mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-21 22:41:09 +02:00
Code Issues Packages Projects Releases Wiki Activity

net-misc/openssh: Sync with Gentoo's latest ebuild

Browse Source 
In particular, this fixes CVE-2017-15906.
This commit is contained in:
David Michael 2017-11-17 15:56:48 -05:00
parent 3d2366730f
commit f9a93cbcc6
23 changed files with 239 additions and 1247 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/Manifest vendored
View File

@ -1,4 +1,4 @@
DIST openssh-7.4_p1-sctp.patch.xz 8220 SHA256 18fa77f79ccae8b9a76bc877e9602113d91953bd487b6cc8284bfd1217438a23 SHA512 0c199e3b26949482125aeaa88216b2458292589e3eac8908d9134d13a1cae891094fcb0f752ed3009b3126cc72277b460205f39140c251792eb1b545271c3bd4 WHIRLPOOL 0f0ea1d36523b35d3be33d22fb84daa05fd14c464d69c19695235f81d26326bc53d6804bf34d0cc0c2584f412bfdac361d2b018032447d1033a4ff4fd9458a09
DIST openssh-7.4p1+x509-9.3.diff.gz 446572 SHA256 1d3fd23b3d02a3baad50890bf5498ef01af6dab6375da0aeb00a0d59fd3ac9ee SHA512 7ebc8d1f6ec36d652bbb6fb13d6d86f7db1abf8710af7b56c52fad9a18d73c9028a3307daabfdda26483a3bd9196120f6d18b6fb2c89b597b0a9ad0554161dfc WHIRLPOOL f878346a3154b7dbb01de41830d5857064af96d3a709aed40a112fe9aaadbe4801e5c3a22a1d2c8437b74a890596211be37e26d691ff611981d7375d262598c1
DIST openssh-7.4p1.tar.gz 1511780 SHA256 1b1fc4a14e2024293181924ed24872e6f2e06293f3e8926a376b8aec481f19d1 SHA512 4f3256f461f01366c5d5e0e45285eec65016e2643b3284b407f48f53d81087bf2c1caf7d5f7530d307a15c91c64de91446e1cba948e8fc68f82098290fe3b292 WHIRLPOOL 4ed9a277287d1f5c2fd371b53394d6dde36b25adf92d4b6b5b486a9d448648f2ecfbb721ae39ba8a129913c1148aa4db1e99f7960a7c69fa215dfa7b3b126029
DIST openssh-lpk-7.4p1-0.3.14.patch.xz 17076 SHA256 3a5e4104507d259ad15391136322ea5d067d7932199bbafde5cb478daf3595ad SHA512 1c91de291816ee0bb29ed3a2ffc42fb6fb4ba27a8616f8bd50accdf31d1fecc9b4fb3de6fb1ea6e722b69eb8cab68030ade87e126a4112667d14f3c2ef07d6cd WHIRLPOOL ea27224da952c6fe46b974a0e73d01e872a963e7e7cc7e9887a423357fb4ff82f4513ce48b6bbf7136afa8447bc6d93daa817cf5b2e24cb39dba15cbcff6d2cc
DIST openssh-7.6_p1-sctp.patch.xz 6996 SHA256 ca61f0b015d2f7131620a2a4901800b70026755a52a7b882d437cd9813c2652d SHA512 8445a9a8ae8e8baa67c8f386117877ba3f39f33c9cdaff341c8d5fb4ce9dfe22f26d5aedc2b0d4aab67864994ec5a6a487d18b728bd5d5c6efe14175eb9c8151 WHIRLPOOL 27125d4a7d45f0bc67f424598542cf97e123824bce7911732891531b6a0aa37b7598f636e1643a6114626c2ccc622a50928ffcdb4357c7dc3d9c3d8c161d9626
DIST openssh-7.6p1+x509-11.0.diff.gz 440219 SHA256 bc4175ed8efce14579f10e242b25a23c959b1ff0e63b7c15493503eb654a960e SHA512 add86ecdaa696d997f869e6878aaaef285590cc5eddf301be651944bbc6c80af6a891bad6f6aaa4b6e9919ad865a27dc6f45a6e0b923ca52c04f06523fa3197a WHIRLPOOL 1b324f72a6cb0c895b3994d59f3505ff2a4a0529829cea07344a33a68ee4d43c22ba534a55454792618cd9f766cd40fa5af73cc054ee3a08bccdb6e8d0073b29
DIST openssh-7.6p1.tar.gz 1489788 SHA256 a323caeeddfe145baaa0db16e98d784b1fbc7dd436a6bf1f479dfd5cd1d21723 SHA512 de17fdcb8239401f76740c8d689a8761802f6df94e68d953f3c70b9f4f8bdb403617c48c1d01cc8c368d88e9d50aee540bf03d5a36687dfb39dfd28d73029d72 WHIRLPOOL 537b94555c7b36b2f7ef2ecd89e6671028f7cff9be758e631690ecd068510d59d6518077bf951e779e3c8a39706adb1682c6d5305edd6fc611ec19ce7953c751
DIST openssh-lpk-7.6p1-0.3.14.patch.xz 17044 SHA256 fd877cf084d4eb682c503b6e5f363b0564da2b50561367558a50ab239adf4017 SHA512 e9a2b18fd6a58354198b6e48199059d055451a5f09c99bf7293d0d54137a59c581a9cb3bd906f31589e03d8450fb017b9015e18c67b7b6ae840e336039436974 WHIRLPOOL 8410dc9dad24d8b3065ba85e7a7a66322b4d37eac0ef68e72143afa3aba2706e91c324798236b9d3e320e6903d27a7e426621bde92ded89ce26a16535e8c3d3c

11
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.1_p1-hpn-x509-glue.patch vendored
View File

@ -1,11 +0,0 @@
--- openssh-7.0p1-hpnssh14v5/0002-add-support-for-the-NONE-cipher.patch.orig 2015-08-24 11:17:05.379280954 -0700
+++ openssh-7.0p1-hpnssh14v5/0002-add-support-for-the-NONE-cipher.patch 2015-08-24 11:19:30.788424050 -0700
@@ -80,7 +80,7 @@
+ else
+ fatal("Pre-authentication none cipher requests are not allowed.");
+ }
- debug("kex: %s %s %s %s",
+ debug("kex: %s cipher: %s MAC: %s compression: %s",
ctos ? "client->server" : "server->client",
newkeys->enc.name,
diff --git a/myproposal.h b/myproposal.h

106
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.2_p1-GSSAPI-dns.patch vendored
View File

