[gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/, net-misc/openssh/files/ - gentoo-commits

From:	Lars Wendler <polynomial-c@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/, net-misc/openssh/files/
Date:	Wed, 28 Sep 2016 08:40:24
Message-Id:	`1475052011.c938f8ceb36e6791d096ae9df9819f6b3be5315c.polynomial-c@gentoo`

1

commit:     c938f8ceb36e6791d096ae9df9819f6b3be5315c

2

Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>

3

AuthorDate: Wed Sep 28 08:27:46 2016 +0000

4

Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>

5

CommitDate: Wed Sep 28 08:40:11 2016 +0000

6

URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c938f8ce

7

8

net-misc/openssh: Sec-revbump to fix remote pre-auth crash (bug #595342).

9

10

Package-Manager: portage-2.3.1

11

Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>

12

13

 .../files/openssh-7.3_p1-NEWKEYS_null_deref.patch  |  29 ++

14

 net-misc/openssh/openssh-7.3_p1-r6.ebuild          | 351 +++++++++++++++++++++

15

 2 files changed, 380 insertions(+)

16

17

diff --git a/net-misc/openssh/files/openssh-7.3_p1-NEWKEYS_null_deref.patch b/net-misc/openssh/files/openssh-7.3_p1-NEWKEYS_null_deref.patch

18

new file mode 100644

19

index 00000000..784cd2a

20

--- /dev/null

21

+++ b/net-misc/openssh/files/openssh-7.3_p1-NEWKEYS_null_deref.patch

22

@@ -0,0 +1,29 @@

23

+https://bugs.gentoo.org/595342

24

+

25

+Backport of

26

+https://anongit.mindrot.org/openssh.git/patch/?id=28652bca29046f62c7045e933e6b931de1d16737

27

+

28

+--- openssh-7.3p1/kex.c

29

++++ openssh-7.3p1/kex.c

30

+@@ -419,6 +419,8 @@

31

+ 	ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);

32

+ 	if ((r = sshpkt_get_end(ssh)) != 0)

33

+ 		return r;

34

++	if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)

35

++		return r;

36

+ 	kex->done = 1;

37

+ 	sshbuf_reset(kex->peer);

38

+ 	/* sshbuf_reset(kex->my); */

39

+--- openssh-7.3p1/packet.c

40

++++ openssh-7.3p1/packet.c

41

+@@ -1919,9 +1919,7 @@

42

+ 			return r;

43

+ 		return SSH_ERR_PROTOCOL_ERROR;

44

+ 	}

45

+-	if (*typep == SSH2_MSG_NEWKEYS)

46

+-		r = ssh_set_newkeys(ssh, MODE_IN);

47

+-	else if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)

48

++	if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)

49

+ 		r = ssh_packet_enable_delayed_compress(ssh);

50

+ 	else

51

+ 		r = 0;

52

53

diff --git a/net-misc/openssh/openssh-7.3_p1-r6.ebuild b/net-misc/openssh/openssh-7.3_p1-r6.ebuild

54

new file mode 100644

55

index 00000000..1a8bb12

56

--- /dev/null

57

+++ b/net-misc/openssh/openssh-7.3_p1-r6.ebuild

58

@@ -0,0 +1,351 @@

59

+# Copyright 1999-2016 Gentoo Foundation

60

+# Distributed under the terms of the GNU General Public License v2

61

+# $Id$

62

+

63

+EAPI="5"

64

+

65

+inherit eutils user flag-o-matic multilib autotools pam systemd versionator

66

+

67

+# Make it more portable between straight releases

68

+# and _p? releases.

69

+PARCH=${P/_}

70

+HPN_PV="${PV}"

71

+HPN_VER="14.10"

72

+

73

+HPN_PATCH="${PN}-${HPN_PV}-hpn-14.10-r1.patch"

74

+SCTP_PATCH="${PN}-7.3_p1-sctp.patch.xz"

75

+LDAP_PATCH="${PN}-lpk-7.3p1-0.3.14.patch.xz"

76

+X509_VER="9.2" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"

77

+

78

+DESCRIPTION="Port of OpenBSD's free SSH release"

79

+HOMEPAGE="http://www.openssh.org/"

80

+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz

81

+	${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}

82

+	${HPN_PATCH:+hpn? (

83

+		mirror://gentoo/${HPN_PATCH}.xz

84

+		http://dev.gentoo.org/~chutzpah/${HPN_PATCH}.xz

85

+	)}

86

+	${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}

87

+	${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}

88

+	"

89

+

90

+LICENSE="BSD GPL-2"

91

+SLOT="0"

92

+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"

93

+# Probably want to drop ssl defaulting to on in a future version.

