Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/net-misc
diff options
context:
space:
mode:
authorMike Gilbert <floppym@gentoo.org>2022-05-10 13:31:44 -0400
committerMike Gilbert <floppym@gentoo.org>2022-05-10 13:31:44 -0400
commit05be256e7a3d80ab9855a183cdcb3fb260ecd6be (patch)
treeac581e3c546cb0bfeb3b2ab6c540783df6b25546 /net-misc
parentnet-misc/openssh: use seccomp sandbox on x32 (diff)
downloadgentoo-05be256e7a3d80ab9855a183cdcb3fb260ecd6be.tar.gz
gentoo-05be256e7a3d80ab9855a183cdcb3fb260ecd6be.tar.bz2
gentoo-05be256e7a3d80ab9855a183cdcb3fb260ecd6be.zip
net-misc/openssh: drop 8.8_p1-r4
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
Diffstat (limited to 'net-misc')
-rw-r--r--net-misc/openssh/Manifest4
-rw-r--r--net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch447
-rw-r--r--net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch198
-rw-r--r--net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch63
-rw-r--r--net-misc/openssh/openssh-8.8_p1-r4.ebuild491
5 files changed, 0 insertions, 1203 deletions
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
index 3142cc61e56b..029c76bb16d1 100644
--- a/net-misc/openssh/Manifest
+++ b/net-misc/openssh/Manifest
@@ -1,7 +1,3 @@
-DIST openssh-8.8p1+x509-13.2.3.diff.gz 1071138 BLAKE2B dfbe53ccfdfe0a3da9bac927c5bb0ccfeb20f1ba69cef2ffb52999e6f6b0a3282e28a888aab40096fe9eed819f4c9b27592a8771d786580b8fa4f507f6b02557 SHA512 e55e9cdcde1b02b2799600083db8c3b85d207b251b99b4efabe8614bedf1daae28e5ed10cbe1f6a2e5ba766fe1eaf41be9e90fefdaae1352808c504fc0f4e7e6
-DIST openssh-8.8p1-sctp-1.2.patch.xz 6744 BLAKE2B 9f99e0abfbfbda2cc1c7c2a465d044c900da862e5a38f01260f388ac089b2e66c5ea7664d71d18b924552ae177e5893cdcbfbccc20eeb3aaeae00b3d552379e3 SHA512 5290c5ef08a418dcc9260812d8e75ce266e22e2258514f11da6fb178e0ae2ef16046523f72a50f74ae7b98e7eb52d16143befc8ce2919041382d314aa05adda0
-DIST openssh-8.8p1.tar.gz 1815060 BLAKE2B 3a054ce19781aceca5ab1a0839d7435d88aff4481e8c74b91ffd2046dc8b6f03d6bf584ecda066c0496acf43cea9ab4085f26a29e34e20736e752f204b8c76c3 SHA512 d44cd04445f9c8963513b0d5a7e8348985114ff2471e119a6e344498719ef40f09c61c354888a3be9dabcb5870e5cbe5d3aafbb861dfa1d82a4952f3d233a8df
-DIST openssh-8.8p1.tar.gz.asc 833 BLAKE2B ffe78af226b9c8395e60ca54bcb626cc933ee069f9f0f17f408ca1493cb346aa3fb878efeaccc646f8fa7bf1c40d6d61a81e37342ccf56ae601403bf9d59f4d6 SHA512 165e025305902f884d04d4444fa3143e4ea1a25a1c65aafe05e113537b3d3e50f7cd5f818bc2ca3404699372ca78f69c46b7452faf2d3998c448a5b80a411ae4
DIST openssh-8.9p1+x509-13.3.1.diff.gz 1113333 BLAKE2B 01fc34ed5c5c64a97db99f8f5a98f5917519474b4c22a2372f76a9c36d5dfc4efe1d03fcc43ed3d1602177f7e674a58676b9d04444d7bb66bc1c096136fd2ed0 SHA512 4fea3cf0dd0f6e0b9e28c16fb88f2a125c3ec7f86111d33e040664ab4976e697b137ffe80d02c979e2eb55a5c004f597299cfec22e730b80279665de61cb1f13
DIST openssh-8.9p1-sctp-1.2.patch.xz 6752 BLAKE2B 8f87a4e604ce412f45432ae29b6ccb5a10f6bd6ddc3c688b85d75c2126387dc5d4ed2b2396691db016cc0dee3e71a557611bcf34066dee075d62c9e69e887f14 SHA512 88a36e2d87bb8b6136885094729d001953e15799e06885ff1c489300458b6e412520f7a78c48dfd24df46e58f2561051212d7948f8af63082edcb85c33b4d32b
DIST openssh-8.9p1.tar.gz 1820282 BLAKE2B 02934da7f7a2954141888e63e81e38fad4fb8558ddd1032de44f69684802c62771fdd7e9e470e0715059635999c8f9d2ab95f6351217e236573ead83a867f59b SHA512 04bd38ea6fe4be31acc8c4e83de7d3dda66fb7207be2e4ba25d3b8118d13d098a283769da9e8ce1fc4fba7edf739c14efcc6c9137132919261a7f882314b0f6b
diff --git a/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch b/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch
deleted file mode 100644
index 49c05917779a..000000000000
--- a/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch
+++ /dev/null
@@ -1,447 +0,0 @@
-diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
---- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-31 11:12:46.412119817 -0700
-+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-31 11:26:11.116026151 -0700
-@@ -3,9 +3,9 @@
- --- a/Makefile.in
- +++ b/Makefile.in
- @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@
-- CFLAGS_NOPIE=@CFLAGS_NOPIE@
-- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
-- PICFLAG=@PICFLAG@
-+ LD=@LD@
-+ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
-+ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
- -LIBS=@LIBS@
- +LIBS=@LIBS@ -lpthread
- K5LIBS=@K5LIBS@
-@@ -803,8 +803,8 @@
- ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
- {
- struct session_state *state;
--- const struct sshcipher *none = cipher_by_name("none");
--+ struct sshcipher *none = cipher_by_name("none");
-+- const struct sshcipher *none = cipher_none();
-++ struct sshcipher *none = cipher_none();
- int r;
-
- if (none == NULL) {
-@@ -894,24 +894,24 @@
- intptr = &options->compression;
- multistate_ptr = multistate_compression;
- @@ -2272,6 +2278,7 @@ initialize_options(Options * options)
-- options->revoked_host_keys = NULL;
- options->fingerprint_hash = -1;
- options->update_hostkeys = -1;
-+ options->known_hosts_command = NULL;
- + options->disable_multithreaded = -1;
-- options->hostbased_accepted_algos = NULL;
-- options->pubkey_accepted_algos = NULL;
-- options->known_hosts_command = NULL;
-+ }
-+
-+ /*
- @@ -2467,6 +2474,10 @@ fill_default_options(Options * options)
-+ options->update_hostkeys = 0;
- if (options->sk_provider == NULL)
- options->sk_provider = xstrdup("$SSH_SK_PROVIDER");
-- #endif
- + if (options->update_hostkeys == -1)
- + options->update_hostkeys = 0;
- + if (options->disable_multithreaded == -1)
