Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Quentin Retornaz <gentoo@××××××××.com>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/proj/libressl:master commit in: net-misc/openssh/files/
Date: Sat, 30 Jan 2021 15:10:49
Message-Id: 1612019345.54169cefe0925095a46bcead1b4b875a62873e3e.quentin@gentoo
1 commit: 54169cefe0925095a46bcead1b4b875a62873e3e
2 Author: Quentin Retornaz <gentoo <AT> retornaz <DOT> com>
3 AuthorDate: Sat Jan 30 15:09:05 2021 +0000
4 Commit: Quentin Retornaz <gentoo <AT> retornaz <DOT> com>
5 CommitDate: Sat Jan 30 15:09:05 2021 +0000
6 URL: https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=54169cef
7
8 net-misc/openssh: add missing patches
9
10 Package-Manager: Portage-3.0.13, Repoman-3.0.2
11 Signed-off-by: Quentin Retornaz <gentoo <AT> retornaz.com>
12
13 .../openssh-6.7_p1-openssl-ignore-status.patch | 17 +
14 ...penssh-7.5_p1-disable-conch-interop-tests.patch | 20 ++
15 .../files/openssh-7.9_p1-include-stdlib.patch | 48 +++
16 ...mget-shmat-shmdt-in-preauth-privsep-child.patch | 31 ++
17 .../files/openssh-8.0_p1-fix-putty-tests.patch | 57 ++++
18 .../files/openssh-8.0_p1-hpn-14.20-X509-glue.patch | 111 +++++++
19 .../openssh/files/openssh-8.0_p1-hpn-version.patch | 13 +
20 .../openssh/files/openssh-8.1_p1-GSSAPI-dns.patch | 359 +++++++++++++++++++++
21 .../files/openssh-8.1_p1-X509-12.3-tests.patch | 11 +
22 .../files/openssh-8.1_p1-X509-glue-12.3.patch | 35 ++
23 .../files/openssh-8.1_p1-hpn-14.20-glue.patch | 105 ++++++
24 .../files/openssh-8.1_p1-hpn-14.20-sctp-glue.patch | 19 ++
25 .../openssh/files/openssh-8.1_p1-tests-2020.patch | 26 ++
26 13 files changed, 852 insertions(+)
27
28 diff --git a/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch b/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch
29 new file mode 100644
30 index 0000000..fa33af3
31 --- /dev/null
32 +++ b/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch
33 @@ -0,0 +1,17 @@
34 +the last nibble of the openssl version represents the status. that is,
35 +whether it is a beta or release. when it comes to version checks in
36 +openssh, this component does not matter, so ignore it.
37 +
38 +https://bugzilla.mindrot.org/show_bug.cgi?id=2212
39 +
40 +--- a/openbsd-compat/openssl-compat.c
41 ++++ b/openbsd-compat/openssl-compat.c
42 +@@ -58,7 +58,7 @@ ssh_compatible_openssl(long headerver, long libver)
43 + * For versions >= 1.0.0, major,minor,status must match and library
44 + * fix version must be equal to or newer than the header.
45 + */
46 +- mask = 0xfff0000fL; /* major,minor,status */
47 ++ mask = 0xfff00000L; /* major,minor,status */
48 + hfix = (headerver & 0x000ff000) >> 12;
49 + lfix = (libver & 0x000ff000) >> 12;
50 + if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
51
52 diff --git a/net-misc/openssh/files/openssh-7.5_p1-disable-conch-interop-tests.patch b/net-misc/openssh/files/openssh-7.5_p1-disable-conch-interop-tests.patch
53 new file mode 100644
54 index 0000000..a5647ce
55 --- /dev/null
56 +++ b/net-misc/openssh/files/openssh-7.5_p1-disable-conch-interop-tests.patch
57 @@ -0,0 +1,20 @@
58 +Disable conch interop tests which are failing when called
59 +via portage for yet unknown reason and because using conch
60 +seems to be flaky (test is failing when using Python2 but
61 +passing when using Python3).
