* [gentoo-commits] proj/hardened-dev:musl commit in: net-misc/openssh/, net-misc/openssh/files/
@ 2014-12-11 14:29 Anthony G. Basile
0 siblings, 0 replies; only message in thread
From: Anthony G. Basile @ 2014-12-11 14:29 UTC (permalink / raw
To: gentoo-commits
commit: c84c8147dc01677b7fffde06a97af0753e88a207
Author: Felix Janda <felix.janda <AT> posteo <DOT> de>
AuthorDate: Wed Dec 10 22:37:47 2014 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Thu Dec 11 14:28:48 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=c84c8147
net-misc/openssh: bump to 6.7_p1
Signed-off-by: Anthony G. Basile <blueness <AT> gentoo.org>
---
.../openssh-6.7_p1-openssl-ignore-status.patch | 17 +
.../files/openssh-6.7_p1-sctp-x509-glue.patch | 42 ++
.../openssh-6.7_p1-sshd-gssapi-multihomed.patch | 162 ++++++++
.../openssh/files/openssh-6.7_p1-x509-glue.patch | 46 +++
.../openssh/files/openssh-6.7p1-avoid-exit.patch | 441 +++++++++++++++++++++
net-misc/openssh/openssh-6.7_p1-r99.ebuild | 326 +++++++++++++++
6 files changed, 1034 insertions(+)
diff --git a/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch b/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch
new file mode 100644
index 0000000..fa33af3
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch
@@ -0,0 +1,17 @@
+the last nibble of the openssl version represents the status. that is,
+whether it is a beta or release. when it comes to version checks in
+openssh, this component does not matter, so ignore it.
+
+https://bugzilla.mindrot.org/show_bug.cgi?id=2212
+
+--- a/openbsd-compat/openssl-compat.c
++++ b/openbsd-compat/openssl-compat.c
+@@ -58,7 +58,7 @@ ssh_compatible_openssl(long headerver, long libver)
+ * For versions >= 1.0.0, major,minor,status must match and library
+ * fix version must be equal to or newer than the header.
+ */
+- mask = 0xfff0000fL; /* major,minor,status */
++ mask = 0xfff00000L; /* major,minor,status */
+ hfix = (headerver & 0x000ff000) >> 12;
+ lfix = (libver & 0x000ff000) >> 12;
+ if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
diff --git a/net-misc/openssh/files/openssh-6.7_p1-sctp-x509-glue.patch b/net-misc/openssh/files/openssh-6.7_p1-sctp-x509-glue.patch
new file mode 100644
index 0000000..bd0b7ce
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.7_p1-sctp-x509-glue.patch
@@ -0,0 +1,42 @@
+--- openssh-6.7_p1-sctp.patch.orig 2014-11-24 10:34:31.817538707 -0800
++++ openssh-6.7_p1-sctp.patch 2014-11-24 10:38:52.744990154 -0800
+@@ -195,14 +195,6 @@
+ .Op Fl c Ar cipher
+ .Op Fl F Ar ssh_config
+ .Op Fl i Ar identity_file
+-@@ -178,6 +178,7 @@ For full details of the options listed b
+- .It ServerAliveCountMax
+- .It StrictHostKeyChecking
+- .It TCPKeepAlive
+-+.It Transport
+- .It UsePrivilegedPort
+- .It User
+- .It UserKnownHostsFile
+ @@ -218,6 +219,8 @@ and
+ to print debugging messages about their progress.
+ This is helpful in
+@@ -482,14 +474,6 @@
+ .Op Fl b Ar bind_address
+ .Op Fl c Ar cipher_spec
+ .Op Fl D Oo Ar bind_address : Oc Ns Ar port
+-@@ -473,6 +473,7 @@ For full details of the options listed b
+- .It StreamLocalBindUnlink
+- .It StrictHostKeyChecking
+- .It TCPKeepAlive
+-+.It Transport
+- .It Tunnel
+- .It TunnelDevice
+- .It UsePrivilegedPort
+ @@ -665,6 +666,8 @@ Trusted X11 forwardings are not subjecte
+ controls.
