| 1 |
commit: 11d6f23704e7ab84191e28e034816bfdb151d406 |
| 2 |
Author: Patrick McLean <chutzpah <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Wed Sep 1 18:23:13 2021 +0000 |
| 4 |
Commit: Patrick McLean <chutzpah <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Wed Sep 1 18:23:13 2021 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=11d6f237 |
| 7 |
|
| 8 |
net-misc/openssh-8.7_p1-r1: Revbump, add X509 patch |
| 9 |
|
| 10 |
Package-Manager: Portage-3.0.22, Repoman-3.0.3 |
| 11 |
Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org> |
| 12 |
|
| 13 |
net-misc/openssh/Manifest | 1 + |
| 14 |
.../files/openssh-8.7_p1-X509-glue-13.2.patch | 73 ++++ |
| 15 |
.../files/openssh-8.7_p1-hpn-15.2-X509-glue.patch | 447 +++++++++++++++++++++ |
| 16 |
...nssh-8.7_p1.ebuild => openssh-8.7_p1-r1.ebuild} | 4 +- |
| 17 |
4 files changed, 523 insertions(+), 2 deletions(-) |
| 18 |
|
| 19 |
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest |
| 20 |
index b6ea0efce2b..ba9efbc35e8 100644 |
| 21 |
--- a/net-misc/openssh/Manifest |
| 22 |
+++ b/net-misc/openssh/Manifest |
| 23 |
@@ -4,6 +4,7 @@ DIST openssh-8.5p1.tar.gz 1779733 BLAKE2B f4e4bd39e2dd275d4811e06ca994f2239ad27c |
| 24 |
DIST openssh-8.6p1+x509-13.1.diff.gz 1011666 BLAKE2B 0ac0cf2ff962b8ef677c49de0bb586f375f14d8964e077c10f6a88ec15734807940ab6c0277e44ebdfde0e50c2c80103cff614a6cde4d66e9986152032eeaa90 SHA512 ae4986dd079678c7b0cfd805136ff7ac940d1049fdddeb5a7c4ea2141bfcca70463b951485fb2b113bc930f519b1b41562900ced0269f5673dbdad867f464251 |
| 25 |
DIST openssh-8.6p1-sctp-1.2.patch.xz 7696 BLAKE2B 37f9e943a1881af05d9cf2234433711dc45ca30c60af4c0ea38a1d361df02abb491fa114f3698285f582b40b838414c1a048c4f09aa4f7ae9499adb09201d2ac SHA512 ba8c4d38a3d90854e79dc18918fffde246d7609a3f1c3a35e06c0fbe33d3688ed29b0ec33556ae37d1654e1dc2133d892613ad8d1ecbdce9aaa5b9eb10dcbb7a |
| 26 |
DIST openssh-8.6p1.tar.gz 1786328 BLAKE2B 261a0f1a6235275894d487cce37537755c86835e3a34871462fe29bfe72b49cd9a6b6a547aea4bd554f0957e110c84458cc75a5f2560717fb04804d62228562a SHA512 9854eda0b773c64c9f1f74844ce466b2b42ee8845f58ad062b73141d617af944fa4ebafdf72069f400106d2c2bd0a69c92fe805ec1fc26d4f0faadf06c3fbbe6 |
| 27 |
+DIST openssh-8.7p1+x509-13.2.diff.gz 1068695 BLAKE2B e542e5444f8360e0e28288d6a58d66995ff90e9f6bb1490b04a205162036e371a20d612655ca1bd479b8a04d5ccbfd9b7189b090d50ccbb019848e28571b036b SHA512 342e1ee050258c99f8f206664ef756e1be2c82e5faa5f966b80385aa2c6c601974681459ddba32c1ca5c33eda530af681e753471706c71902c1045a2913cd540 |
| 28 |
DIST openssh-8.7p1-sctp-1.2.patch.xz 6740 BLAKE2B 468a455018ffddf4fa64d63acb732ad3e1fb722ae8b24d06cf3a683167a4580626b477bbc286f296c83d39dd36c101ac58597a21daa63de83ad55af00aa3a6be SHA512 aa9067c9025b6e4edfad5e45ec92da43db14edb11aae02cbbc296e66b48377cbbf62cdafcdd5edfd1fd4bf69420ee017223ab52e50a42b1976002d767984777c |
| 29 |
DIST openssh-8.7p1.tar.gz 1814595 BLAKE2B 9fdb8898485053d08c9eca419c15d0d03b7a60152cf6a9d7f1beed3a21c9e6ac3bd9f854580e6e474fb0c871f3d4be9ef4b49bee8c355d9e5769a5505f4e6ea9 SHA512 08c81024d9e1248abfda6cc874886ff5ae916669b93cd6aff640e0614ee8cbcbc3fe87a9ce47136b6443ddbb1168b114367c74e117551905994e1a7e3fa2c0c2 |
| 30 |
DIST openssh-8_5_P1-hpn-AES-CTR-15.2.diff 30096 BLAKE2B f0c020dd2403806c79d4c37a019996d275655b04997301e247f5c4dd7fad35d12b3b7c25afb1b078d915ef2a4ae02f736f0aec9ba2a8c56a405d7ca303bcadf7 SHA512 4c2dbf99a9b5953fdb955f700272bbaeaa025f108a8860d2190197962b849f8385327af82c4d6a3a130a7fba35a74a8ec9437d642867601acb29817c49632a8f |
| 31 |
|
| 32 |
diff --git a/net-misc/openssh/files/openssh-8.7_p1-X509-glue-13.2.patch b/net-misc/openssh/files/openssh-8.7_p1-X509-glue-13.2.patch |
