Gentoo Archives: gentoo-commits

From: Patrick McLean <chutzpah@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/files/, net-misc/openssh/
Date: Wed, 30 Sep 2020 20:58:02
Message-Id: 1601499370.9b824f616093a8dc1a79eafba1e4c50d62c0ee1d.chutzpah@gentoo
1 commit: 9b824f616093a8dc1a79eafba1e4c50d62c0ee1d
2 Author: Patrick McLean <patrick.mclean <AT> sony <DOT> com>
3 AuthorDate: Wed Sep 30 20:56:10 2020 +0000
4 Commit: Patrick McLean <chutzpah <AT> gentoo <DOT> org>
5 CommitDate: Wed Sep 30 20:56:10 2020 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9b824f61
7
8 net-misc/openssh-8.4_p1: Version bump (no X509 support yet)
9
10 Will revbump once the X509 patch gets updated.
11
12 Copyright: Sony Interactive Entertainment Inc.
13 Package-Manager: Portage-3.0.8, Repoman-3.0.1
14 Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org>
15
16 net-misc/openssh/Manifest | 5 +
17 .../files/openssh-8.4_p1-hpn-14.22-glue.patch | 94 ++++
18 .../files/openssh-8.4_p1-hpn-14.22-sctp-glue.patch | 18 +
19 net-misc/openssh/openssh-8.4_p1.ebuild | 508 +++++++++++++++++++++
20 4 files changed, 625 insertions(+)
21
22 diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
23 index 6bc6b039349..8683815ce7d 100644
24 --- a/net-misc/openssh/Manifest
25 +++ b/net-misc/openssh/Manifest
26 @@ -8,6 +8,11 @@ DIST openssh-8.2p1.tar.gz 1701197 BLAKE2B 8b95cdebc87e8d14f655ed13c12b91b122adf4
27 DIST openssh-8.3p1+x509-12.5.1.diff.gz 803054 BLAKE2B ec88959b4e3328e70d6f136f3d5bebced2e555de3ea40f55c535ca8a30a0eed84d177ad966e5bda46e1fc61d42141b13e96d068f5abfd069ae81b131dfb5a66c SHA512 28166a1a1aeff0c65f36263c0009e82cda81fc8f4efe3d11fabd0312d199a4f935476cf7074fbce68787d2fec0fd42f00fef383bf856a5767ce9d0ca6bbc8ef0
28 DIST openssh-8.3p1-sctp-1.2.patch.xz 7668 BLAKE2B abbc65253d842c09a04811bdbafc175c5226996cdd190812b47ce9646853cd5c1b21d733e719b481cce9c7f4dc00894b6d6be732e311850963df23b9dc55a0e6 SHA512 4e0cc1707663f902dfbf331a431325da78759cc757a4aaae33e0c7f64f21830ec805168d8ae4d47a65a20c235fa534679e288f922df2b24655b7d1ee9a3bf014
29 DIST openssh-8.3p1.tar.gz 1706358 BLAKE2B 0b53d92caa4a0f4cb40eee671ac889753d320b7c8e44df159a81dd8163c3663f07fa648f5dc506fb27d31893acf9701b997598c50bf204acf54172d72825a4d8 SHA512 b5232f7c85bf59ae2ff9d17b030117012e257e3b8c0d5ac60bb139a85b1fbf298b40f2e04203a2e13ca7273053ed668b9dedd54d3a67a7cb8e8e58c0228c5f40
30 +DIST openssh-8.4p1-sctp-1.2.patch.xz 7668 BLAKE2B 2e22d2a90723cea9ef958bd989b8c431fcb08b4dc5bfd3ebbf463ca9546dc37acdc185c35ddf3adbb90bde9b3902bf36524a456061a9bcbdef7a76ece79e2ff4 SHA512 90da34b7b86e52df9e0191c99c9d645a4d4671958adebeed46e1149102d4ba8c729eadb79d84fad9feac64aafa0541d2f1f4db8cdfe0af5ba893aac072ef2380
31 +DIST openssh-8.4p1.tar.gz 1742201 BLAKE2B 4b1e60d4962095df045c3a31bbf8af725b1c07324c4aa1f6b9a3ddb7e695c98e9aa01655b268f6fd6a400f511b23be91f6b89d07b14a6a2d92f873efb4d9c146 SHA512 d65275b082c46c5efe7cf3264fa6794d6e99a36d4a54b50554fc56979d6c0837381587fd5399195e1db680d2a5ad1ef0b99a180eac2b4de5637906cb7a89e9ce
32 DIST openssh-8_1_P1-hpn-AES-CTR-14.20.diff 29935 BLAKE2B 79101c43601e41306c957481c0680a63357d93bededdf12a32229d50acd9c1f46a386cbb91282e9e7d7bb26a9f276f5a675fd2de7662b7cbd073322b172d3bca SHA512 94f011b7e654630e968a378375aa54fa1fde087b4426d0f2225813262e6667a1073814d6a83e9005f97b371c536e462e614bfe726b092ffed8229791592ca221
33 DIST openssh-8_1_P1-hpn-DynWinNoneSwitch-14.20.diff 42696 BLAKE2B d8ac7fa1a4e4d1877acdedeaee80172da469b5a62d0aaa43d6ed46c578e7893577b9d563835d89ca2044867fc561ad3f562bf504c025cf4c78421cf3d24397e9 SHA512 768db7cca8839df4441afcb08457d13d32625b31859da527c3d7f1a92d17a4ec81d6987db00879c394bbe59589e57b10bfd98899a167ffed65ab367b1fd08739
34 DIST openssh-8_1_P1-hpn-PeakTput-14.20.diff 2012 BLAKE2B e42c43128f1d82b4de1517e6a9219947da03cecb607f1bc45f0728547f17601a6ce2ec819b6434890efd19ceaf4d20cb98183596ab5ee79e104a52cda7db9cdc SHA512 238f9419efd3be80bd700f6ae7e210e522d747c363c4e670364f5191f144ae3aa8d1b1539c0bf87b3de36743aa73e8101c53c0ef1c6472d209569be389e7814d
35 +DIST openssh-8_3_P1-hpn-AES-CTR-14.22.diff 29963 BLAKE2B 19b82f4ff820f52dafaa5b3f09f8a0a67f318771c1c7276b9d37e4a6412052c9c53347f880f2d78981af3830432704b9ad74b375241965326530ae23ec8d74a2 SHA512 49f2778831dc768850870a1755da9cdd7d3bc83fa87069070f5a1d357ce9bdadeb2506c8ff3c6b055708da12a70e9ede7ed0e8a29fcab441abb55c9d483663be
36 +DIST openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 42783 BLAKE2B 10940c35ae6bdc33e58bc9abd9cd7a551d4ca76a175400acb872906805bd04d384f57e81049b183d7d892ce1b5f7a138e197366369fe12e5c9dc1349850b0582 SHA512 c09162b96e0ffadc59c6076507bc843e6f8f2fb372140b84181f5fb2894225b1e05a831d85ba689c35c322b5a99302b9db77c324f978f1a46a16b185b3cb28dd
37 +DIST openssh-8_3_P1-hpn-PeakTput-14.22.diff 2012 BLAKE2B 701f46da022e7ecf35b57f41bf5682a37be453c175928d3ff3df09292275e6021f6108a20c02eec9d636e85ee5a8e05b7233ada180edf1209a3dc4b139d58858 SHA512 026f65c62e4c05b69661094d41bf338df608e2a9b23ef95588062e3bd68729733dae32adab783609a6eca810ccdcbddee25e7649a534c9a283a03282f73438bb
38
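Review bot: openssh-8.4p1-sctp-1.2.patch.xz is listed with exactly the same size (7668) as the existing openssh-8.3p1-sctp-1.2.patch.xz entry but with different BLAKE2B/SHA512 digests, and the ebuild fetches it from https://dev.gentoo.org/~chutzpah/dist/openssh/ rather than from upstream; please state in the commit message or the patch header how it was regenerated for 8.4p1 so the pinned digests can be reproduced and reviewed. The HPN entries added here are still the 8_3_P1 14.22 diffs, which matches HPN_PV="8.3_P1" in the ebuild, while the 8_1_P1 14.20 entries are kept; they should be dropped once no other ebuild in the directory references them.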
39 diff --git a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-glue.patch b/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-glue.patch
40 new file mode 100644
41 index 00000000000..884063c60f1
42 --- /dev/null
43 +++ b/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-glue.patch
44 @@ -0,0 +1,94 @@
45 +diff -ur a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff
46 +--- a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-09-28 13:15:17.780747192 -0700
47 ++++ b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-09-28 13:34:03.576552219 -0700
48 +@@ -409,18 +409,10 @@
49 + index e7abb341..c23276d4 100644
50 + --- a/packet.c
51 + +++ b/packet.c
52 +-@@ -961,6 +961,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
53 ++@@ -961,6 +961,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
54 + return 0;
55 + }
56 +
57 +-+/* this supports the forced rekeying required for the NONE cipher */
58 +-+int rekey_requested = 0;
59 +-+void
60 +-+packet_request_rekeying(void)
61 +-+{
62 +-+ rekey_requested = 1;
63 +-+}
64 +-+
65 + +/* used to determine if pre or post auth when rekeying for aes-ctr
66 + + * and none cipher switch */
67 + +int
68 +@@ -434,20 +426,6 @@
69 + #define MAX_PACKETS (1U<<31)
70 + static int
71 + ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
72 +-@@ -987,6 +1005,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
73 +- if (state->p_send.packets == 0 && state->p_read.packets == 0)
74 +- return 0;
75 +-
76 +-+ /* used to force rekeying when called for by the none
77 +-+ * cipher switch methods -cjr */
78 +-+ if (rekey_requested == 1) {
79 +-+ rekey_requested = 0;
80 +-+ return 1;
81 +-+ }
82 +-+
83 +- /* Time-based rekeying */
84 +- if (state->rekey_interval != 0 &&
85 +- (int64_t)state->rekey_time + state->rekey_interval <= monotime())
86 + diff --git a/packet.h b/packet.h
87 + index c2544bd9..ebd85c88 100644
88 + --- a/packet.h
89 +@@ -481,9 +459,9 @@
90 + oLocalCommand, oPermitLocalCommand, oRemoteCommand,
91 + + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
92 + + oNoneEnabled, oNoneSwitch,
93 ++ oDisableMTAES,
94 + oVisualHostKey,
95 + oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
96 +- oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
97 + @@ -294,6 +297,8 @@ static struct {
98 + { "kexalgorithms", oKexAlgorithms },
99 + { "ipqos", oIPQoS },
100 +@@ -615,9 +593,9 @@
101 + int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */
102 + SyslogFacility log_facility; /* Facility for system logging. */
103 + @@ -114,7 +118,10 @@ typedef struct {
104 +-
105 + int enable_ssh_keysign;
106 + int64_t rekey_limit;
107 ++ int disable_multithreaded; /*disable multithreaded aes-ctr*/
108 + + int none_switch; /* Use none cipher */
109 + + int none_enabled; /* Allow none to be used */
110 + int rekey_interval;
111 +@@ -700,9 +678,9 @@
112 + + options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
113 + + }
114 + +
115 ++ if (options->disable_multithreaded == -1)
116 ++ options->disable_multithreaded = 0;
117 + if (options->ip_qos_interactive == -1)
118 +- options->ip_qos_interactive = IPTOS_DSCP_AF21;
119 +- if (options->ip_qos_bulk == -1)
120 + @@ -519,6 +565,8 @@ typedef enum {
121 + sPasswordAuthentication, sKbdInteractiveAuthentication,
122 + sListenAddress, sAddressFamily,
123 +@@ -1081,11 +1059,11 @@
124 + xxx_host = host;
125 + xxx_hostaddr = hostaddr;
126 +
127 +-@@ -435,6 +446,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
128 ++@@ -435,7 +446,28 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
129 ++ }
130 ++ }
131 ++ #endif
132 +
133 +- if (!authctxt.success)
134 +- fatal("Authentication failed.");
135 +-+
136 + + /*
137 + + * If the user wants to use the none cipher, do it post authentication
138 + + * and only if the right conditions are met -- both of the NONE commands
139
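Review bot: the first two hunks of this glue drop the HPN forced-rekey machinery from the 8.3 DynWinNoneSwitch diff (`int rekey_requested = 0;`, `packet_request_rekeying(void)` and the `if (rekey_requested == 1)` check in ssh_packet_need_rekeying), yet nothing visible here or in the commit message explains how the post-authentication NONE cipher switch, which the remaining ssh_userauth2 hunk still adds, now triggers the rekey it relies on. A short header comment in the glue file stating the reason for the removal would make the next rebase safer to review. The `@@ -435,6 +446,28 @@` header is also rewritten to `@@ -435,7 +446,28 @@` with new `#endif` context lines; please confirm the rewritten hunk applies cleanly to the 8.4p1 ssh_userauth2 rather than only approximately.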
140 diff --git a/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-sctp-glue.patch b/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-sctp-glue.patch
141 new file mode 100644
142 index 00000000000..52ec42e37fd
143 --- /dev/null
144 +++ b/net-misc/openssh/files/openssh-8.4_p1-hpn-14.22-sctp-glue.patch
145 @@ -0,0 +1,18 @@
146 +diff -ur a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff
147 +--- a/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-09-28 16:42:34.168386903 -0700
148 ++++ b/openssh-8_3_P1-hpn-DynWinNoneSwitch-14.22.diff 2020-09-28 16:42:43.806325434 -0700
149 +@@ -1171,14 +1171,3 @@
150 + # Example of overriding settings on a per-user basis
151 + #Match User anoncvs
152 + # X11Forwarding no
153 +-diff --git a/version.h b/version.h
154 +-index a2eca3ec..ff654fc3 100644
155 +---- a/version.h
156 +-+++ b/version.h
157 +-@@ -3,4 +3,5 @@
158 +- #define SSH_VERSION "OpenSSH_8.3"
159 +-
160 +- #define SSH_PORTABLE "p1"
161 +--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
162 +-+#define SSH_HPN "-hpn14v22"
163 +-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
164
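Review bot: this glue only removes the version.h hunk (`#define SSH_HPN "-hpn14v22"` and the SSH_RELEASE redefinition) from the HPN diff, and the ebuild applies it only when both USE=hpn and USE=sctp are set (`use sctp && eapply "${FILESDIR}"/${PN}-8.4_p1-hpn-${HPN_VER}-sctp-glue.patch`). Since the ebuild later inserts its own `#define SSH_HPN` after SSH_PORTABLE and rewrites SSH_RELEASE from PATCHSET_VERSION_MACROS for every HPN build, a one-line header comment explaining that this hunk is stripped to avoid colliding with those sed edits would make the several version.h manipulations easier to follow; please also confirm that the non-sctp path, which relies on openssh-8.0_p1-hpn-version.patch instead, ends up with a single SSH_HPN definition.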
165 diff --git a/net-misc/openssh/openssh-8.4_p1.ebuild b/net-misc/openssh/openssh-8.4_p1.ebuild
166 new file mode 100644
167 index 00000000000..04544b8f1fd
168 --- /dev/null
169 +++ b/net-misc/openssh/openssh-8.4_p1.ebuild
170 @@ -0,0 +1,508 @@
171 +# Copyright 1999-2020 Gentoo Authors
172 +# Distributed under the terms of the GNU General Public License v2
173 +
174 +EAPI=7
175 +
176 +inherit user-info flag-o-matic multilib autotools pam systemd toolchain-funcs
177 +
178 +# Make it more portable between straight releases
179 +# and _p? releases.
180 +PARCH=${P/_}
181 +
182 +# PV to USE for HPN patches
183 +#HPN_PV="${PV^^}"
184 +HPN_PV="8.3_P1"
185 +
186 +HPN_VER="14.22"
187 +HPN_PATCHES=(
188 + ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
189 + ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
190 + ${PN}-${HPN_PV/./_}-hpn-PeakTput-${HPN_VER}.diff
191 +)
192 +
193 +SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
194 +#X509_VER="12.5.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
195 +
196 +DESCRIPTION="Port of OpenBSD's free SSH release"
197 +HOMEPAGE="https://www.openssh.com/"
198 +SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
199 + ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~chutzpah/dist/openssh/${SCTP_PATCH} )}
200 + ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/project/hpnssh/Patches/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
201 + ${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
202 +"
203 +S="${WORKDIR}/${PARCH}"
204 +
205 +LICENSE="BSD GPL-2"
206 +SLOT="0"
207 +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
208 +# Probably want to drop ssl defaulting to on in a future version.
209 +IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie +scp sctp security-key selinux +ssl static test X X509 xmss"
210 +
211 +RESTRICT="!test? ( test )"
212 +
213 +REQUIRED_USE="
214 + ldns? ( ssl )
215 + pie? ( !static )
216 + static? ( !kerberos !pam )
217 + X509? ( !sctp !security-key ssl !xmss )
218 + xmss? ( || ( ssl libressl ) )
219 + test? ( ssl )
220 +"
221 +
222 +LIB_DEPEND="
223 + audit? ( sys-process/audit[static-libs(+)] )
224 + ldns? (
225 + net-libs/ldns[static-libs(+)]
226 + !bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
227 + bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
228 + )
229 + libedit? ( dev-libs/libedit:=[static-libs(+)] )
230 + sctp? ( net-misc/lksctp-tools[static-libs(+)] )
231 + security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] )
232 + selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
233 + ssl? (
234 + !libressl? (
235 + || (
236 + (
237 + >=dev-libs/openssl-1.0.1:0[bindist=]
238 + <dev-libs/openssl-1.1.0:0[bindist=]
239 + )
240 + >=dev-libs/openssl-1.1.0g:0[bindist=]
241 + )
242 + dev-libs/openssl:0=[static-libs(+)]
243 + )
244 + libressl? ( dev-libs/libressl:0=[static-libs(+)] )
245 + )
246 + virtual/libcrypt:=[static-libs(+)]
247 + >=sys-libs/zlib-1.2.3:=[static-libs(+)]
248 +"
249 +RDEPEND="
250 + acct-group/sshd
251 + acct-user/sshd
252 + !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
253 + pam? ( sys-libs/pam )
254 + kerberos? ( virtual/krb5 )
255 +"
256 +DEPEND="${RDEPEND}
257 + virtual/os-headers
258 + kernel_linux? ( >=sys-kernel/linux-headers-5.1 )
259 + static? ( ${LIB_DEPEND} )
260 +"
261 +RDEPEND="${RDEPEND}
262 + pam? ( >=sys-auth/pambase-20081028 )
263 + userland_GNU? ( !prefix? ( sys-apps/shadow ) )
264 + X? ( x11-apps/xauth )
265 +"
266 +BDEPEND="
267 + virtual/pkgconfig
268 + sys-devel/autoconf
269 +"
270 +
271 +pkg_pretend() {
272 + # this sucks, but i'd rather have people unable to `emerge -u openssh`
273 + # than not be able to log in to their server any more
274 + maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
275 + local fail="
276 + $(use hpn && maybe_fail hpn HPN_VER)
277 + $(use sctp && maybe_fail sctp SCTP_PATCH)
278 + $(use X509 && maybe_fail X509 X509_PATCH)
279 + "
280 + fail=$(echo ${fail})
281 + if [[ -n ${fail} ]] ; then
282 + eerror "Sorry, but this version does not yet support features"
283 + eerror "that you requested: ${fail}"
284 + eerror "Please mask ${PF} for now and check back later:"
285 + eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
286 + die "booooo"
287 + fi
288 +
289 + # Make sure people who are using tcp wrappers are notified of its removal. #531156
290 + if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then
291 + ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
292 + ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please."
293 + fi
294 +}
295 +
296 +src_prepare() {
297 + sed -i \
298 + -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX}/usr/bin/xauth:" \
299 + pathnames.h || die
300 +
301 + # don't break .ssh/authorized_keys2 for fun
302 + sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
303 +
304 + eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
305 + eapply "${FILESDIR}"/${PN}-8.2_p1-GSSAPI-dns.patch #165444 integrated into gsskex
306 + eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
307 + eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
308 + eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
309 + eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
310 +
311 + # workaround for https://bugs.gentoo.org/734984
312 + use X509 || eapply "${FILESDIR}"/${PN}-8.3_p1-sha2-include.patch
313 +
314 + [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
315 +
316 + local PATCHSET_VERSION_MACROS=()
317 +
318 + if use X509 ; then
319 + pushd "${WORKDIR}" &>/dev/null || die
320 + eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
321 + popd &>/dev/null || die
322 +
323 + eapply "${WORKDIR}"/${X509_PATCH%.*}
324 +
325 + # We need to patch package version or any X.509 sshd will reject our ssh client
326 + # with "userauth_pubkey: could not parse key: string is too large [preauth]"
327 + # error
328 + einfo "Patching package version for X.509 patch set ..."
329 + sed -i \
330 + -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
331 + "${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
332 +
333 + einfo "Patching version.h to expose X.509 patch set ..."
334 + sed -i \
335 + -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
336 + "${S}"/version.h || die "Failed to sed-in X.509 patch version"
337 + PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
338 + fi
339 +
340 + if use sctp ; then
341 + eapply "${WORKDIR}"/${SCTP_PATCH%.*}
342 +
343 + einfo "Patching version.h to expose SCTP patch set ..."
344 + sed -i \
345 + -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
346 + "${S}"/version.h || die "Failed to sed-in SCTP patch version"
347 + PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
348 +
349 + einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
350 + sed -i \
351 + -e "/\t\tcfgparse \\\/d" \
352 + "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
353 + fi
354 +
355 + if use hpn ; then
356 + local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
357 + mkdir "${hpn_patchdir}" || die
358 + cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die
359 + pushd "${hpn_patchdir}" &>/dev/null || die
360 + eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch
361 + if use X509; then
362 + # einfo "Will disable MT AES cipher due to incompatbility caused by X509 patch set"
363 + # # X509 and AES-CTR-MT don't get along, let's just drop it
364 + # rm openssh-${HPN_PV//./_}-hpn-AES-CTR-${HPN_VER}.diff || die
365 +
366 + eapply "${FILESDIR}"/${PN}-8.2_p1-hpn-${HPN_VER}-X509-glue.patch
367 + fi
368 + use sctp && eapply "${FILESDIR}"/${PN}-8.4_p1-hpn-${HPN_VER}-sctp-glue.patch
369 + popd &>/dev/null || die
370 +
371 + eapply "${hpn_patchdir}"
372 +
373 + use X509 || eapply "${FILESDIR}/openssh-8.0_p1-hpn-version.patch"
374 +
375 + einfo "Patching Makefile.in for HPN patch set ..."
376 + sed -i \
377 + -e "/^LIBS=/ s/\$/ -lpthread/" \
378 + "${S}"/Makefile.in || die "Failed to patch Makefile.in"
379 +
380 + einfo "Patching version.h to expose HPN patch set ..."
381 + sed -i \
382 + -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
383 + "${S}"/version.h || die "Failed to sed-in HPN patch version"
384 + PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
385 +
386 + if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
387 + einfo "Disabling known non-working MT AES cipher per default ..."
388 +
389 + cat > "${T}"/disable_mtaes.conf <<- EOF
390 +
391 + # HPN's Multi-Threaded AES CTR cipher is currently known to be broken
392 + # and therefore disabled per default.
393 + DisableMTAES yes
394 + EOF
395 + sed -i \
396 + -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
397 + "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
398 +
399 + sed -i \
400 + -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
401 + "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
402 + fi
403 + fi
404 +
405 + if use X509 || use sctp || use hpn ; then
406 + einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
407 + sed -i \
408 + -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
409 + "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
410 +
411 + einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
412 + sed -i \
413 + -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
414 + "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
415 +
416 + einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
417 + sed -i \
418 + -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
419 + "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
420 + fi
421 +
422 + sed -i \
423 + -e "/#UseLogin no/d" \
424 + "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
425 +
426 + eapply_user #473004
427 +
428 + # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox
429 + sed -e '/\t\tpercent \\/ d' \
430 + -i regress/Makefile || die
431 +
432 + tc-export PKG_CONFIG
433 + local sed_args=(
434 + -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
435 + # Disable PATH reset, trust what portage gives us #254615
436 + -e 's:^PATH=/:#PATH=/:'
437 + # Disable fortify flags ... our gcc does this for us
438 + -e 's:-D_FORTIFY_SOURCE=2::'
439 + )
440 +
441 + # The -ftrapv flag ICEs on hppa #505182
442 + use hppa && sed_args+=(
443 + -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
444 + -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
445 + )
446 + # _XOPEN_SOURCE causes header conflicts on Solaris
447 + [[ ${CHOST} == *-solaris* ]] && sed_args+=(
448 + -e 's/-D_XOPEN_SOURCE//'
449 + )
450 + sed -i "${sed_args[@]}" configure{.ac,} || die
451 +
452 + eautoreconf
453 +}
454 +
455 +src_configure() {
456 + addwrite /dev/ptmx
457 +
458 + use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
459 + use static && append-ldflags -static
460 + use xmss && append-cflags -DWITH_XMSS
461 +
462 + if [[ ${CHOST} == *-solaris* ]] ; then
463 + # Solaris' glob.h doesn't have things like GLOB_TILDE, configure
464 + # doesn't check for this, so force the replacement to be put in
465 + # place
466 + append-cppflags -DBROKEN_GLOB
467 + fi
468 +
469 + local myconf=(
470 + --with-ldflags="${LDFLAGS}"
471 + --disable-strip
472 + --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
473 + --sysconfdir="${EPREFIX}"/etc/ssh
474 + --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc
475 + --datadir="${EPREFIX}"/usr/share/openssh
476 + --with-privsep-path="${EPREFIX}"/var/empty
477 + --with-privsep-user=sshd
478 + $(use_with audit audit linux)
479 + $(use_with kerberos kerberos5 "${EPREFIX}"/usr)
480 + # We apply the sctp patch conditionally, so can't pass --without-sctp
481 + # unconditionally else we get unknown flag warnings.
482 + $(use sctp && use_with sctp)
483 + $(use_with ldns ldns "${EPREFIX}"/usr)
484 + $(use_with libedit)
485 + $(use_with pam)
486 + $(use_with pie)
487 + $(use_with selinux)
488 + $(usex X509 '' "$(use_with security-key security-key-builtin)")
489 + $(use_with ssl openssl)
490 + $(use_with ssl md5-passwords)
491 + $(use_with ssl ssl-engine)
492 + $(use_with !elibc_Cygwin hardening) #659210
493 + )
494 +
495 + # stackprotect is broken on musl x86 and ppc
496 + use elibc_musl && ( use x86 || use ppc ) && myconf+=( --without-stackprotect )
497 +
498 + # The seccomp sandbox is broken on x32, so use the older method for now. #553748
499 + use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
500 +
501 + econf "${myconf[@]}"
502 +}
503 +
504 +src_test() {
505 + local t skipped=() failed=() passed=()
506 + local tests=( interop-tests compat-tests )
507 +
508 + local shell=$(egetshell "${UID}")
509 + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
510 + elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
511 + elog "user, so we will run a subset only."
512 + skipped+=( tests )
513 + else
514 + tests+=( tests )
515 + fi
516 +
517 + # It will also attempt to write to the homedir .ssh.
518 + local sshhome=${T}/homedir
519 + mkdir -p "${sshhome}"/.ssh
520 + for t in "${tests[@]}" ; do
521 + # Some tests read from stdin ...
522 + HOMEDIR="${sshhome}" HOME="${sshhome}" TMPDIR="${T}" \
523 + SUDO="" SSH_SK_PROVIDER="" \
524 + TEST_SSH_UNSAFE_PERMISSIONS=1 \
525 + emake -k -j1 ${t} </dev/null \
526 + && passed+=( "${t}" ) \
527 + || failed+=( "${t}" )
528 + done
529 +
530 + einfo "Passed tests: ${passed[*]}"
531 + [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
532 + [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
533 +}
534 +
535 +# Gentoo tweaks to default config files.
536 +tweak_ssh_configs() {
537 + local locale_vars=(
538 + # These are language variables that POSIX defines.
539 + # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
540 + LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
541 +
542 + # These are the GNU extensions.
543 + # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
544 + LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
545 + )
546 +
547 + # First the server config.
548 + cat <<-EOF >> "${ED}"/etc/ssh/sshd_config
549 +
550 + # Allow client to pass locale environment variables. #367017
551 + AcceptEnv ${locale_vars[*]}
552 +
553 + # Allow client to pass COLORTERM to match TERM. #658540
554 + AcceptEnv COLORTERM
555 + EOF
556 +
557 + # Then the client config.
558 + cat <<-EOF >> "${ED}"/etc/ssh/ssh_config
559 +
560 + # Send locale environment variables. #367017
561 + SendEnv ${locale_vars[*]}
562 +
563 + # Send COLORTERM to match TERM. #658540
564 + SendEnv COLORTERM
565 + EOF
566 +
567 + if use pam ; then
568 + sed -i \
569 + -e "/^#UsePAM /s:.*:UsePAM yes:" \
570 + -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
571 + -e "/^#PrintMotd /s:.*:PrintMotd no:" \
572 + -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
573 + "${ED}"/etc/ssh/sshd_config || die
574 + fi
575 +
576 + if use livecd ; then
577 + sed -i \
578 + -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
579 + "${ED}"/etc/ssh/sshd_config || die
580 + fi
581 +}
582 +
583 +src_install() {
584 + emake install-nokeys DESTDIR="${D}"
585 + fperms 600 /etc/ssh/sshd_config
586 + dobin contrib/ssh-copy-id
587 + newinitd "${FILESDIR}"/sshd-r1.initd sshd
588 + newconfd "${FILESDIR}"/sshd-r1.confd sshd
589 +
590 + newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
591 +
592 + tweak_ssh_configs
593 +
594 + doman contrib/ssh-copy-id.1
595 + dodoc CREDITS OVERVIEW README* TODO sshd_config
596 + use hpn && dodoc HPN-README
597 + use X509 || dodoc ChangeLog
598 +
599 + diropts -m 0700
600 + dodir /etc/skel/.ssh
601 +
602 + # https://bugs.gentoo.org/733802
603 + if ! use scp; then
604 + rm "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \
605 + || die "failed to remove scp"
606 + fi
607 +
608 + keepdir /var/empty
609 +
610 + systemd_dounit "${FILESDIR}"/sshd.{service,socket}
611 + systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
612 +}
613 +
614 +pkg_preinst() {
615 + if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then
616 + show_ssl_warning=1
617 + fi
618 +}
619 +
620 +pkg_postinst() {
621 + local old_ver
622 + for old_ver in ${REPLACING_VERSIONS}; do
623 + if ver_test "${old_ver}" -lt "5.8_p1"; then
624 + elog "Starting with openssh-5.8p1, the server will default to a newer key"
625 + elog "algorithm (ECDSA). You are encouraged to manually update your stored"
626 + elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
627 + fi
628 + if ver_test "${old_ver}" -lt "7.0_p1"; then
629 + elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
630 + elog "Make sure to update any configs that you might have. Note that xinetd might"
631 + elog "be an alternative for you as it supports USE=tcpd."
632 + fi
633 + if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518
634 + elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
635 + elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
636 + elog "adding to your sshd_config or ~/.ssh/config files:"
637 + elog " PubkeyAcceptedKeyTypes=+ssh-dss"
638 + elog "You should however generate new keys using rsa or ed25519."
639 +
640 + elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
641 + elog "to 'prohibit-password'. That means password auth for root users no longer works"
642 + elog "out of the box. If you need this, please update your sshd_config explicitly."
643 + fi
644 + if ver_test "${old_ver}" -lt "7.6_p1"; then
645 + elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
646 + elog "Furthermore, rsa keys with less than 1024 bits will be refused."
647 + fi
648 + if ver_test "${old_ver}" -lt "7.7_p1"; then
649 + elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
650 + elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
651 + elog "if you need to authenticate against LDAP."
652 + elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
653 + fi
654 + if ver_test "${old_ver}" -lt "8.2_p1"; then
655 + ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you"
656 + ewarn "will not be able to establish new sessions. Restarting sshd over a ssh"
657 + ewarn "connection is generally safe."
658 + fi
659 + done
660 +
661 + if [[ -n ${show_ssl_warning} ]]; then
662 + elog "Be aware that by disabling openssl support in openssh, the server and clients"
663 + elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
664 + elog "and update all clients/servers that utilize them."
665 + fi
666 +
667 + if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
668 + elog ""
669 + elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
670 + elog "and therefore disabled at runtime per default."
671 + elog "Make sure your sshd_config is up to date and contains"
672 + elog ""
673 + elog " DisableMTAES yes"
674 + elog ""
675 + elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
676 + elog ""
677 + fi
678 +}
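Review bot: `HPN_DISABLE_MTAES` is tested in src_prepare (`if [[ -n "${HPN_DISABLE_MTAES}" ]]`) and in pkg_postinst but is never assigned anywhere in the ebuild, so the safeguard that writes `DisableMTAES yes` into sshd_config and the matching post-install warning are inert unless the variable leaks in from the build environment; either set it explicitly next to HPN_VER with a comment, or drop both blocks so a reader is not led to believe the known-broken multi-threaded AES-CTR cipher is disabled by default. Two smaller points: with X509_PATCH commented out, USE=X509 now dies in pkg_pretend (intended per the commit message), so the X509 branches in src_prepare are unreachable until the revbump, and the line `eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"` has its quoting split oddly around ${X509_VER} and could be tidied at that point; and the x32 fallback `--with-sandbox=rlimit` selects a weaker pre-auth sandbox than the seccomp one used elsewhere, which deserves an ewarn or at least a comment beyond the bug reference.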