* [gentoo-commits] proj/hardened-dev:musl commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2014-01-18 14:32 Anthony G. Basile
From: Anthony G. Basile @ 2014-01-18 14:32 UTC (permalink / raw
To: gentoo-commits
commit: 6dc19a9c6adfda6958c56115287872a3ec4fedfd
Author: layman <layman <AT> localhost>
AuthorDate: Wed Jan 15 15:09:16 2014 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sat Jan 18 14:31:54 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=6dc19a9c
net-misc/openssh: working on it
---
.../openssh/files/openssh-4.7_p1-GSSAPI-dns.patch | 127 +++++++++
.../openssh-5.9_p1-sshd-gssapi-multihomed.patch | 184 ++++++++++++
.../openssh/files/openssh-6.3_p1-x509-glue.patch | 16 ++
.../files/openssh-6.3_p1-x509-hpn14v2-glue.patch | 51 ++++
.../openssh/files/openssh-6.4_p1-x509-glue.patch | 30 ++
net-misc/openssh/files/sshd.confd | 21 ++
net-misc/openssh/files/sshd.pam_include.2 | 4 +
net-misc/openssh/files/sshd.rc6.4 | 87 ++++++
net-misc/openssh/files/sshd.service | 11 +
net-misc/openssh/files/sshd.socket | 10 +
net-misc/openssh/files/sshd_at.service | 8 +
net-misc/openssh/metadata.xml | 33 +++
net-misc/openssh/openssh-6.4_p1-r99.ebuild | 307 +++++++++++++++++++++
13 files changed, 889 insertions(+)
diff --git a/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch
new file mode 100644
index 0000000..c81ae5c
--- /dev/null
+++ b/net-misc/openssh/files/openssh-4.7_p1-GSSAPI-dns.patch
@@ -0,0 +1,127 @@
+http://bugs.gentoo.org/165444
+https://bugzilla.mindrot.org/show_bug.cgi?id=1008
+
+Index: readconf.c
+===================================================================
+RCS file: /cvs/openssh/readconf.c,v
+retrieving revision 1.135
+diff -u -r1.135 readconf.c
+--- readconf.c 5 Aug 2006 02:39:40 -0000 1.135
++++ readconf.c 19 Aug 2006 11:59:52 -0000
+@@ -126,6 +126,7 @@
+ oClearAllForwardings, oNoHostAuthenticationForLocalhost,
+ oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
+ oAddressFamily, oGssAuthentication, oGssDelegateCreds,
++ oGssTrustDns,
+ oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
+ oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
+ oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
+@@ -163,9 +164,11 @@
+ #if defined(GSSAPI)
+ { "gssapiauthentication", oGssAuthentication },
+ { "gssapidelegatecredentials", oGssDelegateCreds },
++ { "gssapitrustdns", oGssTrustDns },
+ #else
+ { "gssapiauthentication", oUnsupported },
+ { "gssapidelegatecredentials", oUnsupported },
++ { "gssapitrustdns", oUnsupported },
+ #endif
+ { "fallbacktorsh", oDeprecated },
+ { "usersh", oDeprecated },
+@@ -444,6 +447,10 @@
+ intptr = &options->gss_deleg_creds;
+ goto parse_flag;
+
++ case oGssTrustDns:
++ intptr = &options->gss_trust_dns;
++ goto parse_flag;
++
+ case oBatchMode:
+ intptr = &options->batch_mode;
+ goto parse_flag;
+@@ -1010,6 +1017,7 @@
+ options->challenge_response_authentication = -1;
+ options->gss_authentication = -1;
+ options->gss_deleg_creds = -1;
++ options->gss_trust_dns = -1;
+ options->password_authentication = -1;
+ options->kbd_interactive_authentication = -1;
+ options->kbd_interactive_devices = NULL;
+@@ -1100,6 +1108,8 @@
+ options->gss_authentication = 0;
+ if (options->gss_deleg_creds == -1)
+ options->gss_deleg_creds = 0;
++ if (options->gss_trust_dns == -1)
++ options->gss_trust_dns = 0;
+ if (options->password_authentication == -1)
+ options->password_authentication = 1;
+ if (options->kbd_interactive_authentication == -1)
+Index: readconf.h
+===================================================================
+RCS file: /cvs/openssh/readconf.h,v
+retrieving revision 1.63
+diff -u -r1.63 readconf.h
+--- readconf.h 5 Aug 2006 02:39:40 -0000 1.63
++++ readconf.h 19 Aug 2006 11:59:52 -0000
+@@ -45,6 +45,7 @@
+ /* Try S/Key or TIS, authentication. */
+ int gss_authentication; /* Try GSS authentication */
+ int gss_deleg_creds; /* Delegate GSS credentials */
++ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
+ int password_authentication; /* Try password
+ * authentication. */
+ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
+Index: ssh_config.5
+===================================================================
+RCS file: /cvs/openssh/ssh_config.5,v
+retrieving revision 1.97
+diff -u -r1.97 ssh_config.5
+--- ssh_config.5 5 Aug 2006 01:34:51 -0000 1.97
++++ ssh_config.5 19 Aug 2006 11:59:53 -0000
+@@ -483,7 +483,16 @@
+ Forward (delegate) credentials to the server.
+ The default is
+ .Dq no .
+-Note that this option applies to protocol version 2 only.
++Note that this option applies to protocol version 2 connections using GSSAPI.
++.It Cm GSSAPITrustDns
++Set to
++.Dq yes to indicate that the DNS is trusted to securely canonicalize
++the name of the host being connected to. If
++.Dq no, the hostname entered on the
++command line will be passed untouched to the GSSAPI library.
++The default is
++.Dq no .
++This option only applies to protocol version 2 connections using GSSAPI.
+ .It Cm HashKnownHosts
+ Indicates that
+ .Xr ssh 1
+Index: sshconnect2.c
+===================================================================
+RCS file: /cvs/openssh/sshconnect2.c,v
+retrieving revision 1.151
+diff -u -r1.151 sshconnect2.c
+--- sshconnect2.c 18 Aug 2006 14:33:34 -0000 1.151
++++ sshconnect2.c 19 Aug 2006 11:59:53 -0000
+@@ -499,6 +499,12 @@
+ static u_int mech = 0;
+ OM_uint32 min;
+ int ok = 0;
++ const char *gss_host;
++
++ if (options.gss_trust_dns)
++ gss_host = get_canonical_hostname(1);
++ else
++ gss_host = authctxt->host;
+
+ /* Try one GSSAPI method at a time, rather than sending them all at
+ * once. */
+@@ -511,7 +517,7 @@
+ /* My DER encoding requires length<128 */
+ if (gss_supported->elements[mech].length < 128 &&
+ ssh_gssapi_check_mechanism(&gssctxt,
+- &gss_supported->elements[mech], authctxt->host)) {
++ &gss_supported->elements[mech], gss_host)) {
+ ok = 1; /* Mechanism works */
+ } else {
+ mech++;
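Review bot: The sshconnect2.c hunk makes the GSSAPI target principal depend on `get_canonical_hostname(1)`, i.e. a reverse-DNS lookup, whenever gss_trust_dns is set, so whoever controls the resolver answer chooses the host principal the client obtains a service ticket for; combined with GSSAPIDelegateCredentials that also decides where the user's delegated credentials end up. The ssh_config.5 text should state this next to the default, e.g. `Enabling this together with GSSAPIDelegateCredentials forwards credentials to whichever host DNS names for the target, so leave it off unless the resolver path is trusted or DNS answers are authenticated.` Separately, `.Dq yes to indicate that the DNS is trusted to securely canonicalize` and `.Dq no, the hostname entered on the` put prose on the `.Dq` line, so mdoc quotes the whole line; the value should stand alone as `.Dq yes` / `.Dq no ,` with the sentence continuing on the next line, as the existing `.Dq no .` lines do. The function that owns the new `gss_host` variable starts outside the hunk.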
diff --git a/net-misc/openssh/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch b/net-misc/openssh/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch
new file mode 100644
index 0000000..6377d03
--- /dev/null
+++ b/net-misc/openssh/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch
@@ -0,0 +1,184 @@
+Index: gss-serv.c
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/gss-serv.c,v
+retrieving revision 1.22
+diff -u -p -r1.22 gss-serv.c
+--- gss-serv.c 8 May 2008 12:02:23 -0000 1.22
++++ gss-serv.c 11 Jan 2010 05:38:29 -0000
+@@ -41,9 +41,12 @@
+ #include "channels.h"
+ #include "session.h"
+ #include "misc.h"
++#include "servconf.h"
+
+ #include "ssh-gss.h"
+
++extern ServerOptions options;
++
+ static ssh_gssapi_client gssapi_client =
+ { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
+ GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
+@@ -77,25 +80,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
+ char lname[MAXHOSTNAMELEN];
+ gss_OID_set oidset;
+
+- gss_create_empty_oid_set(&status, &oidset);
+- gss_add_oid_set_member(&status, ctx->oid, &oidset);
+-
+- if (gethostname(lname, MAXHOSTNAMELEN)) {
+- gss_release_oid_set(&status, &oidset);
+- return (-1);
+- }
++ if (options.gss_strict_acceptor) {
++ gss_create_empty_oid_set(&status, &oidset);
++ gss_add_oid_set_member(&status, ctx->oid, &oidset);
++
++ if (gethostname(lname, MAXHOSTNAMELEN)) {
++ gss_release_oid_set(&status, &oidset);
++ return (-1);
++ }
++
++ if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
++ gss_release_oid_set(&status, &oidset);
++ return (ctx->major);
++ }
++
++ if ((ctx->major = gss_acquire_cred(&ctx->minor,
++ ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds,
++ NULL, NULL)))
++ ssh_gssapi_error(ctx);
+
+- if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
+ gss_release_oid_set(&status, &oidset);
+ return (ctx->major);
++ } else {
++ ctx->name = GSS_C_NO_NAME;
++ ctx->creds = GSS_C_NO_CREDENTIAL;
+ }
+-
+- if ((ctx->major = gss_acquire_cred(&ctx->minor,
+- ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
+- ssh_gssapi_error(ctx);
+-
+- gss_release_oid_set(&status, &oidset);
+- return (ctx->major);
++ return GSS_S_COMPLETE;
+ }
+
+ /* Privileged */
+Index: servconf.c
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/servconf.c,v
+retrieving revision 1.201
+diff -u -p -r1.201 servconf.c
+--- servconf.c 10 Jan 2010 03:51:17 -0000 1.201
++++ servconf.c 11 Jan 2010 05:34:56 -0000
+@@ -86,6 +86,7 @@ initialize_server_options(ServerOptions
+ options->kerberos_get_afs_token = -1;
+ options->gss_authentication=-1;
+ options->gss_cleanup_creds = -1;
++ options->gss_strict_acceptor = -1;
+ options->password_authentication = -1;
+ options->kbd_interactive_authentication = -1;
+ options->challenge_response_authentication = -1;
+@@ -200,6 +201,8 @@ fill_default_server_options(ServerOption
+ options->gss_authentication = 0;
+ if (options->gss_cleanup_creds == -1)
+ options->gss_cleanup_creds = 1;
++ if (options->gss_strict_acceptor == -1)
++ options->gss_strict_acceptor = 0;
+ if (options->password_authentication == -1)
+ options->password_authentication = 1;
+ if (options->kbd_interactive_authentication == -1)
+@@ -277,7 +280,8 @@ typedef enum {
+ sBanner, sUseDNS, sHostbasedAuthentication,
+ sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
+ sClientAliveCountMax, sAuthorizedKeysFile,
+- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
++ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
++ sAcceptEnv, sPermitTunnel,
+ sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
+ sUsePrivilegeSeparation, sAllowAgentForwarding,
+ sZeroKnowledgePasswordAuthentication, sHostCertificate,
+@@ -327,9 +331,11 @@ static struct {
+ #ifdef GSSAPI
+ { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
+ { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
++ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
+ #else
+ { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
+ { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
++ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
+ #endif
+ { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
+ { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
+@@ -850,6 +856,10 @@ process_server_config_line(ServerOptions
+
+ case sGssCleanupCreds:
+ intptr = &options->gss_cleanup_creds;
++ goto parse_flag;
++
++ case sGssStrictAcceptor:
++ intptr = &options->gss_strict_acceptor;
+ goto parse_flag;
+
+ case sPasswordAuthentication:
+Index: servconf.h
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/servconf.h,v
+retrieving revision 1.89
+diff -u -p -r1.89 servconf.h
+--- servconf.h 9 Jan 2010 23:04:13 -0000 1.89
++++ servconf.h 11 Jan 2010 05:32:28 -0000
+@@ -92,6 +92,7 @@ typedef struct {
+ * authenticated with Kerberos. */
+ int gss_authentication; /* If true, permit GSSAPI authentication */
+ int gss_cleanup_creds; /* If true, destroy cred cache on logout */
++ int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
+ int password_authentication; /* If true, permit password
+ * authentication. */
+ int kbd_interactive_authentication; /* If true, permit */
+Index: sshd_config
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/sshd_config,v
+retrieving revision 1.81
+diff -u -p -r1.81 sshd_config
+--- sshd_config 8 Oct 2009 14:03:41 -0000 1.81
++++ sshd_config 11 Jan 2010 05:32:28 -0000
+@@ -69,6 +69,7 @@
+ # GSSAPI options
+ #GSSAPIAuthentication no
+ #GSSAPICleanupCredentials yes
++#GSSAPIStrictAcceptorCheck yes
+
+ # Set this to 'yes' to enable PAM authentication, account processing,
+ # and session processing. If this is enabled, PAM authentication will
+Index: sshd_config.5
+===================================================================
+RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
+retrieving revision 1.116
+diff -u -p -r1.116 sshd_config.5
+--- sshd_config.5 9 Jan 2010 23:04:13 -0000 1.116
++++ sshd_config.5 11 Jan 2010 05:37:20 -0000
+@@ -386,6 +386,21 @@ on logout.
+ The default is
+ .Dq yes .
+ Note that this option applies to protocol version 2 only.
++.It Cm GSSAPIStrictAcceptorCheck
++Determines whether to be strict about the identity of the GSSAPI acceptor
++a client authenticates against.
++If set to
++.Dq yes
++then the client must authenticate against the
++.Pa host
++service on the current hostname.
++If set to
++.Dq no
++then the client may authenticate against any service key stored in the
++machine's default store.
++This facility is provided to assist with operation on multi homed machines.
++The default is
++.Dq yes .
+ .It Cm HostbasedAuthentication
+ Specifies whether rhosts or /etc/hosts.equiv authentication together
+ with successful public key client host authentication is allowed
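Review bot: The default chosen in servconf.c, `options->gss_strict_acceptor = 0;` in fill_default_server_options, contradicts both the sshd_config.5 text and the commented sample line, which say the default is `yes`; a reader of the documentation would believe sshd only accepts the host principal for the current hostname, while the code actually takes the non-strict branch of ssh_gssapi_acquire_cred and accepts any acceptor key in the default store. Either change that line to `options->gss_strict_acceptor = 1;` so the relaxed multi-homed behaviour is opt-in, or correct the man page and the `#GSSAPIStrictAcceptorCheck yes` sample to `no`. Since the ebuild in this commit applies the patch unconditionally in src_prepare, whichever value is chosen is the effective default for every install, so the two must agree.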
diff --git a/net-misc/openssh/files/openssh-6.3_p1-x509-glue.patch b/net-misc/openssh/files/openssh-6.3_p1-x509-glue.patch
new file mode 100644
index 0000000..f70d44a
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.3_p1-x509-glue.patch
@@ -0,0 +1,16 @@
+make x509 apply after openssh-5.9_p1-sshd-gssapi-multihomed.patch
+
+--- openssh-6.3p1+x509-7.6.diff
++++ openssh-6.3p1+x509-7.6.diff
+@@ -14784,10 +14784,9 @@
+ .It Cm ChallengeResponseAuthentication
+ Specifies whether challenge-response authentication is allowed (e.g. via
+ PAM or though authentication styles supported in
+-@@ -490,6 +567,16 @@
++@@ -490,5 +567,15 @@
+ The default is
+ .Dq yes .
+- Note that this option applies to protocol version 2 only.
+ +.It Cm HostbasedAlgorithms
+ +Specifies the protocol version 2 algorithms used in
+ +.Dq hostbased
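Review bot: Nothing in this commit references openssh-6.3_p1-x509-glue.patch: the ebuild's src_prepare applies openssh-6.4_p1-x509-glue.patch, and this file targets the 6.3p1+x509-7.6 diff whereas the ebuild fetches x509 7.7. Unless another ebuild in the overlay consumes it, the file is dead and should be dropped; if it is kept on purpose, a first-line comment naming the consumer would stop the next reader from asking the same question.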
diff --git a/net-misc/openssh/files/openssh-6.3_p1-x509-hpn14v2-glue.patch b/net-misc/openssh/files/openssh-6.3_p1-x509-hpn14v2-glue.patch
new file mode 100644
index 0000000..c3647d5
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.3_p1-x509-hpn14v2-glue.patch
@@ -0,0 +1,51 @@
+--- openssh-6.3p1/Makefile.in
++++ openssh-6.3p1/Makefile.in
+@@ -45,7 +45,7 @@
+ CC=@CC@
+ LD=@LD@
+ CFLAGS=@CFLAGS@
+-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
++CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+ LIBS=@LIBS@
+ K5LIBS=@K5LIBS@
+ GSSLIBS=@GSSLIBS@
+@@ -53,6 +53,7 @@
+ SSHDLIBS=@SSHDLIBS@
+ LIBEDIT=@LIBEDIT@
+ LIBLDAP=@LDAP_LDFLAGS@ @LDAP_LIBS@
++CPPFLAGS+=@LDAP_CPPFLAGS@
+ AR=@AR@
+ AWK=@AWK@
+ RANLIB=@RANLIB@
+--- openssh-6.3p1/sshconnect.c
++++ openssh-6.3p1/sshconnect.c
+@@ -465,7 +465,7 @@
+ {
+ /* Send our own protocol version identification. */
+ if (compat20) {
+- xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX\r\n",
++ xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
+ } else {
+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
+--- openssh-6.3p1/sshd.c
++++ openssh-6.3p1/sshd.c
+@@ -472,8 +472,8 @@
+ comment = "";
+ }
+
+- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
+- major, minor, SSH_VERSION, comment,
++ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
++ major, minor, SSH_VERSION,
+ *options.version_addendum == '\0' ? "" : " ",
+ options.version_addendum, newline);
+
+--- openssh-6.3p1/version.h
++++ openssh-6.3p1/version.h
+@@ -3,4 +3,5 @@
+ #define SSH_VERSION "OpenSSH_6.3"
+
+ #define SSH_PORTABLE "p1"
++#define SSH_X509 " PKIX"
+ #define SSH_RELEASE SSH_VERSION SSH_PORTABLE
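Review bot: After the sshd.c hunk the `comment` variable is still assigned (`comment = "";` remains in the context lines) but is no longer consumed by the xasprintf format, so at that point it looks dead; if nothing later in the function reads it, the assignment and declaration should go too, otherwise a `-Wunused-but-set-variable` build will warn on every compile. The Makefile.in hunk moves `@LDAP_CPPFLAGS@` to a separate `CPPFLAGS+=` line, a GNU make extension that is fine on Gentoo, but the patch has no header explaining the intent (presumably to keep the X509 diff's own CPPFLAGS hunk applying cleanly) — a one-line comment above the first `---` would help. The function containing the sshd.c xasprintf starts outside the hunk.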
diff --git a/net-misc/openssh/files/openssh-6.4_p1-x509-glue.patch b/net-misc/openssh/files/openssh-6.4_p1-x509-glue.patch
new file mode 100644
index 0000000..6aed19b
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.4_p1-x509-glue.patch
@@ -0,0 +1,30 @@
+Make x509 apply after openssh-5.9_p1-sshd-gssapi-multihomed.patch and remove
+redundant README.x509v3 directory.
+
+--- openssh-6.4p1+x509-7.7.diff.orig 2013-11-09 14:51:13.400696545 -0800
++++ openssh-6.4p1+x509-7.7.diff 2013-11-09 14:51:05.798786189 -0800
+@@ -6809,9 +6809,9 @@
+
+ -$OpenBSD: README.dns,v 1.2 2003/10/14 19:43:23 jakob Exp $
+ +$OpenBSD$
+-diff -ruN openssh-6.4p1/README.x509v3/README.x509v3 openssh-6.4p1+x509-7.7/README.x509v3/README.x509v3
+---- openssh-6.4p1/README.x509v3/README.x509v3 1970-01-01 02:00:00.000000000 +0200
+-+++ openssh-6.4p1+x509-7.7/README.x509v3/README.x509v3 2013-05-17 18:50:02.156263192 +0300
++diff -ruN openssh-6.4p1/README.x509v3 openssh-6.4p1+x509-7.7/README.x509v3
++--- openssh-6.4p1/README.x509v3 1970-01-01 02:00:00.000000000 +0200
+++++ openssh-6.4p1+x509-7.7/README.x509v3 2013-05-17 18:50:02.156263192 +0300
+ @@ -0,0 +1,615 @@
+ + Roumen Petrov
+ + Sofia, Bulgaria
+@@ -14793,10 +14793,9 @@
+ .It Cm ChallengeResponseAuthentication
+ Specifies whether challenge-response authentication is allowed (e.g. via
+ PAM or though authentication styles supported in
+-@@ -490,6 +567,16 @@
++@@ -490,5 +567,15 @@
+ The default is
+ .Dq yes .
+- Note that this option applies to protocol version 2 only.
+ +.It Cm HostbasedAlgorithms
+ +Specifies the protocol version 2 algorithms used in
+ +.Dq hostbased
diff --git a/net-misc/openssh/files/sshd.confd b/net-misc/openssh/files/sshd.confd
new file mode 100644
index 0000000..28952b4
--- /dev/null
+++ b/net-misc/openssh/files/sshd.confd
@@ -0,0 +1,21 @@
+# /etc/conf.d/sshd: config file for /etc/init.d/sshd
+
+# Where is your sshd_config file stored?
+
+SSHD_CONFDIR="/etc/ssh"
+
+
+# Any random options you want to pass to sshd.
+# See the sshd(8) manpage for more info.
+
+SSHD_OPTS=""
+
+
+# Pid file to use (needs to be absolute path).
+
+#SSHD_PIDFILE="/var/run/sshd.pid"
+
+
+# Path to the sshd binary (needs to be absolute path).
+
+#SSHD_BINARY="/usr/sbin/sshd"
diff --git a/net-misc/openssh/files/sshd.pam_include.2 b/net-misc/openssh/files/sshd.pam_include.2
new file mode 100644
index 0000000..b801aaa
--- /dev/null
+++ b/net-misc/openssh/files/sshd.pam_include.2
@@ -0,0 +1,4 @@
+auth include system-remote-login
+account include system-remote-login
+password include system-remote-login
+session include system-remote-login
diff --git a/net-misc/openssh/files/sshd.rc6.4 b/net-misc/openssh/files/sshd.rc6.4
new file mode 100755
index 0000000..1b872bc
--- /dev/null
+++ b/net-misc/openssh/files/sshd.rc6.4
@@ -0,0 +1,87 @@
+#!/sbin/runscript
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/files/sshd.rc6.4,v 1.3 2013/04/24 03:13:03 vapier Exp $
+
+extra_commands="checkconfig"
+extra_started_commands="reload"
+
+SSHD_CONFDIR=${SSHD_CONFDIR:-/etc/ssh}
+SSHD_CONFIG=${SSHD_CONFIG:-${SSHD_CONFDIR}/sshd_config}
+SSHD_PIDFILE=${SSHD_PIDFILE:-/var/run/${SVCNAME}.pid}
+SSHD_BINARY=${SSHD_BINARY:-/usr/sbin/sshd}
+
+depend() {
+ use logger dns
+ if [ "${rc_need+set}" = "set" ]; then
+ : # Do nothing, the user has explicitly set rc_need
+ else
+ warn_addr=''
+ for x in $(awk '/^ListenAddress/{ print $2 }' "$SSHD_CONFIG" 2>/dev/null) ; do
+ case "$x" in
+ 0.0.0.0|0.0.0.0:*) ;;
+ ::|\[::\]*) ;;
+ *) warn_addr="${warn_addr} $x" ;;
+ esac
+ done
+ unset x
+ if [ "${warn_addr:+set}" = "set" ]; then
+ need net
+ ewarn "You are binding an interface in ListenAddress statement in your sshd_config!"
+ ewarn "You must add rc_need=\"net.FOO\" to your /etc/conf.d/sshd"
+ ewarn "where FOO is the interface(s) providing the following address(es):"
+ ewarn "${warn_addr}"
+ fi
+ unset warn_addr
+ fi
+}
+
+checkconfig() {
+ if [ ! -d /var/empty ] ; then
+ mkdir -p /var/empty || return 1
+ fi
+
+ if [ ! -e "${SSHD_CONFDIR}"/sshd_config ] ; then
+ eerror "You need an ${SSHD_CONFDIR}/sshd_config file to run sshd"
+ eerror "There is a sample file in /usr/share/doc/openssh"
+ return 1
+ fi
+
+ ssh-keygen -A || return 1
+
+ [ "${SSHD_PIDFILE}" != "/var/run/sshd.pid" ] \
+ && SSHD_OPTS="${SSHD_OPTS} -o PidFile=${SSHD_PIDFILE}"
+ [ "${SSHD_CONFDIR}" != "/etc/ssh" ] \
+ && SSHD_OPTS="${SSHD_OPTS} -f ${SSHD_CONFDIR}/sshd_config"
+
+ "${SSHD_BINARY}" -t ${SSHD_OPTS} || return 1
+}
+
+start() {
+ checkconfig || return 1
+
+ ebegin "Starting ${SVCNAME}"
+ start-stop-daemon --start --exec "${SSHD_BINARY}" \
+ --pidfile "${SSHD_PIDFILE}" \
+ -- ${SSHD_OPTS}
+ eend $?
+}
+
+stop() {
+ if [ "${RC_CMD}" = "restart" ] ; then
+ checkconfig || return 1
+ fi
+
+ ebegin "Stopping ${SVCNAME}"
+ start-stop-daemon --stop --exec "${SSHD_BINARY}" \
+ --pidfile "${SSHD_PIDFILE}" --quiet
+ eend $?
+}
+
+reload() {
+ checkconfig || return 1
+ ebegin "Reloading ${SVCNAME}"
+ start-stop-daemon --signal HUP \
+ --exec "${SSHD_BINARY}" --pidfile "${SSHD_PIDFILE}"
+ eend $?
+}
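Review bot: `SSHD_CONFIG` (defaulting to `${SSHD_CONFDIR}/sshd_config`) is honoured only by depend()'s ListenAddress scan; checkconfig tests `"${SSHD_CONFDIR}"/sshd_config` and passes `-f ${SSHD_CONFDIR}/sshd_config`, so a user who points SSHD_CONFIG at another file has its addresses used for rc_need while sshd is validated and started against a different config. Use the single variable throughout: `if [ ! -e "${SSHD_CONFIG}" ] ; then` and `[ "${SSHD_CONFIG}" != "/etc/ssh/sshd_config" ] && SSHD_OPTS="${SSHD_OPTS} -f ${SSHD_CONFIG}"`. Also, `mkdir -p /var/empty` inherits the caller's umask, and sshd refuses to start when the privilege-separation directory is group- or world-writable, so following it with `chmod 0755 /var/empty` (or using `install -d -m 0755 /var/empty`) avoids a confusing startup failure under a permissive umask.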
diff --git a/net-misc/openssh/files/sshd.service b/net-misc/openssh/files/sshd.service
new file mode 100644
index 0000000..b5e96b3
--- /dev/null
+++ b/net-misc/openssh/files/sshd.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=OpenSSH server daemon
+After=syslog.target network.target auditd.service
+
+[Service]
+ExecStartPre=/usr/bin/ssh-keygen -A
+ExecStart=/usr/sbin/sshd -D -e
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
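Review bot: The unit sets no `KillMode=process`, so under the default control-group kill mode a `stop` or `restart` of sshd.service terminates every forked session process along with the listener, which is rarely what an administrator restarting the daemon over an existing ssh session wants; add `KillMode=process` (and consider `Restart=on-failure`) under [Service]. `After=syslog.target` is a legacy target and can be dropped — with `-e` sshd logs to stderr, which the journal captures without any syslog ordering.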
diff --git a/net-misc/openssh/files/sshd.socket b/net-misc/openssh/files/sshd.socket
new file mode 100644
index 0000000..94b9533
--- /dev/null
+++ b/net-misc/openssh/files/sshd.socket
@@ -0,0 +1,10 @@
+[Unit]
+Description=OpenSSH Server Socket
+Conflicts=sshd.service
+
+[Socket]
+ListenStream=22
+Accept=yes
+
+[Install]
+WantedBy=sockets.target
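Review bot: With `Accept=yes` every connection spawns its own `sshd -i` instance via sshd_at.service, so sshd's `MaxStartups` throttling of unauthenticated connections, which belongs to the listening daemon, no longer bounds how many processes a connection flood can start; the only cap is the socket unit's `MaxConnections=` (per the systemd.socket manual the default is 64 — confirm for the targeted systemd version). Set `MaxConnections=` explicitly under [Socket] and add a comment noting that the per-connection mode trades MaxStartups for this limit.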
diff --git a/net-misc/openssh/files/sshd_at.service b/net-misc/openssh/files/sshd_at.service
new file mode 100644
index 0000000..2645ad0
--- /dev/null
+++ b/net-misc/openssh/files/sshd_at.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=OpenSSH per-connection server daemon
+After=syslog.target auditd.service
+
+[Service]
+ExecStart=-/usr/sbin/sshd -i -e
+StandardInput=socket
+StandardError=syslog
diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml
new file mode 100644
index 0000000..5765fa2
--- /dev/null
+++ b/net-misc/openssh/metadata.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <herd>base-system</herd>
+ <maintainer restrict="net-misc/openssh[ldap]">
+ <email>robbat2@gentoo.org</email>
+ <description>LPK issues. Only assign if it's a direct LPK issue. Do not directly assign for anything else.</description>
+ </maintainer>
+ <longdescription>
+OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools that
+increasing numbers of people on the Internet are coming to rely on. Many users of telnet,
+rlogin, ftp, and other such programs might not realize that their password is transmitted
+across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords)
+to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks.
+Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety
+of authentication methods.
+
+The OpenSSH suite includes the ssh program which replaces rlogin and telnet, scp which
+replaces rcp, and sftp which replaces ftp. Also included is sshd which is the server side of
+the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keysign, ssh-keyscan,
+ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and 2.0.
+</longdescription>
+ <use>
+ <flag name="bindist">Disable EC/RC5 algorithms in OpenSSL for patent reasons.</flag>
+ <flag name="hpn">Enable high performance ssh</flag>
+ <flag name="ldap">Add support for storing SSH public keys in LDAP</flag>
+ <flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>
+ <flag name="X509">Adds support for X.509 certificate authentication</flag>
+ </use>
+ <upstream>
+ <remote-id type="cpe">cpe:/a:openssh:openssh</remote-id>
+ </upstream>
+</pkgmetadata>
diff --git a/net-misc/openssh/openssh-6.4_p1-r99.ebuild b/net-misc/openssh/openssh-6.4_p1-r99.ebuild
new file mode 100644
index 0000000..a2467d1
--- /dev/null
+++ b/net-misc/openssh/openssh-6.4_p1-r99.ebuild
@@ -0,0 +1,307 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-6.4_p1-r1.ebuild,v 1.6 2014/01/02 12:06:49 polynomial-c Exp $
+
+EAPI="4"
+inherit eutils user flag-o-matic multilib autotools pam systemd versionator
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+
+HPN_PATCH="${PN}-6.3p1-hpnssh14v2.diff.gz"
+LDAP_PATCH="${PN}-lpk-6.3p1-0.3.14.patch.gz"
+X509_VER="7.7" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.org/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+ ${HPN_PATCH:+hpn? ( mirror://gentoo/${HPN_PATCH} )}
+ ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
+ ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+ "
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="~alpha amd64 arm hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
+IUSE="bindist ${HPN_PATCH:++}hpn kerberos ldap ldns libedit pam selinux skey static tcpd X X509"
+
+LIB_DEPEND="selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+ skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
+ libedit? ( dev-libs/libedit[static-libs(+)] )
+ >=dev-libs/openssl-0.9.6d:0[bindist=]
+ dev-libs/openssl[static-libs(+)]
+ >=sys-libs/zlib-1.2.3[static-libs(+)]
+ tcpd? ( >=sys-apps/tcp-wrappers-7.6[static-libs(+)] )"
+RDEPEND="
+ !static? (
+ ${LIB_DEPEND//\[static-libs(+)]}
+ ldns? (
+ !bindist? ( net-libs/ldns[ecdsa,ssl] )
+ bindist? ( net-libs/ldns[-ecdsa,ssl] )
+ )
+ )
+ pam? ( virtual/pam )
+ kerberos? ( virtual/krb5 )
+ ldap? ( net-nds/openldap )"
+DEPEND="${RDEPEND}
+ static? (
+ ${LIB_DEPEND}
+ ldns? (
+ !bindist? ( net-libs/ldns[ecdsa,ssl,static-libs(+)] )
+ bindist? ( net-libs/ldns[-ecdsa,ssl,static-libs(+)] )
+ )
+ )
+ virtual/pkgconfig
+ virtual/os-headers
+ sys-devel/autoconf"
+RDEPEND="${RDEPEND}
+ pam? ( >=sys-auth/pambase-20081028 )
+ userland_GNU? ( virtual/shadow )
+ X? ( x11-apps/xauth )"
+
+S=${WORKDIR}/${PARCH}
+
+pkg_setup() {
+ # this sucks, but i'd rather have people unable to `emerge -u openssh`
+ # than not be able to log in to their server any more
+ maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
+ local fail="
+ $(use X509 && maybe_fail X509 X509_PATCH)
+ $(use ldap && maybe_fail ldap LDAP_PATCH)
+ $(use hpn && maybe_fail hpn HPN_PATCH)
+ "
+ fail=$(echo ${fail})
+ if [[ -n ${fail} ]] ; then
+ eerror "Sorry, but this version does not yet support features"
+ eerror "that you requested: ${fail}"
+ eerror "Please mask ${PF} for now and check back later:"
+ eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+ die "booooo"
+ fi
+}
+
+save_version() {
+ # version.h patch conflict avoidence
+ mv version.h version.h.$1
+ cp -f version.h.pristine version.h
+}
+
+src_prepare() {
+ sed -i \
+ -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
+ pathnames.h || die
+ # keep this as we need it to avoid the conflict between LPK and HPN changing
+ # this file.
+ cp version.h version.h.pristine
+
+ # don't break .ssh/authorized_keys2 for fun
+ sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+ epatch "${FILESDIR}"/${PN}-5.9_p1-sshd-gssapi-multihomed.patch #378361
+ if use X509 ; then
+ pushd .. >/dev/null
+ epatch "${FILESDIR}"/${PN}-6.4_p1-x509-glue.patch
+ popd >/dev/null
+ epatch "${WORKDIR}"/${X509_PATCH%.*}
+ epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch
+ save_version X509
+ fi
+ if ! use X509 ; then
+ if [[ -n ${LDAP_PATCH} ]] && use ldap ; then
+ epatch "${WORKDIR}"/${LDAP_PATCH%.*}
+ save_version LPK
+ fi
+ else
+ use ldap && ewarn "Sorry, X509 and LDAP conflict internally, disabling LDAP"
+ fi
+ epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+ if [[ -n ${HPN_PATCH} ]] && use hpn; then
+ epatch "${WORKDIR}"/${HPN_PATCH%.*}
+ save_version HPN
+ fi
+
+ tc-export PKG_CONFIG
+ local sed_args=(
+ -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+ # Disable PATH reset, trust what portage gives us #254615
+ -e 's:^PATH=/:#PATH=/:'
+ # Disable fortify flags ... our gcc does this for us
+ -e 's:-D_FORTIFY_SOURCE=2::'
+ )
+ sed -i "${sed_args[@]}" configure{,.ac} || die
+
+ epatch_user #473004
+
+ # Now we can build a sane merged version.h
+ (
+ sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
+ macros=()
+ for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
+ printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
+ ) > version.h
+
+ eautoreconf
+}
+
+static_use_with() {
+ local flag=$1
+ if use static && use ${flag} ; then
+ ewarn "Disabling '${flag}' support because of USE='static'"
+ # rebuild args so that we invert the first one (USE flag)
+ # but otherwise leave everything else working so we can
+ # just leverage use_with
+ shift
+ [[ -z $1 ]] && flag="${flag} ${flag}"
+ set -- !${flag} "$@"
+ fi
+ use_with "$@"
+}
+
+src_configure() {
+ local myconf
+ addwrite /dev/ptmx
+ addpredict /etc/skey/skeykeys #skey configure code triggers this
+
+ use static && append-ldflags -static
+
+ # Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011)
+ if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then
+ myconf="${myconf} --disable-utmp --disable-wtmp --disable-wtmpx"
+ append-ldflags -lutil
+ fi
+
+ econf \
+ --with-ldflags="${LDFLAGS}" \
+ --disable-strip \
+ --with-pid-dir="${EPREFIX}"/var/run \
+ --sysconfdir="${EPREFIX}"/etc/ssh \
+ --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc \
+ --datadir="${EPREFIX}"/usr/share/openssh \
+ --with-privsep-path="${EPREFIX}"/var/empty \
+ --with-privsep-user=sshd \
+ --with-md5-passwords \
+ --with-ssl-engine \
+ $(static_use_with pam) \
+ $(static_use_with kerberos kerberos5 /usr) \
+ ${LDAP_PATCH:+$(use X509 || ( use ldap && use_with ldap ))} \
+ $(use_with ldns) \
+ $(use_with libedit) \
+ $(use_with selinux) \
+ $(use_with skey) \
+ $(use_with tcpd tcp-wrappers) \
+ ${myconf}
+}
+
+src_install() {
+ emake install-nokeys DESTDIR="${D}"
+ fperms 600 /etc/ssh/sshd_config
+ dobin contrib/ssh-copy-id
+ newinitd "${FILESDIR}"/sshd.rc6.4 sshd
+ newconfd "${FILESDIR}"/sshd.confd sshd
+ keepdir /var/empty
+
+ # not all openssl installs support ecc, or are functional #352645
+ if ! grep -q '#define OPENSSL_HAS_ECC 1' config.h ; then
+ elog "dev-libs/openssl was built with 'bindist' - disabling ecdsa support"
+ sed -i 's:&& gen_key ecdsa::' "${ED}"/etc/init.d/sshd || die
+ fi
+
+ newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+ if use pam ; then
+ sed -i \
+ -e "/^#UsePAM /s:.*:UsePAM yes:" \
+ -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+ -e "/^#PrintMotd /s:.*:PrintMotd no:" \
+ -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+ "${ED}"/etc/ssh/sshd_config || die "sed of configuration file failed"
+ fi
+
+ # Gentoo tweaks to default config files
+ cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+
+ # Allow client to pass locale environment variables #367017
+ AcceptEnv LANG LC_*
+ EOF
+ cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
+
+ # Send locale environment variables #367017
+ SendEnv LANG LC_*
+ EOF
+
+ # This instruction is from the HPN webpage,
+ # Used for the server logging functionality
+ if [[ -n ${HPN_PATCH} ]] && use hpn ; then
+ keepdir /var/empty/dev
+ fi
+
+ if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
+ insinto /etc/openldap/schema/
+ newins openssh-lpk_openldap.schema openssh-lpk.schema
+ fi
+
+ doman contrib/ssh-copy-id.1
+ dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
+
+ diropts -m 0700
+ dodir /etc/skel/.ssh
+
+ systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+ systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+}
+
+src_test() {
+ local t tests skipped failed passed shell
+ tests="interop-tests compat-tests"
+ skipped=""
+ shell=$(egetshell ${UID})
+ if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+ elog "Running the full OpenSSH testsuite"
+ elog "requires a usable shell for the 'portage'"
+ elog "user, so we will run a subset only."
+ skipped="${skipped} tests"
+ else
+ tests="${tests} tests"
+ fi
+ # It will also attempt to write to the homedir .ssh
+ local sshhome=${T}/homedir
+ mkdir -p "${sshhome}"/.ssh
+ for t in ${tests} ; do
+ # Some tests read from stdin ...
+ HOMEDIR="${sshhome}" \
+ emake -k -j1 ${t} </dev/null \
+ && passed="${passed}${t} " \
+ || failed="${failed}${t} "
+ done
+ einfo "Passed tests: ${passed}"
+ ewarn "Skipped tests: ${skipped}"
+ if [[ -n ${failed} ]] ; then
+ ewarn "Failed tests: ${failed}"
+ die "Some tests failed: ${failed}"
+ else
+ einfo "Failed tests: ${failed}"
+ return 0
+ fi
+}
+
+pkg_preinst() {
+ enewgroup sshd 22
+ enewuser sshd 22 -1 /var/empty sshd
+}
+
+pkg_postinst() {
+ if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
+ elog "Starting with openssh-5.8p1, the server will default to a newer key"
+ elog "algorithm (ECDSA). You are encouraged to manually update your stored"
+ elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
+ fi
+ ewarn "Remember to merge your config files in /etc/ssh/ and then"
+ ewarn "reload sshd: '/etc/init.d/sshd reload'."
+ # This instruction is from the HPN webpage,
+ # Used for the server logging functionality
+ if [[ -n ${HPN_PATCH} ]] && use hpn ; then
+ echo
+ einfo "For the HPN server logging patch, you must ensure that"
+ einfo "your syslog application also listens at /var/empty/dev/log."
+ fi
+}
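Review bot: In src_prepare the merged version.h is written with `printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"`, and in bash `"${macros}"` expands only element 0 of the array, so when more than one of HPN/LPK/X509 is applied only the first macro (SSH_HPN) lands in SSH_RELEASE and the X509 `" PKIX"` marker that the glue patch moved into SSH_X509 is silently lost; use `"${macros[*]}"`. In src_install, `sed -i 's:&& gen_key ecdsa::' "${ED}"/etc/init.d/sshd` is a no-op against the sshd.rc6.4 added in this commit, which generates host keys with `ssh-keygen -A` and contains no `gen_key` call, so the "disabling ecdsa support" elog promises something the code does not do — either drop the sed or make the branch do what the message says.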
* [gentoo-commits] proj/hardened-dev:musl commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2014-01-22 23:00 Anthony G. Basile
From: Anthony G. Basile @ 2014-01-22 23:00 UTC (permalink / raw
To: gentoo-commits
commit: 18bbfa3f87143fe74e3812a8ed85f210e1563530
Author: layman <layman <AT> localhost>
AuthorDate: Wed Jan 22 18:02:12 2014 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Wed Jan 22 23:00:06 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=18bbfa3f
net-misc/openssh: fix exit(0) and header assumptions
---
.../openssh/files/openssh-6.3_p1-x509-glue.patch | 16 -
.../openssh/files/openssh-6.4p1-avoid-exit.patch | 499 +++++++++++++++++++++
.../openssh-6.4p1-fix-typo-construct_utmpx.patch | 21 +
.../files/openssh-6.4p1-missing-sys_param_h.patch | 67 +++
net-misc/openssh/openssh-6.4_p1-r99.ebuild | 4 +
5 files changed, 591 insertions(+), 16 deletions(-)
diff --git a/net-misc/openssh/files/openssh-6.3_p1-x509-glue.patch b/net-misc/openssh/files/openssh-6.3_p1-x509-glue.patch
deleted file mode 100644
index f70d44a..0000000
--- a/net-misc/openssh/files/openssh-6.3_p1-x509-glue.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-make x509 apply after openssh-5.9_p1-sshd-gssapi-multihomed.patch
-
---- openssh-6.3p1+x509-7.6.diff
-+++ openssh-6.3p1+x509-7.6.diff
-@@ -14784,10 +14784,9 @@
- .It Cm ChallengeResponseAuthentication
- Specifies whether challenge-response authentication is allowed (e.g. via
- PAM or though authentication styles supported in
--@@ -490,6 +567,16 @@
-+@@ -490,5 +567,15 @@
- The default is
- .Dq yes .
-- Note that this option applies to protocol version 2 only.
- +.It Cm HostbasedAlgorithms
- +Specifies the protocol version 2 algorithms used in
- +.Dq hostbased
diff --git a/net-misc/openssh/files/openssh-6.4p1-avoid-exit.patch b/net-misc/openssh/files/openssh-6.4p1-avoid-exit.patch
new file mode 100644
index 0000000..4c02aeb
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.4p1-avoid-exit.patch
@@ -0,0 +1,499 @@
+diff -Nuar openssh-6.4p1.orig/configure.ac openssh-6.4p1/configure.ac
+--- openssh-6.4p1.orig/configure.ac 2014-01-22 17:05:13.463582250 +0000
++++ openssh-6.4p1/configure.ac 2014-01-22 17:13:08.102608790 +0000
+@@ -223,7 +223,7 @@
+ [AC_LANG_PROGRAM([[
+ #include <stdlib.h>
+ __attribute__((__unused__)) static void foo(void){return;}]],
+- [[ exit(0); ]])],
++ [[ return 0; ]])],
+ [ AC_MSG_RESULT([yes]) ],
+ [ AC_MSG_RESULT([no])
+ AC_DEFINE(NO_ATTRIBUTE_ON_RETURN_TYPE, 1,
+@@ -410,7 +410,7 @@
+ [AC_LANG_PROGRAM([[
+ #define testmacro foo
+ #define testmacro bar]],
+- [[ exit(0); ]])],
++ [[ return 0; ]])],
+ [ AC_MSG_RESULT([yes]) ],
+ [ AC_MSG_RESULT([no])
+ CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`"
+@@ -526,9 +526,9 @@
+ AC_MSG_CHECKING([if we have working getaddrinfo])
+ AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include <mach-o/dyld.h>
+ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
+- exit(0);
++ return 0;
+ else
+- exit(1);
++ return 1;
+ }
+ ]])],
+ [AC_MSG_RESULT([working])],
+@@ -1016,7 +1016,7 @@
+ esac
+
+ AC_MSG_CHECKING([compiler and flags for sanity])
+-AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]], [[ exit(0); ]])],
++AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]], [[ return 0; ]])],
+ [ AC_MSG_RESULT([yes]) ],
+ [
+ AC_MSG_RESULT([no])
+@@ -1048,9 +1048,9 @@
+ strncpy(buf,"/etc", 32);
+ s = dirname(buf);
+ if (!s || strncmp(s, "/", 32) != 0) {
+- exit(1);
++ return 1;
+ } else {
+- exit(0);
++ return 0;
+ }
+ }
+ ]])],
+@@ -1140,19 +1140,19 @@
+ int a=0, b=0, c=0, d=0, n, v;
+ n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
+ if (n != 3 && n != 4)
+- exit(1);
++ return 1;
+ v = a*1000000 + b*10000 + c*100 + d;
+ fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);
+
+ /* 1.1.4 is OK */
+ if (a == 1 && b == 1 && c >= 4)
+- exit(0);
++ return 0;
+
+ /* 1.2.3 and up are OK */
+ if (v >= 1020300)
+- exit(0);
++ return 0;
+
+- exit(2);
++ return 2;
+ ]])],
+ AC_MSG_RESULT([no]),
+ [ AC_MSG_RESULT([yes])
+@@ -1254,7 +1254,7 @@
+ #include <dirent.h>]],
+ [[
+ struct dirent d;
+- exit(sizeof(d.d_name)<=sizeof(char));
++ return (sizeof(d.d_name)<=sizeof(char));
+ ]])],
+ [AC_MSG_RESULT([yes])],
+ [
+@@ -1300,7 +1300,7 @@
+ #include <skey.h>
+ ]], [[
+ char *ff = skey_keyinfo(""); ff="";
+- exit(0);
++ return 0;
+ ]])],
+ [AC_MSG_RESULT([yes])],
+ [
+@@ -1405,7 +1405,7 @@
+ #include <stdlib.h>
+ #include <stdint.h>
+ #include <ldns/ldns.h>
+-int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); }
++int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; return 0; }
+ ]])
+ ],
+ [AC_MSG_RESULT(yes)],
+@@ -1462,7 +1462,7 @@
+ [[
+ int i = H_SETSIZE;
+ el_init("", NULL, NULL, NULL);
+- exit(0);
++ return 0;
+ ]])],
+ [ AC_MSG_RESULT([yes]) ],
+ [ AC_MSG_RESULT([no])
+@@ -1757,9 +1757,9 @@
+ errno=0;
+ setresuid(0,0,0);
+ if (errno==ENOSYS)
+- exit(1);
++ return 1;
+ else
+- exit(0);
++ return 0;
+ ]])],
+ [AC_MSG_RESULT([yes])],
+ [AC_DEFINE([BROKEN_SETRESUID], [1],
+@@ -1780,9 +1780,9 @@
+ errno=0;
+ setresgid(0,0,0);
+ if (errno==ENOSYS)
+- exit(1);
++ return 1;
+ else
+- exit(0);
++ return 0;
+ ]])],
+ [AC_MSG_RESULT([yes])],
+ [AC_DEFINE([BROKEN_SETRESGID], [1],
+@@ -1824,7 +1824,7 @@
+ [[
+ char b[5];
+ snprintf(b,5,"123456789");
+- exit(b[4]!='\0');
++ return (b[4]!='\0');
+ ]])],
+ [AC_MSG_RESULT([yes])],
+ [
+@@ -1857,7 +1857,7 @@
+ }
+ ]], [[
+ char x[1];
+- exit(x_snprintf(x, 1, "%s %d", "hello", 12345) == 11 ? 0 : 1);
++ return (x_snprintf(x, 1, "%s %d", "hello", 12345) == 11 ? 0 : 1);
+ ]])],
+ [AC_MSG_RESULT([yes])],
+ [
+@@ -1909,9 +1909,9 @@
+ ]], [[
+ char template[]="conftest.mkstemp-test";
+ if (mkstemp(template) == -1)
+- exit(1);
++ return 1;
+ unlink(template);
+- exit(0);
++ return 0;
+ ]])],
+ [
+ AC_MSG_RESULT([no])
+@@ -1942,22 +1942,22 @@
+
+ pid = fork();
+ if (pid < 0) { /* failed */
+- exit(1);
++ return 1;
+ } else if (pid > 0) { /* parent */
+ waitpid(pid, &status, 0);
+ if (WIFEXITED(status))
+- exit(WEXITSTATUS(status));
++ return (WEXITSTATUS(status));
+ else
+- exit(2);
++ return 2;
+ } else { /* child */
+ close(0); close(1); close(2);
+ setsid();
+ openpty(&ptyfd, &ttyfd, NULL, NULL, NULL);
+ fd = open("/dev/tty", O_RDWR | O_NOCTTY);
+ if (fd >= 0)
+- exit(3); /* Acquired ctty: broken */
++ return 3; /* Acquired ctty: broken */
+ else
+- exit(0); /* Did not acquire ctty: OK */
++ return 0; /* Did not acquire ctty: OK */
+ }
+ ]])],
+ [
+@@ -1998,7 +1998,7 @@
+ err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
+ if (err != 0) {
+ fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
+- exit(1);
++ return 1;
+ }
+
+ for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
+@@ -2015,7 +2015,7 @@
+ else
+ fprintf(stderr, "getnameinfo failed: %s\n",
+ gai_strerror(err));
+- exit(2);
++ return 2;
+ }
+
+ sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
+@@ -2023,10 +2023,10 @@
+ perror("socket");
+ if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
+ if (errno == EBADF)
+- exit(3);
++ return 3;
+ }
+ }
+- exit(0);
++ return 0;
+ ]])],
+ [
+ AC_MSG_RESULT([yes])
+@@ -2066,7 +2066,7 @@
+ err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
+ if (err != 0) {
+ fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
+- exit(1);
++ return 1;
+ }
+
+ for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
+@@ -2079,10 +2079,10 @@
+
+ if (ai->ai_family == AF_INET && err != 0) {
+ perror("getnameinfo");
+- exit(2);
++ return 2;
+ }
+ }
+- exit(0);
++ return 0;
+ ]])],
+ [
+ AC_MSG_RESULT([yes])
+@@ -2103,7 +2103,7 @@
+ if test "x$check_for_conflicting_getspnam" = "x1"; then
+ AC_MSG_CHECKING([for conflicting getspnam in shadow.h])
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <shadow.h> ]],
+- [[ exit(0); ]])],
++ [[ return 0; ]])],
+ [
+ AC_MSG_RESULT([no])
+ ],
+@@ -2191,12 +2191,12 @@
+
+ fd = fopen(DATA,"w");
+ if(fd == NULL)
+- exit(1);
++ return 1;
+
+ if ((rc = fprintf(fd ,"%x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0)
+- exit(1);
++ return 1;
+
+- exit(0);
++ return 0;
+ ]])],
+ [
+ ssl_header_ver=`cat conftest.sslincver`
+@@ -2226,12 +2226,12 @@
+
+ fd = fopen(DATA,"w");
+ if(fd == NULL)
+- exit(1);
++ return 1;
+
+ if ((rc = fprintf(fd ,"%x (%s)\n", SSLeay(), SSLeay_version(SSLEAY_VERSION))) <0)
+- exit(1);
++ return 1;
+
+- exit(0);
++ return 0;
+ ]])],
+ [
+ ssl_library_ver=`cat conftest.ssllibver`
+@@ -2261,7 +2261,7 @@
+ #include <string.h>
+ #include <openssl/opensslv.h>
+ ]], [[
+- exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1);
++ return (SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1);
+ ]])],
+ [
+ AC_MSG_RESULT([yes])
+@@ -2339,7 +2339,7 @@
+ #include <string.h>
+ #include <openssl/evp.h>
+ ]], [[
+- exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);
++ return (EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);
+ ]])],
+ [
+ AC_MSG_RESULT([no])
+@@ -2358,7 +2358,7 @@
+ #include <string.h>
+ #include <openssl/evp.h>
+ ]], [[
+- exit(EVP_aes_128_ctr() == NULL ||
++ return (EVP_aes_128_ctr() == NULL ||
+ EVP_aes_192_cbc() == NULL ||
+ EVP_aes_256_cbc() == NULL);
+ ]])],
+@@ -2379,7 +2379,7 @@
+ #include <string.h>
+ #include <openssl/evp.h>
+ ]], [[
+- exit(EVP_aes_128_gcm() == NULL ||
++ return (EVP_aes_128_gcm() == NULL ||
+ EVP_aes_256_gcm() == NULL ||
+ EVP_CTRL_GCM_SET_IV_FIXED == 0 ||
+ EVP_CTRL_GCM_IV_GEN == 0 ||
+@@ -2410,7 +2410,7 @@
+ #include <openssl/evp.h>
+ ]], [[
+ if(EVP_DigestUpdate(NULL, NULL,0))
+- exit(0);
++ return 0;
+ ]])],
+ [
+ AC_MSG_RESULT([yes])
+@@ -2505,7 +2505,7 @@
+ #include <string.h>
+ #include <openssl/rand.h>
+ ]], [[
+- exit(RAND_status() == 1 ? 0 : 1);
++ return (RAND_status() == 1 ? 0 : 1);
+ ]])],
+ [
+ OPENSSL_SEEDS_ITSELF=yes
+@@ -2702,7 +2702,7 @@
+ [[ int i = $seccomp_audit_arch;
+ errno = 0;
+ prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
+- exit(errno == EFAULT ? 0 : 1); ]])],
++ return (errno == EFAULT ? 0 : 1); ]])],
+ [ AC_MSG_RESULT([yes]) ], [
+ AC_MSG_RESULT([no])
+ # Disable seccomp filter as a target
+@@ -2756,7 +2756,7 @@
+ tv.tv_sec = 1;
+ tv.tv_usec = 0;
+ r = select(fd+1, &fds, NULL, NULL, &tv);
+- exit (r == -1 ? 1 : 0);
++ return (r == -1 ? 1 : 0);
+ ]])],
+ [AC_MSG_RESULT([yes])
+ select_works_with_rlimit=yes],
+@@ -2782,7 +2782,7 @@
+
+ rl_zero.rlim_cur = rl_zero.rlim_max = 0;
+ r = setrlimit(RLIMIT_NOFILE, &rl_zero);
+- exit (r == -1 ? 1 : 0);
++ return (r == -1 ? 1 : 0);
+ ]])],
+ [AC_MSG_RESULT([yes])
+ rlimit_nofile_zero_works=yes],
+@@ -2801,7 +2801,7 @@
+ struct rlimit rl_zero;
+
+ rl_zero.rlim_cur = rl_zero.rlim_max = 0;
+- exit(setrlimit(RLIMIT_FSIZE, &rl_zero) != 0);
++ return (setrlimit(RLIMIT_FSIZE, &rl_zero) != 0);
+ ]])],
+ [AC_MSG_RESULT([yes])],
+ [AC_MSG_RESULT([no])
+@@ -2925,7 +2925,7 @@
+ long long i, llmin, llmax = 0;
+
+ if((f = fopen(DATA,"w")) == NULL)
+- exit(1);
++ return 1;
+
+ #if defined(LLONG_MIN) && defined(LLONG_MAX)
+ fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
+@@ -2944,16 +2944,16 @@
+ || llmax - 1 > llmax || llmin == llmax || llmin == 0
+ || llmax == 0 || llmax < LONG_MAX || llmin > LONG_MIN) {
+ fprintf(f, "unknown unknown\n");
+- exit(2);
++ return 2;
+ }
+
+ if (fprint_ll(f, llmin) < 0)
+- exit(3);
++ return 3;
+ if (fprint_ll(f, llmax) < 0)
+- exit(4);
++ return 4;
+ if (fclose(f) < 0)
+- exit(5);
+- exit(0);
++ return 5;
++ return 0;
+ ]])],
+ [
+ llong_min=`$AWK '{print $1}' conftest.llminmax`
+@@ -3337,11 +3337,11 @@
+ strcpy(expected_out, "9223372036854775807");
+ snprintf(buf, mazsize, "%lld", num);
+ if(strcmp(buf, expected_out) != 0)
+- exit(1);
+- exit(0);
++ return 1;
++ return 0;
+ }
+ #else
+-main() { exit(0); }
++main() { return 0; }
+ #endif
+ ]])], [ true ], [ AC_DEFINE([BROKEN_SNPRINTF]) ],
+ AC_MSG_WARN([cross compiling: Assuming working snprintf()])
+@@ -3425,11 +3425,11 @@
+ ]], [[
+ #ifdef msg_accrights
+ #error "msg_accrights is a macro"
+-exit(1);
++return 1;
+ #endif
+ struct msghdr m;
+ m.msg_accrights = 0;
+-exit(0);
++return 0;
+ ]])],
+ [ ac_cv_have_accrights_in_msghdr="yes" ],
+ [ ac_cv_have_accrights_in_msghdr="no" ]
+@@ -3486,11 +3486,11 @@
+ ]], [[
+ #ifdef msg_control
+ #error "msg_control is a macro"
+-exit(1);
++return 1;
+ #endif
+ struct msghdr m;
+ m.msg_control = 0;
+-exit(0);
++return 0;
+ ]])],
+ [ ac_cv_have_control_in_msghdr="yes" ],
+ [ ac_cv_have_control_in_msghdr="no" ]
+@@ -3912,22 +3912,22 @@
+
+ fd = fopen(DATA,"w");
+ if(fd == NULL)
+- exit(1);
++ return 1;
+
+ #if defined (_PATH_MAILDIR)
+ if ((rc = fprintf(fd ,"_PATH_MAILDIR:%s\n", _PATH_MAILDIR)) <0)
+- exit(1);
++ return 1;
+ #elif defined (MAILDIR)
+ if ((rc = fprintf(fd ,"MAILDIR:%s\n", MAILDIR)) <0)
+- exit(1);
++ return 1;
+ #elif defined (_PATH_MAIL)
+ if ((rc = fprintf(fd ,"_PATH_MAIL:%s\n", _PATH_MAIL)) <0)
+- exit(1);
++ return 1;
+ #else
+- exit (2);
++ return 2;
+ #endif
+
+- exit(0);
++ return 0;
+ ]])],
+ [
+ maildir_what=`awk -F: '{print $1}' conftest.maildir`
+@@ -4162,12 +4162,12 @@
+
+ fd = fopen(DATA,"w");
+ if(fd == NULL)
+- exit(1);
++ return 1;
+
+ if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0)
+- exit(1);
++ return 1;
+
+- exit(0);
++ return 0;
+ ]])],
+ [ user_path=`cat conftest.stdpath` ],
+ [ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ],
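Review bot: The patch file carries no header saying why every `exit(N)` in the configure probes becomes `return N`, unlike the other files in FILESDIR which open with a bug URL and a one-line rationale; presumably the motivation is that AC_LANG_PROGRAM bodies do not include <stdlib.h>, so `exit(0)` is an implicit declaration that a strict toolchain such as musl rejects — confirm and record it, e.g. `configure probes call exit() without <stdlib.h>; return from main instead so a probe does not fail for the wrong reason and silently turn a feature (seccomp, getaddrinfo, snprintf...) off.` That last clause is the security-relevant part: a probe that fails to compile flips its AC_DEFINE the wrong way rather than erroring out. Also the two K&R-style `main() {` definitions with implicit int (the snprintf probe near the end and the Darwin getaddrinfo one) are left as they were; `int main(void) {` would remove the same class of pre-C99 assumption this patch is fixing.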
diff --git a/net-misc/openssh/files/openssh-6.4p1-fix-typo-construct_utmpx.patch b/net-misc/openssh/files/openssh-6.4p1-fix-typo-construct_utmpx.patch
new file mode 100644
index 0000000..a3361ca
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.4p1-fix-typo-construct_utmpx.patch
@@ -0,0 +1,21 @@
+diff -Naur openssh-6.4p1.orig/loginrec.c openssh-6.4p1/loginrec.c
+--- openssh-6.4p1.orig/loginrec.c 2014-01-22 17:33:12.380676129 +0000
++++ openssh-6.4p1/loginrec.c 2014-01-22 17:55:40.957751536 +0000
+@@ -785,12 +785,12 @@
+ /* this is just a 128-bit IPv6 address */
+ if (li->hostaddr.sa.sa_family == AF_INET6) {
+ sa6 = ((struct sockaddr_in6 *)&li->hostaddr.sa);
+- memcpy(ut->ut_addr_v6, sa6->sin6_addr.s6_addr, 16);
++ memcpy(utx->ut_addr_v6, sa6->sin6_addr.s6_addr, 16);
+ if (IN6_IS_ADDR_V4MAPPED(&sa6->sin6_addr)) {
+- ut->ut_addr_v6[0] = ut->ut_addr_v6[3];
+- ut->ut_addr_v6[1] = 0;
+- ut->ut_addr_v6[2] = 0;
+- ut->ut_addr_v6[3] = 0;
++ utx->ut_addr_v6[0] = utx->ut_addr_v6[3];
++ utx->ut_addr_v6[1] = 0;
++ utx->ut_addr_v6[2] = 0;
++ utx->ut_addr_v6[3] = 0;
+ }
+ }
+ # endif
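Review bot: The patch has no header explaining the fix: the IPv6 block writes `ut_addr_v6` through `ut` while the struct this function fills is `utx` (construct_utmpx starts and ends outside the hunk, so presumably `ut` is simply not in scope there and the block fails to compile wherever it is built). A one-line header such as `loginrec.c: construct_utmpx() writes ut_addr_v6 through the utmp pointer ut instead of the utmpx pointer utx; the block is only compiled on libcs whose struct utmpx has ut_addr_v6, which is why glibc builds never hit it.` would let the next bumper recognise when upstream has fixed it and drop the file.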
diff --git a/net-misc/openssh/files/openssh-6.4p1-missing-sys_param_h.patch b/net-misc/openssh/files/openssh-6.4p1-missing-sys_param_h.patch
new file mode 100644
index 0000000..22b6ffa
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.4p1-missing-sys_param_h.patch
@@ -0,0 +1,67 @@
+diff -Naur openssh-6.4p1.orig/channels.c openssh-6.4p1/channels.c
+--- openssh-6.4p1.orig/channels.c 2014-01-22 17:14:19.508612783 +0000
++++ openssh-6.4p1/channels.c 2014-01-22 17:18:18.176626129 +0000
+@@ -61,6 +61,7 @@
+ #include <termios.h>
+ #include <unistd.h>
+ #include <stdarg.h>
++#include <sys/param.h>
+
+ #include "openbsd-compat/sys-queue.h"
+ #include "xmalloc.h"
+diff -Naur openssh-6.4p1.orig/loginrec.c openssh-6.4p1/loginrec.c
+--- openssh-6.4p1.orig/loginrec.c 2013-06-01 22:07:32.000000000 +0000
++++ openssh-6.4p1/loginrec.c 2014-01-22 17:30:57.322668577 +0000
+@@ -162,6 +162,7 @@
+ #include <stdarg.h>
+ #include <string.h>
+ #include <time.h>
++#include <sys/time.h>
+ #include <unistd.h>
+
+ #include "xmalloc.h"
+diff -Naur openssh-6.4p1.orig/sshconnect.c openssh-6.4p1/sshconnect.c
+--- openssh-6.4p1.orig/sshconnect.c 2014-01-22 17:16:53.809621411 +0000
++++ openssh-6.4p1/sshconnect.c 2014-01-22 17:17:19.535622850 +0000
+@@ -40,6 +40,7 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <unistd.h>
++#include <sys/param.h>
+
+ #include "xmalloc.h"
+ #include "key.h"
+diff -Naur openssh-6.4p1.orig/sshd.c openssh-6.4p1/sshd.c
+--- openssh-6.4p1.orig/sshd.c 2014-01-22 17:14:19.517612784 +0000
++++ openssh-6.4p1/sshd.c 2014-01-22 17:18:54.560628163 +0000
+@@ -83,6 +83,8 @@
+ #include <prot.h>
+ #endif
+
++#include <sys/param.h>
++
+ #include "xmalloc.h"
+ #include "ssh.h"
+ #include "ssh1.h"
+diff -Naur openssh-6.4p1.orig/ssh-keyscan.c openssh-6.4p1/ssh-keyscan.c
+--- openssh-6.4p1.orig/ssh-keyscan.c 2013-06-01 21:31:19.000000000 +0000
++++ openssh-6.4p1/ssh-keyscan.c 2014-01-22 17:59:37.756764777 +0000
+@@ -29,6 +29,7 @@
+ #include <signal.h>
+ #include <string.h>
+ #include <unistd.h>
++#include <sys/param.h>
+
+ #include "xmalloc.h"
+ #include "ssh.h"
+diff -Naur openssh-6.4p1.orig/ssh-pkcs11-helper.c openssh-6.4p1/ssh-pkcs11-helper.c
+--- openssh-6.4p1.orig/ssh-pkcs11-helper.c 2013-06-01 21:31:19.000000000 +0000
++++ openssh-6.4p1/ssh-pkcs11-helper.c 2014-01-22 18:00:04.653766281 +0000
+@@ -28,6 +28,7 @@
+ #include <string.h>
+ #include <unistd.h>
+ #include <errno.h>
++#include <sys/param.h>
+
+ #include "xmalloc.h"
+ #include "buffer.h"
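Review bot: Nothing in the patch says which symbols needed <sys/param.h> — presumably MIN/MAX or roundup(), which glibc's headers pull in transitively and musl's do not, but that should be confirmed and written down — and the loginrec.c hunk adds <sys/time.h>, not <sys/param.h>, so the filename undersells what it changes. A header along the lines of `musl does not include <sys/param.h> (MIN/MAX/roundup) or <sys/time.h> (struct timeval) transitively; include them explicitly in the files that use those names` plus one sentence per file would make the patch auditable against a future upstream version, where some of these includes may already be present.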
diff --git a/net-misc/openssh/openssh-6.4_p1-r99.ebuild b/net-misc/openssh/openssh-6.4_p1-r99.ebuild
index a2467d1..aafd19d 100644
--- a/net-misc/openssh/openssh-6.4_p1-r99.ebuild
+++ b/net-misc/openssh/openssh-6.4_p1-r99.ebuild
@@ -131,6 +131,10 @@ src_prepare() {
)
sed -i "${sed_args[@]}" configure{,.ac} || die
+ epatch "${FILESDIR}"/${PN}-6.4p1-avoid-exit.patch
+ epatch "${FILESDIR}"/${PN}-6.4p1-missing-sys_param_h.patch
+ epatch "${FILESDIR}"/${PN}-6.4p1-fix-typo-construct_utmpx.patch
+
epatch_user #473004
# Now we can build a sane merged version.h
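Review bot: The three new patch names use the `6.4p1` spelling while every other FILESDIR entry in this package, including `${PN}-5.9_p1-` and `${PN}-6.3_p1-` a few lines above, derives from `${PV}` with the `_p1` form; renaming to `${PN}-6.4_p1-avoid-exit.patch` (and the other two) keeps the directory greppable by version. The placement itself looks right: the configure.ac edit lands after the sed on `configure{,.ac}` and before epatch_user, and the eautoreconf that presumably follows later in src_prepare regenerates configure from it.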
* [gentoo-commits] proj/hardened-dev:musl commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2014-03-21 16:44 Anthony G. Basile
From: Anthony G. Basile @ 2014-03-21 16:44 UTC (permalink / raw
To: gentoo-commits
commit: c28b27ab2f2d2ed00e42b95086675c06603f1bf7
Author: layman <layman <AT> localhost>
AuthorDate: Fri Mar 21 16:41:30 2014 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Fri Mar 21 16:44:33 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=c28b27ab
net-misc/openssh: bump to 6.6_p1
---
.../files/openssh-6.5_p1-hpn-cipher-align.patch | 114 ++++++++
.../openssh-6.6_p1-openssl-ignore-status.patch | 17 ++
.../openssh/files/openssh-6.6_p1-x509-glue.patch | 16 ++
.../openssh-6.6_p1-x509-hpn14v4-glue-p2.patch | 26 ++
net-misc/openssh/openssh-6.6_p1-r99.ebuild | 316 +++++++++++++++++++++
5 files changed, 489 insertions(+)
diff --git a/net-misc/openssh/files/openssh-6.5_p1-hpn-cipher-align.patch b/net-misc/openssh/files/openssh-6.5_p1-hpn-cipher-align.patch
new file mode 100644
index 0000000..cfb060f
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.5_p1-hpn-cipher-align.patch
@@ -0,0 +1,114 @@
+https://bugs.gentoo.org/498632
+
+make sure we do not use unaligned loads/stores as some arches really hate that.
+
+--- a/cipher-ctr-mt.c
++++ b/cipher-ctr-mt.c
+@@ -58,8 +58,16 @@
+ /* Collect thread stats and print at cancellation when in debug mode */
+ /* #define CIPHER_THREAD_STATS */
+
+-/* Use single-byte XOR instead of 8-byte XOR */
+-/* #define CIPHER_BYTE_XOR */
++/* Can the system do unaligned loads natively? */
++#if defined(__aarch64__) || \
++ defined(__i386__) || \
++ defined(__powerpc__) || \
++ defined(__x86_64__)
++# define CIPHER_UNALIGNED_OK
++#endif
++#if defined(__SIZEOF_INT128__)
++# define CIPHER_INT128_OK
++#endif
+ /*-------------------- END TUNABLES --------------------*/
+
+
+@@ -285,8 +293,20 @@ thread_loop(void *x)
+
+ static int
+ ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
+- u_int len)
++ size_t len)
+ {
++ typedef union {
++#ifdef CIPHER_INT128_OK
++ __uint128_t *u128;
++#endif
++ uint64_t *u64;
++ uint32_t *u32;
++ uint8_t *u8;
++ const uint8_t *cu8;
++ uintptr_t u;
++ } ptrs_t;
++ ptrs_t destp, srcp, bufp;
++ uintptr_t align;
+ struct ssh_aes_ctr_ctx *c;
+ struct kq *q, *oldq;
+ int ridx;
+@@ -301,35 +321,41 @@ ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
+ ridx = c->ridx;
+
+ /* src already padded to block multiple */
++ srcp.cu8 = src;
++ destp.u8 = dest;
+ while (len > 0) {
+ buf = q->keys[ridx];
++ bufp.u8 = buf;
+
+-#ifdef CIPHER_BYTE_XOR
+- dest[0] = src[0] ^ buf[0];
+- dest[1] = src[1] ^ buf[1];
+- dest[2] = src[2] ^ buf[2];
+- dest[3] = src[3] ^ buf[3];
+- dest[4] = src[4] ^ buf[4];
+- dest[5] = src[5] ^ buf[5];
+- dest[6] = src[6] ^ buf[6];
+- dest[7] = src[7] ^ buf[7];
+- dest[8] = src[8] ^ buf[8];
+- dest[9] = src[9] ^ buf[9];
+- dest[10] = src[10] ^ buf[10];
+- dest[11] = src[11] ^ buf[11];
+- dest[12] = src[12] ^ buf[12];
+- dest[13] = src[13] ^ buf[13];
+- dest[14] = src[14] ^ buf[14];
+- dest[15] = src[15] ^ buf[15];
+-#else
+- *(uint64_t *)dest = *(uint64_t *)src ^ *(uint64_t *)buf;
+- *(uint64_t *)(dest + 8) = *(uint64_t *)(src + 8) ^
+- *(uint64_t *)(buf + 8);
+-#endif
++ /* figure out the alignment on the fly */
++#ifdef CIPHER_UNALIGNED_OK
++ align = 0;
++#else
++ align = destp.u | srcp.u | bufp.u;
++#endif
++
++#ifdef CIPHER_INT128_OK
++ if ((align & 0xf) == 0) {
++ destp.u128[0] = srcp.u128[0] ^ bufp.u128[0];
++ } else
++#endif
++ if ((align & 0x7) == 0) {
++ destp.u64[0] = srcp.u64[0] ^ bufp.u64[0];
++ destp.u64[1] = srcp.u64[1] ^ bufp.u64[1];
++ } else if ((align & 0x3) == 0) {
++ destp.u32[0] = srcp.u32[0] ^ bufp.u32[0];
++ destp.u32[1] = srcp.u32[1] ^ bufp.u32[1];
++ destp.u32[2] = srcp.u32[2] ^ bufp.u32[2];
++ destp.u32[3] = srcp.u32[3] ^ bufp.u32[3];
++ } else {
++ size_t i;
++ for (i = 0; i < AES_BLOCK_SIZE; ++i)
++ dest[i] = src[i] ^ buf[i];
++ }
+
+- dest += 16;
+- src += 16;
+- len -= 16;
++ destp.u += AES_BLOCK_SIZE;
++ srcp.u += AES_BLOCK_SIZE;
++ len -= AES_BLOCK_SIZE;
+ ssh_ctr_inc(ctx->iv, AES_BLOCK_SIZE);
+
+ /* Increment read index, switch queues on rollover */
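Review bot: The byte-wise fallback in the new `else` branch XORs through the original `dest`/`src` parameters, but only `destp.u`/`srcp.u` are advanced at the bottom of the loop, so on any architecture without CIPHER_UNALIGNED_OK every unaligned block after the first rewrites dest[0..15] and the remainder of the output buffer is never written; if the caller encrypts in place that leaves the rest of the plaintext intact in the buffer. The branch should walk the same pointers as the aligned paths: `destp.u8[i] = srcp.cu8[i] ^ bufp.u8[i];`. The aligned branches are fine since they already go through the union, and `buf` is reloaded from `q->keys[ridx]` each iteration so it needs no advancing. Separately, the `u_int len` to `size_t len` change on the callback presumably tracks the OpenSSL do_cipher prototype; a one-line comment saying which OpenSSL ABI it matches would help, as the ebuild's minimum OpenSSL predates that signature.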
diff --git a/net-misc/openssh/files/openssh-6.6_p1-openssl-ignore-status.patch b/net-misc/openssh/files/openssh-6.6_p1-openssl-ignore-status.patch
new file mode 100644
index 0000000..6db6b97
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.6_p1-openssl-ignore-status.patch
@@ -0,0 +1,17 @@
+the last nibble of the openssl version represents the status. that is,
+whether it is a beta or release. when it comes to version checks in
+openssh, this component does not matter, so ignore it.
+
+https://bugzilla.mindrot.org/show_bug.cgi?id=2212
+
+--- a/entropy.c
++++ b/entropy.c
+@@ -216,7 +216,7 @@ seed_rng(void)
+ * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
+ * within a patch series.
+ */
+- u_long version_mask = SSLeay() >= 0x1000000f ? ~0xffff0L : ~0xff0L;
++ u_long version_mask = SSLeay() >= 0x1000000f ? ~0xfffffL : ~0xff0L;
+ if (((SSLeay() ^ OPENSSL_VERSION_NUMBER) & version_mask) ||
+ (SSLeay() >> 12) < (OPENSSL_VERSION_NUMBER >> 12))
+ fatal("OpenSSL version mismatch. Built against %lx, you "
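Review bot: The widened mask now also drops the status nibble (bits 0–3, beta/release) from the runtime-vs-build comparison, but the explanatory comment immediately above (it begins outside the hunk) still describes only the major/minor/fix rule, so the next reader is likely to "correct" the mask back. Append a line such as `The lowest nibble (release status, e.g. beta vs. final) is ignored: it never changes the ABI and a build against a beta must accept the matching release.` next to the rule. Since this deliberately loosens a check that gates seed_rng(), the rationale belongs in the code, not only in the patch header.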
diff --git a/net-misc/openssh/files/openssh-6.6_p1-x509-glue.patch b/net-misc/openssh/files/openssh-6.6_p1-x509-glue.patch
new file mode 100644
index 0000000..0ba3e45
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.6_p1-x509-glue.patch
@@ -0,0 +1,16 @@
+Make x509 apply after openssh-5.9_p1-sshd-gssapi-multihomed.patch.
+
+--- openssh-6.6p1+x509-7.9.diff
++++ openssh-6.6p1+x509-7.9.diff
+@@ -15473,10 +15473,9 @@
+ .It Cm ChallengeResponseAuthentication
+ Specifies whether challenge-response authentication is allowed (e.g. via
+ PAM or though authentication styles supported in
+-@@ -499,6 +576,16 @@
++@@ -499,5 +576,15 @@
+ The default is
+ .Dq yes .
+- Note that this option applies to protocol version 2 only.
+ +.It Cm HostbasedAlgorithms
+ +Specifies the protocol version 2 algorithms used in
+ +.Dq hostbased
diff --git a/net-misc/openssh/files/openssh-6.6_p1-x509-hpn14v4-glue-p2.patch b/net-misc/openssh/files/openssh-6.6_p1-x509-hpn14v4-glue-p2.patch
new file mode 100644
index 0000000..a69830e
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.6_p1-x509-hpn14v4-glue-p2.patch
@@ -0,0 +1,26 @@
+make the hpn patch apply when the x509 patch has also been applied
+
+--- openssh-6.6p1-hpnssh14v4.diff
++++ openssh-6.6p1-hpnssh14v4.diff
+@@ -1742,18 +1742,14 @@
+ if (options->ip_qos_interactive == -1)
+ options->ip_qos_interactive = IPTOS_LOWDELAY;
+ if (options->ip_qos_bulk == -1)
+-@@ -345,9 +393,10 @@
++@@ -345,6 +393,7 @@
+ sUsePrivilegeSeparation, sAllowAgentForwarding,
+ sHostCertificate,
+ sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
+-+ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
+++ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, sNoneEnabled,
+ sKexAlgorithms, sIPQoS, sVersionAddendum,
+ sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
+-- sAuthenticationMethods, sHostKeyAgent,
+-+ sAuthenticationMethods, sNoneEnabled, sHostKeyAgent,
+- sDeprecated, sUnsupported
+- } ServerOpCodes;
+-
++ sAuthenticationMethods, sHostKeyAgent,
+ @@ -468,6 +517,10 @@
+ { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
+ { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
diff --git a/net-misc/openssh/openssh-6.6_p1-r99.ebuild b/net-misc/openssh/openssh-6.6_p1-r99.ebuild
new file mode 100644
index 0000000..3232115
--- /dev/null
+++ b/net-misc/openssh/openssh-6.6_p1-r99.ebuild
@@ -0,0 +1,316 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-6.6_p1-r1.ebuild,v 1.2 2014/03/20 20:58:31 vapier Exp $
+
+EAPI="4"
+inherit eutils user flag-o-matic multilib autotools pam systemd versionator
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+
+#HPN_PATCH="${PN}-6.6p1-hpnssh14v4.diff.gz"
+HPN_PATCH="${PN}-6.6p1-hpnssh14v4.diff.xz"
+LDAP_PATCH="${PN}-lpk-6.5p1-0.3.14.patch.gz"
+X509_VER="7.9" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.org/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+ ${HPN_PATCH:+hpn? ( http://dev.gentoo.org/~polynomial-c/${HPN_PATCH} )}
+ ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
+ ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+ "
+ #${HPN_PATCH:+hpn? ( mirror://sourceforge/hpnssh/${HPN_PATCH} )}
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="amd64 arm ~mips x86"
+IUSE="bindist ${HPN_PATCH:++}hpn kerberos ldap ldns libedit pam selinux skey static tcpd X X509"
+
+LIB_DEPEND="selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+ skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
+ libedit? ( dev-libs/libedit[static-libs(+)] )
+ >=dev-libs/openssl-0.9.6d:0[bindist=]
+ dev-libs/openssl[static-libs(+)]
+ >=sys-libs/zlib-1.2.3[static-libs(+)]
+ tcpd? ( >=sys-apps/tcp-wrappers-7.6[static-libs(+)] )"
+RDEPEND="
+ !static? (
+ ${LIB_DEPEND//\[static-libs(+)]}
+ ldns? (
+ !bindist? ( net-libs/ldns[ecdsa,ssl] )
+ bindist? ( net-libs/ldns[-ecdsa,ssl] )
+ )
+ )
+ pam? ( virtual/pam )
+ kerberos? ( virtual/krb5 )
+ ldap? ( net-nds/openldap )"
+DEPEND="${RDEPEND}
+ static? (
+ ${LIB_DEPEND}
+ ldns? (
+ !bindist? ( net-libs/ldns[ecdsa,ssl,static-libs(+)] )
+ bindist? ( net-libs/ldns[-ecdsa,ssl,static-libs(+)] )
+ )
+ )
+ virtual/pkgconfig
+ virtual/os-headers
+ sys-devel/autoconf"
+RDEPEND="${RDEPEND}
+ pam? ( >=sys-auth/pambase-20081028 )
+ userland_GNU? ( virtual/shadow )
+ X? ( x11-apps/xauth )"
+
+S=${WORKDIR}/${PARCH}
+
+pkg_setup() {
+ # this sucks, but i'd rather have people unable to `emerge -u openssh`
+ # than not be able to log in to their server any more
+ maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
+ local fail="
+ $(use X509 && maybe_fail X509 X509_PATCH)
+ $(use ldap && maybe_fail ldap LDAP_PATCH)
+ $(use hpn && maybe_fail hpn HPN_PATCH)
+ "
+ fail=$(echo ${fail})
+ if [[ -n ${fail} ]] ; then
+ eerror "Sorry, but this version does not yet support features"
+ eerror "that you requested: ${fail}"
+ eerror "Please mask ${PF} for now and check back later:"
+ eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+ die "booooo"
+ fi
+}
+
+save_version() {
+ # version.h patch conflict avoidence
+ mv version.h version.h.$1
+ cp -f version.h.pristine version.h
+}
+
+src_prepare() {
+ sed -i \
+ -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
+ pathnames.h || die
+ # keep this as we need it to avoid the conflict between LPK and HPN changing
+ # this file.
+ cp version.h version.h.pristine
+
+ # don't break .ssh/authorized_keys2 for fun
+ sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+ epatch "${FILESDIR}"/${PN}-5.9_p1-sshd-gssapi-multihomed.patch #378361
+ if use X509 ; then
+ pushd .. >/dev/null
+ epatch "${FILESDIR}"/${PN}-6.6_p1-x509-glue.patch
+ use hpn && epatch "${FILESDIR}"/${PN}-6.6_p1-x509-hpn14v4-glue-p2.patch
+ popd >/dev/null
+ epatch "${WORKDIR}"/${X509_PATCH%.*}
+ epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch
+ save_version X509
+ fi
+ if ! use X509 ; then
+ if [[ -n ${LDAP_PATCH} ]] && use ldap ; then
+ epatch "${WORKDIR}"/${LDAP_PATCH%.*}
+ save_version LPK
+ fi
+ else
+ use ldap && ewarn "Sorry, X509 and LDAP conflict internally, disabling LDAP"
+ fi
+ epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+ epatch "${FILESDIR}"/${PN}-6.6_p1-openssl-ignore-status.patch
+ if [[ -n ${HPN_PATCH} ]] && use hpn; then
+ epatch "${WORKDIR}"/${HPN_PATCH%.*}
+ epatch "${FILESDIR}"/${PN}-6.5_p1-hpn-cipher-align.patch #498632
+ save_version HPN
+ fi
+
+ tc-export PKG_CONFIG
+ local sed_args=(
+ -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+ # Disable PATH reset, trust what portage gives us #254615
+ -e 's:^PATH=/:#PATH=/:'
+ # Disable fortify flags ... our gcc does this for us
+ -e 's:-D_FORTIFY_SOURCE=2::'
+ )
+ sed -i "${sed_args[@]}" configure{,.ac} || die
+
+ epatch "${FILESDIR}"/${PN}-6.4p1-avoid-exit.patch
+ epatch "${FILESDIR}"/${PN}-6.4p1-missing-sys_param_h.patch
+ epatch "${FILESDIR}"/${PN}-6.4p1-fix-typo-construct_utmpx.patch
+
+ epatch_user #473004
+
+ # Now we can build a sane merged version.h
+ (
+ sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
+ macros=()
+ for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
+ printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
+ ) > version.h
+
+ eautoreconf
+}
+
+static_use_with() {
+ local flag=$1
+ if use static && use ${flag} ; then
+ ewarn "Disabling '${flag}' support because of USE='static'"
+ # rebuild args so that we invert the first one (USE flag)
+ # but otherwise leave everything else working so we can
+ # just leverage use_with
+ shift
+ [[ -z $1 ]] && flag="${flag} ${flag}"
+ set -- !${flag} "$@"
+ fi
+ use_with "$@"
+}
+
+src_configure() {
+ local myconf
+ addwrite /dev/ptmx
+ addpredict /etc/skey/skeykeys #skey configure code triggers this
+
+ use static && append-ldflags -static
+
+ # Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011)
+ if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then
+ myconf="${myconf} --disable-utmp --disable-wtmp --disable-wtmpx"
+ append-ldflags -lutil
+ fi
+
+ econf \
+ --with-ldflags="${LDFLAGS}" \
+ --disable-strip \
+ --with-pid-dir="${EPREFIX}"/var/run \
+ --sysconfdir="${EPREFIX}"/etc/ssh \
+ --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc \
+ --datadir="${EPREFIX}"/usr/share/openssh \
+ --with-privsep-path="${EPREFIX}"/var/empty \
+ --with-privsep-user=sshd \
+ --with-md5-passwords \
+ --with-ssl-engine \
+ $(static_use_with pam) \
+ $(static_use_with kerberos kerberos5 /usr) \
+ ${LDAP_PATCH:+$(use X509 || ( use ldap && use_with ldap ))} \
+ $(use_with ldns) \
+ $(use_with libedit) \
+ $(use_with selinux) \
+ $(use_with skey) \
+ $(use_with tcpd tcp-wrappers) \
+ ${myconf}
+}
+
+src_install() {
+ emake install-nokeys DESTDIR="${D}"
+ fperms 600 /etc/ssh/sshd_config
+ dobin contrib/ssh-copy-id
+ newinitd "${FILESDIR}"/sshd.rc6.4 sshd
+ newconfd "${FILESDIR}"/sshd.confd sshd
+ keepdir /var/empty
+
+ # not all openssl installs support ecc, or are functional #352645
+ if ! grep -q '#define OPENSSL_HAS_ECC 1' config.h ; then
+ elog "dev-libs/openssl was built with 'bindist' - disabling ecdsa support"
+ sed -i 's:&& gen_key ecdsa::' "${ED}"/etc/init.d/sshd || die
+ fi
+
+ newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+ if use pam ; then
+ sed -i \
+ -e "/^#UsePAM /s:.*:UsePAM yes:" \
+ -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+ -e "/^#PrintMotd /s:.*:PrintMotd no:" \
+ -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+ "${ED}"/etc/ssh/sshd_config || die "sed of configuration file failed"
+ fi
+
+ # Gentoo tweaks to default config files
+ cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+
+ # Allow client to pass locale environment variables #367017
+ AcceptEnv LANG LC_*
+ EOF
+ cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
+
+ # Send locale environment variables #367017
+ SendEnv LANG LC_*
+ EOF
+
+ # This instruction is from the HPN webpage,
+ # Used for the server logging functionality
+ if [[ -n ${HPN_PATCH} ]] && use hpn ; then
+ keepdir /var/empty/dev
+ fi
+
+ if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
+ insinto /etc/openldap/schema/
+ newins openssh-lpk_openldap.schema openssh-lpk.schema
+ fi
+
+ doman contrib/ssh-copy-id.1
+ dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
+
+ diropts -m 0700
+ dodir /etc/skel/.ssh
+
+ systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+ systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+}
+
+src_test() {
+ local t tests skipped failed passed shell
+ tests="interop-tests compat-tests"
+ skipped=""
+ shell=$(egetshell ${UID})
+ if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+ elog "Running the full OpenSSH testsuite"
+ elog "requires a usable shell for the 'portage'"
+ elog "user, so we will run a subset only."
+ skipped="${skipped} tests"
+ else
+ tests="${tests} tests"
+ fi
+ # It will also attempt to write to the homedir .ssh
+ local sshhome=${T}/homedir
+ mkdir -p "${sshhome}"/.ssh
+ for t in ${tests} ; do
+ # Some tests read from stdin ...
+ HOMEDIR="${sshhome}" \
+ emake -k -j1 ${t} </dev/null \
+ && passed="${passed}${t} " \
+ || failed="${failed}${t} "
+ done
+ einfo "Passed tests: ${passed}"
+ ewarn "Skipped tests: ${skipped}"
+ if [[ -n ${failed} ]] ; then
+ ewarn "Failed tests: ${failed}"
+ die "Some tests failed: ${failed}"
+ else
+ einfo "Failed tests: ${failed}"
+ return 0
+ fi
+}
+
+pkg_preinst() {
+ enewgroup sshd 22
+ enewuser sshd 22 -1 /var/empty sshd
+}
+
+pkg_postinst() {
+ if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
+ elog "Starting with openssh-5.8p1, the server will default to a newer key"
+ elog "algorithm (ECDSA). You are encouraged to manually update your stored"
+ elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
+ fi
+ ewarn "Remember to merge your config files in /etc/ssh/ and then"
+ ewarn "reload sshd: '/etc/init.d/sshd reload'."
+ # This instruction is from the HPN webpage,
+ # Used for the server logging functionality
+ if [[ -n ${HPN_PATCH} ]] && use hpn ; then
+ echo
+ einfo "For the HPN server logging patch, you must ensure that"
+ einfo "your syslog application also listens at /var/empty/dev/log."
+ fi
+}
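Review bot: In src_prepare, `printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"` expands only `macros[0]`, so when more than one of HPN, X509 and LPK is applied the merged version.h names just the first feature macro and the advertised SSH_RELEASE string silently drops the others; `"${macros[*]}"` emits all of them. Less urgent: the HPN and X509 patches in SRC_URI are fetched over plain http, which is acceptable only because Portage presumably verifies them against the Manifest digests — a short comment next to SRC_URI stating that the Manifest is the integrity check for these third-party diffs would stop someone later fetching them outside that path.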
* [gentoo-commits] proj/hardened-dev:musl commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2014-05-25 0:42 Anthony G. Basile
From: Anthony G. Basile @ 2014-05-25 0:42 UTC (permalink / raw
To: gentoo-commits
commit: 7a0b15d0ae44c5d039c28da66f7120ff21df5943
Author: layman <layman <AT> localhost>
AuthorDate: Sat May 24 20:37:41 2014 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sun May 25 00:44:25 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=7a0b15d0
net-misc/openssh: bump to 6.6.1_p1
Package-Manager: portage-2.2.10
---
.../openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch | 26 ++++
net-misc/openssh/files/openssh-6.6.1_p1.patch | 167 +++++++++++++++++++++
...4_p1-r99.ebuild => openssh-6.6.1_p1-r99.ebuild} | 30 ++--
3 files changed, 214 insertions(+), 9 deletions(-)
diff --git a/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch b/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch
new file mode 100644
index 0000000..c76015d
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch
@@ -0,0 +1,26 @@
+make the hpn patch apply when the x509 patch has also been applied
+
+--- openssh-6.6.1p1-hpnssh14v4.diff
++++ openssh-6.6.1p1-hpnssh14v4.diff
+@@ -1742,18 +1742,14 @@
+ if (options->ip_qos_interactive == -1)
+ options->ip_qos_interactive = IPTOS_LOWDELAY;
+ if (options->ip_qos_bulk == -1)
+-@@ -345,9 +393,10 @@
++@@ -345,6 +393,7 @@
+ sUsePrivilegeSeparation, sAllowAgentForwarding,
+ sHostCertificate,
+ sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
+-+ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
+++ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, sNoneEnabled,
+ sKexAlgorithms, sIPQoS, sVersionAddendum,
+ sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
+-- sAuthenticationMethods, sHostKeyAgent,
+-+ sAuthenticationMethods, sNoneEnabled, sHostKeyAgent,
+- sDeprecated, sUnsupported
+- } ServerOpCodes;
+-
++ sAuthenticationMethods, sHostKeyAgent,
+ @@ -468,6 +517,10 @@
+ { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
+ { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
diff --git a/net-misc/openssh/files/openssh-6.6.1_p1.patch b/net-misc/openssh/files/openssh-6.6.1_p1.patch
new file mode 100644
index 0000000..b11f6fb
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.6.1_p1.patch
@@ -0,0 +1,167 @@
+Hi,
+
+So I screwed up when writing the support for the curve25519 KEX method
+that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left
+leading zero bytes where they should have been skipped. The impact of
+this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a
+peer that implements curve25519-sha256 at libssh.org properly about 0.2%
+of the time (one in every 512ish connections).
+
+We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256
+key exchange for previous versions, but I'd recommend distributors
+of OpenSSH apply this patch so the affected code doesn't become
+too entrenched in LTS releases.
+
+The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as
+to distinguish itself from the incorrect versions so the compatibility
+code to disable the affected KEX isn't activated.
+
+I've committed this on the 6.6 branch too.
+
+Apologies for the hassle.
+
+-d
+
+Index: version.h
+===================================================================
+RCS file: /var/cvs/openssh/version.h,v
+retrieving revision 1.82
+diff -u -p -r1.82 version.h
+--- version.h 27 Feb 2014 23:01:54 -0000 1.82
++++ version.h 20 Apr 2014 03:35:15 -0000
+@@ -1,6 +1,6 @@
+ /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
+
+-#define SSH_VERSION "OpenSSH_6.6"
++#define SSH_VERSION "OpenSSH_6.6.1"
+
+ #define SSH_PORTABLE "p1"
+ #define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+Index: compat.c
+===================================================================
+RCS file: /var/cvs/openssh/compat.c,v
+retrieving revision 1.82
+retrieving revision 1.85
+diff -u -p -r1.82 -r1.85
+--- compat.c 31 Dec 2013 01:25:41 -0000 1.82
++++ compat.c 20 Apr 2014 03:33:59 -0000 1.85
+@@ -95,6 +95,9 @@ compat_datafellows(const char *version)
+ { "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
+ { "OpenSSH_4*", 0 },
+ { "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
++ { "OpenSSH_6.6.1*", SSH_NEW_OPENSSH},
++ { "OpenSSH_6.5*,"
++ "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
+ { "OpenSSH*", SSH_NEW_OPENSSH },
+ { "*MindTerm*", 0 },
+ { "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
+@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop
+ return cipher_prop;
+ }
+
+-
+ char *
+ compat_pkalg_proposal(char *pkalg_prop)
+ {
+@@ -263,5 +265,18 @@ compat_pkalg_proposal(char *pkalg_prop)
+ if (*pkalg_prop == '\0')
+ fatal("No supported PK algorithms found");
+ return pkalg_prop;
++}
++
++char *
++compat_kex_proposal(char *kex_prop)
++{
++ if (!(datafellows & SSH_BUG_CURVE25519PAD))
++ return kex_prop;
++ debug2("%s: original KEX proposal: %s", __func__, kex_prop);
++ kex_prop = filter_proposal(kex_prop, "curve25519-sha256 at libssh.org");
++ debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
++ if (*kex_prop == '\0')
++ fatal("No supported key exchange algorithms found");
++ return kex_prop;
+ }
+
+Index: compat.h
+===================================================================
+RCS file: /var/cvs/openssh/compat.h,v
+retrieving revision 1.42
+retrieving revision 1.43
+diff -u -p -r1.42 -r1.43
+--- compat.h 31 Dec 2013 01:25:41 -0000 1.42
++++ compat.h 20 Apr 2014 03:25:31 -0000 1.43
+@@ -59,6 +59,7 @@
+ #define SSH_BUG_RFWD_ADDR 0x02000000
+ #define SSH_NEW_OPENSSH 0x04000000
+ #define SSH_BUG_DYNAMIC_RPORT 0x08000000
++#define SSH_BUG_CURVE25519PAD 0x10000000
+
+ void enable_compat13(void);
+ void enable_compat20(void);
+@@ -66,6 +67,7 @@ void compat_datafellows(const char *
+ int proto_spec(const char *);
+ char *compat_cipher_proposal(char *);
+ char *compat_pkalg_proposal(char *);
++char *compat_kex_proposal(char *);
+
+ extern int compat13;
+ extern int compat20;
+Index: sshd.c
+===================================================================
+RCS file: /var/cvs/openssh/sshd.c,v
+retrieving revision 1.448
+retrieving revision 1.453
+diff -u -p -r1.448 -r1.453
+--- sshd.c 26 Feb 2014 23:20:08 -0000 1.448
++++ sshd.c 20 Apr 2014 03:28:41 -0000 1.453
+@@ -2462,6 +2438,9 @@ do_ssh2_kex(void)
+ if (options.kex_algorithms != NULL)
+ myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
+
++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
++ myproposal[PROPOSAL_KEX_ALGS]);
++
+ if (options.rekey_limit || options.rekey_interval)
+ packet_set_rekey_limits((u_int32_t)options.rekey_limit,
+ (time_t)options.rekey_interval);
+Index: sshconnect2.c
+===================================================================
+RCS file: /var/cvs/openssh/sshconnect2.c,v
+retrieving revision 1.197
+retrieving revision 1.199
+diff -u -p -r1.197 -r1.199
+--- sshconnect2.c 4 Feb 2014 00:20:16 -0000 1.197
++++ sshconnect2.c 20 Apr 2014 03:25:31 -0000 1.199
+@@ -195,6 +196,8 @@ ssh_kex2(char *host, struct sockaddr *ho
+ }
+ if (options.kex_algorithms != NULL)
+ myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
++ myproposal[PROPOSAL_KEX_ALGS]);
+
+ if (options.rekey_limit || options.rekey_interval)
+ packet_set_rekey_limits((u_int32_t)options.rekey_limit,
+Index: bufaux.c
+===================================================================
+RCS file: /var/cvs/openssh/bufaux.c,v
+retrieving revision 1.62
+retrieving revision 1.63
+diff -u -p -r1.62 -r1.63
+--- bufaux.c 4 Feb 2014 00:20:15 -0000 1.62
++++ bufaux.c 20 Apr 2014 03:24:50 -0000 1.63
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */
++/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo at cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
+@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *b
+
+ if (l > 8 * 1024)
+ fatal("%s: length %u too long", __func__, l);
++ /* Skip leading zero bytes */
++ for (; l > 0 && *s == 0; l--, s++)
++ ;
+ p = buf = xmalloc(l + 1);
+ /*
+ * If most significant bit is set then prepend a zero byte to
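Review bot: The leading-zero skip added to buffer_put_bignum2_from_string can drive `l` down to 0 when the input is entirely zero bytes, and the sign-bit test on `s[0]` that the trailing comment announces (it lies outside the hunk, after the `xmalloc(l + 1)`) would then read one byte past the stripped input unless it is guarded; it should read `if (l > 0 && (s[0] & 0x80) != 0)`. For the curve25519 caller this patch targets, an all-zero shared secret also means the peer supplied a low-order point, and that case is better rejected in the KEX code than silently encoded as an empty mpint; I cannot tell from this patch whether the 6.6.1 tree does so. The remainder of the function, including the copy into `buf` and its release, is outside the hunk.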
diff --git a/net-misc/openssh/openssh-6.4_p1-r99.ebuild b/net-misc/openssh/openssh-6.6.1_p1-r99.ebuild
similarity index 89%
rename from net-misc/openssh/openssh-6.4_p1-r99.ebuild
rename to net-misc/openssh/openssh-6.6.1_p1-r99.ebuild
index 6d71913..6dd6a08 100644
--- a/net-misc/openssh/openssh-6.4_p1-r99.ebuild
+++ b/net-misc/openssh/openssh-6.6.1_p1-r99.ebuild
@@ -1,29 +1,31 @@
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-6.4_p1-r1.ebuild,v 1.6 2014/01/02 12:06:49 polynomial-c Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-6.6.1_p1-r99.ebuild,v 1.2 2014/03/20 20:58:31 vapier Exp $
EAPI="4"
inherit eutils user flag-o-matic multilib autotools pam systemd versionator
# Make it more portable between straight releases
# and _p? releases.
-PARCH=${P/_}
+PARCH=${P/.1_}
-HPN_PATCH="${PN}-6.3p1-hpnssh14v2.diff.gz"
-LDAP_PATCH="${PN}-lpk-6.3p1-0.3.14.patch.gz"
-X509_VER="7.7" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+#HPN_PATCH="${PN}-6.6p1-hpnssh14v4.diff.gz"
+HPN_PATCH="${PN}-6.6.1p1-hpnssh14v4.diff.xz"
+LDAP_PATCH="${PN}-lpk-6.5p1-0.3.14.patch.gz"
+X509_VER="7.9" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
DESCRIPTION="Port of OpenBSD's free SSH release"
HOMEPAGE="http://www.openssh.org/"
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
- ${HPN_PATCH:+hpn? ( mirror://gentoo/${HPN_PATCH} )}
+ ${HPN_PATCH:+hpn? ( http://dev.gentoo.org/~polynomial-c/${HPN_PATCH} )}
${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
"
+ #${HPN_PATCH:+hpn? ( mirror://sourceforge/hpnssh/${HPN_PATCH} )}
LICENSE="BSD GPL-2"
SLOT="0"
-KEYWORDS="amd64 arm ~mips x86"
+KEYWORDS="~amd64 ~arm ~mips ~x86"
IUSE="bindist ${HPN_PATCH:++}hpn kerberos ldap ldns libedit pam selinux skey static tcpd X X509"
LIB_DEPEND="selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
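Review bot: The HPN patch is now fetched from a personal developer directory over plain http (`${HPN_PATCH:+hpn? ( http://dev.gentoo.org/~polynomial-c/${HPN_PATCH} )}`), so its integrity rests entirely on the DIST digest recorded in the Manifest; that is only sound while the Manifest stays signed and the digest was taken from a copy checked against the HPN project's own release, which the ebuild cannot express and should at least state in a comment. The two commented-out alternatives, `#HPN_PATCH="${PN}-6.6p1-hpnssh14v4.diff.gz"` and the `mirror://sourceforge/hpnssh` SRC_URI line, are dead configuration; drop them or replace them with one line saying why the sourceforge mirror is not used.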
@@ -98,10 +100,13 @@ src_prepare() {
# don't break .ssh/authorized_keys2 for fun
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+ epatch "${FILESDIR}"/${P}.patch #508604
+
epatch "${FILESDIR}"/${PN}-5.9_p1-sshd-gssapi-multihomed.patch #378361
if use X509 ; then
pushd .. >/dev/null
- epatch "${FILESDIR}"/${PN}-6.4_p1-x509-glue.patch
+ epatch "${FILESDIR}"/${PN}-6.6_p1-x509-glue.patch
+ use hpn && epatch "${FILESDIR}"/${PN}-6.6.1_p1-x509-hpn14v4-glue-p2.patch
popd >/dev/null
epatch "${WORKDIR}"/${X509_PATCH%.*}
epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch
@@ -116,8 +121,10 @@ src_prepare() {
use ldap && ewarn "Sorry, X509 and LDAP conflict internally, disabling LDAP"
fi
epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+ epatch "${FILESDIR}"/${PN}-6.6_p1-openssl-ignore-status.patch
if [[ -n ${HPN_PATCH} ]] && use hpn; then
epatch "${WORKDIR}"/${HPN_PATCH%.*}
+ epatch "${FILESDIR}"/${PN}-6.5_p1-hpn-cipher-align.patch #498632
save_version HPN
fi
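Review bot: The new `epatch "${FILESDIR}"/${PN}-6.6_p1-openssl-ignore-status.patch` line carries no bug reference or explanation, unlike its neighbours (`#165444`, `#498632`), and its name suggests it relaxes OpenSSH's check that the OpenSSL library loaded at run time matches the one it was built against, which is a security-relevant change a reader should not have to infer from a filename. Add a trailing comment naming the Gentoo bug and stating exactly which part of the version comparison is ignored, e.g. `epatch "${FILESDIR}"/${PN}-6.6_p1-openssl-ignore-status.patch # <bug>: ignore only the OpenSSL status nibble, still require matching major/minor/fix`, with the wording adjusted to what the patch actually does. The surrounding src_prepare function continues outside the hunk.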
@@ -129,7 +136,12 @@ src_prepare() {
# Disable fortify flags ... our gcc does this for us
-e 's:-D_FORTIFY_SOURCE=2::'
)
- sed -i "${sed_args[@]}" configure{,.ac} || die
+ # The -ftrapv flag ICEs on hppa #505182
+ use hppa && sed_args+=(
+ -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+ -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+ )
+ sed -i "${sed_args[@]}" configure{.ac,} || die
epatch "${FILESDIR}"/${PN}-6.4p1-avoid-exit.patch
epatch "${FILESDIR}"/${PN}-6.4p1-missing-sys_param_h.patch
* [gentoo-commits] proj/hardened-dev:musl commit in: net-misc/openssh/files/, net-misc/openssh/
@ 2014-12-31 18:23 Anthony G. Basile
From: Anthony G. Basile @ 2014-12-31 18:23 UTC (permalink / raw
To: gentoo-commits
commit: 10c887587f0221a5ecd59b10fdc37f717629da74
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Wed Dec 31 18:23:51 2014 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Wed Dec 31 18:23:51 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=10c88758
net-misc/openssh: make 6.7_p1 stable on all arches
Package-Manager: portage-2.2.14
Manifest-Sign-Key: 0xF52D4BBA
---
.../openssh-5.9_p1-sshd-gssapi-multihomed.patch | 184 --------
.../openssh/files/openssh-6.4p1-avoid-exit.patch | 499 ---------------------
.../files/openssh-6.5_p1-hpn-cipher-align.patch | 114 -----
.../openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch | 26 --
net-misc/openssh/files/openssh-6.6.1_p1.patch | 167 -------
.../openssh-6.6_p1-openssl-ignore-status.patch | 17 -
.../openssh/files/openssh-6.6_p1-x509-glue.patch | 16 -
.../openssh-6.6_p1-x509-hpn14v4-glue-p2.patch | 26 --
net-misc/openssh/metadata.xml | 1 +
net-misc/openssh/openssh-6.6.1_p1-r99.ebuild | 323 -------------
net-misc/openssh/openssh-6.6_p1-r99.ebuild | 320 -------------
net-misc/openssh/openssh-6.7_p1-r99.ebuild | 2 +-
12 files changed, 2 insertions(+), 1693 deletions(-)
diff --git a/net-misc/openssh/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch b/net-misc/openssh/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch
deleted file mode 100644
index 6377d03..0000000
--- a/net-misc/openssh/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch
+++ /dev/null
@@ -1,184 +0,0 @@
-Index: gss-serv.c
-===================================================================
-RCS file: /cvs/src/usr.bin/ssh/gss-serv.c,v
-retrieving revision 1.22
-diff -u -p -r1.22 gss-serv.c
---- gss-serv.c 8 May 2008 12:02:23 -0000 1.22
-+++ gss-serv.c 11 Jan 2010 05:38:29 -0000
-@@ -41,9 +41,12 @@
- #include "channels.h"
- #include "session.h"
- #include "misc.h"
-+#include "servconf.h"
-
- #include "ssh-gss.h"
-
-+extern ServerOptions options;
-+
- static ssh_gssapi_client gssapi_client =
- { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
- GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
-@@ -77,25 +80,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
- char lname[MAXHOSTNAMELEN];
- gss_OID_set oidset;
-
-- gss_create_empty_oid_set(&status, &oidset);
-- gss_add_oid_set_member(&status, ctx->oid, &oidset);
--
-- if (gethostname(lname, MAXHOSTNAMELEN)) {
-- gss_release_oid_set(&status, &oidset);
-- return (-1);
-- }
-+ if (options.gss_strict_acceptor) {
-+ gss_create_empty_oid_set(&status, &oidset);
-+ gss_add_oid_set_member(&status, ctx->oid, &oidset);
-+
-+ if (gethostname(lname, MAXHOSTNAMELEN)) {
-+ gss_release_oid_set(&status, &oidset);
-+ return (-1);
-+ }
-+
-+ if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
-+ gss_release_oid_set(&status, &oidset);
-+ return (ctx->major);
-+ }
-+
-+ if ((ctx->major = gss_acquire_cred(&ctx->minor,
-+ ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds,
-+ NULL, NULL)))
-+ ssh_gssapi_error(ctx);
-
-- if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
- gss_release_oid_set(&status, &oidset);
- return (ctx->major);
-+ } else {
-+ ctx->name = GSS_C_NO_NAME;
-+ ctx->creds = GSS_C_NO_CREDENTIAL;
- }
--
-- if ((ctx->major = gss_acquire_cred(&ctx->minor,
-- ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
-- ssh_gssapi_error(ctx);
--
-- gss_release_oid_set(&status, &oidset);
-- return (ctx->major);
-+ return GSS_S_COMPLETE;
- }
-
- /* Privileged */
-Index: servconf.c
-===================================================================
-RCS file: /cvs/src/usr.bin/ssh/servconf.c,v
-retrieving revision 1.201
-diff -u -p -r1.201 servconf.c
---- servconf.c 10 Jan 2010 03:51:17 -0000 1.201
-+++ servconf.c 11 Jan 2010 05:34:56 -0000
-@@ -86,6 +86,7 @@ initialize_server_options(ServerOptions
- options->kerberos_get_afs_token = -1;
- options->gss_authentication=-1;
- options->gss_cleanup_creds = -1;
-+ options->gss_strict_acceptor = -1;
- options->password_authentication = -1;
- options->kbd_interactive_authentication = -1;
- options->challenge_response_authentication = -1;
-@@ -200,6 +201,8 @@ fill_default_server_options(ServerOption
- options->gss_authentication = 0;
- if (options->gss_cleanup_creds == -1)
- options->gss_cleanup_creds = 1;
-+ if (options->gss_strict_acceptor == -1)
-+ options->gss_strict_acceptor = 0;
- if (options->password_authentication == -1)
- options->password_authentication = 1;
- if (options->kbd_interactive_authentication == -1)
-@@ -277,7 +280,8 @@ typedef enum {
- sBanner, sUseDNS, sHostbasedAuthentication,
- sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
- sClientAliveCountMax, sAuthorizedKeysFile,
-- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
-+ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
-+ sAcceptEnv, sPermitTunnel,
- sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
- sUsePrivilegeSeparation, sAllowAgentForwarding,
- sZeroKnowledgePasswordAuthentication, sHostCertificate,
-@@ -327,9 +331,11 @@ static struct {
- #ifdef GSSAPI
- { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
- { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
-+ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
- #else
- { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
- { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
-+ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
- #endif
- { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
- { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
-@@ -850,6 +856,10 @@ process_server_config_line(ServerOptions
-
- case sGssCleanupCreds:
- intptr = &options->gss_cleanup_creds;
-+ goto parse_flag;
-+
-+ case sGssStrictAcceptor:
-+ intptr = &options->gss_strict_acceptor;
- goto parse_flag;
-
- case sPasswordAuthentication:
-Index: servconf.h
-===================================================================
-RCS file: /cvs/src/usr.bin/ssh/servconf.h,v
-retrieving revision 1.89
-diff -u -p -r1.89 servconf.h
---- servconf.h 9 Jan 2010 23:04:13 -0000 1.89
-+++ servconf.h 11 Jan 2010 05:32:28 -0000
-@@ -92,6 +92,7 @@ typedef struct {
- * authenticated with Kerberos. */
- int gss_authentication; /* If true, permit GSSAPI authentication */
- int gss_cleanup_creds; /* If true, destroy cred cache on logout */
-+ int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
- int password_authentication; /* If true, permit password
- * authentication. */
- int kbd_interactive_authentication; /* If true, permit */
-Index: sshd_config
-===================================================================
-RCS file: /cvs/src/usr.bin/ssh/sshd_config,v
-retrieving revision 1.81
-diff -u -p -r1.81 sshd_config
---- sshd_config 8 Oct 2009 14:03:41 -0000 1.81
-+++ sshd_config 11 Jan 2010 05:32:28 -0000
-@@ -69,6 +69,7 @@
- # GSSAPI options
- #GSSAPIAuthentication no
- #GSSAPICleanupCredentials yes
-+#GSSAPIStrictAcceptorCheck yes
-
- # Set this to 'yes' to enable PAM authentication, account processing,
- # and session processing. If this is enabled, PAM authentication will
-Index: sshd_config.5
-===================================================================
-RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
-retrieving revision 1.116
-diff -u -p -r1.116 sshd_config.5
---- sshd_config.5 9 Jan 2010 23:04:13 -0000 1.116
-+++ sshd_config.5 11 Jan 2010 05:37:20 -0000
-@@ -386,6 +386,21 @@ on logout.
- The default is
- .Dq yes .
- Note that this option applies to protocol version 2 only.
-+.It Cm GSSAPIStrictAcceptorCheck
-+Determines whether to be strict about the identity of the GSSAPI acceptor
-+a client authenticates against.
-+If set to
-+.Dq yes
-+then the client must authenticate against the
-+.Pa host
-+service on the current hostname.
-+If set to
-+.Dq no
-+then the client may authenticate against any service key stored in the
-+machine's default store.
-+This facility is provided to assist with operation on multi homed machines.
-+The default is
-+.Dq yes .
- .It Cm HostbasedAuthentication
- Specifies whether rhosts or /etc/hosts.equiv authentication together
- with successful public key client host authentication is allowed
diff --git a/net-misc/openssh/files/openssh-6.4p1-avoid-exit.patch b/net-misc/openssh/files/openssh-6.4p1-avoid-exit.patch
deleted file mode 100644
index 4c02aeb..0000000
--- a/net-misc/openssh/files/openssh-6.4p1-avoid-exit.patch
+++ /dev/null
@@ -1,499 +0,0 @@
-diff -Nuar openssh-6.4p1.orig/configure.ac openssh-6.4p1/configure.ac
---- openssh-6.4p1.orig/configure.ac 2014-01-22 17:05:13.463582250 +0000
-+++ openssh-6.4p1/configure.ac 2014-01-22 17:13:08.102608790 +0000
-@@ -223,7 +223,7 @@
- [AC_LANG_PROGRAM([[
- #include <stdlib.h>
- __attribute__((__unused__)) static void foo(void){return;}]],
-- [[ exit(0); ]])],
-+ [[ return 0; ]])],
- [ AC_MSG_RESULT([yes]) ],
- [ AC_MSG_RESULT([no])
- AC_DEFINE(NO_ATTRIBUTE_ON_RETURN_TYPE, 1,
-@@ -410,7 +410,7 @@
- [AC_LANG_PROGRAM([[
- #define testmacro foo
- #define testmacro bar]],
-- [[ exit(0); ]])],
-+ [[ return 0; ]])],
- [ AC_MSG_RESULT([yes]) ],
- [ AC_MSG_RESULT([no])
- CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`"
-@@ -526,9 +526,9 @@
- AC_MSG_CHECKING([if we have working getaddrinfo])
- AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include <mach-o/dyld.h>
- main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
-- exit(0);
-+ return 0;
- else
-- exit(1);
-+ return 1;
- }
- ]])],
- [AC_MSG_RESULT([working])],
-@@ -1016,7 +1016,7 @@
- esac
-
- AC_MSG_CHECKING([compiler and flags for sanity])
--AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]], [[ exit(0); ]])],
-+AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]], [[ return 0; ]])],
- [ AC_MSG_RESULT([yes]) ],
- [
- AC_MSG_RESULT([no])
-@@ -1048,9 +1048,9 @@
- strncpy(buf,"/etc", 32);
- s = dirname(buf);
- if (!s || strncmp(s, "/", 32) != 0) {
-- exit(1);
-+ return 1;
- } else {
-- exit(0);
-+ return 0;
- }
- }
- ]])],
-@@ -1140,19 +1140,19 @@
- int a=0, b=0, c=0, d=0, n, v;
- n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
- if (n != 3 && n != 4)
-- exit(1);
-+ return 1;
- v = a*1000000 + b*10000 + c*100 + d;
- fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);
-
- /* 1.1.4 is OK */
- if (a == 1 && b == 1 && c >= 4)
-- exit(0);
-+ return 0;
-
- /* 1.2.3 and up are OK */
- if (v >= 1020300)
-- exit(0);
-+ return 0;
-
-- exit(2);
-+ return 2;
- ]])],
- AC_MSG_RESULT([no]),
- [ AC_MSG_RESULT([yes])
-@@ -1254,7 +1254,7 @@
- #include <dirent.h>]],
- [[
- struct dirent d;
-- exit(sizeof(d.d_name)<=sizeof(char));
-+ return (sizeof(d.d_name)<=sizeof(char));
- ]])],
- [AC_MSG_RESULT([yes])],
- [
-@@ -1300,7 +1300,7 @@
- #include <skey.h>
- ]], [[
- char *ff = skey_keyinfo(""); ff="";
-- exit(0);
-+ return 0;
- ]])],
- [AC_MSG_RESULT([yes])],
- [
-@@ -1405,7 +1405,7 @@
- #include <stdlib.h>
- #include <stdint.h>
- #include <ldns/ldns.h>
--int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); }
-+int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; return 0; }
- ]])
- ],
- [AC_MSG_RESULT(yes)],
-@@ -1462,7 +1462,7 @@
- [[
- int i = H_SETSIZE;
- el_init("", NULL, NULL, NULL);
-- exit(0);
-+ return 0;
- ]])],
- [ AC_MSG_RESULT([yes]) ],
- [ AC_MSG_RESULT([no])
-@@ -1757,9 +1757,9 @@
- errno=0;
- setresuid(0,0,0);
- if (errno==ENOSYS)
-- exit(1);
-+ return 1;
- else
-- exit(0);
-+ return 0;
- ]])],
- [AC_MSG_RESULT([yes])],
- [AC_DEFINE([BROKEN_SETRESUID], [1],
-@@ -1780,9 +1780,9 @@
- errno=0;
- setresgid(0,0,0);
- if (errno==ENOSYS)
-- exit(1);
-+ return 1;
- else
-- exit(0);
-+ return 0;
- ]])],
- [AC_MSG_RESULT([yes])],
- [AC_DEFINE([BROKEN_SETRESGID], [1],
-@@ -1824,7 +1824,7 @@
- [[
- char b[5];
- snprintf(b,5,"123456789");
-- exit(b[4]!='\0');
-+ return (b[4]!='\0');
- ]])],
- [AC_MSG_RESULT([yes])],
- [
-@@ -1857,7 +1857,7 @@
- }
- ]], [[
- char x[1];
-- exit(x_snprintf(x, 1, "%s %d", "hello", 12345) == 11 ? 0 : 1);
-+ return (x_snprintf(x, 1, "%s %d", "hello", 12345) == 11 ? 0 : 1);
- ]])],
- [AC_MSG_RESULT([yes])],
- [
-@@ -1909,9 +1909,9 @@
- ]], [[
- char template[]="conftest.mkstemp-test";
- if (mkstemp(template) == -1)
-- exit(1);
-+ return 1;
- unlink(template);
-- exit(0);
-+ return 0;
- ]])],
- [
- AC_MSG_RESULT([no])
-@@ -1942,22 +1942,22 @@
-
- pid = fork();
- if (pid < 0) { /* failed */
-- exit(1);
-+ return 1;
- } else if (pid > 0) { /* parent */
- waitpid(pid, &status, 0);
- if (WIFEXITED(status))
-- exit(WEXITSTATUS(status));
-+ return (WEXITSTATUS(status));
- else
-- exit(2);
-+ return 2;
- } else { /* child */
- close(0); close(1); close(2);
- setsid();
- openpty(&ptyfd, &ttyfd, NULL, NULL, NULL);
- fd = open("/dev/tty", O_RDWR | O_NOCTTY);
- if (fd >= 0)
-- exit(3); /* Acquired ctty: broken */
-+ return 3; /* Acquired ctty: broken */
- else
-- exit(0); /* Did not acquire ctty: OK */
-+ return 0; /* Did not acquire ctty: OK */
- }
- ]])],
- [
-@@ -1998,7 +1998,7 @@
- err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
- if (err != 0) {
- fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
-- exit(1);
-+ return 1;
- }
-
- for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
-@@ -2015,7 +2015,7 @@
- else
- fprintf(stderr, "getnameinfo failed: %s\n",
- gai_strerror(err));
-- exit(2);
-+ return 2;
- }
-
- sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
-@@ -2023,10 +2023,10 @@
- perror("socket");
- if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
- if (errno == EBADF)
-- exit(3);
-+ return 3;
- }
- }
-- exit(0);
-+ return 0;
- ]])],
- [
- AC_MSG_RESULT([yes])
-@@ -2066,7 +2066,7 @@
- err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
- if (err != 0) {
- fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
-- exit(1);
-+ return 1;
- }
-
- for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
-@@ -2079,10 +2079,10 @@
-
- if (ai->ai_family == AF_INET && err != 0) {
- perror("getnameinfo");
-- exit(2);
-+ return 2;
- }
- }
-- exit(0);
-+ return 0;
- ]])],
- [
- AC_MSG_RESULT([yes])
-@@ -2103,7 +2103,7 @@
- if test "x$check_for_conflicting_getspnam" = "x1"; then
- AC_MSG_CHECKING([for conflicting getspnam in shadow.h])
- AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include <shadow.h> ]],
-- [[ exit(0); ]])],
-+ [[ return 0; ]])],
- [
- AC_MSG_RESULT([no])
- ],
-@@ -2191,12 +2191,12 @@
-
- fd = fopen(DATA,"w");
- if(fd == NULL)
-- exit(1);
-+ return 1;
-
- if ((rc = fprintf(fd ,"%x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0)
-- exit(1);
-+ return 1;
-
-- exit(0);
-+ return 0;
- ]])],
- [
- ssl_header_ver=`cat conftest.sslincver`
-@@ -2226,12 +2226,12 @@
-
- fd = fopen(DATA,"w");
- if(fd == NULL)
-- exit(1);
-+ return 1;
-
- if ((rc = fprintf(fd ,"%x (%s)\n", SSLeay(), SSLeay_version(SSLEAY_VERSION))) <0)
-- exit(1);
-+ return 1;
-
-- exit(0);
-+ return 0;
- ]])],
- [
- ssl_library_ver=`cat conftest.ssllibver`
-@@ -2261,7 +2261,7 @@
- #include <string.h>
- #include <openssl/opensslv.h>
- ]], [[
-- exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1);
-+ return (SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1);
- ]])],
- [
- AC_MSG_RESULT([yes])
-@@ -2339,7 +2339,7 @@
- #include <string.h>
- #include <openssl/evp.h>
- ]], [[
-- exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);
-+ return (EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);
- ]])],
- [
- AC_MSG_RESULT([no])
-@@ -2358,7 +2358,7 @@
- #include <string.h>
- #include <openssl/evp.h>
- ]], [[
-- exit(EVP_aes_128_ctr() == NULL ||
-+ return (EVP_aes_128_ctr() == NULL ||
- EVP_aes_192_cbc() == NULL ||
- EVP_aes_256_cbc() == NULL);
- ]])],
-@@ -2379,7 +2379,7 @@
- #include <string.h>
- #include <openssl/evp.h>
- ]], [[
-- exit(EVP_aes_128_gcm() == NULL ||
-+ return (EVP_aes_128_gcm() == NULL ||
- EVP_aes_256_gcm() == NULL ||
- EVP_CTRL_GCM_SET_IV_FIXED == 0 ||
- EVP_CTRL_GCM_IV_GEN == 0 ||
-@@ -2410,7 +2410,7 @@
- #include <openssl/evp.h>
- ]], [[
- if(EVP_DigestUpdate(NULL, NULL,0))
-- exit(0);
-+ return 0;
- ]])],
- [
- AC_MSG_RESULT([yes])
-@@ -2505,7 +2505,7 @@
- #include <string.h>
- #include <openssl/rand.h>
- ]], [[
-- exit(RAND_status() == 1 ? 0 : 1);
-+ return (RAND_status() == 1 ? 0 : 1);
- ]])],
- [
- OPENSSL_SEEDS_ITSELF=yes
-@@ -2702,7 +2702,7 @@
- [[ int i = $seccomp_audit_arch;
- errno = 0;
- prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
-- exit(errno == EFAULT ? 0 : 1); ]])],
-+ return (errno == EFAULT ? 0 : 1); ]])],
- [ AC_MSG_RESULT([yes]) ], [
- AC_MSG_RESULT([no])
- # Disable seccomp filter as a target
-@@ -2756,7 +2756,7 @@
- tv.tv_sec = 1;
- tv.tv_usec = 0;
- r = select(fd+1, &fds, NULL, NULL, &tv);
-- exit (r == -1 ? 1 : 0);
-+ return (r == -1 ? 1 : 0);
- ]])],
- [AC_MSG_RESULT([yes])
- select_works_with_rlimit=yes],
-@@ -2782,7 +2782,7 @@
-
- rl_zero.rlim_cur = rl_zero.rlim_max = 0;
- r = setrlimit(RLIMIT_NOFILE, &rl_zero);
-- exit (r == -1 ? 1 : 0);
-+ return (r == -1 ? 1 : 0);
- ]])],
- [AC_MSG_RESULT([yes])
- rlimit_nofile_zero_works=yes],
-@@ -2801,7 +2801,7 @@
- struct rlimit rl_zero;
-
- rl_zero.rlim_cur = rl_zero.rlim_max = 0;
-- exit(setrlimit(RLIMIT_FSIZE, &rl_zero) != 0);
-+ return (setrlimit(RLIMIT_FSIZE, &rl_zero) != 0);
- ]])],
- [AC_MSG_RESULT([yes])],
- [AC_MSG_RESULT([no])
-@@ -2925,7 +2925,7 @@
- long long i, llmin, llmax = 0;
-
- if((f = fopen(DATA,"w")) == NULL)
-- exit(1);
-+ return 1;
-
- #if defined(LLONG_MIN) && defined(LLONG_MAX)
- fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
-@@ -2944,16 +2944,16 @@
- || llmax - 1 > llmax || llmin == llmax || llmin == 0
- || llmax == 0 || llmax < LONG_MAX || llmin > LONG_MIN) {
- fprintf(f, "unknown unknown\n");
-- exit(2);
-+ return 2;
- }
-
- if (fprint_ll(f, llmin) < 0)
-- exit(3);
-+ return 3;
- if (fprint_ll(f, llmax) < 0)
-- exit(4);
-+ return 4;
- if (fclose(f) < 0)
-- exit(5);
-- exit(0);
-+ return 5;
-+ return 0;
- ]])],
- [
- llong_min=`$AWK '{print $1}' conftest.llminmax`
-@@ -3337,11 +3337,11 @@
- strcpy(expected_out, "9223372036854775807");
- snprintf(buf, mazsize, "%lld", num);
- if(strcmp(buf, expected_out) != 0)
-- exit(1);
-- exit(0);
-+ return 1;
-+ return 0;
- }
- #else
--main() { exit(0); }
-+main() { return 0; }
- #endif
- ]])], [ true ], [ AC_DEFINE([BROKEN_SNPRINTF]) ],
- AC_MSG_WARN([cross compiling: Assuming working snprintf()])
-@@ -3425,11 +3425,11 @@
- ]], [[
- #ifdef msg_accrights
- #error "msg_accrights is a macro"
--exit(1);
-+return 1;
- #endif
- struct msghdr m;
- m.msg_accrights = 0;
--exit(0);
-+return 0;
- ]])],
- [ ac_cv_have_accrights_in_msghdr="yes" ],
- [ ac_cv_have_accrights_in_msghdr="no" ]
-@@ -3486,11 +3486,11 @@
- ]], [[
- #ifdef msg_control
- #error "msg_control is a macro"
--exit(1);
-+return 1;
- #endif
- struct msghdr m;
- m.msg_control = 0;
--exit(0);
-+return 0;
- ]])],
- [ ac_cv_have_control_in_msghdr="yes" ],
- [ ac_cv_have_control_in_msghdr="no" ]
-@@ -3912,22 +3912,22 @@
-
- fd = fopen(DATA,"w");
- if(fd == NULL)
-- exit(1);
-+ return 1;
-
- #if defined (_PATH_MAILDIR)
- if ((rc = fprintf(fd ,"_PATH_MAILDIR:%s\n", _PATH_MAILDIR)) <0)
-- exit(1);
-+ return 1;
- #elif defined (MAILDIR)
- if ((rc = fprintf(fd ,"MAILDIR:%s\n", MAILDIR)) <0)
-- exit(1);
-+ return 1;
- #elif defined (_PATH_MAIL)
- if ((rc = fprintf(fd ,"_PATH_MAIL:%s\n", _PATH_MAIL)) <0)
-- exit(1);
-+ return 1;
- #else
-- exit (2);
-+ return 2;
- #endif
-
-- exit(0);
-+ return 0;
- ]])],
- [
- maildir_what=`awk -F: '{print $1}' conftest.maildir`
-@@ -4162,12 +4162,12 @@
-
- fd = fopen(DATA,"w");
- if(fd == NULL)
-- exit(1);
-+ return 1;
-
- if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0)
-- exit(1);
-+ return 1;
-
-- exit(0);
-+ return 0;
- ]])],
- [ user_path=`cat conftest.stdpath` ],
- [ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ],
diff --git a/net-misc/openssh/files/openssh-6.5_p1-hpn-cipher-align.patch b/net-misc/openssh/files/openssh-6.5_p1-hpn-cipher-align.patch
deleted file mode 100644
index cfb060f..0000000
--- a/net-misc/openssh/files/openssh-6.5_p1-hpn-cipher-align.patch
+++ /dev/null
@@ -1,114 +0,0 @@
-https://bugs.gentoo.org/498632
-
-make sure we do not use unaligned loads/stores as some arches really hate that.
-
---- a/cipher-ctr-mt.c
-+++ b/cipher-ctr-mt.c
-@@ -58,8 +58,16 @@
- /* Collect thread stats and print at cancellation when in debug mode */
- /* #define CIPHER_THREAD_STATS */
-
--/* Use single-byte XOR instead of 8-byte XOR */
--/* #define CIPHER_BYTE_XOR */
-+/* Can the system do unaligned loads natively? */
-+#if defined(__aarch64__) || \
-+ defined(__i386__) || \
-+ defined(__powerpc__) || \
-+ defined(__x86_64__)
-+# define CIPHER_UNALIGNED_OK
-+#endif
-+#if defined(__SIZEOF_INT128__)
-+# define CIPHER_INT128_OK
-+#endif
- /*-------------------- END TUNABLES --------------------*/
-
-
-@@ -285,8 +293,20 @@ thread_loop(void *x)
-
- static int
- ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
-- u_int len)
-+ size_t len)
- {
-+ typedef union {
-+#ifdef CIPHER_INT128_OK
-+ __uint128_t *u128;
-+#endif
-+ uint64_t *u64;
-+ uint32_t *u32;
-+ uint8_t *u8;
-+ const uint8_t *cu8;
-+ uintptr_t u;
-+ } ptrs_t;
-+ ptrs_t destp, srcp, bufp;
-+ uintptr_t align;
- struct ssh_aes_ctr_ctx *c;
- struct kq *q, *oldq;
- int ridx;
-@@ -301,35 +321,41 @@ ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
- ridx = c->ridx;
-
- /* src already padded to block multiple */
-+ srcp.cu8 = src;
-+ destp.u8 = dest;
- while (len > 0) {
- buf = q->keys[ridx];
-+ bufp.u8 = buf;
-
--#ifdef CIPHER_BYTE_XOR
-- dest[0] = src[0] ^ buf[0];
-- dest[1] = src[1] ^ buf[1];
-- dest[2] = src[2] ^ buf[2];
-- dest[3] = src[3] ^ buf[3];
-- dest[4] = src[4] ^ buf[4];
-- dest[5] = src[5] ^ buf[5];
-- dest[6] = src[6] ^ buf[6];
-- dest[7] = src[7] ^ buf[7];
-- dest[8] = src[8] ^ buf[8];
-- dest[9] = src[9] ^ buf[9];
-- dest[10] = src[10] ^ buf[10];
-- dest[11] = src[11] ^ buf[11];
-- dest[12] = src[12] ^ buf[12];
-- dest[13] = src[13] ^ buf[13];
-- dest[14] = src[14] ^ buf[14];
-- dest[15] = src[15] ^ buf[15];
--#else
-- *(uint64_t *)dest = *(uint64_t *)src ^ *(uint64_t *)buf;
-- *(uint64_t *)(dest + 8) = *(uint64_t *)(src + 8) ^
-- *(uint64_t *)(buf + 8);
--#endif
-+ /* figure out the alignment on the fly */
-+#ifdef CIPHER_UNALIGNED_OK
-+ align = 0;
-+#else
-+ align = destp.u | srcp.u | bufp.u;
-+#endif
-+
-+#ifdef CIPHER_INT128_OK
-+ if ((align & 0xf) == 0) {
-+ destp.u128[0] = srcp.u128[0] ^ bufp.u128[0];
-+ } else
-+#endif
-+ if ((align & 0x7) == 0) {
-+ destp.u64[0] = srcp.u64[0] ^ bufp.u64[0];
-+ destp.u64[1] = srcp.u64[1] ^ bufp.u64[1];
-+ } else if ((align & 0x3) == 0) {
-+ destp.u32[0] = srcp.u32[0] ^ bufp.u32[0];
-+ destp.u32[1] = srcp.u32[1] ^ bufp.u32[1];
-+ destp.u32[2] = srcp.u32[2] ^ bufp.u32[2];
-+ destp.u32[3] = srcp.u32[3] ^ bufp.u32[3];
-+ } else {
-+ size_t i;
-+ for (i = 0; i < AES_BLOCK_SIZE; ++i)
-+ dest[i] = src[i] ^ buf[i];
-+ }
-
-- dest += 16;
-- src += 16;
-- len -= 16;
-+ destp.u += AES_BLOCK_SIZE;
-+ srcp.u += AES_BLOCK_SIZE;
-+ len -= AES_BLOCK_SIZE;
- ssh_ctr_inc(ctx->iv, AES_BLOCK_SIZE);
-
- /* Increment read index, switch queues on rollover */
diff --git a/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch b/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch
deleted file mode 100644
index c76015d..0000000
--- a/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-make the hpn patch apply when the x509 patch has also been applied
-
---- openssh-6.6.1p1-hpnssh14v4.diff
-+++ openssh-6.6.1p1-hpnssh14v4.diff
-@@ -1742,18 +1742,14 @@
- if (options->ip_qos_interactive == -1)
- options->ip_qos_interactive = IPTOS_LOWDELAY;
- if (options->ip_qos_bulk == -1)
--@@ -345,9 +393,10 @@
-+@@ -345,6 +393,7 @@
- sUsePrivilegeSeparation, sAllowAgentForwarding,
- sHostCertificate,
- sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
--+ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
-++ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, sNoneEnabled,
- sKexAlgorithms, sIPQoS, sVersionAddendum,
- sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
--- sAuthenticationMethods, sHostKeyAgent,
--+ sAuthenticationMethods, sNoneEnabled, sHostKeyAgent,
-- sDeprecated, sUnsupported
-- } ServerOpCodes;
--
-+ sAuthenticationMethods, sHostKeyAgent,
- @@ -468,6 +517,10 @@
- { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
- { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
diff --git a/net-misc/openssh/files/openssh-6.6.1_p1.patch b/net-misc/openssh/files/openssh-6.6.1_p1.patch
deleted file mode 100644
index b11f6fb..0000000
--- a/net-misc/openssh/files/openssh-6.6.1_p1.patch
+++ /dev/null
@@ -1,167 +0,0 @@
-Hi,
-
-So I screwed up when writing the support for the curve25519 KEX method
-that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left
-leading zero bytes where they should have been skipped. The impact of
-this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a
-peer that implements curve25519-sha256 at libssh.org properly about 0.2%
-of the time (one in every 512ish connections).
-
-We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256
-key exchange for previous versions, but I'd recommend distributors
-of OpenSSH apply this patch so the affected code doesn't become
-too entrenched in LTS releases.
-
-The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as
-to distinguish itself from the incorrect versions so the compatibility
-code to disable the affected KEX isn't activated.
-
-I've committed this on the 6.6 branch too.
-
-Apologies for the hassle.
-
--d
-
-Index: version.h
-===================================================================
-RCS file: /var/cvs/openssh/version.h,v
-retrieving revision 1.82
-diff -u -p -r1.82 version.h
---- version.h 27 Feb 2014 23:01:54 -0000 1.82
-+++ version.h 20 Apr 2014 03:35:15 -0000
-@@ -1,6 +1,6 @@
- /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
-
--#define SSH_VERSION "OpenSSH_6.6"
-+#define SSH_VERSION "OpenSSH_6.6.1"
-
- #define SSH_PORTABLE "p1"
- #define SSH_RELEASE SSH_VERSION SSH_PORTABLE
-Index: compat.c
-===================================================================
-RCS file: /var/cvs/openssh/compat.c,v
-retrieving revision 1.82
-retrieving revision 1.85
-diff -u -p -r1.82 -r1.85
---- compat.c 31 Dec 2013 01:25:41 -0000 1.82
-+++ compat.c 20 Apr 2014 03:33:59 -0000 1.85
-@@ -95,6 +95,9 @@ compat_datafellows(const char *version)
- { "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
- { "OpenSSH_4*", 0 },
- { "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
-+ { "OpenSSH_6.6.1*", SSH_NEW_OPENSSH},
-+ { "OpenSSH_6.5*,"
-+ "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
- { "OpenSSH*", SSH_NEW_OPENSSH },
- { "*MindTerm*", 0 },
- { "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
-@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop
- return cipher_prop;
- }
-
--
- char *
- compat_pkalg_proposal(char *pkalg_prop)
- {
-@@ -263,5 +265,18 @@ compat_pkalg_proposal(char *pkalg_prop)
- if (*pkalg_prop == '\0')
- fatal("No supported PK algorithms found");
- return pkalg_prop;
-+}
-+
-+char *
-+compat_kex_proposal(char *kex_prop)
-+{
-+ if (!(datafellows & SSH_BUG_CURVE25519PAD))
-+ return kex_prop;
-+ debug2("%s: original KEX proposal: %s", __func__, kex_prop);
-+ kex_prop = filter_proposal(kex_prop, "curve25519-sha256 at libssh.org");
-+ debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
-+ if (*kex_prop == '\0')
-+ fatal("No supported key exchange algorithms found");
-+ return kex_prop;
- }
-
-Index: compat.h
-===================================================================
-RCS file: /var/cvs/openssh/compat.h,v
-retrieving revision 1.42
-retrieving revision 1.43
-diff -u -p -r1.42 -r1.43
---- compat.h 31 Dec 2013 01:25:41 -0000 1.42
-+++ compat.h 20 Apr 2014 03:25:31 -0000 1.43
-@@ -59,6 +59,7 @@
- #define SSH_BUG_RFWD_ADDR 0x02000000
- #define SSH_NEW_OPENSSH 0x04000000
- #define SSH_BUG_DYNAMIC_RPORT 0x08000000
-+#define SSH_BUG_CURVE25519PAD 0x10000000
-
- void enable_compat13(void);
- void enable_compat20(void);
-@@ -66,6 +67,7 @@ void compat_datafellows(const char *
- int proto_spec(const char *);
- char *compat_cipher_proposal(char *);
- char *compat_pkalg_proposal(char *);
-+char *compat_kex_proposal(char *);
-
- extern int compat13;
- extern int compat20;
-Index: sshd.c
-===================================================================
-RCS file: /var/cvs/openssh/sshd.c,v
-retrieving revision 1.448
-retrieving revision 1.453
-diff -u -p -r1.448 -r1.453
---- sshd.c 26 Feb 2014 23:20:08 -0000 1.448
-+++ sshd.c 20 Apr 2014 03:28:41 -0000 1.453
-@@ -2462,6 +2438,9 @@ do_ssh2_kex(void)
- if (options.kex_algorithms != NULL)
- myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
-
-+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
-+ myproposal[PROPOSAL_KEX_ALGS]);
-+
- if (options.rekey_limit || options.rekey_interval)
- packet_set_rekey_limits((u_int32_t)options.rekey_limit,
- (time_t)options.rekey_interval);
-Index: sshconnect2.c
-===================================================================
-RCS file: /var/cvs/openssh/sshconnect2.c,v
-retrieving revision 1.197
-retrieving revision 1.199
-diff -u -p -r1.197 -r1.199
---- sshconnect2.c 4 Feb 2014 00:20:16 -0000 1.197
-+++ sshconnect2.c 20 Apr 2014 03:25:31 -0000 1.199
-@@ -195,6 +196,8 @@ ssh_kex2(char *host, struct sockaddr *ho
- }
- if (options.kex_algorithms != NULL)
- myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
-+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
-+ myproposal[PROPOSAL_KEX_ALGS]);
-
- if (options.rekey_limit || options.rekey_interval)
- packet_set_rekey_limits((u_int32_t)options.rekey_limit,
-Index: bufaux.c
-===================================================================
-RCS file: /var/cvs/openssh/bufaux.c,v
-retrieving revision 1.62
-retrieving revision 1.63
-diff -u -p -r1.62 -r1.63
---- bufaux.c 4 Feb 2014 00:20:15 -0000 1.62
-+++ bufaux.c 20 Apr 2014 03:24:50 -0000 1.63
-@@ -1,4 +1,4 @@
--/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */
-+/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */
- /*
- * Author: Tatu Ylonen <ylo at cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
-@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *b
-
- if (l > 8 * 1024)
- fatal("%s: length %u too long", __func__, l);
-+ /* Skip leading zero bytes */
-+ for (; l > 0 && *s == 0; l--, s++)
-+ ;
- p = buf = xmalloc(l + 1);
- /*
- * If most significant bit is set then prepend a zero byte to
diff --git a/net-misc/openssh/files/openssh-6.6_p1-openssl-ignore-status.patch b/net-misc/openssh/files/openssh-6.6_p1-openssl-ignore-status.patch
deleted file mode 100644
index 6db6b97..0000000
--- a/net-misc/openssh/files/openssh-6.6_p1-openssl-ignore-status.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-the last nibble of the openssl version represents the status. that is,
-whether it is a beta or release. when it comes to version checks in
-openssh, this component does not matter, so ignore it.
-
-https://bugzilla.mindrot.org/show_bug.cgi?id=2212
-
---- a/entropy.c
-+++ b/entropy.c
-@@ -216,7 +216,7 @@ seed_rng(void)
- * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
- * within a patch series.
- */
-- u_long version_mask = SSLeay() >= 0x1000000f ? ~0xffff0L : ~0xff0L;
-+ u_long version_mask = SSLeay() >= 0x1000000f ? ~0xfffffL : ~0xff0L;
- if (((SSLeay() ^ OPENSSL_VERSION_NUMBER) & version_mask) ||
- (SSLeay() >> 12) < (OPENSSL_VERSION_NUMBER >> 12))
- fatal("OpenSSL version mismatch. Built against %lx, you "
diff --git a/net-misc/openssh/files/openssh-6.6_p1-x509-glue.patch b/net-misc/openssh/files/openssh-6.6_p1-x509-glue.patch
deleted file mode 100644
index 0ba3e45..0000000
--- a/net-misc/openssh/files/openssh-6.6_p1-x509-glue.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-Make x509 apply after openssh-5.9_p1-sshd-gssapi-multihomed.patch.
-
---- openssh-6.6p1+x509-7.9.diff
-+++ openssh-6.6p1+x509-7.9.diff
-@@ -15473,10 +15473,9 @@
- .It Cm ChallengeResponseAuthentication
- Specifies whether challenge-response authentication is allowed (e.g. via
- PAM or though authentication styles supported in
--@@ -499,6 +576,16 @@
-+@@ -499,5 +576,15 @@
- The default is
- .Dq yes .
-- Note that this option applies to protocol version 2 only.
- +.It Cm HostbasedAlgorithms
- +Specifies the protocol version 2 algorithms used in
- +.Dq hostbased
diff --git a/net-misc/openssh/files/openssh-6.6_p1-x509-hpn14v4-glue-p2.patch b/net-misc/openssh/files/openssh-6.6_p1-x509-hpn14v4-glue-p2.patch
deleted file mode 100644
index a69830e..0000000
--- a/net-misc/openssh/files/openssh-6.6_p1-x509-hpn14v4-glue-p2.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-make the hpn patch apply when the x509 patch has also been applied
-
---- openssh-6.6p1-hpnssh14v4.diff
-+++ openssh-6.6p1-hpnssh14v4.diff
-@@ -1742,18 +1742,14 @@
- if (options->ip_qos_interactive == -1)
- options->ip_qos_interactive = IPTOS_LOWDELAY;
- if (options->ip_qos_bulk == -1)
--@@ -345,9 +393,10 @@
-+@@ -345,6 +393,7 @@
- sUsePrivilegeSeparation, sAllowAgentForwarding,
- sHostCertificate,
- sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
--+ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
-++ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, sNoneEnabled,
- sKexAlgorithms, sIPQoS, sVersionAddendum,
- sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
--- sAuthenticationMethods, sHostKeyAgent,
--+ sAuthenticationMethods, sNoneEnabled, sHostKeyAgent,
-- sDeprecated, sUnsupported
-- } ServerOpCodes;
--
-+ sAuthenticationMethods, sHostKeyAgent,
- @@ -468,6 +517,10 @@
- { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
- { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
diff --git a/net-misc/openssh/metadata.xml b/net-misc/openssh/metadata.xml
index 5765fa2..885648b 100644
--- a/net-misc/openssh/metadata.xml
+++ b/net-misc/openssh/metadata.xml
@@ -25,6 +25,7 @@ ssh-keygen and sftp-server. OpenSSH supports SSH protocol versions 1.3, 1.5, and
<flag name="hpn">Enable high performance ssh</flag>
<flag name="ldap">Add support for storing SSH public keys in LDAP</flag>
<flag name="ldns">Use LDNS for DNSSEC/SSHFP validation.</flag>
+ <flag name="sctp">Support for Stream Control Transmission Protocol</flag>
<flag name="X509">Adds support for X.509 certificate authentication</flag>
</use>
<upstream>
diff --git a/net-misc/openssh/openssh-6.6.1_p1-r99.ebuild b/net-misc/openssh/openssh-6.6.1_p1-r99.ebuild
deleted file mode 100644
index f12f244..0000000
--- a/net-misc/openssh/openssh-6.6.1_p1-r99.ebuild
+++ /dev/null
@@ -1,323 +0,0 @@
-# Copyright 1999-2014 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-6.6.1_p1-r99.ebuild,v 1.2 2014/03/20 20:58:31 vapier Exp $
-
-EAPI="4"
-inherit eutils user flag-o-matic multilib autotools pam systemd versionator
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/.1_}
-
-#HPN_PATCH="${PN}-6.6p1-hpnssh14v4.diff.gz"
-HPN_PATCH="${PN}-6.6.1p1-hpnssh14v4.diff.xz"
-LDAP_PATCH="${PN}-lpk-6.5p1-0.3.14.patch.gz"
-X509_VER="7.9" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="http://www.openssh.org/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
- ${HPN_PATCH:+hpn? ( http://dev.gentoo.org/~polynomial-c/${HPN_PATCH} )}
- ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
- ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
- "
- #${HPN_PATCH:+hpn? ( mirror://sourceforge/hpnssh/${HPN_PATCH} )}
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~amd64 ~arm ~mips ~ppc ~x86"
-IUSE="bindist ${HPN_PATCH:++}hpn kerberos ldap ldns libedit pam selinux skey static tcpd X X509"
-
-LIB_DEPEND="selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
- skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
- libedit? ( dev-libs/libedit[static-libs(+)] )
- >=dev-libs/openssl-0.9.6d:0[bindist=]
- dev-libs/openssl[static-libs(+)]
- >=sys-libs/zlib-1.2.3[static-libs(+)]
- tcpd? ( >=sys-apps/tcp-wrappers-7.6[static-libs(+)] )"
-RDEPEND="
- !static? (
- ${LIB_DEPEND//\[static-libs(+)]}
- ldns? (
- !bindist? ( net-libs/ldns[ecdsa,ssl] )
- bindist? ( net-libs/ldns[-ecdsa,ssl] )
- )
- )
- pam? ( virtual/pam )
- kerberos? ( virtual/krb5 )
- ldap? ( net-nds/openldap )"
-DEPEND="${RDEPEND}
- static? (
- ${LIB_DEPEND}
- ldns? (
- !bindist? ( net-libs/ldns[ecdsa,ssl,static-libs(+)] )
- bindist? ( net-libs/ldns[-ecdsa,ssl,static-libs(+)] )
- )
- )
- virtual/pkgconfig
- virtual/os-headers
- sys-devel/autoconf"
-RDEPEND="${RDEPEND}
- pam? ( >=sys-auth/pambase-20081028 )
- userland_GNU? ( virtual/shadow )
- X? ( x11-apps/xauth )"
-
-S=${WORKDIR}/${PARCH}
-
-pkg_setup() {
- # this sucks, but i'd rather have people unable to `emerge -u openssh`
- # than not be able to log in to their server any more
- maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
- local fail="
- $(use X509 && maybe_fail X509 X509_PATCH)
- $(use ldap && maybe_fail ldap LDAP_PATCH)
- $(use hpn && maybe_fail hpn HPN_PATCH)
- "
- fail=$(echo ${fail})
- if [[ -n ${fail} ]] ; then
- eerror "Sorry, but this version does not yet support features"
- eerror "that you requested: ${fail}"
- eerror "Please mask ${PF} for now and check back later:"
- eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
- die "booooo"
- fi
-}
-
-save_version() {
- # version.h patch conflict avoidence
- mv version.h version.h.$1
- cp -f version.h.pristine version.h
-}
-
-src_prepare() {
- sed -i \
- -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
- pathnames.h || die
- # keep this as we need it to avoid the conflict between LPK and HPN changing
- # this file.
- cp version.h version.h.pristine
-
- # don't break .ssh/authorized_keys2 for fun
- sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
- epatch "${FILESDIR}"/${P}.patch #508604
-
- epatch "${FILESDIR}"/${PN}-5.9_p1-sshd-gssapi-multihomed.patch #378361
- if use X509 ; then
- pushd .. >/dev/null
- epatch "${FILESDIR}"/${PN}-6.6_p1-x509-glue.patch
- use hpn && epatch "${FILESDIR}"/${PN}-6.6.1_p1-x509-hpn14v4-glue-p2.patch
- popd >/dev/null
- epatch "${WORKDIR}"/${X509_PATCH%.*}
- epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch
- save_version X509
- fi
- if ! use X509 ; then
- if [[ -n ${LDAP_PATCH} ]] && use ldap ; then
- epatch "${WORKDIR}"/${LDAP_PATCH%.*}
- save_version LPK
- fi
- else
- use ldap && ewarn "Sorry, X509 and LDAP conflict internally, disabling LDAP"
- fi
- epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
- epatch "${FILESDIR}"/${PN}-6.6_p1-openssl-ignore-status.patch
- if [[ -n ${HPN_PATCH} ]] && use hpn; then
- epatch "${WORKDIR}"/${HPN_PATCH%.*}
- epatch "${FILESDIR}"/${PN}-6.5_p1-hpn-cipher-align.patch #498632
- save_version HPN
- fi
-
- tc-export PKG_CONFIG
- local sed_args=(
- -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
- # Disable PATH reset, trust what portage gives us #254615
- -e 's:^PATH=/:#PATH=/:'
- # Disable fortify flags ... our gcc does this for us
- -e 's:-D_FORTIFY_SOURCE=2::'
- )
- # The -ftrapv flag ICEs on hppa #505182
- use hppa && sed_args+=(
- -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
- -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
- )
- sed -i "${sed_args[@]}" configure{.ac,} || die
-
- epatch "${FILESDIR}"/${PN}-6.4p1-avoid-exit.patch
- epatch "${FILESDIR}"/${PN}-6.4p1-missing-sys_param_h.patch
- epatch "${FILESDIR}"/${PN}-6.4p1-fix-typo-construct_utmpx.patch
-
- epatch_user #473004
-
- # Now we can build a sane merged version.h
- (
- sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
- macros=()
- for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
- printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
- ) > version.h
-
- eautoreconf
-}
-
-static_use_with() {
- local flag=$1
- if use static && use ${flag} ; then
- ewarn "Disabling '${flag}' support because of USE='static'"
- # rebuild args so that we invert the first one (USE flag)
- # but otherwise leave everything else working so we can
- # just leverage use_with
- shift
- [[ -z $1 ]] && flag="${flag} ${flag}"
- set -- !${flag} "$@"
- fi
- use_with "$@"
-}
-
-src_configure() {
- local myconf
- addwrite /dev/ptmx
- addpredict /etc/skey/skeykeys #skey configure code triggers this
-
- use static && append-ldflags -static
-
- # Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011)
- if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then
- myconf="${myconf} --disable-utmp --disable-wtmp --disable-wtmpx"
- append-ldflags -lutil
- fi
-
- econf \
- --with-ldflags="${LDFLAGS}" \
- --disable-strip \
- --with-pid-dir="${EPREFIX}"/var/run \
- --sysconfdir="${EPREFIX}"/etc/ssh \
- --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc \
- --datadir="${EPREFIX}"/usr/share/openssh \
- --with-privsep-path="${EPREFIX}"/var/empty \
- --with-privsep-user=sshd \
- --with-md5-passwords \
- --with-ssl-engine \
- $(static_use_with pam) \
- $(static_use_with kerberos kerberos5 /usr) \
- ${LDAP_PATCH:+$(use X509 || ( use ldap && use_with ldap ))} \
- $(use_with ldns) \
- $(use_with libedit) \
- $(use_with selinux) \
- $(use_with skey) \
- $(use_with tcpd tcp-wrappers) \
- ${myconf}
-}
-
-src_install() {
- emake install-nokeys DESTDIR="${D}"
- fperms 600 /etc/ssh/sshd_config
- dobin contrib/ssh-copy-id
- newinitd "${FILESDIR}"/sshd.rc6.4 sshd
- newconfd "${FILESDIR}"/sshd.confd sshd
- keepdir /var/empty
-
- # not all openssl installs support ecc, or are functional #352645
- if ! grep -q '#define OPENSSL_HAS_ECC 1' config.h ; then
- elog "dev-libs/openssl was built with 'bindist' - disabling ecdsa support"
- sed -i 's:&& gen_key ecdsa::' "${ED}"/etc/init.d/sshd || die
- fi
-
- newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
- if use pam ; then
- sed -i \
- -e "/^#UsePAM /s:.*:UsePAM yes:" \
- -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
- -e "/^#PrintMotd /s:.*:PrintMotd no:" \
- -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
- "${ED}"/etc/ssh/sshd_config || die "sed of configuration file failed"
- fi
-
- # Gentoo tweaks to default config files
- cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
- # Allow client to pass locale environment variables #367017
- AcceptEnv LANG LC_*
- EOF
- cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
- # Send locale environment variables #367017
- SendEnv LANG LC_*
- EOF
-
- # This instruction is from the HPN webpage,
- # Used for the server logging functionality
- if [[ -n ${HPN_PATCH} ]] && use hpn ; then
- keepdir /var/empty/dev
- fi
-
- if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
- insinto /etc/openldap/schema/
- newins openssh-lpk_openldap.schema openssh-lpk.schema
- fi
-
- doman contrib/ssh-copy-id.1
- dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
-
- diropts -m 0700
- dodir /etc/skel/.ssh
-
- systemd_dounit "${FILESDIR}"/sshd.{service,socket}
- systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-src_test() {
- local t tests skipped failed passed shell
- tests="interop-tests compat-tests"
- skipped=""
- shell=$(egetshell ${UID})
- if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
- elog "Running the full OpenSSH testsuite"
- elog "requires a usable shell for the 'portage'"
- elog "user, so we will run a subset only."
- skipped="${skipped} tests"
- else
- tests="${tests} tests"
- fi
- # It will also attempt to write to the homedir .ssh
- local sshhome=${T}/homedir
- mkdir -p "${sshhome}"/.ssh
- for t in ${tests} ; do
- # Some tests read from stdin ...
- HOMEDIR="${sshhome}" \
- emake -k -j1 ${t} </dev/null \
- && passed="${passed}${t} " \
- || failed="${failed}${t} "
- done
- einfo "Passed tests: ${passed}"
- ewarn "Skipped tests: ${skipped}"
- if [[ -n ${failed} ]] ; then
- ewarn "Failed tests: ${failed}"
- die "Some tests failed: ${failed}"
- else
- einfo "Failed tests: ${failed}"
- return 0
- fi
-}
-
-pkg_preinst() {
- enewgroup sshd 22
- enewuser sshd 22 -1 /var/empty sshd
-}
-
-pkg_postinst() {
- if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
- elog "Starting with openssh-5.8p1, the server will default to a newer key"
- elog "algorithm (ECDSA). You are encouraged to manually update your stored"
- elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
- fi
- ewarn "Remember to merge your config files in /etc/ssh/ and then"
- ewarn "reload sshd: '/etc/init.d/sshd reload'."
- # This instruction is from the HPN webpage,
- # Used for the server logging functionality
- if [[ -n ${HPN_PATCH} ]] && use hpn ; then
- echo
- einfo "For the HPN server logging patch, you must ensure that"
- einfo "your syslog application also listens at /var/empty/dev/log."
- fi
-}
diff --git a/net-misc/openssh/openssh-6.6_p1-r99.ebuild b/net-misc/openssh/openssh-6.6_p1-r99.ebuild
deleted file mode 100644
index 3d51e6e..0000000
--- a/net-misc/openssh/openssh-6.6_p1-r99.ebuild
+++ /dev/null
@@ -1,320 +0,0 @@
-# Copyright 1999-2014 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-6.6_p1-r1.ebuild,v 1.2 2014/03/20 20:58:31 vapier Exp $
-
-EAPI="4"
-inherit eutils user flag-o-matic multilib autotools pam systemd versionator
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-#HPN_PATCH="${PN}-6.6p1-hpnssh14v4.diff.gz"
-HPN_PATCH="${PN}-6.6p1-hpnssh14v4.diff.xz"
-LDAP_PATCH="${PN}-lpk-6.5p1-0.3.14.patch.gz"
-X509_VER="7.9" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="http://www.openssh.org/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
- ${HPN_PATCH:+hpn? ( http://dev.gentoo.org/~polynomial-c/${HPN_PATCH} )}
- ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
- ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
- "
- #${HPN_PATCH:+hpn? ( mirror://sourceforge/hpnssh/${HPN_PATCH} )}
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="amd64 arm ~mips ppc x86"
-IUSE="bindist ${HPN_PATCH:++}hpn kerberos ldap ldns libedit pam selinux skey static tcpd X X509"
-
-LIB_DEPEND="selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
- skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
- libedit? ( dev-libs/libedit[static-libs(+)] )
- >=dev-libs/openssl-0.9.6d:0[bindist=]
- dev-libs/openssl[static-libs(+)]
- >=sys-libs/zlib-1.2.3[static-libs(+)]
- tcpd? ( >=sys-apps/tcp-wrappers-7.6[static-libs(+)] )"
-RDEPEND="
- !static? (
- ${LIB_DEPEND//\[static-libs(+)]}
- ldns? (
- !bindist? ( net-libs/ldns[ecdsa,ssl] )
- bindist? ( net-libs/ldns[-ecdsa,ssl] )
- )
- )
- pam? ( virtual/pam )
- kerberos? ( virtual/krb5 )
- ldap? ( net-nds/openldap )"
-DEPEND="${RDEPEND}
- static? (
- ${LIB_DEPEND}
- ldns? (
- !bindist? ( net-libs/ldns[ecdsa,ssl,static-libs(+)] )
- bindist? ( net-libs/ldns[-ecdsa,ssl,static-libs(+)] )
- )
- )
- virtual/pkgconfig
- virtual/os-headers
- sys-devel/autoconf"
-RDEPEND="${RDEPEND}
- pam? ( >=sys-auth/pambase-20081028 )
- userland_GNU? ( virtual/shadow )
- X? ( x11-apps/xauth )"
-
-S=${WORKDIR}/${PARCH}
-
-pkg_setup() {
- # this sucks, but i'd rather have people unable to `emerge -u openssh`
- # than not be able to log in to their server any more
- maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
- local fail="
- $(use X509 && maybe_fail X509 X509_PATCH)
- $(use ldap && maybe_fail ldap LDAP_PATCH)
- $(use hpn && maybe_fail hpn HPN_PATCH)
- "
- fail=$(echo ${fail})
- if [[ -n ${fail} ]] ; then
- eerror "Sorry, but this version does not yet support features"
- eerror "that you requested: ${fail}"
- eerror "Please mask ${PF} for now and check back later:"
- eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
- die "booooo"
- fi
-}
-
-save_version() {
- # version.h patch conflict avoidence
- mv version.h version.h.$1
- cp -f version.h.pristine version.h
-}
-
-src_prepare() {
- sed -i \
- -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
- pathnames.h || die
- # keep this as we need it to avoid the conflict between LPK and HPN changing
- # this file.
- cp version.h version.h.pristine
-
- # don't break .ssh/authorized_keys2 for fun
- sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
- epatch "${FILESDIR}"/${PN}-5.9_p1-sshd-gssapi-multihomed.patch #378361
- if use X509 ; then
- pushd .. >/dev/null
- epatch "${FILESDIR}"/${PN}-6.6_p1-x509-glue.patch
- use hpn && epatch "${FILESDIR}"/${PN}-6.6_p1-x509-hpn14v4-glue-p2.patch
- popd >/dev/null
- epatch "${WORKDIR}"/${X509_PATCH%.*}
- epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch
- save_version X509
- fi
- if ! use X509 ; then
- if [[ -n ${LDAP_PATCH} ]] && use ldap ; then
- epatch "${WORKDIR}"/${LDAP_PATCH%.*}
- save_version LPK
- fi
- else
- use ldap && ewarn "Sorry, X509 and LDAP conflict internally, disabling LDAP"
- fi
- epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
- epatch "${FILESDIR}"/${PN}-6.6_p1-openssl-ignore-status.patch
- if [[ -n ${HPN_PATCH} ]] && use hpn; then
- epatch "${WORKDIR}"/${HPN_PATCH%.*}
- epatch "${FILESDIR}"/${PN}-6.5_p1-hpn-cipher-align.patch #498632
- save_version HPN
- fi
-
- tc-export PKG_CONFIG
- local sed_args=(
- -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
- # Disable PATH reset, trust what portage gives us #254615
- -e 's:^PATH=/:#PATH=/:'
- # Disable fortify flags ... our gcc does this for us
- -e 's:-D_FORTIFY_SOURCE=2::'
- )
- sed -i "${sed_args[@]}" configure{,.ac} || die
-
- epatch "${FILESDIR}"/${PN}-6.4p1-avoid-exit.patch
- epatch "${FILESDIR}"/${PN}-6.4p1-missing-sys_param_h.patch
- epatch "${FILESDIR}"/${PN}-6.4p1-fix-typo-construct_utmpx.patch
-
- epatch_user #473004
-
- # Now we can build a sane merged version.h
- (
- sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
- macros=()
- for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
- printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
- ) > version.h
-
- eautoreconf
-}
-
-static_use_with() {
- local flag=$1
- if use static && use ${flag} ; then
- ewarn "Disabling '${flag}' support because of USE='static'"
- # rebuild args so that we invert the first one (USE flag)
- # but otherwise leave everything else working so we can
- # just leverage use_with
- shift
- [[ -z $1 ]] && flag="${flag} ${flag}"
- set -- !${flag} "$@"
- fi
- use_with "$@"
-}
-
-src_configure() {
- local myconf
- addwrite /dev/ptmx
- addpredict /etc/skey/skeykeys #skey configure code triggers this
-
- use static && append-ldflags -static
-
- # Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011)
- if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then
- myconf="${myconf} --disable-utmp --disable-wtmp --disable-wtmpx"
- append-ldflags -lutil
- fi
-
- # __stack_chk_fail_local
- use x86 && myconf="${myconf} --without-stackprotect"
- use ppc && myconf="${myconf} --without-stackprotect"
-
- econf \
- --with-ldflags="${LDFLAGS}" \
- --disable-strip \
- --with-pid-dir="${EPREFIX}"/var/run \
- --sysconfdir="${EPREFIX}"/etc/ssh \
- --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc \
- --datadir="${EPREFIX}"/usr/share/openssh \
- --with-privsep-path="${EPREFIX}"/var/empty \
- --with-privsep-user=sshd \
- --with-md5-passwords \
- --with-ssl-engine \
- $(static_use_with pam) \
- $(static_use_with kerberos kerberos5 /usr) \
- ${LDAP_PATCH:+$(use X509 || ( use ldap && use_with ldap ))} \
- $(use_with ldns) \
- $(use_with libedit) \
- $(use_with selinux) \
- $(use_with skey) \
- $(use_with tcpd tcp-wrappers) \
- ${myconf}
-}
-
-src_install() {
- emake install-nokeys DESTDIR="${D}"
- fperms 600 /etc/ssh/sshd_config
- dobin contrib/ssh-copy-id
- newinitd "${FILESDIR}"/sshd.rc6.4 sshd
- newconfd "${FILESDIR}"/sshd.confd sshd
- keepdir /var/empty
-
- # not all openssl installs support ecc, or are functional #352645
- if ! grep -q '#define OPENSSL_HAS_ECC 1' config.h ; then
- elog "dev-libs/openssl was built with 'bindist' - disabling ecdsa support"
- sed -i 's:&& gen_key ecdsa::' "${ED}"/etc/init.d/sshd || die
- fi
-
- newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
- if use pam ; then
- sed -i \
- -e "/^#UsePAM /s:.*:UsePAM yes:" \
- -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
- -e "/^#PrintMotd /s:.*:PrintMotd no:" \
- -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
- "${ED}"/etc/ssh/sshd_config || die "sed of configuration file failed"
- fi
-
- # Gentoo tweaks to default config files
- cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
- # Allow client to pass locale environment variables #367017
- AcceptEnv LANG LC_*
- EOF
- cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
- # Send locale environment variables #367017
- SendEnv LANG LC_*
- EOF
-
- # This instruction is from the HPN webpage,
- # Used for the server logging functionality
- if [[ -n ${HPN_PATCH} ]] && use hpn ; then
- keepdir /var/empty/dev
- fi
-
- if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
- insinto /etc/openldap/schema/
- newins openssh-lpk_openldap.schema openssh-lpk.schema
- fi
-
- doman contrib/ssh-copy-id.1
- dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
-
- diropts -m 0700
- dodir /etc/skel/.ssh
-
- systemd_dounit "${FILESDIR}"/sshd.{service,socket}
- systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-src_test() {
- local t tests skipped failed passed shell
- tests="interop-tests compat-tests"
- skipped=""
- shell=$(egetshell ${UID})
- if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
- elog "Running the full OpenSSH testsuite"
- elog "requires a usable shell for the 'portage'"
- elog "user, so we will run a subset only."
- skipped="${skipped} tests"
- else
- tests="${tests} tests"
- fi
- # It will also attempt to write to the homedir .ssh
- local sshhome=${T}/homedir
- mkdir -p "${sshhome}"/.ssh
- for t in ${tests} ; do
- # Some tests read from stdin ...
- HOMEDIR="${sshhome}" \
- emake -k -j1 ${t} </dev/null \
- && passed="${passed}${t} " \
- || failed="${failed}${t} "
- done
- einfo "Passed tests: ${passed}"
- ewarn "Skipped tests: ${skipped}"
- if [[ -n ${failed} ]] ; then
- ewarn "Failed tests: ${failed}"
- die "Some tests failed: ${failed}"
- else
- einfo "Failed tests: ${failed}"
- return 0
- fi
-}
-
-pkg_preinst() {
- enewgroup sshd 22
- enewuser sshd 22 -1 /var/empty sshd
-}
-
-pkg_postinst() {
- if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
- elog "Starting with openssh-5.8p1, the server will default to a newer key"
- elog "algorithm (ECDSA). You are encouraged to manually update your stored"
- elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
- fi
- ewarn "Remember to merge your config files in /etc/ssh/ and then"
- ewarn "reload sshd: '/etc/init.d/sshd reload'."
- # This instruction is from the HPN webpage,
- # Used for the server logging functionality
- if [[ -n ${HPN_PATCH} ]] && use hpn ; then
- echo
- einfo "For the HPN server logging patch, you must ensure that"
- einfo "your syslog application also listens at /var/empty/dev/log."
- fi
-}
diff --git a/net-misc/openssh/openssh-6.7_p1-r99.ebuild b/net-misc/openssh/openssh-6.7_p1-r99.ebuild
index 7a3bfed..7edc50d 100644
--- a/net-misc/openssh/openssh-6.7_p1-r99.ebuild
+++ b/net-misc/openssh/openssh-6.7_p1-r99.ebuild
@@ -28,7 +28,7 @@ SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
LICENSE="BSD GPL-2"
SLOT="0"
-KEYWORDS="amd64 ~arm ~mips ~ppc ~x86"
+KEYWORDS="amd64 arm ~mips ppc x86"
IUSE="bindist ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit pam +pie sctp selinux skey static X X509"
REQUIRED_USE="pie? ( !static )"
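Review bot: Stabilizing arm, ppc and x86 on the KEYWORDS line drops the testing marker on exactly the arches for which the removed openssh-6.6_p1-r99.ebuild carried a `--without-stackprotect` workaround (its src_configure noted `__stack_chk_fail_local` and appended the flag for x86 and ppc). The rest of openssh-6.7_p1-r99.ebuild is outside this hunk, so I cannot see whether that workaround was carried forward or is no longer needed on musl; either way the ebuild should record the decision, e.g. a one-line comment near src_configure such as `# stack protector builds cleanly on x86/ppc with current musl; the 6.6 --without-stackprotect workaround is not needed` if that is the case. Stack protection is hardening this overlay exists to preserve, so confirming it is actually enabled on the freshly stabilized arches is worth a check before the keywords go stable.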