| 33 |
new file mode 100644 |
| 34 |
index 00000000000..d6f5e42027d |
| 35 |
--- /dev/null |
| 36 |
+++ b/net-misc/openssh/files/openssh-8.7_p1-X509-glue-13.2.patch |
| 37 |
@@ -0,0 +1,73 @@ |
| 38 |
+diff -ur '--exclude=.*.un~' a/openssh-8.7p1+x509-13.2.diff b/openssh-8.7p1+x509-13.2.diff |
| 39 |
+--- a/openssh-8.7p1+x509-13.2.diff 2021-08-30 17:47:40.415668320 -0700 |
| 40 |
++++ b/openssh-8.7p1+x509-13.2.diff 2021-08-30 17:49:14.916114987 -0700 |
| 41 |
+@@ -51082,12 +51082,11 @@ |
| 42 |
+ |
| 43 |
+ install-files: |
| 44 |
+ $(MKDIR_P) $(DESTDIR)$(bindir) |
| 45 |
+-@@ -391,6 +368,8 @@ |
| 46 |
++@@ -391,6 +368,7 @@ |
| 47 |
+ $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5 |
| 48 |
+ $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8 |
| 49 |
+ $(MKDIR_P) $(DESTDIR)$(libexecdir) |
| 50 |
+ + $(MKDIR_P) $(DESTDIR)$(sshcadir) |
| 51 |
+-+ $(MKDIR_P) $(DESTDIR)$(piddir) |
| 52 |
+ $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH) |
| 53 |
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT) |
| 54 |
+ $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT) |
| 55 |
+@@ -69793,7 +69792,7 @@ |
| 56 |
+ - echo "putty interop tests not enabled" |
| 57 |
+ - exit 0 |
| 58 |
+ -fi |
| 59 |
+-+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; } |
| 60 |
+++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; } |
| 61 |
+ |
| 62 |
+ for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do |
| 63 |
+ verbose "$tid: cipher $c" |
| 64 |
+@@ -69808,7 +69807,7 @@ |
| 65 |
+ - echo "putty interop tests not enabled" |
| 66 |
+ - exit 0 |
| 67 |
+ -fi |
| 68 |
+-+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; } |
| 69 |
+++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; } |
| 70 |
+ |
| 71 |
+ for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do |
| 72 |
+ verbose "$tid: kex $k" |
| 73 |
+@@ -69823,7 +69822,7 @@ |
| 74 |
+ - echo "putty interop tests not enabled" |
| 75 |
+ - exit 0 |
| 76 |
+ -fi |
| 77 |
+-+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; } |
| 78 |
+++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; } |
| 79 |
+ |
| 80 |
+ if [ "`${SSH} -Q compression`" = "none" ]; then |
| 81 |
+ comp="0" |
| 82 |
+@@ -70130,9 +70129,9 @@ |
| 83 |
+ |
| 84 |
+ +# cross-project configuration |
| 85 |
+ +if test "$sshd_type" = "pkix" ; then |
| 86 |
+-+ unset_arg='' |
| 87 |
+++ unset_arg= |
| 88 |
+ +else |
| 89 |
+-+ unset_arg=none |
| 90 |
+++ unset_arg= |
| 91 |
+ +fi |
| 92 |
+ + |
| 93 |
+ cat > $OBJ/sshd_config.i << _EOF |
| 94 |
+@@ -131673,16 +131672,6 @@ |
| 95 |
+ +int asnmprintf(char **, size_t, int *, const char *, ...) |
| 96 |
+ __attribute__((format(printf, 4, 5))); |
| 97 |
+ void msetlocale(void); |
| 98 |
+-diff -ruN openssh-8.7p1/version.h openssh-8.7p1+x509-13.2/version.h |
| 99 |
+---- openssh-8.7p1/version.h 2021-08-20 07:03:49.000000000 +0300 |
| 100 |
+-+++ openssh-8.7p1+x509-13.2/version.h 2021-08-30 20:07:00.000000000 +0300 |
| 101 |
+-@@ -2,5 +2,4 @@ |
| 102 |
+- |
| 103 |
+- #define SSH_VERSION "OpenSSH_8.7" |
| 104 |
+- |
| 105 |
+--#define SSH_PORTABLE "p1" |
| 106 |
+--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE |
| 107 |
+-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1" |
| 108 |
+ diff -ruN openssh-8.7p1/version.m4 openssh-8.7p1+x509-13.2/version.m4 |
| 109 |
+ --- openssh-8.7p1/version.m4 1970-01-01 02:00:00.000000000 +0200 |
| 110 |
+ +++ openssh-8.7p1+x509-13.2/version.m4 2021-08-30 20:07:00.000000000 +0300 |
| 111 |
|
| 112 |
diff --git a/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch b/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch |
| 113 |
new file mode 100644 |
| 114 |
index 00000000000..49c05917779 |
| 115 |
--- /dev/null |
| 116 |
+++ b/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch |
| 117 |
@@ -0,0 +1,447 @@ |
| 118 |
+diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff |
| 119 |
+--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-31 11:12:46.412119817 -0700 |
| 120 |
++++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-31 11:26:11.116026151 -0700 |
| 121 |
+@@ -3,9 +3,9 @@ |
| 122 |
+ --- a/Makefile.in |
| 123 |
+ +++ b/Makefile.in |
| 124 |
+ @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@ |
| 125 |
+- CFLAGS_NOPIE=@CFLAGS_NOPIE@ |
| 126 |
+- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ |
| 127 |
+- PICFLAG=@PICFLAG@ |
| 128 |
++ LD=@LD@ |
| 129 |
++ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA) |
| 130 |
++ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ |
| 131 |
+ -LIBS=@LIBS@ |
| 132 |
+ +LIBS=@LIBS@ -lpthread |
| 133 |
+ K5LIBS=@K5LIBS@ |
| 134 |
+@@ -803,8 +803,8 @@ |
| 135 |
+ ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out) |
| 136 |
+ { |
| 137 |
+ struct session_state *state; |
| 138 |
+-- const struct sshcipher *none = cipher_by_name("none"); |
| 139 |
+-+ struct sshcipher *none = cipher_by_name("none"); |
| 140 |
++- const struct sshcipher *none = cipher_none(); |
| 141 |
+++ struct sshcipher *none = cipher_none(); |
| 142 |
+ int r; |
| 143 |
+ |
| 144 |
+ if (none == NULL) { |
| 145 |
+@@ -894,24 +894,24 @@ |
| 146 |
+ intptr = &options->compression; |
| 147 |
+ multistate_ptr = multistate_compression; |
| 148 |
+ @@ -2272,6 +2278,7 @@ initialize_options(Options * options) |
| 149 |
+- options->revoked_host_keys = NULL; |
| 150 |
+ options->fingerprint_hash = -1; |
| 151 |
+ options->update_hostkeys = -1; |
| 152 |
++ options->known_hosts_command = NULL; |
| 153 |
+ + options->disable_multithreaded = -1; |
| 154 |
+- options->hostbased_accepted_algos = NULL; |
| 155 |
+- options->pubkey_accepted_algos = NULL; |
| 156 |
+- options->known_hosts_command = NULL; |
| 157 |
++ } |
| 158 |
++ |
| 159 |
++ /* |
| 160 |
+ @@ -2467,6 +2474,10 @@ fill_default_options(Options * options) |
| 161 |
++ options->update_hostkeys = 0; |
| 162 |
+ if (options->sk_provider == NULL) |
| 163 |
+ options->sk_provider = xstrdup("$SSH_SK_PROVIDER"); |
| 164 |
+- #endif |
| 165 |
+ + if (options->update_hostkeys == -1) |
| 166 |
+ + options->update_hostkeys = 0; |
| 167 |
+ + if (options->disable_multithreaded == -1) |
| 168 |
+ + options->disable_multithreaded = 0; |
| 169 |
+ |
| 170 |
+- /* Expand KEX name lists */ |
| 171 |
+- all_cipher = cipher_alg_list(',', 0); |
| 172 |
++ /* expand KEX and etc. name lists */ |
| 173 |
++ { char *all; |
| 174 |
+ diff --git a/readconf.h b/readconf.h |
| 175 |
+ index 2fba866e..7f8f0227 100644 |
| 176 |
+ --- a/readconf.h |
| 177 |
+@@ -950,9 +950,9 @@ |
| 178 |
+ /* Portable-specific options */ |
| 179 |
+ sUsePAM, |
| 180 |
+ + sDisableMTAES, |
| 181 |
+- /* Standard Options */ |
| 182 |
+- sPort, sHostKeyFile, sLoginGraceTime, |
| 183 |
+- sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, |
| 184 |
++ /* X.509 Standard Options */ |
| 185 |
++ sHostbasedAlgorithms, |
| 186 |
++ sPubkeyAlgorithms, |
| 187 |
+ @@ -662,6 +666,7 @@ static struct { |
| 188 |
+ { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, |
| 189 |
+ { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, |
| 190 |
+diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff |
| 191 |
+--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-31 11:12:46.412119817 -0700 |
| 192 |
