diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest index a66d2cabe9..178acced05 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest @@ -1,4 +1,4 @@ -DIST openssh-7.2_p1-sctp.patch.xz 8088 SHA256 b9cc21336e23d44548e87964da9ff85ac83ce84693162abb172afb46be4a666e SHA512 b287684337a101a26ab8df6894b679b063cdaa7dfc7b78fcc0ce8350c27526f150a6463c515019beb0af2ff005cc109d2913998f95f828e553b835a4df8b64df WHIRLPOOL 16646a896f746946af84961974be08418b951c80249dce2fd4ae533a4d66e79d4372fd979aeda9c51aff51b86edf4178af18379e948195696a6fa114e2757306 -DIST openssh-7.2p2+x509-8.9.diff.gz 449308 SHA256 bd77fcd285d10a86fb2934e90776fe39e4cd2da043384ec2ca45296a60669589 SHA512 c7ed07aae72fd4f967ab5717831c51ad639ca59633c3768f6930bab0947f5429391e3911a7570288a1c688c8c21747f3cb722538ae96de6b50a021010e1506fa WHIRLPOOL 7c1328e471b0e5e9576117ec563b66fea142886b0666b6d51ac9b8ec09286ba7a965b62796c32206e855e484180797a2c31d500c27289f3bc8c7db2d3af95e6f -DIST openssh-7.2p2.tar.gz 1499808 SHA256 a72781d1a043876a224ff1b0032daa4094d87565a68528759c1c2cab5482548c SHA512 44f62b3a7bc50a0735d496a5aedeefb71550d8c10ad8f22b94e29fcc8084842db96e8c4ca41fced17af69e1aab09ed1182a12ad8650d9a46fd8743a0344df95b WHIRLPOOL 95e16af6d1d82f4a660b56854b8e9da947b89e47775c06fe277a612cd1a7cabe7454087eb45034aedfb9b08096ce4aa427b9a37f43f70ccf1073664bdec13386 -DIST openssh-lpk-7.2p2-0.3.14.patch.xz 17692 SHA256 2cd4108d60112bd97402f9c27aac2c24d334a37afe0933ad9c6377a257a68aee SHA512 e6a25f8f0106fadcb799300452d6f22034d3fc69bd1c95a3365884873861f41b1e9d49f2c5223dde6fcd00562c652ba466bc8c48833ce5ab353af3a041f75b15 WHIRLPOOL 237343b320772a1588b64c4135758af840199214129d7e8cfa9798f976c32902ca5493ee0c33b16003854fea243556997bc688640a9872b82c06f72c86f2586d +DIST openssh-7.3_p1-sctp.patch.xz 9968 SHA256 18c3db45ed1e5495db29626938d8432aee509e88057494f052cfc09d40824c7f SHA512 f249b76898af0c6f1f65f2a1cfb422648aa712818d0dc051b85a171f26bdddf7980fff5de7761161aa41c309e528b3801b4234f5cdd9f79f8eef173ae83f1e3c WHIRLPOOL 1d92b969154b77d8ce9e3a6d0302aa17ec95e2d5ea4de72c0fb5680a8ee12f518ee5b1c47f22ad5d1a923a74c43829ed36cf478fe75fe400de967ab48d93dc99 +DIST openssh-7.3p1+x509-9.2.diff.gz 588078 SHA256 45f054cbb2b77ac8cc7ab01439e34083382137d47b840ca274555b7e2cf7098b SHA512 fab0da148b0833a651e8a7c36f344aacecef6fa92f8f1cb6302272d98c1ab018831f5850dcaa8f54a39f9ada9b7d5b0a0ea01defc3c6f603bbe211f6bff6a841 WHIRLPOOL 53f63d879f563909c57d23ced273e23eda1eace2a2ddfd54edf5f2ef15218cc7e5d927e54714b6850db541f361c459de50d79b0a4516b43ce4cba8eb66b49485 +DIST openssh-7.3p1.tar.gz 1522617 SHA256 3ffb989a6dcaa69594c3b550d4855a5a2e1718ccdde7f5e36387b424220fbecc SHA512 7ba2d6140f38bd359ebf32ef17626e0ae1c00c3a38c01877b7c6b0317d030f10a8f82a0a51fc3b6273619de9ed73e24b8cf107b1e968f927053a3bedf97ff801 WHIRLPOOL f852026638d173d455f74e3fce16673fc4b10f32d954d5bb8c7c65df8d1ca7efd0938177dd9fb6e1f7354383f21c7bca8a2f01e89793e32f8ca68c30456a611c +DIST openssh-lpk-7.3p1-0.3.14.patch.xz 17800 SHA256 cf1f60235cb8b0e561cd36cbf9e4f437e16fd748c2616d3f511c128c02deb76c SHA512 e9a73c5f13e41f6e11c744fdbcdb2e399c394479f79249e901cb3c101efb06f23d51d3ba4869db872184fa034a5910fc93a730fe906266c8d7409e39ad5b1ecd WHIRLPOOL bbdeadbed8f901148713bd9e4a082a4be2992c3151f995febd8be89bbb85d91185e1f0413b5a94a9340f2f404d18c9cee2aa6e032adaee0306aa1c624f6cc09c diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.1_p2-x509-hpn14v10-glue.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.1_p2-x509-hpn14v10-glue.patch deleted file mode 100644 index 512456975b..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.1_p2-x509-hpn14v10-glue.patch +++ /dev/null @@ -1,51 +0,0 @@ ---- openssh-7.1p2/Makefile.in -+++ openssh-7.1p2/Makefile.in -@@ -45,7 +45,7 @@ - CC=@CC@ - LD=@LD@ - CFLAGS=@CFLAGS@ --CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ -+CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ - LIBS=@LIBS@ - K5LIBS=@K5LIBS@ - GSSLIBS=@GSSLIBS@ -@@ -53,6 +53,7 @@ - SSHDLIBS=@SSHDLIBS@ - LIBEDIT=@LIBEDIT@ - LIBLDAP=@LDAP_LDFLAGS@ @LDAP_LIBS@ -+CPPFLAGS+=@LDAP_CPPFLAGS@ - AR=@AR@ - AWK=@AWK@ - RANLIB=@RANLIB@ ---- openssh-7.1p2/sshconnect.c -+++ openssh-7.1p2/sshconnect.c -@@ -465,7 +465,7 @@ - { - /* Send our own protocol version identification. */ - if (compat20) { -- xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX\r\n", -+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", - PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION); - } else { - xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n", ---- openssh-7.1p2/sshd.c -+++ openssh-7.1p2/sshd.c -@@ -472,8 +472,8 @@ - comment = ""; - } - -- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s", -- major, minor, SSH_VERSION, comment, -+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", -+ major, minor, SSH_VERSION, - *options.version_addendum == '\0' ? "" : " ", - options.version_addendum, newline); - ---- openssh-7.1p2/version.h -+++ openssh-7.1p2/version.h -@@ -3,4 +3,5 @@ - #define SSH_VERSION "OpenSSH_7.1" - - #define SSH_PORTABLE "p2" -+#define SSH_X509 " PKIX" - #define SSH_RELEASE SSH_VERSION SSH_PORTABLE diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch new file mode 100644 index 0000000000..7eaadaf11c --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3-mips-seccomp-n32.patch @@ -0,0 +1,21 @@ +https://bugs.gentoo.org/591392 +https://bugzilla.mindrot.org/show_bug.cgi?id=2590 + +7.3 added seccomp support to MIPS, but failed to handled the N32 +case. This patch is temporary until upstream fixes. + +--- openssh-7.3p1/configure.ac ++++ openssh-7.3p1/configure.ac +@@ -816,10 +816,10 @@ main() { if (NSVersionOfRunTimeLibrary(" + seccomp_audit_arch=AUDIT_ARCH_MIPSEL + ;; + mips64-*) +- seccomp_audit_arch=AUDIT_ARCH_MIPS64 ++ seccomp_audit_arch=AUDIT_ARCH_MIPS64N32 + ;; + mips64el-*) +- seccomp_audit_arch=AUDIT_ARCH_MIPSEL64 ++ seccomp_audit_arch=AUDIT_ARCH_MIPSEL64N32 + ;; + esac + if test "x$seccomp_audit_arch" != "x" ; then diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-GSSAPI-dns.