- + options->disable_multithreaded = 0;
-
-- /* Expand KEX name lists */
-- all_cipher = cipher_alg_list(',', 0);
-+ /* expand KEX and etc. name lists */
-+ { char *all;
- diff --git a/readconf.h b/readconf.h
- index 2fba866e..7f8f0227 100644
- --- a/readconf.h
-@@ -950,9 +950,9 @@
- /* Portable-specific options */
- sUsePAM,
- + sDisableMTAES,
-- /* Standard Options */
-- sPort, sHostKeyFile, sLoginGraceTime,
-- sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
-+ /* X.509 Standard Options */
-+ sHostbasedAlgorithms,
-+ sPubkeyAlgorithms,
- @@ -662,6 +666,7 @@ static struct {
- { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
- { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
-diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-31 11:12:46.412119817 -0700
-+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-31 14:17:59.366248683 -0700
-@@ -157,6 +157,36 @@
- + Allan Jude provided the code for the NoneMac and buffer normalization.
- + This work was financed, in part, by Cisco System, Inc., the National
- + Library of Medicine, and the National Science Foundation.
-+diff --git a/auth2.c b/auth2.c
-+--- a/auth2.c 2021-03-15 19:30:45.404060786 -0700
-++++ b/auth2.c 2021-03-15 19:37:22.078476597 -0700
-+@@ -229,16 +229,17 @@
-+ double delay;
-+
-+ digest_alg = ssh_digest_maxbytes();
-+- len = ssh_digest_bytes(digest_alg);
-+- hash = xmalloc(len);
-++ if (len = ssh_digest_bytes(digest_alg) > 0) {
-++ hash = xmalloc(len);
-+
-+- (void)snprintf(b, sizeof b, "%llu%s",
-+- (unsigned long long)options.timing_secret, user);
-+- if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
-+- fatal_f("ssh_digest_memory");
-+- /* 0-4.2 ms of delay */
-+- delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
-+- freezero(hash, len);
-++ (void)snprintf(b, sizeof b, "%llu%s",
-++ (unsigned long long)options.timing_secret, user);
-++ if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0)
-++ fatal_f("ssh_digest_memory");
-++ /* 0-4.2 ms of delay */
-++ delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000;
-++ freezero(hash, len);
-++ }
-+ debug3_f("user specific delay %0.3lfms", delay/1000);
-+ return MIN_FAIL_DELAY_SECONDS + delay;
-+ }
- diff --git a/channels.c b/channels.c
- index b60d56c4..0e363c15 100644
- --- a/channels.c
-@@ -209,14 +239,14 @@
- static void
- channel_pre_open(struct ssh *ssh, Channel *c,
- fd_set *readset, fd_set *writeset)
--@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
-+@@ -2164,21 +2191,31 @@ channel_check_window(struct ssh *ssh, Channel *c)
-
- if (c->type == SSH_CHANNEL_OPEN &&
- !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
- - ((c->local_window_max - c->local_window >
- - c->local_maxpacket*3) ||
--+ ((ssh_packet_is_interactive(ssh) &&
--+ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
-++ ((ssh_packet_is_interactive(ssh) &&
-++ c->local_window_max - c->local_window > c->local_maxpacket*3) ||
- c->local_window < c->local_window_max/2) &&
- c->local_consumed > 0) {
- + u_int addition = 0;
-@@ -235,9 +265,8 @@
- (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
- - (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
- + (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 ||
-- (r = sshpkt_send(ssh)) != 0) {
-- fatal_fr(r, "channel %i", c->self);
-- }
-+ (r = sshpkt_send(ssh)) != 0)
-+ fatal_fr(r, "channel %d", c->self);
- - debug2("channel %d: window %d sent adjust %d", c->self,
- - c->local_window, c->local_consumed);
- - c->local_window += c->local_consumed;
-@@ -337,70 +366,92 @@
- index 70f492f8..5503af1d 100644
- --- a/clientloop.c
- +++ b/clientloop.c
--@@ -1578,9 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
-+@@ -1578,10 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan)
- sock = x11_connect_display(ssh);
- if (sock < 0)
- return NULL;
- - c = channel_new(ssh, "x11",
- - SSH_CHANNEL_X11_OPEN, sock, sock, -1,
--- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
--+ c = channel_new(ssh, "x11",
--+ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
--+ /* again is this really necessary for X11? */
--+ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
--+ CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
-+- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11",
-+- CHANNEL_NONBLOCK_SET);
-++ c = channel_new(ssh, "x11",
-++ SSH_CHANNEL_X11_OPEN, sock, sock, -1,
-++ /* again is this really necessary for X11? */
-++ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
-++ CHAN_X11_PACKET_DEFAULT, 0, "x11", CHANNEL_NONBLOCK_SET);
- c->force_drain = 1;
- return c;
- }
--@@ -1608,9 +1610,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
-+@@ -1608,9 +1609,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
- return NULL;
- }
- c = channel_new(ssh, "authentication agent connection",
- - SSH_CHANNEL_OPEN, sock, sock, -1,
- - CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
--- "authentication agent connection", 1);
--+ SSH_CHANNEL_OPEN, sock, sock, -1,
--+ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size,
--+ CHAN_TCP_PACKET_DEFAULT, 0,
--+ "authentication agent connection", 1);
-+- "authentication agent connection", CHANNEL_NONBLOCK_SET);
-++ SSH_CHANNEL_OPEN, sock, sock, -1,
-++ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size,
-++ CHAN_TCP_PACKET_DEFAULT, 0,
-++ "authentication agent connection", CHANNEL_NONBLOCK_SET);
- c->force_drain = 1;
- return c;
- }
--@@ -1635,10 +1638,13 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