62 +
63 +Bug: https://bugs.gentoo.org/605446
64 +
65 +--- a/regress/conch-ciphers.sh
66 ++++ b/regress/conch-ciphers.sh
67 +@@ -3,6 +3,10 @@
68 +
69 + tid="conch ciphers"
70 +
71 ++# https://bugs.gentoo.org/605446
72 ++echo "conch interop tests skipped due to Gentoo bug #605446"
73 ++exit 0
74 ++
75 + if test "x$REGRESS_INTEROP_CONCH" != "xyes" ; then
76 + echo "conch interop tests not enabled"
77 + exit 0
78
79 diff --git a/net-misc/openssh/files/openssh-7.9_p1-include-stdlib.patch b/net-misc/openssh/files/openssh-7.9_p1-include-stdlib.patch
80 new file mode 100644
81 index 0000000..c5697c2
82 --- /dev/null
83 +++ b/net-misc/openssh/files/openssh-7.9_p1-include-stdlib.patch
84 @@ -0,0 +1,48 @@
85 +diff --git a/auth-options.c b/auth-options.c
86 +index b05d6d6f..d1f42f04 100644
87 +--- a/auth-options.c
88 ++++ b/auth-options.c
89 +@@ -26,6 +26,7 @@
90 + #include <stdarg.h>
91 + #include <ctype.h>
92 + #include <limits.h>
93 ++#include <stdlib.h>
94 +
95 + #include "openbsd-compat/sys-queue.h"
96 +
97 +diff --git a/hmac.c b/hmac.c
98 +index 1c879640..a29f32c5 100644
99 +--- a/hmac.c
100 ++++ b/hmac.c
101 +@@ -19,6 +19,7 @@
102 +
103 + #include <sys/types.h>
104 + #include <string.h>
105 ++#include <stdlib.h>
106 +
107 + #include "sshbuf.h"
108 + #include "digest.h"
109 +diff --git a/krl.c b/krl.c
110 +index 8e2d5d5d..c32e147a 100644
111 +--- a/krl.c
112 ++++ b/krl.c
113 +@@ -28,6 +28,7 @@
114 + #include <string.h>
115 + #include <time.h>
116 + #include <unistd.h>
117 ++#include <stdlib.h>
118 +
119 + #include "sshbuf.h"
120 + #include "ssherr.h"
121 +diff --git a/mac.c b/mac.c
122 +index 51dc11d7..3d11eba6 100644
123 +--- a/mac.c
124 ++++ b/mac.c
125 +@@ -29,6 +29,7 @@
126 +
127 + #include <string.h>
128 + #include <stdio.h>
129 ++#include <stdlib.h>
130 +
131 + #include "digest.h"
132 + #include "hmac.h"
133
134 diff --git a/net-misc/openssh/files/openssh-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch b/net-misc/openssh/files/openssh-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
135 new file mode 100644
136 index 0000000..fe3be24
137 --- /dev/null
138 +++ b/net-misc/openssh/files/openssh-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
139 @@ -0,0 +1,31 @@
140 +From 3ef92a657444f172b61f92d5da66d94fa8265602 Mon Sep 17 00:00:00 2001
141 +From: Lonnie Abelbeck <lonnie@××××××××.com>
142 +Date: Tue, 1 Oct 2019 09:05:09 -0500
143 +Subject: [PATCH] Deny (non-fatal) shmget/shmat/shmdt in preauth privsep child.
144 +
145 +New wait_random_seeded() function on OpenSSL 1.1.1d uses shmget, shmat, and shmdt
146 +in the preauth codepath, deny (non-fatal) in seccomp_filter sandbox.
147 +---
148 + sandbox-seccomp-filter.c | 9 +++++++++
149 + 1 file changed, 9 insertions(+)
150 +
151 +diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
152 +index 840c5232b..39dc289e3 100644
153 +--- a/sandbox-seccomp-filter.c
154 ++++ b/sandbox-seccomp-filter.c
155 +@@ -168,6 +168,15 @@ static const struct sock_filter preauth_insns[] = {
156 + #ifdef __NR_stat64
157 + SC_DENY(__NR_stat64, EACCES),
158 + #endif
159 ++#ifdef __NR_shmget
160 ++ SC_DENY(__NR_shmget, EACCES),
161 ++#endif
162 ++#ifdef __NR_shmat
163 ++ SC_DENY(__NR_shmat, EACCES),
164 ++#endif
165 ++#ifdef __NR_shmdt
166 ++ SC_DENY(__NR_shmdt, EACCES),
167 ++#endif
168 +
169 + /* Syscalls to permit */
170 + #ifdef __NR_brk
171
172 diff --git a/net-misc/openssh/files/openssh-8.0_p1-fix-putty-tests.patch b/net-misc/openssh/files/openssh-8.0_p1-fix-putty-tests.patch
173 new file mode 100644
174 index 0000000..4310aa1
175 --- /dev/null
176 +++ b/net-misc/openssh/files/openssh-8.0_p1-fix-putty-tests.patch
177 @@ -0,0 +1,57 @@
178 +Make sure that host keys are already accepted before
179 +running tests.
180 +
181 +https://bugs.gentoo.org/493866
182 +
183 +--- a/regress/putty-ciphers.sh
184 ++++ b/regress/putty-ciphers.sh
185 +@@ -10,11 +10,17 @@ fi
186 +
187 + for c in aes 3des aes128-ctr aes192-ctr aes256-ctr ; do
188 + verbose "$tid: cipher $c"
189 ++ rm -f ${COPY}
190 + cp ${OBJ}/.putty/sessions/localhost_proxy \
191 + ${OBJ}/.putty/sessions/cipher_$c
192 + echo "Cipher=$c" >> ${OBJ}/.putty/sessions/cipher_$c
193 +
194 +- rm -f ${COPY}
195 ++ env HOME=$PWD echo "y" | ${PLINK} -load cipher_$c \
196 ++ -i ${OBJ}/putty.rsa2 "exit"
197 ++ if [ $? -ne 0 ]; then
198 ++ fail "failed to pre-cache host key"
199 ++ fi
200 ++
201 + env HOME=$PWD ${PLINK} -load cipher_$c -batch -i ${OBJ}/putty.rsa2 \
202 + cat ${DATA} > ${COPY}
203 + if [ $? -ne 0 ]; then
204 +--- a/regress/putty-kex.sh
205 ++++ b/regress/putty-kex.sh
206 +@@ -14,6 +14,12 @@ for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ; do
207 + ${OBJ}/.putty/sessions/kex_$k
208 + echo "KEX=$k" >> ${OBJ}/.putty/sessions/kex_$k
209 +
210 ++ env HOME=$PWD echo "y" | ${PLINK} -load kex_$k \