94

+IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"

95

+REQUIRED_USE="ldns? ( ssl )

96

+	pie? ( !static )

97

+	ssh1? ( ssl )

98

+	static? ( !kerberos !pam )

99

+	X509? ( !ldap ssl )

100

+	test? ( ssl )"

101

+

102

+LIB_DEPEND="

103

+	ldns? (

104

+		net-libs/ldns[static-libs(+)]

105

+		!bindist? ( net-libs/ldns[ecdsa,ssl] )

106

+		bindist? ( net-libs/ldns[-ecdsa,ssl] )

107

+	)

108

+	libedit? ( dev-libs/libedit[static-libs(+)] )

109

+	sctp? ( net-misc/lksctp-tools[static-libs(+)] )

110

+	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )

111

+	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )

112

+	ssl? (

113

+		!libressl? (

114

+			>=dev-libs/openssl-0.9.8f:0[bindist=]

115

+			dev-libs/openssl:0[static-libs(+)]

116

+		)

117

+		libressl? ( dev-libs/libressl[static-libs(+)] )

118

+	)

119

+	>=sys-libs/zlib-1.2.3[static-libs(+)]"

120

+RDEPEND="

121

+	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )

122

+	pam? ( virtual/pam )

123

+	kerberos? ( virtual/krb5 )

124

+	ldap? ( net-nds/openldap )"

125

+DEPEND="${RDEPEND}

126

+	static? ( ${LIB_DEPEND} )

127

+	virtual/pkgconfig

128

+	virtual/os-headers

129

+	sys-devel/autoconf"

130

+RDEPEND="${RDEPEND}

131

+	pam? ( >=sys-auth/pambase-20081028 )

132

+	userland_GNU? ( virtual/shadow )

133

+	X? ( x11-apps/xauth )"

134

+

135

+S=${WORKDIR}/${PARCH}

136

+

137

+pkg_setup() {

138

+	# this sucks, but i'd rather have people unable to `emerge -u openssh`

139

+	# than not be able to log in to their server any more

140

+	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }

141

+	local fail="

142

+		$(use X509 && maybe_fail X509 X509_PATCH)

143

+		$(use ldap && maybe_fail ldap LDAP_PATCH)

144

+		$(use hpn && maybe_fail hpn HPN_PATCH)

145

+	"

146

+	fail=$(echo ${fail})

147

+	if [[ -n ${fail} ]] ; then

148

+		eerror "Sorry, but this version does not yet support features"

149

+		eerror "that you requested:	 ${fail}"

150

+		eerror "Please mask ${PF} for now and check back later:"

151

+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"

152

+		die "booooo"

153

+	fi

154

+

155

+	# Make sure people who are using tcp wrappers are notified of its removal. #531156

156

+	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then

157

+		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"

158

+		ewarn "you're trying to use it.  Update your ${EROOT}etc/hosts.{allow,deny} please."

159

+	fi

160

+}

161

+

162

+save_version() {

163

+	# version.h patch conflict avoidence

164

+	mv version.h version.h.$1

165

+	cp -f version.h.pristine version.h

166

+}

167

+

168

+src_prepare() {

169

+	sed -i \

170

+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \

171

+		pathnames.h || die

172

+	# keep this as we need it to avoid the conflict between LPK and HPN changing

173

+	# this file.

174

+	cp version.h version.h.pristine

175

+

176

+	# don't break .ssh/authorized_keys2 for fun

177

+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die

178

+

179

+	if use X509 ; then

180

+		pushd .. >/dev/null

181

+		if use hpn ; then

182

+			pushd "${WORKDIR}" >/dev/null

183

+			epatch "${FILESDIR}"/${P}-hpn-x509-9.2-glue.patch

184

+			popd >/dev/null

185

+		fi

186

+		epatch "${FILESDIR}"/${PN}-7.3_p1-sctp-x509-glue.patch

187

+		sed -i 's:PKIX_VERSION:SSH_X509:g' "${WORKDIR}"/${X509_PATCH%.*} || die

188

+		popd >/dev/null

189

+		epatch "${WORKDIR}"/${X509_PATCH%.*}

190

+		epatch "${FILESDIR}"/${P}-x509-9.2-warnings.patch

191

+		save_version X509

192

+	else

193

+		# bug #592122, fixed by X509 patch

194

+		epatch "${FILESDIR}"/${P}-fix-ssh1-with-no-ssh1-host-key.patch

195

+	fi

196

+	if use ldap ; then

197

+		epatch "${WORKDIR}"/${LDAP_PATCH%.*}

198

+		save_version LPK

199

+	fi

200

+

201

+	epatch "${FILESDIR}"/${PN}-7.3_p1-GSSAPI-dns.patch #165444 integrated into gsskex

202

+	epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch

203

+	epatch "${WORKDIR}"/${SCTP_PATCH%.*}

204

+

205

+	if use hpn ; then

206

+		#EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \

207

+		#	EPATCH_MULTI_MSG="Applying HPN patchset ..." \

208

+		#	epatch "${WORKDIR}"/${HPN_PATCH%.*.*}

209

+		epatch "${WORKDIR}"/${HPN_PATCH}

210

+		epatch "${FILESDIR}"/${P}-hpn-cipher-ctr-mt-no-deadlocks.patch

211

+		save_version HPN

212

+	fi

213

+

214

+	tc-export PKG_CONFIG

215

+	local sed_args=(

216

+		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"

217

+		# Disable PATH reset, trust what portage gives us #254615

218

+		-e 's:^PATH=/:#PATH=/:'

219

+		# Disable fortify flags ... our gcc does this for us

220

+		-e 's:-D_FORTIFY_SOURCE=2::'

221

+	)

222

+	# The -ftrapv flag ICEs on hppa #505182

223

+	use hppa && sed_args+=(

224

+		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'

225

+		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'

226

+	)

227

+	sed -i "${sed_args[@]}" configure{.ac,} || die

228

+

229

+	# 7.3 added seccomp support to MIPS, but failed to handled the N32

230

+	# case.  This patch is temporary until upstream fixes.  See

231

+	# Gentoo bug #591392 or upstream #2590.

232

+	[[ ${CHOST} == mips64*-linux-* && ${ABI} == "n32" ]] \

233

+		&& epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch

234

+

235

+	epatch "${FILESDIR}"/${P}-NEWKEYS_null_deref.patch # 595342

236

+

237

+	epatch_user #473004

238

+

239

+	# Now we can build a sane merged version.h

240

+	(

241

+		sed '/^#define SSH_RELEASE/d' version.h.* | sort -u

242

+		macros=()

243

+		for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done

244

+		printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"

245

+	) > version.h

246

+

247

+	eautoreconf

248

+}

249

+

250

+src_configure() {

251

+	addwrite /dev/ptmx

252

+

253

+	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG

254

+	use static && append-ldflags -static

255

+

256

+	local myconf=(

257

+		--with-ldflags="${LDFLAGS}"

258

+		--disable-strip

259

+		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run

260

+		--sysconfdir="${EPREFIX}"/etc/ssh

261

+		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc

262

+		--datadir="${EPREFIX}"/usr/share/openssh

263

+		--with-privsep-path="${EPREFIX}"/var/empty

264

+		--with-privsep-user=sshd

265

+		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)

266

+		# We apply the ldap patch conditionally, so can't pass --without-ldap

267

+		# unconditionally else we get unknown flag warnings.

268

+		$(use ldap && use_with ldap)

269

+		$(use_with ldns)

270

+		$(use_with libedit)

271

+		$(use_with pam)

272

+		$(use_with pie)

273

+		$(use_with sctp)

274

+		$(use_with selinux)

275

+		$(use_with skey)

276

+		$(use_with ssh1)

277

+		$(use_with ssl openssl)

278

+		$(use_with ssl md5-passwords)

279

+		$(use_with ssl ssl-engine)

280

+	)

281

+

282

+	# The seccomp sandbox is broken on x32, so use the older method for now. #553748

283

+	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )

284

+

285

+	econf "${myconf[@]}"

286

+}

287

+

288

+src_install() {

289

+	emake install-nokeys DESTDIR="${D}"

290

+	fperms 600 /etc/ssh/sshd_config

291

+	dobin contrib/ssh-copy-id

292

+	newinitd "${FILESDIR}"/sshd.rc6.4 sshd

293

+	newconfd "${FILESDIR}"/sshd.confd sshd

294

+	keepdir /var/empty

295

+

296

+	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd

297

+	if use pam ; then

298

+		sed -i \

299

+			-e "/^#UsePAM /s:.*:UsePAM yes:" \

300

+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \

301

+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \

302

+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \

303

+			"${ED}"/etc/ssh/sshd_config || die

304

+	fi

305

+

306

+	# Gentoo tweaks to default config files

307

+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config

308

+

309

+	# Allow client to pass locale environment variables #367017

310

+	AcceptEnv LANG LC_*

311

+	EOF

312

+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config

313

+

314

+	# Send locale environment variables #367017

315

+	SendEnv LANG LC_*

316

+	EOF

317

+

318

+	if use livecd ; then

319

+		sed -i \

320

+			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \

321

+			"${ED}"/etc/ssh/sshd_config || die

322

+	fi

323

+

324

+	if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then

325

+		insinto /etc/openldap/schema/

326

+		newins openssh-lpk_openldap.schema openssh-lpk.schema

327

+	fi

328

+

329

+	doman contrib/ssh-copy-id.1

330

+	dodoc CREDITS OVERVIEW README* TODO sshd_config

331

+	use X509 || dodoc ChangeLog

332

+

333

+	diropts -m 0700

334

+	dodir /etc/skel/.ssh

335

+

336

+	systemd_dounit "${FILESDIR}"/sshd.{service,socket}

337

+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'

338

+}

339

+

340

+src_test() {

341

+	local t tests skipped failed passed shell

342

+	tests="interop-tests compat-tests"

343

+	skipped=""

344

+	shell=$(egetshell ${UID})

345

+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then

346

+		elog "Running the full OpenSSH testsuite"

347

+		elog "requires a usable shell for the 'portage'"

348

+		elog "user, so we will run a subset only."

349

+		skipped="${skipped} tests"

350

+	else

351

+		tests="${tests} tests"

352

+	fi

353

+	# It will also attempt to write to the homedir .ssh

354

+	local sshhome=${T}/homedir

355

+	mkdir -p "${sshhome}"/.ssh

356

+	for t in ${tests} ; do

357

+		# Some tests read from stdin ...

358

+		HOMEDIR="${sshhome}" HOME="${sshhome}" \

359

+		emake -k -j1 ${t} </dev/null \

360

+			&& passed="${passed}${t} " \

361

+			|| failed="${failed}${t} "

362

+	done

363

+	einfo "Passed tests: ${passed}"

364

+	ewarn "Skipped tests: ${skipped}"

365

+	if [[ -n ${failed} ]] ; then

366

+		ewarn "Failed tests: ${failed}"

367

+		die "Some tests failed: ${failed}"

368

+	else

369

+		einfo "Failed tests: ${failed}"

370

+		return 0

371

+	fi

372

+}

373

+

374

+pkg_preinst() {

375

+	enewgroup sshd 22

376

+	enewuser sshd 22 -1 /var/empty sshd

377

+}

378

+

379

+pkg_postinst() {

380

+	if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then

381

+		elog "Starting with openssh-5.8p1, the server will default to a newer key"

382

+		elog "algorithm (ECDSA).  You are encouraged to manually update your stored"

383

+		elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."

384

+	fi

385

+	if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then

386

+		elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."

387

+	fi

388

+	if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then

389

+		elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."

390

+		elog "Make sure to update any configs that you might have.  Note that xinetd might"

391

+		elog "be an alternative for you as it supports USE=tcpd."

392

+	fi

393

+	if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518

394

+		elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"

395

+		elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"

396

+		elog "adding to your sshd_config or ~/.ssh/config files:"

397

+		elog "	PubkeyAcceptedKeyTypes=+ssh-dss"

398

+		elog "You should however generate new keys using rsa or ed25519."

399

+

400

+		elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"

401

+		elog "to 'prohibit-password'.  That means password auth for root users no longer works"

402

+		elog "out of the box.  If you need this, please update your sshd_config explicitly."

403

+	fi

404

+	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then

405

+		elog "Be aware that by disabling openssl support in openssh, the server and clients"

406

+		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"

407

+		elog "and update all clients/servers that utilize them."

408

+	fi

409

+}

1	commit: c938f8ceb36e6791d096ae9df9819f6b3be5315c
2	Author: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
3	AuthorDate: Wed Sep 28 08:27:46 2016 +0000
4	Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
5	CommitDate: Wed Sep 28 08:40:11 2016 +0000
6	URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c938f8ce
7
8	net-misc/openssh: Sec-revbump to fix remote pre-auth crash (bug #595342).
9
10	Package-Manager: portage-2.3.1
11	Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>
12
13	.../files/openssh-7.3_p1-NEWKEYS_null_deref.patch \| 29 ++
14	net-misc/openssh/openssh-7.3_p1-r6.ebuild \| 351 +++++++++++++++++++++
15	2 files changed, 380 insertions(+)
16
17	diff --git a/net-misc/openssh/files/openssh-7.3_p1-NEWKEYS_null_deref.patch b/net-misc/openssh/files/openssh-7.3_p1-NEWKEYS_null_deref.patch
18	new file mode 100644
19	index 00000000..784cd2a
20	--- /dev/null
21	+++ b/net-misc/openssh/files/openssh-7.3_p1-NEWKEYS_null_deref.patch
22	@@ -0,0 +1,29 @@
23	+https://bugs.gentoo.org/595342
24	+
25	+Backport of
26	+https://anongit.mindrot.org/openssh.git/patch/?id=28652bca29046f62c7045e933e6b931de1d16737
27	+
28	+--- openssh-7.3p1/kex.c
29	++++ openssh-7.3p1/kex.c
30	+@@ -419,6 +419,8 @@
31	+ ssh_dispatch_set(ssh, SSH2_MSG_NEWKEYS, &kex_protocol_error);
32	+ if ((r = sshpkt_get_end(ssh)) != 0)
33	+ return r;
34	++ if ((r = ssh_set_newkeys(ssh, MODE_IN)) != 0)
35	++ return r;
36	+ kex->done = 1;
37	+ sshbuf_reset(kex->peer);
38	+ /* sshbuf_reset(kex->my); */
39	+--- openssh-7.3p1/packet.c
40	++++ openssh-7.3p1/packet.c
41	+@@ -1919,9 +1919,7 @@
42	+ return r;
43	+ return SSH_ERR_PROTOCOL_ERROR;
44	+ }
45	+- if (*typep == SSH2_MSG_NEWKEYS)
46	+- r = ssh_set_newkeys(ssh, MODE_IN);
47	+- else if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
48	++ if (*typep == SSH2_MSG_USERAUTH_SUCCESS && !state->server_side)
49	+ r = ssh_packet_enable_delayed_compress(ssh);
50	+ else
51	+ r = 0;
52
53	diff --git a/net-misc/openssh/openssh-7.3_p1-r6.ebuild b/net-misc/openssh/openssh-7.3_p1-r6.ebuild
54	new file mode 100644
55	index 00000000..1a8bb12
56	--- /dev/null
57	+++ b/net-misc/openssh/openssh-7.3_p1-r6.ebuild
58	@@ -0,0 +1,351 @@
59	+# Copyright 1999-2016 Gentoo Foundation
60	+# Distributed under the terms of the GNU General Public License v2
61	+# $Id$
62	+
63	+EAPI="5"
64	+
65	+inherit eutils user flag-o-matic multilib autotools pam systemd versionator
66	+
67	+# Make it more portable between straight releases
68	+# and _p? releases.
69	+PARCH=${P/_}
70	+HPN_PV="${PV}"
71	+HPN_VER="14.10"
72	+
73	+HPN_PATCH="${PN}-${HPN_PV}-hpn-14.10-r1.patch"
74	+SCTP_PATCH="${PN}-7.3_p1-sctp.patch.xz"
75	+LDAP_PATCH="${PN}-lpk-7.3p1-0.3.14.patch.xz"
76	+X509_VER="9.2" X509_PATCH="${PN}-${PV/_}+x509-${X509_VER}.diff.gz"
77	+
78	+DESCRIPTION="Port of OpenBSD's free SSH release"
79	+HOMEPAGE="http://www.openssh.org/"
80	+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
81	+ ${SCTP_PATCH:+mirror://gentoo/${SCTP_PATCH}}
82	+ ${HPN_PATCH:+hpn? (
83	+ mirror://gentoo/${HPN_PATCH}.xz
84	+ http://dev.gentoo.org/~chutzpah/${HPN_PATCH}.xz
85	+ )}
86	+ ${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
87	+ ${X509_PATCH:+X509? ( http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
88	+ "
89	+
90	+LICENSE="BSD GPL-2"
91	+SLOT="0"
92	+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
93	+# Probably want to drop ssl defaulting to on in a future version.
94	+IUSE="bindist debug ${HPN_PATCH:++}hpn kerberos kernel_linux ldap ldns libedit libressl livecd pam +pie sctp selinux skey ssh1 +ssl static test X X509"
95	+REQUIRED_USE="ldns? ( ssl )
96	+ pie? ( !static )
97	+ ssh1? ( ssl )
98	+ static? ( !kerberos !pam )
99	+ X509? ( !ldap ssl )
100	+ test? ( ssl )"
101	+
102	+LIB_DEPEND="
103	+ ldns? (
104	+ net-libs/ldns[static-libs(+)]
105	+ !bindist? ( net-libs/ldns[ecdsa,ssl] )
106	+ bindist? ( net-libs/ldns[-ecdsa,ssl] )
107	+ )
108	+ libedit? ( dev-libs/libedit[static-libs(+)] )
109	+ sctp? ( net-misc/lksctp-tools[static-libs(+)] )
110	+ selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
111	+ skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
112	+ ssl? (
113	+ !libressl? (
114	+ >=dev-libs/openssl-0.9.8f:0[bindist=]
115	+ dev-libs/openssl:0[static-libs(+)]
116	+ )
117	+ libressl? ( dev-libs/libressl[static-libs(+)] )
118	+ )
119	+ >=sys-libs/zlib-1.2.3[static-libs(+)]"
120	+RDEPEND="
121	+ !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
122	+ pam? ( virtual/pam )
123	+ kerberos? ( virtual/krb5 )
124	+ ldap? ( net-nds/openldap )"
125	+DEPEND="${RDEPEND}
126	+ static? ( ${LIB_DEPEND} )
127	+ virtual/pkgconfig
128	+ virtual/os-headers
129	+ sys-devel/autoconf"
130	+RDEPEND="${RDEPEND}
131	+ pam? ( >=sys-auth/pambase-20081028 )
132	+ userland_GNU? ( virtual/shadow )
133	+ X? ( x11-apps/xauth )"
134	+
135	+S=${WORKDIR}/${PARCH}
136	+
137	+pkg_setup() {
138	+ # this sucks, but i'd rather have people unable to `emerge -u openssh`
139	+ # than not be able to log in to their server any more
140	+ maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
141	+ local fail="
142	+ $(use X509 && maybe_fail X509 X509_PATCH)
143	+ $(use ldap && maybe_fail ldap LDAP_PATCH)
144	+ $(use hpn && maybe_fail hpn HPN_PATCH)
145	+ "
146	+ fail=$(echo ${fail})
147	+ if [[ -n ${fail} ]] ; then
148	+ eerror "Sorry, but this version does not yet support features"
149	+ eerror "that you requested: ${fail}"
150	+ eerror "Please mask ${PF} for now and check back later:"
151	+ eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
152	+ die "booooo"
153	+ fi
154	+
155	+ # Make sure people who are using tcp wrappers are notified of its removal. #531156
156	+ if grep -qs '^ sshd :' "${EROOT}"/etc/hosts.{allow,deny} ; then
157	+ ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
158	+ ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
159	+ fi
160	+}
161	+
162	+save_version() {
163	+ # version.h patch conflict avoidence
164	+ mv version.h version.h.$1
165	+ cp -f version.h.pristine version.h
166	+}
167	+
168	+src_prepare() {
169	+ sed -i \
170	+ -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
171	+ pathnames.h \|\| die
172	+ # keep this as we need it to avoid the conflict between LPK and HPN changing
173	+ # this file.
174	+ cp version.h version.h.pristine
175	+
176	+ # don't break .ssh/authorized_keys2 for fun
177	+ sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config \|\| die
178	+
179	+ if use X509 ; then
180	+ pushd .. >/dev/null
181	+ if use hpn ; then
182	+ pushd "${WORKDIR}" >/dev/null
183	+ epatch "${FILESDIR}"/${P}-hpn-x509-9.2-glue.patch
184	+ popd >/dev/null
185	+ fi
186	+ epatch "${FILESDIR}"/${PN}-7.3_p1-sctp-x509-glue.patch
187	+ sed -i 's:PKIX_VERSION:SSH_X509:g' "${WORKDIR}"/${X509_PATCH%.*} \|\| die
188	+ popd >/dev/null
189	+ epatch "${WORKDIR}"/${X509_PATCH%.*}
190	+ epatch "${FILESDIR}"/${P}-x509-9.2-warnings.patch
191	+ save_version X509
192	+ else
193	+ # bug #592122, fixed by X509 patch
194	+ epatch "${FILESDIR}"/${P}-fix-ssh1-with-no-ssh1-host-key.patch
195	+ fi
196	+ if use ldap ; then
197	+ epatch "${WORKDIR}"/${LDAP_PATCH%.*}
198	+ save_version LPK
199	+ fi
200	+
201	+ epatch "${FILESDIR}"/${PN}-7.3_p1-GSSAPI-dns.patch #165444 integrated into gsskex
202	+ epatch "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
203	+ epatch "${WORKDIR}"/${SCTP_PATCH%.*}
204	+
205	+ if use hpn ; then
206	+ #EPATCH_FORCE="yes" EPATCH_SUFFIX="patch" \
207	+ # EPATCH_MULTI_MSG="Applying HPN patchset ..." \
208	+ # epatch "${WORKDIR}"/${HPN_PATCH%..}
209	+ epatch "${WORKDIR}"/${HPN_PATCH}
210	+ epatch "${FILESDIR}"/${P}-hpn-cipher-ctr-mt-no-deadlocks.patch
211	+ save_version HPN
212	+ fi
213	+
214	+ tc-export PKG_CONFIG
215	+ local sed_args=(
216	+ -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
217	+ # Disable PATH reset, trust what portage gives us #254615
218	+ -e 's:^PATH=/:#PATH=/:'
219	+ # Disable fortify flags ... our gcc does this for us
220	+ -e 's:-D_FORTIFY_SOURCE=2::'
221	+ )
222	+ # The -ftrapv flag ICEs on hppa #505182
223	+ use hppa && sed_args+=(
224	+ -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
225	+ -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
226	+ )
227	+ sed -i "${sed_args[@]}" configure{.ac,} \|\| die
228	+
229	+ # 7.3 added seccomp support to MIPS, but failed to handled the N32
230	+ # case. This patch is temporary until upstream fixes. See
231	+ # Gentoo bug #591392 or upstream #2590.
232	+ [[ ${CHOST} == mips64-linux- && ${ABI} == "n32" ]] \
233	+ && epatch "${FILESDIR}"/${PN}-7.3-mips-seccomp-n32.patch
234	+
235	+ epatch "${FILESDIR}"/${P}-NEWKEYS_null_deref.patch # 595342
236	+
237	+ epatch_user #473004
238	+
239	+ # Now we can build a sane merged version.h
240	+ (
241	+ sed '/^#define SSH_RELEASE/d' version.h.* \| sort -u
242	+ macros=()
243	+ for p in HPN LPK X509 ; do [ -e version.h.${p} ] && macros+=( SSH_${p} ) ; done
244	+ printf '#define SSH_RELEASE SSH_VERSION SSH_PORTABLE %s\n' "${macros}"
245	+ ) > version.h
246	+
247	+ eautoreconf
248	+}
249	+
250	+src_configure() {
251	+ addwrite /dev/ptmx
252	+
253	+ use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
254	+ use static && append-ldflags -static
255	+
256	+ local myconf=(
257	+ --with-ldflags="${LDFLAGS}"
258	+ --disable-strip
259	+ --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
260	+ --sysconfdir="${EPREFIX}"/etc/ssh
261	+ --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
262	+ --datadir="${EPREFIX}"/usr/share/openssh
263	+ --with-privsep-path="${EPREFIX}"/var/empty
264	+ --with-privsep-user=sshd
265	+ $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
266	+ # We apply the ldap patch conditionally, so can't pass --without-ldap
267	+ # unconditionally else we get unknown flag warnings.
268	+ $(use ldap && use_with ldap)
269	+ $(use_with ldns)
270	+ $(use_with libedit)
271	+ $(use_with pam)
272	+ $(use_with pie)
273	+ $(use_with sctp)
274	+ $(use_with selinux)
275	+ $(use_with skey)
276	+ $(use_with ssh1)
277	+ $(use_with ssl openssl)
278	+ $(use_with ssl md5-passwords)
279	+ $(use_with ssl ssl-engine)
280	+ )
281	+
282	+ # The seccomp sandbox is broken on x32, so use the older method for now. #553748
283	+ use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
284	+
285	+ econf "${myconf[@]}"
286	+}
287	+
288	+src_install() {
289	+ emake install-nokeys DESTDIR="${D}"
290	+ fperms 600 /etc/ssh/sshd_config
291	+ dobin contrib/ssh-copy-id
292	+ newinitd "${FILESDIR}"/sshd.rc6.4 sshd
293	+ newconfd "${FILESDIR}"/sshd.confd sshd
294	+ keepdir /var/empty
295	+
296	+ newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
297	+ if use pam ; then
298	+ sed -i \
299	+ -e "/^#UsePAM /s:.*:UsePAM yes:" \
300	+ -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
301	+ -e "/^#PrintMotd /s:.*:PrintMotd no:" \
302	+ -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
303	+ "${ED}"/etc/ssh/sshd_config \|\| die
304	+ fi
305	+
306	+ # Gentoo tweaks to default config files
307	+ cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
308	+
309	+ # Allow client to pass locale environment variables #367017
310	+ AcceptEnv LANG LC_*
311	+ EOF