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-GSSAPI-dns.patch new file mode 100644 index 0000000000..806b36d0ca --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-GSSAPI-dns.patch @@ -0,0 +1,351 @@ +http://bugs.gentoo.org/165444 +https://bugzilla.mindrot.org/show_bug.cgi?id=1008 + +--- a/readconf.c ++++ b/readconf.c +@@ -148,6 +148,7 @@ + oClearAllForwardings, oNoHostAuthenticationForLocalhost, + oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, + oAddressFamily, oGssAuthentication, oGssDelegateCreds, ++ oGssTrustDns, + oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, + oSendEnv, oControlPath, oControlMaster, oControlPersist, + oHashKnownHosts, +@@ -194,9 +195,11 @@ + #if defined(GSSAPI) + { "gssapiauthentication", oGssAuthentication }, + { "gssapidelegatecredentials", oGssDelegateCreds }, ++ { "gssapitrustdns", oGssTrustDns }, + #else + { "gssapiauthentication", oUnsupported }, + { "gssapidelegatecredentials", oUnsupported }, ++ { "gssapitrustdns", oUnsupported }, + #endif + { "fallbacktorsh", oDeprecated }, + { "usersh", oDeprecated }, +@@ -930,6 +933,10 @@ + intptr = &options->gss_deleg_creds; + goto parse_flag; + ++ case oGssTrustDns: ++ intptr = &options->gss_trust_dns; ++ goto parse_flag; ++ + case oBatchMode: + intptr = &options->batch_mode; + goto parse_flag; +@@ -1649,6 +1656,7 @@ + options->challenge_response_authentication = -1; + options->gss_authentication = -1; + options->gss_deleg_creds = -1; ++ options->gss_trust_dns = -1; + options->password_authentication = -1; + options->kbd_interactive_authentication = -1; + options->kbd_interactive_devices = NULL; +@@ -1779,6 +1787,8 @@ + options->gss_authentication = 0; + if (options->gss_deleg_creds == -1) + options->gss_deleg_creds = 0; ++ if (options->gss_trust_dns == -1) ++ options->gss_trust_dns = 0; + if (options->password_authentication == -1) + options->password_authentication = 1; + if (options->kbd_interactive_authentication == -1) +--- a/readconf.h ++++ b/readconf.h +@@ -46,6 +46,7 @@ + /* Try S/Key or TIS, authentication. */ + int gss_authentication; /* Try GSS authentication */ + int gss_deleg_creds; /* Delegate GSS credentials */ ++ int gss_trust_dns; /* Trust DNS for GSS canonicalization */ + int password_authentication; /* Try password + * authentication. */ + int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ +--- a/ssh_config.5 ++++ b/ssh_config.5 +@@ -830,6 +830,16 @@ + Forward (delegate) credentials to the server. + The default is + .Dq no . ++Note that this option applies to protocol version 2 connections using GSSAPI. ++.It Cm GSSAPITrustDns ++Set to ++.Dq yes to indicate that the DNS is trusted to securely canonicalize ++the name of the host being connected to. If ++.Dq no, the hostname entered on the ++command line will be passed untouched to the GSSAPI library. ++The default is ++.Dq no . ++This option only applies to protocol version 2 connections using GSSAPI. + .It Cm HashKnownHosts + Indicates that + .Xr ssh 1 +--- a/sshconnect2.c ++++ b/sshconnect2.c +@@ -656,6 +656,13 @@ + static u_int mech = 0; + OM_uint32 min; + int ok = 0; ++ const char *gss_host; ++ ++ if (options.gss_trust_dns) { ++ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns); ++ gss_host = auth_get_canonical_hostname(active_state, 1); ++ } else ++ gss_host = authctxt->host; + + /* Try one GSSAPI method at a time, rather than sending them all at + * once. */ +@@ -668,7 +674,7 @@ + /* My DER encoding requires length<128 */ + if (gss_supported->elements[mech].length < 128 && + ssh_gssapi_check_mechanism(&gssctxt, +- &gss_supported->elements[mech], authctxt->host)) { ++ &gss_supported->elements[mech], gss_host)) { + ok = 1; /* Mechanism works */ + } else { + mech++; + +need to move these two funcs back to canohost so they're available to clients +and the server. auth.c is only used in the server. + +--- a/auth.c ++++ b/auth.c +@@ -784,117 +784,3 @@ fakepw(void) + + return (&fake); + } +- +-/* +- * Returns the remote DNS hostname as a string. The returned string must not +- * be freed. NB. this will usually trigger a DNS query the first time it is +- * called. +- * This function does additional checks on the hostname to mitigate some +- * attacks on legacy rhosts-style authentication. +- * XXX is RhostsRSAAuthentication vulnerable to these? +- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) +- */ +- +-static char * +-remote_hostname(struct ssh *ssh) +-{ +- struct sockaddr_storage from; +- socklen_t fromlen; +- struct addrinfo hints, *ai, *aitop; +- char name[NI_MAXHOST], ntop2[NI_MAXHOST]; +- const char *ntop = ssh_remote_ipaddr(ssh); +- +- /* Get IP address of client. */ +- fromlen = sizeof(from); +- memset(&from, 0, sizeof(from)); +- if (getpeername(ssh_packet_get_connection_in(ssh), +- (struct sockaddr *)&from, &fromlen) < 0) { +- debug("getpeername failed: %.100s", strerror(errno)); +- return strdup(ntop); +- } +- +- ipv64_normalise_mapped(&from, &fromlen); +- if (from.ss_family == AF_INET6) +- fromlen = sizeof(struct sockaddr_in6); +- +- debug3("Trying to reverse map address %.100s.", ntop); +- /* Map the IP address to a host name. */ +- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), +- NULL, 0, NI_NAMEREQD) != 0) { +- /* Host name not found. Use ip address. */ +- return strdup(ntop); +- } +- +- /* +- * if reverse lookup result looks like a numeric hostname, +- * someone is trying to trick us by PTR record like following: +- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 +- */ +- memset(&hints, 0, sizeof(hints)); +- hints.ai_socktype = SOCK_DGRAM; /*dummy*/ +- hints.ai_flags = AI_NUMERICHOST; +- if (getaddrinfo(name, NULL, &hints, &ai) == 0) { +- logit("Nasty PTR record \"%s\" is set up for %s, ignoring", +- name, ntop); +- freeaddrinfo(ai); +- return strdup(ntop); +- } +- +- /* Names are stored in lowercase. */ +- lowercase(name); +- +- /* +- * Map it back to an IP address and check that the given +- * address actually is an address of this host. This is +- * necessary because anyone with access to a name server can +- * define arbitrary names for an IP address. Mapping from +- * name to IP address can be trusted better (but can still be +- * fooled if the intruder has access to the name server of +- * the domain). +- */ +- memset(&hints, 0, sizeof(hints)); +- hints.ai_family = from.ss_family; +- hints.ai_socktype = SOCK_STREAM; +- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { +- logit("reverse mapping checking getaddrinfo for %.700s " +- "[%s] failed.", name, ntop); +- return strdup(ntop); +- } +- /* Look for the address from the list of addresses. */ +- for (ai = aitop; ai; ai = ai->ai_next) { +- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, +- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && +- (strcmp(ntop, ntop2) == 0)) +- break; +- } +- freeaddrinfo(aitop); +- /* If we reached the end of the list, the address was not there. */ +- if (ai == NULL) { +- /* Address not found for the host name. */ +- logit("Address %.100s maps to %.600s, but this does not " +- "map back to the address.", ntop, name); +- return strdup(ntop); +- } +- return strdup(name); +-} +- +-/* +- * Return the canonical name of the host in the other side of the current +- * connection. The host name is cached, so it is efficient to call this +- * several times. +- */ +- +-const char * +-auth_get_canonical_hostname(struct ssh *ssh, int use_dns) +-{ +- static char *dnsname; +- +- if (!use_dns) +- return ssh_remote_ipaddr(ssh); +- else if (dnsname != NULL) +- return dnsname; +- else { +- dnsname = remote_hostname(ssh); +- return dnsname; +- } +-} +--- a/canohost.c ++++ b/canohost.c +@@ -202,3 +202,117 @@ get_local_port(int sock) + { + return get_sock_port(sock, 1); + } ++ ++/* ++ * Returns the remote DNS hostname as a string. The returned string must not ++ * be freed. NB. this will usually trigger a DNS query the first time it is ++ * called. ++ * This function does additional checks on the hostname to mitigate some ++ * attacks on legacy rhosts-style authentication. ++ * XXX is RhostsRSAAuthentication vulnerable to these? ++ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) ++ */ ++ ++static char * ++remote_hostname(struct ssh *ssh) ++{ ++ struct sockaddr_storage from; ++ socklen_t fromlen; ++ struct addrinfo hints, *ai, *aitop; ++ char name[NI_MAXHOST], ntop2[NI_MAXHOST]; ++ const char *ntop = ssh_remote_ipaddr(ssh); ++ ++ /* Get IP address of client. */ ++ fromlen = sizeof(from); ++ memset(&from, 0, sizeof(from)); ++ if (getpeername(ssh_packet_get_connection_in(ssh), ++ (struct sockaddr *)&from, &fromlen) < 0) { ++ debug("getpeername failed: %.100s", strerror(errno)); ++ return strdup(ntop); ++ } ++ ++ ipv64_normalise_mapped(&from, &fromlen); ++ if (from.ss_family == AF_INET6) ++ fromlen = sizeof(struct sockaddr_in6); ++ ++ debug3("Trying to reverse map address %.100s.", ntop); ++ /* Map the IP address to a host name. */ ++ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), ++ NULL, 0, NI_NAMEREQD) != 0) { ++ /* Host name not found. Use ip address. */ ++ return strdup(ntop); ++ } ++ ++ /* ++ * if reverse lookup result looks like a numeric hostname, ++ * someone is trying to trick us by PTR record like following: ++ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 ++ */ ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_socktype = SOCK_DGRAM; /*dummy*/ ++ hints.ai_flags = AI_NUMERICHOST; ++ if (getaddrinfo(name, NULL, &hints, &ai) == 0) { ++ logit("Nasty PTR record \"%s\" is set up for %s, ignoring", ++ name, ntop); ++ freeaddrinfo(ai); ++ return strdup(ntop); ++ } ++ ++ /* Names are stored in lowercase. */ ++ lowercase(name); ++ ++ /* ++ * Map it back to an IP address and check that the given ++ * address actually is an address of this host. This is ++ * necessary because anyone with access to a name server can ++ * define arbitrary names for an IP address. Mapping from ++ * name to IP address can be trusted better (but can still be ++ * fooled if the intruder has access to the name server of ++ * the domain). ++ */ ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = from.ss_family; ++ hints.ai_socktype = SOCK_STREAM; ++ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { ++ logit("reverse mapping checking getaddrinfo for %.700s " ++ "[%s] failed.", name, ntop); ++ return strdup(ntop); ++ } ++ /* Look for the address from the list of addresses. */ ++ for (ai = aitop; ai; ai = ai->ai_next) { ++ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, ++ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && ++ (strcmp(ntop, ntop2) == 0)) ++ break; ++ } ++ freeaddrinfo(aitop); ++ /* If we reached the end of the list, the address was not there. */ ++ if (ai == NULL) { ++ /* Address not found for the host name. */ ++ logit("Address %.100s maps to %.600s, but this does not " ++ "map back to the address.", ntop, name); ++ return strdup(ntop); ++ } ++ return strdup(name); ++} ++ ++/* ++ * Return the canonical name of the host in the other side of the current ++ * connection. The host name is cached, so it is efficient to call this ++ * several times. ++ */ ++ ++const char * ++auth_get_canonical_hostname(struct ssh *ssh, int use_dns) ++{ ++ static char *dnsname; ++ ++ if (!use_dns) ++ return ssh_remote_ipaddr(ssh); ++ else if (dnsname != NULL) ++ return dnsname; ++ else { ++ dnsname = remote_hostname(ssh); ++ return dnsname; ++ } ++} diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-NEWKEYS_null_deref.