211 ++ -i ${OBJ}/putty.rsa2 "exit"
212 ++ if [ $? -ne 0 ]; then
213 ++ fail "failed to pre-cache host key"
214 ++ fi
215 ++
216 + env HOME=$PWD ${PLINK} -load kex_$k -batch -i ${OBJ}/putty.rsa2 true
217 + if [ $? -ne 0 ]; then
218 + fail "KEX $k failed"
219 +--- a/regress/putty-transfer.sh
220 ++++ b/regress/putty-transfer.sh
221 +@@ -14,6 +14,13 @@ for c in 0 1 ; do
222 + cp ${OBJ}/.putty/sessions/localhost_proxy \
223 + ${OBJ}/.putty/sessions/compression_$c
224 + echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k
225 ++
226 ++ env HOME=$PWD echo "y" | ${PLINK} -load compression_$c \
227 ++ -i ${OBJ}/putty.rsa2 "exit"
228 ++ if [ $? -ne 0 ]; then
229 ++ fail "failed to pre-cache host key"
230 ++ fi
231 ++
232 + env HOME=$PWD ${PLINK} -load compression_$c -batch \
233 + -i ${OBJ}/putty.rsa2 cat ${DATA} > ${COPY}
234 + if [ $? -ne 0 ]; then
235
236 diff --git a/net-misc/openssh/files/openssh-8.0_p1-hpn-14.20-X509-glue.patch b/net-misc/openssh/files/openssh-8.0_p1-hpn-14.20-X509-glue.patch
237 new file mode 100644
238 index 0000000..167adfc
239 --- /dev/null
240 +++ b/net-misc/openssh/files/openssh-8.0_p1-hpn-14.20-X509-glue.patch
241 @@ -0,0 +1,111 @@
242 +diff -ur a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff
243 +--- a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-02-04 15:49:15.746095444 -0800
244 ++++ b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-02-04 15:49:54.181853707 -0800
245 +@@ -4,8 +4,8 @@
246 + +++ b/Makefile.in
247 + @@ -42,7 +42,7 @@ CC=@CC@
248 + LD=@LD@
249 +- CFLAGS=@CFLAGS@
250 +- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
251 ++ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA)
252 ++ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
253 + -LIBS=@LIBS@
254 + +LIBS=@LIBS@ -lpthread
255 + K5LIBS=@K5LIBS@
256 +@@ -803,8 +803,8 @@
257 + ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out)
258 + {
259 + struct session_state *state;
260 +-- const struct sshcipher *none = cipher_by_name("none");
261 +-+ struct sshcipher *none = cipher_by_name("none");
262 ++- const struct sshcipher *none = cipher_none();
263 +++ struct sshcipher *none = cipher_none();
264 + int r;
265 +
266 + if (none == NULL) {
267 +@@ -948,9 +948,9 @@
268 + /* Portable-specific options */
269 + sUsePAM,
270 + + sDisableMTAES,
271 +- /* Standard Options */
272 +- sPort, sHostKeyFile, sLoginGraceTime,
273 +- sPermitRootLogin, sLogFacility, sLogLevel,
274 ++ /* X.509 Standard Options */
275 ++ sHostbasedAlgorithms,
276 ++ sPubkeyAlgorithms,
277 + @@ -643,6 +647,7 @@ static struct {
278 + { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
279 + { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
280 +diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
281 +--- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 15:41:42.512910357 -0800
282 ++++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 15:56:40.323299499 -0800
283 +@@ -382,7 +382,7 @@
284 + @@ -884,6 +884,10 @@ kex_choose_conf(struct ssh *ssh)
285 + int nenc, nmac, ncomp;
286 + u_int mode, ctos, need, dh_need, authlen;
287 +- int r, first_kex_follows;
288 ++ int r, first_kex_follows = 0;
289 + + int auth_flag;
290 + +
291 + + auth_flag = packet_authentication_state(ssh);
292 +@@ -391,8 +391,8 @@
293 + debug2("local %s KEXINIT proposal", kex->server ? "server" : "client");
294 + if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0)
295 + @@ -954,6 +958,14 @@ kex_choose_conf(struct ssh *ssh)
296 +- peer[ncomp] = NULL;
297 +- goto out;
298 ++ else
299 ++ fatal("Pre-authentication none cipher requests are not allowed.");
300 + }
301 + + debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name);
302 + + if (strcmp(newkeys->enc.name, "none") == 0) {
303 +@@ -1169,15 +1169,3 @@
304 + # Example of overriding settings on a per-user basis
305 + #Match User anoncvs
306 + # X11Forwarding no
307 +-diff --git a/version.h b/version.h
308 +-index 6b3fadf8..ec1d2e27 100644
309 +---- a/version.h
310 +-+++ b/version.h
311 +-@@ -3,4 +3,6 @@
312 +- #define SSH_VERSION "OpenSSH_8.1"
313 +-
314 +- #define SSH_PORTABLE "p1"
315 +--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
316 +-+#define SSH_HPN "-hpn14v20"
317 +-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
318 +-+
319 +diff -ur a/openssh-8_1_P1-hpn-PeakTput-14.20.diff b/openssh-8_1_P1-hpn-PeakTput-14.20.diff
320 +--- a/openssh-8_1_P1-hpn-PeakTput-14.20.diff 2020-02-04 15:41:42.512910357 -0800
321 ++++ b/openssh-8_1_P1-hpn-PeakTput-14.20.diff 2020-02-04 16:02:42.203023609 -0800
322 +@@ -12,9 +12,9 @@
323 + static long stalled; /* how long we have been stalled */
324 + static int bytes_per_second; /* current speed in bytes per second */
325 + @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update)
326 ++ off_t bytes_left;
327 + int cur_speed;