++++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-31 14:17:59.366248683 -0700 |
| 193 |
+@@ -157,6 +157,36 @@ |
| 194 |
+ + Allan Jude provided the code for the NoneMac and buffer normalization. |
| 195 |
+ + This work was financed, in part, by Cisco System, Inc., the National |
| 196 |
+ + Library of Medicine, and the National Science Foundation. |
| 197 |
++diff --git a/auth2.c b/auth2.c |
| 198 |
++--- a/auth2.c 2021-03-15 19:30:45.404060786 -0700 |
| 199 |
+++++ b/auth2.c 2021-03-15 19:37:22.078476597 -0700 |
| 200 |
++@@ -229,16 +229,17 @@ |
| 201 |
++ double delay; |
| 202 |
++ |
| 203 |
++ digest_alg = ssh_digest_maxbytes(); |
| 204 |
++- len = ssh_digest_bytes(digest_alg); |
| 205 |
++- hash = xmalloc(len); |
| 206 |
+++ if (len = ssh_digest_bytes(digest_alg) > 0) { |
| 207 |
+++ hash = xmalloc(len); |
| 208 |
++ |
| 209 |
++- (void)snprintf(b, sizeof b, "%llu%s", |
| 210 |
++- (unsigned long long)options.timing_secret, user); |
| 211 |
++- if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0) |
| 212 |
++- fatal_f("ssh_digest_memory"); |
| 213 |
++- /* 0-4.2 ms of delay */ |
| 214 |
++- delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000; |
| 215 |
++- freezero(hash, len); |
| 216 |
+++ (void)snprintf(b, sizeof b, "%llu%s", |
| 217 |
+++ (unsigned long long)options.timing_secret, user); |
| 218 |
+++ if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0) |
| 219 |
+++ fatal_f("ssh_digest_memory"); |
| 220 |
+++ /* 0-4.2 ms of delay */ |
| 221 |
+++ delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000; |
| 222 |
+++ freezero(hash, len); |
| 223 |
+++ } |
| 224 |
++ debug3_f("user specific delay %0.3lfms", delay/1000); |
| 225 |
++ return MIN_FAIL_DELAY_SECONDS + delay; |
| 226 |
++ } |
| 227 |
+ diff --git a/channels.c b/channels.c |
| 228 |
+ index b60d56c4..0e363c15 100644 |
| 229 |
+ --- a/channels.c |
| 230 |
+@@ -209,14 +239,14 @@ |
| 231 |
+ static void |
| 232 |
+ channel_pre_open(struct ssh *ssh, Channel *c, |
| 233 |
+ fd_set *readset, fd_set *writeset) |
| 234 |
+-@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c) |
| 235 |
++@@ -2164,21 +2191,31 @@ channel_check_window(struct ssh *ssh, Channel *c) |
| 236 |
+ |
| 237 |
+ if (c->type == SSH_CHANNEL_OPEN && |
| 238 |
+ !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) && |
| 239 |
+ - ((c->local_window_max - c->local_window > |
| 240 |
+ - c->local_maxpacket*3) || |
| 241 |
+-+ ((ssh_packet_is_interactive(ssh) && |
| 242 |
+-+ c->local_window_max - c->local_window > c->local_maxpacket*3) || |
| 243 |
+++ ((ssh_packet_is_interactive(ssh) && |
| 244 |
+++ c->local_window_max - c->local_window > c->local_maxpacket*3) || |
| 245 |
+ c->local_window < c->local_window_max/2) && |
| 246 |
+ c->local_consumed > 0) { |
| 247 |
+ + u_int addition = 0; |
| 248 |
+@@ -235,9 +265,8 @@ |
| 249 |
+ (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || |
| 250 |
+ - (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 || |
| 251 |
+ + (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 || |
| 252 |
+- (r = sshpkt_send(ssh)) != 0) { |
| 253 |
+- fatal_fr(r, "channel %i", c->self); |
| 254 |
+- } |
| 255 |
++ (r = sshpkt_send(ssh)) != 0) |
| 256 |
++ fatal_fr(r, "channel %d", c->self); |
| 257 |
+ - debug2("channel %d: window %d sent adjust %d", c->self, |
| 258 |
+ - c->local_window, c->local_consumed); |
| 259 |
+ - c->local_window += c->local_consumed; |
| 260 |
+@@ -337,70 +366,92 @@ |
| 261 |
+ index 70f492f8..5503af1d 100644 |
| 262 |
+ --- a/clientloop.c |
| 263 |
+ +++ b/clientloop.c |
| 264 |
+-@@ -1578,9 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan) |