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-NEWKEYS_null_deref.patch new file mode 100644 index 0000000000..784cd2aa7e --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-NEWKEYS_null_deref.patch @@ -0,0 +1,29 @@ +https://bugs.gentoo.org/595342 + +Backport of +https://anongit.mindrot.org/openssh.git/patch/?id=28652bca29046f62c7045e933e6b931de1d16737 + +--- openssh-7.3p1/kex.c ++++ openssh-7.3p1/kex.c +@@ -419,6 +419,8 @@ + ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error); + if ((r = sshpkt_get_end(ssh)) != 0) + return r; ++ if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0) ++ return r; + kex->done = 1; + sshbuf_reset(kex->peer); + /* sshbuf_reset(kex->my); */ +--- openssh-7.3p1/packet.c ++++ openssh-7.3p1/packet.c +@@ -1919,9 +1919,7 @@ + return r; + return SSH_ERR_PROTOCOL_ERROR; + } +- if (*typep == SSH2_MSG_NEWKEYS) +- r = ssh_set_newkeys(ssh, MODE_IN); +- else if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side) ++ if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side) + r = ssh_packet_enable_delayed_compress(ssh); + else + r = 0; diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch new file mode 100644 index 0000000000..8603601ca7 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch @@ -0,0 +1,32 @@ +https://bugs.gentoo.org/597360 + +From ec165c392ca54317dbe3064a8c200de6531e89ad Mon Sep 17 00:00:00 2001 +From: "markus@openbsd.org" +Date: Mon, 10 Oct 2016 19:28:48 +0000 +Subject: [PATCH] upstream commit + +Unregister the KEXINIT handler after message has been +received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause +allocation of up to 128MB -- until the connection is closed. Reported by +shilei-c at 360.cn + +Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05 +--- + kex.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kex.c b/kex.c +index 3f97f8c00919..6a94bc535bd7 100644 +--- a/kex.c ++++ b/kex.c +@@ -481,6 +481,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt) + if (kex == NULL) + return SSH_ERR_INVALID_ARGUMENT; + ++ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL); + ptr = sshpkt_ptr(ssh, &dlen); + if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0) + return r; +-- +2.11.0.rc2 + diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.2_p1-fix-krb5-config.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-fix-krb5-config.patch similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.2_p1-fix-krb5-config.patch rename to sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-fix-krb5-config.patch diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch new file mode 100644 index 0000000000..7fb0d8069b --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch @@ -0,0 +1,34 @@ +https://bugs.gentoo.org/592122 + +From e600348a7afd6325cc5cd783cb424065cbc20434 Mon Sep 17 00:00:00 2001 +From: "dtucker@openbsd.org" +Date: Wed, 3 Aug 2016 04:23:55 +0000 +Subject: [PATCH] upstream commit + +Fix bug introduced in rev 1.467 which causes +"buffer_get_bignum_ret: incomplete message" errors when built with WITH_SSH1 +and run such that no Protocol 1 ephemeral host key is generated (eg "Protocol +2", no SSH1 host key supplied). Reported by rainer.laatsch at t-online.de, +ok deraadt@ + +Upstream-ID: aa6b132da5c325523aed7989cc5a320497c919dc +--- + sshd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sshd.c b/sshd.c +index 799c7711f49c..9fc829a91bc8 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -1071,7 +1071,7 @@ send_rexec_state(int fd, struct sshbuf *conf) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + } else + #endif +- if ((r = sshbuf_put_u32(m, 1)) != 0) ++ if ((r = sshbuf_put_u32(m, 0)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + + #if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY) +-- +2.11.0.rc2 + diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-hpn-12-x509-9.2-glue.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-hpn-12-x509-9.2-glue.patch new file mode 100644 index 0000000000..0602307128 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-hpn-12-x509-9.2-glue.patch @@ -0,0 +1,39 @@ +--- a/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch ++++ b/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch +@@ -1155,7 +1155,7 @@ + @@ -44,7 +44,7 @@ + LD=@LD@ + CFLAGS=@CFLAGS@ +- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ ++ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ + -LIBS=@LIBS@ + +LIBS=@LIBS@ -lpthread + K5LIBS=@K5LIBS@ +--- a/0004-support-dynamically-sized-receive-buffers.patch ++++ b/0004-support-dynamically-sized-receive-buffers.patch +@@ -2144,9 +2144,9 @@ + @@ -527,10 +555,10 @@ send_client_banner(int connection_out, int minor1) + /* Send our own protocol version identification. */ + if (compat20) { +- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", +-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION); +-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE); ++ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n", ++- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509); +++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, SSH_X509); + } else { + xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n", + - PROTOCOL_MAJOR_1, minor1, SSH_VERSION); +@@ -2163,9 +2163,9 @@ + @@ -432,7 +432,7 @@ + } + +- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", +-- major, minor, SSH_VERSION, +-+ major, minor, SSH_RELEASE, ++ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s", ++- major, minor, SSH_VERSION, comment, +++ major, minor, SSH_RELEASE, comment, + *options.version_addendum == '\0' ? "" : " ", + options.version_addendum, newline); + diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch new file mode 100644 index 0000000000..9cc7b61a6a --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch @@ -0,0 +1,245 @@ +diff --git a/cipher-ctr-mt.c b/cipher-ctr-mt.c +index fdc9b2f..300cd90 100644 +--- a/cipher-ctr-mt.c ++++ b/cipher-ctr-mt.c +@@ -127,7 +127,7 @@ struct kq { + u_char keys[KQLEN][AES_BLOCK_SIZE]; + u_char ctr[AES_BLOCK_SIZE]; + u_char pad0[CACHELINE_LEN]; +- volatile int qstate; ++ int qstate; + pthread_mutex_t lock; + pthread_cond_t cond; + u_char pad1[CACHELINE_LEN]; +@@ -141,6 +141,11 @@ struct ssh_aes_ctr_ctx + STATS_STRUCT(stats); + u_char aes_counter[AES_BLOCK_SIZE]; + pthread_t tid[CIPHER_THREADS]; ++ pthread_rwlock_t tid_lock; ++#ifdef __APPLE__ ++ pthread_rwlock_t stop_lock; ++ int exit_flag; ++#endif /* __APPLE__ */ + int state; + int qidx; + int ridx; +@@ -187,6 +192,57 @@ thread_loop_cleanup(void *x) + pthread_mutex_unlock((pthread_mutex_t *)x); + } + ++#ifdef __APPLE__ ++/* Check if we should exit, we are doing both cancel and exit condition ++ * since on OSX threads seem to occasionally fail to notice when they have ++ * been cancelled. We want to have a backup to make sure that we won't hang ++ * when the main process join()-s the cancelled thread. ++ */ ++static void ++thread_loop_check_exit(struct ssh_aes_ctr_ctx *c) ++{ ++ int exit_flag; ++ ++ pthread_rwlock_rdlock(&c->stop_lock); ++ exit_flag = c->exit_flag; ++ pthread_rwlock_unlock(&c->stop_lock); ++ ++ if (exit_flag) ++ pthread_exit(NULL); ++} ++#else ++# define thread_loop_check_exit(s) ++#endif /* __APPLE__ */ ++ ++/* ++ * Helper function to terminate the helper threads ++ */ ++static void ++stop_and_join_pregen_threads(struct ssh_aes_ctr_ctx *c) ++{ ++ int i; ++ ++#ifdef __APPLE__ ++ /* notify threads that they should exit */ ++ pthread_rwlock_wrlock(&c->stop_lock); ++ c->exit_flag = TRUE; ++ pthread_rwlock_unlock(&c->stop_lock); ++#endif /* __APPLE__ */ ++ ++ /* Cancel pregen threads */ ++ for (i = 0; i < CIPHER_THREADS; i++) { ++ pthread_cancel(c->tid[i]); ++ } ++ for (i = 0; i < NUMKQ; i++) { ++ pthread_mutex_lock(&c->q[i].lock); ++ pthread_cond_broadcast(&c->q[i].cond); ++ pthread_mutex_unlock(&c->q[i].lock); ++ } ++ for (i = 0; i < CIPHER_THREADS; i++) { ++ pthread_join(c->tid[i], NULL); ++ } ++} ++ + /* + * The life of a pregen thread: + * Find empty keystream queues and fill them using their counter. +@@ -201,6 +257,7 @@ thread_loop(void *x) + struct kq *q; + int i; + int qidx; ++ pthread_t first_tid; + + /* Threads stats on cancellation */ + STATS_INIT(stats); +@@ -211,11 +268,15 @@ thread_loop(void *x) + /* Thread local copy of AES key */ + memcpy(&key, &c->aes_ctx, sizeof(key)); + ++ pthread_rwlock_rdlock(&c->tid_lock); ++ first_tid = c->tid[0]; ++ pthread_rwlock_unlock(&c->tid_lock); ++ + /* + * Handle the special case of startup, one thread must fill + * the first KQ then mark it as draining. Lock held throughout. + */ +- if (pthread_equal(pthread_self(), c->tid[0])) { ++ if (pthread_equal(pthread_self(), first_tid)) { + q = &c->q[0]; + pthread_mutex_lock(&q->lock); + if (q->qstate == KQINIT) { +@@ -245,12 +306,16 @@ thread_loop(void *x) + /* Check if I was cancelled, also checked in cond_wait */ + pthread_testcancel(); + ++ /* Check if we should exit as well */ ++ thread_loop_check_exit(c); ++ + /* Lock queue and block if its draining */ + q = &c->q[qidx]; + pthread_mutex_lock(&q->lock); + pthread_cleanup_push(thread_loop_cleanup, &q->lock); + while (q->qstate == KQDRAINING || q->qstate == KQINIT) { + STATS_WAIT(stats); ++ thread_loop_check_exit(c); + pthread_cond_wait(&q->cond, &q->lock); + } + pthread_cleanup_pop(0); +@@ -268,6 +333,7 @@ thread_loop(void *x) + * can see that it's being filled. + */ + q->qstate = KQFILLING; ++ pthread_cond_broadcast(&q->cond); + pthread_mutex_unlock(&q->lock); + for (i = 0; i < KQLEN; i++) { + AES_encrypt(q->ctr, q->keys[i], &key); +@@ -279,7 +345,7 @@ thread_loop(void *x) + ssh_ctr_add(q->ctr, KQLEN * (NUMKQ - 1), AES_BLOCK_SIZE); + q->qstate = KQFULL; + STATS_FILL(stats); +- pthread_cond_signal(&q->cond); ++ pthread_cond_broadcast(&q->cond); + pthread_mutex_unlock(&q->lock); + } + +@@ -371,6 +437,7 @@ ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, + pthread_cond_wait(&q->cond, &q->lock); + } + q->qstate = KQDRAINING; ++ pthread_cond_broadcast(&q->cond); + pthread_mutex_unlock(&q->lock); + + /* Mark consumed queue empty and signal producers */ +@@ -397,6 +464,11 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, + + if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) { + c = xmalloc(sizeof(*c)); ++ pthread_rwlock_init(&c->tid_lock, NULL); ++#ifdef __APPLE__ ++ pthread_rwlock_init(&c->stop_lock, NULL); ++ c->exit_flag = FALSE; ++#endif /* __APPLE__ */ + + c->state = HAVE_NONE; + for (i = 0; i < NUMKQ; i++) { +@@ -409,11 +481,14 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, + } + + if (c->state == (HAVE_KEY | HAVE_IV)) { +- /* Cancel pregen threads */ +- for (i = 0; i < CIPHER_THREADS; i++) +- pthread_cancel(c->tid[i]); +- for (i = 0; i < CIPHER_THREADS; i++) +- pthread_join(c->tid[i], NULL); ++ /* tell the pregen threads to exit */ ++ stop_and_join_pregen_threads(c); ++ ++#ifdef __APPLE__ ++ /* reset the exit flag */ ++ c->exit_flag = FALSE; ++#endif /* __APPLE__ */ ++ + /* Start over getting key & iv */ + c->state = HAVE_NONE; + } +@@ -444,10 +519,12 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, + /* Start threads */ + for (i = 0; i < CIPHER_THREADS; i++) { + debug("spawned a thread"); ++ pthread_rwlock_wrlock(&c->tid_lock); + pthread_create(&c->tid[i], NULL, thread_loop, c); ++ pthread_rwlock_unlock(&c->tid_lock); + } + pthread_mutex_lock(&c->q[0].lock); +- while (c->q[0].qstate != KQDRAINING) ++ while (c->q[0].qstate == KQINIT) + pthread_cond_wait(&c->q[0].cond, &c->q[0].lock); + pthread_mutex_unlock(&c->q[0].lock); + } +@@ -461,15 +538,10 @@ void + ssh_aes_ctr_thread_destroy(EVP_CIPHER_CTX *ctx) + { + struct ssh_aes_ctr_ctx *c; +- int i; ++ + c = EVP_CIPHER_CTX_get_app_data(ctx); +- /* destroy threads */ +- for (i = 0; i < CIPHER_THREADS; i++) { +- pthread_cancel(c->tid[i]); +- } +- for (i = 0; i < CIPHER_THREADS; i++) { +- pthread_join(c->tid[i], NULL); +- } ++ ++ stop_and_join_pregen_threads(c); + } + + void +@@ -481,7 +553,9 @@ ssh_aes_ctr_thread_reconstruction(EVP_CIPHER_CTX *ctx) + /* reconstruct threads */ + for (i = 0; i < CIPHER_THREADS; i++) { + debug("spawned a thread"); ++ pthread_rwlock_wrlock(&c->tid_lock); + pthread_create(&c->tid[i], NULL, thread_loop, c); ++ pthread_rwlock_unlock(&c->tid_lock); + } + } + +@@ -489,18 +563,13 @@ static int + ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx) + { + struct ssh_aes_ctr_ctx *c; +- int i; + + if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) { + #ifdef CIPHER_THREAD_STATS + debug("main thread: %u drains, %u waits", c->stats.drains, + c->stats.waits); + #endif +- /* Cancel pregen threads */ +- for (i = 0; i < CIPHER_THREADS; i++) +- pthread_cancel(c->tid[i]); +- for (i = 0; i < CIPHER_THREADS; i++) +- pthread_join(c->tid[i], NULL); ++ stop_and_join_pregen_threads(c); + + memset(c, 0, sizeof(*c)); + free(c); diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-9.2-glue.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-9.2-glue.patch new file mode 100644 index 0000000000..f077c0517f --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-9.2-glue.patch @@ -0,0 +1,41 @@ +--- a/openssh-7.3_p1-hpn-14.10-r1.patch 2016-09-19 15:00:21.561121417 -0700 ++++ b/openssh-7.3_p1-hpn-14.10-r1.patch 2016-09-19 15:22:51.337118439 -0700 +@@ -1155,7 +1155,7 @@ + @@ -44,7 +44,7 @@ + LD=@LD@ + CFLAGS=@CFLAGS@ +- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ ++ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ + -LIBS=@LIBS@ + +LIBS=@LIBS@ -lpthread + K5LIBS=@K5LIBS@ +@@ -2144,12 +2144,12 @@ + /* Bind the socket to an alternative local IP address */ + if (options.bind_address == NULL && !privileged) + return sock; +-@@ -527,10 +555,10 @@ ++@@ -555,10 +583,10 @@ + /* Send our own protocol version identification. */ + if (compat20) { +- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", +-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION); +-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE); ++ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n", ++- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509); +++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, SSH_X509); + } else { + xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n", + - PROTOCOL_MAJOR_1, minor1, SSH_VERSION); +@@ -2163,9 +2163,9 @@ + @@ -432,7 +432,7 @@ + } + +- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", +-- major, minor, SSH_VERSION, +-+ major, minor, SSH_RELEASE, ++ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s", ++- major, minor, SSH_VERSION, comment, +++ major, minor, SSH_RELEASE, comment, + *options.version_addendum == '\0' ? "" : " ", + options.version_addendum, newline); + diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-glue.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-glue.patch new file mode 100644 index 0000000000..d458e9efd7 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-glue.patch @@ -0,0 +1,33 @@ +--- a/openssh-7.3_p1-hpn-14.10.patch 12:11:41.120750207 -0700 ++++ b/openssh-7.3_p1-hpn-14.10.patch 14:00:44.311487904 -0700 +@@ -141,7 +141,7 @@ + @@ -44,7 +44,7 @@ CC=@CC@ + LD=@LD@ + CFLAGS=@CFLAGS@ +- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ ++ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ + -LIBS=@LIBS@ + +LIBS=@LIBS@ -lpthread + K5LIBS=@K5LIBS@ +@@ -2098,7 +2098,7 @@ + @@ -527,10 +555,10 @@ send_client_banner(int connection_out, int minor1) + /* Send our own protocol version identification. */ + if (compat20) { +- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", ++ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX\r\n", + - PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION); + + PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE); + } else { +@@ -2196,9 +2196,9 @@ + @@ -431,7 +431,7 @@ sshd_exchange_identification(int sock_in, int sock_out) + } + +- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s", +-- major, minor, SSH_VERSION, +-+ major, minor, SSH_RELEASE, ++ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s", ++- major, minor, SSH_VERSION, comment, +++ major, minor, SSH_RELEASE, comment, + *options.version_addendum == '\0' ? "" : " ", + options.version_addendum, newline); + diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch new file mode 100644 index 0000000000..2def6993e6 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch @@ -0,0 +1,67 @@ +--- a/openssh-7.3_p1-sctp.patch 2016-08-03 13:10:15.733228732 -0700 ++++ b/openssh-7.3_p1-sctp.patch 2016-08-03 13:25:53.274630002 -0700 +@@ -226,14 +226,6 @@ + .Op Fl c Ar cipher + .Op Fl F Ar ssh_config + .Op Fl i Ar identity_file +-@@ -183,6 +183,7 @@ For full details of the options listed below, and their possible values, see +- .It ServerAliveCountMax +- .It StrictHostKeyChecking +- .It TCPKeepAlive +-+.It Transport +- .It UpdateHostKeys +- .It UsePrivilegedPort +- .It User + @@ -224,6 +225,8 @@ and + to print debugging messages about their progress. + This is helpful in +@@ -493,19 +485,11 @@ + .Sh SYNOPSIS + .Nm ssh + .Bk -words +--.