+ .It Fl y
+@@ -527,7 +511,7 @@
+- again:
++
+ - while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
+ + while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT
+- "ACD:E:F:I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
++ "ACD:E:F:" ENGCONFIG "I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
+ switch (opt) {
+ case '1':
+ @@ -732,6 +738,11 @@ main(int ac, char **av)
diff --git a/net-misc/openssh/files/openssh-6.7_p1-sshd-gssapi-multihomed.patch b/net-misc/openssh/files/openssh-6.7_p1-sshd-gssapi-multihomed.patch
new file mode 100644
index 0000000..96818e4
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.7_p1-sshd-gssapi-multihomed.patch
@@ -0,0 +1,162 @@
+https://bugs.gentoo.org/378361
+https://bugzilla.mindrot.org/show_bug.cgi?id=928
+
+--- a/gss-serv.c
++++ b/gss-serv.c
+@@ -41,9 +41,12 @@
+ #include "channels.h"
+ #include "session.h"
+ #include "misc.h"
++#include "servconf.h"
+
+ #include "ssh-gss.h"
+
++extern ServerOptions options;
++
+ static ssh_gssapi_client gssapi_client =
+ { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
+ GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
+@@ -77,25 +80,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
+ char lname[NI_MAXHOST];
+ gss_OID_set oidset;
+
+- gss_create_empty_oid_set(&status, &oidset);
+- gss_add_oid_set_member(&status, ctx->oid, &oidset);
+-
+- if (gethostname(lname, sizeof(lname))) {
+- gss_release_oid_set(&status, &oidset);
+- return (-1);
+- }
++ if (options.gss_strict_acceptor) {
++ gss_create_empty_oid_set(&status, &oidset);
++ gss_add_oid_set_member(&status, ctx->oid, &oidset);
++
++ if (gethostname(lname, MAXHOSTNAMELEN)) {
++ gss_release_oid_set(&status, &oidset);
++ return (-1);
++ }
++
++ if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
++ gss_release_oid_set(&status, &oidset);
++ return (ctx->major);
++ }
++
++ if ((ctx->major = gss_acquire_cred(&ctx->minor,
++ ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds,
++ NULL, NULL)))
++ ssh_gssapi_error(ctx);
+
+- if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
+ gss_release_oid_set(&status, &oidset);
+ return (ctx->major);
++ } else {
++ ctx->name = GSS_C_NO_NAME;
++ ctx->creds = GSS_C_NO_CREDENTIAL;
+ }
+-
+- if ((ctx->major = gss_acquire_cred(&ctx->minor,
+- ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
+- ssh_gssapi_error(ctx);
+-
+- gss_release_oid_set(&status, &oidset);
+- return (ctx->major);
++ return GSS_S_COMPLETE;
+ }
+
+ /* Privileged */
+--- a/servconf.c
++++ b/servconf.c
+@@ -86,6 +86,7 @@ initialize_server_options(ServerOptions
+ options->kerberos_get_afs_token = -1;
+ options->gss_authentication=-1;
+ options->gss_cleanup_creds = -1;
++ options->gss_strict_acceptor = -1;
+ options->password_authentication = -1;
+ options->kbd_interactive_authentication = -1;
+ options->challenge_response_authentication = -1;
+@@ -200,6 +201,8 @@ fill_default_server_options(ServerOption
+ options->gss_authentication = 0;
+ if (options->gss_cleanup_creds == -1)
+ options->gss_cleanup_creds = 1;
++ if (options->gss_strict_acceptor == -1)
++ options->gss_strict_acceptor = 0;
+ if (options->password_authentication == -1)
+ options->password_authentication = 1;
+ if (options->kbd_interactive_authentication == -1)
+@@ -277,7 +280,8 @@ typedef enum {
+ sBanner, sUseDNS, sHostbasedAuthentication,
+ sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
+ sClientAliveCountMax, sAuthorizedKeysFile,
+- sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
++ sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
++ sAcceptEnv, sPermitTunnel,
+ sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
+ sUsePrivilegeSeparation, sAllowAgentForwarding,
+ sZeroKnowledgePasswordAuthentication, sHostCertificate,
+@@ -327,9 +331,11 @@ static struct {
+ #ifdef GSSAPI
+ { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
+ { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
++ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
+ #else
+ { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
+ { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
++ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
+ #endif
+ { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
+ { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
+@@ -850,6 +856,10 @@ process_server_config_line(ServerOptions
+
+ case sGssCleanupCreds:
+ intptr = &options->gss_cleanup_creds;
++ goto parse_flag;
++
++ case sGssStrictAcceptor:
++ intptr = &options->gss_strict_acceptor;
+ goto parse_flag;
+
+ case sPasswordAuthentication:
+--- a/servconf.h
++++ b/servconf.h
+@@ -92,6 +92,7 @@ typedef struct {
+ * authenticated with Kerberos. */
+ int gss_authentication; /* If true, permit GSSAPI authentication */
+ int gss_cleanup_creds; /* If true, destroy cred cache on logout */
++ int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
+ int password_authentication; /* If true, permit password
+ * authentication. */
+ int kbd_interactive_authentication; /* If true, permit */
+--- a/sshd_config
++++ b/sshd_config
+@@ -69,6 +69,7 @@
+ # GSSAPI options
+ #GSSAPIAuthentication no
+ #GSSAPICleanupCredentials yes
++#GSSAPIStrictAcceptorCheck yes
+
+ # Set this to 'yes' to enable PAM authentication, account processing,
+ # and session processing. If this is enabled, PAM authentication will
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -386,6 +386,21 @@ on logout.
+ The default is
+ .Dq yes .
+ Note that this option applies to protocol version 2 only.
++.It Cm GSSAPIStrictAcceptorCheck
++Determines whether to be strict about the identity of the GSSAPI acceptor
++a client authenticates against.