-+@@ -1635,9 +1637,9 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode,
- }
- debug("Tunnel forwarding using interface %s", ifname);
-
- - c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
--- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
--+ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
-+- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun",
-+- CHANNEL_NONBLOCK_SET);
-++ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1,
- + options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size,
--+ CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
-++ CHAN_TCP_PACKET_DEFAULT, 0, "tun", CHANNEL_NONBLOCK_SET);
- c->datagram = 1;
-
--+
--+
- #if defined(SSH_TUN_FILTER)
-- if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
-- channel_register_filter(ssh, c->self, sys_tun_infilter,
- diff --git a/compat.c b/compat.c
- index 69befa96..90b5f338 100644
- --- a/compat.c
- +++ b/compat.c
--@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version)
-- debug_f("match: %s pat %s compat 0x%08x",
-+@@ -43,7 +43,7 @@ compat_datafellows(const char *version)
-+ static u_int
-+ compat_datafellows(const char *version)
-+ {
-+- int i;
-++ int i, bugs = 0;
-+ static struct {
-+ char *pat;
-+ int bugs;
-+@@ -147,11 +147,26 @@
-+ if (match_pattern_list(version, check[i].pat, 0) == 1) {
-+ debug("match: %s pat %s compat 0x%08x",
- version, check[i].pat, check[i].bugs);
-- ssh->compat = check[i].bugs;
- + /* Check to see if the remote side is OpenSSH and not HPN */
--+ /* TODO: need to use new method to test for this */
- + if (strstr(version, "OpenSSH") != NULL) {
- + if (strstr(version, "hpn") == NULL) {
--+ ssh->compat |= SSH_BUG_LARGEWINDOW;
-++ bugs |= SSH_BUG_LARGEWINDOW;
- + debug("Remote is NON-HPN aware");
- + }
- + }
-- return;
-+- return check[i].bugs;
-++ bugs |= check[i].bugs;
- }
- }
-+- debug("no match: %s", version);
-+- return 0;
-++ /* Check to see if the remote side is OpenSSH and not HPN */
-++ if (strstr(version, "OpenSSH") != NULL) {
-++ if (strstr(version, "hpn") == NULL) {
-++ bugs |= SSH_BUG_LARGEWINDOW;
-++ debug("Remote is NON-HPN aware");
-++ }
-++ }
-++ if (bugs == 0)
-++ debug("no match: %s", version);
-++ return bugs;
-+ }
-+
-+ char *
- diff --git a/compat.h b/compat.h
- index c197fafc..ea2e17a7 100644
- --- a/compat.h
-@@ -459,7 +510,7 @@
- @@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh)
- int nenc, nmac, ncomp;
- u_int mode, ctos, need, dh_need, authlen;
-- int r, first_kex_follows;
-+ int r, first_kex_follows = 0;
- + int auth_flag = 0;
- +
- + auth_flag = packet_authentication_state(ssh);
-@@ -553,7 +604,7 @@
- #define MAX_PACKETS (1U<<31)
- static int
- ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
--@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
-+@@ -1317,7 +1336,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
- struct session_state *state = ssh->state;
- int len, r, ms_remain;
- fd_set *setp;
-@@ -1035,19 +1086,6 @@
-
- /* Minimum amount of data to read at a time */
- #define MIN_READ_SIZE 512
--diff --git a/ssh-keygen.c b/ssh-keygen.c
--index cfb5f115..36a6e519 100644
----- a/ssh-keygen.c
--+++ b/ssh-keygen.c
--@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device)
-- freezero(pin, strlen(pin));
-- error_r(r, "Unable to load resident keys");
-- return -1;
--- }
--+ }
-- if (nkeys == 0)
-- logit("No keys to download");
-- if (pin != NULL)
- diff --git a/ssh.c b/ssh.c
- index 53330da5..27b9770e 100644
- --- a/ssh.c
-@@ -1093,7 +1131,7 @@
- + else
- + options.hpn_buffer_size = 2 * 1024 * 1024;
- +
--+ if (ssh->compat & SSH_BUG_LARGEWINDOW) {
-++ if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) {
- + debug("HPN to Non-HPN Connection");
- + } else {
- + int sock, socksize;
-@@ -1157,14 +1195,14 @@
- }
- @@ -2089,6 +2167,11 @@ ssh_session2_open(struct ssh *ssh)
- window, packetmax, CHAN_EXTENDED_WRITE,
-- "client-session", /*nonblock*/0);
-+ "client-session", CHANNEL_NONBLOCK_STDIO);
-
- + if ((options.tcp_rcv_buf_poll > 0) && !options.hpn_disabled) {
- + c->dynamic_window = 1;
- + debug("Enabled Dynamic Window Scaling");
- + }
- +
-- debug3_f("channel_new: %d", c->self);
-+ debug2_f("channel %d", c->self);
-
- channel_send_open(ssh, c->self);
- @@ -2105,6 +2188,13 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_info *cinfo)
-@@ -1335,7 +1373,29 @@
- /* Bind the socket to the desired port. */
- if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
- error("Bind to port %s on %s failed: %.200s.",
--@@ -1727,6 +1734,19 @@ main(int ac, char **av)
-+@@ -1625,13 +1632,14 @@
-+ if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg),
-+ sshbuf_len(server_cfg)) != 0)
-+ fatal_f("ssh_digest_update");
-+- len = ssh_digest_bytes(digest_alg);
-+- hash = xmalloc(len);
-+- if (ssh_digest_final(ctx, hash, len) != 0)
-+- fatal_f("ssh_digest_final");
-+- options.timing_secret = PEEK_U64(hash);
-+- freezero(hash, len);
-+- ssh_digest_free(ctx);
-++ if ((len = ssh_digest_bytes(digest_alg)) > 0) {
-++ hash = xmalloc(len);
-++ if (ssh_digest_final(ctx, hash, len) != 0)
-++ fatal_f("ssh_digest_final");
-++ options.timing_secret = PEEK_U64(hash);
-++ freezero(hash, len);
-++ ssh_digest_free(ctx);
-++ }
-+ ctx = NULL;
-+ return;
-+ }
-+@@ -1727,6 +1735,19 @@ main(int ac, char **av)
- fatal("AuthorizedPrincipalsCommand set without "
- "AuthorizedPrincipalsCommandUser");
-
-@@ -1355,7 +1415,7 @@
- /*
- * Check whether there is any path through configured auth methods.