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy +-+.Op Fl 1246AaCfGgKkMNnqsTtVvXxYyz ++-.Op Fl 1246AaCdfgKkMNnqsTtVvXxYy +++.Op Fl 1246AaCdfgKkMNnqsTtVvXxYyz + .Op Fl b Ar bind_address + .Op Fl c Ar cipher_spec + .Op Fl D Oo Ar bind_address : Oc Ns Ar port +-@@ -558,6 +558,7 @@ For full details of the options listed below, and their possible values, see +- .It StreamLocalBindUnlink +- .It StrictHostKeyChecking +- .It TCPKeepAlive +-+.It Transport +- .It Tunnel +- .It TunnelDevice +- .It UpdateHostKeys + @@ -795,6 +796,8 @@ controls. + .Pp + .It Fl y +@@ -533,18 +517,18 @@ + usage(void) + { + fprintf(stderr, +--"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n" +-+"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n" ++-"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n" +++"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n" + " [-D [bind_address:]port] [-E log_file] [-e escape_char]\n" +- " [-F configfile] [-I pkcs11] [-i identity_file]\n" +- " [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]\n" ++ " [-F configfile]\n" ++ #ifdef USE_OPENSSL_ENGINE + @@ -608,7 +613,7 @@ main(int ac, char **av) +- argv0 = av[0]; ++ # define ENGCONFIG "" ++ #endif + +- again: +-- while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" +-+ while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT +- "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { ++- while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" +++ while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" SCTP_OPT ++ "ACD:E:F:" ENGCONFIG "I:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { + switch (opt) { + case '1': + @@ -857,6 +862,11 @@ main(int ac, char **av) diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-x509-9.2-warnings.patch b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-x509-9.2-warnings.patch new file mode 100644 index 0000000000..528dc6f22a --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-x509-9.2-warnings.patch @@ -0,0 +1,109 @@ +diff --git a/kex.c b/kex.c +index 143227a..c9b84c2 100644 +--- a/kex.c ++++ b/kex.c +@@ -345,9 +345,9 @@ kex_reset_dispatch(struct ssh *ssh) + static int + kex_send_ext_info(struct ssh *ssh) + { ++#ifdef EXPERIMENTAL_RSA_SHA2_256 + int r; + +-#ifdef EXPERIMENTAL_RSA_SHA2_256 + /* IMPORTANT NOTE: + * Do not offer rsa-sha2-* until is resolved misconfiguration issue + * with allowed public key algorithms! +diff --git a/key-eng.c b/key-eng.c +index 9bc50fd..bc0d03d 100644 +--- a/key-eng.c ++++ b/key-eng.c +@@ -786,7 +786,6 @@ ssh_engines_shutdown() { + while (buffer_len(&eng_list) > 0) { + u_int k = 0; + char *s; +- ENGINE *e; + + s = buffer_get_cstring_ret(&eng_list, &k); + ssh_engine_reset(s); +diff --git a/monitor.c b/monitor.c +index 345d3df..0de30ad 100644 +--- a/monitor.c ++++ b/monitor.c +@@ -707,7 +707,7 @@ mm_answer_sign(int sock, Buffer *m) + (r = sshbuf_get_string(m, &p, &datlen)) != 0 || + (r = sshbuf_get_cstring(m, &alg, &alglen)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); +- if (keyid > INT_MAX) ++ if (keyid32 > INT_MAX) + fatal("%s: invalid key ID", __func__); + + keyid = keyid32; /*save cast*/ +diff --git a/readconf.c b/readconf.c +index beb38a0..1cbda7e 100644 +--- a/readconf.c ++++ b/readconf.c +@@ -1459,7 +1459,9 @@ parse_int: + + case oHostKeyAlgorithms: + charptr = &options->hostkeyalgorithms; ++# if 0 + parse_keytypes: ++# endif + arg = strdelim(&s); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing argument.", +diff --git a/servconf.c b/servconf.c +index a540138..e77a344 100644 +--- a/servconf.c ++++ b/servconf.c +@@ -1574,7 +1573,9 @@ parse_string: + + case sHostKeyAlgorithms: + charptr = &options->hostkeyalgorithms; ++# if 0 + parse_keytypes: ++#endif + arg = strdelim(&cp); + if (!arg || *arg == '\0') + fatal("%s line %d: Missing argument.", +diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c +index 50f04b7..3f9a7bf 100644 +--- a/ssh-pkcs11.c ++++ b/ssh-pkcs11.c +@@ -273,21 +273,18 @@ pkcs11_dsa_finish(DSA *dsa) + } + + #ifdef OPENSSL_HAS_ECC ++#ifdef HAVE_EC_KEY_METHOD_NEW + /* openssl callback for freeing an EC key */ + static void + pkcs11_ec_finish(EC_KEY *ec) + { + struct pkcs11_key *k11; + +-#ifdef HAVE_EC_KEY_METHOD_NEW + k11 = EC_KEY_get_ex_data(ec, ssh_pkcs11_ec_ctx_index); + EC_KEY_set_ex_data(ec, ssh_pkcs11_ec_ctx_index, NULL); +-#else +- k11 = ECDSA_get_ex_data(ec, ssh_pkcs11_ec_ctx_index); +- ECDSA_set_ex_data(ec, ssh_pkcs11_ec_ctx_index, NULL); +-#endif + pkcs11_key_free(k11); + } ++#endif /*def HAVE_EC_KEY_METHOD_NEW*/ + #endif /*def OPENSSL_HAS_ECC*/ + + +diff --git a/sshconnect.c b/sshconnect.c +index fd2a70e..0960be1 100644 +--- a/sshconnect.c ++++ b/sshconnect.c +@@ -605,7 +605,7 @@ send_client_banner(int connection_out, int minor1) + { + /* Send our own protocol version identification. */ + if (compat20) { +- xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%d]\r\n", ++ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n", + PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509); + } else { + xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n", diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/metadata.xml b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/metadata.xml index 82905cb317..29134fc060 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/metadata.xml +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/metadata.xml @@ -28,7 +28,7 @@ ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and Enable high performance ssh Add support for storing SSH public keys in LDAP Use LDNS for DNSSEC/SSHFP validation. - Support for Stream Control Transmission Protocol + Enable root password logins for