++If set to
++.Dq yes
++then the client must authenticate against the
++.Pa host
++service on the current hostname.
++If set to
++.Dq no
++then the client may authenticate against any service key stored in the
++machine's default store.
++This facility is provided to assist with operation on multi homed machines.
++The default is
++.Dq yes .
+ .It Cm HostbasedAuthentication
+ Specifies whether rhosts or /etc/hosts.equiv authentication together
+ with successful public key client host authentication is allowed
diff --git a/net-misc/openssh/files/openssh-6.7_p1-x509-glue.patch b/net-misc/openssh/files/openssh-6.7_p1-x509-glue.patch
new file mode 100644
index 0000000..71b9c51
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.7_p1-x509-glue.patch
@@ -0,0 +1,46 @@
+--- openssh-6.7p1.orig/sshd_config.5 2014-11-24 10:24:29.356244415 -0800
++++ openssh-6.7p1/sshd_config.5 2014-11-24 10:23:49.415029039 -0800
+@@ -610,21 +610,6 @@
+ The default is
+ .Dq yes .
+ Note that this option applies to protocol version 2 only.
+-.It Cm GSSAPIStrictAcceptorCheck
+-Determines whether to be strict about the identity of the GSSAPI acceptor
+-a client authenticates against.
+-If set to
+-.Dq yes
+-then the client must authenticate against the
+-.Pa host
+-service on the current hostname.
+-If set to
+-.Dq no
+-then the client may authenticate against any service key stored in the
+-machine's default store.
+-This facility is provided to assist with operation on multi homed machines.
+-The default is
+-.Dq yes .
+ .It Cm HostbasedAuthentication
+ Specifies whether rhosts or /etc/hosts.equiv authentication together
+ with successful public key client host authentication is allowed
+@@ -651,6 +636,21 @@
+ attempting to resolve the name from the TCP connection itself.
+ The default is
+ .Dq no .
++.It Cm GSSAPIStrictAcceptorCheck
++Determines whether to be strict about the identity of the GSSAPI acceptor
++a client authenticates against.
++If set to
++.Dq yes
++then the client must authenticate against the
++.Pa host
++service on the current hostname.
++If set to
++.Dq no
++then the client may authenticate against any service key stored in the
++machine's default store.
++This facility is provided to assist with operation on multi homed machines.
++The default is
++.Dq yes .
+ .It Cm HostCertificate
+ Specifies a file containing a public host certificate.
+ The certificate's public key must match a private host key already specified
diff --git a/net-misc/openssh/files/openssh-6.7p1-avoid-exit.patch b/net-misc/openssh/files/openssh-6.7p1-avoid-exit.patch
new file mode 100644
index 0000000..4998a94
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.7p1-avoid-exit.patch
@@ -0,0 +1,441 @@
+diff -ur a/openssh-6.7p1/configure.ac b/openssh-6.7p1/configure.ac
+--- a/openssh-6.7p1/configure.ac 2014-08-26 21:32:01.000000000 -0100
++++ b/openssh-6.7p1/configure.ac 2014-12-08 20:55:47.281836604 -0100
+@@ -252,7 +252,7 @@
+ [AC_LANG_PROGRAM([[
+ #include <stdlib.h>
+ __attribute__((__unused__)) static void foo(void){return;}]],
+- [[ exit(0); ]])],
++ [[ return 0; ]])],
+ [ AC_MSG_RESULT([yes]) ],
+ [ AC_MSG_RESULT([no])
+ AC_DEFINE(NO_ATTRIBUTE_ON_RETURN_TYPE, 1,
+@@ -442,7 +442,7 @@
+ [AC_LANG_PROGRAM([[
+ #define testmacro foo
+ #define testmacro bar]],
+- [[ exit(0); ]])],
++ [[ return 0; ]])],
+ [ AC_MSG_RESULT([yes]) ],
+ [ AC_MSG_RESULT([no])
+ CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`"
+@@ -562,9 +562,9 @@
+ AC_MSG_CHECKING([if we have working getaddrinfo])
+ AC_RUN_IFELSE([AC_LANG_SOURCE([[ #include <mach-o/dyld.h>
+ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
+- exit(0);
++ return 0;
+ else
+- exit(1);
++ return 1;
+ }
+ ]])],
+ [AC_MSG_RESULT([working])],
+@@ -1067,7 +1067,7 @@
+ esac
+
+ AC_MSG_CHECKING([compiler and flags for sanity])
+-AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]], [[ exit(0); ]])],
++AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]], [[ return 0; ]])],
+ [ AC_MSG_RESULT([yes]) ],
+ [
+ AC_MSG_RESULT([no])
+@@ -1099,9 +1099,9 @@
+ strncpy(buf,"/etc", 32);
+ s = dirname(buf);
+ if (!s || strncmp(s, "/", 32) != 0) {
+- exit(1);
++ return 1;
+ } else {
+- exit(0);
++ return 0;
+ }
+ }
+ ]])],
+@@ -1191,19 +1191,19 @@
+ int a=0, b=0, c=0, d=0, n, v;
+ n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
+ if (n != 3 && n != 4)
+- exit(1);
++ return 1;
+ v = a*1000000 + b*10000 + c*100 + d;
+ fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);
+
+ /* 1.1.4 is OK */
+ if (a == 1 && b == 1 && c >= 4)
+- exit(0);
++ return 0;
+
+ /* 1.2.3 and up are OK */
+ if (v >= 1020300)
+- exit(0);
++ return 0;
+
+- exit(2);
++ return 2;
+ ]])],
+ AC_MSG_RESULT([no]),
+ [ AC_MSG_RESULT([yes])
+@@ -1308,7 +1308,7 @@
+ #include <dirent.h>]],
+ [[
+ struct dirent d;
+- exit(sizeof(d.d_name)<=sizeof(char));
++ return sizeof(d.d_name)<=sizeof(char);
+ ]])],
+ [AC_MSG_RESULT([yes])],
+ [
+@@ -1354,7 +1354,7 @@
+ #include <skey.h>
+ ]], [[
+ char *ff = skey_keyinfo(""); ff="";
+- exit(0);
++ return 0;
+ ]])],
+ [AC_MSG_RESULT([yes])],
+ [
+@@ -1403,7 +1403,7 @@
+ #include <stdlib.h>
+ #include <stdint.h>
+ #include <ldns/ldns.h>
+-int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; exit(0); }
++int main() { ldns_status status = ldns_verify_trusted(NULL, NULL, NULL, NULL); status=LDNS_STATUS_OK; return 0; }
+ ]])
+ ],
+ [AC_MSG_RESULT(yes)],
+@@ -1460,7 +1460,7 @@
+ [[
+ int i = H_SETSIZE;
+ el_init("", NULL, NULL, NULL);
+- exit(0);
++ return 0;
+ ]])],
+ [ AC_MSG_RESULT([yes]) ],
+ [ AC_MSG_RESULT([no])
+@@ -1808,9 +1808,9 @@
+ errno=0;
+ setresuid(0,0,0);
+ if (errno==ENOSYS)
+- exit(1);
++ return 1;
+ else
+- exit(0);
++ return 0;
+ ]])],
+ [AC_MSG_RESULT([yes])],
+ [AC_DEFINE([BROKEN_SETRESUID], [1],
+@@ -1831,9 +1831,9 @@
+ errno=0;
+ setresgid(0,0,0);
+ if (errno==ENOSYS)
+- exit(1);
++ return 1;
+ else
+- exit(0);
++ return 0;
+ ]])],
+ [AC_MSG_RESULT([yes])],
+ [AC_DEFINE([BROKEN_SETRESGID], [1],
+@@ -1875,7 +1875,7 @@
+ [[
+ char b[5];
+ snprintf(b,5,"123456789");
+- exit(b[4]!='\0');
++ return b[4]!='\0';
+ ]])],
+ [AC_MSG_RESULT([yes])],
+ [
+@@ -1966,9 +1966,9 @@
+ ]], [[
+ char template[]="conftest.mkstemp-test";
+ if (mkstemp(template) == -1)
+- exit(1);
++ return 1;
+ unlink(template);
+- exit(0);
++ return 0;
+ ]])],
+ [
+ AC_MSG_RESULT([no])
+@@ -1999,22 +1999,22 @@
+
+ pid = fork();
+ if (pid < 0) { /* failed */
+- exit(1);
++ return 1;
+ } else if (pid > 0) { /* parent */
+ waitpid(pid, &status, 0);
+ if (WIFEXITED(status))
+- exit(WEXITSTATUS(status));
++ return WEXITSTATUS(status);
+ else
+- exit(2);
++ return 2;
+ } else { /* child */
+ close(0); close(1); close(2);
+ setsid();
+ openpty(&ptyfd, &ttyfd, NULL, NULL, NULL);
+ fd = open("/dev/tty", O_RDWR | O_NOCTTY);
+ if (fd >= 0)
+- exit(3); /* Acquired ctty: broken */
++ return 3; /* Acquired ctty: broken */
+ else
+- exit(0); /* Did not acquire ctty: OK */
++ return 0; /* Did not acquire ctty: OK */
+ }
+ ]])],
+ [
+@@ -2055,7 +2055,7 @@
+ err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
+ if (err != 0) {
+ fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
+- exit(1);
++ return 1;
+ }
+
+ for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
+@@ -2072,7 +2072,7 @@
+ else
+ fprintf(stderr, "getnameinfo failed: %s\n",
+ gai_strerror(err));
+- exit(2);
++ return 2;
+ }
+
+ sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
+@@ -2080,10 +2080,10 @@
+ perror("socket");
+ if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
+ if (errno == EBADF)
+- exit(3);
++ return 3;
+ }
+ }
+- exit(0);
++ return 0;
+ ]])],
+ [
+ AC_MSG_RESULT([yes])
+@@ -2123,7 +2123,7 @@
+ err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
+ if (err != 0) {
+ fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