| 265 |
++@@ -1578,10 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan) |
| 266 |
+ sock = x11_connect_display(ssh); |
| 267 |
+ if (sock < 0) |
| 268 |
+ return NULL; |
| 269 |
+ - c = channel_new(ssh, "x11", |
| 270 |
+ - SSH_CHANNEL_X11_OPEN, sock, sock, -1, |
| 271 |
+-- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); |
| 272 |
+-+ c = channel_new(ssh, "x11", |
| 273 |
+-+ SSH_CHANNEL_X11_OPEN, sock, sock, -1, |
| 274 |
+-+ /* again is this really necessary for X11? */ |
| 275 |
+-+ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size, |
| 276 |
+-+ CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); |
| 277 |
++- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", |
| 278 |
++- CHANNEL_NONBLOCK_SET); |
| 279 |
+++ c = channel_new(ssh, "x11", |
| 280 |
+++ SSH_CHANNEL_X11_OPEN, sock, sock, -1, |
| 281 |
+++ /* again is this really necessary for X11? */ |
| 282 |
+++ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size, |
| 283 |
+++ CHAN_X11_PACKET_DEFAULT, 0, "x11", CHANNEL_NONBLOCK_SET); |
| 284 |
+ c->force_drain = 1; |
| 285 |
+ return c; |
| 286 |
+ } |
| 287 |
+-@@ -1608,9 +1610,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan) |
| 288 |
++@@ -1608,9 +1609,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan) |
| 289 |
+ return NULL; |
| 290 |
+ } |
| 291 |
+ c = channel_new(ssh, "authentication agent connection", |
| 292 |
+ - SSH_CHANNEL_OPEN, sock, sock, -1, |
| 293 |
+ - CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, |
| 294 |
+-- "authentication agent connection", 1); |
| 295 |
+-+ SSH_CHANNEL_OPEN, sock, sock, -1, |
| 296 |
+-+ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size, |
| 297 |
+-+ CHAN_TCP_PACKET_DEFAULT, 0, |
| 298 |
+-+ "authentication agent connection", 1); |
| 299 |
++- "authentication agent connection", CHANNEL_NONBLOCK_SET); |
| 300 |
+++ SSH_CHANNEL_OPEN, sock, sock, -1, |
| 301 |
+++ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size, |
| 302 |
+++ CHAN_TCP_PACKET_DEFAULT, 0, |
| 303 |
+++ "authentication agent connection", CHANNEL_NONBLOCK_SET); |
| 304 |
+ c->force_drain = 1; |
| 305 |
+ return c; |
| 306 |
+ } |
| 307 |
+-@@ -1635,10 +1638,13 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode, |
| 308 |
++@@ -1635,9 +1637,9 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode, |
| 309 |
+ } |
| 310 |
+ debug("Tunnel forwarding using interface %s", ifname); |
| 311 |
+ |
| 312 |
+ - c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1, |
| 313 |
+-- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); |
| 314 |
+-+ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1, |
| 315 |
++- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", |
| 316 |
++- CHANNEL_NONBLOCK_SET); |
| 317 |
+++ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1, |
| 318 |
+ + options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size, |
| 319 |
+-+ CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); |
| 320 |
+++ CHAN_TCP_PACKET_DEFAULT, 0, "tun", CHANNEL_NONBLOCK_SET); |
| 321 |
+ c->datagram = 1; |
| 322 |
+ |
| 323 |
+-+ |
| 324 |
+-+ |
| 325 |
+ #if defined(SSH_TUN_FILTER) |
| 326 |
+- if (options.tun_open == SSH_TUNMODE_POINTOPOINT) |
| 327 |
+- channel_register_filter(ssh, c->self, sys_tun_infilter, |
| 328 |
+ diff --git a/compat.c b/compat.c |
| 329 |
+ index 69befa96..90b5f338 100644 |
| 330 |
+ --- a/compat.c |
| 331 |
+ +++ b/compat.c |
| 332 |
+-@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version) |
| 333 |
+- debug_f("match: %s pat %s compat 0x%08x", |
| 334 |
++@@ -43,7 +43,7 @@ compat_datafellows(const char *version) |