@ -1,106 +0,0 @@
http://bugs.gentoo.org/165444
https://bugzilla.mindrot.org/show_bug.cgi?id=1008
--- openssh-7.2p1/readconf.c
+++ openssh-7.2p1/readconf.c
@@ -148,6 +148,7 @@
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+ oGssTrustDns,
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
@@ -194,9 +195,11 @@
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
{ "gssapidelegatecredentials", oGssDelegateCreds },
+ { "gssapitrustdns", oGssTrustDns },
#else
{ "gssapiauthentication", oUnsupported },
{ "gssapidelegatecredentials", oUnsupported },
+ { "gssapitrustdns", oUnsupported },
#endif
{ "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated },
@@ -930,6 +933,10 @@
intptr = &options->gss_deleg_creds;
goto parse_flag;
+ case oGssTrustDns:
+ intptr = &options->gss_trust_dns;
+ goto parse_flag;
+
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
@@ -1649,6 +1656,7 @@
options->challenge_response_authentication = -1;
options->gss_authentication = -1;
options->gss_deleg_creds = -1;
+ options->gss_trust_dns = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
@@ -1779,6 +1787,8 @@
options->gss_authentication = 0;
if (options->gss_deleg_creds == -1)
options->gss_deleg_creds = 0;
+ if (options->gss_trust_dns == -1)
+ options->gss_trust_dns = 0;
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
--- openssh-7.2p1/readconf.h
+++ openssh-7.2p1/readconf.h
@@ -46,6 +46,7 @@
/* Try S/Key or TIS, authentication. */
int gss_authentication; /* Try GSS authentication */
int gss_deleg_creds; /* Delegate GSS credentials */
+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
int password_authentication; /* Try password
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
--- openssh-7.2p1/ssh_config.5
+++ openssh-7.2p1/ssh_config.5
@@ -830,6 +830,16 @@
Forward (delegate) credentials to the server.
The default is
.Dq no .
+Note that this option applies to protocol version 2 connections using GSSAPI.
+.It Cm GSSAPITrustDns
+Set to
+.Dq yes to indicate that the DNS is trusted to securely canonicalize
+the name of the host being connected to. If
+.Dq no, the hostname entered on the
+command line will be passed untouched to the GSSAPI library.
+The default is
+.Dq no .
+This option only applies to protocol version 2 connections using GSSAPI.
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
--- openssh-7.2p1/sshconnect2.c
+++ openssh-7.2p1/sshconnect2.c
@@ -656,6 +656,12 @@
static u_int mech = 0;
OM_uint32 min;
int ok = 0;
+ const char *gss_host;
+
+ if (options.gss_trust_dns)
+ gss_host = get_canonical_hostname(1);
+ else
+ gss_host = authctxt->host;
/* Try one GSSAPI method at a time, rather than sending them all at
* once. */
@@ -668,7 +674,7 @@
/* My DER encoding requires length<128 */
if (gss_supported->elements[mech].length < 128 &&
ssh_gssapi_check_mechanism(&gssctxt,
- &gss_supported->elements[mech], authctxt->host)) {
+ &gss_supported->elements[mech], gss_host)) {
ok = 1; /* Mechanism works */
} else {
mech++;

74
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.2_p1-sctp-x509-glue.patch vendored
View File

@ -1,74 +0,0 @@
--- openssh-7.2_p1-sctp.patch
+++ openssh-7.2_p1-sctp.patch
@@ -195,14 +195,6 @@
.Op Fl c Ar cipher
.Op Fl F Ar ssh_config
.Op Fl i Ar identity_file
-@@ -181,6 +181,7 @@ For full details of the options listed below, and their possible values, see
- .It ServerAliveCountMax
- .It StrictHostKeyChecking
- .It TCPKeepAlive
-+.It Transport
- .It UpdateHostKeys
- .It UsePrivilegedPort
- .It User
@@ -222,6 +223,8 @@ and
to print debugging messages about their progress.
This is helpful in
@@ -477,19 +469,11 @@
.Sh SYNOPSIS
.Nm ssh
.Bk -words
--.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy
-+.Op Fl 1246AaCfGgKkMNnqsTtVvXxYyz
+-.Op Fl 1246AaCdfgKkMNnqsTtVvXxYy
++.Op Fl 1246AaCdfgKkMNnqsTtVvXxYyz
.Op Fl b Ar bind_address
.Op Fl c Ar cipher_spec
.Op Fl D Oo Ar bind_address : Oc Ns Ar port
-@@ -536,6 +536,7 @@ For full details of the options listed below, and their possible values, see
- .It StreamLocalBindUnlink
- .It StrictHostKeyChecking
- .It TCPKeepAlive
-+.It Transport
- .It Tunnel
- .It TunnelDevice
- .It UpdateHostKeys
@@ -770,6 +771,8 @@ controls.
.Pp
.It Fl y
@@ -501,7 +485,7 @@
index f9ff91f..d0d92ce 100644
--- a/ssh.c
+++ b/ssh.c
-@@ -195,12 +195,17 @@ extern int muxserver_sock;
+@@ -195,11 +195,16 @@ extern int muxserver_sock;
extern u_int muxclient_command;
/* Prints a help message to the user. This function never returns. */
@@ -515,18 +499,17 @@
usage(void)
{
fprintf(stderr,
--"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
-+"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n"
+-"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
++"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n"
" [-D [bind_address:]port] [-E log_file] [-e escape_char]\n"
" [-F configfile] [-I pkcs11] [-i identity_file] [-L address]\n"
- " [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n"
@@ -605,7 +610,7 @@ main(int ac, char **av)
- argv0 = av[0];
+ # define ENGCONFIG ""
+ #endif
- again:
-- while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
-+ while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT
- "ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
+- while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx"
++ while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" SCTP_OPT
+ "ACD:E:F:" ENGCONFIG "I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
switch (opt) {
case '1':
@@ -845,6 +850,11 @@ main(int ac, char **av)

351
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-GSSAPI-dns.patch vendored
View File