+- exit(1);
++ return 1;
+ }
+
+ for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
+@@ -2136,10 +2136,10 @@
+
+ if (ai->ai_family == AF_INET && err != 0) {
+ perror("getnameinfo");
+- exit(2);
++ return 2;
+ }
+ }
+- exit(0);
++ return 0;
+ ]])],
+ [
+ AC_MSG_RESULT([yes])
+@@ -2248,12 +2248,12 @@
+
+ fd = fopen(DATA,"w");
+ if(fd == NULL)
+- exit(1);
++ return 1;
+
+ if ((rc = fprintf(fd ,"%08x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0)
+- exit(1);
++ return 1;
+
+- exit(0);
++ return 0;
+ ]])],
+ [
+ ssl_header_ver=`cat conftest.sslincver`
+@@ -2283,13 +2283,13 @@
+
+ fd = fopen(DATA,"w");
+ if(fd == NULL)
+- exit(1);
++ return 1;
+
+ if ((rc = fprintf(fd ,"%08x (%s)\n", SSLeay(),
+ SSLeay_version(SSLEAY_VERSION))) <0)
+- exit(1);
++ return 1;
+
+- exit(0);
++ return 0;
+ ]])],
+ [
+ ssl_library_ver=`cat conftest.ssllibver`
+@@ -2330,7 +2330,7 @@
+ #include <string.h>
+ #include <openssl/opensslv.h>
+ ]], [[
+- exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1);
++ return SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1;
+ ]])],
+ [
+ AC_MSG_RESULT([yes])
+@@ -2419,7 +2419,7 @@
+ #include <string.h>
+ #include <openssl/evp.h>
+ ]], [[
+- exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);
++ return EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL;
+ ]])],
+ [
+ AC_MSG_RESULT([no])
+@@ -2490,7 +2490,7 @@
+ #include <openssl/evp.h>
+ ]], [[
+ if(EVP_DigestUpdate(NULL, NULL,0))
+- exit(0);
++ return 0;
+ ]])],
+ [
+ AC_MSG_RESULT([yes])
+@@ -2604,7 +2604,7 @@
+ ]],[[
+ EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
+ const EVP_MD *m = EVP_sha512(); /* We need this too */
+- exit(e == NULL || m == NULL);
++ return e == NULL || m == NULL;
+ ]])],
+ [ AC_MSG_RESULT([yes])
+ enable_nistp521=1 ],
+@@ -2677,7 +2677,7 @@
+ #include <string.h>
+ #include <openssl/rand.h>
+ ]], [[
+- exit(RAND_status() == 1 ? 0 : 1);
++ return RAND_status() == 1 ? 0 : 1;
+ ]])],
+ [
+ OPENSSL_SEEDS_ITSELF=yes
+@@ -2985,7 +2985,7 @@
+ struct rlimit rl_zero;
+
+ rl_zero.rlim_cur = rl_zero.rlim_max = 0;
+- exit(setrlimit(RLIMIT_FSIZE, &rl_zero) != 0);
++ return setrlimit(RLIMIT_FSIZE, &rl_zero) != 0;
+ ]])],
+ [AC_MSG_RESULT([yes])],
+ [AC_MSG_RESULT([no])
+@@ -3119,7 +3119,7 @@
+ long long i, llmin, llmax = 0;
+
+ if((f = fopen(DATA,"w")) == NULL)
+- exit(1);
++ return 1;
+
+ #if defined(LLONG_MIN) && defined(LLONG_MAX)
+ fprintf(stderr, "Using system header for LLONG_MIN and LLONG_MAX\n");
+@@ -3138,16 +3138,16 @@
+ || llmax - 1 > llmax || llmin == llmax || llmin == 0
+ || llmax == 0 || llmax < LONG_MAX || llmin > LONG_MIN) {
+ fprintf(f, "unknown unknown\n");
+- exit(2);
++ return 2;
+ }
+
+ if (fprint_ll(f, llmin) < 0)
+- exit(3);
++ return 3;
+ if (fprint_ll(f, llmax) < 0)
+- exit(4);
++ return 4;
+ if (fclose(f) < 0)
+- exit(5);
+- exit(0);
++ return 5;
++ return 0;
+ ]])],
+ [
+ llong_min=`$AWK '{print $1}' conftest.llminmax`
+@@ -3553,8 +3553,8 @@
+ strcpy(expected_out, "9223372036854775807");
+ snprintf(buf, mazsize, "%lld", num);
+ if(strcmp(buf, expected_out) != 0)
+- exit(1);
+- exit(0);
++ return 1;
++ return 0;
+ }
+ #else
+ main() { exit(0); }
+@@ -3641,11 +3641,11 @@
+ ]], [[
+ #ifdef msg_accrights
+ #error "msg_accrights is a macro"
+-exit(1);
++return 1;
+ #endif
+ struct msghdr m;
+ m.msg_accrights = 0;
+-exit(0);
++return 0;
+ ]])],
+ [ ac_cv_have_accrights_in_msghdr="yes" ],
+ [ ac_cv_have_accrights_in_msghdr="no" ]
+@@ -3702,11 +3702,11 @@
+ ]], [[
+ #ifdef msg_control
+ #error "msg_control is a macro"
+-exit(1);
++return 1;
+ #endif
+ struct msghdr m;
+ m.msg_control = 0;
+-exit(0);
++return 0;
+ ]])],
+ [ ac_cv_have_control_in_msghdr="yes" ],
+ [ ac_cv_have_control_in_msghdr="no" ]
+@@ -4128,22 +4128,22 @@
+
+ fd = fopen(DATA,"w");
+ if(fd == NULL)
+- exit(1);
++ return 1;
+
+ #if defined (_PATH_MAILDIR)