328 +- int hours, minutes, seconds;
329 +- int file_len;
330 ++ int len;
331 + + off_t delta_pos;
332 +
333 + if ((!force_update && !alarm_fired && !win_resized) || !can_output())
334 +@@ -33,12 +33,12 @@
335 + @@ -166,7 +173,7 @@ refresh_progress_meter(int force_update)
336 +
337 + /* filename */
338 +- buf[0] = '\0';
339 +-- file_len = win_size - 36;
340 +-+ file_len = win_size - 45;
341 +- if (file_len > 0) {
342 +- buf[0] = '\r';
343 +- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s",
344 ++ if (win_size > 36) {
345 ++- int file_len = win_size - 36;
346 +++ int file_len = win_size - 45;
347 ++ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ",
348 ++ file_len, file);
349 ++ }
350 + @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update)
351 + (off_t)bytes_per_second);
352 + strlcat(buf, "/s ", win_size);
353
354 diff --git a/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch b/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch
355 new file mode 100644
356 index 0000000..37905ce
357 --- /dev/null
358 +++ b/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch
359 @@ -0,0 +1,13 @@
360 +diff --git a/kex.c b/kex.c
361 +index 34808b5c..88d7ccac 100644
362 +--- a/kex.c
363 ++++ b/kex.c
364 +@@ -1126,7 +1126,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
365 + if (version_addendum != NULL && *version_addendum == '\0')
366 + version_addendum = NULL;
367 + if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
368 +- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
369 ++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
370 + version_addendum == NULL ? "" : " ",
371 + version_addendum == NULL ? "" : version_addendum)) != 0) {
372 + error("%s: sshbuf_putf: %s", __func__, ssh_err(r));
373
374 diff --git a/net-misc/openssh/files/openssh-8.1_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-8.1_p1-GSSAPI-dns.patch
375 new file mode 100644
376 index 0000000..6aba6f2
377 --- /dev/null
378 +++ b/net-misc/openssh/files/openssh-8.1_p1-GSSAPI-dns.patch
379 @@ -0,0 +1,359 @@
380 +diff --git a/auth.c b/auth.c
381 +index ca450f4e..2994a4e4 100644
382 +--- a/auth.c
383 ++++ b/auth.c
384 +@@ -723,120 +723,6 @@ fakepw(void)
385 + return (&fake);
386 + }
387 +
388 +-/*
389 +- * Returns the remote DNS hostname as a string. The returned string must not
390 +- * be freed. NB. this will usually trigger a DNS query the first time it is
391 +- * called.
392 +- * This function does additional checks on the hostname to mitigate some
393 +- * attacks on legacy rhosts-style authentication.
394 +- * XXX is RhostsRSAAuthentication vulnerable to these?
395 +- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
396 +- */
397 +-
398 +-static char *
399 +-remote_hostname(struct ssh *ssh)
400 +-{
401 +- struct sockaddr_storage from;
402 +- socklen_t fromlen;
403 +- struct addrinfo hints, *ai, *aitop;
404 +- char name[NI_MAXHOST], ntop2[NI_MAXHOST];
405 +- const char *ntop = ssh_remote_ipaddr(ssh);
406 +-
407 +- /* Get IP address of client. */
408 +- fromlen = sizeof(from);
409 +- memset(&from, 0, sizeof(from));
410 +- if (getpeername(ssh_packet_get_connection_in(ssh),
411 +- (struct sockaddr *)&from, &fromlen) == -1) {
412 +- debug("getpeername failed: %.100s", strerror(errno));
413 +- return strdup(ntop);
414 +- }
415 +-
416 +- ipv64_normalise_mapped(&from, &fromlen);
417 +- if (from.ss_family == AF_INET6)
418 +- fromlen = sizeof(struct sockaddr_in6);
419 +-
420 +- debug3("Trying to reverse map address %.100s.", ntop);
421 +- /* Map the IP address to a host name. */
422 +- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
423 +- NULL, 0, NI_NAMEREQD) != 0) {
424 +- /* Host name not found. Use ip address. */
425 +- return strdup(ntop);
426 +- }
427 +-
428 +- /*
429 +- * if reverse lookup result looks like a numeric hostname,
430 +- * someone is trying to trick us by PTR record like following:
431 +- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
432 +- */
433 +- memset(&hints, 0, sizeof(hints));
434 +- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
435 +- hints.ai_flags = AI_NUMERICHOST;
436 +- if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
437 +- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
438 +- name, ntop);
439 +- freeaddrinfo(ai);
440 +- return strdup(ntop);
441 +- }
442 +-
443 +- /* Names are stored in lowercase. */
444 +- lowercase(name);
445 +-
446 +- /*
447 +- * Map it back to an IP address and check that the given
448 +- * address actually is an address of this host. This is
449 +- * necessary because anyone with access to a name server can
450 +- * define arbitrary names for an IP address. Mapping from
451 +- * name to IP address can be trusted better (but can still be
452 +- * fooled if the intruder has access to the name server of
453 +- * the domain).