@ -1,351 +0,0 @@
http://bugs.gentoo.org/165444
https://bugzilla.mindrot.org/show_bug.cgi?id=1008
--- a/readconf.c
+++ b/readconf.c
@@ -148,6 +148,7 @@
oClearAllForwardings, oNoHostAuthenticationForLocalhost,
oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+ oGssTrustDns,
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
@@ -194,9 +195,11 @@
#if defined(GSSAPI)
{ "gssapiauthentication", oGssAuthentication },
{ "gssapidelegatecredentials", oGssDelegateCreds },
+ { "gssapitrustdns", oGssTrustDns },
#else
{ "gssapiauthentication", oUnsupported },
{ "gssapidelegatecredentials", oUnsupported },
+ { "gssapitrustdns", oUnsupported },
#endif
{ "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated },
@@ -930,6 +933,10 @@
intptr = &options->gss_deleg_creds;
goto parse_flag;
+ case oGssTrustDns:
+ intptr = &options->gss_trust_dns;
+ goto parse_flag;
+
case oBatchMode:
intptr = &options->batch_mode;
goto parse_flag;
@@ -1649,6 +1656,7 @@
options->challenge_response_authentication = -1;
options->gss_authentication = -1;
options->gss_deleg_creds = -1;
+ options->gss_trust_dns = -1;
options->password_authentication = -1;
options->kbd_interactive_authentication = -1;
options->kbd_interactive_devices = NULL;
@@ -1779,6 +1787,8 @@
options->gss_authentication = 0;
if (options->gss_deleg_creds == -1)
options->gss_deleg_creds = 0;
+ if (options->gss_trust_dns == -1)
+ options->gss_trust_dns = 0;
if (options->password_authentication == -1)
options->password_authentication = 1;
if (options->kbd_interactive_authentication == -1)
--- a/readconf.h
+++ b/readconf.h
@@ -46,6 +46,7 @@
/* Try S/Key or TIS, authentication. */
int gss_authentication; /* Try GSS authentication */
int gss_deleg_creds; /* Delegate GSS credentials */
+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
int password_authentication; /* Try password
* authentication. */
int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -830,6 +830,16 @@
Forward (delegate) credentials to the server.
The default is
.Dq no .
+Note that this option applies to protocol version 2 connections using GSSAPI.
+.It Cm GSSAPITrustDns
+Set to
+.Dq yes to indicate that the DNS is trusted to securely canonicalize
+the name of the host being connected to. If
+.Dq no, the hostname entered on the
+command line will be passed untouched to the GSSAPI library.
+The default is
+.Dq no .
+This option only applies to protocol version 2 connections using GSSAPI.
.It Cm HashKnownHosts
Indicates that
.Xr ssh 1
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -656,6 +656,13 @@
static u_int mech = 0;
OM_uint32 min;
int ok = 0;
+ const char *gss_host;
+
+ if (options.gss_trust_dns) {
+ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
+ gss_host = auth_get_canonical_hostname(active_state, 1);
+ } else
+ gss_host = authctxt->host;
/* Try one GSSAPI method at a time, rather than sending them all at
* once. */
@@ -668,7 +674,7 @@
/* My DER encoding requires length<128 */
if (gss_supported->elements[mech].length < 128 &&
ssh_gssapi_check_mechanism(&gssctxt,
- &gss_supported->elements[mech], authctxt->host)) {
+ &gss_supported->elements[mech], gss_host)) {
ok = 1; /* Mechanism works */
} else {
mech++;
need to move these two funcs back to canohost so they're available to clients
and the server. auth.c is only used in the server.
--- a/auth.c
+++ b/auth.c
@@ -784,117 +784,3 @@ fakepw(void)
return (&fake);
}
-
-/*
- * Returns the remote DNS hostname as a string. The returned string must not
- * be freed. NB. this will usually trigger a DNS query the first time it is
- * called.
- * This function does additional checks on the hostname to mitigate some
- * attacks on legacy rhosts-style authentication.
- * XXX is RhostsRSAAuthentication vulnerable to these?
- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
- */
-
-static char *
-remote_hostname(struct ssh *ssh)
-{
- struct sockaddr_storage from;
- socklen_t fromlen;
- struct addrinfo hints, *ai, *aitop;
- char name[NI_MAXHOST], ntop2[NI_MAXHOST];
- const char *ntop = ssh_remote_ipaddr(ssh);
-
- /* Get IP address of client. */
- fromlen = sizeof(from);
- memset(&from, 0, sizeof(from));
- if (getpeername(ssh_packet_get_connection_in(ssh),
- (struct sockaddr *)&from, &fromlen) < 0) {
- debug("getpeername failed: %.100s", strerror(errno));
- return strdup(ntop);
- }
-
- ipv64_normalise_mapped(&from, &fromlen);
- if (from.ss_family == AF_INET6)
- fromlen = sizeof(struct sockaddr_in6);
-
- debug3("Trying to reverse map address %.100s.", ntop);
- /* Map the IP address to a host name. */
- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
- NULL, 0, NI_NAMEREQD) != 0) {
- /* Host name not found. Use ip address. */
- return strdup(ntop);
- }
-
- /*
- * if reverse lookup result looks like a numeric hostname,
- * someone is trying to trick us by PTR record like following:
- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
- */
- memset(&hints, 0, sizeof(hints));
- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
- hints.ai_flags = AI_NUMERICHOST;
- if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
- name, ntop);
- freeaddrinfo(ai);
- return strdup(ntop);
- }
-
- /* Names are stored in lowercase. */
- lowercase(name);
-
- /*
- * Map it back to an IP address and check that the given
- * address actually is an address of this host. This is
- * necessary because anyone with access to a name server can
- * define arbitrary names for an IP address. Mapping from
- * name to IP address can be trusted better (but can still be
- * fooled if the intruder has access to the name server of
- * the domain).
- */
- memset(&hints, 0, sizeof(hints));
- hints.ai_family = from.ss_family;
- hints.ai_socktype = SOCK_STREAM;
- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
- logit("reverse mapping checking getaddrinfo for %.700s "
- "[%s] failed.", name, ntop);
- return strdup(ntop);
- }
- /* Look for the address from the list of addresses. */
- for (ai = aitop; ai; ai = ai->ai_next) {
- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
- (strcmp(ntop, ntop2) == 0))
- break;
- }
- freeaddrinfo(aitop);
- /* If we reached the end of the list, the address was not there. */
- if (ai == NULL) {
- /* Address not found for the host name. */
- logit("Address %.100s maps to %.600s, but this does not "
- "map back to the address.", ntop, name);
- return strdup(ntop);
- }
- return strdup(name);
-}
-
-/*
- * Return the canonical name of the host in the other side of the current
- * connection. The host name is cached, so it is efficient to call this
- * several times.
- */
-
-const char *
-auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
-{
- static char *dnsname;
-
- if (!use_dns)
- return ssh_remote_ipaddr(ssh);
- else if (dnsname != NULL)
- return dnsname;
- else {
- dnsname = remote_hostname(ssh);
- return dnsname;
- }
-}
--- a/canohost.c
+++ b/canohost.c
@@ -202,3 +202,117 @@ get_local_port(int sock)
{
return get_sock_port(sock, 1);
}
+
+/*
+ * Returns the remote DNS hostname as a string. The returned string must not
+ * be freed. NB. this will usually trigger a DNS query the first time it is
+ * called.
+ * This function does additional checks on the hostname to mitigate some
+ * attacks on legacy rhosts-style authentication.
+ * XXX is RhostsRSAAuthentication vulnerable to these?
+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
+ */
+
+static char *
+remote_hostname(struct ssh *ssh)
+{
+ struct sockaddr_storage from;
+ socklen_t fromlen;
+ struct addrinfo hints, *ai, *aitop;
+ char name[NI_MAXHOST], ntop2[NI_MAXHOST];
+ const char *ntop = ssh_remote_ipaddr(ssh);
+
+ /* Get IP address of client. */
+ fromlen = sizeof(from);
+ memset(&from, 0, sizeof(from));
+ if (getpeername(ssh_packet_get_connection_in(ssh),
+ (struct sockaddr *)&from, &fromlen) < 0) {
+ debug("getpeername failed: %.100s", strerror(errno));
+ return strdup(ntop);
+ }
+
+ ipv64_normalise_mapped(&from, &fromlen);
+ if (from.ss_family == AF_INET6)
+ fromlen = sizeof(struct sockaddr_in6);
+
+ debug3("Trying to reverse map address %.100s.", ntop);
+ /* Map the IP address to a host name. */
+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
+ NULL, 0, NI_NAMEREQD) != 0) {
+ /* Host name not found. Use ip address. */
+ return strdup(ntop);
+ }
+
+ /*
+ * if reverse lookup result looks like a numeric hostname,
+ * someone is trying to trick us by PTR record like following:
+ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
+ */
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
+ hints.ai_flags = AI_NUMERICHOST;
+ if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
+ name, ntop);
+ freeaddrinfo(ai);
+ return strdup(ntop);
+ }
+
+ /* Names are stored in lowercase. */
+ lowercase(name);
+
+ /*
+ * Map it back to an IP address and check that the given
+ * address actually is an address of this host. This is
+ * necessary because anyone with access to a name server can
+ * define arbitrary names for an IP address. Mapping from
+ * name to IP address can be trusted better (but can still be
+ * fooled if the intruder has access to the name server of
+ * the domain).
+ */
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = from.ss_family;
+ hints.ai_socktype = SOCK_STREAM;
+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
+ logit("reverse mapping checking getaddrinfo for %.700s "
+ "[%s] failed.", name, ntop);
+ return strdup(ntop);
+ }
+ /* Look for the address from the list of addresses. */
+ for (ai = aitop; ai; ai = ai->ai_next) {
+ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
+ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
+ (strcmp(ntop, ntop2) == 0))
+ break;
+ }
+ freeaddrinfo(aitop);
+ /* If we reached the end of the list, the address was not there. */
+ if (ai == NULL) {
+ /* Address not found for the host name. */
+ logit("Address %.100s maps to %.600s, but this does not "
+ "map back to the address.", ntop, name);
+ return strdup(ntop);
+ }
+ return strdup(name);
+}
+
+/*
+ * Return the canonical name of the host in the other side of the current
+ * connection. The host name is cached, so it is efficient to call this
+ * several times.
+ */
+
+const char *
+auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
+{
+ static char *dnsname;
+
+ if (!use_dns)
+ return ssh_remote_ipaddr(ssh);
+ else if (dnsname != NULL)
+ return dnsname;
+ else {
+ dnsname = remote_hostname(ssh);
+ return dnsname;
+ }
+}

29
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-NEWKEYS_null_deref.patch vendored
View File