+ if ((rc = fprintf(fd ,"_PATH_MAILDIR:%s\n", _PATH_MAILDIR)) <0)
+- exit(1);
++ return 1;
+ #elif defined (MAILDIR)
+ if ((rc = fprintf(fd ,"MAILDIR:%s\n", MAILDIR)) <0)
+- exit(1);
++ return 1;
+ #elif defined (_PATH_MAIL)
+ if ((rc = fprintf(fd ,"_PATH_MAIL:%s\n", _PATH_MAIL)) <0)
+- exit(1);
++ return 1;
+ #else
+ exit (2);
+ #endif
+
+- exit(0);
++ return 0;
+ ]])],
+ [
+ maildir_what=`awk -F: '{print $1}' conftest.maildir`
+@@ -4378,12 +4378,12 @@
+
+ fd = fopen(DATA,"w");
+ if(fd == NULL)
+- exit(1);
++ return 1;
+
+ if ((rc = fprintf(fd,"%s", _PATH_STDPATH)) < 0)
+- exit(1);
++ return 1;
+
+- exit(0);
++ return 0;
+ ]])],
+ [ user_path=`cat conftest.stdpath` ],
+ [ user_path="/usr/bin:/bin:/usr/sbin:/sbin" ],
diff --git a/net-misc/openssh/openssh-6.7_p1-r99.ebuild b/net-misc/openssh/openssh-6.7_p1-r99.ebuild
new file mode 100644
index 0000000..7a3bfed
--- /dev/null
+++ b/net-misc/openssh/openssh-6.7_p1-r99.ebuild
@@ -0,0 +1,326 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-6.7_p1-r3.ebuild,v 1.1 2014/11/25 22:35:45 chutzpah Exp $
+
+EAPI="4"
+inherit eutils user flag-o-matic multilib autotools pam systemd versionator
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_}
+
+HPN_PATCH="${PN}-6.7p1-hpnssh14v5.tar.xz"
+LDAP_PATCH="${PN}-lpk-6.7p1-0.3.14.patch.xz"
+X509_VER="8.2" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.org/"
+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
+ mirror://gentoo/${P}-sctp.patch.xz
+ ${HPN_PATCH:+hpn? (
+ mirror://gentoo/${HPN_PATCH}
+ http://dev.gentoo.org/~vapier/dist/${HPN_PATCH}
+ mirror://sourceforge/hpnssh/${HPN_PATCH}
+ )}
+ ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
+ ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
+ "
+
+LICENSE="BSD GPL-2"
+SLOT="0"
+KEYWORDS="amd64 ~arm ~mips ~ppc ~x86"
+IUSE="bindist ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit pam +pie sctp selinux skey static X X509"
+REQUIRED_USE="pie? ( !static )"
+
+LIB_DEPEND="sctp? ( net-misc/lksctp-tools[static-libs(+)] )
+ selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
+ skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
+ libedit? ( dev-libs/libedit[static-libs(+)] )
+ >=dev-libs/openssl-0.9.6d:0[bindist=]
+ dev-libs/openssl[static-libs(+)]
+ >=sys-libs/zlib-1.2.3[static-libs(+)]"
+RDEPEND="
+ !static? (
+ ${LIB_DEPEND//\[static-libs(+)]}
+ ldns? (
+ !bindist? ( net-libs/ldns[ecdsa,ssl] )
+ bindist? ( net-libs/ldns[-ecdsa,ssl] )
+ )
+ )
+ pam? ( virtual/pam )
+ kerberos? ( virtual/krb5 )
+ ldap? ( net-nds/openldap )"
+DEPEND="${RDEPEND}
+ static? (
+ ${LIB_DEPEND}
+ ldns? (
+ !bindist? ( net-libs/ldns[ecdsa,ssl,static-libs(+)] )
+ bindist? ( net-libs/ldns[-ecdsa,ssl,static-libs(+)] )
+ )
+ )
+ virtual/pkgconfig
+ virtual/os-headers
+ sys-devel/autoconf"
+RDEPEND="${RDEPEND}
+ pam? ( >=sys-auth/pambase-20081028 )
+ userland_GNU? ( virtual/shadow )
+ X? ( x11-apps/xauth )"
+
+S=${WORKDIR}/${PARCH}
+
+pkg_setup() {
+ # this sucks, but i'd rather have people unable to `emerge -u openssh`
+ # than not be able to log in to their server any more
+ maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
+ local fail="
+ $(use X509 && maybe_fail X509 X509_PATCH)
+ $(use ldap && maybe_fail ldap LDAP_PATCH)
+ $(use hpn && maybe_fail hpn HPN_PATCH)
+ "
+ fail=$(echo ${fail})
+ if [[ -n ${fail} ]] ; then
+ eerror "Sorry, but this version does not yet support features"
+ eerror "that you requested: ${fail}"
+ eerror "Please mask ${PF} for now and check back later:"
+ eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
+ die "booooo"
+ fi
+}
+
+save_version() {
+ # version.h patch conflict avoidence
+ mv version.h version.h.$1
+ cp -f version.h.pristine version.h
+}
+
+src_prepare() {
+ sed -i \
+ -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
+ pathnames.h || die
+ # keep this as we need it to avoid the conflict between LPK and HPN changing
+ # this file.