| 335 |
++ static u_int |
| 336 |
++ compat_datafellows(const char *version) |
| 337 |
++ { |
| 338 |
++- int i; |
| 339 |
+++ int i, bugs = 0; |
| 340 |
++ static struct { |
| 341 |
++ char *pat; |
| 342 |
++ int bugs; |
| 343 |
++@@ -147,11 +147,26 @@ |
| 344 |
++ if (match_pattern_list(version, check[i].pat, 0) == 1) { |
| 345 |
++ debug("match: %s pat %s compat 0x%08x", |
| 346 |
+ version, check[i].pat, check[i].bugs); |
| 347 |
+- ssh->compat = check[i].bugs; |
| 348 |
+ + /* Check to see if the remote side is OpenSSH and not HPN */ |
| 349 |
+-+ /* TODO: need to use new method to test for this */ |
| 350 |
+ + if (strstr(version, "OpenSSH") != NULL) { |
| 351 |
+ + if (strstr(version, "hpn") == NULL) { |
| 352 |
+-+ ssh->compat |= SSH_BUG_LARGEWINDOW; |
| 353 |
+++ bugs |= SSH_BUG_LARGEWINDOW; |
| 354 |
+ + debug("Remote is NON-HPN aware"); |
| 355 |
+ + } |
| 356 |
+ + } |
| 357 |
+- return; |
| 358 |
++- return check[i].bugs; |
| 359 |
+++ bugs |= check[i].bugs; |
| 360 |
+ } |
| 361 |
+ } |
| 362 |
++- debug("no match: %s", version); |
| 363 |
++- return 0; |
| 364 |
+++ /* Check to see if the remote side is OpenSSH and not HPN */ |
| 365 |
+++ if (strstr(version, "OpenSSH") != NULL) { |
| 366 |
+++ if (strstr(version, "hpn") == NULL) { |
| 367 |
+++ bugs |= SSH_BUG_LARGEWINDOW; |
| 368 |
+++ debug("Remote is NON-HPN aware"); |
| 369 |
+++ } |
| 370 |
+++ } |
| 371 |
+++ if (bugs == 0) |
| 372 |
+++ debug("no match: %s", version); |
| 373 |
+++ return bugs; |
| 374 |
++ } |
| 375 |
++ |
| 376 |
++ char * |
| 377 |
+ diff --git a/compat.h b/compat.h |
| 378 |
+ index c197fafc..ea2e17a7 100644 |
| 379 |
+ --- a/compat.h |
| 380 |
+@@ -459,7 +510,7 @@ |
| 381 |
+ @@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh) |
| 382 |
+ int nenc, nmac, ncomp; |
| 383 |
+ u_int mode, ctos, need, dh_need, authlen; |
| 384 |
+- int r, first_kex_follows; |
| 385 |
++ int r, first_kex_follows = 0; |
| 386 |
+ + int auth_flag = 0; |
| 387 |
+ + |
| 388 |
+ + auth_flag = packet_authentication_state(ssh); |
| 389 |
+@@ -553,7 +604,7 @@ |
| 390 |
+ #define MAX_PACKETS (1U<<31) |
| 391 |
+ static int |
| 392 |
+ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) |
| 393 |
+-@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) |
| 394 |
++@@ -1317,7 +1336,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) |
| 395 |
+ struct session_state *state = ssh->state; |
| 396 |
+ int len, r, ms_remain; |
| 397 |
+ fd_set *setp; |
| 398 |
+@@ -1035,19 +1086,6 @@ |
| 399 |
+ |
| 400 |
+ /* Minimum amount of data to read at a time */ |
| 401 |
+ #define MIN_READ_SIZE 512 |
| 402 |
+-diff --git a/ssh-keygen.c b/ssh-keygen.c |
| 403 |
+-index cfb5f115..36a6e519 100644 |
| 404 |
+---- a/ssh-keygen.c |
| 405 |
+-+++ b/ssh-keygen.c |
| 406 |
+-@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device) |
| 407 |
+- freezero(pin, strlen(pin)); |
| 408 |
+- error_r(r, "Unable to load resident keys"); |
| 409 |
+- return -1; |
| 410 |
+-- } |
| 411 |
+-+ } |
| 412 |
+- if (nkeys == 0) |
| 413 |
+- logit("No keys to download"); |
| 414 |
+- if (pin != NULL) |
| 415 |
+ diff --git a/ssh.c b/ssh.c |
| 416 |
+ index 53330da5..27b9770e 100644 |
| 417 |
+ --- a/ssh.c |
| 418 |
+@@ -1093,7 +1131,7 @@ |
| 419 |
+ + else |
| 420 |
+ + options.hpn_buffer_size = 2 * 1024 * 1024; |
| 421 |
+ + |
| 422 |
+-+ if (ssh->compat & SSH_BUG_LARGEWINDOW) { |
| 423 |
+++ if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) { |
| 424 |
+ + debug("HPN to Non-HPN Connection"); |
| 425 |
+ + } else { |
| 426 |
+ + int sock, socksize; |
| 427 |
+@@ -1157,14 +1195,14 @@ |
| 428 |
