Gentoo Archives: gentoo-commits

From: Thomas Deutschmann <whissi@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh/, net-misc/openssh/files/
Date: Wed, 09 Oct 2019 16:18:18
Message-Id: 1570637849.0148cb4b99350b09cc7eaa229ad42d4b6009d0e9.whissi@gentoo
1 commit: 0148cb4b99350b09cc7eaa229ad42d4b6009d0e9
2 Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
3 AuthorDate: Wed Oct 9 16:17:12 2019 +0000
4 Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
5 CommitDate: Wed Oct 9 16:17:29 2019 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0148cb4b
7
8 net-misc/openssh: fix integer overflows
9
10 - Fix integer overflow in XMSS private key parsing
11 - Fix an unreachable integer overflow similar to the XMSS case
12 - Fix putty tests
13
14 Closes: https://bugs.gentoo.org/493866
15 Bug: https://bugs.gentoo.org/697046
16 Package-Manager: Portage-2.3.76, Repoman-2.3.17
17 Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>
18
19 net-misc/openssh/Manifest | 1 +
20 ...integer-overflow-similar-to-the-XMSS-case.patch | 76 ++++
21 ...eger-overflow-in-XMSS-private-key-parsing.patch | 14 +
22 .../files/openssh-8.0_p1-fix-putty-tests.patch | 57 +++
23 net-misc/openssh/openssh-8.0_p1-r4.ebuild | 467 +++++++++++++++++++++
24 5 files changed, 615 insertions(+)
25
26 diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest
27 index d6d9347cc46..bd50ff4493c 100644
28 --- a/net-misc/openssh/Manifest
29 +++ b/net-misc/openssh/Manifest
30 @@ -13,6 +13,7 @@ DIST openssh-7.9p1-sctp-1.2.patch.xz 7360 BLAKE2B 60e209371ecac24d0b60e48459d4d4
31 DIST openssh-7.9p1.tar.gz 1565384 BLAKE2B de15795e03d33d4f9fe4792f6b14500123230b6c00c1e5bd7207bb6d6bf6df0b2e057c1b1de0fee709f58dd159203fdd69fe1473118a6baedebaa0c1c4c55b59 SHA512 0412c9c429c9287f0794023951469c8e6ec833cdb55821bfa0300dd90d0879ff60484f620cffd93372641ab69bf0b032c2d700ccc680950892725fb631b7708e
32 DIST openssh-7_8_P1-hpn-AES-CTR-14.16.diff 29231 BLAKE2B e25877c5e22f674e6db5a0bc107e5daa2509fe762fb14ce7bb2ce9a115e8177a93340c1d19247b6c2c854b7e1f9ae9af9fd932e5fa9c0a6b2ba438cd11a42991 SHA512 1867fb94c29a51294a71a3ec6a299757565a7cda5696118b0b346ed9c78f2c81bb1b888cff5e3418776b2fa277a8f070c5eb9327bb005453e2ffd72d35cdafa7
33 DIST openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 43356 BLAKE2B 776fa140d64a16c339b46a7c773258d2f4fe44e48b16abccad1a8757a51cb6362722fc5f42c39159af12849f5c88cf574de64815085c97157e16653f18d4909b SHA512 53f2752b7aa02719c8dfe0fe0ef16e874101ba2ba87924aa1122cd445ece218ca09c22abaa3377307f25d459579bc28d3854e2402c71b794db65d58cdd1ebc08
34 +DIST openssh-8.0p1+x509-12.1-gentoo.diff.gz 680853 BLAKE2B b24ee61d6328bf2de8384d6ecbfc5ae0be4719a3c7a2d714be3a144d327bba5038e7e36ffcc313af2a8a94960ce1f56387654d2d21920af51826af61957aa4cc SHA512 178728139473b277fe50a03f37be50b3f8e539cea8f5937ddfe710082944e799d845cdb5994f585c13564c4a89b80ccf75e87753102aebacdb4c590f0b8a1482
35 DIST openssh-8.0p1+x509-12.1.diff.gz 680389 BLAKE2B b1e353c496dd6dbd104c32bc5e9a3f055673a7876944d39c80f185cdb589d09b8d509754f04f2e051ceef2b39a3d810ba00b8894a4b67c7a6a0170a4ed0518a5 SHA512 831988d636a19e89a881616e07e38bc6ca44e90443b2bbf290fab3f120877e2eef60f21ad6e0c64098d07e09379f9f73f0ce2e5df975aa1bd43944582f8b8b3e
36 DIST openssh-8.0p1-sctp-1.2.patch.xz 7348 BLAKE2B bc3d3815f1ef5dbab605b93182a00c2fec258f49d56684defb6564d2b60886429c615a7ab076cc071a590f9df0908b1862ceb0961b7e6f6d1090237fec9035d3 SHA512 2f9f774286db75d0240e6fb01655a8a193fb2a5dc4596ad68ed22d64f97c9c46dad61a06478f2e972fd37cbad4d9aca5829bb91097cc56638601ff94a972b24f
37 DIST openssh-8.0p1.tar.gz 1597697 BLAKE2B 5ba79872eabb3b3964d95a8cdd690bfe0323f018d7f944d4e1acb52576c9f6d7a1ddac15e88dc42eac6ecbfabfad1c228e303a2262588769e307c38107a4cd54 SHA512 e280fa2d56f550efd37c5d2477670326261aa8b94d991f9eb17aad90e0c6c9c939efa90fe87d33260d0f709485cb05c379f0fd1bd44fc0d5190298b6398c9982
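Review bot: the new `openssh-8.0p1+x509-12.1-gentoo.diff.gz` entry is a Gentoo respin of the upstream `openssh-8.0p1+x509-12.1.diff.gz` that stays in the Manifest on the next line, but nothing in this commit says what the respin changes; the only hint is the commented-out block in the ebuild's src_prepare saying the `-gentoo` patch "contains the changes from below" (the former X509-glue and dont-make-piddir patches). Please record that delta in the commit message or, better, keep the upstream diff plus a small glue patch under files/ so a reviewer can verify the 680853-byte blob fetched from a developer's dist space against upstream instead of trusting it on the strength of its checksums alone.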
38
39 diff --git a/net-misc/openssh/files/openssh-8.0_p1-fix-an-unreachable-integer-overflow-similar-to-the-XMSS-case.patch b/net-misc/openssh/files/openssh-8.0_p1-fix-an-unreachable-integer-overflow-similar-to-the-XMSS-case.patch
40 new file mode 100644
41 index 00000000000..bffc591ef66
42 --- /dev/null
43 +++ b/net-misc/openssh/files/openssh-8.0_p1-fix-an-unreachable-integer-overflow-similar-to-the-XMSS-case.patch
44 @@ -0,0 +1,76 @@
45 +https://github.com/openssh/openssh-portable/commit/29e0ecd9b4eb3b9f305e2240351f0c59cad9ef81
46 +
47 +--- a/sshkey.c
48 ++++ b/sshkey.c
49 +@@ -3209,6 +3209,10 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
50 + if ((r = sshkey_froms(buf, &k)) != 0 ||
51 + (r = sshbuf_get_bignum2(buf, &dsa_priv_key)) != 0)
52 + goto out;
53 ++ if (k->type != type) {
54 ++ r = SSH_ERR_INVALID_FORMAT;
55 ++ goto out;
56 ++ }
57 + if (!DSA_set0_key(k->dsa, NULL, dsa_priv_key)) {
58 + r = SSH_ERR_LIBCRYPTO_ERROR;
59 + goto out;
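Review bot: the new `k->type != type` check in the DSA case is placed after `sshbuf_get_bignum2(buf, &dsa_priv_key)` rather than directly after `sshkey_froms(buf, &k)`, so a blob whose embedded public key is not DSA still has a bignum parsed before it is rejected. That is harmless, but moving the check up would fail earlier, and the reason for it deserves a one-line comment: `sshkey_froms()` trusts the type string carried inside the blob, and without this comparison the following `DSA_set0_key(k->dsa, NULL, dsa_priv_key)` would operate on a key object that was built for a different algorithm than the outer `type` announced.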
60 +@@ -3252,6 +3256,11 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
61 + if ((r = sshkey_froms(buf, &k)) != 0 ||
62 + (r = sshbuf_get_bignum2(buf, &exponent)) != 0)
63 + goto out;
64 ++ if (k->type != type ||
65 ++ k->ecdsa_nid != sshkey_ecdsa_nid_from_name(tname)) {
66 ++ r = SSH_ERR_INVALID_FORMAT;
67 ++ goto out;
68 ++ }
69 + if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) {
70 + r = SSH_ERR_LIBCRYPTO_ERROR;
71 + goto out;
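Review bot: the ECDSA case is the only one that cross-checks more than the type, comparing `k->ecdsa_nid` against `sshkey_ecdsa_nid_from_name(tname)`; that is correct, since `k->type == type` alone would accept a blob that advertises one NIST curve in the outer name and carries a public point for another, and `EC_KEY_set_private_key(k->ecdsa, exponent)` would then pair a scalar with the wrong group. `tname` is not visible in this hunk, so please confirm it is the outer type name read before `sshkey_froms()` and not derived from `k` itself, otherwise the nid comparison is a tautology.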
72 +@@ -3296,6 +3305,10 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
73 + (r = sshbuf_get_bignum2(buf, &rsa_p)) != 0 ||
74 + (r = sshbuf_get_bignum2(buf, &rsa_q)) != 0)
75 + goto out;
76 ++ if (k->type != type) {
77 ++ r = SSH_ERR_INVALID_FORMAT;
78 ++ goto out;
79 ++ }
80 + if (!RSA_set0_key(k->rsa, NULL, NULL, rsa_d)) {
81 + r = SSH_ERR_LIBCRYPTO_ERROR;
82 + goto out;
83 +@@ -3333,13 +3346,17 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
84 + (r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 ||
85 + (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0)
86 + goto out;
87 ++ if (k->type != type) {
88 ++ r = SSH_ERR_INVALID_FORMAT;
89 ++ goto out;
90 ++ }
91 + if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) {
92 + r = SSH_ERR_INVALID_FORMAT;
93 + goto out;
94 + }
95 + k->ed25519_pk = ed25519_pk;
96 + k->ed25519_sk = ed25519_sk;
97 +- ed25519_pk = ed25519_sk = NULL;
98 ++ ed25519_pk = ed25519_sk = NULL; /* transferred */
99 + break;
100 + #ifdef WITH_XMSS
101 + case KEY_XMSS:
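Review bot: the `/* transferred */` comment added to `ed25519_pk = ed25519_sk = NULL;` is a cosmetic change riding along in a security backport; harmless, but it enlarges the sshkey.c footprint that the X509 diff applied later in src_prepare has to apply on top of, so consider dropping it from the Gentoo copy. On the substantive part, the new type check runs before the `pklen`/`sklen` length test, so a blob whose embedded key is not Ed25519 is rejected before the parsed strings are assigned to `k->ed25519_pk` and `k->ed25519_sk`, which is the right order.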
102 +@@ -3370,7 +3387,7 @@ sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
103 + (r = sshbuf_get_string(buf, &xmss_pk, &pklen)) != 0 ||
104 + (r = sshbuf_get_string(buf, &xmss_sk, &sklen)) != 0)
105 + goto out;
106 +- if (strcmp(xmss_name, k->xmss_name)) {
107 ++ if (k->type != type || strcmp(xmss_name, k->xmss_name) != 0) {
108 + r = SSH_ERR_INVALID_FORMAT;
109 + goto out;
110 + }
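Review bot: rewriting `if (strcmp(xmss_name, k->xmss_name))` as `strcmp(...) != 0` is a style change bundled with the real fix (`k->type != type`); fine, but the `||` ordering matters and should stay as written: the type comparison short-circuits, so `k->xmss_name` is only dereferenced for the string compare once `k` is known to be an XMSS key. Note also that this whole case sits inside `#ifdef WITH_XMSS`, so the check only exists in builds compiled with `-DWITH_XMSS`, which the ebuild passes only for USE=xmss.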
111 +@@ -3877,7 +3894,8 @@ sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase,
112 + }
113 +
114 + /* check that an appropriate amount of auth data is present */
115 +- if (sshbuf_len(decoded) < encrypted_len + authlen) {
116 ++ if (sshbuf_len(decoded) < authlen ||
117 ++ sshbuf_len(decoded) - authlen < encrypted_len) {
118 + r = SSH_ERR_INVALID_FORMAT;
119 + goto out;
120 + }
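Review bot: the split `sshbuf_len(decoded) < authlen || sshbuf_len(decoded) - authlen < encrypted_len` is the correct way to remove the wrap in `encrypted_len + authlen`; the old form passed whenever the sum overflowed to a small value, which defeats the "appropriate amount of auth data" check the comment describes. The first clause is what makes the second safe, because it guarantees `sshbuf_len(decoded) - authlen` cannot itself underflow; worth a comment, and worth stating in the patch header that `encrypted_len` is read from the key file so the next reader sees why an unsigned addition here was a problem at all.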
121
122 diff --git a/net-misc/openssh/files/openssh-8.0_p1-fix-integer-overflow-in-XMSS-private-key-parsing.patch b/net-misc/openssh/files/openssh-8.0_p1-fix-integer-overflow-in-XMSS-private-key-parsing.patch
123 new file mode 100644
124 index 00000000000..ba0bd02371d
125 --- /dev/null
126 +++ b/net-misc/openssh/files/openssh-8.0_p1-fix-integer-overflow-in-XMSS-private-key-parsing.patch
127 @@ -0,0 +1,14 @@
128 +https://github.com/openssh/openssh-portable/commit/a546b17bbaeb12beac4c9aeed56f74a42b18a93a
129 +
130 +--- a/sshkey-xmss.c
131 ++++ b/sshkey-xmss.c
132 +@@ -977,7 +977,8 @@ sshkey_xmss_decrypt_state(const struct sshkey *k, struct sshbuf *encoded,
133 + goto out;
134 + }
135 + /* check that an appropriate amount of auth data is present */
136 +- if (sshbuf_len(encoded) < encrypted_len + authlen) {
137 ++ if (sshbuf_len(encoded) < authlen ||
138 ++ sshbuf_len(encoded) - authlen < encrypted_len) {
139 + r = SSH_ERR_INVALID_FORMAT;
140 + goto out;
141 + }
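Review bot: same transformation as the `sshkey_parse_private2` hunk in the sibling patch and equally correct, but sshkey-xmss.c is only compiled with `-DWITH_XMSS`, which the ebuild adds only for USE=xmss (`use xmss && append-cflags -DWITH_XMSS`), so for the default build this patch changes nothing. The commit message line "Fix integer overflow in XMSS private key parsing" reads as a fix every user receives; it would help to say it is USE=xmss only, and that the sshkey.c patch is the one compiled into every build (even though upstream's own title calls that overflow unreachable).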
142
143 diff --git a/net-misc/openssh/files/openssh-8.0_p1-fix-putty-tests.patch b/net-misc/openssh/files/openssh-8.0_p1-fix-putty-tests.patch
144 new file mode 100644
145 index 00000000000..4310aa123fc
146 --- /dev/null
147 +++ b/net-misc/openssh/files/openssh-8.0_p1-fix-putty-tests.patch
148 @@ -0,0 +1,57 @@
149 +Make sure that host keys are already accepted before
150 +running tests.
151 +
152 +https://bugs.gentoo.org/493866
153 +
154 +--- a/regress/putty-ciphers.sh
155 ++++ b/regress/putty-ciphers.sh
156 +@@ -10,11 +10,17 @@ fi
157 +
158 + for c in aes 3des aes128-ctr aes192-ctr aes256-ctr ; do
159 + verbose "$tid: cipher $c"
160 ++ rm -f ${COPY}
161 + cp ${OBJ}/.putty/sessions/localhost_proxy \
162 + ${OBJ}/.putty/sessions/cipher_$c
163 + echo "Cipher=$c" >> ${OBJ}/.putty/sessions/cipher_$c
164 +
165 +- rm -f ${COPY}
166 ++ env HOME=$PWD echo "y" | ${PLINK} -load cipher_$c \
167 ++ -i ${OBJ}/putty.rsa2 "exit"
168 ++ if [ $? -ne 0 ]; then
169 ++ fail "failed to pre-cache host key"
170 ++ fi
171 ++
172 + env HOME=$PWD ${PLINK} -load cipher_$c -batch -i ${OBJ}/putty.rsa2 \
173 + cat ${DATA} > ${COPY}
174 + if [ $? -ne 0 ]; then
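Review bot: `env HOME=$PWD echo "y" | ${PLINK} -load cipher_$c ...` applies `HOME=$PWD` to `echo`, not to plink; plink on the right-hand side of the pipe inherits the caller's HOME, so it looks for the `cipher_$c` session and writes the cached host key under the caller's `~/.putty` rather than under `$PWD/.putty` where the existing `-batch` invocation two lines below (which does get `HOME=$PWD`) expects them. Write it as `echo "y" | env HOME=$PWD ${PLINK} -load cipher_$c -i ${OBJ}/putty.rsa2 "exit"`; the same fix is needed in the putty-kex.sh and putty-transfer.sh hunks. Moving `rm -f ${COPY}` to the top of the loop body is fine.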
175 +--- a/regress/putty-kex.sh
176 ++++ b/regress/putty-kex.sh
177 +@@ -14,6 +14,12 @@ for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ; do
178 + ${OBJ}/.putty/sessions/kex_$k
179 + echo "KEX=$k" >> ${OBJ}/.putty/sessions/kex_$k
180 +
181 ++ env HOME=$PWD echo "y" | ${PLINK} -load kex_$k \
182 ++ -i ${OBJ}/putty.rsa2 "exit"
183 ++ if [ $? -ne 0 ]; then
184 ++ fail "failed to pre-cache host key"
185 ++ fi
186 ++
187 + env HOME=$PWD ${PLINK} -load kex_$k -batch -i ${OBJ}/putty.rsa2 true
188 + if [ $? -ne 0 ]; then
189 + fail "KEX $k failed"
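Review bot: same `env HOME=$PWD echo "y" | ${PLINK} ...` problem as in putty-ciphers.sh: the HOME override lands on `echo`, so this pre-cache run uses the caller's HOME and the `-batch` run that follows still has no cached key. Separately, piping `y` into an interactive plink accepts whatever host key the local proxy presents, which is acceptable for a regression harness, but it also means any connection error in this step is reported as `failed to pre-cache host key`; capturing plink's stderr into the failure message would make a KEX failure here distinguishable from a host-key prompt.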
190 +--- a/regress/putty-transfer.sh
191 ++++ b/regress/putty-transfer.sh
192 +@@ -14,6 +14,13 @@ for c in 0 1 ; do
193 + cp ${OBJ}/.putty/sessions/localhost_proxy \
194 + ${OBJ}/.putty/sessions/compression_$c
195 + echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k
196 ++
197 ++ env HOME=$PWD echo "y" | ${PLINK} -load compression_$c \
198 ++ -i ${OBJ}/putty.rsa2 "exit"
199 ++ if [ $? -ne 0 ]; then
200 ++ fail "failed to pre-cache host key"
201 ++ fi
202 ++
203 + env HOME=$PWD ${PLINK} -load compression_$c -batch \
204 + -i ${OBJ}/putty.rsa2 cat ${DATA} > ${COPY}
205 + if [ $? -ne 0 ]; then
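Review bot: the context line `echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k` appends the compression setting to a `kex_$k` file (`$k` is not set in this loop) instead of to `compression_$c`, so the session that both the new pre-cache step and the `-batch` run load never receives `Compression=$c` and both iterations test the default. Since this patch already edits the loop body, fix the target to `${OBJ}/.putty/sessions/compression_$c` in the same hunk. The `env HOME=$PWD echo "y" | ...` ordering issue noted for the other two scripts applies here as well.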
206
207 diff --git a/net-misc/openssh/openssh-8.0_p1-r4.ebuild b/net-misc/openssh/openssh-8.0_p1-r4.ebuild
208 new file mode 100644
209 index 00000000000..bb9b0b1209e
210 --- /dev/null
211 +++ b/net-misc/openssh/openssh-8.0_p1-r4.ebuild
212 @@ -0,0 +1,467 @@
213 +# Copyright 1999-2019 Gentoo Authors
214 +# Distributed under the terms of the GNU General Public License v2
215 +
216 +EAPI=6
217 +
218 +inherit user eapi7-ver flag-o-matic multilib autotools pam systemd
219 +
220 +# Make it more portable between straight releases
221 +# and _p? releases.
222 +PARCH=${P/_}
223 +#HPN_PV="${PV^^}"
224 +HPN_PV="7.8_P1"
225 +
226 +HPN_VER="14.16"
227 +HPN_PATCHES=(
228 + ${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
229 + ${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
230 +)
231 +
232 +SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
233 +X509_VER="12.1-gentoo" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
234 +
235 +PATCH_SET="openssh-7.9p1-patches-1.0"
236 +
237 +DESCRIPTION="Port of OpenBSD's free SSH release"
238 +HOMEPAGE="https://www.openssh.com/"
239 +SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
240 + ${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~whissi/dist/openssh/${SCTP_PATCH} )}
241 + ${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
242 + ${X509_PATCH:+X509? ( https://dev.gentoo.org/~whissi/dist/openssh/${X509_PATCH} )}
243 + "
244 +
245 +LICENSE="BSD GPL-2"
246 +SLOT="0"
247 +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
248 +# Probably want to drop ssl defaulting to on in a future version.
249 +IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509 xmss"
250 +RESTRICT="!test? ( test )"
251 +REQUIRED_USE="ldns? ( ssl )
252 + pie? ( !static )
253 + static? ( !kerberos !pam )
254 + X509? ( !sctp ssl )
255 + test? ( ssl )"
256 +
257 +LIB_DEPEND="
258 + audit? ( sys-process/audit[static-libs(+)] )
259 + ldns? (
260 + net-libs/ldns[static-libs(+)]
261 + !bindist? ( net-libs/ldns[ecdsa,ssl(+)] )
262 + bindist? ( net-libs/ldns[-ecdsa,ssl(+)] )
263 + )
264 + libedit? ( dev-libs/libedit:=[static-libs(+)] )
265 + sctp? ( net-misc/lksctp-tools[static-libs(+)] )
266 + selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
267 + ssl? (
268 + !libressl? (
269 + || (
270 + (
271 + >=dev-libs/openssl-1.0.1:0[bindist=]
272 + <dev-libs/openssl-1.1.0:0[bindist=]
273 + )
274 + >=dev-libs/openssl-1.1.0g:0[bindist=]
275 + )
276 + dev-libs/openssl:0=[static-libs(+)]
277 + )
278 + libressl? ( dev-libs/libressl:0=[static-libs(+)] )
279 + )
280 + >=sys-libs/zlib-1.2.3:=[static-libs(+)]"
281 +RDEPEND="
282 + !static? ( ${LIB_DEPEND//\[static-libs(+)]} )
283 + pam? ( virtual/pam )
284 + kerberos? ( virtual/krb5 )"
285 +DEPEND="${RDEPEND}
286 + static? ( ${LIB_DEPEND} )
287 + virtual/pkgconfig
288 + virtual/os-headers
289 + sys-devel/autoconf"
290 +RDEPEND="${RDEPEND}
291 + pam? ( >=sys-auth/pambase-20081028 )
292 + userland_GNU? ( virtual/shadow )
293 + X? ( x11-apps/xauth )"
294 +
295 +S="${WORKDIR}/${PARCH}"
296 +
297 +pkg_pretend() {
298 + # this sucks, but i'd rather have people unable to `emerge -u openssh`
299 + # than not be able to log in to their server any more
300 + maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
301 + local fail="
302 + $(use hpn && maybe_fail hpn HPN_VER)
303 + $(use sctp && maybe_fail sctp SCTP_PATCH)
304 + $(use X509 && maybe_fail X509 X509_PATCH)
305 + "
306 + fail=$(echo ${fail})
307 + if [[ -n ${fail} ]] ; then
308 + eerror "Sorry, but this version does not yet support features"
309 + eerror "that you requested: ${fail}"
310 + eerror "Please mask ${PF} for now and check back later:"
311 + eerror " # echo '=${CATEGORY}/${PF}' >> /etc/portage/package.mask"
312 + die "booooo"
313 + fi
314 +
315 + # Make sure people who are using tcp wrappers are notified of its removal. #531156
316 + if grep -qs '^ *sshd *:' "${EROOT%/}"/etc/hosts.{allow,deny} ; then
317 + ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like"
318 + ewarn "you're trying to use it. Update your ${EROOT}etc/hosts.{allow,deny} please."
319 + fi
320 +}
321 +
322 +src_prepare() {
323 + sed -i \
324 + -e "/_PATH_XAUTH/s:/usr/X11R6/bin/xauth:${EPREFIX%/}/usr/bin/xauth:" \
325 + pathnames.h || die
326 +
327 + # don't break .ssh/authorized_keys2 for fun
328 + sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
329 +
330 + eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
331 + eapply "${FILESDIR}"/${PN}-8.0_p1-GSSAPI-dns.patch #165444 integrated into gsskex
332 + eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
333 + eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
334 + eapply "${FILESDIR}"/${PN}-8.0_p1-fix-putty-tests.patch
335 + eapply "${FILESDIR}"/${PN}-8.0_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
336 + eapply "${FILESDIR}"/${PN}-8.0_p1-fix-integer-overflow-in-XMSS-private-key-parsing.patch
337 + eapply "${FILESDIR}"/${PN}-8.0_p1-fix-an-unreachable-integer-overflow-similar-to-the-XMSS-case.patch
338 + use X509 || eapply "${FILESDIR}"/${PN}-8.0_p1-tests.patch
339 +
340 + [[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
341 +
342 + local PATCHSET_VERSION_MACROS=()
343 +
344 + if use X509 ; then
345 + # X509 12.1-gentoo patch contains the changes from below
346 + #pushd "${WORKDIR}" &>/dev/null || die
347 + #eapply "${FILESDIR}/${P}-X509-glue-"${X509_VER}".patch"
348 + #eapply "${FILESDIR}/${P}-X509-dont-make-piddir-"${X509_VER}".patch"
349 + #popd &>/dev/null || die
350 +
351 + eapply "${WORKDIR}"/${X509_PATCH%.*}
352 + eapply "${FILESDIR}"/${P}-X509-$(ver_cut 1-2 ${X509_VER})-tests.patch
353 +
354 + # We need to patch package version or any X.509 sshd will reject our ssh client
355 + # with "userauth_pubkey: could not parse key: string is too large [preauth]"
356 + # error
357 + einfo "Patching package version for X.509 patch set ..."
358 + sed -i \
359 + -e "s/^AC_INIT(\[OpenSSH\], \[Portable\]/AC_INIT([OpenSSH], [${X509_VER}]/" \
360 + "${S}"/configure.ac || die "Failed to patch package version for X.509 patch"
361 +
362 + einfo "Patching version.h to expose X.509 patch set ..."
363 + sed -i \
364 + -e "/^#define SSH_PORTABLE.*/a #define SSH_X509 \"-PKIXSSH-${X509_VER}\"" \
365 + "${S}"/version.h || die "Failed to sed-in X.509 patch version"
366 + PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
367 + fi
368 +
369 + if use sctp ; then
370 + eapply "${WORKDIR}"/${SCTP_PATCH%.*}
371 +
372 + einfo "Patching version.h to expose SCTP patch set ..."
373 + sed -i \
374 + -e "/^#define SSH_PORTABLE/a #define SSH_SCTP \"-sctp-${SCTP_VER}\"" \
375 + "${S}"/version.h || die "Failed to sed-in SCTP patch version"
376 + PATCHSET_VERSION_MACROS+=( 'SSH_SCTP' )
377 +
378 + einfo "Disabling know failing test (cfgparse) caused by SCTP patch ..."
379 + sed -i \
380 + -e "/\t\tcfgparse \\\/d" \
381 + "${S}"/regress/Makefile || die "Failed to disable known failing test (cfgparse) caused by SCTP patch"
382 + fi
383 +
384 + if use hpn ; then
385 + local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
386 + mkdir "${hpn_patchdir}"
387 + cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}"
388 + pushd "${hpn_patchdir}" &>/dev/null || die
389 + eapply "${FILESDIR}"/${PN}-8.0_p1-hpn-glue.patch
390 + if use X509; then
391 + einfo "Will disable MT AES cipher due to incompatbility caused by X509 patch set"
392 + # X509 and AES-CTR-MT don't get along, let's just drop it
393 + rm openssh-${HPN_PV//./_}-hpn-AES-CTR-${HPN_VER}.diff || die
394 + eapply "${FILESDIR}"/${PN}-8.0_p1-hpn-X509-glue.patch
395 + fi
396 + use sctp && eapply "${FILESDIR}"/${PN}-7.9_p1-hpn-sctp-glue.patch
397 + popd &>/dev/null || die
398 +
399 + eapply "${hpn_patchdir}"
400 +
401 + if ! use X509; then
402 + eapply "${FILESDIR}/openssh-7.9_p1-hpn-openssl-1.1.patch"
403 + eapply "${FILESDIR}/openssh-8.0_p1-hpn-version.patch"
404 + fi
405 +
406 + einfo "Patching Makefile.in for HPN patch set ..."
407 + sed -i \
408 + -e "/^LIBS=/ s/\$/ -lpthread/" \
409 + "${S}"/Makefile.in || die "Failed to patch Makefile.in"
410 +
411 + einfo "Patching version.h to expose HPN patch set ..."
412 + sed -i \
413 + -e "/^#define SSH_PORTABLE/a #define SSH_HPN \"-hpn${HPN_VER//./v}\"" \
414 + "${S}"/version.h || die "Failed to sed-in HPN patch version"
415 + PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
416 +
417 + if [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
418 + einfo "Disabling known non-working MT AES cipher per default ..."
419 +
420 + cat > "${T}"/disable_mtaes.conf <<- EOF
421 +
422 + # HPN's Multi-Threaded AES CTR cipher is currently known to be broken
423 + # and therefore disabled per default.
424 + DisableMTAES yes
425 + EOF
426 + sed -i \
427 + -e "/^#HPNDisabled.*/r ${T}/disable_mtaes.conf" \
428 + "${S}"/sshd_config || die "Failed to disabled MT AES ciphers in sshd_config"
429 +
430 + sed -i \
431 + -e "/AcceptEnv.*_XXX_TEST$/a \\\tDisableMTAES\t\tyes" \
432 + "${S}"/regress/test-exec.sh || die "Failed to disable MT AES ciphers in test config"
433 + fi
434 + fi
435 +
436 + if use X509 || use sctp || use hpn ; then
437 + einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
438 + sed -i \
439 + -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
440 + "${S}"/sshconnect.c || die "Failed to patch send_client_banner() to use SSH_RELEASE (sshconnect.c)"
441 +
442 + einfo "Patching sshd.c to use SSH_RELEASE in sshd_exchange_identification() ..."
443 + sed -i \
444 + -e "s/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION/PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE/" \
445 + "${S}"/sshd.c || die "Failed to patch sshd_exchange_identification() to use SSH_RELEASE (sshd.c)"
446 +
447 + einfo "Patching version.h to add our patch sets to SSH_RELEASE ..."
448 + sed -i \
449 + -e "s/^#define SSH_RELEASE.*/#define SSH_RELEASE SSH_VERSION SSH_PORTABLE ${PATCHSET_VERSION_MACROS[*]}/" \
450 + "${S}"/version.h || die "Failed to patch SSH_RELEASE (version.h)"
451 + fi
452 +
453 + sed -i \
454 + -e "/#UseLogin no/d" \
455 + "${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
456 +
457 + eapply_user #473004
458 +
459 + tc-export PKG_CONFIG
460 + local sed_args=(
461 + -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):"
462 + # Disable PATH reset, trust what portage gives us #254615
463 + -e 's:^PATH=/:#PATH=/:'
464 + # Disable fortify flags ... our gcc does this for us
465 + -e 's:-D_FORTIFY_SOURCE=2::'
466 + )
467 +
468 + # The -ftrapv flag ICEs on hppa #505182
469 + use hppa && sed_args+=(
470 + -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
471 + -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
472 + )
473 + # _XOPEN_SOURCE causes header conflicts on Solaris
474 + [[ ${CHOST} == *-solaris* ]] && sed_args+=(
475 + -e 's/-D_XOPEN_SOURCE//'
476 + )
477 + sed -i "${sed_args[@]}" configure{.ac,} || die
478 +
479 + eautoreconf
480 +}
481 +
482 +src_configure() {
483 + addwrite /dev/ptmx
484 +
485 + use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG
486 + use static && append-ldflags -static
487 + use xmss && append-cflags -DWITH_XMSS
488 +
489 + local myconf=(
490 + --with-ldflags="${LDFLAGS}"
491 + --disable-strip
492 + --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run
493 + --sysconfdir="${EPREFIX%/}"/etc/ssh
494 + --libexecdir="${EPREFIX%/}"/usr/$(get_libdir)/misc
495 + --datadir="${EPREFIX%/}"/usr/share/openssh
496 + --with-privsep-path="${EPREFIX%/}"/var/empty
497 + --with-privsep-user=sshd
498 + $(use_with audit audit linux)
499 + $(use_with kerberos kerberos5 "${EPREFIX%/}"/usr)
500 + # We apply the sctp patch conditionally, so can't pass --without-sctp
501 + # unconditionally else we get unknown flag warnings.
502 + $(use sctp && use_with sctp)
503 + $(use_with ldns ldns "${EPREFIX%/}"/usr)
504 + $(use_with libedit)
505 + $(use_with pam)
506 + $(use_with pie)
507 + $(use_with selinux)
508 + $(use_with ssl openssl)
509 + $(use_with ssl md5-passwords)
510 + $(use_with ssl ssl-engine)
511 + $(use_with !elibc_Cygwin hardening) #659210
512 + )
513 +
514 + # stackprotect is broken on musl x86 and ppc
515 + use elibc_musl && ( use x86 || use ppc ) && myconf+=( --without-stackprotect )
516 +
517 + # The seccomp sandbox is broken on x32, so use the older method for now. #553748
518 + use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
519 +
520 + econf "${myconf[@]}"
521 +}
522 +
523 +src_test() {
524 + local t skipped=() failed=() passed=()
525 + local tests=( interop-tests compat-tests )
526 +
527 + local shell=$(egetshell "${UID}")
528 + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then
529 + elog "Running the full OpenSSH testsuite requires a usable shell for the 'portage'"
530 + elog "user, so we will run a subset only."
531 + skipped+=( tests )
532 + else
533 + tests+=( tests )
534 + fi
535 +
536 + # It will also attempt to write to the homedir .ssh.
537 + local sshhome=${T}/homedir
538 + mkdir -p "${sshhome}"/.ssh
539 + for t in "${tests[@]}" ; do
540 + # Some tests read from stdin ...
541 + HOMEDIR="${sshhome}" HOME="${sshhome}" SUDO="" \
542 + emake -k -j1 ${t} </dev/null \
543 + && passed+=( "${t}" ) \
544 + || failed+=( "${t}" )
545 + done
546 +
547 + einfo "Passed tests: ${passed[*]}"
548 + [[ ${#skipped[@]} -gt 0 ]] && ewarn "Skipped tests: ${skipped[*]}"
549 + [[ ${#failed[@]} -gt 0 ]] && die "Some tests failed: ${failed[*]}"
550 +}
551 +
552 +# Gentoo tweaks to default config files.
553 +tweak_ssh_configs() {
554 + local locale_vars=(
555 + # These are language variables that POSIX defines.
556 + # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02
557 + LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME
558 +
559 + # These are the GNU extensions.
560 + # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html
561 + LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE
562 + )
563 +
564 + # First the server config.
565 + cat <<-EOF >> "${ED%/}"/etc/ssh/sshd_config
566 +
567 + # Allow client to pass locale environment variables. #367017
568 + AcceptEnv ${locale_vars[*]}
569 +
570 + # Allow client to pass COLORTERM to match TERM. #658540
571 + AcceptEnv COLORTERM
572 + EOF
573 +
574 + # Then the client config.
575 + cat <<-EOF >> "${ED%/}"/etc/ssh/ssh_config
576 +
577 + # Send locale environment variables. #367017
578 + SendEnv ${locale_vars[*]}
579 +
580 + # Send COLORTERM to match TERM. #658540
581 + SendEnv COLORTERM
582 + EOF
583 +
584 + if use pam ; then
585 + sed -i \
586 + -e "/^#UsePAM /s:.*:UsePAM yes:" \
587 + -e "/^#PasswordAuthentication /s:.*:PasswordAuthentication no:" \
588 + -e "/^#PrintMotd /s:.*:PrintMotd no:" \
589 + -e "/^#PrintLastLog /s:.*:PrintLastLog no:" \
590 + "${ED%/}"/etc/ssh/sshd_config || die
591 + fi
592 +
593 + if use livecd ; then
594 + sed -i \
595 + -e '/^#PermitRootLogin/c# Allow root login with password on livecds.\nPermitRootLogin Yes' \
596 + "${ED%/}"/etc/ssh/sshd_config || die
597 + fi
598 +}
599 +
600 +src_install() {
601 + emake install-nokeys DESTDIR="${D}"
602 + fperms 600 /etc/ssh/sshd_config
603 + dobin contrib/ssh-copy-id
604 + newinitd "${FILESDIR}"/sshd-r1.initd sshd
605 + newconfd "${FILESDIR}"/sshd-r1.confd sshd
606 +
607 + newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
608 +
609 + tweak_ssh_configs
610 +
611 + doman contrib/ssh-copy-id.1
612 + dodoc CREDITS OVERVIEW README* TODO sshd_config
613 + use hpn && dodoc HPN-README
614 + use X509 || dodoc ChangeLog
615 +
616 + diropts -m 0700
617 + dodir /etc/skel/.ssh
618 +
619 + keepdir /var/empty
620 +
621 + systemd_dounit "${FILESDIR}"/sshd.{service,socket}
622 + systemd_newunit "${FILESDIR}"/sshd_at.service 'sshd@.service'
623 +}
624 +
625 +pkg_preinst() {
626 + enewgroup sshd 22
627 + enewuser sshd 22 -1 /var/empty sshd
628 +}
629 +
630 +pkg_postinst() {
631 + if has_version "<${CATEGORY}/${PN}-5.8_p1" ; then
632 + elog "Starting with openssh-5.8p1, the server will default to a newer key"
633 + elog "algorithm (ECDSA). You are encouraged to manually update your stored"
634 + elog "keys list as servers update theirs. See ssh-keyscan(1) for more info."
635 + fi
636 + if has_version "<${CATEGORY}/${PN}-7.0_p1" ; then
637 + elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream."
638 + elog "Make sure to update any configs that you might have. Note that xinetd might"
639 + elog "be an alternative for you as it supports USE=tcpd."
640 + fi
641 + if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388 #555518
642 + elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
643 + elog "weak sizes. If you rely on these key types, you can re-enable the key types by"
644 + elog "adding to your sshd_config or ~/.ssh/config files:"
645 + elog " PubkeyAcceptedKeyTypes=+ssh-dss"
646 + elog "You should however generate new keys using rsa or ed25519."
647 +
648 + elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'"
649 + elog "to 'prohibit-password'. That means password auth for root users no longer works"
650 + elog "out of the box. If you need this, please update your sshd_config explicitly."
651 + fi
652 + if has_version "<${CATEGORY}/${PN}-7.6_p1" ; then
653 + elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely."
654 + elog "Furthermore, rsa keys with less than 1024 bits will be refused."
655 + fi
656 + if has_version "<${CATEGORY}/${PN}-7.7_p1" ; then
657 + elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality."
658 + elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option"
659 + elog "if you need to authenticate against LDAP."
660 + elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details."
661 + fi
662 + if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]" ; then
663 + elog "Be aware that by disabling openssl support in openssh, the server and clients"
664 + elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys"
665 + elog "and update all clients/servers that utilize them."
666 + fi
667 +
668 + if use hpn && [[ -n "${HPN_DISABLE_MTAES}" ]] ; then
669 + elog ""
670 + elog "HPN's multi-threaded AES CTR cipher is currently known to be broken"
671 + elog "and therefore disabled at runtime per default."
672 + elog "Make sure your sshd_config is up to date and contains"
673 + elog ""
674 + elog " DisableMTAES yes"
675 + elog ""
676 + elog "Otherwise you maybe unable to connect to this sshd using any AES CTR cipher."
677 + elog ""
678 + fi
679 +}
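Review bot: src_prepare applies the two sshkey.c/sshkey-xmss.c fixes unconditionally before `eapply "${WORKDIR}"/${X509_PATCH%.*}` for USE=X509, and the X509 diff rewrites large parts of sshkey.c; a hunk that the X509 diff replaces wholesale would silently drop the new `k->type != type` checks while the patch still applies, so please confirm the `-gentoo` respin was regenerated on top of these fixes and that a USE=X509 build was part of the review. Two smaller points: `HPN_DISABLE_MTAES` is never assigned anywhere in this ebuild, so the `DisableMTAES yes` injection into sshd_config and the matching pkg_postinst message are dead unless the variable arrives from the environment (either set it next to `HPN_VER` or drop both blocks); and because `-DWITH_XMSS` is only added for USE=xmss, the XMSS parsing fix named in the commit message reaches only those builds.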