+ cp version.h version.h.pristine
+
+ # don't break .ssh/authorized_keys2 for fun
+ sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+
+ epatch "${FILESDIR}"/${PN}-6.7_p1-sshd-gssapi-multihomed.patch #378361
+ if use X509 ; then
+ pushd .. >/dev/null
+ epatch "${FILESDIR}"/${P}-x509-glue.patch
+ epatch "${FILESDIR}"/${P}-sctp-x509-glue.patch
+ popd >/dev/null
+ epatch "${WORKDIR}"/${X509_PATCH%.*}
+ epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch
+ save_version X509
+ fi
+ if ! use X509 ; then
+ if [[ -n ${LDAP_PATCH} ]] && use ldap ; then
+ epatch "${WORKDIR}"/${LDAP_PATCH%.*}
+ save_version LPK
+ fi
+ else
+ use ldap && ewarn "Sorry, X509 and LDAP conflict internally, disabling LDAP"
+ fi
+ epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
+ epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
+ epatch "${WORKDIR}"/${PN}-6.7_p1-sctp.patch
+ if [[ -n ${HPN_PATCH} ]] && use hpn; then
+ epatch "${WORKDIR}"/${HPN_PATCH%.*}/*
+ save_version HPN
+ fi
+
+ tc-export PKG_CONFIG
+ local sed_args=(
+ -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
+ # Disable PATH reset, trust what portage gives us #254615
+ -e 's:^PATH=/:#PATH=/:'
+ # Disable fortify flags ... our gcc does this for us
+ -e 's:-D_FORTIFY_SOURCE=2::'
+ )
+ # The -ftrapv flag ICEs on hppa #505182
+ use hppa && sed_args+=(
+ -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+ -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+ )
+ sed -i "${sed_args[@]}" configure{.ac,} || die
+
+ epatch "${FILESDIR}"/${PN}-6.7p1-avoid-exit.patch
+ epatch "${FILESDIR}"/${PN}-6.4p1-missing-sys_param_h.patch
+ epatch "${FILESDIR}"/${PN}-6.4p1-fix-typo-construct_utmpx.patch
+
+ epatch_user #473004
+
+ # Now we can build a sane merged version.h
+ (
+ sed '/^#define SSH_RELEASE/d' version.h.* | sort -u
+ macros=()
+ for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
+ printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
+ ) > version.h
+
+ eautoreconf
+}
+
+static_use_with() {
+ local flag=$1
+ if use static && use ${flag} ; then
+ ewarn "Disabling '${flag}' support because of USE='static'"
+ # rebuild args so that we invert the first one (USE flag)
+ # but otherwise leave everything else working so we can
+ # just leverage use_with
+ shift
+ [[ -z $1 ]] && flag="${flag} ${flag}"
+ set -- !${flag} "$@"
+ fi
+ use_with "$@"
+}
+
+src_configure() {
+ local myconf=()
+ addwrite /dev/ptmx
+ addpredict /etc/skey/skeykeys #skey configure code triggers this
+
+ use static && append-ldflags -static
+
+ # Special settings for Gentoo/FreeBSD 9.0 or later (see bug #391011)
+ if use elibc_FreeBSD && version_is_at_least 9.0 "$(uname -r|sed 's/\(.\..\).*/\1/')" ; then
+ myconf+=( --disable-utmp --disable-wtmp --disable-wtmpx )
+ append-ldflags -lutil
+ fi
+
+ econf \
+ --with-ldflags="${LDFLAGS}" \
+ --disable-strip \
+ --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run \
+ --sysconfdir="${EPREFIX}"/etc/ssh \
+ --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc \
+ --datadir="${EPREFIX}"/usr/share/openssh \
+ --with-privsep-path="${EPREFIX}"/var/empty \
+ --with-privsep-user=sshd \
+ --with-md5-passwords \
+ --with-ssl-engine \
+ $(static_use_with pam) \
+ $(static_use_with kerberos kerberos5 "${EPREFIX}"/usr) \
+ ${LDAP_PATCH:+$(use X509 || ( use ldap && use_with ldap ))} \
+ $(use_with ldns) \
+ $(use_with libedit) \
+ $(use_with pie) \
+ $(use_with sctp) \
+ $(use_with selinux) \
+ $(use_with skey) \
+ "${myconf[@]}"
+}
+
+src_install() {
+ emake install-nokeys DESTDIR="${D}"
+ fperms 600 /etc/ssh/sshd_config
+ dobin contrib/ssh-copy-id
+ newinitd "${FILESDIR}"/sshd.rc6.4 sshd