+ } |
| 429 |
+ @@ -2089,6 +2167,11 @@ ssh_session2_open(struct ssh *ssh) |
| 430 |
+ window, packetmax, CHAN_EXTENDED_WRITE, |
| 431 |
+- "client-session", /*nonblock*/0); |
| 432 |
++ "client-session", CHANNEL_NONBLOCK_STDIO); |
| 433 |
+ |
| 434 |
+ + if ((options.tcp_rcv_buf_poll > 0) && !options.hpn_disabled) { |
| 435 |
+ + c->dynamic_window = 1; |
| 436 |
+ + debug("Enabled Dynamic Window Scaling"); |
| 437 |
+ + } |
| 438 |
+ + |
| 439 |
+- debug3_f("channel_new: %d", c->self); |
| 440 |
++ debug2_f("channel %d", c->self); |
| 441 |
+ |
| 442 |
+ channel_send_open(ssh, c->self); |
| 443 |
+ @@ -2105,6 +2188,13 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_info *cinfo) |
| 444 |
+@@ -1335,7 +1373,29 @@ |
| 445 |
+ /* Bind the socket to the desired port. */ |
| 446 |
+ if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) { |
| 447 |
+ error("Bind to port %s on %s failed: %.200s.", |
| 448 |
+-@@ -1727,6 +1734,19 @@ main(int ac, char **av) |
| 449 |
++@@ -1625,13 +1632,14 @@ |
| 450 |
++ if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg), |
| 451 |
++ sshbuf_len(server_cfg)) != 0) |
| 452 |
++ fatal_f("ssh_digest_update"); |
| 453 |
++- len = ssh_digest_bytes(digest_alg); |
| 454 |
++- hash = xmalloc(len); |
| 455 |
++- if (ssh_digest_final(ctx, hash, len) != 0) |
| 456 |
++- fatal_f("ssh_digest_final"); |
| 457 |
++- options.timing_secret = PEEK_U64(hash); |
| 458 |
++- freezero(hash, len); |
| 459 |
++- ssh_digest_free(ctx); |
| 460 |
+++ if ((len = ssh_digest_bytes(digest_alg)) > 0) { |
| 461 |
+++ hash = xmalloc(len); |
| 462 |
+++ if (ssh_digest_final(ctx, hash, len) != 0) |
| 463 |
+++ fatal_f("ssh_digest_final"); |
| 464 |
+++ options.timing_secret = PEEK_U64(hash); |
| 465 |
+++ freezero(hash, len); |
| 466 |
+++ ssh_digest_free(ctx); |
| 467 |
+++ } |
| 468 |
++ ctx = NULL; |
| 469 |
++ return; |
| 470 |
++ } |
| 471 |
++@@ -1727,6 +1735,19 @@ main(int ac, char **av) |
| 472 |
+ fatal("AuthorizedPrincipalsCommand set without " |
| 473 |
+ "AuthorizedPrincipalsCommandUser"); |
| 474 |
+ |
| 475 |
+@@ -1355,7 +1415,7 @@ |
| 476 |
+ /* |
| 477 |
+ * Check whether there is any path through configured auth methods. |
| 478 |
+ * Unfortunately it is not possible to verify this generally before |
| 479 |
+-@@ -2166,6 +2186,9 @@ main(int ac, char **av) |
| 480 |
++@@ -2166,6 +2187,9 @@ main(int ac, char **av) |
| 481 |
+ rdomain == NULL ? "" : "\""); |
| 482 |
+ free(laddr); |
| 483 |
+ |
| 484 |
+@@ -1365,7 +1425,7 @@ |
| 485 |
+ /* |
| 486 |
+ * We don't want to listen forever unless the other side |
| 487 |
+ * successfully authenticates itself. So we set up an alarm which is |
| 488 |
+-@@ -2343,6 +2366,12 @@ do_ssh2_kex(struct ssh *ssh) |
| 489 |
++@@ -2343,6 +2367,12 @@ do_ssh2_kex(struct ssh *ssh) |
| 490 |
+ struct kex *kex; |
| 491 |
+ int r; |
| 492 |
+ |
| 493 |
+@@ -1405,14 +1465,3 @@ |
| 494 |
+ # Example of overriding settings on a per-user basis |
| 495 |
+ #Match User anoncvs |
| 496 |
+ # X11Forwarding no |
| 497 |
+-diff --git a/version.h b/version.h |
| 498 |
+-index 6b4fa372..332fb486 100644 |
| 499 |
+---- a/version.h |
| 500 |
+-+++ b/version.h |
| 501 |
+-@@ -3,4 +3,5 @@ |
| 502 |
+- #define SSH_VERSION "OpenSSH_8.5" |
| 503 |
+- |
| 504 |
+- #define SSH_PORTABLE "p1" |
| 505 |
+--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE |
| 506 |
+-+#define SSH_HPN "-hpn15v2" |
| 507 |
+-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN |
| 508 |
+diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff |
| 509 |
+--- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-08-31 11:12:16.778011216 -0700 |