- * Unfortunately it is not possible to verify this generally before
--@@ -2166,6 +2186,9 @@ main(int ac, char **av)
-+@@ -2166,6 +2187,9 @@ main(int ac, char **av)
- rdomain == NULL ? "" : "\"");
- free(laddr);
-
-@@ -1365,7 +1425,7 @@
- /*
- * We don't want to listen forever unless the other side
- * successfully authenticates itself. So we set up an alarm which is
--@@ -2343,6 +2366,12 @@ do_ssh2_kex(struct ssh *ssh)
-+@@ -2343,6 +2367,12 @@ do_ssh2_kex(struct ssh *ssh)
- struct kex *kex;
- int r;
-
-@@ -1405,14 +1465,3 @@
- # Example of overriding settings on a per-user basis
- #Match User anoncvs
- # X11Forwarding no
--diff --git a/version.h b/version.h
--index 6b4fa372..332fb486 100644
----- a/version.h
--+++ b/version.h
--@@ -3,4 +3,5 @@
-- #define SSH_VERSION "OpenSSH_8.5"
--
-- #define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_HPN "-hpn15v2"
--+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
-diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff
---- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-08-31 11:12:16.778011216 -0700
-+++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-08-31 11:13:11.573211934 -0700
-@@ -12,9 +12,9 @@
- static long stalled; /* how long we have been stalled */
- static int bytes_per_second; /* current speed in bytes per second */
- @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
-+ off_t bytes_left;
- int cur_speed;
-- int hours, minutes, seconds;
-- int file_len;
-+ int len;
- + off_t delta_pos;
-
- if ((!force_update && !alarm_fired && !win_resized) || !can_output())
-@@ -30,15 +30,17 @@
- if (bytes_left > 0)
- elapsed = now - last_update;
- else {
--@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
--
-+@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update)
-+ buf[1] = '\0';
-+
- /* filename */
-- buf[0] = '\0';
--- file_len = win_size - 36;
--+ file_len = win_size - 45;
-- if (file_len > 0) {
-- buf[0] = '\r';
-- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
-+- if (win_size > 36) {
-++ if (win_size > 45) {
-+- int file_len = win_size - 36;
-++ int file_len = win_size - 45;
-+ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
-+ file_len, file);
-+ }
- @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
- (off_t)bytes_per_second);
- strlcat(buf, "/s ", win_size);
-@@ -63,15 +65,3 @@
- }
-
- /*ARGSUSED*/
--diff --git a/ssh-keygen.c b/ssh-keygen.c
--index cfb5f115..986ff59b 100644
----- a/ssh-keygen.c
--+++ b/ssh-keygen.c
--@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device)
--
-- if (skprovider == NULL)
-- fatal("Cannot download keys without provider");
---
-- pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN);
-- if (!quiet) {
-- printf("You may need to touch your authenticator "
diff --git a/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch b/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch
deleted file mode 100644
index 309e57e88643..000000000000
--- a/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-glue.patch
+++ /dev/null
@@ -1,198 +0,0 @@
-diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff
---- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-20 11:49:32.351767063 -0700
-+++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-20 11:58:08.746214945 -0700
-@@ -1026,9 +1026,9 @@
- + }
- +#endif
- +
-- debug("Authentication succeeded (%s).", authctxt.method->name);
-- }
--
-+ if (ssh_packet_connection_is_on_socket(ssh)) {
-+ verbose("Authenticated to %s ([%s]:%d) using \"%s\".", host,
-+ ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
- diff --git a/sshd.c b/sshd.c
- index 6277e6d6..bf3d6e4a 100644
- --- a/sshd.c
-diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-20 11:49:32.351767063 -0700
-+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-20 12:04:45.008038085 -0700
-@@ -536,18 +536,10 @@
- if (state->rekey_limit)
- *max_blocks = MINIMUM(*max_blocks,
- state->rekey_limit / enc->block_size);
--@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
-+@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
- return 0;
- }
-
--+/* this supports the forced rekeying required for the NONE cipher */
--+int rekey_requested = 0;
--+void
--+packet_request_rekeying(void)
--+{
--+ rekey_requested = 1;
--+}
--+
- +/* used to determine if pre or post auth when rekeying for aes-ctr
- + * and none cipher switch */
- +int
-@@ -561,20 +553,6 @@
- #define MAX_PACKETS (1U<<31)
- static int
- ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
--@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
-- if (state->p_send.packets == 0 && state->p_read.packets == 0)
-- return 0;
--
--+ /* used to force rekeying when called for by the none
--+ * cipher switch methods -cjr */
--+ if (rekey_requested == 1) {
--+ rekey_requested = 0;
--+ return 1;
--+ }
--+
-- /* Time-based rekeying */
-- if (state->rekey_interval != 0 &&
-- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