454 +- */
455 +- memset(&hints, 0, sizeof(hints));
456 +- hints.ai_family = from.ss_family;
457 +- hints.ai_socktype = SOCK_STREAM;
458 +- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
459 +- logit("reverse mapping checking getaddrinfo for %.700s "
460 +- "[%s] failed.", name, ntop);
461 +- return strdup(ntop);
462 +- }
463 +- /* Look for the address from the list of addresses. */
464 +- for (ai = aitop; ai; ai = ai->ai_next) {
465 +- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
466 +- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
467 +- (strcmp(ntop, ntop2) == 0))
468 +- break;
469 +- }
470 +- freeaddrinfo(aitop);
471 +- /* If we reached the end of the list, the address was not there. */
472 +- if (ai == NULL) {
473 +- /* Address not found for the host name. */
474 +- logit("Address %.100s maps to %.600s, but this does not "
475 +- "map back to the address.", ntop, name);
476 +- return strdup(ntop);
477 +- }
478 +- return strdup(name);
479 +-}
480 +-
481 +-/*
482 +- * Return the canonical name of the host in the other side of the current
483 +- * connection. The host name is cached, so it is efficient to call this
484 +- * several times.
485 +- */
486 +-
487 +-const char *
488 +-auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
489 +-{
490 +- static char *dnsname;
491 +-
492 +- if (!use_dns)
493 +- return ssh_remote_ipaddr(ssh);
494 +- else if (dnsname != NULL)
495 +- return dnsname;
496 +- else {
497 +- dnsname = remote_hostname(ssh);
498 +- return dnsname;
499 +- }
500 +-}
501 +-
502 + /*
503 + * Runs command in a subprocess with a minimal environment.
504 + * Returns pid on success, 0 on failure.
505 +diff --git a/canohost.c b/canohost.c
506 +index abea9c6e..4f4524d2 100644
507 +--- a/canohost.c
508 ++++ b/canohost.c
509 +@@ -202,3 +202,117 @@ get_local_port(int sock)
510 + {
511 + return get_sock_port(sock, 1);
512 + }
513 ++
514 ++/*
515 ++ * Returns the remote DNS hostname as a string. The returned string must not
516 ++ * be freed. NB. this will usually trigger a DNS query the first time it is
517 ++ * called.
518 ++ * This function does additional checks on the hostname to mitigate some
519 ++ * attacks on legacy rhosts-style authentication.
520 ++ * XXX is RhostsRSAAuthentication vulnerable to these?
521 ++ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
522 ++ */
523 ++
524 ++static char *
525 ++remote_hostname(struct ssh *ssh)
526 ++{
527 ++ struct sockaddr_storage from;
528 ++ socklen_t fromlen;
529 ++ struct addrinfo hints, *ai, *aitop;
530 ++ char name[NI_MAXHOST], ntop2[NI_MAXHOST];
531 ++ const char *ntop = ssh_remote_ipaddr(ssh);
532 ++
533 ++ /* Get IP address of client. */
534 ++ fromlen = sizeof(from);
535 ++ memset(&from, 0, sizeof(from));
536 ++ if (getpeername(ssh_packet_get_connection_in(ssh),
537 ++ (struct sockaddr *)&from, &fromlen) < 0) {
538 ++ debug("getpeername failed: %.100s", strerror(errno));
539 ++ return strdup(ntop);
540 ++ }
541 ++
542 ++ ipv64_normalise_mapped(&from, &fromlen);
543 ++ if (from.ss_family == AF_INET6)
544 ++ fromlen = sizeof(struct sockaddr_in6);
545 ++
546 ++ debug3("Trying to reverse map address %.100s.", ntop);
547 ++ /* Map the IP address to a host name. */
548 ++ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
549 ++ NULL, 0, NI_NAMEREQD) != 0) {
550 ++ /* Host name not found. Use ip address. */
551 ++ return strdup(ntop);
552 ++ }
553 ++
554 ++ /*
555 ++ * if reverse lookup result looks like a numeric hostname,
556 ++ * someone is trying to trick us by PTR record like following:
557 ++ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
558 ++ */
559 ++ memset(&hints, 0, sizeof(hints));
560 ++ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
561 ++ hints.ai_flags = AI_NUMERICHOST;
562 ++ if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
563 ++ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
564 ++ name, ntop);
565 ++ freeaddrinfo(ai);
566 ++ return strdup(ntop);
567 ++ }
568 ++
569 ++ /* Names are stored in lowercase. */
570 ++ lowercase(name);
571 ++
572 ++ /*
573 ++ * Map it back to an IP address and check that the given
574 ++ * address actually is an address of this host. This is
575 ++ * necessary because anyone with access to a name server can
576 ++ * define arbitrary names for an IP address. Mapping from
577 ++ * name to IP address can be trusted better (but can still be
578 ++ * fooled if the intruder has access to the name server of
579 ++ * the domain).
580 ++ */
581 ++ memset(&hints, 0, sizeof(hints));
582 ++ hints.ai_family = from.ss_family;
583 ++ hints.ai_socktype = SOCK_STREAM;
584 ++ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
585 ++ logit("reverse mapping checking getaddrinfo for %.700s "
586 ++ "[%s] failed.", name, ntop);
587 ++ return strdup(ntop);
588 ++ }
589 ++ /* Look for the address from the list of addresses. */
590 ++ for (ai = aitop; ai; ai = ai->ai_next) {
591 ++ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
592 ++ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
593 ++ (strcmp(ntop, ntop2) == 0))
594 ++ break;
595 ++ }
596 ++ freeaddrinfo(aitop);
597 ++ /* If we reached the end of the list, the address was not there. */
598 ++ if (ai == NULL) {
599 ++ /* Address not found for the host name. */
600 ++ logit("Address %.100s maps to %.600s, but this does not "
601 ++ "map back to the address.", ntop, name);
602 ++ return strdup(ntop);
603 ++ }
604 ++ return strdup(name);
605 ++}
606 ++
607 ++/*
608 ++ * Return the canonical name of the host in the other side of the current
609 ++ * connection. The host name is cached, so it is efficient to call this
610 ++ * several times.