| 510 |
++++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-08-31 11:13:11.573211934 -0700 |
| 511 |
+@@ -12,9 +12,9 @@ |
| 512 |
+ static long stalled; /* how long we have been stalled */ |
| 513 |
+ static int bytes_per_second; /* current speed in bytes per second */ |
| 514 |
+ @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update) |
| 515 |
++ off_t bytes_left; |
| 516 |
+ int cur_speed; |
| 517 |
+- int hours, minutes, seconds; |
| 518 |
+- int file_len; |
| 519 |
++ int len; |
| 520 |
+ + off_t delta_pos; |
| 521 |
+ |
| 522 |
+ if ((!force_update && !alarm_fired && !win_resized) || !can_output()) |
| 523 |
+@@ -30,15 +30,17 @@ |
| 524 |
+ if (bytes_left > 0) |
| 525 |
+ elapsed = now - last_update; |
| 526 |
+ else { |
| 527 |
+-@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update) |
| 528 |
+- |
| 529 |
++@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update) |
| 530 |
++ buf[1] = '\0'; |
| 531 |
++ |
| 532 |
+ /* filename */ |
| 533 |
+- buf[0] = '\0'; |
| 534 |
+-- file_len = win_size - 36; |
| 535 |
+-+ file_len = win_size - 45; |
| 536 |
+- if (file_len > 0) { |
| 537 |
+- buf[0] = '\r'; |
| 538 |
+- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s", |
| 539 |
++- if (win_size > 36) { |
| 540 |
+++ if (win_size > 45) { |
| 541 |
++- int file_len = win_size - 36; |
| 542 |
+++ int file_len = win_size - 45; |
| 543 |
++ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ", |
| 544 |
++ file_len, file); |
| 545 |
++ } |
| 546 |
+ @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update) |
| 547 |
+ (off_t)bytes_per_second); |
| 548 |
+ strlcat(buf, "/s ", win_size); |
| 549 |
+@@ -63,15 +65,3 @@ |
| 550 |
+ } |
| 551 |
+ |
| 552 |
+ /*ARGSUSED*/ |
| 553 |
+-diff --git a/ssh-keygen.c b/ssh-keygen.c |
| 554 |
+-index cfb5f115..986ff59b 100644 |
| 555 |
+---- a/ssh-keygen.c |
| 556 |
+-+++ b/ssh-keygen.c |
| 557 |
+-@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device) |
| 558 |
+- |
| 559 |
+- if (skprovider == NULL) |
| 560 |
+- fatal("Cannot download keys without provider"); |
| 561 |
+-- |
| 562 |
+- pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN); |
| 563 |
+- if (!quiet) { |
| 564 |
+- printf("You may need to touch your authenticator " |
| 565 |
|
| 566 |
diff --git a/net-misc/openssh/openssh-8.7_p1.ebuild b/net-misc/openssh/openssh-8.7_p1-r1.ebuild |
| 567 |
similarity index 99% |
| 568 |
rename from net-misc/openssh/openssh-8.7_p1.ebuild |
| 569 |
rename to net-misc/openssh/openssh-8.7_p1-r1.ebuild |
| 570 |
index 2b26a0f2548..f5ffce0f449 100644 |
| 571 |
--- a/net-misc/openssh/openssh-8.7_p1.ebuild |
| 572 |
+++ b/net-misc/openssh/openssh-8.7_p1-r1.ebuild |
| 573 |
@@ -21,7 +21,7 @@ HPN_PATCHES=( |
| 574 |
) |
| 575 |
|
| 576 |
SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz" |
| 577 |
-#X509_VER="13.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" |
| 578 |
+X509_VER="13.2" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" |
| 579 |
|
| 580 |
DESCRIPTION="Port of OpenBSD's free SSH release" |
| 581 |
HOMEPAGE="https://www.openssh.com/" |
| 582 |
@@ -186,7 +186,7 @@ src_prepare() { |
| 583 |
cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die |
| 584 |
pushd "${hpn_patchdir}" &>/dev/null || die |
| 585 |
eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch |
| 586 |
- use X509 && eapply "${FILESDIR}"/${PN}-8.6_p1-hpn-${HPN_VER}-X509-glue.patch |
| 587 |
+ use X509 && eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-X509-glue.patch |
| 588 |
use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch |
| 589 |
popd &>/dev/null || die |
Archives