@ -1,29 +0,0 @@
https://bugs.gentoo.org/595342
Backport of
https://anongit.mindrot.org/openssh.git/patch/?id=28652bca29046f62c7045e933e6b931de1d16737
--- openssh-7.3p1/kex.c
+++ openssh-7.3p1/kex.c
@@ -419,6 +419,8 @@
ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
if ((r = sshpkt_get_end(ssh)) != 0)
return r;
+ if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
+ return r;
kex->done = 1;
sshbuf_reset(kex->peer);
/* sshbuf_reset(kex->my); */
--- openssh-7.3p1/packet.c
+++ openssh-7.3p1/packet.c
@@ -1919,9 +1919,7 @@
return r;
return SSH_ERR_PROTOCOL_ERROR;
}
- if (*typep == SSH2_MSG_NEWKEYS)
- r = ssh_set_newkeys(ssh, MODE_IN);
- else if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
+ if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
r = ssh_packet_enable_delayed_compress(ssh);
else
r = 0;

32
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-Unregister-the-KEXINIT-handler-after-receive.patch vendored
View File

@ -1,32 +0,0 @@
https://bugs.gentoo.org/597360
From ec165c392ca54317dbe3064a8c200de6531e89ad Mon Sep 17 00:00:00 2001
From: "markus@openbsd.org" <markus@openbsd.org>
Date: Mon, 10 Oct 2016 19:28:48 +0000
Subject: [PATCH] upstream commit
Unregister the KEXINIT handler after message has been
received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause
allocation of up to 128MB -- until the connection is closed. Reported by
shilei-c at 360.cn
Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05
---
kex.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kex.c b/kex.c
index 3f97f8c00919..6a94bc535bd7 100644
--- a/kex.c
+++ b/kex.c
@@ -481,6 +481,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
if (kex == NULL)
return SSH_ERR_INVALID_ARGUMENT;
+ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
ptr = sshpkt_ptr(ssh, &dlen);
if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
return r;
--
2.11.0.rc2

34
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-fix-ssh1-with-no-ssh1-host-key.patch vendored
View File

@ -1,34 +0,0 @@
https://bugs.gentoo.org/592122
From e600348a7afd6325cc5cd783cb424065cbc20434 Mon Sep 17 00:00:00 2001
From: "dtucker@openbsd.org" <dtucker@openbsd.org>
Date: Wed, 3 Aug 2016 04:23:55 +0000
Subject: [PATCH] upstream commit
Fix bug introduced in rev 1.467 which causes
"buffer_get_bignum_ret: incomplete message" errors when built with WITH_SSH1
and run such that no Protocol 1 ephemeral host key is generated (eg "Protocol
2", no SSH1 host key supplied). Reported by rainer.laatsch at t-online.de,
ok deraadt@
Upstream-ID: aa6b132da5c325523aed7989cc5a320497c919dc
---
sshd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sshd.c b/sshd.c
index 799c7711f49c..9fc829a91bc8 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1071,7 +1071,7 @@ send_rexec_state(int fd, struct sshbuf *conf)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
} else
#endif
- if ((r = sshbuf_put_u32(m, 1)) != 0)
+ if ((r = sshbuf_put_u32(m, 0)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
#if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY)
--
2.11.0.rc2

39
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-hpn-12-x509-9.2-glue.patch vendored
View File

@ -1,39 +0,0 @@
--- a/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch
+++ b/0003-Add-support-for-the-multi-threaded-AES-CTR-cipher.patch
@@ -1155,7 +1155,7 @@
@@ -44,7 +44,7 @@
LD=@LD@
CFLAGS=@CFLAGS@
- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
-LIBS=@LIBS@
+LIBS=@LIBS@ -lpthread
K5LIBS=@K5LIBS@
--- a/0004-support-dynamically-sized-receive-buffers.patch
+++ b/0004-support-dynamically-sized-receive-buffers.patch
@@ -2144,9 +2144,9 @@
@@ -527,10 +555,10 @@ send_client_banner(int connection_out, int minor1)
/* Send our own protocol version identification. */
if (compat20) {
- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n",
+- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509);
++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, SSH_X509);
} else {
xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
- PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
@@ -2163,9 +2163,9 @@
@@ -432,7 +432,7 @@
}
- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
-- major, minor, SSH_VERSION,
-+ major, minor, SSH_RELEASE,
+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
+- major, minor, SSH_VERSION, comment,
++ major, minor, SSH_RELEASE, comment,
*options.version_addendum == '\0' ? "" : " ",
options.version_addendum, newline);

245
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-hpn-cipher-ctr-mt-no-deadlocks.patch vendored
View File