live-cd environment. Support the legacy/weak SSH1 protocol Enable additional crypto algorithms via OpenSSL Adds support for X.509 certificate authentication diff --git a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.2_p2-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.3_p1-r7.ebuild similarity index 79% rename from sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.2_p2-r1.ebuild rename to sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.3_p1-r7.ebuild index cd9453a011..a9655a1fad 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.2_p2-r1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.3_p1-r7.ebuild @@ -9,18 +9,21 @@ inherit eutils user flag-o-matic multilib autotools pam systemd versionator # Make it more portable between straight releases # and _p? releases. PARCH=${P/_} +HPN_PV="${PV}" +HPN_VER="14.10" -#HPN_PATCH="${PARCH}-hpnssh14v10.tar.xz" -LDAP_PATCH="${PN}-lpk-7.2p2-0.3.14.patch.xz" -X509_VER="8.9" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz" +HPN_PATCH="${PN}-${HPN_PV}-hpn-14.10-r1.patch" +SCTP_PATCH="${PN}-7.3_p1-sctp.patch.xz" +LDAP_PATCH="${PN}-lpk-7.3p1-0.3.14.patch.xz" +X509_VER="9.2" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz" DESCRIPTION="Port of OpenBSD's free SSH release" HOMEPAGE="http://www.openssh.org/" SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz - mirror://gentoo/${PN}-7.2_p1-sctp.patch.xz + ${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}} ${HPN_PATCH:+hpn? ( - mirror://gentoo/${HPN_PATCH} - mirror://sourceforge/hpnssh/${HPN_PATCH} + mirror://gentoo/${HPN_PATCH}.xz + http://dev.gentoo.org/~chutzpah/${HPN_PATCH}.xz )} ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )} ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} @@ -28,17 +31,20 @@ SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz LICENSE="BSD GPL-2" SLOT="0" -KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux" +KEYWORDS="alpha amd64 arm arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" # Probably want to drop ssl defaulting to on in a future version. -IUSE="debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl pam +pie sctp selinux skey ssh1 +ssl static X X509" +IUSE="debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509" REQUIRED_USE="ldns? ( ssl ) pie? ( !static ) ssh1? ( ssl ) static? ( !kerberos !pam ) - X509? ( !ldap ssl )" + X509? ( !ldap ssl ) + test? ( ssl )" LIB_DEPEND=" - ldns? ( net-libs/ldns[ecdsa,ssl,static-libs(+)] ) + ldns? ( + net-libs/ldns[ecdsa,ssl,static-libs(+)] + ) libedit? ( dev-libs/libedit[static-libs(+)] ) sctp? ( net-misc/lksctp-tools[static-libs(+)] ) selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) @@ -113,27 +119,35 @@ src_prepare() { if use X509 ; then pushd .. >/dev/null if use hpn ; then - pushd ${HPN_PATCH%.*.*} >/dev/null - epatch "${FILESDIR}"/${PN}-7.1_p1-hpn-x509-glue.patch + pushd "${WORKDIR}" >/dev/null + epatch "${FILESDIR}"/${P}-hpn-x509-9.2-glue.patch popd >/dev/null fi - epatch "${FILESDIR}"/${PN}-7.2_p1-sctp-x509-glue.patch + epatch "${FILESDIR}"/${PN}-7.3_p1-sctp-x509-glue.patch + sed -i 's:PKIX_VERSION:SSH_X509:g' "${WORKDIR}"/${X509_PATCH%.*} || die popd >/dev/null epatch "${WORKDIR}"/${X509_PATCH%.*} - #epatch "${FILESDIR}"/${PN}-7.1_p2-x509-hpn14v10-glue.patch - #save_version X509 + epatch "${FILESDIR}"/${P}-x509-9.2-warnings.patch + save_version X509 + else + # bug #592122, fixed by X509 patch + epatch "${FILESDIR}"/${P}-fix-ssh1-with-no-ssh1-host-key.patch fi if use ldap ; then epatch "${WORKDIR}"/${LDAP_PATCH%.*} save_version LPK fi - epatch "${FILESDIR}"/${PN}-7.2_p1-GSSAPI-dns.patch #165444 integrated into gsskex + + epatch "${FILESDIR}"/${PN}-7.3_p1-GSSAPI-dns.patch #165444 integrated into gsskex epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch - epatch "${WORKDIR}"/${PN}-7.2_p1-sctp.patch + epatch "${WORKDIR}"/${SCTP_PATCH%.*} + if use hpn ; then - EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \ - EPATCH_MULTI_MSG="Applying HPN patchset ..." \ - epatch "${WORKDIR}"/${HPN_PATCH%.*.*} + #EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \ + # EPATCH_MULTI_MSG="Applying HPN patchset ..." \ + # epatch "${WORKDIR}"/${HPN_PATCH%.*.*} + epatch "${WORKDIR}"/${HPN_PATCH} + epatch "${FILESDIR}"/${P}-hpn-cipher-ctr-mt-no-deadlocks.patch save_version HPN fi @@ -152,7 +166,16 @@ src_prepare() { ) sed -i "${sed_args[@]}" configure{.ac,} || die - epatch "${FILESDIR}"/${PN}-7.2_p1-fix-krb5-config.patch + # 7.3 added seccomp support to MIPS, but failed to handled the N32 + # case. This patch is temporary until upstream fixes. See + # Gentoo bug #591392 or upstream #2590. + [[ ${CHOST} == mips64*-linux-* && ${ABI} == "n32" ]] \ + && epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch + + epatch "${FILESDIR}"/${P}-NEWKEYS_null_deref.patch # 595342 + epatch "${FILESDIR}"/${P}-Unregister-the-KEXINIT-handler-after-receive.patch # 597360 + + epatch "${FILESDIR}"/${PN}-7.3_p1-fix-krb5-config.patch epatch_user #473004 @@ -233,13 +256,20 @@ src_install() { SendEnv LANG LC_* EOF + if use livecd ; then + sed -i \ + -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \ + "${ED}"/etc/ssh/sshd_config || die + fi + if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then insinto /etc/openldap/schema/ newins openssh-lpk_openldap.schema openssh-lpk.schema fi doman contrib/ssh-copy-id.1 - dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config + dodoc CREDITS OVERVIEW README* TODO sshd_config + use X509 || dodoc ChangeLog diropts -m 0700 dodir /etc/skel/.ssh @@ -266,7 +296,7 @@ src_test() { mkdir -p "${sshhome}"/.ssh for t in ${tests} ; do # Some tests read from stdin ... - HOMEDIR="${sshhome}" \ + HOMEDIR="${sshhome}" HOME="${sshhome}" \ emake -k -j1 ${t}