- @@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)
- struct session_state *state = ssh->state;
- int len, r, ms_remain;
-@@ -598,12 +576,11 @@
- };
-
- typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *,
--@@ -155,6 +158,10 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
-+@@ -155,6 +158,9 @@ int ssh_packet_inc_alive_timeouts(struct ssh *);
- int ssh_packet_set_maxsize(struct ssh *, u_int);
- u_int ssh_packet_get_maxsize(struct ssh *);
-
- +/* for forced packet rekeying post auth */
--+void packet_request_rekeying(void);
- +int packet_authentication_state(const struct ssh *);
- +
- int ssh_packet_get_state(struct ssh *, struct sshbuf *);
-@@ -627,9 +604,9 @@
- oLocalCommand, oPermitLocalCommand, oRemoteCommand,
- + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
- + oNoneEnabled, oNoneMacEnabled, oNoneSwitch,
-+ oDisableMTAES,
- oVisualHostKey,
- oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
-- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
- @@ -297,6 +300,9 @@ static struct {
- { "kexalgorithms", oKexAlgorithms },
- { "ipqos", oIPQoS },
-@@ -637,9 +614,9 @@
- + { "noneenabled", oNoneEnabled },
- + { "nonemacenabled", oNoneMacEnabled },
- + { "noneswitch", oNoneSwitch },
-- { "proxyusefdpass", oProxyUseFdpass },
-- { "canonicaldomains", oCanonicalDomains },
-- { "canonicalizefallbacklocal", oCanonicalizeFallbackLocal },
-+ { "sessiontype", oSessionType },
-+ { "stdinnull", oStdinNull },
-+ { "forkafterauthentication", oForkAfterAuthentication },
- @@ -317,6 +323,11 @@ static struct {
- { "securitykeyprovider", oSecurityKeyProvider },
- { "knownhostscommand", oKnownHostsCommand },
-@@ -717,9 +694,9 @@
- + options->hpn_buffer_size = -1;
- + options->tcp_rcv_buf_poll = -1;
- + options->tcp_rcv_buf = -1;
-- options->proxy_use_fdpass = -1;
-- options->ignored_unknown = NULL;
-- options->num_canonical_domains = 0;
-+ options->session_type = -1;
-+ options->stdin_null = -1;
-+ options->fork_after_authentication = -1;
- @@ -2426,6 +2484,41 @@ fill_default_options(Options * options)
- options->server_alive_interval = 0;
- if (options->server_alive_count_max == -1)
-@@ -778,9 +755,9 @@
- int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
- SyslogFacility log_facility; /* Facility for system logging. */
- @@ -120,7 +124,11 @@ typedef struct {
--
- int enable_ssh_keysign;
- int64_t rekey_limit;
-+ int disable_multithreaded; /*disable multithreaded aes-ctr*/
- + int none_switch; /* Use none cipher */
- + int none_enabled; /* Allow none cipher to be used */
- + int nonemac_enabled; /* Allow none MAC to be used */
-@@ -842,9 +819,9 @@
- /* Portable-specific options */
- if (options->use_pam == -1)
- @@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options)
-- }
-- if (options->permit_tun == -1)
- options->permit_tun = SSH_TUNMODE_NO;
-+ if (options->disable_multithreaded == -1)
-+ options->disable_multithreaded = 0;
- + if (options->none_enabled == -1)
- + options->none_enabled = 0;
- + if (options->nonemac_enabled == -1)
-@@ -1047,17 +1024,17 @@
- Note that
- diff --git a/sftp.c b/sftp.c
- index fb3c08d1..89bebbb2 100644
----- a/sftp.c
--+++ b/sftp.c
--@@ -71,7 +71,7 @@ typedef void EditLine;
-- #include "sftp-client.h"
--
-- #define DEFAULT_COPY_BUFLEN 32768 /* Size of buffer for up/download */
---#define DEFAULT_NUM_REQUESTS 64 /* # concurrent outstanding requests */
--+#define DEFAULT_NUM_REQUESTS 256 /* # concurrent outstanding requests */
-+--- a/sftp-client.c
-++++ b/sftp-client.c
-+@@ -65,7 +65,7 @@ typedef void EditLine;
-+ #define DEFAULT_COPY_BUFLEN 32768
-+
-+ /* Default number of concurrent outstanding requests */
-+-#define DEFAULT_NUM_REQUESTS 64
-++#define DEFAULT_NUM_REQUESTS 256
-
-- /* File to read commands from */
-- FILE* infile;
-+ /* Minimum amount of data to read at a time */
-+ #define MIN_READ_SIZE 512
- diff --git a/ssh-keygen.c b/ssh-keygen.c
- index cfb5f115..36a6e519 100644
- --- a/ssh-keygen.c
-@@ -1330,9 +1307,9 @@
- + }
- + }
- +
-- debug("Authentication succeeded (%s).", authctxt.method->name);
-- }
-
-+ #ifdef WITH_OPENSSL
-+ if (options.disable_multithreaded == 0) {
- diff --git a/sshd.c b/sshd.c
- index 6277e6d6..d66fa41a 100644
- --- a/sshd.c
-@@ -1359,8 +1336,8 @@
- if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) {
- error("Bind to port %s on %s failed: %.200s.",
- @@ -1727,6 +1734,19 @@ main(int ac, char **av)
-- /* Fill in default values for those options not explicitly set. */
-- fill_default_server_options(&options);
-+ fatal("AuthorizedPrincipalsCommand set without "
-+ "AuthorizedPrincipalsCommandUser");
-
- + if (options.none_enabled == 1) {
- + char *old_ciphers = options.ciphers;
-@@ -1375,9 +1352,9 @@
- + }
- + }
- +
-- /* challenge-response is implemented via keyboard interactive */
-- if (options.challenge_response_authentication)
-- options.kbd_interactive_authentication = 1;
-+ /*
-+ * Check whether there is any path through configured auth methods.
