net-misc/openssh: Sync with Gentoo's latest ebuild

In particular, this fixes CVE-2017-15906.
David Michael 2017-11-17 15:56:48 -05:00
parent 3d2366730f
commit f9a93cbcc6
23 changed files with 239 additions and 1247 deletions


@ -1,4 +1,4 @@
DIST openssh-7.4_p1-sctp.patch.xz 8220 SHA256 18fa77f79ccae8b9a76bc877e9602113d91953bd487b6cc8284bfd1217438a23 SHA512 0c199e3b26949482125aeaa88216b2458292589e3eac8908d9134d13a1cae891094fcb0f752ed3009b3126cc72277b460205f39140c251792eb1b545271c3bd4 WHIRLPOOL 0f0ea1d36523b35d3be33d22fb84daa05fd14c464d69c19695235f81d26326bc53d6804bf34d0cc0c2584f412bfdac361d2b018032447d1033a4ff4fd9458a09 DIST openssh-7.6_p1-sctp.patch.xz 6996 SHA256 ca61f0b015d2f7131620a2a4901800b70026755a52a7b882d437cd9813c2652d SHA512 8445a9a8ae8e8baa67c8f386117877ba3f39f33c9cdaff341c8d5fb4ce9dfe22f26d5aedc2b0d4aab67864994ec5a6a487d18b728bd5d5c6efe14175eb9c8151 WHIRLPOOL 27125d4a7d45f0bc67f424598542cf97e123824bce7911732891531b6a0aa37b7598f636e1643a6114626c2ccc622a50928ffcdb4357c7dc3d9c3d8c161d9626
DIST openssh-7.4p1+x509-9.3.diff.gz 446572 SHA256 1d3fd23b3d02a3baad50890bf5498ef01af6dab6375da0aeb00a0d59fd3ac9ee SHA512 7ebc8d1f6ec36d652bbb6fb13d6d86f7db1abf8710af7b56c52fad9a18d73c9028a3307daabfdda26483a3bd9196120f6d18b6fb2c89b597b0a9ad0554161dfc WHIRLPOOL f878346a3154b7dbb01de41830d5857064af96d3a709aed40a112fe9aaadbe4801e5c3a22a1d2c8437b74a890596211be37e26d691ff611981d7375d262598c1 DIST openssh-7.6p1+x509-11.0.diff.gz 440219 SHA256 bc4175ed8efce14579f10e242b25a23c959b1ff0e63b7c15493503eb654a960e SHA512 add86ecdaa696d997f869e6878aaaef285590cc5eddf301be651944bbc6c80af6a891bad6f6aaa4b6e9919ad865a27dc6f45a6e0b923ca52c04f06523fa3197a WHIRLPOOL 1b324f72a6cb0c895b3994d59f3505ff2a4a0529829cea07344a33a68ee4d43c22ba534a55454792618cd9f766cd40fa5af73cc054ee3a08bccdb6e8d0073b29
DIST openssh-7.4p1.tar.gz 1511780 SHA256 1b1fc4a14e2024293181924ed24872e6f2e06293f3e8926a376b8aec481f19d1 SHA512 4f3256f461f01366c5d5e0e45285eec65016e2643b3284b407f48f53d81087bf2c1caf7d5f7530d307a15c91c64de91446e1cba948e8fc68f82098290fe3b292 WHIRLPOOL 4ed9a277287d1f5c2fd371b53394d6dde36b25adf92d4b6b5b486a9d448648f2ecfbb721ae39ba8a129913c1148aa4db1e99f7960a7c69fa215dfa7b3b126029 DIST openssh-7.6p1.tar.gz 1489788 SHA256 a323caeeddfe145baaa0db16e98d784b1fbc7dd436a6bf1f479dfd5cd1d21723 SHA512 de17fdcb8239401f76740c8d689a8761802f6df94e68d953f3c70b9f4f8bdb403617c48c1d01cc8c368d88e9d50aee540bf03d5a36687dfb39dfd28d73029d72 WHIRLPOOL 537b94555c7b36b2f7ef2ecd89e6671028f7cff9be758e631690ecd068510d59d6518077bf951e779e3c8a39706adb1682c6d5305edd6fc611ec19ce7953c751
DIST openssh-lpk-7.4p1-0.3.14.patch.xz 17076 SHA256 3a5e4104507d259ad15391136322ea5d067d7932199bbafde5cb478daf3595ad SHA512 1c91de291816ee0bb29ed3a2ffc42fb6fb4ba27a8616f8bd50accdf31d1fecc9b4fb3de6fb1ea6e722b69eb8cab68030ade87e126a4112667d14f3c2ef07d6cd WHIRLPOOL ea27224da952c6fe46b974a0e73d01e872a963e7e7cc7e9887a423357fb4ff82f4513ce48b6bbf7136afa8447bc6d93daa817cf5b2e24cb39dba15cbcff6d2cc DIST openssh-lpk-7.6p1-0.3.14.patch.xz 17044 SHA256 fd877cf084d4eb682c503b6e5f363b0564da2b50561367558a50ab239adf4017 SHA512 e9a2b18fd6a58354198b6e48199059d055451a5f09c99bf7293d0d54137a59c581a9cb3bd906f31589e03d8450fb017b9015e18c67b7b6ae840e336039436974 WHIRLPOOL 8410dc9dad24d8b3065ba85e7a7a66322b4d37eac0ef68e72143afa3aba2706e91c324798236b9d3e320e6903d27a7e426621bde92ded89ce26a16535e8c3d3c


@ -1,11 +0,0 @@
--- openssh-7.0p1-hpnssh14v5/0002-add-support-for-the-NONE-cipher.patch.orig 2015-08-24 11:17:05.379280954 -0700
+++ openssh-7.0p1-hpnssh14v5/0002-add-support-for-the-NONE-cipher.patch 2015-08-24 11:19:30.788424050 -0700
@@ -80,7 +80,7 @@
+ else
+ fatal("Pre-authentication none cipher requests are not allowed.");
+ }
- debug("kex: %s %s %s %s",
+ debug("kex: %s cipher: %s MAC: %s compression: %s",
ctos ? "client->server" : "server->client",
newkeys->enc.name,
diff --git a/myproposal.h b/myproposal.h


@ -1,106 +0,0 @@
http://bugs.gentoo.org/165444
https://bugzilla.mindrot.org/show_bug.cgi?id=1008
--- openssh-7.2p1/readconf.c
+++ openssh-7.2p1/readconf.c
@@ -148,6 +148,7 @@
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+ oGssTrustDns,
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
@@ -194,9 +195,11 @@
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
{ "gssapidelegatecredentials", oGssDelegateCreds },
+ { "gssapitrustdns", oGssTrustDns },
#else
{ "gssapiauthentication", oUnsupported },
{ "gssapidelegatecredentials", oUnsupported },
+ { "gssapitrustdns", oUnsupported },
#endif
{ "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated },
@@ -930,6 +933,10 @@
intptr = &options->gss_deleg_creds;
goto parse_flag;
+ case oGssTrustDns:
+ intptr = &options->gss_trust_dns;
+ goto parse_flag;
+
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
@@ -1649,6 +1656,7 @@
options->challenge_response_authentication = -1;
options->gss_authentication = -1;
options->gss_deleg_creds = -1;
+ options->gss_trust_dns = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
@@ -1779,6 +1787,8 @@
options->gss_authentication = 0;
if (options->gss_deleg_creds == -1)
options->gss_deleg_creds = 0;
+ if (options->gss_trust_dns == -1)
+ options->gss_trust_dns = 0;
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
--- openssh-7.2p1/readconf.h
+++ openssh-7.2p1/readconf.h
@@ -46,6 +46,7 @@
/* Try S/Key or TIS, authentication. */
int gss_authentication; /* Try GSS authentication */
int gss_deleg_creds; /* Delegate GSS credentials */
+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
int password_authentication; /* Try password
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
--- openssh-7.2p1/ssh_config.5
+++ openssh-7.2p1/ssh_config.5
@@ -830,6 +830,16 @@
Forward (delegate) credentials to the server.
The default is
.Dq no .
+Note that this option applies to protocol version 2 connections using GSSAPI.
+.It Cm GSSAPITrustDns
+Set to
+.Dq yes to indicate that the DNS is trusted to securely canonicalize
+the name of the host being connected to. If
+.Dq no, the hostname entered on the
+command line will be passed untouched to the GSSAPI library.
+The default is
+.Dq no .
+This option only applies to protocol version 2 connections using GSSAPI.
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
--- openssh-7.2p1/sshconnect2.c
+++ openssh-7.2p1/sshconnect2.c
@@ -656,6 +656,12 @@
static u_int mech = 0;
OM_uint32 min;
int ok = 0;
+ const char *gss_host;
+
+ if (options.gss_trust_dns)
+ gss_host = get_canonical_hostname(1);
+ else
+ gss_host = authctxt->host;
/* Try one GSSAPI method at a time, rather than sending them all at
* once. */
@@ -668,7 +674,7 @@
/* My DER encoding requires length<128 */
if (gss_supported->elements[mech].length < 128 &&
ssh_gssapi_check_mechanism(&gssctxt,
- &gss_supported->elements[mech], authctxt->host)) {
+ &gss_supported->elements[mech], gss_host)) {
ok = 1; /* Mechanism works */
} else {
mech++;


@ -1,74 +0,0 @@
--- openssh-7.2_p1-sctp.patch
+++ openssh-7.2_p1-sctp.patch
@@ -195,14 +195,6 @@
.Op Fl c Ar cipher
.Op Fl F Ar ssh_config
.Op Fl i Ar identity_file
-@@ -181,6 +181,7 @@ For full details of the options listed below, and their possible values, see
- .It ServerAliveCountMax
- .It StrictHostKeyChecking
- .It TCPKeepAlive
-+.It Transport
- .It UpdateHostKeys
- .It UsePrivilegedPort
- .It User
@@ -222,6 +223,8 @@ and
to print debugging messages about their progress.
This is helpful in
@@ -477,19 +469,11 @@
.Sh SYNOPSIS
.Nm ssh
.Bk -words
--.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy
-+.Op Fl 1246AaCfGgKkMNnqsTtVvXxYyz
+-.Op Fl 1246AaCdfgKkMNnqsTtVvXxYy
++.Op Fl 1246AaCdfgKkMNnqsTtVvXxYyz
.Op Fl b Ar bind_address
.Op Fl c Ar cipher_spec
.Op Fl D Oo Ar bind_address : Oc Ns Ar port
-@@ -536,6 +536,7 @@ For full details of the options listed below, and their possible values, see
- .It StreamLocalBindUnlink
- .It StrictHostKeyChecking
- .It TCPKeepAlive
-+.It Transport
- .It Tunnel
- .It TunnelDevice
- .It UpdateHostKeys
@@ -770,6 +771,8 @@ controls.
.Pp
.It Fl y
@@ -501,7 +485,7 @@
index f9ff91f..d0d92ce 100644
--- a/ssh.c
+++ b/ssh.c
-@@ -195,12 +195,17 @@ extern int muxserver_sock;
+@@ -195,11 +195,16 @@ extern int muxserver_sock;
extern u_int muxclient_command;
/* Prints a help message to the user. This function never returns. */
@@ -515,18 +499,17 @@
usage(void)
{
fprintf(stderr,
--"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
-+"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n"
+-"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
++"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n"
" [-D [bind_address:]port] [-E log_file] [-e escape_char]\n"
" [-F configfile] [-I pkcs11] [-i identity_file] [-L address]\n"
- " [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n"
@@ -605,7 +610,7 @@ main(int ac, char **av)
- argv0 = av[0];
+ # define ENGCONFIG ""
+ #endif
- again:
-- while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
-+ while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT
- "ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
+- while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx"
++ while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" SCTP_OPT
+ "ACD:E:F:" ENGCONFIG "I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
switch (opt) {
case '1':
@@ -845,6 +850,11 @@ main(int ac, char **av)


@ -1,351 +0,0 @@
http://bugs.gentoo.org/165444
https://bugzilla.mindrot.org/show_bug.cgi?id=1008
--- a/readconf.c
+++ b/readconf.c
@@ -148,6 +148,7 @@
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+ oGssTrustDns,
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
@@ -194,9 +195,11 @@
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
{ "gssapidelegatecredentials", oGssDelegateCreds },
+ { "gssapitrustdns", oGssTrustDns },
#else
{ "gssapiauthentication", oUnsupported },
{ "gssapidelegatecredentials", oUnsupported },
+ { "gssapitrustdns", oUnsupported },
#endif
{ "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated },
@@ -930,6 +933,10 @@
intptr = &options->gss_deleg_creds;
goto parse_flag;
+ case oGssTrustDns:
+ intptr = &options->gss_trust_dns;
+ goto parse_flag;
+
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
@@ -1649,6 +1656,7 @@
options->challenge_response_authentication = -1;
options->gss_authentication = -1;
options->gss_deleg_creds = -1;
+ options->gss_trust_dns = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
@@ -1779,6 +1787,8 @@
options->gss_authentication = 0;
if (options->gss_deleg_creds == -1)
options->gss_deleg_creds = 0;
+ if (options->gss_trust_dns == -1)
+ options->gss_trust_dns = 0;
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
--- a/readconf.h
+++ b/readconf.h
@@ -46,6 +46,7 @@
/* Try S/Key or TIS, authentication. */
int gss_authentication; /* Try GSS authentication */
int gss_deleg_creds; /* Delegate GSS credentials */
+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
int password_authentication; /* Try password
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -830,6 +830,16 @@
Forward (delegate) credentials to the server.
The default is
.Dq no .
+Note that this option applies to protocol version 2 connections using GSSAPI.
+.It Cm GSSAPITrustDns
+Set to
+.Dq yes to indicate that the DNS is trusted to securely canonicalize
+the name of the host being connected to. If
+.Dq no, the hostname entered on the
+command line will be passed untouched to the GSSAPI library.
+The default is
+.Dq no .
+This option only applies to protocol version 2 connections using GSSAPI.
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -656,6 +656,13 @@
static u_int mech = 0;
OM_uint32 min;
int ok = 0;
+ const char *gss_host;
+
+ if (options.gss_trust_dns) {
+ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
+ gss_host = auth_get_canonical_hostname(active_state, 1);
+ } else
+ gss_host = authctxt->host;
/* Try one GSSAPI method at a time, rather than sending them all at
* once. */
@@ -668,7 +674,7 @@
/* My DER encoding requires length<128 */
if (gss_supported->elements[mech].length < 128 &&
ssh_gssapi_check_mechanism(&gssctxt,
- &gss_supported->elements[mech], authctxt->host)) {
+ &gss_supported->elements[mech], gss_host)) {
ok = 1; /* Mechanism works */
} else {
mech++;
need to move these two funcs back to canohost so they're available to clients
and the server. auth.c is only used in the server.
--- a/auth.c
+++ b/auth.c
@@ -784,117 +784,3 @@ fakepw(void)
return (&fake);
}
-
-/*
- * Returns the remote DNS hostname as a string. The returned string must not
- * be freed. NB. this will usually trigger a DNS query the first time it is
- * called.
- * This function does additional checks on the hostname to mitigate some
- * attacks on legacy rhosts-style authentication.
- * XXX is RhostsRSAAuthentication vulnerable to these?
- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
- */
-
-static char *
-remote_hostname(struct ssh *ssh)
-{
- struct sockaddr_storage from;
- socklen_t fromlen;
- struct addrinfo hints, *ai, *aitop;
- char name[NI_MAXHOST], ntop2[NI_MAXHOST];
- const char *ntop = ssh_remote_ipaddr(ssh);
-
- /* Get IP address of client. */
- fromlen = sizeof(from);
- memset(&from, 0, sizeof(from));
- if (getpeername(ssh_packet_get_connection_in(ssh),
- (struct sockaddr *)&from, &fromlen) < 0) {
- debug("getpeername failed: %.100s", strerror(errno));
- return strdup(ntop);
- }
-
- ipv64_normalise_mapped(&from, &fromlen);
- if (from.ss_family == AF_INET6)
- fromlen = sizeof(struct sockaddr_in6);
-
- debug3("Trying to reverse map address %.100s.", ntop);
- /* Map the IP address to a host name. */
- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
- NULL, 0, NI_NAMEREQD) != 0) {
- /* Host name not found. Use ip address. */
- return strdup(ntop);
- }
-
- /*
- * if reverse lookup result looks like a numeric hostname,
- * someone is trying to trick us by PTR record like following:
- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
- */
- memset(&hints, 0, sizeof(hints));
- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
- hints.ai_flags = AI_NUMERICHOST;
- if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
- name, ntop);
- freeaddrinfo(ai);
- return strdup(ntop);
- }
-
- /* Names are stored in lowercase. */
- lowercase(name);
-
- /*
- * Map it back to an IP address and check that the given
- * address actually is an address of this host. This is
- * necessary because anyone with access to a name server can
- * define arbitrary names for an IP address. Mapping from
- * name to IP address can be trusted better (but can still be
- * fooled if the intruder has access to the name server of
- * the domain).
- */
- memset(&hints, 0, sizeof(hints));
- hints.ai_family = from.ss_family;
- hints.ai_socktype = SOCK_STREAM;
- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
- logit("reverse mapping checking getaddrinfo for %.700s "
- "[%s] failed.", name, ntop);
- return strdup(ntop);
- }
- /* Look for the address from the list of addresses. */
- for (ai = aitop; ai; ai = ai->ai_next) {
- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
- (strcmp(ntop, ntop2) == 0))
- break;
- }
- freeaddrinfo(aitop);
- /* If we reached the end of the list, the address was not there. */
- if (ai == NULL) {
- /* Address not found for the host name. */
- logit("Address %.100s maps to %.600s, but this does not "
- "map back to the address.", ntop, name);
- return strdup(ntop);
- }
- return strdup(name);
-}
-
-/*
- * Return the canonical name of the host in the other side of the current
- * connection. The host name is cached, so it is efficient to call this
- * several times.
- */
-
-const char *
-auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
-{
- static char *dnsname;
-
- if (!use_dns)
- return ssh_remote_ipaddr(ssh);
- else if (dnsname != NULL)
- return dnsname;
- else {
- dnsname = remote_hostname(ssh);
- return dnsname;
- }
-}
--- a/canohost.c
+++ b/canohost.c
@@ -202,3 +202,117 @@ get_local_port(int sock)
{
return get_sock_port(sock, 1);
}
+
+/*
+ * Returns the remote DNS hostname as a string. The returned string must not
+ * be freed. NB. this will usually trigger a DNS query the first time it is
+ * called.
+ * This function does additional checks on the hostname to mitigate some
+ * attacks on legacy rhosts-style authentication.
+ * XXX is RhostsRSAAuthentication vulnerable to these?
+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
+ */
+
+static char *
+remote_hostname(struct ssh *ssh)
+{
+ struct sockaddr_storage from;
+ socklen_t fromlen;
+ struct addrinfo hints, *ai, *aitop;
+ char name[NI_MAXHOST], ntop2[NI_MAXHOST];
+ const char *ntop = ssh_remote_ipaddr(ssh);
+
+ /* Get IP address of client. */
+ fromlen = sizeof(from);
+ memset(&from, 0, sizeof(from));
+ if (getpeername(ssh_packet_get_connection_in(ssh),
+ (struct sockaddr *)&from, &fromlen) < 0) {
+ debug("getpeername failed: %.100s", strerror(errno));
+ return strdup(ntop);
+ }
+
+ ipv64_normalise_mapped(&from, &fromlen);
+ if (from.ss_family == AF_INET6)
+ fromlen = sizeof(struct sockaddr_in6);
+
+ debug3("Trying to reverse map address %.100s.", ntop);
+ /* Map the IP address to a host name. */
+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
+ NULL, 0, NI_NAMEREQD) != 0) {
+ /* Host name not found. Use ip address. */
+ return strdup(ntop);
+ }
+
+ /*
+ * if reverse lookup result looks like a numeric hostname,
+ * someone is trying to trick us by PTR record like following:
+ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
+ */
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
+ hints.ai_flags = AI_NUMERICHOST;
+ if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
+ name, ntop);
+ freeaddrinfo(ai);
+ return strdup(ntop);
+ }
+
+ /* Names are stored in lowercase. */
+ lowercase(name);
+
+ /*
+ * Map it back to an IP address and check that the given
+ * address actually is an address of this host. This is
+ * necessary because anyone with access to a name server can
+ * define arbitrary names for an IP address. Mapping from
+ * name to IP address can be trusted better (but can still be
+ * fooled if the intruder has access to the name server of
+ * the domain).
+ */
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = from.ss_family;
+ hints.ai_socktype = SOCK_STREAM;
+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
+ logit("reverse mapping checking getaddrinfo for %.700s "
+ "[%s] failed.", name, ntop);
+ return strdup(ntop);
+ }
+ /* Look for the address from the list of addresses. */
+ for (ai = aitop; ai; ai = ai->ai_next) {
+ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
+ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
+ (strcmp(ntop, ntop2) == 0))
+ break;
+ }
+ freeaddrinfo(aitop);
+ /* If we reached the end of the list, the address was not there. */
+ if (ai == NULL) {
+ /* Address not found for the host name. */
+ logit("Address %.100s maps to %.600s, but this does not "
+ "map back to the address.", ntop, name);
+ return strdup(ntop);
+ }
+ return strdup(name);
+}
+
+/*
+ * Return the canonical name of the host in the other side of the current
+ * connection. The host name is cached, so it is efficient to call this
+ * several times.
+ */
+
+const char *
+auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
+{
+ static char *dnsname;
+
+ if (!use_dns)
+ return ssh_remote_ipaddr(ssh);
+ else if (dnsname != NULL)
+ return dnsname;
+ else {
+ dnsname = remote_hostname(ssh);
+ return dnsname;
+ }
+}


@ -1,29 +0,0 @@
https://bugs.gentoo.org/595342
Backport of
https://anongit.mindrot.org/openssh.git/patch/?id=28652bca29046f62c7045e933e6b931de1d16737
--- openssh-7.3p1/kex.c
+++ openssh-7.3p1/kex.c
@@ -419,6 +419,8 @@
ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
if ((r = sshpkt_get_end(ssh)) != 0)
return r;
+ if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
+ return r;
kex->done = 1;
sshbuf_reset(kex->peer);
/* sshbuf_reset(kex->my); */
--- openssh-7.3p1/packet.c
+++ openssh-7.3p1/packet.c
@@ -1919,9 +1919,7 @@
return r;
return SSH_ERR_PROTOCOL_ERROR;
}
- if (*typep == SSH2_MSG_NEWKEYS)
- r = ssh_set_newkeys(ssh, MODE_IN);
- else if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
+ if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
r = ssh_packet_enable_delayed_compress(ssh);
else
r = 0;


@ -1,32 +0,0 @@
https://bugs.gentoo.org/597360
From ec165c392ca54317dbe3064a8c200de6531e89ad Mon Sep 17 00:00:00 2001
From: "markus@openbsd.org" <markus@openbsd.org>
Date: Mon, 10 Oct 2016 19:28:48 +0000
Subject: [PATCH] upstream commit
Unregister the KEXINIT handler after message has been
received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed. Reported by
shilei-c at 360.cn
Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05
---
kex.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kex.c b/kex.c
index 3f97f8c00919..6a94bc535bd7 100644
--- a/kex.c
+++ b/kex.c
@@ -481,6 +481,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
if (kex == NULL)
return SSH_ERR_INVALID_ARGUMENT;
+ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
ptr = sshpkt_ptr(ssh, &dlen);
if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
return r;
--
2.11.0.rc2


@ -1,34 +0,0 @@
https://bugs.gentoo.org/592122
From e600348a7afd6325cc5cd783cb424065cbc20434 Mon Sep 17 00:00:00 2001
From: "dtucker@openbsd.org" <dtucker@openbsd.org>
Date: Wed, 3 Aug 2016 04:23:55 +0000
Subject: [PATCH] upstream commit
Fix bug introduced in rev 1.467 which causes
"buffer_get_bignum_ret: incomplete message" errors when built with WITH_SSH1
and run such that no Protocol 1 ephemeral host key is generated (eg "Protocol
2", no SSH1 host key supplied). Reported by rainer.laatsch at t-online.de,
ok deraadt@
Upstream-ID: aa6b132da5c325523aed7989cc5a320497c919dc
---
sshd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sshd.c b/sshd.c
index 799c7711f49c..9fc829a91bc8 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1071,7 +1071,7 @@ send_rexec_state(int fd, struct sshbuf *conf)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
} else
#endif
- if ((r = sshbuf_put_u32(m, 1)) != 0)
+ if ((r = sshbuf_put_u32(m, 0)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
#if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY)
--
2.11.0.rc2


@ -1,39 +0,0 @@
--- a/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch
+++ b/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch
@@ -1155,7 +1155,7 @@
@@ -44,7 +44,7 @@
LD=@LD@
CFLAGS=@CFLAGS@
- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
-LIBS=@LIBS@
+LIBS=@LIBS@ -lpthread
K5LIBS=@K5LIBS@
--- a/0004-support-dynamically-sized-receive-buffers.patch
+++ b/0004-support-dynamically-sized-receive-buffers.patch
@@ -2144,9 +2144,9 @@
@@ -527,10 +555,10 @@ send_client_banner(int connection_out, int minor1)
/* Send our own protocol version identification. */
if (compat20) {
- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n",
+- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509);
++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, SSH_X509);
} else {
xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
- PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
@@ -2163,9 +2163,9 @@
@@ -432,7 +432,7 @@
}
- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
-- major, minor, SSH_VERSION,
-+ major, minor, SSH_RELEASE,
+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
+- major, minor, SSH_VERSION, comment,
++ major, minor, SSH_RELEASE, comment,
*options.version_addendum == '\0' ? "" : " ",
options.version_addendum, newline);


@ -1,245 +0,0 @@
diff --git a/cipher-ctr-mt.c b/cipher-ctr-mt.c
index fdc9b2f..300cd90 100644
--- a/cipher-ctr-mt.c
+++ b/cipher-ctr-mt.c
@@ -127,7 +127,7 @@ struct kq {
u_char keys[KQLEN][AES_BLOCK_SIZE];
u_char ctr[AES_BLOCK_SIZE];
u_char pad0[CACHELINE_LEN];
- volatile int qstate;
+ int qstate;
pthread_mutex_t lock;
pthread_cond_t cond;
u_char pad1[CACHELINE_LEN];
@@ -141,6 +141,11 @@ struct ssh_aes_ctr_ctx
STATS_STRUCT(stats);
u_char aes_counter[AES_BLOCK_SIZE];
pthread_t tid[CIPHER_THREADS];
+ pthread_rwlock_t tid_lock;
+#ifdef __APPLE__
+ pthread_rwlock_t stop_lock;
+ int exit_flag;
+#endif /* __APPLE__ */
int state;
int qidx;
int ridx;
@@ -187,6 +192,57 @@ thread_loop_cleanup(void *x)
pthread_mutex_unlock((pthread_mutex_t *)x);
}
+#ifdef __APPLE__
+/* Check if we should exit, we are doing both cancel and exit condition
+ * since on OSX threads seem to occasionally fail to notice when they have
+ * been cancelled. We want to have a backup to make sure that we won't hang
+ * when the main process join()-s the cancelled thread.
+ */
+static void
+thread_loop_check_exit(struct ssh_aes_ctr_ctx *c)
+{
+ int exit_flag;
+
+ pthread_rwlock_rdlock(&c->stop_lock);
+ exit_flag = c->exit_flag;
+ pthread_rwlock_unlock(&c->stop_lock);
+
+ if (exit_flag)
+ pthread_exit(NULL);
+}
+#else
+# define thread_loop_check_exit(s)
+#endif /* __APPLE__ */
+
+/*
+ * Helper function to terminate the helper threads
+ */
+static void
+stop_and_join_pregen_threads(struct ssh_aes_ctr_ctx *c)
+{
+ int i;
+
+#ifdef __APPLE__
+ /* notify threads that they should exit */
+ pthread_rwlock_wrlock(&c->stop_lock);
+ c->exit_flag = TRUE;
+ pthread_rwlock_unlock(&c->stop_lock);
+#endif /* __APPLE__ */
+
+ /* Cancel pregen threads */
+ for (i = 0; i < CIPHER_THREADS; i++) {
+ pthread_cancel(c->tid[i]);
+ }
+ for (i = 0; i < NUMKQ; i++) {
+ pthread_mutex_lock(&c->q[i].lock);
+ pthread_cond_broadcast(&c->q[i].cond);
+ pthread_mutex_unlock(&c->q[i].lock);
+ }
+ for (i = 0; i < CIPHER_THREADS; i++) {
+ pthread_join(c->tid[i], NULL);
+ }
+}
+
/*
* The life of a pregen thread:
* Find empty keystream queues and fill them using their counter.
@@ -201,6 +257,7 @@ thread_loop(void *x)
struct kq *q;
int i;
int qidx;
+ pthread_t first_tid;
/* Threads stats on cancellation */
STATS_INIT(stats);
@@ -211,11 +268,15 @@ thread_loop(void *x)
/* Thread local copy of AES key */
memcpy(&key, &c->aes_ctx, sizeof(key));
+ pthread_rwlock_rdlock(&c->tid_lock);
+ first_tid = c->tid[0];
+ pthread_rwlock_unlock(&c->tid_lock);
+
/*
* Handle the special case of startup, one thread must fill
* the first KQ then mark it as draining. Lock held throughout.
*/
- if (pthread_equal(pthread_self(), c->tid[0])) {
+ if (pthread_equal(pthread_self(), first_tid)) {
q = &c->q[0];
pthread_mutex_lock(&q->lock);
if (q->qstate == KQINIT) {
@@ -245,12 +306,16 @@ thread_loop(void *x)
/* Check if I was cancelled, also checked in cond_wait */
pthread_testcancel();
+ /* Check if we should exit as well */
+ thread_loop_check_exit(c);
+
/* Lock queue and block if its draining */
q = &c->q[qidx];
pthread_mutex_lock(&q->lock);
pthread_cleanup_push(thread_loop_cleanup, &q->lock);
while (q->qstate == KQDRAINING || q->qstate == KQINIT) {
STATS_WAIT(stats);
+ thread_loop_check_exit(c);
pthread_cond_wait(&q->cond, &q->lock);
}
pthread_cleanup_pop(0);
@@ -268,6 +333,7 @@ thread_loop(void *x)
* can see that it's being filled.
*/
q->qstate = KQFILLING;
+ pthread_cond_broadcast(&q->cond);
pthread_mutex_unlock(&q->lock);
for (i = 0; i < KQLEN; i++) {
AES_encrypt(q->ctr, q->keys[i], &key);
@@ -279,7 +345,7 @@ thread_loop(void *x)
ssh_ctr_add(q->ctr, KQLEN * (NUMKQ - 1), AES_BLOCK_SIZE);
q->qstate = KQFULL;
STATS_FILL(stats);
- pthread_cond_signal(&q->cond);
+ pthread_cond_broadcast(&q->cond);
pthread_mutex_unlock(&q->lock);
}
@@ -371,6 +437,7 @@ ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
pthread_cond_wait(&q->cond, &q->lock);
}
q->qstate = KQDRAINING;
+ pthread_cond_broadcast(&q->cond);
pthread_mutex_unlock(&q->lock);
/* Mark consumed queue empty and signal producers */
@@ -397,6 +464,11 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
c = xmalloc(sizeof(*c));
+ pthread_rwlock_init(&c->tid_lock, NULL);
+#ifdef __APPLE__
+ pthread_rwlock_init(&c->stop_lock, NULL);
+ c->exit_flag = FALSE;
+#endif /* __APPLE__ */
c->state = HAVE_NONE;
for (i = 0; i < NUMKQ; i++) {
@@ -409,11 +481,14 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
}
if (c->state == (HAVE_KEY | HAVE_IV)) {
- /* Cancel pregen threads */
- for (i = 0; i < CIPHER_THREADS; i++)
- pthread_cancel(c->tid[i]);
- for (i = 0; i < CIPHER_THREADS; i++)
- pthread_join(c->tid[i], NULL);
+ /* tell the pregen threads to exit */
+ stop_and_join_pregen_threads(c);
+
+#ifdef __APPLE__
+ /* reset the exit flag */
+ c->exit_flag = FALSE;
+#endif /* __APPLE__ */
+
/* Start over getting key & iv */
c->state = HAVE_NONE;
}
@@ -444,10 +519,12 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
/* Start threads */
for (i = 0; i < CIPHER_THREADS; i++) {
debug("spawned a thread");
+ pthread_rwlock_wrlock(&c->tid_lock);
pthread_create(&c->tid[i], NULL, thread_loop, c);
+ pthread_rwlock_unlock(&c->tid_lock);
}
pthread_mutex_lock(&c->q[0].lock);
- while (c->q[0].qstate != KQDRAINING)
+ while (c->q[0].qstate == KQINIT)
pthread_cond_wait(&c->q[0].cond, &c->q[0].lock);
pthread_mutex_unlock(&c->q[0].lock);
}
@@ -461,15 +538,10 @@ void
ssh_aes_ctr_thread_destroy(EVP_CIPHER_CTX *ctx)
{
struct ssh_aes_ctr_ctx *c;
- int i;
+
c = EVP_CIPHER_CTX_get_app_data(ctx);
- /* destroy threads */
- for (i = 0; i < CIPHER_THREADS; i++) {
- pthread_cancel(c->tid[i]);
- }
- for (i = 0; i < CIPHER_THREADS; i++) {
- pthread_join(c->tid[i], NULL);
- }
+
+ stop_and_join_pregen_threads(c);
}
void
@@ -481,7 +553,9 @@ ssh_aes_ctr_thread_reconstruction(EVP_CIPHER_CTX *ctx)
/* reconstruct threads */
for (i = 0; i < CIPHER_THREADS; i++) {
debug("spawned a thread");
+ pthread_rwlock_wrlock(&c->tid_lock);
pthread_create(&c->tid[i], NULL, thread_loop, c);
+ pthread_rwlock_unlock(&c->tid_lock);
}
}
@@ -489,18 +563,13 @@ static int
ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx)
{
struct ssh_aes_ctr_ctx *c;
- int i;
if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
#ifdef CIPHER_THREAD_STATS
debug("main thread: %u drains, %u waits", c->stats.drains,
c->stats.waits);
#endif
- /* Cancel pregen threads */
- for (i = 0; i < CIPHER_THREADS; i++)
- pthread_cancel(c->tid[i]);
- for (i = 0; i < CIPHER_THREADS; i++)
- pthread_join(c->tid[i], NULL);
+ stop_and_join_pregen_threads(c);
memset(c, 0, sizeof(*c));
free(c);


@ -1,41 +0,0 @@
--- a/openssh-7.3_p1-hpn-14.10-r1.patch 2016-09-19 15:00:21.561121417 -0700
+++ b/openssh-7.3_p1-hpn-14.10-r1.patch 2016-09-19 15:22:51.337118439 -0700
@@ -1155,7 +1155,7 @@
@@ -44,7 +44,7 @@
LD=@LD@
CFLAGS=@CFLAGS@
- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
-LIBS=@LIBS@
+LIBS=@LIBS@ -lpthread
K5LIBS=@K5LIBS@
@@ -2144,12 +2144,12 @@
/* Bind the socket to an alternative local IP address */
if (options.bind_address == NULL && !privileged)
return sock;
-@@ -527,10 +555,10 @@
+@@ -555,10 +583,10 @@
/* Send our own protocol version identification. */
if (compat20) {
- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n",
+- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509);
++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, SSH_X509);
} else {
xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
- PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
@@ -2163,9 +2163,9 @@
@@ -432,7 +432,7 @@
}
- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
-- major, minor, SSH_VERSION,
-+ major, minor, SSH_RELEASE,
+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
+- major, minor, SSH_VERSION, comment,
++ major, minor, SSH_RELEASE, comment,
*options.version_addendum == '\0' ? "" : " ",
options.version_addendum, newline);


@ -1,33 +0,0 @@
--- a/openssh-7.3_p1-hpn-14.10.patch 12:11:41.120750207 -0700
+++ b/openssh-7.3_p1-hpn-14.10.patch 14:00:44.311487904 -0700
@@ -141,7 +141,7 @@
@@ -44,7 +44,7 @@ CC=@CC@
LD=@LD@
CFLAGS=@CFLAGS@
- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
-LIBS=@LIBS@
+LIBS=@LIBS@ -lpthread
K5LIBS=@K5LIBS@
@@ -2098,7 +2098,7 @@
@@ -527,10 +555,10 @@ send_client_banner(int connection_out, int minor1)
/* Send our own protocol version identification. */
if (compat20) {
- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX\r\n",
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
} else {
@@ -2196,9 +2196,9 @@
@@ -431,7 +431,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
}
- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
-- major, minor, SSH_VERSION,
-+ major, minor, SSH_RELEASE,
+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
+- major, minor, SSH_VERSION, comment,
++ major, minor, SSH_RELEASE, comment,
*options.version_addendum == '\0' ? "" : " ",
options.version_addendum, newline);


@ -1,67 +0,0 @@
--- a/openssh-7.3_p1-sctp.patch 2016-08-03 13:10:15.733228732 -0700
+++ b/openssh-7.3_p1-sctp.patch 2016-08-03 13:25:53.274630002 -0700
@@ -226,14 +226,6 @@
.Op Fl c Ar cipher
.Op Fl F Ar ssh_config
.Op Fl i Ar identity_file
-@@ -183,6 +183,7 @@ For full details of the options listed below, and their possible values, see
- .It ServerAliveCountMax
- .It StrictHostKeyChecking
- .It TCPKeepAlive
-+.It Transport
- .It UpdateHostKeys
- .It UsePrivilegedPort
- .It User
@@ -224,6 +225,8 @@ and
to print debugging messages about their progress.
This is helpful in
@@ -493,19 +485,11 @@
.Sh SYNOPSIS
.Nm ssh
.Bk -words
--.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy
-+.Op Fl 1246AaCfGgKkMNnqsTtVvXxYyz
+-.Op Fl 1246AaCdfgKkMNnqsTtVvXxYy
++.Op Fl 1246AaCdfgKkMNnqsTtVvXxYyz
.Op Fl b Ar bind_address
.Op Fl c Ar cipher_spec
.Op Fl D Oo Ar bind_address : Oc Ns Ar port
-@@ -558,6 +558,7 @@ For full details of the options listed below, and their possible values, see
- .It StreamLocalBindUnlink
- .It StrictHostKeyChecking
- .It TCPKeepAlive
-+.It Transport
- .It Tunnel
- .It TunnelDevice
- .It UpdateHostKeys
@@ -795,6 +796,8 @@ controls.
.Pp
.It Fl y
@@ -533,18 +517,18 @@
usage(void)
{
fprintf(stderr,
--"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
-+"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n"
+-"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
++"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n"
" [-D [bind_address:]port] [-E log_file] [-e escape_char]\n"
- " [-F configfile] [-I pkcs11] [-i identity_file]\n"
- " [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]\n"
+ " [-F configfile]\n"
+ #ifdef USE_OPENSSL_ENGINE
@@ -608,7 +613,7 @@ main(int ac, char **av)
- argv0 = av[0];
+ # define ENGCONFIG ""
+ #endif
- again:
-- while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
-+ while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT
- "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
+- while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx"
++ while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" SCTP_OPT
+ "ACD:E:F:" ENGCONFIG "I:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
switch (opt) {
case '1':
@@ -857,6 +862,11 @@ main(int ac, char **av)


@ -1,109 +0,0 @@
diff --git a/kex.c b/kex.c
index 143227a..c9b84c2 100644
--- a/kex.c
+++ b/kex.c
@@ -345,9 +345,9 @@ kex_reset_dispatch(struct ssh *ssh)
static int
kex_send_ext_info(struct ssh *ssh)
{
+#ifdef EXPERIMENTAL_RSA_SHA2_256
int r;
-#ifdef EXPERIMENTAL_RSA_SHA2_256
/* IMPORTANT NOTE:
* Do not offer rsa-sha2-* until is resolved misconfiguration issue
* with allowed public key algorithms!
diff --git a/key-eng.c b/key-eng.c
index 9bc50fd..bc0d03d 100644
--- a/key-eng.c
+++ b/key-eng.c
@@ -786,7 +786,6 @@ ssh_engines_shutdown() {
while (buffer_len(&eng_list) > 0) {
u_int k = 0;
char *s;
- ENGINE *e;
s = buffer_get_cstring_ret(&eng_list, &k);
ssh_engine_reset(s);
diff --git a/monitor.c b/monitor.c
index 345d3df..0de30ad 100644
--- a/monitor.c
+++ b/monitor.c
@@ -707,7 +707,7 @@ mm_answer_sign(int sock, Buffer *m)
(r = sshbuf_get_string(m, &p, &datlen)) != 0 ||
(r = sshbuf_get_cstring(m, &alg, &alglen)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
- if (keyid > INT_MAX)
+ if (keyid32 > INT_MAX)
fatal("%s: invalid key ID", __func__);
keyid = keyid32; /*save cast*/
diff --git a/readconf.c b/readconf.c
index beb38a0..1cbda7e 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1459,7 +1459,9 @@ parse_int:
case oHostKeyAlgorithms:
charptr = &options->hostkeyalgorithms;
+# if 0
parse_keytypes:
+# endif
arg = strdelim(&s);
if (!arg || *arg == '\0')
fatal("%.200s line %d: Missing argument.",
diff --git a/servconf.c b/servconf.c
index a540138..e77a344 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1574,7 +1573,9 @@ parse_string:
case sHostKeyAlgorithms:
charptr = &options->hostkeyalgorithms;
+# if 0
parse_keytypes:
+#endif
arg = strdelim(&cp);
if (!arg || *arg == '\0')
fatal("%s line %d: Missing argument.",
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index 50f04b7..3f9a7bf 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -273,21 +273,18 @@ pkcs11_dsa_finish(DSA *dsa)
}
#ifdef OPENSSL_HAS_ECC
+#ifdef HAVE_EC_KEY_METHOD_NEW
/* openssl callback for freeing an EC key */
static void
pkcs11_ec_finish(EC_KEY *ec)
{
struct pkcs11_key *k11;
-#ifdef HAVE_EC_KEY_METHOD_NEW
k11 = EC_KEY_get_ex_data(ec, ssh_pkcs11_ec_ctx_index);
EC_KEY_set_ex_data(ec, ssh_pkcs11_ec_ctx_index, NULL);
-#else
- k11 = ECDSA_get_ex_data(ec, ssh_pkcs11_ec_ctx_index);
- ECDSA_set_ex_data(ec, ssh_pkcs11_ec_ctx_index, NULL);
-#endif
pkcs11_key_free(k11);
}
+#endif /*def HAVE_EC_KEY_METHOD_NEW*/
#endif /*def OPENSSL_HAS_ECC*/
diff --git a/sshconnect.c b/sshconnect.c
index fd2a70e..0960be1 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -605,7 +605,7 @@ send_client_banner(int connection_out, int minor1)
{
/* Send our own protocol version identification. */
if (compat20) {
- xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%d]\r\n",
+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n",
PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509);
} else {
xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",


@ -1,29 +0,0 @@
https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-December/035604.html
From dca2985bff146f756b0019b17f08c35f28841a04 Mon Sep 17 00:00:00 2001
From: Mike Frysinger <vapier@gentoo.org>
Date: Mon, 19 Dec 2016 15:59:00 -0500
Subject: [PATCH] regress/allow-deny-users.sh: fix bashism in test
The test command uses = for string compares, not ==. Using some POSIX
shells will reject this statement with an error about an unknown operator.
---
regress/allow-deny-users.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/regress/allow-deny-users.sh b/regress/allow-deny-users.sh
index 32a269afa97c..86805e19322b 100644
--- a/regress/allow-deny-users.sh
+++ b/regress/allow-deny-users.sh
@@ -4,7 +4,7 @@
tid="AllowUsers/DenyUsers"
me="$LOGNAME"
-if [ "x$me" == "x" ]; then
+if [ "x$me" = "x" ]; then
me=`whoami`
fi
other="nobody"
--
2.11.0.rc2


@ -16,13 +16,13 @@ https://bugzilla.mindrot.org/show_bug.cgi?id=1008
{ "gssapiauthentication", oGssAuthentication }, { "gssapiauthentication", oGssAuthentication },
{ "gssapidelegatecredentials", oGssDelegateCreds }, { "gssapidelegatecredentials", oGssDelegateCreds },
+ { "gssapitrustdns", oGssTrustDns }, + { "gssapitrustdns", oGssTrustDns },
#else # else
{ "gssapiauthentication", oUnsupported }, { "gssapiauthentication", oUnsupported },
{ "gssapidelegatecredentials", oUnsupported }, { "gssapidelegatecredentials", oUnsupported },
+ { "gssapitrustdns", oUnsupported }, + { "gssapitrustdns", oUnsupported },
#endif #endif
{ "fallbacktorsh", oDeprecated }, #ifdef ENABLE_PKCS11
{ "usersh", oDeprecated }, { "smartcarddevice", oPKCS11Provider },
@@ -930,6 +933,10 @@ @@ -930,6 +933,10 @@
intptr = &options->gss_deleg_creds; intptr = &options->gss_deleg_creds;
goto parse_flag; goto parse_flag;


@ -0,0 +1,50 @@
--- a/openssh-7.6p1-hpnssh14v12/0004-support-dynamically-sized-receive-buffers.patch 2017-10-11 15:02:11.850912525 -0700
+++ b/openssh-7.6p1-hpnssh14v12/0004-support-dynamically-sized-receive-buffers.patch 2017-10-11 15:35:06.223424844 -0700
@@ -907,9 +907,9 @@
@@ -517,7 +544,7 @@ send_client_banner(int connection_out, int minor1)
{
/* Send our own protocol version identification. */
- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n",
+- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, PACKAGE_VERSION);
++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, PACKAGE_VERSION);
if (atomicio(vwrite, connection_out, client_version_string,
strlen(client_version_string)) != strlen(client_version_string))
fatal("write: %.100s", strerror(errno));
@@ -918,11 +918,11 @@
--- a/sshd.c
+++ b/sshd.c
@@ -367,7 +367,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
- char remote_version[256]; /* Must be at least as big as buf. */
+ }
- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
+ xasprintf(&server_version_string, "SSH-%d.%d-%s%s%s%s\r\n",
+- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, pkix_comment,
++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, pkix_comment,
*options.version_addendum == '\0' ? "" : " ",
options.version_addendum);
@@ -982,13 +982,14 @@
index e093f623..83f0932d 100644
--- a/version.h
+++ b/version.h
-@@ -3,4 +3,5 @@
+@@ -3,3 +3,6 @@
#define SSH_VERSION "OpenSSH_7.6"
- #define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+-#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
++#define SSH_PORTABLE "p1"
+#define SSH_HPN "-hpn14v12"
++#define SSH_X509 "-PKIXSSH-11.0"
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
++#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1" SSH_HPN
--
2.14.2


@ -0,0 +1,12 @@
diff --git a/openbsd-compat/freezero.c b/openbsd-compat/freezero.c
index 3af8f4a7..7f6bc7fa 100644
--- a/openbsd-compat/freezero.c
+++ b/openbsd-compat/freezero.c
@@ -14,6 +14,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
+#include <string.h>
#include "includes.h"
#ifndef HAVE_FREEZERO
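Review bot: The added `#include <string.h>` is placed ahead of `#include "includes.h"`, so the system header is parsed before config.h/defines.h have set portable OpenSSH's feature-test macros (on glibc that is where `_GNU_SOURCE` comes from, as far as I recall), and its include guard prevents a later pass from re-exposing anything. Under a strict `-std=` build that can leave `explicit_bzero` undeclared, which is presumably the very implicit-declaration warning this patch is meant to silence. Move the line below `#include "includes.h"` (inside the `#ifndef HAVE_FREEZERO` block is fine) and record the reason: `#include <string.h>	/* explicit_bzero(); must follow includes.h so feature macros apply */`.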


@ -0,0 +1,11 @@
--- a/openssh-7.6p1+x509-11.0.diff 2017-11-06 17:16:28.334140140 -0800
+++ b/openssh-7.6p1+x509-11.0.diff 2017-11-06 17:16:55.338223563 -0800
@@ -54732,7 +54732,7 @@
+int/*bool*/ ssh_x509store_addlocations(const X509StoreOptions *locations);
+
+typedef char SSHXSTOREPATH;
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+DECLARE_STACK_OF(SSHXSTOREPATH)
+# define sk_SSHXSTOREPATH_new_null() SKM_sk_new_null(SSHXSTOREPATH)
+# define sk_SSHXSTOREPATH_num(st) SKM_sk_num(SSHXSTOREPATH, (st))


@ -0,0 +1,21 @@
# /etc/conf.d/sshd: config file for /etc/init.d/sshd
# Where is your sshd_config file stored?
SSHD_CONFDIR="/etc/ssh"
# Any random options you want to pass to sshd.
# See the sshd(8) manpage for more info.
SSHD_OPTS=""
# Pid file to use (needs to be absolute path).
#SSHD_PIDFILE="/var/run/sshd.pid"
# Path to the sshd binary (needs to be absolute path).
#SSHD_BINARY="/usr/sbin/sshd"


@ -0,0 +1,84 @@
#!/sbin/openrc-run
# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
extra_commands="checkconfig"
extra_started_commands="reload"
: ${SSHD_CONFDIR:=/etc/ssh}
: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config}
: ${SSHD_PIDFILE:=/var/run/${SVCNAME}.pid}
: ${SSHD_BINARY:=/usr/sbin/sshd}
depend() {
use logger dns
if [ "${rc_need+set}" = "set" ] ; then
: # Do nothing, the user has explicitly set rc_need
else
local x warn_addr
for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do
case "${x}" in
0.0.0.0|0.0.0.0:*) ;;
::|\[::\]*) ;;
*) warn_addr="${warn_addr} ${x}" ;;
esac
done
if [ -n "${warn_addr}" ] ; then
need net
ewarn "You are binding an interface in ListenAddress statement in your sshd_config!"
ewarn "You must add rc_need=\"net.FOO\" to your /etc/conf.d/sshd"
ewarn "where FOO is the interface(s) providing the following address(es):"
ewarn "${warn_addr}"
fi
fi
}
checkconfig() {
if [ ! -d /var/empty ] ; then
mkdir -p /var/empty || return 1
fi
if [ ! -e "${SSHD_CONFIG}" ] ; then
eerror "You need an ${SSHD_CONFIG} file to run sshd"
eerror "There is a sample file in /usr/share/doc/openssh"
return 1
fi
ssh-keygen -A || return 1
[ "${SSHD_PIDFILE}" != "/var/run/sshd.pid" ] \
&& SSHD_OPTS="${SSHD_OPTS} -o PidFile=${SSHD_PIDFILE}"
[ "${SSHD_CONFIG}" != "/etc/ssh/sshd_config" ] \
&& SSHD_OPTS="${SSHD_OPTS} -f ${SSHD_CONFIG}"
"${SSHD_BINARY}" -t ${SSHD_OPTS} || return 1
}
start() {
checkconfig || return 1
ebegin "Starting ${SVCNAME}"
start-stop-daemon --start --exec "${SSHD_BINARY}" \
--pidfile "${SSHD_PIDFILE}" \
-- ${SSHD_OPTS}
eend $?
}
stop() {
if [ "${RC_CMD}" = "restart" ] ; then
checkconfig || return 1
fi
ebegin "Stopping ${SVCNAME}"
start-stop-daemon --stop --exec "${SSHD_BINARY}" \
--pidfile "${SSHD_PIDFILE}" --quiet
eend $?
}
reload() {
checkconfig || return 1
ebegin "Reloading ${SVCNAME}"
start-stop-daemon --signal HUP \
--exec "${SSHD_BINARY}" --pidfile "${SSHD_PIDFILE}"
eend $?
}
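Review bot: `checkconfig()` creates the privilege-separation directory with a bare `mkdir -p /var/empty`, and since this commit also drops `keepdir /var/empty` from the ebuild's src_install, that runtime mkdir looks like the only thing creating it on a fresh install; it takes its mode from the caller's umask and sets no owner, while sshd refuses to start when that directory is not root-owned or is group/world writable, so a permissive umask in the service environment becomes a failed start rather than a hardened chroot. Pin the mode explicitly: `mkdir -p /var/empty && chmod 0755 /var/empty || return 1`. I cannot tell from here whether `emake install-nokeys` already creates the directory; if it does, the explicit chmod is still cheap insurance against a later ownership or mode drift.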


@ -5,7 +5,6 @@ Conflicts=sshd.service
[Socket] [Socket]
ListenStream=22 ListenStream=22
Accept=yes Accept=yes
TriggerLimitBurst=0
[Install] [Install]
WantedBy=sockets.target WantedBy=sockets.target
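Review bot: Removing `TriggerLimitBurst=0` puts this `Accept=yes` socket back under systemd's default activation rate limit (a fixed number of triggers per short interval, 200 per 2 s on the systemd versions I know), and once it is exceeded systemd fails the socket unit and stops accepting, so an unauthenticated burst of connection attempts — a scan or a password brute-forcer — can take SSH offline until someone restarts the unit. If the line was dropped only to match Gentoo's copy, keep it (or a deliberately large value) and record why above `Accept=yes`: `# No trigger limit: a connection flood must not wedge the socket unit`. With per-connection activation sshd's own MaxStartups only throttles its listener mode, not inetd-style spawns, so per-source throttling belongs in the firewall.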


@ -1,56 +1,58 @@
# Copyright 1999-2017 Gentoo Foundation # Copyright 1999-2017 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2 # Distributed under the terms of the GNU General Public License v2
EAPI="5" EAPI=6
inherit eutils user flag-o-matic multilib autotools pam systemd versionator inherit user flag-o-matic multilib autotools pam systemd versionator
# Make it more portable between straight releases # Make it more portable between straight releases
# and _p? releases. # and _p? releases.
PARCH=${P/_} PARCH=${P/_}
#HPN_PATCH= #"${PARCH}-hpnssh14v12.tar.xz" #HPN_PATCH="${PARCH}-hpnssh14v12.tar.xz"
SCTP_PATCH="${PN}-7.4_p1-sctp.patch.xz" SCTP_PATCH="${PN}-7.6_p1-sctp.patch.xz"
LDAP_PATCH="${PN}-lpk-7.4p1-0.3.14.patch.xz" LDAP_PATCH="${PN}-lpk-7.6p1-0.3.14.patch.xz"
X509_VER="9.3" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz" X509_VER="11.0" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
DESCRIPTION="Port of OpenBSD's free SSH release" DESCRIPTION="Port of OpenBSD's free SSH release"
HOMEPAGE="http://www.openssh.org/" HOMEPAGE="http://www.openssh.org/"
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}} ${SCTP_PATCH:+https://dev.gentoo.org/~polynomial-c/${SCTP_PATCH}}
${HPN_PATCH:+hpn? ( mirror://gentoo/${HPN_PATCH} )} ${HPN_PATCH:+hpn? ( mirror://gentoo/${HPN_PATCH} )}
${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )} ${LDAP_PATCH:+ldap? ( https://dev.gentoo.org/~polynomial-c/${LDAP_PATCH} )}
${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
" "
LICENSE="BSD GPL-2" LICENSE="BSD GPL-2"
SLOT="0" SLOT="0"
KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris" KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
# Probably want to drop ssl defaulting to on in a future version. # Probably want to drop ssl defaulting to on in a future version.
IUSE="abi_mips_n32 debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509" IUSE="abi_mips_n32 audit bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey +ssl static test X X509"
REQUIRED_USE="ldns? ( ssl ) REQUIRED_USE="ldns? ( ssl )
pie? ( !static ) pie? ( !static )
ssh1? ( ssl )
static? ( !kerberos !pam ) static? ( !kerberos !pam )
X509? ( !hpn !ldap !sctp ssl ) X509? ( !ldap !sctp ssl )
test? ( ssl )" test? ( ssl )"
LIB_DEPEND=" LIB_DEPEND="
audit? ( sys-process/audit[static-libs(+)] )
ldns? ( ldns? (
net-libs/ldns[ecdsa,ssl,static-libs(+)] net-libs/ldns[static-libs(+)]
!bindist? ( net-libs/ldns[ecdsa,ssl] )
bindist? ( net-libs/ldns[-ecdsa,ssl] )
) )
libedit? ( dev-libs/libedit[static-libs(+)] ) libedit? ( dev-libs/libedit:=[static-libs(+)] )
sctp? ( net-misc/lksctp-tools[static-libs(+)] ) sctp? ( net-misc/lksctp-tools[static-libs(+)] )
selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] ) skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
ssl? ( ssl? (
!libressl? ( !libressl? (
>=dev-libs/openssl-0.9.8f:0[-bindist(-)] >=dev-libs/openssl-1.0.1:0=[bindist=]
dev-libs/openssl:0[static-libs(+)] dev-libs/openssl:0=[static-libs(+)]
) )
libressl? ( dev-libs/libressl[static-libs(+)] ) libressl? ( dev-libs/libressl:0=[static-libs(+)] )
) )
>=sys-libs/zlib-1.2.3[static-libs(+)]" >=sys-libs/zlib-1.2.3:=[static-libs(+)]"
RDEPEND=" RDEPEND="
!static? ( ${LIB_DEPEND//\[static-libs(+)]} ) !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
pam? ( virtual/pam ) pam? ( virtual/pam )
@ -66,7 +68,7 @@ RDEPEND="${RDEPEND}
userland_GNU? ( virtual/shadow ) userland_GNU? ( virtual/shadow )
X? ( x11-apps/xauth )" X? ( x11-apps/xauth )"
S=${WORKDIR}/${PARCH} S="${WORKDIR}/${PARCH}"
pkg_pretend() { pkg_pretend() {
# this sucks, but i'd rather have people unable to `emerge -u openssh` # this sucks, but i'd rather have people unable to `emerge -u openssh`
@ -107,30 +109,35 @@ src_prepare() {
# this file. # this file.
cp version.h version.h.pristine cp version.h version.h.pristine
eapply "${FILESDIR}/${P}-warnings.patch"
# don't break .ssh/authorized_keys2 for fun # don't break .ssh/authorized_keys2 for fun
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
if use X509 ; then if use X509 ; then
epatch "${WORKDIR}"/${X509_PATCH%.*} if use hpn ; then
# We no longer allow X509 to be used with anything else. pushd "${WORKDIR}" >/dev/null
#save_version X509 eapply "${FILESDIR}"/${P}-hpn-x509-${X509_VER}-glue.patch
eapply "${FILESDIR}"/${P}-x509-${X509_VER}-libressl.patch
popd >/dev/null
fi
save_version X509
eapply "${WORKDIR}"/${X509_PATCH%.*}
fi fi
if use ldap ; then if use ldap ; then
epatch "${WORKDIR}"/${LDAP_PATCH%.*} eapply "${WORKDIR}"/${LDAP_PATCH%.*}
save_version LPK save_version LPK
fi fi
epatch "${FILESDIR}"/${PN}-7.4_p1-GSSAPI-dns.patch #165444 integrated into gsskex eapply "${FILESDIR}"/${PN}-7.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex
epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
use X509 || epatch "${WORKDIR}"/${SCTP_PATCH%.*} use X509 || eapply "${WORKDIR}"/${SCTP_PATCH%.*}
epatch "${FILESDIR}"/${P}-test-bashism.patch use abi_mips_n32 && eapply "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch
use abi_mips_n32 && epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch
if use hpn ; then if use hpn ; then
EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \ elog "Applying HPN patchset ..."
EPATCH_MULTI_MSG="Applying HPN patchset ..." \ eapply "${WORKDIR}"/${HPN_PATCH%.*.*}
epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
save_version HPN save_version HPN
fi fi
@ -153,14 +160,14 @@ src_prepare() {
) )
sed -i "${sed_args[@]}" configure{.ac,} || die sed -i "${sed_args[@]}" configure{.ac,} || die
epatch_user #473004 eapply_user #473004
# Now we can build a sane merged version.h # Now we can build a sane merged version.h
( (
sed '/^#define SSH_RELEASE/d' version.h.* | sort -u sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
macros=() macros=()
for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done for p in HPN LPK X509; do [[ -e version.h.${p} ]] && macros+=( SSH_${p} ) ; done
printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}" printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros[*]}"
) > version.h ) > version.h
eautoreconf eautoreconf
@ -181,6 +188,7 @@ src_configure() {
--datadir="${EPREFIX}"/usr/share/openssh --datadir="${EPREFIX}"/usr/share/openssh
--with-privsep-path="${EPREFIX}"/var/empty --with-privsep-path="${EPREFIX}"/var/empty
--with-privsep-user=sshd --with-privsep-user=sshd
$(use_with audit audit linux)
$(use_with kerberos kerberos5 "${EPREFIX}"/usr) $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
# We apply the ldap patch conditionally, so can't pass --without-ldap # We apply the ldap patch conditionally, so can't pass --without-ldap
# unconditionally else we get unknown flag warnings. # unconditionally else we get unknown flag warnings.
@ -192,7 +200,6 @@ src_configure() {
$(use X509 || use_with sctp) $(use X509 || use_with sctp)
$(use_with selinux) $(use_with selinux)
$(use_with skey) $(use_with skey)
$(use_with ssh1)
$(use_with ssl openssl) $(use_with ssl openssl)
$(use_with ssl md5-passwords) $(use_with ssl md5-passwords)
$(use_with ssl ssl-engine) $(use_with ssl ssl-engine)
@ -208,7 +215,8 @@ src_install() {
emake install-nokeys DESTDIR="${D}" emake install-nokeys DESTDIR="${D}"
fperms 600 /etc/ssh/sshd_config fperms 600 /etc/ssh/sshd_config
dobin contrib/ssh-copy-id dobin contrib/ssh-copy-id
keepdir /var/empty newinitd "${FILESDIR}"/sshd.rc6.4 sshd
newconfd "${FILESDIR}"/sshd.confd sshd
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
if use pam ; then if use pam ; then
@ -294,9 +302,6 @@ pkg_postinst() {
elog "algorithm (ECDSA). You are encouraged to manually update your stored" elog "algorithm (ECDSA). You are encouraged to manually update your stored"
elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
fi fi
if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
fi
if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
elog "Make sure to update any configs that you might have. Note that xinetd might" elog "Make sure to update any configs that you might have. Note that xinetd might"
@ -313,9 +318,19 @@ pkg_postinst() {
elog "to 'prohibit-password'. That means password auth for root users no longer works" elog "to 'prohibit-password'. That means password auth for root users no longer works"
elog "out of the box. If you need this, please update your sshd_config explicitly." elog "out of the box. If you need this, please update your sshd_config explicitly."
fi fi
if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
elog "Furthermore, rsa keys with less than 1024 bits will be refused."
fi
if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
elog "Be aware that by disabling openssl support in openssh, the server and clients" elog "Be aware that by disabling openssl support in openssh, the server and clients"
elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
elog "and update all clients/servers that utilize them." elog "and update all clients/servers that utilize them."
fi fi
# remove this if aes-ctr-mt gets fixed
if use hpn; then
elog "The multithreaded AES-CTR cipher has been temporarily dropped from the HPN patch"
elog "set since it does not (yet) work with >=openssh-7.6p1."
fi
} }
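Review bot: In the src_prepare hunk the LibreSSL fix-up for the X509 diff (`${P}-x509-${X509_VER}-libressl.patch`, which by its headers edits `openssh-7.6p1+x509-11.0.diff` itself, not the HPN patch) is applied inside the `if use hpn` branch, so USE="X509 libressl -hpn" gets the unpatched diff and its `#if OPENSSL_VERSION_NUMBER < 0x10100000L` guard, which LibreSSL's version number does not satisfy. Move that `eapply` (with its `pushd "${WORKDIR}"`/`popd`) ahead of the hpn test so it runs for every X509 build, unless the X509 diff carries the same fix elsewhere, which I cannot see from here. While there, the `pushd`/`popd` pair ignores failure; ebuild convention is `pushd "${WORKDIR}" >/dev/null || die`.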