@ -1,245 +0,0 @@
diff --git a/cipher-ctr-mt.c b/cipher-ctr-mt.c
index fdc9b2f..300cd90 100644
--- a/cipher-ctr-mt.c
+++ b/cipher-ctr-mt.c
@@ -127,7 +127,7 @@ struct kq {
u_char keys[KQLEN][AES_BLOCK_SIZE];
u_char ctr[AES_BLOCK_SIZE];
u_char pad0[CACHELINE_LEN];
- volatile int qstate;
+ int qstate;
pthread_mutex_t lock;
pthread_cond_t cond;
u_char pad1[CACHELINE_LEN];
@@ -141,6 +141,11 @@ struct ssh_aes_ctr_ctx
STATS_STRUCT(stats);
u_char aes_counter[AES_BLOCK_SIZE];
pthread_t tid[CIPHER_THREADS];
+ pthread_rwlock_t tid_lock;
+#ifdef __APPLE__
+ pthread_rwlock_t stop_lock;
+ int exit_flag;
+#endif /* __APPLE__ */
int state;
int qidx;
int ridx;
@@ -187,6 +192,57 @@ thread_loop_cleanup(void *x)
pthread_mutex_unlock((pthread_mutex_t *)x);
}
+#ifdef __APPLE__
+/* Check if we should exit, we are doing both cancel and exit condition
+ * since on OSX threads seem to occasionally fail to notice when they have
+ * been cancelled. We want to have a backup to make sure that we won't hang
+ * when the main process join()-s the cancelled thread.
+ */
+static void
+thread_loop_check_exit(struct ssh_aes_ctr_ctx *c)
+{
+ int exit_flag;
+
+ pthread_rwlock_rdlock(&c->stop_lock);
+ exit_flag = c->exit_flag;
+ pthread_rwlock_unlock(&c->stop_lock);
+
+ if (exit_flag)
+ pthread_exit(NULL);
+}
+#else
+# define thread_loop_check_exit(s)
+#endif /* __APPLE__ */
+
+/*
+ * Helper function to terminate the helper threads
+ */
+static void
+stop_and_join_pregen_threads(struct ssh_aes_ctr_ctx *c)
+{
+ int i;
+
+#ifdef __APPLE__
+ /* notify threads that they should exit */
+ pthread_rwlock_wrlock(&c->stop_lock);
+ c->exit_flag = TRUE;
+ pthread_rwlock_unlock(&c->stop_lock);
+#endif /* __APPLE__ */
+
+ /* Cancel pregen threads */
+ for (i = 0; i < CIPHER_THREADS; i++) {
+ pthread_cancel(c->tid[i]);
+ }
+ for (i = 0; i < NUMKQ; i++) {
+ pthread_mutex_lock(&c->q[i].lock);
+ pthread_cond_broadcast(&c->q[i].cond);
+ pthread_mutex_unlock(&c->q[i].lock);
+ }
+ for (i = 0; i < CIPHER_THREADS; i++) {
+ pthread_join(c->tid[i], NULL);
+ }
+}
+
/*
* The life of a pregen thread:
* Find empty keystream queues and fill them using their counter.
@@ -201,6 +257,7 @@ thread_loop(void *x)
struct kq *q;
int i;
int qidx;
+ pthread_t first_tid;
/* Threads stats on cancellation */
STATS_INIT(stats);
@@ -211,11 +268,15 @@ thread_loop(void *x)
/* Thread local copy of AES key */
memcpy(&key, &c->aes_ctx, sizeof(key));
+ pthread_rwlock_rdlock(&c->tid_lock);
+ first_tid = c->tid[0];
+ pthread_rwlock_unlock(&c->tid_lock);
+
/*
* Handle the special case of startup, one thread must fill
* the first KQ then mark it as draining. Lock held throughout.
*/
- if (pthread_equal(pthread_self(), c->tid[0])) {
+ if (pthread_equal(pthread_self(), first_tid)) {
q = &c->q[0];
pthread_mutex_lock(&q->lock);
if (q->qstate == KQINIT) {
@@ -245,12 +306,16 @@ thread_loop(void *x)
/* Check if I was cancelled, also checked in cond_wait */
pthread_testcancel();
+ /* Check if we should exit as well */
+ thread_loop_check_exit(c);
+
/* Lock queue and block if its draining */
q = &c->q[qidx];
pthread_mutex_lock(&q->lock);
pthread_cleanup_push(thread_loop_cleanup, &q->lock);
while (q->qstate == KQDRAINING || q->qstate == KQINIT) {
STATS_WAIT(stats);
+ thread_loop_check_exit(c);
pthread_cond_wait(&q->cond, &q->lock);
}
pthread_cleanup_pop(0);
@@ -268,6 +333,7 @@ thread_loop(void *x)
* can see that it's being filled.
*/
q->qstate = KQFILLING;
+ pthread_cond_broadcast(&q->cond);
pthread_mutex_unlock(&q->lock);
for (i = 0; i < KQLEN; i++) {
AES_encrypt(q->ctr, q->keys[i], &key);
@@ -279,7 +345,7 @@ thread_loop(void *x)
ssh_ctr_add(q->ctr, KQLEN * (NUMKQ - 1), AES_BLOCK_SIZE);
q->qstate = KQFULL;
STATS_FILL(stats);
- pthread_cond_signal(&q->cond);
+ pthread_cond_broadcast(&q->cond);
pthread_mutex_unlock(&q->lock);
}
@@ -371,6 +437,7 @@ ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
pthread_cond_wait(&q->cond, &q->lock);
}
q->qstate = KQDRAINING;
+ pthread_cond_broadcast(&q->cond);
pthread_mutex_unlock(&q->lock);
/* Mark consumed queue empty and signal producers */
@@ -397,6 +464,11 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
c = xmalloc(sizeof(*c));
+ pthread_rwlock_init(&c->tid_lock, NULL);
+#ifdef __APPLE__
+ pthread_rwlock_init(&c->stop_lock, NULL);
+ c->exit_flag = FALSE;
+#endif /* __APPLE__ */
c->state = HAVE_NONE;
for (i = 0; i < NUMKQ; i++) {
@@ -409,11 +481,14 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
}
if (c->state == (HAVE_KEY | HAVE_IV)) {
- /* Cancel pregen threads */
- for (i = 0; i < CIPHER_THREADS; i++)
- pthread_cancel(c->tid[i]);
- for (i = 0; i < CIPHER_THREADS; i++)
- pthread_join(c->tid[i], NULL);
+ /* tell the pregen threads to exit */
+ stop_and_join_pregen_threads(c);
+
+#ifdef __APPLE__
+ /* reset the exit flag */
+ c->exit_flag = FALSE;
+#endif /* __APPLE__ */
+
/* Start over getting key & iv */
c->state = HAVE_NONE;
}
@@ -444,10 +519,12 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
/* Start threads */
for (i = 0; i < CIPHER_THREADS; i++) {
debug("spawned a thread");
+ pthread_rwlock_wrlock(&c->tid_lock);
pthread_create(&c->tid[i], NULL, thread_loop, c);
+ pthread_rwlock_unlock(&c->tid_lock);
}
pthread_mutex_lock(&c->q[0].lock);
- while (c->q[0].qstate != KQDRAINING)
+ while (c->q[0].qstate == KQINIT)
pthread_cond_wait(&c->q[0].cond, &c->q[0].lock);
pthread_mutex_unlock(&c->q[0].lock);
}
@@ -461,15 +538,10 @@ void
ssh_aes_ctr_thread_destroy(EVP_CIPHER_CTX *ctx)
{
struct ssh_aes_ctr_ctx *c;
- int i;
+
c = EVP_CIPHER_CTX_get_app_data(ctx);
- /* destroy threads */
- for (i = 0; i < CIPHER_THREADS; i++) {
- pthread_cancel(c->tid[i]);
- }
- for (i = 0; i < CIPHER_THREADS; i++) {
- pthread_join(c->tid[i], NULL);
- }
+
+ stop_and_join_pregen_threads(c);
}
void
@@ -481,7 +553,9 @@ ssh_aes_ctr_thread_reconstruction(EVP_CIPHER_CTX *ctx)
/* reconstruct threads */
for (i = 0; i < CIPHER_THREADS; i++) {
debug("spawned a thread");
+ pthread_rwlock_wrlock(&c->tid_lock);
pthread_create(&c->tid[i], NULL, thread_loop, c);
+ pthread_rwlock_unlock(&c->tid_lock);
}
}
@@ -489,18 +563,13 @@ static int
ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx)
{
struct ssh_aes_ctr_ctx *c;
- int i;
if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
#ifdef CIPHER_THREAD_STATS
debug("main thread: %u drains, %u waits", c->stats.drains,
c->stats.waits);
#endif
- /* Cancel pregen threads */
- for (i = 0; i < CIPHER_THREADS; i++)
- pthread_cancel(c->tid[i]);
- for (i = 0; i < CIPHER_THREADS; i++)
- pthread_join(c->tid[i], NULL);
+ stop_and_join_pregen_threads(c);
memset(c, 0, sizeof(*c));
free(c);

41
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-9.2-glue.patch vendored
View File

@ -1,41 +0,0 @@
--- a/openssh-7.3_p1-hpn-14.10-r1.patch 2016-09-19 15:00:21.561121417 -0700
+++ b/openssh-7.3_p1-hpn-14.10-r1.patch 2016-09-19 15:22:51.337118439 -0700
@@ -1155,7 +1155,7 @@
@@ -44,7 +44,7 @@
LD=@LD@
CFLAGS=@CFLAGS@
- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
-LIBS=@LIBS@
+LIBS=@LIBS@ -lpthread
K5LIBS=@K5LIBS@
@@ -2144,12 +2144,12 @@
/* Bind the socket to an alternative local IP address */
if (options.bind_address == NULL && !privileged)
return sock;
-@@ -527,10 +555,10 @@
+@@ -555,10 +583,10 @@
/* Send our own protocol version identification. */
if (compat20) {
- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n",
+- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509);
++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, SSH_X509);
} else {
xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
- PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
@@ -2163,9 +2163,9 @@
@@ -432,7 +432,7 @@
}
- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
-- major, minor, SSH_VERSION,
-+ major, minor, SSH_RELEASE,
+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
+- major, minor, SSH_VERSION, comment,
++ major, minor, SSH_RELEASE, comment,
*options.version_addendum == '\0' ? "" : " ",
options.version_addendum, newline);

33
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-hpn-x509-glue.patch vendored
View File

@ -1,33 +0,0 @@
--- a/openssh-7.3_p1-hpn-14.10.patch 12:11:41.120750207 -0700
+++ b/openssh-7.3_p1-hpn-14.10.patch 14:00:44.311487904 -0700
@@ -141,7 +141,7 @@
@@ -44,7 +44,7 @@ CC=@CC@
LD=@LD@
CFLAGS=@CFLAGS@
- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
-LIBS=@LIBS@
+LIBS=@LIBS@ -lpthread
K5LIBS=@K5LIBS@
@@ -2098,7 +2098,7 @@
@@ -527,10 +555,10 @@ send_client_banner(int connection_out, int minor1)
/* Send our own protocol version identification. */
if (compat20) {
- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX\r\n",
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
} else {
@@ -2196,9 +2196,9 @@
@@ -431,7 +431,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
}
- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
-- major, minor, SSH_VERSION,
-+ major, minor, SSH_RELEASE,
+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
+- major, minor, SSH_VERSION, comment,
++ major, minor, SSH_RELEASE, comment,
*options.version_addendum == '\0' ? "" : " ",
options.version_addendum, newline);