-+ * Unfortunately it is not possible to verify this generally before
- @@ -2166,6 +2186,9 @@ main(int ac, char **av)
- rdomain == NULL ? "" : "\"");
- free(laddr);
diff --git a/net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch b/net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch
deleted file mode 100644
index b6827623cd66..000000000000
--- a/net-misc/openssh/files/openssh-8.8_p1-X509-glue-13.2.3.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-diff -ur '--exclude=.*.un~' a/openssh-8.8p1+x509-13.2.3.diff b/openssh-8.8p1+x509-13.2.3.diff
---- a/openssh-8.8p1+x509-13.2.3.diff 2021-10-29 14:59:17.070546984 -0700
-+++ b/openssh-8.8p1+x509-13.2.3.diff 2021-10-29 14:59:55.086664489 -0700
-@@ -954,15 +954,16 @@
- char b[512];
- - size_t len = ssh_digest_bytes(SSH_DIGEST_SHA512);
- - u_char *hash = xmalloc(len);
-+- double delay;
- + int digest_alg;
- + size_t len;
- + u_char *hash;
-- double delay;
--
-++ double delay = 0;
-++
- + digest_alg = ssh_digest_maxbytes();
- + len = ssh_digest_bytes(digest_alg);
- + hash = xmalloc(len);
--+
-+
- (void)snprintf(b, sizeof b, "%llu%s",
- (unsigned long long)options.timing_secret, user);
- - if (ssh_digest_memory(SSH_DIGEST_SHA512, b, strlen(b), hash, len) != 0)
-@@ -51859,12 +51860,11 @@
-
- install-files:
- $(MKDIR_P) $(DESTDIR)$(bindir)
--@@ -391,6 +372,8 @@
-+@@ -391,6 +372,7 @@
- $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
- $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
- $(MKDIR_P) $(DESTDIR)$(libexecdir)
- + $(MKDIR_P) $(DESTDIR)$(sshcadir)
--+ $(MKDIR_P) $(DESTDIR)$(piddir)
- $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
- $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
- $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
-@@ -71985,7 +71985,7 @@
- +if test "$sshd_type" = "pkix" ; then
- + unset_arg=''
- +else
--+ unset_arg=none
-++ unset_arg=
- +fi
- +
- cat > $OBJ/sshd_config.i << _EOF
-@@ -132360,16 +132360,6 @@
- +int asnmprintf(char **, size_t, int *, const char *, ...)
- __attribute__((format(printf, 4, 5)));
- void msetlocale(void);
--diff -ruN openssh-8.8p1/version.h openssh-8.8p1+x509-13.2.3/version.h
----- openssh-8.8p1/version.h 2021-09-26 17:03:19.000000000 +0300
--+++ openssh-8.8p1+x509-13.2.3/version.h 2021-10-23 16:27:00.000000000 +0300
--@@ -2,5 +2,4 @@
--
-- #define SSH_VERSION "OpenSSH_8.8"
--
---#define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
- diff -ruN openssh-8.8p1/version.m4 openssh-8.8p1+x509-13.2.3/version.m4
- --- openssh-8.8p1/version.m4 1970-01-01 02:00:00.000000000 +0200
- +++ openssh-8.8p1+x509-13.2.3/version.m4 2021-10-23 16:27:00.000000000 +0300
diff --git a/net-misc/openssh/openssh-8.8_p1-r4.ebuild b/net-misc/openssh/openssh-8.8_p1-r4.ebuild
deleted file mode 100644
index 561dc2dd6076..000000000000
--- a/net-misc/openssh/openssh-8.8_p1-r4.ebuild
+++ /dev/null
@@ -1,491 +0,0 @@
-# Copyright 1999-2022 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit user-info flag-o-matic autotools pam systemd toolchain-funcs verify-sig
-
-# Make it more portable between straight releases
-# and _p? releases.
-PARCH=${P/_}
-
-# PV to USE for HPN patches
-#HPN_PV="${PV^^}"
-HPN_PV="8.5_P1"
-
-HPN_VER="15.2"
-HPN_PATCHES=(
- ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
- ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
- ${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
-)
-
-SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
-X509_VER="13.2.3" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
-
-DESCRIPTION="Port of OpenBSD's free SSH release"
-HOMEPAGE="https://www.openssh.com/"
-SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
- ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
- ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
- ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
- verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc )
-"
-VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssh.org.asc
-S="${WORKDIR}/${PARCH}"
-
-LICENSE="BSD GPL-2"
-SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-# Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
-
-RESTRICT="!test? ( test )"
-
-REQUIRED_USE="
- hpn? ( ssl )
- ldns? ( ssl )
- pie? ( !static )
- static? ( !kerberos !pam )
- X509? ( !sctp ssl !xmss )
- xmss? ( ssl )
- test? ( ssl )
-"
-
-# tests currently fail with XMSS
-REQUIRED_USE+="test? ( !xmss )"
-
-LIB_DEPEND="
- audit? ( sys-process/audit[static-libs(+)] )
- ldns? (
- net-libs/ldns[static-libs(+)]
- net-libs/ldns[ecdsa(+),ssl(+)]
- )
- libedit? ( dev-libs/libedit:=[static-libs(+)] )
- sctp? ( net-misc/lksctp-tools[static-libs(+)] )
- security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
- selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
- ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] )
- virtual/libcrypt:=[static-libs(+)]
- >=sys-libs/zlib-1.2.3:=[static-libs(+)]
-"
-RDEPEND="
- acct-group/sshd
- acct-user/sshd
- !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
- pam? ( sys-libs/pam )
- kerberos? ( virtual/krb5 )
-"
-DEPEND="${RDEPEND}
- virtual/os-headers
- kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )
- static? ( ${LIB_DEPEND} )
-"
-RDEPEND="${RDEPEND}
- pam? ( >=sys-auth/pambase-20081028 )
- !prefix? ( sys-apps/shadow )
- X? ( x11-apps/xauth )
-"
-BDEPEND="
- virtual/pkgconfig
- sys-devel/autoconf
- verify-sig? ( sec-keys/openpgp-keys-openssh )
-"
-
-pkg_pretend() {
- # this sucks, but i'd rather have people unable to `emerge -u openssh`
- # than not be able to log in to their server any more
- local missing=()
- check_feature() { use "${1}" && [[ -z ${!2} ]] && missing+=( "${1}" ); }
- check_feature hpn HPN_VER
- check_feature sctp SCTP_PATCH
- check_feature X509 X509_PATCH
- if [[ ${#missing[@]} -ne 0 ]] ; then
- eerror "Sorry, but this version does not yet support features"
- eerror "that you requested: ${missing[*]}"
- eerror "Please mask ${PF} for now and check back later:"
- eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
- die "Missing requested third party patch."
