d5 100644
--- a/scp.0
+++ b/scp.0
@@ -229,4 +229,4 @@ CAVEATS
requires careful quoting of any characters that have special meaning to
the remote shell, such as quote characters.
-OpenBSD 7.5 December 16, 2022 OpenBSD 7.5
+OpenBSD 7.7 December 16, 2022 OpenBSD 7.7
diff --git a/sftp-server.0 b/sftp-server.0
index 23fdda399..273b69908 100644
--- a/sftp-server.0
+++ b/sftp-server.0
@@ -95,4 +95,4 @@ HISTORY
AUTHORS
Markus Friedl <markus@openbsd.org>
-OpenBSD 7.5 July 27, 2021 OpenBSD 7.5
+OpenBSD 7.7 July 27, 2021 OpenBSD 7.7
diff --git a/sftp.0 b/sftp.0
index c6a9e60c4..0476733c1 100644
--- a/sftp.0
+++ b/sftp.0
@@ -435,4 +435,4 @@ SEE ALSO
T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh-
filexfer-00.txt, January 2001, work in progress material.
-OpenBSD 7.5 December 16, 2022 OpenBSD 7.5
+OpenBSD 7.7 December 16, 2022 OpenBSD 7.7
diff --git a/ssh-add.0 b/ssh-add.0
index 30eed6672..20f1a88e2 100644
--- a/ssh-add.0
+++ b/ssh-add.0
@@ -206,4 +206,4 @@ AUTHORS
created OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
-OpenBSD 7.5 June 17, 2024 OpenBSD 7.5
+OpenBSD 7.7 June 17, 2024 OpenBSD 7.7
diff --git a/ssh-agent.0 b/ssh-agent.0
index 2e4ef7b6e..238fa54e2 100644
--- a/ssh-agent.0
+++ b/ssh-agent.0
@@ -137,4 +137,4 @@ AUTHORS
created OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
-OpenBSD 7.5 August 10, 2023 OpenBSD 7.5
+OpenBSD 7.7 August 10, 2023 OpenBSD 7.7
diff --git a/ssh-keygen.0 b/ssh-keygen.0
index a731a7fa8..13b032f46 100644
--- a/ssh-keygen.0
+++ b/ssh-keygen.0
@@ -904,4 +904,4 @@ AUTHORS
created OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
-OpenBSD 7.5 June 17, 2024 OpenBSD 7.5
+OpenBSD 7.7 June 17, 2024 OpenBSD 7.7
diff --git a/ssh-keyscan.0 b/ssh-keyscan.0
index 110399094..cf0962c82 100644
--- a/ssh-keyscan.0
+++ b/ssh-keyscan.0
@@ -120,4 +120,4 @@ AUTHORS
Davison <wayned@users.sourceforge.net> added support for protocol version
2.
-OpenBSD 7.5 June 17, 2024 OpenBSD 7.5
+OpenBSD 7.7 June 17, 2024 OpenBSD 7.7
diff --git a/ssh-keysign.0 b/ssh-keysign.0
index 577955d1b..ff3305809 100644
--- a/ssh-keysign.0
+++ b/ssh-keysign.0
@@ -47,4 +47,4 @@ HISTORY
AUTHORS
Markus Friedl <markus@openbsd.org>
-OpenBSD 7.5 June 17, 2024 OpenBSD 7.5
+OpenBSD 7.7 June 17, 2024 OpenBSD 7.7
diff --git a/ssh-pkcs11-helper.0 b/ssh-pkcs11-helper.0
index 564587259..4b1cb8d7d 100644
--- a/ssh-pkcs11-helper.0
+++ b/ssh-pkcs11-helper.0
@@ -32,4 +32,4 @@ HISTORY
AUTHORS
Markus Friedl <markus@openbsd.org>
-OpenBSD 7.5 April 29, 2022 OpenBSD 7.5
+OpenBSD 7.7 April 29, 2022 OpenBSD 7.7
diff --git a/ssh-sk-helper.0 b/ssh-sk-helper.0
index ea2117abd..4abc5e8a0 100644
--- a/ssh-sk-helper.0
+++ b/ssh-sk-helper.0
@@ -31,4 +31,4 @@ HISTORY
AUTHORS
Damien Miller <djm@openbsd.org>
-OpenBSD 7.5 April 29, 2022 OpenBSD 7.5
+OpenBSD 7.7 April 29, 2022 OpenBSD 7.7
diff --git a/ssh.0 b/ssh.0
index 78863b1b0..9c34e3e6e 100644
--- a/ssh.0
+++ b/ssh.0
@@ -1016,4 +1016,4 @@ AUTHORS
created OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
-OpenBSD 7.5 June 27, 2024 OpenBSD 7.5
+OpenBSD 7.7 June 27, 2024 OpenBSD 7.7
diff --git a/ssh_config.0 b/ssh_config.0
index ef6c0936a..f9a82781b 100644
--- a/ssh_config.0
+++ b/ssh_config.0
@@ -1428,4 +1428,4 @@ AUTHORS
created OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
-OpenBSD 7.5 June 17, 2024 OpenBSD 7.5
+OpenBSD 7.7 June 17, 2024 OpenBSD 7.7
diff --git a/sshd.0 b/sshd.0
index c7de2d311..eac127dcf 100644
--- a/sshd.0
+++ b/sshd.0
@@ -682,4 +682,4 @@ AUTHORS
versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
for privilege separation.
-OpenBSD 7.5 June 17, 2024 OpenBSD 7.5
+OpenBSD 7.7 June 17, 2024 OpenBSD 7.7
diff --git a/sshd_config.0 b/sshd_config.0
index 6883dda4b..ca030fcca 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -950,8 +950,8 @@ DESCRIPTION
accumulated.
Penalties are enabled by default with the default settings listed
- below but may disabled using the off keyword. The defaults may
- be overridden by specifying one or more of the keywords below,
+ below but may disabled using the no keyword. The defaults may be
+ overridden by specifying one or more of the keywords below,
separated by whitespace. All keywords accept arguments, e.g.
"crash:2m".
@@ -1390,4 +1390,4 @@ AUTHORS
versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
for privilege separation.
-OpenBSD 7.5 June 24, 2024 OpenBSD 7.5
+OpenBSD 7.7 June 24, 2024 OpenBSD 7.7
--
2.51.0


@ -1,206 +0,0 @@
From d1460a177431d034248b62b36240f634482e48de Mon Sep 17 00:00:00 2001
Message-ID: <d1460a177431d034248b62b36240f634482e48de.1758727870.git.sam@gentoo.org>
In-Reply-To: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
References: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
From: Damien Miller <djm@mindrot.org>
Date: Wed, 13 Aug 2025 09:19:53 +1000
Subject: [PATCH 6/7] back out unrelated manpages changes
spotted by Colin Wilson
---
configure | 3 ---
moduli.0 | 2 +-
scp.0 | 2 +-
sftp-server.0 | 2 +-
sftp.0 | 2 +-
ssh-add.0 | 2 +-
ssh-agent.0 | 2 +-
ssh-keygen.0 | 2 +-
ssh-keyscan.0 | 2 +-
ssh-keysign.0 | 2 +-
ssh-pkcs11-helper.0 | 2 +-
ssh-sk-helper.0 | 2 +-
ssh.0 | 2 +-
ssh_config.0 | 2 +-
sshd.0 | 2 +-
sshd_config.0 | 6 +++---
16 files changed, 17 insertions(+), 20 deletions(-)
diff --git a/configure b/configure
index 32e38c4cb..07d19fd30 100755
--- a/configure
+++ b/configure
@@ -13317,9 +13317,6 @@ EOD
printf "%s\n" "#define BROKEN_SETVBUF 1" >>confdefs.h
;;
-*-*-gnu*)
- CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE"
- ;;
esac
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking compiler and flags for sanity" >&5
diff --git a/moduli.0 b/moduli.0
index 90700a16f..057a018ef 100644
--- a/moduli.0
+++ b/moduli.0
@@ -71,4 +71,4 @@ STANDARDS
M. Friedl, N. Provos, and W. Simpson, Diffie-Hellman Group Exchange for
the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, March 2006.
-OpenBSD 7.7 April 16, 2022 OpenBSD 7.7
+OpenBSD 7.5 April 16, 2022 OpenBSD 7.5
diff --git a/scp.0 b/scp.0
index 85d5f83d5..e098ddf55 100644
--- a/scp.0
+++ b/scp.0
@@ -229,4 +229,4 @@ CAVEATS
requires careful quoting of any characters that have special meaning to
the remote shell, such as quote characters.
-OpenBSD 7.7 December 16, 2022 OpenBSD 7.7
+OpenBSD 7.5 December 16, 2022 OpenBSD 7.5
diff --git a/sftp-server.0 b/sftp-server.0
index 273b69908..23fdda399 100644
--- a/sftp-server.0
+++ b/sftp-server.0
@@ -95,4 +95,4 @@ HISTORY
AUTHORS
Markus Friedl <markus@openbsd.org>
-OpenBSD 7.7 July 27, 2021 OpenBSD 7.7
+OpenBSD 7.5 July 27, 2021 OpenBSD 7.5
diff --git a/sftp.0 b/sftp.0
index 0476733c1..c6a9e60c4 100644
--- a/sftp.0
+++ b/sftp.0
@@ -435,4 +435,4 @@ SEE ALSO
T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh-
filexfer-00.txt, January 2001, work in progress material.
-OpenBSD 7.7 December 16, 2022 OpenBSD 7.7
+OpenBSD 7.5 December 16, 2022 OpenBSD 7.5
diff --git a/ssh-add.0 b/ssh-add.0
index 20f1a88e2..30eed6672 100644
--- a/ssh-add.0
+++ b/ssh-add.0
@@ -206,4 +206,4 @@ AUTHORS
created OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
-OpenBSD 7.7 June 17, 2024 OpenBSD 7.7
+OpenBSD 7.5 June 17, 2024 OpenBSD 7.5
diff --git a/ssh-agent.0 b/ssh-agent.0
index 238fa54e2..2e4ef7b6e 100644
--- a/ssh-agent.0
+++ b/ssh-agent.0
@@ -137,4 +137,4 @@ AUTHORS
created OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
-OpenBSD 7.7 August 10, 2023 OpenBSD 7.7
+OpenBSD 7.5 August 10, 2023 OpenBSD 7.5
diff --git a/ssh-keygen.0 b/ssh-keygen.0
index 13b032f46..a731a7fa8 100644
--- a/ssh-keygen.0
+++ b/ssh-keygen.0
@@ -904,4 +904,4 @@ AUTHORS
created OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
-OpenBSD 7.7 June 17, 2024 OpenBSD 7.7
+OpenBSD 7.5 June 17, 2024 OpenBSD 7.5
diff --git a/ssh-keyscan.0 b/ssh-keyscan.0
index cf0962c82..110399094 100644
--- a/ssh-keyscan.0
+++ b/ssh-keyscan.0
@@ -120,4 +120,4 @@ AUTHORS
Davison <wayned@users.sourceforge.net> added support for protocol version
2.
-OpenBSD 7.7 June 17, 2024 OpenBSD 7.7
+OpenBSD 7.5 June 17, 2024 OpenBSD 7.5
diff --git a/ssh-keysign.0 b/ssh-keysign.0
index ff3305809..577955d1b 100644
--- a/ssh-keysign.0
+++ b/ssh-keysign.0
@@ -47,4 +47,4 @@ HISTORY
AUTHORS
Markus Friedl <markus@openbsd.org>
-OpenBSD 7.7 June 17, 2024 OpenBSD 7.7
+OpenBSD 7.5 June 17, 2024 OpenBSD 7.5
diff --git a/ssh-pkcs11-helper.0 b/ssh-pkcs11-helper.0
index 4b1cb8d7d..564587259 100644
--- a/ssh-pkcs11-helper.0
+++ b/ssh-pkcs11-helper.0
@@ -32,4 +32,4 @@ HISTORY
AUTHORS
Markus Friedl <markus@openbsd.org>
-OpenBSD 7.7 April 29, 2022 OpenBSD 7.7
+OpenBSD 7.5 April 29, 2022 OpenBSD 7.5
diff --git a/ssh-sk-helper.0 b/ssh-sk-helper.0
index 4abc5e8a0..ea2117abd 100644
--- a/ssh-sk-helper.0
+++ b/ssh-sk-helper.0
@@ -31,4 +31,4 @@ HISTORY
AUTHORS
Damien Miller <djm@openbsd.org>
-OpenBSD 7.7 April 29, 2022 OpenBSD 7.7
+OpenBSD 7.5 April 29, 2022 OpenBSD 7.5
diff --git a/ssh.0 b/ssh.0
index 9c34e3e6e..78863b1b0 100644
--- a/ssh.0
+++ b/ssh.0
@@ -1016,4 +1016,4 @@ AUTHORS
created OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
-OpenBSD 7.7 June 27, 2024 OpenBSD 7.7
+OpenBSD 7.5 June 27, 2024 OpenBSD 7.5
diff --git a/ssh_config.0 b/ssh_config.0
index f9a82781b..ef6c0936a 100644
--- a/ssh_config.0
+++ b/ssh_config.0
@@ -1428,4 +1428,4 @@ AUTHORS
created OpenSSH. Markus Friedl contributed the support for SSH protocol
versions 1.5 and 2.0.
-OpenBSD 7.7 June 17, 2024 OpenBSD 7.7
+OpenBSD 7.5 June 17, 2024 OpenBSD 7.5
diff --git a/sshd.0 b/sshd.0
index eac127dcf..c7de2d311 100644
--- a/sshd.0
+++ b/sshd.0
@@ -682,4 +682,4 @@ AUTHORS
versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
for privilege separation.
-OpenBSD 7.7 June 17, 2024 OpenBSD 7.7
+OpenBSD 7.5 June 17, 2024 OpenBSD 7.5
diff --git a/sshd_config.0 b/sshd_config.0
index ca030fcca..6883dda4b 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -950,8 +950,8 @@ DESCRIPTION
accumulated.
Penalties are enabled by default with the default settings listed
- below but may disabled using the no keyword. The defaults may be
- overridden by specifying one or more of the keywords below,
+ below but may disabled using the off keyword. The defaults may
+ be overridden by specifying one or more of the keywords below,
separated by whitespace. All keywords accept arguments, e.g.
"crash:2m".
@@ -1390,4 +1390,4 @@ AUTHORS
versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support
for privilege separation.
-OpenBSD 7.7 June 24, 2024 OpenBSD 7.7
+OpenBSD 7.5 June 24, 2024 OpenBSD 7.5
--
2.51.0


@ -1,48 +0,0 @@
From a38b48e77ccfe9528dd4a8516c114950fa7a111d Mon Sep 17 00:00:00 2001
Message-ID: <a38b48e77ccfe9528dd4a8516c114950fa7a111d.1758727870.git.sam@gentoo.org>
In-Reply-To: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
References: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git.sam@gentoo.org>
From: Damien Miller <djm@mindrot.org>
Date: Wed, 13 Aug 2025 09:16:34 +1000
Subject: [PATCH 7/7] mention sntrup761x25519-sha512 in manpages
Spotted by Colin Watson
---
ssh_config.5 | 1 +
sshd_config.5 | 3 +++
2 files changed, 4 insertions(+)
diff --git a/ssh_config.5 b/ssh_config.5
index 2e1902283..9473f4692 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -1281,6 +1281,7 @@ default set.
.Pp
The default is:
.Bd -literal -offset indent
+sntrup761x25519-sha512,
sntrup761x25519-sha512@openssh.com,
curve25519-sha256,curve25519-sha256@libssh.org,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diff --git a/sshd_config.5 b/sshd_config.5
index ce872de52..3c727f4d3 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1050,11 +1050,14 @@ ecdh-sha2-nistp384
.It
ecdh-sha2-nistp521
.It
+sntrup761x25519-sha512
+.It
sntrup761x25519-sha512@openssh.com
.El
.Pp
The default is:
.Bd -literal -offset indent
+sntrup761x25519-sha512,
sntrup761x25519-sha512@openssh.com,
curve25519-sha256,curve25519-sha256@libssh.org,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
--
2.51.0


@ -1,87 +0,0 @@
From 4b8d141ec165aa29a48316768089cb03aed3aada Mon Sep 17 00:00:00 2001
Message-ID: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
From: Darren Tucker <dtucker@dtucker.net>
Date: Wed, 26 Feb 2025 18:16:03 +1100
Subject: [PATCH 01/10] Check for le32toh, le64toh, htole64 individually.
It appears that at least some versions of endian.h in glibc do not have
the latter two, so check for and replace each one individually.
bz#3794, ok djm@
---
configure.ac | 12 ++++++++++++
defines.h | 28 +++++++++++++++++++++-------
2 files changed, 33 insertions(+), 7 deletions(-)
diff --git a/configure.ac b/configure.ac
index 9053a9a2b..57a8d1007 100644
--- a/configure.ac
+++ b/configure.ac
@@ -536,6 +536,18 @@ AC_CHECK_HEADERS([ \
wchar.h \
])
+AC_CHECK_DECLS([le32toh, le64toh, htole64], [], [], [
+#ifdef HAVE_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
+#ifdef HAVE_ENDIAN_H
+# include <endian.h>
+#endif
+])
+
# On some platforms (eg SunOS4) sys/audit.h requires sys/[time|types|label.h]
# to be included first.
AC_CHECK_HEADERS([sys/audit.h], [], [], [
diff --git a/defines.h b/defines.h
index c1c21aba6..090f49f55 100644
--- a/defines.h
+++ b/defines.h
@@ -646,7 +646,9 @@ struct winsize {
# endif /* WORDS_BIGENDIAN */
#endif /* BYTE_ORDER */
-#ifndef HAVE_ENDIAN_H
+#if (defined(HAVE_DECL_LE32TOH) && HAVE_DECL_LE32TOH == 0) || \
+ (defined(HAVE_DECL_LE64TOH) && HAVE_DECL_LE64TOH == 0) || \
+ (defined(HAVE_DECL_HTOLE64) && HAVE_DECL_HTOLE64 == 0)
# define openssh_swap32(v) \
(uint32_t)(((uint32_t)(v) & 0xff) << 24 | \
((uint32_t)(v) & 0xff00) << 8 | \
@@ -662,13 +664,25 @@ struct winsize {
((uint64_t)(v) & 0xff000000000000ULL) >> 40 | \
((uint64_t)(v) & 0xff00000000000000ULL) >> 56)
# ifdef WORDS_BIGENDIAN
-# define le32toh(v) (openssh_swap32(v))
-# define le64toh(v) (openssh_swap64(v))
-# define htole64(v) (openssh_swap64(v))
+# if defined(HAVE_DECL_LE32TOH) && HAVE_DECL_LE32TOH == 0
+# define le32toh(v) (openssh_swap32(v))
+# endif
+# if defined(HAVE_DECL_LE64TOH) && HAVE_DECL_LE64TOH == 0
+# define le64toh(v) (openssh_swap64(v))
+# endif
+# if defined(HAVE_DECL_HTOLE64) && HAVE_DECL_HTOLE64 == 0
+# define htole64(v) (openssh_swap64(v))
+# endif
# else
-# define le32toh(v) ((uint32_t)v)
-# define le64toh(v) ((uint64_t)v)
-# define htole64(v) ((uint64_t)v)
+# if defined(HAVE_DECL_LE32TOH) && HAVE_DECL_LE32TOH == 0
+# define le32toh(v) ((uint32_t)v)
+# endif
+# if defined(HAVE_DECL_LE64TOH) && HAVE_DECL_LE64TOH == 0
+# define le64toh(v) ((uint64_t)v)
+# endif
+# if defined(HAVE_DECL_HTOLE64) && HAVE_DECL_HTOLE64 == 0
+# define htole64(v) ((uint64_t)v)
+# endif
# endif
#endif
--
2.51.0


@ -1,118 +0,0 @@
From de4bcb51c893d81a741d4fac37c10107738a952f Mon Sep 17 00:00:00 2001
Message-ID: <de4bcb51c893d81a741d4fac37c10107738a952f.1758727915.git.sam@gentoo.org>
In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
From: Darren Tucker <dtucker@dtucker.net>
Date: Wed, 26 Feb 2025 18:25:33 +1100
Subject: [PATCH 02/10] Update autoconf files for endian.h change.
---
config.h.in | 12 +++++++++++
configure | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 72 insertions(+)
diff --git a/config.h.in b/config.h.in
index 14bee6087..c841417f4 100644
--- a/config.h.in
+++ b/config.h.in
@@ -363,10 +363,22 @@
don't. */
#undef HAVE_DECL_HOWMANY
+/* Define to 1 if you have the declaration of `htole64', and to 0 if you
+ don't. */
+#undef HAVE_DECL_HTOLE64
+
/* Define to 1 if you have the declaration of `h_errno', and to 0 if you
don't. */
#undef HAVE_DECL_H_ERRNO
+/* Define to 1 if you have the declaration of `le32toh', and to 0 if you
+ don't. */
+#undef HAVE_DECL_LE32TOH
+
+/* Define to 1 if you have the declaration of `le64toh', and to 0 if you
+ don't. */
+#undef HAVE_DECL_LE64TOH
+
/* Define to 1 if you have the declaration of `loginfailed', and to 0 if you
don't. */
#undef HAVE_DECL_LOGINFAILED
diff --git a/configure b/configure
index b4d33b7cd..ec1de26c2 100755
--- a/configure
+++ b/configure
@@ -11325,6 +11325,65 @@ then :
fi
+ac_fn_check_decl "$LINENO" "le32toh" "ac_cv_have_decl_le32toh" "
+#ifdef HAVE_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
+#ifdef HAVE_ENDIAN_H
+# include <endian.h>
+#endif
+
+" "$ac_c_undeclared_builtin_options" "CFLAGS"
+if test "x$ac_cv_have_decl_le32toh" = xyes
+then :
+ ac_have_decl=1
+else $as_nop
+ ac_have_decl=0
+fi
+printf "%s\n" "#define HAVE_DECL_LE32TOH $ac_have_decl" >>confdefs.h
+ac_fn_check_decl "$LINENO" "le64toh" "ac_cv_have_decl_le64toh" "
+#ifdef HAVE_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
+#ifdef HAVE_ENDIAN_H
+# include <endian.h>
+#endif
+
+" "$ac_c_undeclared_builtin_options" "CFLAGS"
+if test "x$ac_cv_have_decl_le64toh" = xyes
+then :
+ ac_have_decl=1
+else $as_nop
+ ac_have_decl=0
+fi
+printf "%s\n" "#define HAVE_DECL_LE64TOH $ac_have_decl" >>confdefs.h
+ac_fn_check_decl "$LINENO" "htole64" "ac_cv_have_decl_htole64" "
+#ifdef HAVE_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
+#ifdef HAVE_ENDIAN_H
+# include <endian.h>
+#endif
+
+" "$ac_c_undeclared_builtin_options" "CFLAGS"
+if test "x$ac_cv_have_decl_htole64" = xyes
+then :
+ ac_have_decl=1
+else $as_nop
+ ac_have_decl=0
+fi
+printf "%s\n" "#define HAVE_DECL_HTOLE64 $ac_have_decl" >>confdefs.h
+
+
# On some platforms (eg SunOS4) sys/audit.h requires sys/[time|types|label.h]
# to be included first.
ac_fn_c_check_header_compile "$LINENO" "sys/audit.h" "ac_cv_header_sys_audit_h" "
@@ -27710,3 +27769,4 @@ if test "$AUDIT_MODULE" = "bsm" ; then
echo "WARNING: BSM audit support is currently considered EXPERIMENTAL."
echo "See the Solaris section in README.platform for details."
fi
+
--
2.51.0


@ -1,30 +0,0 @@
From ef95df4089f0dba640671ca6acfb876a78794b83 Mon Sep 17 00:00:00 2001
Message-ID: <ef95df4089f0dba640671ca6acfb876a78794b83.1758727915.git.sam@gentoo.org>
In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
From: Darren Tucker <dtucker@dtucker.net>
Date: Sat, 1 Mar 2025 10:28:59 +1100
Subject: [PATCH 03/10] Rebuild config files if Makefile changes.
This ensures paths are updated if they are changed by re-running configure.
Patch from rapier at psc.edu.
---
Makefile.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile.in b/Makefile.in
index 4243006b0..fc7a1a354 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -267,7 +267,7 @@ $(MANPAGES): $(MANPAGES_IN)
$(FIXPATHSCMD) $${manpage} | $(FIXALGORITHMSCMD) > $@; \
fi
-$(CONFIGFILES): $(CONFIGFILES_IN)
+$(CONFIGFILES): $(CONFIGFILES_IN) Makefile
conffile=`echo $@ | sed 's/.out$$//'`; \
$(FIXPATHSCMD) $(srcdir)/$${conffile} > $@
--
2.51.0


@ -1,92 +0,0 @@
From 3b4adf2018ae8fdd48623b6b5ede182319a76b8f Mon Sep 17 00:00:00 2001
Message-ID: <3b4adf2018ae8fdd48623b6b5ede182319a76b8f.1758727915.git.sam@gentoo.org>
In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
From: Damien Miller <djm@mindrot.org>
Date: Sun, 2 Mar 2025 22:06:53 +1100
Subject: [PATCH 04/10] include __builtin_popcount replacement function
Some systems/compilers lack __builtin_popcount(), so replace it as
necessary. Reported by Dennis Clarke; ok dtucker@
---
configure.ac | 13 +++++++++++++
libcrux_mlkem768_sha3.h | 8 ++++++--
mlkem768.sh | 10 +++++++++-
3 files changed, 28 insertions(+), 3 deletions(-)
diff --git a/configure.ac b/configure.ac
index 57a8d1007..dbe189066 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2041,6 +2041,19 @@ AC_CHECK_FUNCS([ \
warn \
])
+AC_MSG_CHECKING([whether compiler supports __builtin_popcount])
+AC_LINK_IFELSE([AC_LANG_PROGRAM([[
+ #include <stdlib.h>
+ ]],
+ [[ int x = 123, y;
+ y = __builtin_popcount(123);
+ exit(y == 6 ? 0 : -1); ]])],
+ [ AC_MSG_RESULT([yes]) ], [
+ AC_MSG_RESULT([no])
+ AC_DEFINE([MISSING_BUILTIN_POPCOUNT], [1], [Define if your compiler lacks __builtin_popcount])
+ ]
+)
+
AC_CHECK_DECLS([bzero, memmem])
dnl Wide character support.
diff --git a/libcrux_mlkem768_sha3.h b/libcrux_mlkem768_sha3.h
index b8ac1436f..885e82baf 100644
--- a/libcrux_mlkem768_sha3.h
+++ b/libcrux_mlkem768_sha3.h
@@ -177,10 +177,14 @@ static inline uint32_t core_num__u32_8__from_le_bytes(uint8_t buf[4]) {
}
static inline uint32_t core_num__u8_6__count_ones(uint8_t x0) {
-#ifdef _MSC_VER
+#if defined(_MSC_VER)
return __popcnt(x0);
-#else
+#elif !defined(MISSING_BUILTIN_POPCOUNT)
return __builtin_popcount(x0);
+#else
+ const uint8_t v[16] = { 0, 1, 1, 2, 1, 2, 2, 3, 1, 2, 2, 3, 2, 3, 3, 4 };
+ return v[x0 & 0xf] + v[(x0 >> 4) & 0xf];
+
#endif
}
diff --git a/mlkem768.sh b/mlkem768.sh
index 3d12b2ed8..cbc3d14da 100644
--- a/mlkem768.sh
+++ b/mlkem768.sh
@@ -49,6 +49,11 @@ echo '#define KRML_HOST_EPRINTF(...)'
echo '#define KRML_HOST_EXIT(x) fatal_f("internal error")'
echo
+__builtin_popcount_replacement='
+ const uint8_t v[16] = { 0, 1, 1, 2, 1, 2, 2, 3, 1, 2, 2, 3, 2, 3, 3, 4 };
+ return v[x0 & 0xf] + v[(x0 >> 4) & 0xf];
+'
+
for i in $FILES; do
echo "/* from $i */"
# Changes to all files:
@@ -62,7 +67,10 @@ for i in $FILES; do
# Replace endian functions with versions that work.
perl -0777 -pe 's/(static inline void core_num__u64_9__to_le_bytes.*\n)([^}]*\n)/\1 v = htole64(v);\n\2/' |
perl -0777 -pe 's/(static inline uint64_t core_num__u64_9__from_le_bytes.*?)return v;/\1return le64toh(v);/s' |
- perl -0777 -pe 's/(static inline uint32_t core_num__u32_8__from_le_bytes.*?)return v;/\1return le32toh(v);/s'
+ perl -0777 -pe 's/(static inline uint32_t core_num__u32_8__from_le_bytes.*?)return v;/\1return le32toh(v);/s' |
+ # Compat for popcount.
+ perl -0777 -pe 's/\#ifdef (_MSC_VER)(.*?return __popcnt\(x0\);)/\#if defined(\1)\2/s' |
+ perl -0777 -pe "s/\\#else(\\n\\s+return __builtin_popcount\\(x0\\);)/\\#elif !defined(MISSING_BUILTIN_POPCOUNT)\\1\\n#else$__builtin_popcount_replacement/s"
;;
# Default: pass through.
*)
--
2.51.0


@ -1,32 +0,0 @@
From d58ae05bb7838e1fdae967752f06b0b2471a63f5 Mon Sep 17 00:00:00 2001
Message-ID: <d58ae05bb7838e1fdae967752f06b0b2471a63f5.1758727915.git.sam@gentoo.org>
In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
From: "djm@openbsd.org" <djm@openbsd.org>
Date: Sun, 2 Mar 2025 22:44:00 +0000
Subject: [PATCH 05/10] upstream: fix PerSourcePenalty incorrectly using
"crash" penalty when
LoginGraceTime was exceeded. Reported by irwin AT princeton.edu via bz3797
OpenBSD-Commit-ID: 1ba3e490a5a9451359618c550d995380af454d25
---
srclimit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/srclimit.c b/srclimit.c
index 33116fa52..c63a462e2 100644
--- a/srclimit.c
+++ b/srclimit.c
@@ -386,7 +386,7 @@ srclimit_penalise(struct xaddr *addr, int penalty_type)
reason = "penalty: connection prohibited by RefuseConnection";
break;
case SRCLIMIT_PENALTY_GRACE_EXCEEDED:
- penalty_secs = penalty_cfg.penalty_crash;
+ penalty_secs = penalty_cfg.penalty_grace;
reason = "penalty: exceeded LoginGraceTime";
break;
default:
--
2.51.0


@ -1,80 +0,0 @@
From 7d5b6c7ec3c597a6d57f64d0db925142bccd38a3 Mon Sep 17 00:00:00 2001
Message-ID: <7d5b6c7ec3c597a6d57f64d0db925142bccd38a3.1758727915.git.sam@gentoo.org>
In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
From: Damien Miller <djm@mindrot.org>
Date: Mon, 3 Mar 2025 14:21:12 +1100
Subject: [PATCH 06/10] regenerate configure, config.h.in
---
config.h.in | 3 +++
configure | 35 ++++++++++++++++++++++++++++++++++-
2 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/config.h.in b/config.h.in
index c841417f4..57f63355b 100644
--- a/config.h.in
+++ b/config.h.in
@@ -1748,6 +1748,9 @@
/* Set this to your mail directory if you do not have _PATH_MAILDIR */
#undef MAIL_DIRECTORY
+/* Define if your compiler lacks __builtin_popcount */
+#undef MISSING_BUILTIN_POPCOUNT
+
/* Need setpgrp to for controlling tty */
#undef NEED_SETPGRP
diff --git a/configure b/configure
index ec1de26c2..a18079da2 100755
--- a/configure
+++ b/configure
@@ -16785,6 +16785,40 @@ then :
fi
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether compiler supports __builtin_popcount" >&5
+printf %s "checking whether compiler supports __builtin_popcount... " >&6; }
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+ #include <stdlib.h>
+
+int
+main (void)
+{
+ int x = 123, y;
+ y = __builtin_popcount(123);
+ exit(y == 6 ? 0 : -1);
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"
+then :
+ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+printf "%s\n" "yes" >&6; }
+else $as_nop
+
+ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
+printf "%s\n" "no" >&6; }
+
+printf "%s\n" "#define MISSING_BUILTIN_POPCOUNT 1" >>confdefs.h
+
+
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.beam \
+ conftest$ac_exeext conftest.$ac_ext
+
ac_fn_check_decl "$LINENO" "bzero" "ac_cv_have_decl_bzero" "$ac_includes_default" "$ac_c_undeclared_builtin_options" "CFLAGS"
if test "x$ac_cv_have_decl_bzero" = xyes
then :
@@ -27769,4 +27803,3 @@ if test "$AUDIT_MODULE" = "bsm" ; then
echo "WARNING: BSM audit support is currently considered EXPERIMENTAL."
echo "See the Solaris section in README.platform for details."
fi
-
--
2.51.0


@ -1,44 +0,0 @@
From be8026caf9da985638c762c353c397c0922be233 Mon Sep 17 00:00:00 2001
Message-ID: <be8026caf9da985638c762c353c397c0922be233.1758727915.git.sam@gentoo.org>
In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
From: "dtucker@openbsd.org" <dtucker@openbsd.org>
Date: Tue, 11 Mar 2025 11:46:44 +0000
Subject: [PATCH 07/10] upstream: Prime caches for DNS names needed for tests.
When running the SSHFP tests, particularly on an ephemeral VM, the first
query or two can fail for some reason, presumably because something isn't
fully initialized or something. To work around this, issue queries for the
names we'll need before we need them.
OpenBSD-Regress-ID: 900841133540e7dead253407db5a874a6ed09eca
---
regress/sshfp-connect.sh | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/regress/sshfp-connect.sh b/regress/sshfp-connect.sh
index f78646922..3c73a35d0 100644
--- a/regress/sshfp-connect.sh
+++ b/regress/sshfp-connect.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: sshfp-connect.sh,v 1.4 2021/09/01 00:50:27 dtucker Exp $
+# $OpenBSD: sshfp-connect.sh,v 1.5 2025/03/11 11:46:44 dtucker Exp $
# Placed in the Public Domain.
# This test requires external setup and thus is skipped unless
@@ -29,6 +29,12 @@ if ! $SSH -Q key-plain | grep ssh-rsa >/dev/null; then
elif [ -z "${TEST_SSH_SSHFP_DOMAIN}" ]; then
skip "TEST_SSH_SSHFP_DOMAIN not set."
else
+ # Prime any DNS caches and resolvers.
+ for i in sshtest sshtest-sha1 sshtest-sha256; do
+ host -t sshfp ${i}.${TEST_SSH_SSHFP_DOMAIN} >/dev/null 2>&1
+ host -t sshfp ${i}-bad.${TEST_SSH_SSHFP_DOMAIN} >/dev/null 2>&1
+ done
+
# Set RSA host key to match fingerprints above.
mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
$SUDO cp $SRC/rsa_openssh.prv $OBJ/host.ssh-rsa
--
2.51.0


@ -1,41 +0,0 @@
From aab12549a939d07f638df486f910544c6b11b972 Mon Sep 17 00:00:00 2001
Message-ID: <aab12549a939d07f638df486f910544c6b11b972.1758727915.git.sam@gentoo.org>
In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
From: Darren Tucker <dtucker@dtucker.net>
Date: Thu, 17 Oct 2024 19:18:23 +1100
Subject: [PATCH 08/10] MacOS 12 runners are deprecated, replace with 15.
---
.github/workflows/c-cpp.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/c-cpp.yml b/.github/workflows/c-cpp.yml
index c179f73d1..c49aa5ee8 100644
--- a/.github/workflows/c-cpp.yml
+++ b/.github/workflows/c-cpp.yml
@@ -17,9 +17,9 @@ jobs:
target:
- ubuntu-20.04
- ubuntu-22.04
- - macos-12
- macos-13
- macos-14
+ - macos-15
- windows-2019
- windows-2022
config: [default]
@@ -100,9 +100,9 @@ jobs:
- { target: ubuntu-22.04, config: selinux }
- { target: ubuntu-22.04, config: kitchensink }
- { target: ubuntu-22.04, config: without-openssl }
- - { target: macos-12, config: pam }
- { target: macos-13, config: pam }
- { target: macos-14, config: pam }
+ - { target: macos-15, config: pam }
runs-on: ${{ matrix.target }}
steps:
- name: set cygwin git params
--
2.51.0


@ -1,51 +0,0 @@
From 8e4bd6ebdbde0ff22e0c1c1f1a134ef255af7595 Mon Sep 17 00:00:00 2001
Message-ID: <8e4bd6ebdbde0ff22e0c1c1f1a134ef255af7595.1758727915.git.sam@gentoo.org>
In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
From: "tb@openbsd.org" <tb@openbsd.org>
Date: Tue, 3 Dec 2024 15:53:51 +0000
Subject: [PATCH 09/10] upstream: Remove redundant field of definition check
This will allow us to get rid of EC_GROUP_method_of() in the near future.
ok djm
OpenBSD-Commit-ID: b4a3d2e00990cf5c2ec6881c21ddca67327c2df8
---
sshkey.c | 13 -------------
1 file changed, 13 deletions(-)
diff --git a/sshkey.c b/sshkey.c
index 1db83788d..44be674d1 100644
--- a/sshkey.c
+++ b/sshkey.c
@@ -2708,14 +2708,6 @@ sshkey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public)
* EC_POINT_oct2point then the caller will need to explicitly check.
*/
- /*
- * We shouldn't ever hit this case because bignum_get_ecpoint()
- * refuses to load GF2m points.
- */
- if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
- NID_X9_62_prime_field)
- goto out;
-
/* Q != infinity */
if (EC_POINT_is_at_infinity(group, public))
goto out;
@@ -2815,11 +2807,6 @@ sshkey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point)
fprintf(stderr, "%s: BN_new failed\n", __func__);
goto out;
}
- if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
- NID_X9_62_prime_field) {
- fprintf(stderr, "%s: group is not a prime field\n", __func__);
- goto out;
- }
if (EC_POINT_get_affine_coordinates_GFp(group, point,
x, y, NULL) != 1) {
fprintf(stderr, "%s: EC_POINT_get_affine_coordinates_GFp\n",
--
2.51.0


@ -1,64 +0,0 @@
From 3eeda15eb9d3b9f2fd762ba3493ba88abe6bbcd9 Mon Sep 17 00:00:00 2001
Message-ID: <3eeda15eb9d3b9f2fd762ba3493ba88abe6bbcd9.1758727915.git.sam@gentoo.org>
In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git.sam@gentoo.org>
From: "dtucker@openbsd.org" <dtucker@openbsd.org>
Date: Tue, 11 Mar 2025 07:42:08 +0000
Subject: [PATCH 10/10] upstream: Check if dbclient supports SHA1 before trying
SHA1-based
KEX.
Dropbear 2025.87 removed SHA1 support by default, which means
diffie-hellman-group14-sha1 is not available. Unfortunately there isn't a
flag to query supported KEX, so instead check MACs and if it doesn't have
SHA1 methods, assuming SHA1 based KEXes are likewise not available. Spotted
by anton@.
OpenBSD-Regress-ID: acfa8e26c001cb18b9fb81a27271c3b51288d304
---
regress/dropbear-kex.sh | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/regress/dropbear-kex.sh b/regress/dropbear-kex.sh
index d9f1b32c0..72717fbb7 100644
--- a/regress/dropbear-kex.sh
+++ b/regress/dropbear-kex.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: dropbear-kex.sh,v 1.3 2024/06/19 10:10:46 dtucker Exp $
+# $OpenBSD: dropbear-kex.sh,v 1.4 2025/03/11 07:42:08 dtucker Exp $
# Placed in the Public Domain.
tid="dropbear kex"
@@ -10,8 +10,14 @@ fi
cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak
kex="curve25519-sha256 curve25519-sha256@libssh.org"
-if $SSH -Q kex | grep 'diffie-hellman-group14-sha1'; then
- kex="$kex diffie-hellman-group14-sha256 diffie-hellman-group14-sha1"
+if $SSH -Q kex | grep 'diffie-hellman-group14-sha256' >/dev/null; then
+ kex="$kex diffie-hellman-group14-sha256"
+fi
+# There's no flag to query KEX, so if MACs does not contain SHA1, assume
+# there's also SHA1-based KEX methods either.
+if $SSH -Q kex | grep 'diffie-hellman-group14-sha1' >/dev/null && \
+ $DBCLIENT -m help hst 2>&1 | grep -- '-sha1' >/dev/null ; then
+ kex="$kex diffie-hellman-group14-sha1"
fi
for k in $kex; do
@@ -19,8 +25,9 @@ for k in $kex; do
rm -f ${COPY}
# dbclient doesn't have switch for kex, so force in server
(cat $OBJ/sshd_proxy.bak; echo "KexAlgorithms $k") >$OBJ/sshd_proxy
- env HOME=$OBJ dbclient -y -i $OBJ/.dropbear/id_ed25519 2>$OBJ/dbclient.log \
- -J "$OBJ/ssh_proxy.sh" somehost cat ${DATA} > ${COPY}
+ env HOME=$OBJ \
+ ${DBCLIENT} -y -i $OBJ/.dropbear/id_ed25519 2>$OBJ/dbclient.log \
+ -J "$OBJ/ssh_proxy.sh" somehost cat ${DATA} > ${COPY}
if [ $? -ne 0 ]; then
fail "ssh cat $DATA failed"
fi
--
2.51.0


@ -0,0 +1,38 @@
# /etc/conf.d/sshd: config file for /etc/init.d/sshd
# Where is your sshd_config file stored?
SSHD_CONFDIR="${RC_PREFIX%/}/etc/ssh"
# Any random options you want to pass to sshd.
# See the sshd(8) manpage for more info.
SSHD_OPTS=""
# Wait one second (length chosen arbitrarily) to see if sshd actually
# creates a PID file, or if it crashes for some reason like not being
# able to bind to the address in ListenAddress.
#SSHD_SSD_OPTS="--wait 1000"
# Pid file to use (needs to be absolute path).
#SSHD_PIDFILE="${RC_PREFIX%/}/run/sshd.pid"
# Path to the sshd binary (needs to be absolute path).
#SSHD_BINARY="${RC_PREFIX%/}/usr/sbin/sshd"
# Path to the ssh-keygen binary (needs to be absolute path).
#SSHD_KEYGEN_BINARY="${RC_PREFIX%/}/usr/bin/ssh-keygen"
# May be needed if ListenAddress is used to ensure that the interface
# has been configured.
#rc_need="net.eth0"


@ -0,0 +1,68 @@
#!/sbin/openrc-run
# Copyright 1999-2019 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
extra_commands="checkconfig"
extra_started_commands="reload"
: ${SSHD_CONFDIR:=${RC_PREFIX%/}/etc/ssh}
: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config}
: ${SSHD_PIDFILE:=${RC_PREFIX%/}/run/${SVCNAME}.pid}
: ${SSHD_BINARY:=${RC_PREFIX%/}/usr/sbin/sshd}
: ${SSHD_KEYGEN_BINARY:=${RC_PREFIX%/}/usr/bin/ssh-keygen}
command="${SSHD_BINARY}"
pidfile="${SSHD_PIDFILE}"
command_args="${SSHD_OPTS} -o PidFile=${pidfile} -f ${SSHD_CONFIG}"
# Wait one second (length chosen arbitrarily) to see if sshd actually
# creates a PID file, or if it crashes for some reason like not being
# able to bind to the address in ListenAddress (bug 617596).
: ${SSHD_SSD_OPTS:=--wait 1000}
start_stop_daemon_args="${SSHD_SSD_OPTS}"
depend() {
# Entropy can be used by ssh-keygen, among other things, but
# is not strictly required (bug 470020).
use logger dns entropy
}
checkconfig() {
checkpath --mode 0755 --directory "${RC_PREFIX%/}/var/empty"
if [ ! -e "${SSHD_CONFIG}" ] ; then
eerror "You need an ${SSHD_CONFIG} file to run sshd"
eerror "There is a sample file in /usr/share/doc/openssh"
return 1
fi
${SSHD_KEYGEN_BINARY} -A || return 2
"${command}" -t ${command_args} || return 3
}
start_pre() {
# Make sure that the user's config isn't busted before we try
# to start the daemon (this will produce better error messages
# than if we just try to start it blindly).
#
# We always need to call checkconfig because this function will
# also generate any missing host key and you can start a
# non-running service with "restart" argument.
checkconfig || return $?
}
stop_pre() {
# If this is a restart, check to make sure the user's config
# isn't busted before we stop the running daemon.
if [ "${RC_CMD}" = "restart" ] ; then
checkconfig || return $?
fi
}
reload() {
checkconfig || return $?
ebegin "Reloading ${SVCNAME}"
start-stop-daemon --signal HUP --pidfile "${pidfile}"
eend $?
}
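Review bot: `checkconfig` derives only `SSHD_CONFIG` from `SSHD_CONFDIR`, yet `${SSHD_KEYGEN_BINARY} -A` is invoked with no path argument, so as far as I know the host keys it generates land in ssh-keygen's compiled-in default directory rather than under a user-overridden `SSHD_CONFDIR`; the subsequent `"${command}" -t` would then fail if `HostKey` in that config points elsewhere. This deserves a comment above the `-A` line, e.g. `# -A writes missing host keys to the built-in default path, not ${SSHD_CONFDIR}`, or a `-f` prefix argument if the script is meant to honour the override. The `checkpath --mode 0755 --directory` line is also the only place the privilege-separation directory is created, so a one-line comment naming it as such would help readers of the script.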


@ -0,0 +1,437 @@
# Copyright 1999-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
# Remember to check the upstream release/stable branches for patches
# to backport! See https://marc.info/?l=openssh-unix-dev&m=172723798122122&w=2.
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssh.org.asc
inherit user-info flag-o-matic autotools optfeature pam systemd toolchain-funcs verify-sig eapi9-ver
# Make it more portable between straight releases
# and _p? releases.
PARCH=${P/_}
DESCRIPTION="Port of OpenBSD's free SSH release"
HOMEPAGE="https://www.openssh.com/"
SRC_URI="
mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )
"
S="${WORKDIR}/${PARCH}"
LICENSE="BSD GPL-2"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~x64-macos ~x64-solaris"
# Probably want to drop ssl defaulting to on in a future version.
IUSE="abi_mips_n32 audit debug kerberos ldns libedit livecd pam security-key selinux +ssl static test"
RESTRICT="!test? ( test )"
REQUIRED_USE="
ldns? ( ssl )
static? ( !kerberos !pam )
test? ( ssl )
"
LIB_DEPEND="
audit? ( sys-process/audit[static-libs(+)] )
ldns? (
net-libs/ldns[static-libs(+)]
net-libs/ldns[ecdsa(+),ssl(+)]
)
libedit? ( dev-libs/libedit:=[static-libs(+)] )
security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
virtual/libcrypt:=[static-libs(+)]
>=virtual/zlib-1.2.3:=[static-libs(+)]
"
RDEPEND="
acct-group/sshd
acct-user/sshd
!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
pam? ( sys-libs/pam )
kerberos? ( virtual/krb5 )
"
DEPEND="
${RDEPEND}
virtual/os-headers
kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
static? ( ${LIB_DEPEND} )
"
RDEPEND="
${RDEPEND}
!net-misc/openssh-contrib
pam? ( >=sys-auth/pambase-20081028 )
!prefix? ( sys-apps/shadow )
"
BDEPEND="
dev-build/autoconf
virtual/pkgconfig
verify-sig? ( sec-keys/openpgp-keys-openssh )
"
PATCHES=(
"${FILESDIR}/${PN}-9.4_p1-Allow-MAP_NORESERVE-in-sandbox-seccomp-filter-maps.patch"
"${FILESDIR}/${PN}-9.7_p1-config-tweaks.patch"
# Backports from upstream release branch
#"${FILESDIR}/${PV}"
# Our own backports
)
pkg_pretend() {
local i enabled_eol_flags disabled_eol_flags
for i in hpn sctp X509; do
if has_version "net-misc/openssh[${i}]"; then
enabled_eol_flags+="${i},"
disabled_eol_flags+="-${i},"
fi
done
if [[ -n ${enabled_eol_flags} && ${OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING} != yes ]]; then
# Skip for binary packages entirely because of environment saving, bug #907892
[[ ${MERGE_TYPE} == binary ]] && return
ewarn "net-misc/openssh does not support USE='${enabled_eol_flags%,}' anymore."
ewarn "The Base system team *STRONGLY* recommends you not rely on this functionality,"
ewarn "since these USE flags required third-party patches that often trigger bugs"
ewarn "and are of questionable provenance."
ewarn
ewarn "If you must continue relying on this functionality, switch to"
ewarn "net-misc/openssh-contrib. You will have to remove net-misc/openssh from your"
ewarn "world file first: 'emerge --deselect net-misc/openssh'"
ewarn
ewarn "In order to prevent loss of SSH remote login access, we will abort the build."
ewarn "Whether you proceed with disabling the USE flags or switch to the -contrib"
ewarn "variant, when re-emerging you will have to set"
ewarn
ewarn " OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes"
die "Building net-misc/openssh[${disabled_eol_flags%,}] without OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes"
fi
# Make sure people who are using tcp wrappers are notified of its removal. #531156
if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please."
fi
}
src_prepare() {
# don't break .ssh/authorized_keys2 for fun
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
[[ -d ${WORKDIR}/patches ]] && PATCHES+=( "${WORKDIR}"/patches )
default
# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
sed -e '/\t\tpercent \\/ d' \
-i regress/Makefile || die
tc-export PKG_CONFIG
local sed_args=(
-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
# Disable fortify flags ... our gcc does this for us
-e 's:-D_FORTIFY_SOURCE=2::'
)
# _XOPEN_SOURCE causes header conflicts on Solaris
[[ ${CHOST} == *-solaris* ]] && sed_args+=(
-e 's/-D_XOPEN_SOURCE//'
)
sed -i "${sed_args[@]}" configure{.ac,} || die
eautoreconf
}
src_configure() {
addwrite /dev/ptmx
use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
use static && append-ldflags -static
if [[ ${CHOST} == *-solaris* ]] ; then
# Solaris' glob.h doesn't have things like GLOB_TILDE, configure
# doesn't check for this, so force the replacement to be put in
# place
append-cppflags -DBROKEN_GLOB
fi
# use replacement, RPF_ECHO_ON doesn't exist here
[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
local myconf=(
--with-ldflags="${LDFLAGS}"
--disable-strip
--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
--sysconfdir="${EPREFIX}"/etc/ssh
--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
--datadir="${EPREFIX}"/usr/share/openssh
--with-privsep-path="${EPREFIX}"/var/empty
--with-privsep-user=sshd
# optional at runtime; guarantee a known path
--with-xauth="${EPREFIX}"/usr/bin/xauth
# --with-hardening adds the following in addition to flags we
# already set in our toolchain:
# * -ftrapv (which is broken with GCC anyway),
# * -ftrivial-auto-var-init=zero (which is nice, but not the end of
# the world to not have)
# * -fzero-call-used-regs=used (history of miscompilations with
# Clang (bug #872548), ICEs on m68k (bug #920350, gcc PR113086,
# gcc PR104820, gcc PR104817, gcc PR110934)).
#
# Furthermore, OSSH_CHECK_CFLAG_COMPILE did not use AC_CACHE_CHECK
# until 10.1_p1, so we couldn't disable -fzero-call-used-regs=used.
#
# Therefore, just pass --without-hardening, given it doesn't negate
# our already hardened toolchain defaults, and avoids adding flags
# which are known-broken in both Clang and GCC and haven't been
# proven reliable.
--without-hardening
--without-pie
--without-stackprotect
# wtmpdb not yet packaged
--without-wtmpdb
$(use_with audit audit linux)
$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
$(use_with ldns)
$(use_with libedit)
$(use_with pam)
$(use_with selinux)
$(use_with security-key security-key-builtin)
$(use_with ssl openssl)
$(use_with ssl ssl-engine)
)
if use elibc_musl; then
# musl defines bogus values for UTMP_FILE and WTMP_FILE (bug #753230)
myconf+=( --disable-utmp --disable-wtmp )
fi
econf "${myconf[@]}"
}
create_config_dropins() {
local locale_vars=(
# These are language variables that POSIX defines.
# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
# These are the GNU extensions.
# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
)
mkdir -p "${WORKDIR}"/etc/ssh/ssh{,d}_config.d || die
cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die
# Send locale environment variables (bug #367017)
SendEnv ${locale_vars[*]}
# Send COLORTERM to match TERM (bug #658540)
SendEnv COLORTERM
EOF
cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo-security.conf || die
RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts"
EOF
cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_revoked_hosts || die
# https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
EOF
cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die
# Allow client to pass locale environment variables (bug #367017)
AcceptEnv ${locale_vars[*]}
# Allow client to pass COLORTERM to match TERM (bug #658540)
AcceptEnv COLORTERM
EOF
cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-subsystem.conf || die
# override default of no subsystems
Subsystem sftp ${EPREFIX}/usr/$(get_libdir)/misc/sftp-server
EOF
if use pam ; then
cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-pam.conf || die
UsePAM yes
# This interferes with PAM.
PasswordAuthentication no
# PAM can do its own handling of MOTD.
PrintMotd no
PrintLastLog no
EOF
fi
if use livecd ; then
cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-livecd.conf || die
# Allow root login with password on livecds.
PermitRootLogin Yes
EOF
fi
}
src_compile() {
default
create_config_dropins
}
src_test() {
local tests=( compat-tests )
local shell=$(egetshell "${UID}")
if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
ewarn "user, so we will run a subset only."
tests+=( interop-tests file-tests unit )
else
tests+=( tests )
fi
local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1
mkdir -p "${HOME}"/.ssh || die
emake -j1 "${tests[@]}" </dev/null
}
src_install() {
emake install-nokeys DESTDIR="${D}"
fperms 600 /etc/ssh/sshd_config
dobin contrib/ssh-copy-id
newinitd "${FILESDIR}"/sshd-r2.initd sshd
newconfd "${FILESDIR}"/sshd-r2.confd sshd
exeinto /etc/user/init.d
newexe "${FILESDIR}"/ssh-agent.initd ssh-agent
if use pam; then
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
fi
doman contrib/ssh-copy-id.1
dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
rmdir "${ED}"/var/empty || die
systemd_dounit "${FILESDIR}"/sshd.socket
systemd_newunit "${FILESDIR}"/sshd.service.2 sshd.service
systemd_newunit "${FILESDIR}"/sshd_at.service.1 'sshd@.service'
# Install dropins with explicit mode, bug 906638, 915840
diropts -m0755
insopts -m0644
insinto /etc/ssh
doins -r "${WORKDIR}"/etc/ssh/ssh_config.d
doins "${WORKDIR}"/etc/ssh/ssh_revoked_hosts
diropts -m0700
insopts -m0600
doins -r "${WORKDIR}"/etc/ssh/sshd_config.d
}
pkg_preinst() {
if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
show_ssl_warning=1
fi
}
pkg_postinst() {
# bug #139235
optfeature "x11 forwarding" x11-apps/xauth
if ver_replacing -lt "5.8_p1"; then
elog "Starting with openssh-5.8p1, the server will default to a newer key"
elog "algorithm (ECDSA). You are encouraged to manually update your stored"
elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
fi
if ver_replacing -lt "7.0_p1"; then
elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
elog "Make sure to update any configs that you might have. Note that xinetd might"
elog "be an alternative for you as it supports USE=tcpd."
fi
if ver_replacing -lt "7.1_p1"; then #557388 #555518
elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
elog "adding to your sshd_config or ~/.ssh/config files:"
elog " PubkeyAcceptedKeyTypes=+ssh-dss"
elog "You should however generate new keys using rsa or ed25519."
elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
elog "to 'prohibit-password'. That means password auth for root users no longer works"
elog "out of the box. If you need this, please update your sshd_config explicitly."
fi
if ver_replacing -lt "7.6_p1"; then
elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
elog "Furthermore, rsa keys with less than 1024 bits will be refused."
fi
if ver_replacing -lt "7.7_p1"; then
elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
elog "if you need to authenticate against LDAP."
elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
fi
if ver_replacing -lt "8.2_p1"; then
ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
ewarn "connection is generally safe."
fi
if ver_replacing -lt "9.2_p1-r1" && systemd_is_booted; then
ewarn "From openssh-9.2_p1-r1 the supplied systemd unit file defaults to"
ewarn "'Restart=on-failure', which causes the service to automatically restart if it"
ewarn "terminates with an unclean exit code or signal. This feature is useful for most users,"
ewarn "but it can increase the vulnerability of the system in the event of a future exploit."
ewarn "If you have a web-facing setup or are concerned about security, it is recommended to"
ewarn "set 'Restart=no' in your sshd unit file."
fi
if ver_replacing -lt "10.2_p1-r1"; then
ewarn "The sshd init script no longer greps for ListenAddress in the sshd config."
ewarn "If you have configured the ListenAddress parameter, you may need to adjust"
ewarn "init script dependencies via rc_need in /etc/conf.d/sshd."
fi
if [[ -n ${show_ssl_warning} ]]; then
elog "Be aware that by disabling openssl support in openssh, the server and clients"
elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
elog "and update all clients/servers that utilize them."
fi
openssh_maybe_restart
}
openssh_maybe_restart() {
local ver
declare -a versions
read -ra versions <<<"${REPLACING_VERSIONS}"
for ver in "${versions[@]}"; do
# Exclude 9.8_p1 because it didn't have the safety check
[[ ${ver} == 9.8_p1 ]] && break
if [[ ${ver%_*} == "${PV%_*}" ]]; then
# No major version change has occurred
return
fi
done
if [[ ${ROOT} ]]; then
return
elif [[ -d /run/systemd/system ]] && sshd -t >/dev/null 2>&1; then
ewarn "The ebuild will now attempt to restart OpenSSH to avoid"
ewarn "bricking the running instance. See bug #709748."
ebegin "Attempting to restart openssh via 'systemctl try-restart sshd'"
systemctl try-restart sshd
eend $?
elif [[ -d /run/openrc ]]; then
# We don't check for sshd -t here because the OpenRC init script
# has a stop_pre() which does checkconfig, i.e. we defer to it
# to give nicer output for a failed sanity check.
ewarn "The ebuild will now attempt to restart OpenSSH to avoid"
ewarn "bricking the running instance. See bug #709748."
ebegin "Attempting to restart openssh via 'rc-service -q --ifstarted --nodeps sshd restart'"
rc-service -q --ifstarted --nodeps sshd restart
eend $?
fi
}
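Review bot: The PATCHES array ends with a commented-out `#"${FILESDIR}/${PV}"` entry under `# Backports from upstream release branch` and an empty `# Our own backports` heading, which reads as dead code next to the sibling ebuilds in this commit that fill the same slot with `"${WORKDIR}/${P}-backports"`. Either drop those two lines or replace them with a statement of intent such as `# No release-branch or Gentoo backports apply to this revision yet`. A smaller point in `openssh_maybe_restart`: the pre-restart sanity check runs a bare `sshd -t`, resolved through PATH, even though the function has already returned when ROOT is set, so `"${EPREFIX}"/usr/sbin/sshd -t >/dev/null 2>&1` would test the binary the service is actually about to restart.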


@ -1,4 +1,4 @@
# Copyright 1999-2025 Gentoo Authors
# Copyright 1999-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@ -15,6 +15,7 @@ HOMEPAGE="https://www.openssh.com/"
SRC_URI="
mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )
https://dev.gentoo.org/~floppym/dist/${P}-backports.tar.gz
"
S="${WORKDIR}/${PARCH}"
@ -81,7 +82,7 @@ PATCHES=(
"${FILESDIR}/${PN}-9.7_p1-config-tweaks.patch"
"${FILESDIR}/${PN}-9.8_p1-inetd.patch"
# Backports from upstream release branch
"${FILESDIR}/${PV}"
"${WORKDIR}/${P}-backports"
)
pkg_pretend() {
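Review bot: The new `https://dev.gentoo.org/~floppym/dist/${P}-backports.tar.gz` entry in SRC_URI has no counterpart in the `verify-sig? ( … .asc )` line directly above it, so unlike the upstream tarball its authenticity rests solely on the Manifest digests (presumably recorded when the distfile was added). A short comment beside it would make that explicit for future maintainers, e.g. `# Unsigned developer-hosted tarball; integrity is pinned by the Manifest only`. The same applies to the identical SRC_URI change in the next file section.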


@ -1,4 +1,4 @@
# Copyright 1999-2025 Gentoo Authors
# Copyright 1999-2026 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
@ -18,6 +18,7 @@ HOMEPAGE="https://www.openssh.com/"
SRC_URI="
mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )
https://dev.gentoo.org/~floppym/dist/${P}-backports.tar.gz
"
S="${WORKDIR}/${PARCH}"
@ -83,7 +84,7 @@ PATCHES=(
"${FILESDIR}/${PN}-9.6_p1-fix-xmss-c99.patch"
"${FILESDIR}/${PN}-9.7_p1-config-tweaks.patch"
# Backports from upstream release branch
"${FILESDIR}/${PV}"
"${WORKDIR}/${P}-backports"
# Our own backports
"${FILESDIR}/${PN}-9.9_p1-x-forwarding-slow.patch"
)