611 ++ */
612 ++
613 ++const char *
614 ++auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
615 ++{
616 ++ static char *dnsname;
617 ++
618 ++ if (!use_dns)
619 ++ return ssh_remote_ipaddr(ssh);
620 ++ else if (dnsname != NULL)
621 ++ return dnsname;
622 ++ else {
623 ++ dnsname = remote_hostname(ssh);
624 ++ return dnsname;
625 ++ }
626 ++}
627 +diff --git a/readconf.c b/readconf.c
628 +index f78b4d6f..747287f7 100644
629 +--- a/readconf.c
630 ++++ b/readconf.c
631 +@@ -162,6 +162,7 @@ typedef enum {
632 + oClearAllForwardings, oNoHostAuthenticationForLocalhost,
633 + oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
634 + oAddressFamily, oGssAuthentication, oGssDelegateCreds,
635 ++ oGssTrustDns,
636 + oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
637 + oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
638 + oHashKnownHosts,
639 +@@ -203,9 +204,11 @@ static struct {
640 + #if defined(GSSAPI)
641 + { "gssapiauthentication", oGssAuthentication },
642 + { "gssapidelegatecredentials", oGssDelegateCreds },
643 ++ { "gssapitrustdns", oGssTrustDns },
644 + # else
645 + { "gssapiauthentication", oUnsupported },
646 + { "gssapidelegatecredentials", oUnsupported },
647 ++ { "gssapitrustdns", oUnsupported },
648 + #endif
649 + #ifdef ENABLE_PKCS11
650 + { "pkcs11provider", oPKCS11Provider },
651 +@@ -992,6 +995,10 @@ parse_time:
652 + intptr = &options->gss_deleg_creds;
653 + goto parse_flag;
654 +
655 ++ case oGssTrustDns:
656 ++ intptr = &options->gss_trust_dns;
657 ++ goto parse_flag;
658 ++
659 + case oBatchMode:
660 + intptr = &options->batch_mode;
661 + goto parse_flag;
662 +@@ -1864,6 +1871,7 @@ initialize_options(Options * options)
663 + options->challenge_response_authentication = -1;
664 + options->gss_authentication = -1;
665 + options->gss_deleg_creds = -1;
666 ++ options->gss_trust_dns = -1;
667 + options->password_authentication = -1;
668 + options->kbd_interactive_authentication = -1;
669 + options->kbd_interactive_devices = NULL;
670 +@@ -2011,6 +2019,8 @@ fill_default_options(Options * options)
671 + options->gss_authentication = 0;
672 + if (options->gss_deleg_creds == -1)
673 + options->gss_deleg_creds = 0;
674 ++ if (options->gss_trust_dns == -1)
675 ++ options->gss_trust_dns = 0;
676 + if (options->password_authentication == -1)
677 + options->password_authentication = 1;
678 + if (options->kbd_interactive_authentication == -1)
679 +diff --git a/readconf.h b/readconf.h
680 +index 8e36bf32..c9e4718d 100644
681 +--- a/readconf.h
682 ++++ b/readconf.h
683 +@@ -41,6 +41,7 @@ typedef struct {
684 + /* Try S/Key or TIS, authentication. */
685 + int gss_authentication; /* Try GSS authentication */
686 + int gss_deleg_creds; /* Delegate GSS credentials */
687 ++ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
688 + int password_authentication; /* Try password
689 + * authentication. */
690 + int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
691 +diff --git a/ssh_config.5 b/ssh_config.5
692 +index 02a87892..95de538b 100644
693 +--- a/ssh_config.5
694 ++++ b/ssh_config.5
695 +@@ -762,6 +762,16 @@ The default is
696 + Forward (delegate) credentials to the server.
697 + The default is
698 + .Cm no .
699 ++Note that this option applies to protocol version 2 connections using GSSAPI.
700 ++.It Cm GSSAPITrustDns
701 ++Set to
702 ++.Dq yes to indicate that the DNS is trusted to securely canonicalize
703 ++the name of the host being connected to. If
704 ++.Dq no, the hostname entered on the
705 ++command line will be passed untouched to the GSSAPI library.
706 ++The default is
707 ++.Dq no .
708 ++This option only applies to protocol version 2 connections using GSSAPI.
709 + .It Cm HashKnownHosts
710 + Indicates that
711 + .Xr ssh 1
712 +diff --git a/sshconnect2.c b/sshconnect2.c
713 +index 87fa70a4..a6ffdc96 100644
714 +--- a/sshconnect2.c
715 ++++ b/sshconnect2.c
716 +@@ -697,6 +697,13 @@ userauth_gssapi(struct ssh *ssh)
717 + OM_uint32 min;
718 + int r, ok = 0;
719 + gss_OID mech = NULL;
720 ++ const char *gss_host;
721 ++
722 ++ if (options.gss_trust_dns) {
723 ++ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
724 ++ gss_host = auth_get_canonical_hostname(ssh, 1);
725 ++ } else
726 ++ gss_host = authctxt->host;
727 +
728 + /* Try one GSSAPI method at a time, rather than sending them all at
729 + * once. */
730 +@@ -711,7 +718,7 @@ userauth_gssapi(struct ssh *ssh)
731 + elements[authctxt->mech_tried];
732 + /* My DER encoding requires length<128 */
733 + if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
734 +- mech, authctxt->host)) {
735 ++ mech, gss_host)) {
736 + ok = 1; /* Mechanism works */
737 + } else {
738 + authctxt->mech_tried++;
739
740 diff --git a/net-misc/openssh/files/openssh-8.1_p1-X509-12.3-tests.patch b/net-misc/openssh/files/openssh-8.1_p1-X509-12.3-tests.patch
741 new file mode 100644
742 index 0000000..67a93fe
743 --- /dev/null
744 +++ b/net-misc/openssh/files/openssh-8.1_p1-X509-12.3-tests.patch
745 @@ -0,0 +1,11 @@
746 +--- a/openbsd-compat/regress/Makefile.in 2019-06-17 10:59:01.210601434 -0700
747 ++++ b/openbsd-compat/regress/Makefile.in 2019-06-17 10:59:18.753485852 -0700
748 +@@ -7,7 +7,7 @@
749 + CC=@CC@
750 + LD=@LD@
751 + CFLAGS=@CFLAGS@
752 +-CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
753 ++CPPFLAGS=-I. -I.. -I../.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
754 + EXEEXT=@EXEEXT@
755 + LIBCOMPAT=../libopenbsd-compat.a
756 + LIBS=@LIBS@
757
758 diff --git a/net-misc/openssh/files/openssh-8.1_p1-X509-glue-12.3.patch b/net-misc/openssh/files/openssh-8.1_p1-X509-glue-12.3.patch
759 new file mode 100644
760 index 0000000..48cce79
761 --- /dev/null
762 +++ b/net-misc/openssh/files/openssh-8.1_p1-X509-glue-12.3.patch
763 @@ -0,0 +1,35 @@
764 +Only in b: .openssh-8.1p1+x509-12.3.diff.un~
765 +diff -ur a/openssh-8.1p1+x509-12.3.diff b/openssh-8.1p1+x509-12.3.diff
766 +--- a/openssh-8.1p1+x509-12.3.diff 2019-10-14 11:33:45.796485604 -0700
767 ++++ b/openssh-8.1p1+x509-12.3.diff 2019-10-14 11:39:44.960312587 -0700
768 +@@ -35343,12 +35343,11 @@
769 +
770 + install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
771 + install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
772 +-@@ -339,6 +360,8 @@
773 ++@@ -339,6 +360,7 @@
774 + $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
775 + $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
776 + $(MKDIR_P) $(DESTDIR)$(libexecdir)
777 + + $(MKDIR_P) $(DESTDIR)$(sshcadir)
778 +-+ $(MKDIR_P) $(DESTDIR)$(piddir)
779 + $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
780 + $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
781 + $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
782 +@@ -83536,16 +83535,6 @@
783 + + return mbtowc(NULL, s, n);
784 + +}
785 + +#endif
786 +-diff -ruN openssh-8.1p1/version.h openssh-8.1p1+x509-12.3/version.h
787 +---- openssh-8.1p1/version.h 2019-10-09 03:31:03.000000000 +0300
788 +-+++ openssh-8.1p1+x509-12.3/version.h 2019-10-13 09:07:00.000000000 +0300
789 +-@@ -2,5 +2,4 @@
790 +-
791 +- #define SSH_VERSION "OpenSSH_8.1"
792 +-
793 +--#define SSH_PORTABLE "p1"
794 +--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
795 +-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
796 + diff -ruN openssh-8.1p1/version.m4 openssh-8.1p1+x509-12.3/version.m4
797 + --- openssh-8.1p1/version.m4 1970-01-01 02:00:00.000000000 +0200
798 + +++ openssh-8.1p1+x509-12.3/version.m4 2019-10-13 09:07:00.000000000 +0300
799
800 diff --git a/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-glue.patch b/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-glue.patch
801 new file mode 100644
802 index 0000000..90fa248
803 --- /dev/null
804 +++ b/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-glue.patch
805 @@ -0,0 +1,105 @@
806 +diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
807 +--- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 14:55:30.408567718 -0800
808 ++++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 15:16:14.646567224 -0800
809 +@@ -409,18 +409,10 @@
810 + index 817da43b..b2bcf78f 100644
811 + --- a/packet.c
812 + +++ b/packet.c
813 +-@@ -925,6 +925,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
814 ++@@ -925,6 +925,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
815 + return 0;
816 + }
817 +
818 +-+/* this supports the forced rekeying required for the NONE cipher */
819 +-+int rekey_requested = 0;
820 +-+void
821 +-+packet_request_rekeying(void)
822 +-+{
823 +-+ rekey_requested = 1;
824 +-+}
825 +-+
826 + +/* used to determine if pre or post auth when rekeying for aes-ctr
827 + + * and none cipher switch */
828 + +int
829 +@@ -434,20 +426,6 @@
830 + #define MAX_PACKETS (1U<<31)
831 + static int
832 + ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
833 +-@@ -951,6 +969,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
834 +- if (state->p_send.packets == 0 && state->p_read.packets == 0)
835 +- return 0;
836 +-
837 +-+ /* used to force rekeying when called for by the none
838 +-+ * cipher switch methods -cjr */
839 +-+ if (rekey_requested == 1) {
840 +-+ rekey_requested = 0;
841 +-+ return 1;
842 +-+ }
843 +-+
844 +- /* Time-based rekeying */
845 +- if (state->rekey_interval != 0 &&
846 +- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
847 + diff --git a/packet.h b/packet.h
848 + index 8ccfd2e0..1ad9bc06 100644
849 + --- a/packet.h
850 +@@ -476,9 +454,9 @@
851 + /* Format of the configuration file:
852 +
853 + @@ -167,6 +168,8 @@ typedef enum {
854 +- oHashKnownHosts,
855 + oTunnel, oTunnelDevice,
856 + oLocalCommand, oPermitLocalCommand, oRemoteCommand,
857 ++ oDisableMTAES,
858 + + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
859 + + oNoneEnabled, oNoneSwitch,
860 + oVisualHostKey,
861 +@@ -615,9 +593,9 @@
862 + int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
863 + SyslogFacility log_facility; /* Facility for system logging. */
864 + @@ -112,7 +116,10 @@ typedef struct {
865 +-
866 + int enable_ssh_keysign;
867 + int64_t rekey_limit;
868 ++ int disable_multithreaded; /*disable multithreaded aes-ctr*/
869 + + int none_switch; /* Use none cipher */
870 + + int none_enabled; /* Allow none to be used */
871 + int rekey_interval;
872 +@@ -700,9 +678,9 @@
873 + + options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
874 + + }
875 + +
876 ++ if (options->disable_multithreaded == -1)
877 ++ options->disable_multithreaded = 0;
878 + if (options->ip_qos_interactive == -1)
879 +- options->ip_qos_interactive = IPTOS_DSCP_AF21;
880 +- if (options->ip_qos_bulk == -1)
881 + @@ -486,6 +532,8 @@ typedef enum {
882 + sPasswordAuthentication, sKbdInteractiveAuthentication,
883 + sListenAddress, sAddressFamily,
884 +@@ -1079,11 +1057,11 @@
885 + xxx_host = host;
886 + xxx_hostaddr = hostaddr;
887 +
888 +-@@ -422,6 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
889 ++@@ -422,7 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
890 +
891 + if (!authctxt.success)
892 + fatal("Authentication failed.");
893 +-+
894 ++
895 + + /*
896 + + * If the user wants to use the none cipher, do it post authentication
897 + + * and only if the right conditions are met -- both of the NONE commands
898 +@@ -1105,9 +1083,9 @@
899 + + }
900 + + }
901 + +
902 +- debug("Authentication succeeded (%s).", authctxt.method->name);
903 +- }
904 +-
905 ++ #ifdef WITH_OPENSSL
906 ++ if (options.disable_multithreaded == 0) {
907 ++ /* if we are using aes-ctr there can be issues in either a fork or sandbox
908 + diff --git a/sshd.c b/sshd.c
909 + index 11571c01..23a06022 100644
910 + --- a/sshd.c
911
912 diff --git a/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-sctp-glue.patch b/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-sctp-glue.patch
913 new file mode 100644
914 index 0000000..3f5c7a4
915 --- /dev/null
916 +++ b/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-sctp-glue.patch
917 @@ -0,0 +1,19 @@
918 +diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
919 +--- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 14:55:30.408567718 -0800
920 ++++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 16:36:51.394069720 -0800
921 +@@ -1191,15 +1191,3 @@
922 + # Example of overriding settings on a per-user basis
923 + #Match User anoncvs
924 + # X11Forwarding no
925 +-diff --git a/version.h b/version.h
926 +-index 6b3fadf8..ec1d2e27 100644
927 +---- a/version.h
928 +-+++ b/version.h
929 +-@@ -3,4 +3,6 @@
930 +- #define SSH_VERSION "OpenSSH_8.1"
931 +-
932 +- #define SSH_PORTABLE "p1"
933 +--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
934 +-+#define SSH_HPN "-hpn14v20"
935 +-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
936 +-+
937
938 diff --git a/net-misc/openssh/files/openssh-8.1_p1-tests-2020.patch b/net-misc/openssh/files/openssh-8.1_p1-tests-2020.patch
939 new file mode 100644
940 index 0000000..505e34d
941 --- /dev/null
942 +++ b/net-misc/openssh/files/openssh-8.1_p1-tests-2020.patch
943 @@ -0,0 +1,26 @@
944 +diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
945 +index 86ea6250..844adabc 100644
946 +--- a/regress/cert-hostkey.sh
947 ++++ b/regress/cert-hostkey.sh
948 +@@ -252,7 +252,7 @@ test_one() {
949 + test_one "user-certificate" failure "-n $HOSTS"
950 + test_one "empty principals" success "-h"
951 + test_one "wrong principals" failure "-h -n foo"
952 +-test_one "cert not yet valid" failure "-h -V20200101:20300101"
953 ++test_one "cert not yet valid" failure "-h -V20300101:20320101"
954 + test_one "cert expired" failure "-h -V19800101:19900101"
955 + test_one "cert valid interval" success "-h -V-1w:+2w"
956 + test_one "cert has constraints" failure "-h -Oforce-command=false"
957 +diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
958 +index 38c14a69..5cd02fc3 100644
959 +--- a/regress/cert-userkey.sh
960 ++++ b/regress/cert-userkey.sh
961 +@@ -338,7 +338,7 @@ test_one() {
962 + test_one "correct principal" success "-n ${USER}"
963 + test_one "host-certificate" failure "-n ${USER} -h"
964 + test_one "wrong principals" failure "-n foo"
965 +-test_one "cert not yet valid" failure "-n ${USER} -V20200101:20300101"
966 ++test_one "cert not yet valid" failure "-n ${USER} -V20300101:20320101"
967 + test_one "cert expired" failure "-n ${USER} -V19800101:19900101"
968 + test_one "cert valid interval" success "-n ${USER} -V-1w:+2w"
969 + test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8"
Report Message
Find on MARC Find on Google Groups