+ newconfd "${FILESDIR}"/sshd.confd sshd
+ keepdir /var/empty
+
+ # not all openssl installs support ecc, or are functional #352645
+ if ! grep -q '#define OPENSSL_HAS_ECC 1' config.h ; then
+ elog "dev-libs/openssl was built with 'bindist' - disabling ecdsa support"
+ sed -i 's:&& gen_key ecdsa::' "${ED}"/etc/init.d/sshd || die
+ fi
+
+ newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
+ if use pam ; then
+ sed -i \
+ -e "/^#UsePAM /s:.*:UsePAM yes:" \
+ -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
+ -e "/^#PrintMotd /s:.*:PrintMotd no:" \
+ -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
+ "${ED}"/etc/ssh/sshd_config || die "sed of configuration file failed"
+ fi
+
+ # Gentoo tweaks to default config files
+ cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
+
+ # Allow client to pass locale environment variables #367017
+ AcceptEnv LANG LC_*
+ EOF
+ cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
+
+ # Send locale environment variables #367017
+ SendEnv LANG LC_*
+ EOF
+
+ # This instruction is from the HPN webpage,
+ # Used for the server logging functionality
+ if [[ -n ${HPN_PATCH} ]] && use hpn ; then
+ keepdir /var/empty/dev
+ fi
+
+ if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
+ insinto /etc/openldap/schema/
+ newins openssh-lpk_openldap.schema openssh-lpk.schema
+ fi
+
+ doman contrib/ssh-copy-id.1
+ dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
+
+ diropts -m 0700
+ dodir /etc/skel/.ssh
+
+ systemd_dounit "${FILESDIR}"/sshd.{service,socket}
+ systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
+}
+
+src_test() {
+ local t tests skipped failed passed shell
+ tests="interop-tests compat-tests"
+ skipped=""
+ shell=$(egetshell ${UID})
+ if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
+ elog "Running the full OpenSSH testsuite"
+ elog "requires a usable shell for the 'portage'"
+ elog "user, so we will run a subset only."
+ skipped="${skipped} tests"
+ else
+ tests="${tests} tests"
+ fi
+ # It will also attempt to write to the homedir .ssh
+ local sshhome=${T}/homedir
+ mkdir -p "${sshhome}"/.ssh
+ for t in ${tests} ; do
+ # Some tests read from stdin ...
+ HOMEDIR="${sshhome}" \
+ emake -k -j1 ${t} </dev/null \
+ && passed="${passed}${t} " \
+ || failed="${failed}${t} "
+ done
+ einfo "Passed tests: ${passed}"
+ ewarn "Skipped tests: ${skipped}"
+ if [[ -n ${failed} ]] ; then
+ ewarn "Failed tests: ${failed}"
+ die "Some tests failed: ${failed}"
+ else
+ einfo "Failed tests: ${failed}"
+ return 0
+ fi
+}
+
+pkg_preinst() {
+ enewgroup sshd 22
+ enewuser sshd 22 -1 /var/empty sshd
+}
+
+pkg_postinst() {
+ if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
+ elog "Starting with openssh-5.8p1, the server will default to a newer key"
+ elog "algorithm (ECDSA). You are encouraged to manually update your stored"
+ elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
+ fi
+ ewarn "Remember to merge your config files in /etc/ssh/ and then"
+ ewarn "reload sshd: '/etc/init.d/sshd reload'."
+ # This instruction is from the HPN webpage,
+ # Used for the server logging functionality
+ if [[ -n ${HPN_PATCH} ]] && use hpn ; then
+ echo
+ einfo "For the HPN server logging patch, you must ensure that"
+ einfo "your syslog application also listens at /var/empty/dev/log."
+ fi
+}
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2014-12-11 14:29 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-12-11 14:29 [gentoo-commits] proj/hardened-dev:musl commit in: net-misc/openssh/, net-misc/openssh/files/ Anthony G. Basile
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox