[gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/, net-misc/openssh/files/ - gentoo-commits

From:	Patrick McLean <chutzpah@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/, net-misc/openssh/files/
Date:	Thu, 22 Apr 2021 03:23:24
Message-Id:	`1619061795.779d2265b9a8031318a2ab381048a1c78141edc9.chutzpah@gentoo`

1

commit:     779d2265b9a8031318a2ab381048a1c78141edc9

2

Author:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>

3

AuthorDate: Thu Apr 22 03:23:08 2021 +0000

4

Commit:     Patrick McLean <chutzpah <AT> gentoo <DOT> org>

5

CommitDate: Thu Apr 22 03:23:15 2021 +0000

6

URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=779d2265

7

8

net-misc/openssh-8.6_p1: Version bump, no X509 patch for now

9

10

Package-Manager: Portage-3.0.18, Repoman-3.0.3

11

Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>

12

13

 net-misc/openssh/Manifest                          |   2 +

14

 .../files/openssh-8.6_p1-X509-glue-13.0.1.patch    |  73 +++

15

 .../files/openssh-8.6_p1-hpn-15.2-glue.patch       | 132 ++++++

16

 .../openssh/files/openssh-8.6_p1-hpn-version.patch |  13 +

17

 net-misc/openssh/openssh-8.6_p1.ebuild             | 518 +++++++++++++++++++++

18

 5 files changed, 738 insertions(+)

19

20

diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest

21

index 03ef9f4f735..95555068cf8 100644

22

--- a/net-misc/openssh/Manifest

23

+++ b/net-misc/openssh/Manifest

24

@@ -5,6 +5,8 @@ DIST openssh-8.5p1+x509-13.0.1.diff.gz 997005 BLAKE2B b6cdc9ba12dc642c7073463fb8

25

 DIST openssh-8.5p1+x509-13.0.diff.gz 996872 BLAKE2B 136937e4e65e5e73d1d1b596ae6188f359daa8e95aafd57fab8cf947b59fde573ff4e6259781d1a0fd89718d14469ca4aed01bae6f37cc16df109c673fa2c73c SHA512 2276b0ac577162f7f6a56115637636a6eaaa8b3cc06e5ef053ec06e00a7c3459efe8de8dbc5f55c9f6a192534e2f7c8c7064fcdbf56d28b628bb301c5072802c

26

 DIST openssh-8.5p1-sctp-1.2.patch.xz 7692 BLAKE2B 298bf5e2004fd864bdbb6d6f354d1fbcb7052a9caaf8e39863b840a7af8e31f87790f6aa10ae84df177d450bb34a43c4a3aa87d7472e2505d727757c016ce92b SHA512 84990f95e22c90dbc4d04d47ea88b761ff1d0101018661ff2376ac2a726b5fca43f1b5f5d926ccbe1c8d0143ac36b104616bd1a6b5dcdba4addf48a5dd196e2b

27

 DIST openssh-8.5p1.tar.gz 1779733 BLAKE2B f4e4bd39e2dd275d4811e06ca994f2239ad27c804b003c74cc26f9dffae28f1b4006fc618580f0dc9c45f0b7361c24728c23688b45f41cb8a15cf6206c3f15c3 SHA512 af9c34d89170a30fc92a63973e32c766ed4a6d254bb210e317c000d46913e78d0c60c7befe62d993d659be000b828b9d4d3832fc40df1c3d33850aaa6293846f

28

+DIST openssh-8.6p1-sctp-1.2.patch.xz 7696 BLAKE2B 37f9e943a1881af05d9cf2234433711dc45ca30c60af4c0ea38a1d361df02abb491fa114f3698285f582b40b838414c1a048c4f09aa4f7ae9499adb09201d2ac SHA512 ba8c4d38a3d90854e79dc18918fffde246d7609a3f1c3a35e06c0fbe33d3688ed29b0ec33556ae37d1654e1dc2133d892613ad8d1ecbdce9aaa5b9eb10dcbb7a

29

+DIST openssh-8.6p1.tar.gz 1786328 BLAKE2B 261a0f1a6235275894d487cce37537755c86835e3a34871462fe29bfe72b49cd9a6b6a547aea4bd554f0957e110c84458cc75a5f2560717fb04804d62228562a SHA512 9854eda0b773c64c9f1f74844ce466b2b42ee8845f58ad062b73141d617af944fa4ebafdf72069f400106d2c2bd0a69c92fe805ec1fc26d4f0faadf06c3fbbe6

30

 DIST openssh-8_3_P1-hpn-AES-CTR-14.22.diff 29963 BLAKE2B 19b82f4ff820f52dafaa5b3f09f8a0a67f318771c1c7276b9d37e4a6412052c9c53347f880f2d78981af3830432704b9ad74b375241965326530ae23ec8d74a2 SHA512 49f2778831dc768850870a1755da9cdd7d3bc83fa87069070f5a1d357ce9bdadeb2506c8ff3c6b055708da12a70e9ede7ed0e8a29fcab441abb55c9d483663be

31

 DIST openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 42783 BLAKE2B 10940c35ae6bdc33e58bc9abd9cd7a551d4ca76a175400acb872906805bd04d384f57e81049b183d7d892ce1b5f7a138e197366369fe12e5c9dc1349850b0582 SHA512 c09162b96e0ffadc59c6076507bc843e6f8f2fb372140b84181f5fb2894225b1e05a831d85ba689c35c322b5a99302b9db77c324f978f1a46a16b185b3cb28dd

32

 DIST openssh-8_3_P1-hpn-PeakTput-14.22.diff 2012 BLAKE2B 701f46da022e7ecf35b57f41bf5682a37be453c175928d3ff3df09292275e6021f6108a20c02eec9d636e85ee5a8e05b7233ada180edf1209a3dc4b139d58858 SHA512 026f65c62e4c05b69661094d41bf338df608e2a9b23ef95588062e3bd68729733dae32adab783609a6eca810ccdcbddee25e7649a534c9a283a03282f73438bb

33

34

diff --git a/net-misc/openssh/files/openssh-8.6_p1-X509-glue-13.0.1.patch b/net-misc/openssh/files/openssh-8.6_p1-X509-glue-13.0.1.patch

35

new file mode 100644

36

index 00000000000..f9da7bbc345

37

--- /dev/null

38

+++ b/net-misc/openssh/files/openssh-8.6_p1-X509-glue-13.0.1.patch

39

@@ -0,0 +1,73 @@

40

+diff --exclude '*.un~' -ubr a/openssh-8.5p1+x509-13.0.1.diff b/openssh-8.5p1+x509-13.0.1.diff

41

+--- a/openssh-8.5p1+x509-13.0.1.diff	2021-04-19 14:21:08.076526576 -0700

42

++++ b/openssh-8.5p1+x509-13.0.1.diff	2021-04-19 14:21:23.160563489 -0700

43

+@@ -46675,12 +46675,11 @@

44

+

45

+  install-files:

46

+  	$(MKDIR_P) $(DESTDIR)$(bindir)

47

+-@@ -380,6 +364,8 @@

48

++@@ -380,6 +364,7 @@

49

+  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5

50

+  	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8

51

+  	$(MKDIR_P) $(DESTDIR)$(libexecdir)

52

+ +	$(MKDIR_P) $(DESTDIR)$(sshcadir)

53

+-+	$(MKDIR_P) $(DESTDIR)$(piddir)

54

+  	$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)

55

+  	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)

56

+  	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)

57

+@@ -63967,7 +63966,7 @@

58

+ -	echo "putty interop tests not enabled"

59

+ -	exit 0

60

+ -fi

61

+-+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 1; }

62

+++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 0; }

63

+

64

+  for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do

65

+  	verbose "$tid: cipher $c"

66

+@@ -63982,7 +63981,7 @@

67

+ -	echo "putty interop tests not enabled"

68

+ -	exit 0

69

+ -fi

70

+-+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 1; }

71

+++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 0; }

72

+

73

+  for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do

74

+  	verbose "$tid: kex $k"

75

+@@ -63997,7 +63996,7 @@

76

+ -	echo "putty interop tests not enabled"

77

+ -	exit 0

78

+ -fi

79

+-+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 1; }

80

+++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1;  exit 0; }

81

+

82

+  if [ "`${SSH} -Q compression`" = "none" ]; then

83

+  	comp="0"

84

+@@ -64129,9 +64128,9 @@

85

+

86

+ +# cross-project configuration

87

+ +if test "$sshd_type" = "pkix" ; then

88

+-+  unset_arg=''

89

+++  unset_arg=

90

+ +else

91

+-+  unset_arg=none

92

+++  unset_arg=

93

+ +fi

94

+ +

95

+  cat > $OBJ/sshd_config.i << _EOF

96

+@@ -122247,16 +122246,6 @@

97

+ +int	 asnmprintf(char **, size_t, int *, const char *, ...)

98

+  	     __attribute__((format(printf, 4, 5)));

99

+  void	 msetlocale(void);

100

+-diff -ruN openssh-8.5p1/version.h openssh-8.5p1+x509-13.0.1/version.h

101

+---- openssh-8.5p1/version.h	2021-03-02 12:31:47.000000000 +0200

102

+-+++ openssh-8.5p1+x509-13.0.1/version.h	2021-03-15 20:07:00.000000000 +0200

103

+-@@ -2,5 +2,4 @@

104

+-

105

+- #define SSH_VERSION	"OpenSSH_8.5"

106

+-

107

+--#define SSH_PORTABLE	"p1"

108

+--#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE

109

+-+#define SSH_RELEASE	PACKAGE_STRING ", " SSH_VERSION "p1"

110

+ diff -ruN openssh-8.5p1/version.m4 openssh-8.5p1+x509-13.0.1/version.m4

111

+ --- openssh-8.5p1/version.m4	1970-01-01 02:00:00.000000000 +0200

112

+ +++ openssh-8.5p1+x509-13.0.1/version.m4	2021-03-15 20:07:00.000000000 +0200

113

114

diff --git a/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-glue.patch b/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-glue.patch

115

new file mode 100644

116

index 00000000000..30c0252ccb5

117

--- /dev/null

118

+++ b/net-misc/openssh/files/openssh-8.6_p1-hpn-15.2-glue.patch

119

@@ -0,0 +1,132 @@

120

+diff --exclude '*.un~' -ubr a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff

121

+--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-04-19 13:36:51.659996653 -0700

122

++++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff	2021-04-19 13:42:23.302377465 -0700

123

+@@ -536,18 +536,10 @@

124

+  	if (state->rekey_limit)

125

+  		*max_blocks = MINIMUM(*max_blocks,

126

+  		    state->rekey_limit / enc->block_size);

127

+-@@ -954,6 +963,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)

128

++@@ -954,6 +963,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)

129

+  	return 0;

130

+  }

131

+

132

+-+/* this supports the forced rekeying required for the NONE cipher */

133

+-+int rekey_requested = 0;

134

+-+void

135

+-+packet_request_rekeying(void)

136

+-+{

137

+-+	rekey_requested = 1;

138

+-+}

139

+-+

140

+ +/* used to determine if pre or post auth when rekeying for aes-ctr

141

+ + * and none cipher switch */

142

+ +int

143

+@@ -561,20 +553,6 @@

144

+  #define MAX_PACKETS	(1U<<31)

145

+  static int

146

+  ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)

147

+-@@ -980,6 +1007,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)

148

+- 	if (state->p_send.packets == 0 && state->p_read.packets == 0)

149

+- 		return 0;

150

+-

151

+-+	/* used to force rekeying when called for by the none

152

+-+         * cipher switch methods -cjr */

153

+-+        if (rekey_requested == 1) {

154

+-+                rekey_requested = 0;

155

+-+                return 1;

156

+-+        }

157

+-+

158

+- 	/* Time-based rekeying */

159

+- 	if (state->rekey_interval != 0 &&

160

+- 	    (int64_t)state->rekey_time + state->rekey_interval <= monotime())

161

+ @@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p)

162

+  	struct session_state *state = ssh->state;

163

+  	int len, r, ms_remain;

164

+@@ -598,12 +576,11 @@

165

+  };

166

+

167

+  typedef int (ssh_packet_hook_fn)(struct ssh *, struct sshbuf *,

168

+-@@ -155,6 +158,10 @@ int	 ssh_packet_inc_alive_timeouts(struct ssh *);

169

++@@ -155,6 +158,9 @@ int	 ssh_packet_inc_alive_timeouts(struct ssh *);

170

+  int	 ssh_packet_set_maxsize(struct ssh *, u_int);

171

+  u_int	 ssh_packet_get_maxsize(struct ssh *);

172

+

173

+ +/* for forced packet rekeying post auth */

174

+-+void	 packet_request_rekeying(void);

175

+ +int	 packet_authentication_state(const struct ssh *);

176

+ +

177

+  int	 ssh_packet_get_state(struct ssh *, struct sshbuf *);

178

+@@ -627,9 +604,9 @@

179

+  	oLocalCommand, oPermitLocalCommand, oRemoteCommand,

180

+ +	oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,

181

+ +	oNoneEnabled, oNoneMacEnabled, oNoneSwitch,

182

++ 	oDisableMTAES,

183

+  	oVisualHostKey,

184

+  	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,

185

+- 	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,

186

+ @@ -297,6 +300,9 @@ static struct {

187

+  	{ "kexalgorithms", oKexAlgorithms },

188

+  	{ "ipqos", oIPQoS },

189

+@@ -778,9 +755,9 @@

190

+  	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */

191

+  	SyslogFacility log_facility;	/* Facility for system logging. */

192

+ @@ -120,7 +124,11 @@ typedef struct {

193

+-

194

+  	int	enable_ssh_keysign;

195

+  	int64_t rekey_limit;

196

++ 	int     disable_multithreaded; /*disable multithreaded aes-ctr*/

197

+ +	int     none_switch;    /* Use none cipher */

198

+ +	int     none_enabled;   /* Allow none cipher to be used */

199

+ +  	int     nonemac_enabled;   /* Allow none MAC to be used */

200

+@@ -842,9 +819,9 @@

201

+  	/* Portable-specific options */

202

+  	if (options->use_pam == -1)

203

+ @@ -424,6 +434,49 @@ fill_default_server_options(ServerOptions *options)

204

+- 	}

205

+- 	if (options->permit_tun == -1)

206

+  		options->permit_tun = SSH_TUNMODE_NO;

207

++ 	if (options->disable_multithreaded == -1)

208

++ 		options->disable_multithreaded = 0;

209

+ +	if (options->none_enabled == -1)

210

+ +		options->none_enabled = 0;

211

+ +	if (options->nonemac_enabled == -1)

212

+@@ -1047,17 +1024,17 @@

213

+  Note that

214

+ diff --git a/sftp.c b/sftp.c

215

+ index fb3c08d1..89bebbb2 100644

216

+---- a/sftp.c

217

+-+++ b/sftp.c

218

+-@@ -71,7 +71,7 @@ typedef void EditLine;

219

+- #include "sftp-client.h"

220

+-

221

+- #define DEFAULT_COPY_BUFLEN	32768	/* Size of buffer for up/download */

222

+--#define DEFAULT_NUM_REQUESTS	64	/* # concurrent outstanding requests */

223

+-+#define DEFAULT_NUM_REQUESTS	256	/* # concurrent outstanding requests */

224

++--- a/sftp-client.c

225

+++++ b/sftp-client.c

226

++@@ -65,7 +65,7 @@ typedef void EditLine;

227

++ #define DEFAULT_COPY_BUFLEN	32768

228

++

229

++ /* Default number of concurrent outstanding requests */

230

++-#define DEFAULT_NUM_REQUESTS	64

231

+++#define DEFAULT_NUM_REQUESTS	256

232

+

233

+- /* File to read commands from */

234

+- FILE* infile;

235

++ /* Minimum amount of data to read at a time */

236

++ #define MIN_READ_SIZE	512

237

+ diff --git a/ssh-keygen.c b/ssh-keygen.c

238

+ index cfb5f115..36a6e519 100644

239

+ --- a/ssh-keygen.c

240

+@@ -1330,9 +1307,9 @@

241

+ +		}

242

+ +	}

243

+ +

244

+- 	debug("Authentication succeeded (%s).", authctxt.method->name);

245

+- }

246

+

247

++ #ifdef WITH_OPENSSL

248

++ 	if (options.disable_multithreaded == 0) {

249

+ diff --git a/sshd.c b/sshd.c

250

+ index 6277e6d6..d66fa41a 100644

251

+ --- a/sshd.c

252

253

diff --git a/net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch b/net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch

254

new file mode 100644

255

index 00000000000..6dc290d6737

256

--- /dev/null

257

+++ b/net-misc/openssh/files/openssh-8.6_p1-hpn-version.patch

258

@@ -0,0 +1,13 @@

259

+diff --git a/kex.c b/kex.c

260

+index 34808b5c..88d7ccac 100644

261

+--- a/kex.c

262

++++ b/kex.c

263

+@@ -1205,7 +1205,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,

264

+ 	if (version_addendum != NULL && *version_addendum == '\0')

265

+ 		version_addendum = NULL;

266

+ 	if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",

267

+-	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,

268

++	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,

269

+ 	    version_addendum == NULL ? "" : " ",

270

+ 	    version_addendum == NULL ? "" : version_addendum)) != 0) {

271

+ 		oerrno = errno;

272

273

diff --git a/net-misc/openssh/openssh-8.6_p1.ebuild b/net-misc/openssh/openssh-8.6_p1.ebuild

274

new file mode 100644

275

index 00000000000..88a3073e029

276

--- /dev/null

277

+++ b/net-misc/openssh/openssh-8.6_p1.ebuild

278

@@ -0,0 +1,518 @@

279

+# Copyright 1999-2021 Gentoo Authors

280

+# Distributed under the terms of the GNU General Public License v2

281

+

282

+EAPI=7

283

+

284

+inherit user-info flag-o-matic multilib autotools pam systemd toolchain-funcs

285

+

286

+# Make it more portable between straight releases

287

+# and _p? releases.

288

+PARCH=${P/_}

289

+

290

+# PV to USE for HPN patches

291

+#HPN_PV="${PV^^}"

292

+HPN_PV="8.5_P1"

293

+

294

+HPN_VER="15.2"

295

+HPN_PATCHES=(

296

+	${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff

297

+	${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff

298

+	${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff

299

+)

300

+

301

+SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"

302

+#X509_VER="13.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"

303

+

304

+DESCRIPTION="Port of OpenBSD's free SSH release"

305

+HOMEPAGE="https://www.openssh.com/"

306

+SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz

307

+	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}

308

+	${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}

309

+	${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}

310

+"

311

+S="${WORKDIR}/${PARCH}"

312

+

313

+LICENSE="BSD GPL-2"

314

+SLOT="0"

315

+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"

316

+# Probably want to drop ssl defaulting to on in a future version.

317

+IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"

318

+

319

+RESTRICT="!test? ( test )"

320

+

321

+REQUIRED_USE="

322

+	ldns? ( ssl )

323

+	pie? ( !static )

324

+	static? ( !kerberos !pam )

325

+	X509? ( !sctp !security-key ssl !xmss )

326

+	xmss? ( || ( ssl libressl ) )

327

+	test? ( ssl )

328

+"

329

+

330

+# tests currently fail with XMSS

331

+REQUIRED_USE="test? ( !xmss )"

332

+

333

+LIB_DEPEND="

334

+	audit? ( sys-process/audit[static-libs(+)] )

335

+	ldns? (

336

+		net-libs/ldns[static-libs(+)]

337

+		!bindist? ( net-libs/ldns[ecdsa,ssl(+)] )

338

+		bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )

339

+	)

340

+	libedit? ( dev-libs/libedit:=[static-libs(+)] )

341

+	sctp? ( net-misc/lksctp-tools[static-libs(+)] )

342

+	security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )

343

+	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )

344

+	ssl? (

345

+		!libressl? (

346

+			|| (

347

+				(

348

+					>=dev-libs/openssl-1.0.1:0[bindist=]

349

+					<dev-libs/openssl-1.1.0:0[bindist=]

350

+				)

351

+				>=dev-libs/openssl-1.1.0g:0[bindist=]

352

+			)

353

+			dev-libs/openssl:0=[static-libs(+)]

354

+		)

355

+		libressl? ( dev-libs/libressl:0=[static-libs(+)] )

356

+	)

357

+	virtual/libcrypt:=[static-libs(+)]

358

+	>=sys-libs/zlib-1.2.3:=[static-libs(+)]

359

+"

360

+RDEPEND="

361

+	acct-group/sshd

362

+	acct-user/sshd

363

+	!static? ( ${LIB_DEPEND//\[static-libs(+)]} )

364

+	pam? ( sys-libs/pam )

365

+	kerberos? ( virtual/krb5 )

366

+"

367

+DEPEND="${RDEPEND}

368

+	virtual/os-headers

369

+	kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) )

370

+	static? ( ${LIB_DEPEND} )

371

+"

372

+RDEPEND="${RDEPEND}

373

+	pam? ( >=sys-auth/pambase-20081028 )

374

+	userland_GNU? ( !prefix? ( sys-apps/shadow ) )

375

+	X? ( x11-apps/xauth )

376

+"

377

+BDEPEND="

378

+	virtual/pkgconfig

379

+	sys-devel/autoconf

380

+"

381

+

382

+pkg_pretend() {

383

+	# this sucks, but i'd rather have people unable to `emerge -u openssh`

384

+	# than not be able to log in to their server any more

385

+	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }

386

+	local fail="

387

+		$(use hpn && maybe_fail hpn HPN_VER)

388

+		$(use sctp && maybe_fail sctp SCTP_PATCH)

389

+		$(use X509 && maybe_fail X509 X509_PATCH)

390

+	"

391

+	fail=$(echo ${fail})

392

+	if [[ -n ${fail} ]] ; then

393

+		eerror "Sorry, but this version does not yet support features"

394

+		eerror "that you requested:	 ${fail}"

395

+		eerror "Please mask ${PF} for now and check back later:"

396

+		eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"

397

+		die "booooo"

398

+	fi

399

+

400

+	# Make sure people who are using tcp wrappers are notified of its removal. #531156

401

+	if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then

402

+		ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"

403

+		ewarn "you're trying to use it.  Update your ${EROOT}/etc/hosts.{allow,deny} please."

404

+	fi

405

+}

406

+

407

+src_prepare() {

408

+	sed -i \

409

+		-e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \

410

+		pathnames.h || die

411

+

412

+	# don't break .ssh/authorized_keys2 for fun

413

+	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die

414

+

415

+	eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch

416

+	eapply "${FILESDIR}"/${PN}-8.5_p1-GSSAPI-dns.patch #165444 integrated into gsskex

417

+	eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch

418

+	eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch

419

+	eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch

420

+	eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch

421

+

422

+	# workaround for https://bugs.gentoo.org/734984

423

+	use X509 || eapply "${FILESDIR}"/${PN}-8.3_p1-sha2-include.patch

424

+

425

+	[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches

426

+

427

+	local PATCHSET_VERSION_MACROS=()

428

+

429

+	if use X509 ; then

430

+		pushd "${WORKDIR}" &>/dev/null || die

431

+		eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"

432

+		popd &>/dev/null || die

433

+

434

+		eapply "${WORKDIR}"/${X509_PATCH%.*}

435

+

436

+		# We need to patch package version or any X.509 sshd will reject our ssh client

437

+		# with "userauth_pubkey: could not parse key: string is too large [preauth]"

438

+		# error

439

+		einfo "Patching package version for X.509 patch set ..."

440

+		sed -i \

441

+			-e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \

442

+			"${S}"/configure.ac || die "Failed to patch package version for X.509 patch"

443

+

444

+		einfo "Patching version.h to expose X.509 patch set ..."

445

+		sed -i \

446

+			-e "/^#define SSH_PORTABLE.*/a #define SSH_X509               \"-PKIXSSH-${X509_VER}\"" \

447

+			"${S}"/version.h || die "Failed to sed-in X.509 patch version"

448

+		PATCHSET_VERSION_MACROS+=( 'SSH_X509' )

449

+	fi

450

+

451

+	if use sctp ; then

452

+		eapply "${WORKDIR}"/${SCTP_PATCH%.*}

453

+

454

+		einfo "Patching version.h to expose SCTP patch set ..."

455

+		sed -i \

456

+			-e "/^#define SSH_PORTABLE/a #define SSH_SCTP        \"-sctp-${SCTP_VER}\"" \

457

+			"${S}"/version.h || die "Failed to sed-in SCTP patch version"

458

+		PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )

459

+

460

+		einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."

461

+		sed -i \

462

+			-e "/\t\tcfgparse \\\/d" \

463

+			"${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"

464

+	fi

465

+

466

+	if use hpn ; then

467

+		local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"

468

+		mkdir "${hpn_patchdir}" || die

469

+		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die

470

+		pushd "${hpn_patchdir}" &>/dev/null || die

471

+		eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch

472

+		use X509 && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-X509-glue.patch

473

+		use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch

474

+		popd &>/dev/null || die

475

+

476

+		eapply "${hpn_patchdir}"

477

+

478

+		use X509 || eapply "${FILESDIR}/openssh-8.6_p1-hpn-version.patch"

479

+

480

+		einfo "Patching Makefile.in for HPN patch set ..."

481

+		sed -i \

482

+			-e "/^LIBS=/ s/\$/ -lpthread/" \

483

+			"${S}"/Makefile.in || die "Failed to patch Makefile.in"

484

+

485

+		einfo "Patching version.h to expose HPN patch set ..."

486

+		sed -i \

487

+			-e "/^#define SSH_PORTABLE/a #define SSH_HPN         \"-hpn${HPN_VER//./v}\"" \

488

+			"${S}"/version.h || die "Failed to sed-in HPN patch version"

489

+		PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )

490

+

491

+		if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then

492

+			einfo "Disabling known non-working MT AES cipher per default ..."

493

+

494

+			cat > "${T}"/disable_mtaes.conf <<- EOF

495

+

496

+			# HPN's Multi-Threaded AES CTR cipher is currently known to be broken

497

+			# and therefore disabled per default.

498

+			DisableMTAES yes

499

+			EOF

500

+			sed -i \

501

+				-e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \

502

+				"${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"

503

+

504

+			sed -i \

505

+				-e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \

506

+				"${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"

507

+		fi

508

+	fi

509

+

510

+	if use X509 || use sctp || use hpn ; then

511

+		einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."

512

+		sed -i \

513

+			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \

514

+			"${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"

515

+

516

+		einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."

517

+		sed -i \

518

+			-e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \

519

+			"${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"

520

+

521

+		einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."

522

+		sed -i \

523

+			-e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE     SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \

524

+			"${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"

525

+	fi

526

+

527

+	sed -i \

528

+		-e "/#UseLogin no/d" \

529

+		"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"

530

+

531

+	eapply_user #473004

532

+

533

+	# These tests are currently incompatible with PORTAGE_TMPDIR/sandbox

534

+	sed -e '/\t\tpercent \\/ d' \

535

+		-i regress/Makefile || die

536

+

537

+	tc-export PKG_CONFIG

538

+	local sed_args=(

539

+		-e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"

540

+		# Disable PATH reset, trust what portage gives us #254615

541

+		-e 's:^PATH=/:#PATH=/:'

542

+		# Disable fortify flags ... our gcc does this for us

543

+		-e 's:-D_FORTIFY_SOURCE=2::'

544

+	)

545

+

546

+	# The -ftrapv flag ICEs on hppa #505182

547

+	use hppa && sed_args+=(

548

+		-e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'

549

+		-e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'

550

+	)

551

+	# _XOPEN_SOURCE causes header conflicts on Solaris

552

+	[[ ${CHOST} == *-solaris* ]] && sed_args+=(

553

+		-e 's/-D_XOPEN_SOURCE//'

554

+	)

555

+	sed -i "${sed_args[@]}" configure{.ac,} || die

556

+

557

+	eautoreconf

558

+}

559

+

560

+src_configure() {

561

+	addwrite /dev/ptmx

562

+

563

+	use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG

564

+	use static && append-ldflags -static

565

+	use xmss && append-cflags -DWITH_XMSS

566

+

567

+	if [[ ${CHOST} == *-solaris* ]] ; then

568

+		# Solaris' glob.h doesn't have things like GLOB_TILDE, configure

569

+		# doesn't check for this, so force the replacement to be put in

570

+		# place

571

+		append-cppflags -DBROKEN_GLOB

572

+	fi

573

+

574

+	# use replacement, RPF_ECHO_ON doesn't exist here

575

+	[[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no

576

+

577

+	local myconf=(

578

+		--with-ldflags="${LDFLAGS}"

579

+		--disable-strip

580

+		--with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run

581

+		--sysconfdir="${EPREFIX}"/etc/ssh

582

+		--libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc

583

+		--datadir="${EPREFIX}"/usr/share/openssh

584

+		--with-privsep-path="${EPREFIX}"/var/empty

585

+		--with-privsep-user=sshd

586

+		$(use_with audit audit linux)

587

+		$(use_with kerberos kerberos5 "${EPREFIX}"/usr)

588

+		# We apply the sctp patch conditionally, so can't pass --without-sctp

589

+		# unconditionally else we get unknown flag warnings.

590

+		$(use sctp && use_with sctp)

591

+		$(use_with ldns ldns "${EPREFIX}"/usr)

592

+		$(use_with libedit)

593

+		$(use_with pam)

594

+		$(use_with pie)

595

+		$(use_with selinux)

596

+		$(usex X509 '' "$(use_with security-key security-key-builtin)")

597

+		$(use_with ssl openssl)

598

+		$(use_with ssl md5-passwords)

599

+		$(use_with ssl ssl-engine)

600

+		$(use_with !elibc_Cygwin hardening) #659210

601

+	)

602

+

603

+	if use elibc_musl; then

604

+		# stackprotect is broken on musl x86 and ppc

605

+		if use x86 || use ppc; then

606

+			myconf+=( --without-stackprotect )

607

+		fi

608

+

609

+		# musl defines bogus values for UTMP_FILE and WTMP_FILE

610

+		# https://bugs.gentoo.org/753230

611

+		myconf+=( --disable-utmp --disable-wtmp )

612

+	fi

613

+

614

+	# The seccomp sandbox is broken on x32, so use the older method for now. #553748

615

+	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )

616

+

617

+	econf "${myconf[@]}"

618

+}

619

+

620

+src_test() {

621

+	local t skipped=() failed=() passed=()

622

+	local tests=( interop-tests compat-tests )

623

+

624

+	local shell=$(egetshell "${UID}")

625

+	if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then

626

+		elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"

627

+		elog "user, so we will run a subset only."

628

+		skipped+=( tests )

629

+	else

630

+		tests+=( tests )

631

+	fi

632

+

633

+	# It will also attempt to write to the homedir .ssh.

634

+	local sshhome=${T}/homedir

635

+	mkdir -p "${sshhome}"/.ssh

636

+	for t in "${tests[@]}" ; do

637

+		# Some tests read from stdin ...

638

+		HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \

639

+			SUDO="" SSH_SK_PROVIDER="" \

640

+			TEST_SSH_UNSAFE_PERMISSIONS=1 \

641

+			emake -k -j1 ${t} </dev/null \

642

+				&& passed+=( "${t}" ) \

643

+				|| failed+=( "${t}" )

644

+	done

645

+

646

+	einfo "Passed tests: ${passed[*]}"

647

+	[[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"

648

+	[[ ${#failed[@]}  -gt 0 ]] && die "Some tests failed: ${failed[*]}"

649

+}

650

+

651

+# Gentoo tweaks to default config files.

652

+tweak_ssh_configs() {

653

+	local locale_vars=(

654

+		# These are language variables that POSIX defines.

655

+		# http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02

656

+		LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME

657

+

658

+		# These are the GNU extensions.

659

+		# https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html

660

+		LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE

661

+	)

662

+

663

+	# First the server config.

664

+	cat <<-EOF >> "${ED}"/etc/ssh/sshd_config

665

+

666

+	# Allow client to pass locale environment variables. #367017

667

+	AcceptEnv ${locale_vars[*]}

668

+

669

+	# Allow client to pass COLORTERM to match TERM. #658540

670

+	AcceptEnv COLORTERM

671

+	EOF

672

+

673

+	# Then the client config.

674

+	cat <<-EOF >> "${ED}"/etc/ssh/ssh_config

675

+

676

+	# Send locale environment variables. #367017

677

+	SendEnv ${locale_vars[*]}

678

+

679

+	# Send COLORTERM to match TERM. #658540

680

+	SendEnv COLORTERM

681

+	EOF

682

+

683

+	if use pam ; then

684

+		sed -i \

685

+			-e "/^#UsePAM /s:.*:UsePAM yes:" \

686

+			-e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \

687

+			-e "/^#PrintMotd /s:.*:PrintMotd no:" \

688

+			-e "/^#PrintLastLog /s:.*:PrintLastLog no:" \

689

+			"${ED}"/etc/ssh/sshd_config || die

690

+	fi

691

+

692

+	if use livecd ; then

693

+		sed -i \

694

+			-e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \

695

+			"${ED}"/etc/ssh/sshd_config || die

696

+	fi

697

+}

698

+

699

+src_install() {

700

+	emake install-nokeys DESTDIR="${D}"

701

+	fperms 600 /etc/ssh/sshd_config

702

+	dobin contrib/ssh-copy-id

703

+	newinitd "${FILESDIR}"/sshd-r1.initd sshd

704

+	newconfd "${FILESDIR}"/sshd-r1.confd sshd

705

+

706

+	if use pam; then

707

+		newpamd "${FILESDIR}"/sshd.pam_include.2 sshd

708

+	fi

709

+

710

+	tweak_ssh_configs

711

+

712

+	doman contrib/ssh-copy-id.1

713

+	dodoc CREDITS OVERVIEW README* TODO sshd_config

714

+	use hpn && dodoc HPN-README

715

+	use X509 || dodoc ChangeLog

716

+

717

+	diropts -m 0700

718

+	dodir /etc/skel/.ssh

719

+

720

+	# https://bugs.gentoo.org/733802

721

+	if ! use scp; then

722

+		rm -f "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \

723

+			|| die "failed to remove scp"

724

+	fi

725

+

726

+	rmdir "${ED}"/var/empty || die

727

+

728

+	systemd_dounit "${FILESDIR}"/sshd.{service,socket}

729

+	systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'

730

+}

731

+

732

+pkg_preinst() {

733

+	if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then

734

+		show_ssl_warning=1

735

+	fi

736

+}

737

+

738

+pkg_postinst() {

739

+	local old_ver

740

+	for old_ver in ${REPLACING_VERSIONS}; do

741

+		if ver_test "${old_ver}" -lt "5.8_p1"; then

742

+			elog "Starting with openssh-5.8p1, the server will default to a newer key"

743

+			elog "algorithm (ECDSA).  You are encouraged to manually update your stored"

744

+			elog "keys list as servers update theirs.  See ssh-keyscan(1) for more info."

745

+		fi

746

+		if ver_test "${old_ver}" -lt "7.0_p1"; then

747

+			elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."

748

+			elog "Make sure to update any configs that you might have.  Note that xinetd might"

749

+			elog "be an alternative for you as it supports USE=tcpd."

750

+		fi

751

+		if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518

752

+			elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"

753

+			elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"

754

+			elog "adding to your sshd_config or ~/.ssh/config files:"

755

+			elog "	PubkeyAcceptedKeyTypes=+ssh-dss"

756

+			elog "You should however generate new keys using rsa or ed25519."

757

+

758

+			elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"

759

+			elog "to 'prohibit-password'.  That means password auth for root users no longer works"

760

+			elog "out of the box.  If you need this, please update your sshd_config explicitly."

761

+		fi

762

+		if ver_test "${old_ver}" -lt "7.6_p1"; then

763

+			elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."

764

+			elog "Furthermore, rsa keys with less than 1024 bits will be refused."

765

+		fi

766

+		if ver_test "${old_ver}" -lt "7.7_p1"; then

767

+			elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."

768

+			elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"

769

+			elog "if you need to authenticate against LDAP."

770

+			elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."

771

+		fi

772

+		if ver_test "${old_ver}" -lt "8.2_p1"; then

773

+			ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"

774

+			ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"

775

+			ewarn "connection is generally safe."

776

+		fi

777

+	done

778

+

779

+	if [[ -n ${show_ssl_warning} ]]; then

780

+		elog "Be aware that by disabling openssl support in openssh, the server and clients"

781

+		elog "no longer support dss/rsa/ecdsa keys.  You will need to generate ed25519 keys"

782

+		elog "and update all clients/servers that utilize them."

783

+	fi

784

+

785

+	if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then

786

+		elog ""

787

+		elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"

788

+		elog "and therefore disabled at runtime per default."

789

+		elog "Make sure your sshd_config is up to date and contains"

790

+		elog ""

791

+		elog "  DisableMTAES yes"

792

+		elog ""

793

+		elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."

794

+		elog ""

795

+	fi

796

+}

Gentoo Archives: gentoo-commits