67
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-sctp-x509-glue.patch vendored
View File

@ -1,67 +0,0 @@
--- a/openssh-7.3_p1-sctp.patch 2016-08-03 13:10:15.733228732 -0700
+++ b/openssh-7.3_p1-sctp.patch 2016-08-03 13:25:53.274630002 -0700
@@ -226,14 +226,6 @@
.Op Fl c Ar cipher
.Op Fl F Ar ssh_config
.Op Fl i Ar identity_file
-@@ -183,6 +183,7 @@ For full details of the options listed below, and their possible values, see
- .It ServerAliveCountMax
- .It StrictHostKeyChecking
- .It TCPKeepAlive
-+.It Transport
- .It UpdateHostKeys
- .It UsePrivilegedPort
- .It User
@@ -224,6 +225,8 @@ and
to print debugging messages about their progress.
This is helpful in
@@ -493,19 +485,11 @@
.Sh SYNOPSIS
.Nm ssh
.Bk -words
--.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy
-+.Op Fl 1246AaCfGgKkMNnqsTtVvXxYyz
+-.Op Fl 1246AaCdfgKkMNnqsTtVvXxYy
++.Op Fl 1246AaCdfgKkMNnqsTtVvXxYyz
.Op Fl b Ar bind_address
.Op Fl c Ar cipher_spec
.Op Fl D Oo Ar bind_address : Oc Ns Ar port
-@@ -558,6 +558,7 @@ For full details of the options listed below, and their possible values, see
- .It StreamLocalBindUnlink
- .It StrictHostKeyChecking
- .It TCPKeepAlive
-+.It Transport
- .It Tunnel
- .It TunnelDevice
- .It UpdateHostKeys
@@ -795,6 +796,8 @@ controls.
.Pp
.It Fl y
@@ -533,18 +517,18 @@
usage(void)
{
fprintf(stderr,
--"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
-+"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n"
+-"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n"
++"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n"
" [-D [bind_address:]port] [-E log_file] [-e escape_char]\n"
- " [-F configfile] [-I pkcs11] [-i identity_file]\n"
- " [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]\n"
+ " [-F configfile]\n"
+ #ifdef USE_OPENSSL_ENGINE
@@ -608,7 +613,7 @@ main(int ac, char **av)
- argv0 = av[0];
+ # define ENGCONFIG ""
+ #endif
- again:
-- while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
-+ while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT
- "ACD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
+- while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx"
++ while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" SCTP_OPT
+ "ACD:E:F:" ENGCONFIG "I:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
switch (opt) {
case '1':
@@ -857,6 +862,11 @@ main(int ac, char **av)

109
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.3_p1-x509-9.2-warnings.patch vendored
View File

@ -1,109 +0,0 @@
diff --git a/kex.c b/kex.c
index 143227a..c9b84c2 100644
--- a/kex.c
+++ b/kex.c
@@ -345,9 +345,9 @@ kex_reset_dispatch(struct ssh *ssh)
static int
kex_send_ext_info(struct ssh *ssh)
{
+#ifdef EXPERIMENTAL_RSA_SHA2_256
int r;
-#ifdef EXPERIMENTAL_RSA_SHA2_256
/* IMPORTANT NOTE:
* Do not offer rsa-sha2-* until is resolved misconfiguration issue
* with allowed public key algorithms!
diff --git a/key-eng.c b/key-eng.c
index 9bc50fd..bc0d03d 100644
--- a/key-eng.c
+++ b/key-eng.c
@@ -786,7 +786,6 @@ ssh_engines_shutdown() {
while (buffer_len(&eng_list) > 0) {
u_int k = 0;
char *s;
- ENGINE *e;
s = buffer_get_cstring_ret(&eng_list, &k);
ssh_engine_reset(s);
diff --git a/monitor.c b/monitor.c
index 345d3df..0de30ad 100644
--- a/monitor.c
+++ b/monitor.c
@@ -707,7 +707,7 @@ mm_answer_sign(int sock, Buffer *m)
(r = sshbuf_get_string(m, &p, &datlen)) != 0 ||
(r = sshbuf_get_cstring(m, &alg, &alglen)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
- if (keyid > INT_MAX)
+ if (keyid32 > INT_MAX)
fatal("%s: invalid key ID", __func__);
keyid = keyid32; /*save cast*/
diff --git a/readconf.c b/readconf.c
index beb38a0..1cbda7e 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1459,7 +1459,9 @@ parse_int:
case oHostKeyAlgorithms:
charptr = &options->hostkeyalgorithms;
+# if 0
parse_keytypes:
+# endif
arg = strdelim(&s);
if (!arg || *arg == '\0')
fatal("%.200s line %d: Missing argument.",
diff --git a/servconf.c b/servconf.c
index a540138..e77a344 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1574,7 +1573,9 @@ parse_string:
case sHostKeyAlgorithms:
charptr = &options->hostkeyalgorithms;
+# if 0
parse_keytypes:
+#endif
arg = strdelim(&cp);
if (!arg || *arg == '\0')
fatal("%s line %d: Missing argument.",
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index 50f04b7..3f9a7bf 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -273,21 +273,18 @@ pkcs11_dsa_finish(DSA *dsa)
}
#ifdef OPENSSL_HAS_ECC
+#ifdef HAVE_EC_KEY_METHOD_NEW
/* openssl callback for freeing an EC key */
static void
pkcs11_ec_finish(EC_KEY *ec)
{
struct pkcs11_key *k11;
-#ifdef HAVE_EC_KEY_METHOD_NEW
k11 = EC_KEY_get_ex_data(ec, ssh_pkcs11_ec_ctx_index);
EC_KEY_set_ex_data(ec, ssh_pkcs11_ec_ctx_index, NULL);
-#else
- k11 = ECDSA_get_ex_data(ec, ssh_pkcs11_ec_ctx_index);
- ECDSA_set_ex_data(ec, ssh_pkcs11_ec_ctx_index, NULL);
-#endif
pkcs11_key_free(k11);
}
+#endif /*def HAVE_EC_KEY_METHOD_NEW*/
#endif /*def OPENSSL_HAS_ECC*/
diff --git a/sshconnect.c b/sshconnect.c
index fd2a70e..0960be1 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -605,7 +605,7 @@ send_client_banner(int connection_out, int minor1)
{
/* Send our own protocol version identification. */
if (compat20) {
- xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%d]\r\n",
+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n",
PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, SSH_X509);
} else {
xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",

29
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.4_p1-test-bashism.patch vendored
View File

@ -1,29 +0,0 @@
https://lists.mindrot.org/pipermail/openssh-unix-dev/2016-December/035604.html
From dca2985bff146f756b0019b17f08c35f28841a04 Mon Sep 17 00:00:00 2001
From: Mike Frysinger <vapier@gentoo.org>
Date: Mon, 19 Dec 2016 15:59:00 -0500
Subject: [PATCH] regress/allow-deny-users.sh: fix bashism in test
The test command uses = for string compares, not ==. Using some POSIX
shells will reject this statement with an error about an unknown operator.
---
regress/allow-deny-users.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/regress/allow-deny-users.sh b/regress/allow-deny-users.sh
index 32a269afa97c..86805e19322b 100644
--- a/regress/allow-deny-users.sh
+++ b/regress/allow-deny-users.sh
@@ -4,7 +4,7 @@
tid="AllowUsers/DenyUsers"
me="$LOGNAME"
-if [ "x$me" == "x" ]; then
+if [ "x$me" = "x" ]; then
me=`whoami`
fi
other="nobody"
--
2.11.0.rc2