312	+ cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
313	+
314	+ # Send locale environment variables #367017
315	+ SendEnv LANG LC_*
316	+ EOF
317	+
318	+ if use livecd ; then
319	+ sed -i \
320	+ -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
321	+ "${ED}"/etc/ssh/sshd_config \|\| die
322	+ fi
323	+
324	+ if ! use X509 && [[ -n ${LDAP_PATCH} ]] && use ldap ; then
325	+ insinto /etc/openldap/schema/
326	+ newins openssh-lpk_openldap.schema openssh-lpk.schema
327	+ fi
328	+
329	+ doman contrib/ssh-copy-id.1
330	+ dodoc CREDITS OVERVIEW README* TODO sshd_config
331	+ use X509 \|\| dodoc ChangeLog
332	+
333	+ diropts -m 0700
334	+ dodir /etc/skel/.ssh
335	+
336	+ systemd_dounit "${FILESDIR}"/sshd.{service,socket}
337	+ systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
338	+}
339	+
340	+src_test() {
341	+ local t tests skipped failed passed shell
342	+ tests="interop-tests compat-tests"
343	+ skipped=""
344	+ shell=$(egetshell ${UID})
345	+ if [[ ${shell} == /nologin ]] \|\| [[ ${shell} == /false ]] ; then
346	+ elog "Running the full OpenSSH testsuite"
347	+ elog "requires a usable shell for the 'portage'"
348	+ elog "user, so we will run a subset only."
349	+ skipped="${skipped} tests"
350	+ else
351	+ tests="${tests} tests"
352	+ fi
353	+ # It will also attempt to write to the homedir .ssh
354	+ local sshhome=${T}/homedir
355	+ mkdir -p "${sshhome}"/.ssh
356	+ for t in ${tests} ; do
357	+ # Some tests read from stdin ...
358	+ HOMEDIR="${sshhome}" HOME="${sshhome}" \
359	+ emake -k -j1 ${t} </dev/null \
360	+ && passed="${passed}${t} " \
361	+ \|\| failed="${failed}${t} "
362	+ done
363	+ einfo "Passed tests: ${passed}"
364	+ ewarn "Skipped tests: ${skipped}"
365	+ if [[ -n ${failed} ]] ; then
366	+ ewarn "Failed tests: ${failed}"
367	+ die "Some tests failed: ${failed}"
368	+ else
369	+ einfo "Failed tests: ${failed}"
370	+ return 0
371	+ fi
372	+}
373	+
374	+pkg_preinst() {
375	+ enewgroup sshd 22
376	+ enewuser sshd 22 -1 /var/empty sshd
377	+}
378	+
379	+pkg_postinst() {
380	+ if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
381	+ elog "Starting with openssh-5.8p1, the server will default to a newer key"
382	+ elog "algorithm (ECDSA). You are encouraged to manually update your stored"
383	+ elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
384	+ fi
385	+ if has_version "<${CATEGORY}/${PN}-6.9_p1" ; then
386	+ elog "Starting with openssh-6.9p1, ssh1 support is disabled by default."
387	+ fi
388	+ if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
389	+ elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
390	+ elog "Make sure to update any configs that you might have. Note that xinetd might"
391	+ elog "be an alternative for you as it supports USE=tcpd."
392	+ fi
393	+ if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
394	+ elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
395	+ elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
396	+ elog "adding to your sshd_config or ~/.ssh/config files:"
397	+ elog " PubkeyAcceptedKeyTypes=+ssh-dss"
398	+ elog "You should however generate new keys using rsa or ed25519."
399	+
400	+ elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
401	+ elog "to 'prohibit-password'. That means password auth for root users no longer works"
402	+ elog "out of the box. If you need this, please update your sshd_config explicitly."
403	+ fi
404	+ if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
405	+ elog "Be aware that by disabling openssl support in openssh, the server and clients"
406	+ elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
407	+ elog "and update all clients/servers that utilize them."
408	+ fi
409	+}

Gentoo Archives: gentoo-commits