- fi
-
- # Make sure people who are using tcp wrappers are notified of its removal. #531156
- if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
- ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
- ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please."
- fi
-}
-
-src_unpack() {
- default
-
- # We don't have signatures for HPN, X509, so we have to write this ourselves
- use verify-sig && verify-sig_verify_detached "${DISTDIR}"/${PARCH}.tar.gz{,.asc}
-}
-
-src_prepare() {
- sed -i \
- -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
- pathnames.h || die
-
- # don't break .ssh/authorized_keys2 for fun
- sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
-
- eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
- eapply "${FILESDIR}"/${PN}-8.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
- eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
- eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
- eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
- eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
-
- [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
-
- local PATCHSET_VERSION_MACROS=()
-
- if use X509 ; then
- pushd "${WORKDIR}" &>/dev/null || die
- eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
- popd &>/dev/null || die
-
- eapply "${WORKDIR}"/${X509_PATCH%.*}
-
- # We need to patch package version or any X.509 sshd will reject our ssh client
- # with "userauth_pubkey: could not parse key: string is too large [preauth]"
- # error
- einfo "Patching package version for X.509 patch set ..."
- sed -i \
- -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
- "${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
-
- einfo "Patching version.h to expose X.509 patch set ..."
- sed -i \
- -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
- "${S}"/version.h || die "Failed to sed-in X.509 patch version"
- PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
- fi
-
- if use sctp ; then
- eapply "${WORKDIR}"/${SCTP_PATCH%.*}
-
- einfo "Patching version.h to expose SCTP patch set ..."
- sed -i \
- -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
- "${S}"/version.h || die "Failed to sed-in SCTP patch version"
- PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
-
- einfo "Disabling known failing test (cfgparse) caused by SCTP patch ..."
- sed -i \
- -e "/\t\tcfgparse \\\/d" \
- "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
- fi
-
- if use hpn ; then
- local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
- mkdir "${hpn_patchdir}" || die
- cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
- pushd "${hpn_patchdir}" &>/dev/null || die
- eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-glue.patch
- use X509 && eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-X509-glue.patch
- use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch
- popd &>/dev/null || die
-
- eapply "${hpn_patchdir}"
-
- use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"
-
- einfo "Patching Makefile.in for HPN patch set ..."
- sed -i \
- -e "/^LIBS=/ s/\$/ -lpthread/" \
- "${S}"/Makefile.in || die "Failed to patch Makefile.in"
-
- einfo "Patching version.h to expose HPN patch set ..."
- sed -i \
- -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
- "${S}"/version.h || die "Failed to sed-in HPN patch version"
- PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
-
- if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
- einfo "Disabling known non-working MT AES cipher per default ..."
-
- cat > "${T}"/disable_mtaes.conf <<- EOF
-
- # HPN's Multi-Threaded AES CTR cipher is currently known to be broken
- # and therefore disabled per default.
- DisableMTAES yes
- EOF
- sed -i \
- -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
- "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
-
- sed -i \
- -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
- "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
- fi
- fi
-
- if use X509 || use sctp || use hpn ; then
- einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
- sed -i \
- -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
- "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
-
- einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
- sed -i \
- -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
- "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
-
- einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
- sed -i \
- -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
- "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
- fi
-
- sed -i \
- -e "/#UseLogin no/d" \
- "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
-
- eapply_user #473004
-
- # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
- sed -e '/\t\tpercent \\/ d' \
- -i regress/Makefile || die
-
- tc-export PKG_CONFIG
- local sed_args=(
- -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
- # Disable PATH reset, trust what portage gives us #254615
- -e 's:^PATH=/:#PATH=/:'
- # Disable fortify flags ... our gcc does this for us
- -e 's:-D_FORTIFY_SOURCE=2::'
- )
-
- # The -ftrapv flag ICEs on hppa #505182
- use hppa && sed_args+=(
- -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
- -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
- )
- # _XOPEN_SOURCE causes header conflicts on Solaris
- [[ ${CHOST} == *-solaris* ]] && sed_args+=(
- -e 's/-D_XOPEN_SOURCE//'
- )
- sed -i "${sed_args[@]}" configure{.ac,} || die
-
- eautoreconf
-}
-
-src_configure() {
- addwrite /dev/ptmx
-
- use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
- use static && append-ldflags -static
- use xmss && append-cflags -DWITH_XMSS
-
- if [[ ${CHOST} == *-solaris* ]] ; then
- # Solaris' glob.h doesn't have things like GLOB_TILDE, configure
- # doesn't check for this, so force the replacement to be put in
- # place
- append-cppflags -DBROKEN_GLOB
- fi
-
- # use replacement, RPF_ECHO_ON doesn't exist here
- [[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no
-
- local myconf=(
- --with-ldflags="${LDFLAGS}"
- --disable-strip
- --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
- --sysconfdir="${EPREFIX}"/etc/ssh
- --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
- --datadir="${EPREFIX}"/usr/share/openssh
- --with-privsep-path="${EPREFIX}"/var/empty
- --with-privsep-user=sshd
- $(use_with audit audit linux)
- $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
- # We apply the sctp patch conditionally, so can't pass --without-sctp
- # unconditionally else we get unknown flag warnings.
- $(use sctp && use_with sctp)
- $(use_with ldns)
- $(use_with libedit)
- $(use_with pam)
- $(use_with pie)
- $(use_with selinux)
- $(usex X509 '' "$(use_with security-key security-key-builtin)")
- $(use_with ssl openssl)
- $(use_with ssl md5-passwords)
- $(use_with ssl ssl-engine)
- $(use_with !elibc_Cygwin hardening) #659210
- )
-
- if use elibc_musl; then
- # musl defines bogus values for UTMP_FILE and WTMP_FILE
- # https://bugs.gentoo.org/753230
- myconf+=( --disable-utmp --disable-wtmp )
- fi
-
- # The seccomp sandbox is broken on x32, so use the older method for now. #553748
- use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
-
- econf "${myconf[@]}"
-}
-
-src_test() {
- local tests=( compat-tests )
- local shell=$(egetshell "${UID}")
- if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
- ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
- ewarn "user, so we will run a subset only."
- tests+=( interop-tests )
- else
- tests+=( tests )
- fi
-
- local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1
- mkdir -p "${HOME}"/.ssh || die
- emake -j1 "${tests[@]}" </dev/null
-}
-
-# Gentoo tweaks to default config files.
-tweak_ssh_configs() {
- local locale_vars=(
- # These are language variables that POSIX defines.
- # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
- LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
-
- # These are the GNU extensions.
- # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
- LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
- )
-
- # First the server config.
- cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
-
- # Allow client to pass locale environment variables. #367017
- AcceptEnv ${locale_vars[*]}
-
- # Allow client to pass COLORTERM to match TERM. #658540
- AcceptEnv COLORTERM
- EOF
-
- # Then the client config.
- cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
-
- # Send locale environment variables. #367017
- SendEnv ${locale_vars[*]}
-
- # Send COLORTERM to match TERM. #658540
- SendEnv COLORTERM
- EOF
-
- if use pam ; then
- sed -i \
- -e "/^#UsePAM /s:.*:UsePAM yes:" \
- -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
- -e "/^#PrintMotd /s:.*:PrintMotd no:" \
- -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
- "${ED}"/etc/ssh/sshd_config || die
- fi
-
- if use livecd ; then
- sed -i \
- -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
- "${ED}"/etc/ssh/sshd_config || die
- fi
-}
-
-src_install() {
- emake install-nokeys DESTDIR="${D}"
- fperms 600 /etc/ssh/sshd_config
- dobin contrib/ssh-copy-id
- newinitd "${FILESDIR}"/sshd-r1.initd sshd
- newconfd "${FILESDIR}"/sshd-r1.confd sshd
-
- if use pam; then
- newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
- fi
-
- tweak_ssh_configs
-
- doman contrib/ssh-copy-id.1
- dodoc CREDITS OVERVIEW README* TODO sshd_config
- use hpn && dodoc HPN-README
- use X509 || dodoc ChangeLog
-
- diropts -m 0700
- dodir /etc/skel/.ssh
-
- # https://bugs.gentoo.org/733802
- if ! use scp; then
- rm -f "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \
- || die "failed to remove scp"
- fi
-
- rmdir "${ED}"/var/empty || die
-
- systemd_dounit "${FILESDIR}"/sshd.{service,socket}
- systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
-}
-
-pkg_preinst() {
- if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
- show_ssl_warning=1
- fi
-}
-
-pkg_postinst() {
- local old_ver
- for old_ver in ${REPLACING_VERSIONS}; do
- if ver_test "${old_ver}" -lt "5.8_p1"; then
- elog "Starting with openssh-5.8p1, the server will default to a newer key"
- elog "algorithm (ECDSA). You are encouraged to manually update your stored"
- elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
- fi
- if ver_test "${old_ver}" -lt "7.0_p1"; then
- elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
- elog "Make sure to update any configs that you might have. Note that xinetd might"
- elog "be an alternative for you as it supports USE=tcpd."
- fi
- if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
- elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
- elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
- elog "adding to your sshd_config or ~/.ssh/config files:"
- elog " PubkeyAcceptedKeyTypes=+ssh-dss"
- elog "You should however generate new keys using rsa or ed25519."
-
- elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
- elog "to 'prohibit-password'. That means password auth for root users no longer works"
- elog "out of the box. If you need this, please update your sshd_config explicitly."
- fi
- if ver_test "${old_ver}" -lt "7.6_p1"; then
- elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
- elog "Furthermore, rsa keys with less than 1024 bits will be refused."
- fi
- if ver_test "${old_ver}" -lt "7.7_p1"; then
- elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
- elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
- elog "if you need to authenticate against LDAP."
- elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
- fi
- if ver_test "${old_ver}" -lt "8.2_p1"; then
- ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
- ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
- ewarn "connection is generally safe."
- fi
- done
-
- if [[ -n ${show_ssl_warning} ]]; then
- elog "Be aware that by disabling openssl support in openssh, the server and clients"
- elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
- elog "and update all clients/servers that utilize them."
- fi
-
- if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
- elog ""
- elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
- elog "and therefore disabled at runtime per default."
- elog "Make sure your sshd_config is up to date and contains"
- elog ""
- elog " DisableMTAES yes"
- elog ""
- elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
- elog ""
- fi
-}