6
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.4_p1-GSSAPI-dns.patch → sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.5_p1-GSSAPI-dns.patch vendored
View File

@ -16,13 +16,13 @@ https://bugzilla.mindrot.org/show_bug.cgi?id=1008
{ "gssapiauthentication", oGssAuthentication },
{ "gssapidelegatecredentials", oGssDelegateCreds },
+ { "gssapitrustdns", oGssTrustDns },
#else
# else
{ "gssapiauthentication", oUnsupported },
{ "gssapidelegatecredentials", oUnsupported },
+ { "gssapitrustdns", oUnsupported },
#endif
{ "fallbacktorsh", oDeprecated },
{ "usersh", oDeprecated },
#ifdef ENABLE_PKCS11
{ "smartcarddevice", oPKCS11Provider },
@@ -930,6 +933,10 @@
intptr = &options->gss_deleg_creds;
goto parse_flag;

50
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.6_p1-hpn-x509-11.0-glue.patch vendored Normal file
View File

@ -0,0 +1,50 @@
--- a/openssh-7.6p1-hpnssh14v12/0004-support-dynamically-sized-receive-buffers.patch 2017-10-11 15:02:11.850912525 -0700
+++ b/openssh-7.6p1-hpnssh14v12/0004-support-dynamically-sized-receive-buffers.patch 2017-10-11 15:35:06.223424844 -0700
@@ -907,9 +907,9 @@
@@ -517,7 +544,7 @@ send_client_banner(int connection_out, int minor1)
{
/* Send our own protocol version identification. */
- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX[%s]\r\n",
+- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, PACKAGE_VERSION);
++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, PACKAGE_VERSION);
if (atomicio(vwrite, connection_out, client_version_string,
strlen(client_version_string)) != strlen(client_version_string))
fatal("write: %.100s", strerror(errno));
@@ -918,11 +918,11 @@
--- a/sshd.c
+++ b/sshd.c
@@ -367,7 +367,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
- char remote_version[256]; /* Must be at least as big as buf. */
+ }
- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
+ xasprintf(&server_version_string, "SSH-%d.%d-%s%s%s%s\r\n",
+- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, pkix_comment,
++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, pkix_comment,
*options.version_addendum == '\0' ? "" : " ",
options.version_addendum);
@@ -982,13 +982,14 @@
index e093f623..83f0932d 100644
--- a/version.h
+++ b/version.h
-@@ -3,4 +3,5 @@
+@@ -3,3 +3,6 @@
#define SSH_VERSION "OpenSSH_7.6"
- #define SSH_PORTABLE "p1"
--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+-#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
++#define SSH_PORTABLE "p1"
+#define SSH_HPN "-hpn14v12"
++#define SSH_X509 "-PKIXSSH-11.0"
-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
++#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1" SSH_HPN
--
2.14.2

12
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.6_p1-warnings.patch vendored Normal file
View File

@ -0,0 +1,12 @@
diff --git a/openbsd-compat/freezero.c b/openbsd-compat/freezero.c
index 3af8f4a7..7f6bc7fa 100644
--- a/openbsd-compat/freezero.c
+++ b/openbsd-compat/freezero.c
@@ -14,6 +14,7 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
+#include <string.h>
#include "includes.h"
#ifndef HAVE_FREEZERO

11
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/openssh-7.6_p1-x509-11.0-libressl.patch vendored Normal file
View File

@ -0,0 +1,11 @@
--- a/openssh-7.6p1+x509-11.0.diff 2017-11-06 17:16:28.334140140 -0800
+++ b/openssh-7.6p1+x509-11.0.diff 2017-11-06 17:16:55.338223563 -0800
@@ -54732,7 +54732,7 @@
+int/*bool*/ ssh_x509store_addlocations(const X509StoreOptions *locations);
+
+typedef char SSHXSTOREPATH;
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+DECLARE_STACK_OF(SSHXSTOREPATH)
+# define sk_SSHXSTOREPATH_new_null() SKM_sk_new_null(SSHXSTOREPATH)
+# define sk_SSHXSTOREPATH_num(st) SKM_sk_num(SSHXSTOREPATH, (st))

21
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.confd vendored Normal file
View File

@ -0,0 +1,21 @@
# /etc/conf.d/sshd: config file for /etc/init.d/sshd
# Where is your sshd_config file stored?
SSHD_CONFDIR="/etc/ssh"
# Any random options you want to pass to sshd.
# See the sshd(8) manpage for more info.
SSHD_OPTS=""
# Pid file to use (needs to be absolute path).
#SSHD_PIDFILE="/var/run/sshd.pid"
# Path to the sshd binary (needs to be absolute path).
#SSHD_BINARY="/usr/sbin/sshd"

84
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.rc6.4 vendored Normal file
View File

@ -0,0 +1,84 @@
#!/sbin/openrc-run
# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
extra_commands="checkconfig"
extra_started_commands="reload"
: ${SSHD_CONFDIR:=/etc/ssh}
: ${SSHD_CONFIG:=${SSHD_CONFDIR}/sshd_config}
: ${SSHD_PIDFILE:=/var/run/${SVCNAME}.pid}
: ${SSHD_BINARY:=/usr/sbin/sshd}
depend() {
use logger dns
if [ "${rc_need+set}" = "set" ] ; then
: # Do nothing, the user has explicitly set rc_need
else
local x warn_addr
for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do
case "${x}" in
0.0.0.0|0.0.0.0:*) ;;
::|\[::\]*) ;;
*) warn_addr="${warn_addr} ${x}" ;;
esac
done
if [ -n "${warn_addr}" ] ; then
need net
ewarn "You are binding an interface in ListenAddress statement in your sshd_config!"
ewarn "You must add rc_need=\"net.FOO\" to your /etc/conf.d/sshd"
ewarn "where FOO is the interface(s) providing the following address(es):"
ewarn "${warn_addr}"
fi
fi
}
checkconfig() {
if [ ! -d /var/empty ] ; then
mkdir -p /var/empty || return 1
fi
if [ ! -e "${SSHD_CONFIG}" ] ; then
eerror "You need an ${SSHD_CONFIG} file to run sshd"
eerror "There is a sample file in /usr/share/doc/openssh"
return 1
fi
ssh-keygen -A || return 1
[ "${SSHD_PIDFILE}" != "/var/run/sshd.pid" ] \
&& SSHD_OPTS="${SSHD_OPTS} -o PidFile=${SSHD_PIDFILE}"
[ "${SSHD_CONFIG}" != "/etc/ssh/sshd_config" ] \
&& SSHD_OPTS="${SSHD_OPTS} -f ${SSHD_CONFIG}"
"${SSHD_BINARY}" -t ${SSHD_OPTS} || return 1
}
start() {
checkconfig || return 1
ebegin "Starting ${SVCNAME}"
start-stop-daemon --start --exec "${SSHD_BINARY}" \
--pidfile "${SSHD_PIDFILE}" \
-- ${SSHD_OPTS}
eend $?
}
stop() {
if [ "${RC_CMD}" = "restart" ] ; then
checkconfig || return 1
fi
ebegin "Stopping ${SVCNAME}"
start-stop-daemon --stop --exec "${SSHD_BINARY}" \
--pidfile "${SSHD_PIDFILE}" --quiet
eend $?
}
reload() {
checkconfig || return 1
ebegin "Reloading ${SVCNAME}"
start-stop-daemon --signal HUP \
--exec "${SSHD_BINARY}" --pidfile "${SSHD_PIDFILE}"
eend $?
}

1
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/files/sshd.socket vendored
View File

@ -5,7 +5,6 @@ Conflicts=sshd.service
[Socket]
ListenStream=22
Accept=yes
TriggerLimitBurst=0
[Install]
WantedBy=sockets.target

