From: "Anthony G. Basile"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Anthony G. Basile"
Message-ID: <1400978665.7a0b15d0ae44c5d039c28da66f7120ff21df5943.blueness@gentoo>
Subject: [gentoo-commits] proj/hardened-dev:musl commit in: net-misc/openssh/files/, net-misc/openssh/
X-VCS-Repository: proj/hardened-dev
X-VCS-Files: net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch net-misc/openssh/files/openssh-6.6.1_p1.patch net-misc/openssh/openssh-6.4_p1-r99.ebuild net-misc/openssh/openssh-6.6.1_p1-r99.ebuild
X-VCS-Directories: net-misc/openssh/files/ net-misc/openssh/
X-VCS-Committer: blueness
X-VCS-Committer-Name: Anthony G. Basile
X-VCS-Revision: 7a0b15d0ae44c5d039c28da66f7120ff21df5943
X-VCS-Branch: musl
Date: Sun, 25 May 2014 00:42:21 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 67498ee7-5574-4e88-88c8-3fdfda114b38
X-Archives-Hash: 3ede2be4e0681a729efc95a5192678fb

commit:     7a0b15d0ae44c5d039c28da66f7120ff21df5943
Author:     layman localhost>
AuthorDate: Sat May 24 20:37:41 2014 +0000
Commit:     Anthony G. Basile gentoo org>
CommitDate: Sun May 25 00:44:25 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=7a0b15d0

net-misc/openssh: bump to 6.6.1_p1

Package-Manager: portage-2.2.10

---
 .../openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch | 26 ++++
 net-misc/openssh/files/openssh-6.6.1_p1.patch | 167 +++++++++++++++++++++
 ...4_p1-r99.ebuild => openssh-6.6.1_p1-r99.ebuild} | 30 ++--
 3 files changed, 214 insertions(+), 9 deletions(-)

diff --git a/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch b/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch new file mode 100644 index 0000000..c76015d --- /dev/null
+++ b/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch @@ -0,0 +1,26 @@ +make the hpn patch apply when the x509 patch has also been applied + +--- openssh-6.6.1p1-hpnssh14v4.diff ++++ openssh-6.6.1p1-hpnssh14v4.diff +@@ -1742,18 +1742,14 @@ + if (options->ip_qos_interactive == -1) + options->ip_qos_interactive = IPTOS_LOWDELAY; + if (options->ip_qos_bulk == -1) +-@@ -345,9 +393,10 @@ ++@@ -345,6 +393,7 @@ + sUsePrivilegeSeparation, sAllowAgentForwarding, + sHostCertificate, + sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, +-+ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, +++ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, sNoneEnabled, + sKexAlgorithms, sIPQoS, sVersionAddendum, + sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, +-- sAuthenticationMethods, sHostKeyAgent, +-+ sAuthenticationMethods, sNoneEnabled, sHostKeyAgent, +- sDeprecated, sUnsupported +- } ServerOpCodes; +- ++ sAuthenticationMethods, sHostKeyAgent, + @@ -468,6 +517,10 @@ + { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, + { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, diff --git a/net-misc/openssh/files/openssh-6.6.1_p1.patch b/net-misc/openssh/files/openssh-6.6.1_p1.patch new file mode 100644 index 0000000..b11f6fb --- /dev/null +++ b/net-misc/openssh/files/openssh-6.6.1_p1.patch 
@@ -0,0 +1,167 @@ +Hi, + +So I screwed up when writing the support for the curve25519 KEX method +that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left +leading zero bytes where they should have been skipped. The impact of +this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a +peer that implements curve25519-sha256 at libssh.org properly about 0.2% +of the time (one in every 512ish connections). + +We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256 +key exchange for previous versions, but I'd recommend distributors +of OpenSSH apply this patch so the affected code doesn't become +too entrenched in LTS releases. + +The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as +to distinguish itself from the incorrect versions so the compatibility +code to disable the affected KEX isn't activated. + +I've committed this on the 6.6 branch too. + +Apologies for the hassle. + +-d + +Index: version.h +=================================================================== +RCS file: /var/cvs/openssh/version.h,v +retrieving revision 1.82 +diff -u -p -r1.82 version.h +--- version.h 27 Feb 2014 23:01:54 -0000 1.82 ++++ version.h 20 Apr 2014 03:35:15 -0000 +@@ -1,6 +1,6 @@ + /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */ + +-#define SSH_VERSION "OpenSSH_6.6" ++#define SSH_VERSION "OpenSSH_6.6.1" + + #define SSH_PORTABLE "p1" + #define SSH_RELEASE SSH_VERSION SSH_PORTABLE +Index: compat.c +=================================================================== +RCS file: /var/cvs/openssh/compat.c,v +retrieving revision 1.82 +retrieving revision 1.85 +diff -u -p -r1.82 -r1.85 +--- compat.c 31 Dec 2013 01:25:41 -0000 1.82 ++++ compat.c 20 Apr 2014 03:33:59 -0000 1.85 +@@ -95,6 +95,9 @@ compat_datafellows(const char *version) + { "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF}, + { "OpenSSH_4*", 0 }, + { "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT}, ++ { "OpenSSH_6.6.1*", SSH_NEW_OPENSSH}, ++ { 
"OpenSSH_6.5*," ++ "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD}, + { "OpenSSH*", SSH_NEW_OPENSSH }, + { "*MindTerm*", 0 }, + { "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| +@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop + return cipher_prop; + } + +- + char * + compat_pkalg_proposal(char *pkalg_prop) + { +@@ -263,5 +265,18 @@ compat_pkalg_proposal(char *pkalg_prop) + if (*pkalg_prop == '\0') + fatal("No supported PK algorithms found"); + return pkalg_prop; ++} ++ ++char * ++compat_kex_proposal(char *kex_prop) ++{ ++ if (!(datafellows & SSH_BUG_CURVE25519PAD)) ++ return kex_prop; ++ debug2("%s: original KEX proposal: %s", __func__, kex_prop); ++ kex_prop = filter_proposal(kex_prop, "curve25519-sha256 at libssh.org"); ++ debug2("%s: compat KEX proposal: %s", __func__, kex_prop); ++ if (*kex_prop == '\0') ++ fatal("No supported key exchange algorithms found"); ++ return kex_prop; + } + +Index: compat.h +=================================================================== +RCS file: /var/cvs/openssh/compat.h,v +retrieving revision 1.42 +retrieving revision 1.43 +diff -u -p -r1.42 -r1.43 +--- compat.h 31 Dec 2013 01:25:41 -0000 1.42 ++++ compat.h 20 Apr 2014 03:25:31 -0000 1.43 +@@ -59,6 +59,7 @@ + #define SSH_BUG_RFWD_ADDR 0x02000000 + #define SSH_NEW_OPENSSH 0x04000000 + #define SSH_BUG_DYNAMIC_RPORT 0x08000000 ++#define SSH_BUG_CURVE25519PAD 0x10000000 + + void enable_compat13(void); + void enable_compat20(void); +@@ -66,6 +67,7 @@ void compat_datafellows(const char * + int proto_spec(const char *); + char *compat_cipher_proposal(char *); + char *compat_pkalg_proposal(char *); ++char *compat_kex_proposal(char *); + + extern int compat13; + extern int compat20; +Index: sshd.c +=================================================================== +RCS file: /var/cvs/openssh/sshd.c,v +retrieving revision 1.448 +retrieving revision 1.453 +diff -u -p -r1.448 -r1.453 +--- sshd.c 26 Feb 2014 23:20:08 -0000 1.448 ++++ sshd.c 20 Apr 2014 03:28:41 -0000 1.453 
+@@ -2462,6 +2438,9 @@ do_ssh2_kex(void) + if (options.kex_algorithms != NULL) + myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; + ++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( ++ myproposal[PROPOSAL_KEX_ALGS]); ++ + if (options.rekey_limit || options.rekey_interval) + packet_set_rekey_limits((u_int32_t)options.rekey_limit, + (time_t)options.rekey_interval); +Index: sshconnect2.c +=================================================================== +RCS file: /var/cvs/openssh/sshconnect2.c,v +retrieving revision 1.197 +retrieving revision 1.199 +diff -u -p -r1.197 -r1.199 +--- sshconnect2.c 4 Feb 2014 00:20:16 -0000 1.197 ++++ sshconnect2.c 20 Apr 2014 03:25:31 -0000 1.199 +@@ -195,6 +196,8 @@ ssh_kex2(char *host, struct sockaddr *ho + } + if (options.kex_algorithms != NULL) + myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; ++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( ++ myproposal[PROPOSAL_KEX_ALGS]); + + if (options.rekey_limit || options.rekey_interval) + packet_set_rekey_limits((u_int32_t)options.rekey_limit, +Index: bufaux.c +=================================================================== +RCS file: /var/cvs/openssh/bufaux.c,v +retrieving revision 1.62 +retrieving revision 1.63 +diff -u -p -r1.62 -r1.63 +--- bufaux.c 4 Feb 2014 00:20:15 -0000 1.62 ++++ bufaux.c 20 Apr 2014 03:24:50 -0000 1.63 +@@ -1,4 +1,4 @@ +-/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */ ++/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */ + /* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland +@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *b + + if (l > 8 * 1024) + fatal("%s: length %u too long", __func__, l); ++ /* Skip leading zero bytes */ ++ for (; l > 0 && *s == 0; l--, s++) ++ ; + p = buf = xmalloc(l + 1); + /* + * If most significant bit is set then prepend a zero byte to 
diff --git a/net-misc/openssh/openssh-6.4_p1-r99.ebuild b/net-misc/openssh/openssh-6.6.1_p1-r99.ebuild similarity index 89% rename from net-misc/openssh/openssh-6.4_p1-r99.ebuild rename to net-misc/openssh/openssh-6.6.1_p1-r99.ebuild index 6d71913..6dd6a08 100644 --- a/net-misc/openssh/openssh-6.4_p1-r99.ebuild +++ b/net-misc/openssh/openssh-6.6.1_p1-r99.ebuild 
@@ -1,29 +1,31 @@ # Copyright 1999-2014 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-6.4_p1-r1.ebuild,v 1.6 2014/01/02 12:06:49 polynomial-c Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-6.6.1_p1-r99.ebuild,v 1.2 2014/03/20 20:58:31 vapier Exp $ EAPI="4" inherit eutils user flag-o-matic multilib autotools pam systemd versionator # Make it more portable between straight releases # and _p? releases. -PARCH=${P/_} +PARCH=${P/.1_} -HPN_PATCH="${PN}-6.3p1-hpnssh14v2.diff.gz" -LDAP_PATCH="${PN}-lpk-6.3p1-0.3.14.patch.gz" -X509_VER="7.7" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" +#HPN_PATCH="${PN}-6.6p1-hpnssh14v4.diff.gz" +HPN_PATCH="${PN}-6.6.1p1-hpnssh14v4.diff.xz" +LDAP_PATCH="${PN}-lpk-6.5p1-0.3.14.patch.gz" +X509_VER="7.9" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" DESCRIPTION="Port of OpenBSD's free SSH release" HOMEPAGE="http://www.openssh.org/" SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz - ${HPN_PATCH:+hpn? ( mirror://gentoo/${HPN_PATCH} )} + ${HPN_PATCH:+hpn? ( http://dev.gentoo.org/~polynomial-c/${HPN_PATCH} )} ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )} ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )} " + #${HPN_PATCH:+hpn? ( mirror://sourceforge/hpnssh/${HPN_PATCH} )} LICENSE="BSD GPL-2" SLOT="0" -KEYWORDS="amd64 arm ~mips x86" +KEYWORDS="~amd64 ~arm ~mips ~x86" IUSE="bindist ${HPN_PATCH:++}hpn kerberos ldap ldns libedit pam selinux skey static tcpd X X509" LIB_DEPEND="selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) 
@@ -98,10 +100,13 @@ src_prepare() { # don't break .ssh/authorized_keys2 for fun sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die + epatch "${FILESDIR}"/${P}.patch #508604 + epatch "${FILESDIR}"/${PN}-5.9_p1-sshd-gssapi-multihomed.patch #378361 if use X509 ; then pushd .. >/dev/null - epatch "${FILESDIR}"/${PN}-6.4_p1-x509-glue.patch + epatch "${FILESDIR}"/${PN}-6.6_p1-x509-glue.patch + use hpn && epatch "${FILESDIR}"/${PN}-6.6.1_p1-x509-hpn14v4-glue-p2.patch popd >/dev/null epatch "${WORKDIR}"/${X509_PATCH%.*} epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch @@ -116,8 +121,10 @@ src_prepare() { use ldap && ewarn "Sorry, X509 and LDAP conflict internally, disabling LDAP" fi epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex + epatch "${FILESDIR}"/${PN}-6.6_p1-openssl-ignore-status.patch if [[ -n ${HPN_PATCH} ]] && use hpn; then epatch "${WORKDIR}"/${HPN_PATCH%.*} + epatch "${FILESDIR}"/${PN}-6.5_p1-hpn-cipher-align.patch #498632 save_version HPN fi @@ -129,7 +136,12 @@ src_prepare() { # Disable fortify flags ... our gcc does this for us -e 's:-D_FORTIFY_SOURCE=2::' ) - sed -i "${sed_args[@]}" configure{,.ac} || die + # The -ftrapv flag ICEs on hppa #505182 + use hppa && sed_args+=( + -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:' + -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d' + ) + sed -i "${sed_args[@]}" configure{.ac,} || die epatch "${FILESDIR}"/${PN}-6.4p1-avoid-exit.patch epatch "${FILESDIR}"/${PN}-6.4p1-missing-sys_param_h.patch
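Review bot: in the x509-hpn14v4-glue-p2 patch the rewritten inner hunk header `+@@ -345,6 +393,7 @@` has to agree with the body it now describes, and it does: six pre-image lines and seven post-image lines once `sNoneEnabled` is appended to the `sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,` line instead of being inserted beside `sAuthenticationMethods`. `ServerOpCodes` is an enum, so the move only changes that enumerator's numeric value; nothing in the visible lines depends on it, but the glue header should say in one line why the x509 diff forces the relocation, so the next rebase does not have to rediscover it.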
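Review bot: the order of the new `compat_datafellows` entries in the compat.c hunk is load-bearing: `{ "OpenSSH_6.6.1*", SSH_NEW_OPENSSH}` must stay ahead of the concatenated `"OpenSSH_6.5*,OpenSSH_6.6*"` pattern, because the table is searched first-match and `OpenSSH_6.6*` would otherwise also match a 6.6.1 banner and set `SSH_BUG_CURVE25519PAD`, filtering curve25519-sha256 out of the proposal for exactly the peers this patch fixes. The hunk gets it right; a short comment on the 6.6.1 line would stop a later alphabetical tidy-up from reordering it.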
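Review bot: in the bufaux.c hunk the new leading-zero loop runs after the `l > 8 * 1024` check, so the length bound applies to the raw input and the skip can only shrink `l`, which is the right order. One edge to confirm outside the hunk's context: an all-zero input now leaves `l == 0`, and the `xmalloc(l + 1)` plus the sign-byte logic that follows must then emit an empty mpint (the RFC 4251 encoding of zero) rather than a lone zero byte.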
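Review bot: the sshd.c and sshconnect2.c hunks are cut between non-adjacent CVS revisions (1.448 to 1.453, 1.197 to 1.199), which is why the headers show mismatched offsets such as `@@ -2462,6 +2438,9 @@`; the post-image numbers shift because of other changes in those revisions that are not part of this patch. What the patch applies against is the pre-image context, so the thing to check is that the inserted `compat_kex_proposal()` call sits after the `options.kex_algorithms` override on both the server and the client side, which it does in both hunks.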
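Review bot: in the ebuild header hunk, `PARCH=${P/.1_}` now also strips the `.1`, so the 6.6p1 tarball is fetched and the 6.6.1 version comes entirely from `${P}.patch`; the comment above it still only talks about `_p?` releases and should say so. Separately, `HPN_PATCH` moved from `mirror://gentoo` to `http://dev.gentoo.org/~polynomial-c/`; plain http from a developer's personal space is tolerable only because the Manifest digest still gates the fetched file, so the `.xz` belongs on the mirrors, and the commented-out `#HPN_PATCH=` line and the dead `#${HPN_PATCH:+hpn? ( mirror://sourceforge/hpnssh/${HPN_PATCH} )}` line after the closing `"` of `SRC_URI` should be dropped rather than kept as history.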
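Review bot: in the first src_prepare hunk, with `HPN_PATCH` now at hpnssh14v4 and its own `${PN}-6.6.1_p1-x509-hpn14v4-glue-p2.patch` gated on `use hpn`, the unchanged `epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch` applied unconditionally after the X509 patch looks stale: it is named for the 14v2 HPN diff and runs even when hpn is off. If it is still required it should at least be gated on `use hpn`; if not, it should go.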
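Review bot: in the last src_prepare hunk the hppa sed rewrites `-ftrapv` to the nonexistent `-fdisable-this-test` so the `OSSH_CHECK_CFLAG_LINK` probe fails and the flag is never added; that intent should be stated in the `#505182` comment, since on first read the replacement looks like a typo. The change from `configure{,.ac}` to `configure{.ac,}` only reorders the two targets of the same `sed -i` and has no effect, so it could be left out of the diff.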