commit: 54169cefe0925095a46bcead1b4b875a62873e3e |
Author: Quentin Retornaz <gentoo <AT> retornaz <DOT> com> |
AuthorDate: Sat Jan 30 15:09:05 2021 +0000 |
Commit: Quentin Retornaz <gentoo <AT> retornaz <DOT> com> |
CommitDate: Sat Jan 30 15:09:05 2021 +0000 |
URL: https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=54169cef |
|
net-misc/openssh: add missing patches |
|
Package-Manager: Portage-3.0.13, Repoman-3.0.2 |
Signed-off-by: Quentin Retornaz <gentoo <AT> retornaz.com> |
|
.../openssh-6.7_p1-openssl-ignore-status.patch | 17 + |
...penssh-7.5_p1-disable-conch-interop-tests.patch | 20 ++ |
.../files/openssh-7.9_p1-include-stdlib.patch | 48 +++ |
...mget-shmat-shmdt-in-preauth-privsep-child.patch | 31 ++ |
.../files/openssh-8.0_p1-fix-putty-tests.patch | 57 ++++ |
.../files/openssh-8.0_p1-hpn-14.20-X509-glue.patch | 111 +++++++ |
.../openssh/files/openssh-8.0_p1-hpn-version.patch | 13 + |
.../openssh/files/openssh-8.1_p1-GSSAPI-dns.patch | 359 +++++++++++++++++++++ |
.../files/openssh-8.1_p1-X509-12.3-tests.patch | 11 + |
.../files/openssh-8.1_p1-X509-glue-12.3.patch | 35 ++ |
.../files/openssh-8.1_p1-hpn-14.20-glue.patch | 105 ++++++ |
.../files/openssh-8.1_p1-hpn-14.20-sctp-glue.patch | 19 ++ |
.../openssh/files/openssh-8.1_p1-tests-2020.patch | 26 ++ |
13 files changed, 852 insertions(+) |
|
diff --git a/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch b/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch |
29 |
new file mode 100644 |
30 |
index 0000000..fa33af3 |
31 |
--- /dev/null |
32 |
+++ b/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch |
33 |
@@ -0,0 +1,17 @@ |
34 |
+the last nibble of the openssl version represents the status. that is, |
35 |
+whether it is a beta or release. when it comes to version checks in |
36 |
+openssh, this component does not matter, so ignore it. |
37 |
+ |
38 |
+https://bugzilla.mindrot.org/show_bug.cgi?id=2212 |
39 |
+ |
40 |
+--- a/openbsd-compat/openssl-compat.c |
41 |
++++ b/openbsd-compat/openssl-compat.c |
42 |
+@@ -58,7 +58,7 @@ ssh_compatible_openssl(long headerver, long libver) |
43 |
+ * For versions >= 1.0.0, major,minor,status must match and library |
44 |
+ * fix version must be equal to or newer than the header. |
45 |
+ */ |
46 |
+- mask = 0xfff0000fL; /* major,minor,status */ |
47 |
++ mask = 0xfff00000L; /* major,minor,status */ |
48 |
+ hfix = (headerver & 0x000ff000) >> 12; |
49 |
+ lfix = (libver & 0x000ff000) >> 12; |
50 |
+ if ( (headerver & mask) == (libver & mask) && lfix >= hfix) |
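Review bot: The comment kept on the new mask line still says `/* major,minor,status */`, yet the status nibble is exactly what widening the mask to `0xfff00000L` drops, so the comment now contradicts the code; change it to `mask = 0xfff00000L; /* major,minor */`. The relaxation means a binary built against beta headers will accept the matching release library and vice versa, which is acceptable for a compatibility probe, but the patch header should state that the unchanged `lfix >= hfix` comparison on the following lines is then the only remaining guard on the library being new enough. ssh_compatible_openssl continues outside the hunk.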
51 |
|
52 |
diff --git a/net-misc/openssh/files/openssh-7.5_p1-disable-conch-interop-tests.patch b/net-misc/openssh/files/openssh-7.5_p1-disable-conch-interop-tests.patch |
53 |
new file mode 100644 |
54 |
index 0000000..a5647ce |
55 |
--- /dev/null |
56 |
+++ b/net-misc/openssh/files/openssh-7.5_p1-disable-conch-interop-tests.patch |
57 |
@@ -0,0 +1,20 @@ |
58 |
+Disable conch interop tests which are failing when called |
59 |
+via portage for yet unknown reason and because using conch |
60 |
+seems to be flaky (test is failing when using Python2 but |
61 |
+passing when using Python3). |
62 |
+ |
63 |
+Bug: https://bugs.gentoo.org/605446 |
64 |
+ |
65 |
+--- a/regress/conch-ciphers.sh |
66 |
++++ b/regress/conch-ciphers.sh |
67 |
+@@ -3,6 +3,10 @@ |
68 |
+ |
69 |
+ tid="conch ciphers" |
70 |
+ |
71 |
++# https://bugs.gentoo.org/605446 |
72 |
++echo "conch interop tests skipped due to Gentoo bug #605446" |
73 |
++exit 0 |
74 |
++ |
75 |
+ if test "x$REGRESS_INTEROP_CONCH" != "xyes" ; then |
76 |
+ echo "conch interop tests not enabled" |
77 |
+ exit 0 |
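Review bot: The added `exit 0` sits before the existing `REGRESS_INTEROP_CONCH` gate and is unconditional, so the harness records the conch cipher interop as passed forever, and nothing will surface when Gentoo bug 605446 is eventually fixed and the test could run again. Consider making the skip opt-out so a developer can still exercise it locally, e.g. `if test "x$GENTOO_SKIP_CONCH" != "xno"; then echo "conch interop tests skipped due to Gentoo bug #605446"; exit 0; fi`, and have the message say "skipped" as it already does rather than implying success. The rest of conch-ciphers.sh continues outside the hunk.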
78 |
|
79 |
diff --git a/net-misc/openssh/files/openssh-7.9_p1-include-stdlib.patch b/net-misc/openssh/files/openssh-7.9_p1-include-stdlib.patch |
80 |
new file mode 100644 |
81 |
index 0000000..c5697c2 |
82 |
--- /dev/null |
83 |
+++ b/net-misc/openssh/files/openssh-7.9_p1-include-stdlib.patch |
84 |
@@ -0,0 +1,48 @@ |
85 |
+diff --git a/auth-options.c b/auth-options.c |
86 |
+index b05d6d6f..d1f42f04 100644 |
87 |
+--- a/auth-options.c |
88 |
++++ b/auth-options.c |
89 |
+@@ -26,6 +26,7 @@ |
90 |
+ #include <stdarg.h> |
91 |
+ #include <ctype.h> |
92 |
+ #include <limits.h> |
93 |
++#include <stdlib.h> |
94 |
+ |
95 |
+ #include "openbsd-compat/sys-queue.h" |
96 |
+ |
97 |
+diff --git a/hmac.c b/hmac.c |
98 |
+index 1c879640..a29f32c5 100644 |
99 |
+--- a/hmac.c |
100 |
++++ b/hmac.c |
101 |
+@@ -19,6 +19,7 @@ |
102 |
+ |
103 |
+ #include <sys/types.h> |
104 |
+ #include <string.h> |
105 |
++#include <stdlib.h> |
106 |
+ |
107 |
+ #include "sshbuf.h" |
108 |
+ #include "digest.h" |
109 |
+diff --git a/krl.c b/krl.c |
110 |
+index 8e2d5d5d..c32e147a 100644 |
111 |
+--- a/krl.c |
112 |
++++ b/krl.c |
113 |
+@@ -28,6 +28,7 @@ |
114 |
+ #include <string.h> |
115 |
+ #include <time.h> |
116 |
+ #include <unistd.h> |
117 |
++#include <stdlib.h> |
118 |
+ |
119 |
+ #include "sshbuf.h" |
120 |
+ #include "ssherr.h" |
121 |
+diff --git a/mac.c b/mac.c |
122 |
+index 51dc11d7..3d11eba6 100644 |
123 |
+--- a/mac.c |
124 |
++++ b/mac.c |
125 |
+@@ -29,6 +29,7 @@ |
126 |
+ |
127 |
+ #include <string.h> |
128 |
+ #include <stdio.h> |
129 |
++#include <stdlib.h> |
130 |
+ |
131 |
+ #include "digest.h" |
132 |
+ #include "hmac.h" |
133 |
|
134 |
diff --git a/net-misc/openssh/files/openssh-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch b/net-misc/openssh/files/openssh-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch |
135 |
new file mode 100644 |
136 |
index 0000000..fe3be24 |
137 |
--- /dev/null |
138 |
+++ b/net-misc/openssh/files/openssh-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch |
139 |
@@ -0,0 +1,31 @@ |
140 |
+From 3ef92a657444f172b61f92d5da66d94fa8265602 Mon Sep 17 00:00:00 2001 |
141 |
+From: Lonnie Abelbeck <lonnie@××××××××.com> |
142 |
+Date: Tue, 1 Oct 2019 09:05:09 -0500 |
143 |
+Subject: [PATCH] Deny (non-fatal) shmget/shmat/shmdt in preauth privsep child. |
144 |
+ |
145 |
+New wait_random_seeded() function on OpenSSL 1.1.1d uses shmget, shmat, and shmdt |
146 |
+in the preauth codepath, deny (non-fatal) in seccomp_filter sandbox. |
147 |
+--- |
148 |
+ sandbox-seccomp-filter.c | 9 +++++++++ |
149 |
+ 1 file changed, 9 insertions(+) |
150 |
+ |
151 |
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c |
152 |
+index 840c5232b..39dc289e3 100644 |
153 |
+--- a/sandbox-seccomp-filter.c |
154 |
++++ b/sandbox-seccomp-filter.c |
155 |
+@@ -168,6 +168,15 @@ static const struct sock_filter preauth_insns[] = { |
156 |
+ #ifdef __NR_stat64 |
157 |
+ SC_DENY(__NR_stat64, EACCES), |
158 |
+ #endif |
159 |
++#ifdef __NR_shmget |
160 |
++ SC_DENY(__NR_shmget, EACCES), |
161 |
++#endif |
162 |
++#ifdef __NR_shmat |
163 |
++ SC_DENY(__NR_shmat, EACCES), |
164 |
++#endif |
165 |
++#ifdef __NR_shmdt |
166 |
++ SC_DENY(__NR_shmdt, EACCES), |
167 |
++#endif |
168 |
+ |
169 |
+ /* Syscalls to permit */ |
170 |
+ #ifdef __NR_brk |
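Review bot: Each new denial is wrapped in `#ifdef __NR_shmget` / `__NR_shmat` / `__NR_shmdt`, so on Linux targets where SysV IPC is only reachable through the multiplexed ipc(2) syscall and those per-call numbers are not defined, nothing is added and OpenSSL's wait_random_seeded() path in the preauth child would hit the filter's default action instead of the intended non-fatal EACCES — presumably a fatal SIGSYS, though that depends on the filter's default, which is outside this hunk. It would be consistent to add the same treatment for the multiplexer next to the three new entries, `#ifdef __NR_ipc` / `SC_DENY(__NR_ipc, EACCES),` / `#endif`, after checking which arches this ebuild is keyworded for actually define it. The preauth_insns array continues outside the hunk.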
171 |
|
172 |
diff --git a/net-misc/openssh/files/openssh-8.0_p1-fix-putty-tests.patch b/net-misc/openssh/files/openssh-8.0_p1-fix-putty-tests.patch |
173 |
new file mode 100644 |
174 |
index 0000000..4310aa1 |
175 |
--- /dev/null |
176 |
+++ b/net-misc/openssh/files/openssh-8.0_p1-fix-putty-tests.patch |
177 |
@@ -0,0 +1,57 @@ |
178 |
+Make sure that host keys are already accepted before |
179 |
+running tests. |
180 |
+ |
181 |
+https://bugs.gentoo.org/493866 |
182 |
+ |
183 |
+--- a/regress/putty-ciphers.sh |
184 |
++++ b/regress/putty-ciphers.sh |
185 |
+@@ -10,11 +10,17 @@ fi |
186 |
+ |
187 |
+ for c in aes 3des aes128-ctr aes192-ctr aes256-ctr ; do |
188 |
+ verbose "$tid: cipher $c" |
189 |
++ rm -f ${COPY} |
190 |
+ cp ${OBJ}/.putty/sessions/localhost_proxy \ |
191 |
+ ${OBJ}/.putty/sessions/cipher_$c |
192 |
+ echo "Cipher=$c" >> ${OBJ}/.putty/sessions/cipher_$c |
193 |
+ |
194 |
+- rm -f ${COPY} |
195 |
++ env HOME=$PWD echo "y" | ${PLINK} -load cipher_$c \ |
196 |
++ -i ${OBJ}/putty.rsa2 "exit" |
197 |
++ if [ $? -ne 0 ]; then |
198 |
++ fail "failed to pre-cache host key" |
199 |
++ fi |
200 |
++ |
201 |
+ env HOME=$PWD ${PLINK} -load cipher_$c -batch -i ${OBJ}/putty.rsa2 \ |
202 |
+ cat ${DATA} > ${COPY} |
203 |
+ if [ $? -ne 0 ]; then |
204 |
+--- a/regress/putty-kex.sh |
205 |
++++ b/regress/putty-kex.sh |
206 |
+@@ -14,6 +14,12 @@ for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ; do |
207 |
+ ${OBJ}/.putty/sessions/kex_$k |
208 |
+ echo "KEX=$k" >> ${OBJ}/.putty/sessions/kex_$k |
209 |
+ |
210 |
++ env HOME=$PWD echo "y" | ${PLINK} -load kex_$k \ |
211 |
++ -i ${OBJ}/putty.rsa2 "exit" |
212 |
++ if [ $? -ne 0 ]; then |
213 |
++ fail "failed to pre-cache host key" |
214 |
++ fi |
215 |
++ |
216 |
+ env HOME=$PWD ${PLINK} -load kex_$k -batch -i ${OBJ}/putty.rsa2 true |
217 |
+ if [ $? -ne 0 ]; then |
218 |
+ fail "KEX $k failed" |
219 |
+--- a/regress/putty-transfer.sh |
220 |
++++ b/regress/putty-transfer.sh |
221 |
+@@ -14,6 +14,13 @@ for c in 0 1 ; do |
222 |
+ cp ${OBJ}/.putty/sessions/localhost_proxy \ |
223 |
+ ${OBJ}/.putty/sessions/compression_$c |
224 |
+ echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k |
225 |
++ |
226 |
++ env HOME=$PWD echo "y" | ${PLINK} -load compression_$c \ |
227 |
++ -i ${OBJ}/putty.rsa2 "exit" |
228 |
++ if [ $? -ne 0 ]; then |
229 |
++ fail "failed to pre-cache host key" |
230 |
++ fi |
231 |
++ |
232 |
+ env HOME=$PWD ${PLINK} -load compression_$c -batch \ |
233 |
+ -i ${OBJ}/putty.rsa2 cat ${DATA} > ${COPY} |
234 |
+ if [ $? -ne 0 ]; then |
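Review bot: In all three added pre-cache calls, `env HOME=$PWD echo "y" | ${PLINK} ...` applies the HOME override only to the `echo` on the left of the pipe, so plink itself runs with the caller's real HOME: the auto-accepted host key is written into the user's own ~/.putty host-key store rather than ${OBJ}/.putty, and `-load cipher_$c` may not even find the session the test just created unless HOME already points at the test directory. Move the override to the right-hand command, `echo "y" | env HOME=$PWD ${PLINK} -load cipher_$c -i ${OBJ}/putty.rsa2 "exit"`, and likewise for the `kex_$k` and `compression_$c` loops. Blindly answering "y" to a host-key prompt is only acceptable because it is meant to be scoped to the test's private .putty directory, so this ordering is what makes the patch safe rather than a cosmetic fix. The enclosing loops continue outside the hunk in each of the three scripts.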
235 |
|
236 |
diff --git a/net-misc/openssh/files/openssh-8.0_p1-hpn-14.20-X509-glue.patch b/net-misc/openssh/files/openssh-8.0_p1-hpn-14.20-X509-glue.patch |
237 |
new file mode 100644 |
238 |
index 0000000..167adfc |
239 |
--- /dev/null |
240 |
+++ b/net-misc/openssh/files/openssh-8.0_p1-hpn-14.20-X509-glue.patch |
241 |
@@ -0,0 +1,111 @@ |
242 |
+diff -ur a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff |
243 |
+--- a/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-02-04 15:49:15.746095444 -0800 |
244 |
++++ b/openssh-8_1_P1-hpn-AES-CTR-14.20.diff 2020-02-04 15:49:54.181853707 -0800 |
245 |
+@@ -4,8 +4,8 @@ |
246 |
+ +++ b/Makefile.in |
247 |
+ @@ -42,7 +42,7 @@ CC=@CC@ |
248 |
+ LD=@LD@ |
249 |
+- CFLAGS=@CFLAGS@ |
250 |
+- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ |
251 |
++ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA) |
252 |
++ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ |
253 |
+ -LIBS=@LIBS@ |
254 |
+ +LIBS=@LIBS@ -lpthread |
255 |
+ K5LIBS=@K5LIBS@ |
256 |
+@@ -803,8 +803,8 @@ |
257 |
+ ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out) |
258 |
+ { |
259 |
+ struct session_state *state; |
260 |
+-- const struct sshcipher *none = cipher_by_name("none"); |
261 |
+-+ struct sshcipher *none = cipher_by_name("none"); |
262 |
++- const struct sshcipher *none = cipher_none(); |
263 |
+++ struct sshcipher *none = cipher_none(); |
264 |
+ int r; |
265 |
+ |
266 |
+ if (none == NULL) { |
267 |
+@@ -948,9 +948,9 @@ |
268 |
+ /* Portable-specific options */ |
269 |
+ sUsePAM, |
270 |
+ + sDisableMTAES, |
271 |
+- /* Standard Options */ |
272 |
+- sPort, sHostKeyFile, sLoginGraceTime, |
273 |
+- sPermitRootLogin, sLogFacility, sLogLevel, |
274 |
++ /* X.509 Standard Options */ |
275 |
++ sHostbasedAlgorithms, |
276 |
++ sPubkeyAlgorithms, |
277 |
+ @@ -643,6 +647,7 @@ static struct { |
278 |
+ { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, |
279 |
+ { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, |
280 |
+diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff |
281 |
+--- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 15:41:42.512910357 -0800 |
282 |
++++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 15:56:40.323299499 -0800 |
283 |
+@@ -382,7 +382,7 @@ |
284 |
+ @@ -884,6 +884,10 @@ kex_choose_conf(struct ssh *ssh) |
285 |
+ int nenc, nmac, ncomp; |
286 |
+ u_int mode, ctos, need, dh_need, authlen; |
287 |
+- int r, first_kex_follows; |
288 |
++ int r, first_kex_follows = 0; |
289 |
+ + int auth_flag; |
290 |
+ + |
291 |
+ + auth_flag = packet_authentication_state(ssh); |
292 |
+@@ -391,8 +391,8 @@ |
293 |
+ debug2("local %s KEXINIT proposal", kex->server ? "server" : "client"); |
294 |
+ if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0) |
295 |
+ @@ -954,6 +958,14 @@ kex_choose_conf(struct ssh *ssh) |
296 |
+- peer[ncomp] = NULL; |
297 |
+- goto out; |
298 |
++ else |
299 |
++ fatal("Pre-authentication none cipher requests are not allowed."); |
300 |
+ } |
301 |
+ + debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name); |
302 |
+ + if (strcmp(newkeys->enc.name, "none") == 0) { |
303 |
+@@ -1169,15 +1169,3 @@ |
304 |
+ # Example of overriding settings on a per-user basis |
305 |
+ #Match User anoncvs |
306 |
+ # X11Forwarding no |
307 |
+-diff --git a/version.h b/version.h |
308 |
+-index 6b3fadf8..ec1d2e27 100644 |
309 |
+---- a/version.h |
310 |
+-+++ b/version.h |
311 |
+-@@ -3,4 +3,6 @@ |
312 |
+- #define SSH_VERSION "OpenSSH_8.1" |
313 |
+- |
314 |
+- #define SSH_PORTABLE "p1" |
315 |
+--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE |
316 |
+-+#define SSH_HPN "-hpn14v20" |
317 |
+-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN |
318 |
+-+ |
319 |
+diff -ur a/openssh-8_1_P1-hpn-PeakTput-14.20.diff b/openssh-8_1_P1-hpn-PeakTput-14.20.diff |
320 |
+--- a/openssh-8_1_P1-hpn-PeakTput-14.20.diff 2020-02-04 15:41:42.512910357 -0800 |
321 |
++++ b/openssh-8_1_P1-hpn-PeakTput-14.20.diff 2020-02-04 16:02:42.203023609 -0800 |
322 |
+@@ -12,9 +12,9 @@ |
323 |
+ static long stalled; /* how long we have been stalled */ |
324 |
+ static int bytes_per_second; /* current speed in bytes per second */ |
325 |
+ @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update) |
326 |
++ off_t bytes_left; |
327 |
+ int cur_speed; |
328 |
+- int hours, minutes, seconds; |
329 |
+- int file_len; |
330 |
++ int len; |
331 |
+ + off_t delta_pos; |
332 |
+ |
333 |
+ if ((!force_update && !alarm_fired && !win_resized) || !can_output()) |
334 |
+@@ -33,12 +33,12 @@ |
335 |
+ @@ -166,7 +173,7 @@ refresh_progress_meter(int force_update) |
336 |
+ |
337 |
+ /* filename */ |
338 |
+- buf[0] = '\0'; |
339 |
+-- file_len = win_size - 36; |
340 |
+-+ file_len = win_size - 45; |
341 |
+- if (file_len > 0) { |
342 |
+- buf[0] = '\r'; |
343 |
+- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s", |
344 |
++ if (win_size > 36) { |
345 |
++- int file_len = win_size - 36; |
346 |
+++ int file_len = win_size - 45; |
347 |
++ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ", |
348 |
++ file_len, file); |
349 |
++ } |
350 |
+ @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update) |
351 |
+ (off_t)bytes_per_second); |
352 |
+ strlcat(buf, "/s ", win_size); |
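Review bot: This glue file is named `openssh-8.0_p1-hpn-14.20-X509-glue.patch`, but every hunk in it edits the `openssh-8_1_P1-hpn-*-14.20.diff` files, and the same commit adds a separately named `openssh-8.1_p1-hpn-14.20-glue.patch`. If the 8.0 name is kept only because the ebuild already references it, a one-line header in the file saying so (this file has none, unlike most others in the commit) would stop the next maintainer from assuming it is stale; otherwise rename it to match the HPN diffs it edits. I can only infer the ebuild's expectations, since the ebuild is not part of this commit.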
353 |
|
354 |
diff --git a/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch b/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch |
355 |
new file mode 100644 |
356 |
index 0000000..37905ce |
357 |
--- /dev/null |
358 |
+++ b/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch |
359 |
@@ -0,0 +1,13 @@ |
360 |
+diff --git a/kex.c b/kex.c |
361 |
+index 34808b5c..88d7ccac 100644 |
362 |
+--- a/kex.c |
363 |
++++ b/kex.c |
364 |
+@@ -1126,7 +1126,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms, |
365 |
+ if (version_addendum != NULL && *version_addendum == '\0') |
366 |
+ version_addendum = NULL; |
367 |
+ if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n", |
368 |
+- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, |
369 |
++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, |
370 |
+ version_addendum == NULL ? "" : " ", |
371 |
+ version_addendum == NULL ? "" : version_addendum)) != 0) { |
372 |
+ error("%s: sshbuf_putf: %s", __func__, ssh_err(r)); |
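Review bot: Switching the identification banner from `SSH_VERSION` to `SSH_RELEASE` also advertises whatever the HPN and X509 glue append to SSH_RELEASE (the HPN glue elsewhere in this commit defines an `-hpn14v20` suffix) to every peer and scanner before authentication. If that is the intent, say so in a patch header, which this file lacks unlike the others here, e.g. `Advertise SSH_RELEASE (including the HPN suffix) in the version banner so HPN-aware peers can detect each other`; if it is not needed, keeping SSH_VERSION leaks less about the local build. The `%.100s` bound in the format still caps the banner length, so the change is a disclosure question, not a memory one. kex_exchange_identification continues outside the hunk.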
373 |
|
374 |
diff --git a/net-misc/openssh/files/openssh-8.1_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-8.1_p1-GSSAPI-dns.patch |
375 |
new file mode 100644 |
376 |
index 0000000..6aba6f2 |
377 |
--- /dev/null |
378 |
+++ b/net-misc/openssh/files/openssh-8.1_p1-GSSAPI-dns.patch |
379 |
@@ -0,0 +1,359 @@ |
380 |
+diff --git a/auth.c b/auth.c |
381 |
+index ca450f4e..2994a4e4 100644 |
382 |
+--- a/auth.c |
383 |
++++ b/auth.c |
384 |
+@@ -723,120 +723,6 @@ fakepw(void) |
385 |
+ return (&fake); |
386 |
+ } |
387 |
+ |
388 |
+-/* |
389 |
+- * Returns the remote DNS hostname as a string. The returned string must not |
390 |
+- * be freed. NB. this will usually trigger a DNS query the first time it is |
391 |
+- * called. |
392 |
+- * This function does additional checks on the hostname to mitigate some |
393 |
+- * attacks on legacy rhosts-style authentication. |
394 |
+- * XXX is RhostsRSAAuthentication vulnerable to these? |
395 |
+- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) |
396 |
+- */ |
397 |
+- |
398 |
+-static char * |
399 |
+-remote_hostname(struct ssh *ssh) |
400 |
+-{ |
401 |
+- struct sockaddr_storage from; |
402 |
+- socklen_t fromlen; |
403 |
+- struct addrinfo hints, *ai, *aitop; |
404 |
+- char name[NI_MAXHOST], ntop2[NI_MAXHOST]; |
405 |
+- const char *ntop = ssh_remote_ipaddr(ssh); |
406 |
+- |
407 |
+- /* Get IP address of client. */ |
408 |
+- fromlen = sizeof(from); |
409 |
+- memset(&from, 0, sizeof(from)); |
410 |
+- if (getpeername(ssh_packet_get_connection_in(ssh), |
411 |
+- (struct sockaddr *)&from, &fromlen) == -1) { |
412 |
+- debug("getpeername failed: %.100s", strerror(errno)); |
413 |
+- return strdup(ntop); |
414 |
+- } |
415 |
+- |
416 |
+- ipv64_normalise_mapped(&from, &fromlen); |
417 |
+- if (from.ss_family == AF_INET6) |
418 |
+- fromlen = sizeof(struct sockaddr_in6); |
419 |
+- |
420 |
+- debug3("Trying to reverse map address %.100s.", ntop); |
421 |
+- /* Map the IP address to a host name. */ |
422 |
+- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), |
423 |
+- NULL, 0, NI_NAMEREQD) != 0) { |
424 |
+- /* Host name not found. Use ip address. */ |
425 |
+- return strdup(ntop); |
426 |
+- } |
427 |
+- |
428 |
+- /* |
429 |
+- * if reverse lookup result looks like a numeric hostname, |
430 |
+- * someone is trying to trick us by PTR record like following: |
431 |
+- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 |
432 |
+- */ |
433 |
+- memset(&hints, 0, sizeof(hints)); |
434 |
+- hints.ai_socktype = SOCK_DGRAM; /*dummy*/ |
435 |
+- hints.ai_flags = AI_NUMERICHOST; |
436 |
+- if (getaddrinfo(name, NULL, &hints, &ai) == 0) { |
437 |
+- logit("Nasty PTR record \"%s\" is set up for %s, ignoring", |
438 |
+- name, ntop); |
439 |
+- freeaddrinfo(ai); |
440 |
+- return strdup(ntop); |
441 |
+- } |
442 |
+- |
443 |
+- /* Names are stored in lowercase. */ |
444 |
+- lowercase(name); |
445 |
+- |
446 |
+- /* |
447 |
+- * Map it back to an IP address and check that the given |
448 |
+- * address actually is an address of this host. This is |
449 |
+- * necessary because anyone with access to a name server can |
450 |
+- * define arbitrary names for an IP address. Mapping from |
451 |
+- * name to IP address can be trusted better (but can still be |
452 |
+- * fooled if the intruder has access to the name server of |
453 |
+- * the domain). |
454 |
+- */ |
455 |
+- memset(&hints, 0, sizeof(hints)); |
456 |
+- hints.ai_family = from.ss_family; |
457 |
+- hints.ai_socktype = SOCK_STREAM; |
458 |
+- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { |
459 |
+- logit("reverse mapping checking getaddrinfo for %.700s " |
460 |
+- "[%s] failed.", name, ntop); |
461 |
+- return strdup(ntop); |
462 |
+- } |
463 |
+- /* Look for the address from the list of addresses. */ |
464 |
+- for (ai = aitop; ai; ai = ai->ai_next) { |
465 |
+- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, |
466 |
+- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && |
467 |
+- (strcmp(ntop, ntop2) == 0)) |
468 |
+- break; |
469 |
+- } |
470 |
+- freeaddrinfo(aitop); |
471 |
+- /* If we reached the end of the list, the address was not there. */ |
472 |
+- if (ai == NULL) { |
473 |
+- /* Address not found for the host name. */ |
474 |
+- logit("Address %.100s maps to %.600s, but this does not " |
475 |
+- "map back to the address.", ntop, name); |
476 |
+- return strdup(ntop); |
477 |
+- } |
478 |
+- return strdup(name); |
479 |
+-} |
480 |
+- |
481 |
+-/* |
482 |
+- * Return the canonical name of the host in the other side of the current |
483 |
+- * connection. The host name is cached, so it is efficient to call this |
484 |
+- * several times. |
485 |
+- */ |
486 |
+- |
487 |
+-const char * |
488 |
+-auth_get_canonical_hostname(struct ssh *ssh, int use_dns) |
489 |
+-{ |
490 |
+- static char *dnsname; |
491 |
+- |
492 |
+- if (!use_dns) |
493 |
+- return ssh_remote_ipaddr(ssh); |
494 |
+- else if (dnsname != NULL) |
495 |
+- return dnsname; |
496 |
+- else { |
497 |
+- dnsname = remote_hostname(ssh); |
498 |
+- return dnsname; |
499 |
+- } |
500 |
+-} |
501 |
+- |
502 |
+ /* |
503 |
+ * Runs command in a subprocess with a minimal environment. |
504 |
+ * Returns pid on success, 0 on failure. |
505 |
+diff --git a/canohost.c b/canohost.c |
506 |
+index abea9c6e..4f4524d2 100644 |
507 |
+--- a/canohost.c |
508 |
++++ b/canohost.c |
509 |
+@@ -202,3 +202,117 @@ get_local_port(int sock) |
510 |
+ { |
511 |
+ return get_sock_port(sock, 1); |
512 |
+ } |
513 |
++ |
514 |
++/* |
515 |
++ * Returns the remote DNS hostname as a string. The returned string must not |
516 |
++ * be freed. NB. this will usually trigger a DNS query the first time it is |
517 |
++ * called. |
518 |
++ * This function does additional checks on the hostname to mitigate some |
519 |
++ * attacks on legacy rhosts-style authentication. |
520 |
++ * XXX is RhostsRSAAuthentication vulnerable to these? |
521 |
++ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) |
522 |
++ */ |
523 |
++ |
524 |
++static char * |
525 |
++remote_hostname(struct ssh *ssh) |
526 |
++{ |
527 |
++ struct sockaddr_storage from; |
528 |
++ socklen_t fromlen; |
529 |
++ struct addrinfo hints, *ai, *aitop; |
530 |
++ char name[NI_MAXHOST], ntop2[NI_MAXHOST]; |
531 |
++ const char *ntop = ssh_remote_ipaddr(ssh); |
532 |
++ |
533 |
++ /* Get IP address of client. */ |
534 |
++ fromlen = sizeof(from); |
535 |
++ memset(&from, 0, sizeof(from)); |
536 |
++ if (getpeername(ssh_packet_get_connection_in(ssh), |
537 |
++ (struct sockaddr *)&from, &fromlen) < 0) { |
538 |
++ debug("getpeername failed: %.100s", strerror(errno)); |
539 |
++ return strdup(ntop); |
540 |
++ } |
541 |
++ |
542 |
++ ipv64_normalise_mapped(&from, &fromlen); |
543 |
++ if (from.ss_family == AF_INET6) |
544 |
++ fromlen = sizeof(struct sockaddr_in6); |
545 |
++ |
546 |
++ debug3("Trying to reverse map address %.100s.", ntop); |
547 |
++ /* Map the IP address to a host name. */ |
548 |
++ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), |
549 |
++ NULL, 0, NI_NAMEREQD) != 0) { |
550 |
++ /* Host name not found. Use ip address. */ |
551 |
++ return strdup(ntop); |
552 |
++ } |
553 |
++ |
554 |
++ /* |
555 |
++ * if reverse lookup result looks like a numeric hostname, |
556 |
++ * someone is trying to trick us by PTR record like following: |
557 |
++ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 |
558 |
++ */ |
559 |
++ memset(&hints, 0, sizeof(hints)); |
560 |
++ hints.ai_socktype = SOCK_DGRAM; /*dummy*/ |
561 |
++ hints.ai_flags = AI_NUMERICHOST; |
562 |
++ if (getaddrinfo(name, NULL, &hints, &ai) == 0) { |
563 |
++ logit("Nasty PTR record \"%s\" is set up for %s, ignoring", |
564 |
++ name, ntop); |
565 |
++ freeaddrinfo(ai); |
566 |
++ return strdup(ntop); |
567 |
++ } |
568 |
++ |
569 |
++ /* Names are stored in lowercase. */ |
570 |
++ lowercase(name); |
571 |
++ |
572 |
++ /* |
573 |
++ * Map it back to an IP address and check that the given |
574 |
++ * address actually is an address of this host. This is |
575 |
++ * necessary because anyone with access to a name server can |
576 |
++ * define arbitrary names for an IP address. Mapping from |
577 |
++ * name to IP address can be trusted better (but can still be |
578 |
++ * fooled if the intruder has access to the name server of |
579 |
++ * the domain). |
580 |
++ */ |
581 |
++ memset(&hints, 0, sizeof(hints)); |
582 |
++ hints.ai_family = from.ss_family; |
583 |
++ hints.ai_socktype = SOCK_STREAM; |
584 |
++ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { |
585 |
++ logit("reverse mapping checking getaddrinfo for %.700s " |
586 |
++ "[%s] failed.", name, ntop); |
587 |
++ return strdup(ntop); |
588 |
++ } |
589 |
++ /* Look for the address from the list of addresses. */ |
590 |
++ for (ai = aitop; ai; ai = ai->ai_next) { |
591 |
++ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, |
592 |
++ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && |
593 |
++ (strcmp(ntop, ntop2) == 0)) |
594 |
++ break; |
595 |
++ } |
596 |
++ freeaddrinfo(aitop); |
597 |
++ /* If we reached the end of the list, the address was not there. */ |
598 |
++ if (ai == NULL) { |
599 |
++ /* Address not found for the host name. */ |
600 |
++ logit("Address %.100s maps to %.600s, but this does not " |
601 |
++ "map back to the address.", ntop, name); |
602 |
++ return strdup(ntop); |
603 |
++ } |
604 |
++ return strdup(name); |
605 |
++} |
606 |
++ |
607 |
++/* |
608 |
++ * Return the canonical name of the host in the other side of the current |
609 |
++ * connection. The host name is cached, so it is efficient to call this |
610 |
++ * several times. |
611 |
++ */ |
612 |
++ |
613 |
++const char * |
614 |
++auth_get_canonical_hostname(struct ssh *ssh, int use_dns) |
615 |
++{ |
616 |
++ static char *dnsname; |
617 |
++ |
618 |
++ if (!use_dns) |
619 |
++ return ssh_remote_ipaddr(ssh); |
620 |
++ else if (dnsname != NULL) |
621 |
++ return dnsname; |
622 |
++ else { |
623 |
++ dnsname = remote_hostname(ssh); |
624 |
++ return dnsname; |
625 |
++ } |
626 |
++} |
627 |
+diff --git a/readconf.c b/readconf.c |
628 |
+index f78b4d6f..747287f7 100644 |
629 |
+--- a/readconf.c |
630 |
++++ b/readconf.c |
631 |
+@@ -162,6 +162,7 @@ typedef enum { |
632 |
+ oClearAllForwardings, oNoHostAuthenticationForLocalhost, |
633 |
+ oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, |
634 |
+ oAddressFamily, oGssAuthentication, oGssDelegateCreds, |
635 |
++ oGssTrustDns, |
636 |
+ oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, |
637 |
+ oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist, |
638 |
+ oHashKnownHosts, |
639 |
+@@ -203,9 +204,11 @@ static struct { |
640 |
+ #if defined(GSSAPI) |
641 |
+ { "gssapiauthentication", oGssAuthentication }, |
642 |
+ { "gssapidelegatecredentials", oGssDelegateCreds }, |
643 |
++ { "gssapitrustdns", oGssTrustDns }, |
644 |
+ # else |
645 |
+ { "gssapiauthentication", oUnsupported }, |
646 |
+ { "gssapidelegatecredentials", oUnsupported }, |
647 |
++ { "gssapitrustdns", oUnsupported }, |
648 |
+ #endif |
649 |
+ #ifdef ENABLE_PKCS11 |
650 |
+ { "pkcs11provider", oPKCS11Provider }, |
651 |
+@@ -992,6 +995,10 @@ parse_time: |
652 |
+ intptr = &options->gss_deleg_creds; |
653 |
+ goto parse_flag; |
654 |
+ |
655 |
++ case oGssTrustDns: |
656 |
++ intptr = &options->gss_trust_dns; |
657 |
++ goto parse_flag; |
658 |
++ |
659 |
+ case oBatchMode: |
660 |
+ intptr = &options->batch_mode; |
661 |
+ goto parse_flag; |
662 |
+@@ -1864,6 +1871,7 @@ initialize_options(Options * options) |
663 |
+ options->challenge_response_authentication = -1; |
664 |
+ options->gss_authentication = -1; |
665 |
+ options->gss_deleg_creds = -1; |
666 |
++ options->gss_trust_dns = -1; |
667 |
+ options->password_authentication = -1; |
668 |
+ options->kbd_interactive_authentication = -1; |
669 |
+ options->kbd_interactive_devices = NULL; |
670 |
+@@ -2011,6 +2019,8 @@ fill_default_options(Options * options) |
671 |
+ options->gss_authentication = 0; |
672 |
+ if (options->gss_deleg_creds == -1) |
673 |
+ options->gss_deleg_creds = 0; |
674 |
++ if (options->gss_trust_dns == -1) |
675 |
++ options->gss_trust_dns = 0; |
676 |
+ if (options->password_authentication == -1) |
677 |
+ options->password_authentication = 1; |
678 |
+ if (options->kbd_interactive_authentication == -1) |
679 |
+diff --git a/readconf.h b/readconf.h |
680 |
+index 8e36bf32..c9e4718d 100644 |
681 |
+--- a/readconf.h |
682 |
++++ b/readconf.h |
683 |
+@@ -41,6 +41,7 @@ typedef struct { |
684 |
+ /* Try S/Key or TIS, authentication. */ |
685 |
+ int gss_authentication; /* Try GSS authentication */ |
686 |
+ int gss_deleg_creds; /* Delegate GSS credentials */ |
687 |
++ int gss_trust_dns; /* Trust DNS for GSS canonicalization */ |
688 |
+ int password_authentication; /* Try password |
689 |
+ * authentication. */ |
690 |
+ int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ |
691 |
+diff --git a/ssh_config.5 b/ssh_config.5 |
692 |
+index 02a87892..95de538b 100644 |
693 |
+--- a/ssh_config.5 |
694 |
++++ b/ssh_config.5 |
695 |
+@@ -762,6 +762,16 @@ The default is |
696 |
+ Forward (delegate) credentials to the server. |
697 |
+ The default is |
698 |
+ .Cm no . |
699 |
++Note that this option applies to protocol version 2 connections using GSSAPI. |
700 |
++.It Cm GSSAPITrustDns |
701 |
++Set to |
702 |
++.Dq yes to indicate that the DNS is trusted to securely canonicalize |
703 |
++the name of the host being connected to. If |
704 |
++.Dq no, the hostname entered on the |
705 |
++command line will be passed untouched to the GSSAPI library. |
706 |
++The default is |
707 |
++.Dq no . |
708 |
++This option only applies to protocol version 2 connections using GSSAPI. |
709 |
+ .It Cm HashKnownHosts |
710 |
+ Indicates that |
711 |
+ .Xr ssh 1 |
712 |
+diff --git a/sshconnect2.c b/sshconnect2.c |
713 |
+index 87fa70a4..a6ffdc96 100644 |
714 |
+--- a/sshconnect2.c |
715 |
++++ b/sshconnect2.c |
716 |
+@@ -697,6 +697,13 @@ userauth_gssapi(struct ssh *ssh) |
717 |
+ OM_uint32 min; |
718 |
+ int r, ok = 0; |
719 |
+ gss_OID mech = NULL; |
720 |
++ const char *gss_host; |
721 |
++ |
722 |
++ if (options.gss_trust_dns) { |
723 |
++ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns); |
724 |
++ gss_host = auth_get_canonical_hostname(ssh, 1); |
725 |
++ } else |
726 |
++ gss_host = authctxt->host; |
727 |
+ |
728 |
+ /* Try one GSSAPI method at a time, rather than sending them all at |
729 |
+ * once. */ |
730 |
+@@ -711,7 +718,7 @@ userauth_gssapi(struct ssh *ssh) |
731 |
+ elements[authctxt->mech_tried]; |
732 |
+ /* My DER encoding requires length<128 */ |
733 |
+ if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt, |
734 |
+- mech, authctxt->host)) { |
735 |
++ mech, gss_host)) { |
736 |
+ ok = 1; /* Mechanism works */ |
737 |
+ } else { |
738 |
+ authctxt->mech_tried++; |
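Review bot: The new ssh_config.5 text misuses mdoc: `.Dq` quotes every remaining word on its line, so `.Dq yes to indicate that the DNS is trusted to securely canonicalize` renders that whole phrase in quotes, and `.Dq no, the hostname entered on the` likewise; put the keyword alone on its line as `.Cm yes` / `.Cm no`, matching the `.Cm no .` used by the surrounding entries. The entry also needs the caveat the option name glosses over: with yes, the client asks for a ticket for whatever name the reverse lookup in the relocated remote_hostname() returns, so whoever controls the PTR and matching forward records for the server address chooses which host principal the user authenticates to — add something like `Enabling this lets whoever controls reverse DNS for the server address pick the service principal; only use it where DNS responses are authenticated or otherwise trusted.` In sshconnect2.c the `extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);` prototype is declared inside the body of userauth_gssapi(); it belongs in canohost.h next to the moved definition. userauth_gssapi continues outside the hunk.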
739 |
|
740 |
diff --git a/net-misc/openssh/files/openssh-8.1_p1-X509-12.3-tests.patch b/net-misc/openssh/files/openssh-8.1_p1-X509-12.3-tests.patch |
741 |
new file mode 100644 |
742 |
index 0000000..67a93fe |
743 |
--- /dev/null |
744 |
+++ b/net-misc/openssh/files/openssh-8.1_p1-X509-12.3-tests.patch |
745 |
@@ -0,0 +1,11 @@ |
746 |
+--- a/openbsd-compat/regress/Makefile.in 2019-06-17 10:59:01.210601434 -0700 |
747 |
++++ b/openbsd-compat/regress/Makefile.in 2019-06-17 10:59:18.753485852 -0700 |
748 |
+@@ -7,7 +7,7 @@ |
749 |
+ CC=@CC@ |
750 |
+ LD=@LD@ |
751 |
+ CFLAGS=@CFLAGS@ |
752 |
+-CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@ |
753 |
++CPPFLAGS=-I. -I.. -I../.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@ |
754 |
+ EXEEXT=@EXEEXT@ |
755 |
+ LIBCOMPAT=../libopenbsd-compat.a |
756 |
+ LIBS=@LIBS@ |
757 |
|
758 |
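diff --git a/net-misc/openssh/files/openssh-8.1_p1-X509-glue-12.3.patch b/net-misc/openssh/files/openssh-8.1_p1-X509-glue-12.3.patch
new file mode 100644
index 0000000..48cce79
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.1_p1-X509-glue-12.3.patch
@@ -0,0 +1,35 @@
+Only in b: .openssh-8.1p1+x509-12.3.diff.un~
+diff -ur a/openssh-8.1p1+x509-12.3.diff b/openssh-8.1p1+x509-12.3.diff
+--- a/openssh-8.1p1+x509-12.3.diff 2019-10-14 11:33:45.796485604 -0700
++++ b/openssh-8.1p1+x509-12.3.diff 2019-10-14 11:39:44.960312587 -0700
+@@ -35343,12 +35343,11 @@
+ 
+ install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
+ install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
+-@@ -339,6 +360,8 @@
++@@ -339,6 +360,7 @@
+ $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
+ $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
+ $(MKDIR_P) $(DESTDIR)$(libexecdir)
+ + $(MKDIR_P) $(DESTDIR)$(sshcadir)
+-+ $(MKDIR_P) $(DESTDIR)$(piddir)
+ $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
+@@ -83536,16 +83535,6 @@
+ + return mbtowc(NULL, s, n);
+ +}
+ +#endif
+-diff -ruN openssh-8.1p1/version.h openssh-8.1p1+x509-12.3/version.h
+---- openssh-8.1p1/version.h 2019-10-09 03:31:03.000000000 +0300
+-+++ openssh-8.1p1+x509-12.3/version.h 2019-10-13 09:07:00.000000000 +0300
+-@@ -2,5 +2,4 @@
+- 
+- #define SSH_VERSION "OpenSSH_8.1"
+- 
+--#define SSH_PORTABLE "p1"
+--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1"
+ diff -ruN openssh-8.1p1/version.m4 openssh-8.1p1+x509-12.3/version.m4
+ --- openssh-8.1p1/version.m4 1970-01-01 02:00:00.000000000 +0200
+ +++ openssh-8.1p1+x509-12.3/version.m4 2019-10-13 09:07:00.000000000 +0300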
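Review bot: The first line of the patch, `Only in b: .openssh-8.1p1+x509-12.3.diff.un~`, is a `diff -ur` artefact from an editor undo file that leaked into the glue; `patch` skips it as garbage, but it is noise and should be removed before the patch is committed. The two real hunks drop the X509 set's `$(MKDIR_P) $(DESTDIR)$(piddir)` install step and its version.h rewrite of `SSH_RELEASE`, yet nothing records why; presumably the pid directory is created by the ebuild and the release string is handled elsewhere — confirm. I would put that reasoning in a header line ahead of the first `diff -ur`, e.g. `Drop the piddir install step and the version.h hunk from the X509 diff; both are handled outside this patch`.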
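diff --git a/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-glue.patch b/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-glue.patch
new file mode 100644
index 0000000..90fa248
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-glue.patch
@@ -0,0 +1,105 @@
+diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
+--- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 14:55:30.408567718 -0800
++++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 15:16:14.646567224 -0800
+@@ -409,18 +409,10 @@
+ index 817da43b..b2bcf78f 100644
+ --- a/packet.c
+ +++ b/packet.c
+-@@ -925,6 +925,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
++@@ -925,6 +925,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
+ return 0;
+ }
+ 
+-+/* this supports the forced rekeying required for the NONE cipher */
+-+int rekey_requested = 0;
+-+void
+-+packet_request_rekeying(void)
+-+{
+-+ rekey_requested = 1;
+-+}
+-+
+ +/* used to determine if pre or post auth when rekeying for aes-ctr
+ + * and none cipher switch */
+ +int
+@@ -434,20 +426,6 @@
+ #define MAX_PACKETS (1U<<31)
+ static int
+ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+-@@ -951,6 +969,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+- if (state->p_send.packets == 0 && state->p_read.packets == 0)
+- return 0;
+- 
+-+ /* used to force rekeying when called for by the none
+-+ * cipher switch methods -cjr */
+-+ if (rekey_requested == 1) {
+-+ rekey_requested = 0;
+-+ return 1;
+-+ }
+-+
+- /* Time-based rekeying */
+- if (state->rekey_interval != 0 &&
+- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
+ diff --git a/packet.h b/packet.h
+ index 8ccfd2e0..1ad9bc06 100644
+ --- a/packet.h
+@@ -476,9 +454,9 @@
+ /* Format of the configuration file:
+ 
+ @@ -167,6 +168,8 @@ typedef enum {
+- oHashKnownHosts,
+ oTunnel, oTunnelDevice,
+ oLocalCommand, oPermitLocalCommand, oRemoteCommand,
++ oDisableMTAES,
+ + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
+ + oNoneEnabled, oNoneSwitch,
+ oVisualHostKey,
+@@ -615,9 +593,9 @@
+ int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
+ SyslogFacility log_facility; /* Facility for system logging. */
+ @@ -112,7 +116,10 @@ typedef struct {
+- 
+ int enable_ssh_keysign;
+ int64_t rekey_limit;
++ int disable_multithreaded; /*disable multithreaded aes-ctr*/
+ + int none_switch; /* Use none cipher */
+ + int none_enabled; /* Allow none to be used */
+ int rekey_interval;
+@@ -700,9 +678,9 @@
+ + options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
+ + }
+ + 
++ if (options->disable_multithreaded == -1)
++ options->disable_multithreaded = 0;
+ if (options->ip_qos_interactive == -1)
+- options->ip_qos_interactive = IPTOS_DSCP_AF21;
+- if (options->ip_qos_bulk == -1)
+ @@ -486,6 +532,8 @@ typedef enum {
+ sPasswordAuthentication, sKbdInteractiveAuthentication,
+ sListenAddress, sAddressFamily,
+@@ -1079,11 +1057,11 @@
+ xxx_host = host;
+ xxx_hostaddr = hostaddr;
+ 
+-@@ -422,6 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
++@@ -422,7 +433,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
+ 
+ if (!authctxt.success)
+ fatal("Authentication failed.");
+-+ 
++ 
+ + /*
+ + * If the user wants to use the none cipher, do it post authentication
+ + * and only if the right conditions are met -- both of the NONE commands
+@@ -1105,9 +1083,9 @@
+ + }
+ + }
+ + 
+- debug("Authentication succeeded (%s).", authctxt.method->name);
+- }
+- 
++ #ifdef WITH_OPENSSL
++ if (options.disable_multithreaded == 0) {
++ /* if we are using aes-ctr there can be issues in either a fork or sandbox
+ diff --git a/sshd.c b/sshd.c
+ index 11571c01..23a06022 100644
+ --- a/sshd.c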
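Review bot: The first two hunks remove the HPN set's `rekey_requested` global, `packet_request_rekeying()` and its check in `ssh_packet_need_rekeying()`, but nothing in the patch records why; if the none-cipher switch code elsewhere in the HPN diff still calls `packet_request_rekeying()`, the result will not link, and if upstream 8.1 provides an equivalent forced-rekey path, it should be named. I would add a header line before the first `diff -ur`, e.g. `Drop HPN's forced-rekey hook; openssh 8.1 already provides the equivalent via [UPSTREAM FUNCTION — fill in once confirmed]`. Later hunks also add a `disable_multithreaded` option that defaults to `0`, so the multithreaded aes-ctr path is active unless the user disables it; the `#ifdef WITH_OPENSSL` block that consumes it begins at the end of the last hunk and continues outside this file section, so its effect cannot be reviewed here.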
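diff --git a/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-sctp-glue.patch b/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-sctp-glue.patch
new file mode 100644
index 0000000..3f5c7a4
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.1_p1-hpn-14.20-sctp-glue.patch
@@ -0,0 +1,19 @@
+diff -ur a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff
+--- a/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 14:55:30.408567718 -0800
++++ b/openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 2020-02-04 16:36:51.394069720 -0800
+@@ -1191,15 +1191,3 @@
+ # Example of overriding settings on a per-user basis
+ #Match User anoncvs
+ # X11Forwarding no
+-diff --git a/version.h b/version.h
+-index 6b3fadf8..ec1d2e27 100644
+---- a/version.h
+-+++ b/version.h
+-@@ -3,4 +3,6 @@
+- #define SSH_VERSION "OpenSSH_8.1"
+- 
+- #define SSH_PORTABLE "p1"
+--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+-+#define SSH_HPN "-hpn14v20"
+-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
+-+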
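Review bot: The file is named `hpn-14.20-sctp-glue`, but its only hunk removes the HPN set's version.h change (the `SSH_HPN "-hpn14v20"` suffix on `SSH_RELEASE`); nothing in it touches SCTP, so without a header the name misleads. Presumably the version.h hunk conflicts with the SCTP patch's own edit of that file and the HPN suffix is re-applied by a separate version patch — confirm and say so in a header line before the `diff -ur`, e.g. `Drop HPN's version.h hunk so the HPN diff applies on top of the sctp patch; the banner suffix is handled by a separate patch`. Dropping the suffix also keeps the server banner from advertising the HPN build unless the separate patch restores it, which is worth stating for operators who rely on banner inventory.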
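diff --git a/net-misc/openssh/files/openssh-8.1_p1-tests-2020.patch b/net-misc/openssh/files/openssh-8.1_p1-tests-2020.patch
new file mode 100644
index 0000000..505e34d
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.1_p1-tests-2020.patch
@@ -0,0 +1,26 @@
+diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
+index 86ea6250..844adabc 100644
+--- a/regress/cert-hostkey.sh
++++ b/regress/cert-hostkey.sh
+@@ -252,7 +252,7 @@ test_one() {
+ test_one "user-certificate" failure "-n $HOSTS"
+ test_one "empty principals" success "-h"
+ test_one "wrong principals" failure "-h -n foo"
+-test_one "cert not yet valid" failure "-h -V20200101:20300101"
++test_one "cert not yet valid" failure "-h -V20300101:20320101"
+ test_one "cert expired" failure "-h -V19800101:19900101"
+ test_one "cert valid interval" success "-h -V-1w:+2w"
+ test_one "cert has constraints" failure "-h -Oforce-command=false"
+diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
+index 38c14a69..5cd02fc3 100644
+--- a/regress/cert-userkey.sh
++++ b/regress/cert-userkey.sh
+@@ -338,7 +338,7 @@ test_one() {
+ test_one "correct principal" success "-n ${USER}"
+ test_one "host-certificate" failure "-n ${USER} -h"
+ test_one "wrong principals" failure "-n foo"
+-test_one "cert not yet valid" failure "-n ${USER} -V20200101:20300101"
++test_one "cert not yet valid" failure "-n ${USER} -V20300101:20320101"
+ test_one "cert expired" failure "-n ${USER} -V19800101:19900101"
+ test_one "cert valid interval" success "-n ${USER} -V-1w:+2w"
+ test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8"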
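Review bot: The replacement window `-V20300101:20320101` is again an absolute date, so the "cert not yet valid" case in both cert-hostkey.sh and cert-userkey.sh will start passing for the wrong reason and then fail once 2030 arrives, exactly as the 2020 window did. The neighbouring `-V-1w:+2w` case shows these scripts already use relative intervals; if the ssh-keygen `-V` syntax in this version accepts a relative start time as well — confirm against ssh-keygen(1) for 8.1 — `-V+1w:+2w` would keep the case evergreen. If it does not, a header line in the patch such as `Test dates bumped past 2020; the 2030 window will need the same treatment` would at least warn the next maintainer.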