93
sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.4_p1-r1.ebuild → sdk_container/src/third_party/coreos-overlay/net-misc/openssh/openssh-7.6_p1-r1.ebuild vendored
View File

@ -1,56 +1,58 @@
# Copyright 1999-2017 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
EAPI="5"
EAPI=6
inherit eutils user flag-o-matic multilib autotools pam systemd versionator
inherit user flag-o-matic multilib autotools pam systemd versionator
# Make it more portable between straight releases
# and _p? releases.
PARCH=${P/_}
#HPN_PATCH= #"${PARCH}-hpnssh14v12.tar.xz"
SCTP_PATCH="${PN}-7.4_p1-sctp.patch.xz"
LDAP_PATCH="${PN}-lpk-7.4p1-0.3.14.patch.xz"
X509_VER="9.3" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
#HPN_PATCH="${PARCH}-hpnssh14v12.tar.xz"
SCTP_PATCH="${PN}-7.6_p1-sctp.patch.xz"
LDAP_PATCH="${PN}-lpk-7.6p1-0.3.14.patch.xz"
X509_VER="11.0" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
DESCRIPTION="Port of OpenBSD's free SSH release"
HOMEPAGE="http://www.openssh.org/"
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
${SCTP_PATCH:+https://dev.gentoo.org/~polynomial-c/${SCTP_PATCH}}
${HPN_PATCH:+hpn? ( mirror://gentoo/${HPN_PATCH} )}
${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
${LDAP_PATCH:+ldap? ( https://dev.gentoo.org/~polynomial-c/${LDAP_PATCH} )}
${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
"
LICENSE="BSD GPL-2"
SLOT="0"
KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
# Probably want to drop ssl defaulting to on in a future version.
IUSE="abi_mips_n32 debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"
IUSE="abi_mips_n32 audit bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey +ssl static test X X509"
REQUIRED_USE="ldns? ( ssl )
pie? ( !static )
ssh1? ( ssl )
static? ( !kerberos !pam )
X509? ( !hpn !ldap !sctp ssl )
X509? ( !ldap !sctp ssl )
test? ( ssl )"
LIB_DEPEND="
audit? ( sys-process/audit[static-libs(+)] )
ldns? (
net-libs/ldns[ecdsa,ssl,static-libs(+)]
net-libs/ldns[static-libs(+)]
!bindist? ( net-libs/ldns[ecdsa,ssl] )
bindist? ( net-libs/ldns[-ecdsa,ssl] )
)
libedit? ( dev-libs/libedit[static-libs(+)] )
libedit? ( dev-libs/libedit:=[static-libs(+)] )
sctp? ( net-misc/lksctp-tools[static-libs(+)] )
selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
ssl? (
!libressl? (
>=dev-libs/openssl-0.9.8f:0[-bindist(-)]
dev-libs/openssl:0[static-libs(+)]
>=dev-libs/openssl-1.0.1:0=[bindist=]
dev-libs/openssl:0=[static-libs(+)]
)
libressl? ( dev-libs/libressl[static-libs(+)] )
libressl? ( dev-libs/libressl:0=[static-libs(+)] )
)
>=sys-libs/zlib-1.2.3[static-libs(+)]"
>=sys-libs/zlib-1.2.3:=[static-libs(+)]"
RDEPEND="
!static? ( ${LIB_DEPEND//\[static-libs(+)]} )
pam? ( virtual/pam )
@ -66,7 +68,7 @@ RDEPEND="${RDEPEND}
userland_GNU? ( virtual/shadow )
X? ( x11-apps/xauth )"
S=${WORKDIR}/${PARCH}
S="${WORKDIR}/${PARCH}"
pkg_pretend() {
# this sucks, but i'd rather have people unable to `emerge -u openssh`
@ -107,30 +109,35 @@ src_prepare() {
# this file.
cp version.h version.h.pristine
eapply "${FILESDIR}/${P}-warnings.patch"
# don't break .ssh/authorized_keys2 for fun
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
if use X509 ; then
epatch "${WORKDIR}"/${X509_PATCH%.*}
# We no longer allow X509 to be used with anything else.
#save_version X509
if use hpn ; then
pushd "${WORKDIR}" >/dev/null
eapply "${FILESDIR}"/${P}-hpn-x509-${X509_VER}-glue.patch
eapply "${FILESDIR}"/${P}-x509-${X509_VER}-libressl.patch
popd >/dev/null
fi
save_version X509
eapply "${WORKDIR}"/${X509_PATCH%.*}
fi
if use ldap ; then
epatch "${WORKDIR}"/${LDAP_PATCH%.*}
eapply "${WORKDIR}"/${LDAP_PATCH%.*}
save_version LPK
fi
epatch "${FILESDIR}"/${PN}-7.4_p1-GSSAPI-dns.patch #165444 integrated into gsskex
epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
use X509 || epatch "${WORKDIR}"/${SCTP_PATCH%.*}
epatch "${FILESDIR}"/${P}-test-bashism.patch
use abi_mips_n32 && epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch
eapply "${FILESDIR}"/${PN}-7.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex
eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
use X509 || eapply "${WORKDIR}"/${SCTP_PATCH%.*}
use abi_mips_n32 && eapply "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch
if use hpn ; then
EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
EPATCH_MULTI_MSG="Applying HPN patchset ..." \
epatch "${WORKDIR}"/${HPN_PATCH%.*.*}
elog "Applying HPN patchset ..."
eapply "${WORKDIR}"/${HPN_PATCH%.*.*}
save_version HPN
fi
@ -153,14 +160,14 @@ src_prepare() {
)
sed -i "${sed_args[@]}" configure{.ac,} || die
epatch_user #473004
eapply_user #473004
# Now we can build a sane merged version.h
(
sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
macros=()
for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
for p in HPN LPK X509; do [[ -e version.h.${p} ]] && macros+=( SSH_${p} ) ; done
printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros[*]}"
) > version.h
eautoreconf
@ -181,6 +188,7 @@ src_configure() {
--datadir="${EPREFIX}"/usr/share/openssh
--with-privsep-path="${EPREFIX}"/var/empty
--with-privsep-user=sshd
$(use_with audit audit linux)
$(use_with kerberos kerberos5 "${EPREFIX}"/usr)
# We apply the ldap patch conditionally, so can't pass --without-ldap
# unconditionally else we get unknown flag warnings.
@ -192,7 +200,6 @@ src_configure() {
$(use X509 || use_with sctp)
$(use_with selinux)
$(use_with skey)
$(use_with ssh1)
$(use_with ssl openssl)
$(use_with ssl md5-passwords)
$(use_with ssl ssl-engine)
@ -208,7 +215,8 @@ src_install() {
emake install-nokeys DESTDIR="${D}"
fperms 600 /etc/ssh/sshd_config
dobin contrib/ssh-copy-id
keepdir /var/empty
newinitd "${FILESDIR}"/sshd.rc6.4 sshd
newconfd "${FILESDIR}"/sshd.confd sshd
newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
if use pam ; then
@ -294,9 +302,6 @@ pkg_postinst() {
elog "algorithm (ECDSA). You are encouraged to manually update your stored"
elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
fi
if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
fi
if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
elog "Make sure to update any configs that you might have. Note that xinetd might"
@ -313,9 +318,19 @@ pkg_postinst() {
elog "to 'prohibit-password'. That means password auth for root users no longer works"
elog "out of the box. If you need this, please update your sshd_config explicitly."
fi
if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
elog "Furthermore, rsa keys with less than 1024 bits will be refused."
fi
if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
elog "Be aware that by disabling openssl support in openssh, the server and clients"
elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
elog "and update all clients/servers that utilize them."
fi
# remove this if aes-ctr-mt gets fixed
if use hpn; then
elog "The multithreaded AES-CTR cipher has been temporarily dropped from the HPN patch"
elog "set since it does not (yet) work with >=openssh-7.6p1."
fi
}