commit: 11d6f23704e7ab84191e28e034816bfdb151d406 |
Author: Patrick McLean <chutzpah <AT> gentoo <DOT> org> |
AuthorDate: Wed Sep 1 18:23:13 2021 +0000 |
Commit: Patrick McLean <chutzpah <AT> gentoo <DOT> org> |
CommitDate: Wed Sep 1 18:23:13 2021 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=11d6f237 |
|
net-misc/openssh-8.7_p1-r1: Revbump, add X509 patch |
|
Package-Manager: Portage-3.0.22, Repoman-3.0.3 |
Signed-off-by: Patrick McLean <chutzpah <AT> gentoo.org> |
|
net-misc/openssh/Manifest | 1 + |
.../files/openssh-8.7_p1-X509-glue-13.2.patch | 73 ++++ |
.../files/openssh-8.7_p1-hpn-15.2-X509-glue.patch | 447 +++++++++++++++++++++ |
...nssh-8.7_p1.ebuild => openssh-8.7_p1-r1.ebuild} | 4 +- |
4 files changed, 523 insertions(+), 2 deletions(-) |
|
19 |
diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest |
20 |
index b6ea0efce2b..ba9efbc35e8 100644 |
21 |
--- a/net-misc/openssh/Manifest |
22 |
+++ b/net-misc/openssh/Manifest |
23 |
@@ -4,6 +4,7 @@ DIST openssh-8.5p1.tar.gz 1779733 BLAKE2B f4e4bd39e2dd275d4811e06ca994f2239ad27c |
24 |
DIST openssh-8.6p1+x509-13.1.diff.gz 1011666 BLAKE2B 0ac0cf2ff962b8ef677c49de0bb586f375f14d8964e077c10f6a88ec15734807940ab6c0277e44ebdfde0e50c2c80103cff614a6cde4d66e9986152032eeaa90 SHA512 ae4986dd079678c7b0cfd805136ff7ac940d1049fdddeb5a7c4ea2141bfcca70463b951485fb2b113bc930f519b1b41562900ced0269f5673dbdad867f464251 |
25 |
DIST openssh-8.6p1-sctp-1.2.patch.xz 7696 BLAKE2B 37f9e943a1881af05d9cf2234433711dc45ca30c60af4c0ea38a1d361df02abb491fa114f3698285f582b40b838414c1a048c4f09aa4f7ae9499adb09201d2ac SHA512 ba8c4d38a3d90854e79dc18918fffde246d7609a3f1c3a35e06c0fbe33d3688ed29b0ec33556ae37d1654e1dc2133d892613ad8d1ecbdce9aaa5b9eb10dcbb7a |
26 |
DIST openssh-8.6p1.tar.gz 1786328 BLAKE2B 261a0f1a6235275894d487cce37537755c86835e3a34871462fe29bfe72b49cd9a6b6a547aea4bd554f0957e110c84458cc75a5f2560717fb04804d62228562a SHA512 9854eda0b773c64c9f1f74844ce466b2b42ee8845f58ad062b73141d617af944fa4ebafdf72069f400106d2c2bd0a69c92fe805ec1fc26d4f0faadf06c3fbbe6 |
27 |
+DIST openssh-8.7p1+x509-13.2.diff.gz 1068695 BLAKE2B e542e5444f8360e0e28288d6a58d66995ff90e9f6bb1490b04a205162036e371a20d612655ca1bd479b8a04d5ccbfd9b7189b090d50ccbb019848e28571b036b SHA512 342e1ee050258c99f8f206664ef756e1be2c82e5faa5f966b80385aa2c6c601974681459ddba32c1ca5c33eda530af681e753471706c71902c1045a2913cd540 |
28 |
DIST openssh-8.7p1-sctp-1.2.patch.xz 6740 BLAKE2B 468a455018ffddf4fa64d63acb732ad3e1fb722ae8b24d06cf3a683167a4580626b477bbc286f296c83d39dd36c101ac58597a21daa63de83ad55af00aa3a6be SHA512 aa9067c9025b6e4edfad5e45ec92da43db14edb11aae02cbbc296e66b48377cbbf62cdafcdd5edfd1fd4bf69420ee017223ab52e50a42b1976002d767984777c |
29 |
DIST openssh-8.7p1.tar.gz 1814595 BLAKE2B 9fdb8898485053d08c9eca419c15d0d03b7a60152cf6a9d7f1beed3a21c9e6ac3bd9f854580e6e474fb0c871f3d4be9ef4b49bee8c355d9e5769a5505f4e6ea9 SHA512 08c81024d9e1248abfda6cc874886ff5ae916669b93cd6aff640e0614ee8cbcbc3fe87a9ce47136b6443ddbb1168b114367c74e117551905994e1a7e3fa2c0c2 |
30 |
DIST openssh-8_5_P1-hpn-AES-CTR-15.2.diff 30096 BLAKE2B f0c020dd2403806c79d4c37a019996d275655b04997301e247f5c4dd7fad35d12b3b7c25afb1b078d915ef2a4ae02f736f0aec9ba2a8c56a405d7ca303bcadf7 SHA512 4c2dbf99a9b5953fdb955f700272bbaeaa025f108a8860d2190197962b849f8385327af82c4d6a3a130a7fba35a74a8ec9437d642867601acb29817c49632a8f |
31 |
|
32 |
diff --git a/net-misc/openssh/files/openssh-8.7_p1-X509-glue-13.2.patch b/net-misc/openssh/files/openssh-8.7_p1-X509-glue-13.2.patch |
33 |
new file mode 100644 |
34 |
index 00000000000..d6f5e42027d |
35 |
--- /dev/null |
36 |
+++ b/net-misc/openssh/files/openssh-8.7_p1-X509-glue-13.2.patch |
37 |
@@ -0,0 +1,73 @@ |
38 |
+diff -ur '--exclude=.*.un~' a/openssh-8.7p1+x509-13.2.diff b/openssh-8.7p1+x509-13.2.diff |
39 |
+--- a/openssh-8.7p1+x509-13.2.diff 2021-08-30 17:47:40.415668320 -0700 |
40 |
++++ b/openssh-8.7p1+x509-13.2.diff 2021-08-30 17:49:14.916114987 -0700 |
41 |
+@@ -51082,12 +51082,11 @@ |
42 |
+ |
43 |
+ install-files: |
44 |
+ $(MKDIR_P) $(DESTDIR)$(bindir) |
45 |
+-@@ -391,6 +368,8 @@ |
46 |
++@@ -391,6 +368,7 @@ |
47 |
+ $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5 |
48 |
+ $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8 |
49 |
+ $(MKDIR_P) $(DESTDIR)$(libexecdir) |
50 |
+ + $(MKDIR_P) $(DESTDIR)$(sshcadir) |
51 |
+-+ $(MKDIR_P) $(DESTDIR)$(piddir) |
52 |
+ $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH) |
53 |
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT) |
54 |
+ $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT) |
55 |
+@@ -69793,7 +69792,7 @@ |
56 |
+ - echo "putty interop tests not enabled" |
57 |
+ - exit 0 |
58 |
+ -fi |
59 |
+-+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; } |
60 |
+++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; } |
61 |
+ |
62 |
+ for c in aes 3des aes128-ctr aes192-ctr aes256-ctr chacha20 ; do |
63 |
+ verbose "$tid: cipher $c" |
64 |
+@@ -69808,7 +69807,7 @@ |
65 |
+ - echo "putty interop tests not enabled" |
66 |
+ - exit 0 |
67 |
+ -fi |
68 |
+-+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; } |
69 |
+++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; } |
70 |
+ |
71 |
+ for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ecdh ; do |
72 |
+ verbose "$tid: kex $k" |
73 |
+@@ -69823,7 +69822,7 @@ |
74 |
+ - echo "putty interop tests not enabled" |
75 |
+ - exit 0 |
76 |
+ -fi |
77 |
+-+$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 1; } |
78 |
+++$REGRESS_INTEROP_PUTTY || { echo "putty interop tests are not enabled" >&1; exit 0; } |
79 |
+ |
80 |
+ if [ "`${SSH} -Q compression`" = "none" ]; then |
81 |
+ comp="0" |
82 |
+@@ -70130,9 +70129,9 @@ |
83 |
+ |
84 |
+ +# cross-project configuration |
85 |
+ +if test "$sshd_type" = "pkix" ; then |
86 |
+-+ unset_arg='' |
87 |
+++ unset_arg= |
88 |
+ +else |
89 |
+-+ unset_arg=none |
90 |
+++ unset_arg= |
91 |
+ +fi |
92 |
+ + |
93 |
+ cat > $OBJ/sshd_config.i << _EOF |
94 |
+@@ -131673,16 +131672,6 @@ |
95 |
+ +int asnmprintf(char **, size_t, int *, const char *, ...) |
96 |
+ __attribute__((format(printf, 4, 5))); |
97 |
+ void msetlocale(void); |
98 |
+-diff -ruN openssh-8.7p1/version.h openssh-8.7p1+x509-13.2/version.h |
99 |
+---- openssh-8.7p1/version.h 2021-08-20 07:03:49.000000000 +0300 |
100 |
+-+++ openssh-8.7p1+x509-13.2/version.h 2021-08-30 20:07:00.000000000 +0300 |
101 |
+-@@ -2,5 +2,4 @@ |
102 |
+- |
103 |
+- #define SSH_VERSION "OpenSSH_8.7" |
104 |
+- |
105 |
+--#define SSH_PORTABLE "p1" |
106 |
+--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE |
107 |
+-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1" |
108 |
+ diff -ruN openssh-8.7p1/version.m4 openssh-8.7p1+x509-13.2/version.m4 |
109 |
+ --- openssh-8.7p1/version.m4 1970-01-01 02:00:00.000000000 +0200 |
110 |
+ +++ openssh-8.7p1+x509-13.2/version.m4 2021-08-30 20:07:00.000000000 +0300 |
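Review bot: The rewritten `unset_arg` block in the regress configuration leaves both branches of `if test "$sshd_type" = "pkix"` assigning an empty value (`unset_arg=`), so the test no longer selects anything and reads as dead code. If `none` is simply not accepted by this build, a single `unset_arg=` with a one-line comment saying so would be clearer; how `unset_arg` is consumed lies outside the hunk, so the intent here is inferred. The glue patch also carries no header comment stating why the `$(MKDIR_P) $(DESTDIR)$(piddir)` line and the whole version.h section are stripped from the upstream X.509 diff, and a short leading comment naming the reason for each dropped piece would help the next version bump.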
111 |
|
112 |
diff --git a/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch b/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch |
113 |
new file mode 100644 |
114 |
index 00000000000..49c05917779 |
115 |
--- /dev/null |
116 |
+++ b/net-misc/openssh/files/openssh-8.7_p1-hpn-15.2-X509-glue.patch |
117 |
@@ -0,0 +1,447 @@ |
118 |
+diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff |
119 |
+--- a/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-31 11:12:46.412119817 -0700 |
120 |
++++ b/openssh-8_5_P1-hpn-AES-CTR-15.2.diff 2021-08-31 11:26:11.116026151 -0700 |
121 |
+@@ -3,9 +3,9 @@ |
122 |
+ --- a/Makefile.in |
123 |
+ +++ b/Makefile.in |
124 |
+ @@ -46,7 +46,7 @@ CFLAGS=@CFLAGS@ |
125 |
+- CFLAGS_NOPIE=@CFLAGS_NOPIE@ |
126 |
+- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ |
127 |
+- PICFLAG=@PICFLAG@ |
128 |
++ LD=@LD@ |
129 |
++ CFLAGS=@CFLAGS@ $(CFLAGS_EXTRA) |
130 |
++ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@ |
131 |
+ -LIBS=@LIBS@ |
132 |
+ +LIBS=@LIBS@ -lpthread |
133 |
+ K5LIBS=@K5LIBS@ |
134 |
+@@ -803,8 +803,8 @@ |
135 |
+ ssh_packet_set_connection(struct ssh *ssh, int fd_in, int fd_out) |
136 |
+ { |
137 |
+ struct session_state *state; |
138 |
+-- const struct sshcipher *none = cipher_by_name("none"); |
139 |
+-+ struct sshcipher *none = cipher_by_name("none"); |
140 |
++- const struct sshcipher *none = cipher_none(); |
141 |
+++ struct sshcipher *none = cipher_none(); |
142 |
+ int r; |
143 |
+ |
144 |
+ if (none == NULL) { |
145 |
+@@ -894,24 +894,24 @@ |
146 |
+ intptr = &options->compression; |
147 |
+ multistate_ptr = multistate_compression; |
148 |
+ @@ -2272,6 +2278,7 @@ initialize_options(Options * options) |
149 |
+- options->revoked_host_keys = NULL; |
150 |
+ options->fingerprint_hash = -1; |
151 |
+ options->update_hostkeys = -1; |
152 |
++ options->known_hosts_command = NULL; |
153 |
+ + options->disable_multithreaded = -1; |
154 |
+- options->hostbased_accepted_algos = NULL; |
155 |
+- options->pubkey_accepted_algos = NULL; |
156 |
+- options->known_hosts_command = NULL; |
157 |
++ } |
158 |
++ |
159 |
++ /* |
160 |
+ @@ -2467,6 +2474,10 @@ fill_default_options(Options * options) |
161 |
++ options->update_hostkeys = 0; |
162 |
+ if (options->sk_provider == NULL) |
163 |
+ options->sk_provider = xstrdup("$SSH_SK_PROVIDER"); |
164 |
+- #endif |
165 |
+ + if (options->update_hostkeys == -1) |
166 |
+ + options->update_hostkeys = 0; |
167 |
+ + if (options->disable_multithreaded == -1) |
168 |
+ + options->disable_multithreaded = 0; |
169 |
+ |
170 |
+- /* Expand KEX name lists */ |
171 |
+- all_cipher = cipher_alg_list(',', 0); |
172 |
++ /* expand KEX and etc. name lists */ |
173 |
++ { char *all; |
174 |
+ diff --git a/readconf.h b/readconf.h |
175 |
+ index 2fba866e..7f8f0227 100644 |
176 |
+ --- a/readconf.h |
177 |
+@@ -950,9 +950,9 @@ |
178 |
+ /* Portable-specific options */ |
179 |
+ sUsePAM, |
180 |
+ + sDisableMTAES, |
181 |
+- /* Standard Options */ |
182 |
+- sPort, sHostKeyFile, sLoginGraceTime, |
183 |
+- sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose, |
184 |
++ /* X.509 Standard Options */ |
185 |
++ sHostbasedAlgorithms, |
186 |
++ sPubkeyAlgorithms, |
187 |
+ @@ -662,6 +666,7 @@ static struct { |
188 |
+ { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, |
189 |
+ { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, |
190 |
+diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff |
191 |
+--- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-31 11:12:46.412119817 -0700 |
192 |
++++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-08-31 14:17:59.366248683 -0700 |
193 |
+@@ -157,6 +157,36 @@ |
194 |
+ + Allan Jude provided the code for the NoneMac and buffer normalization. |
195 |
+ + This work was financed, in part, by Cisco System, Inc., the National |
196 |
+ + Library of Medicine, and the National Science Foundation. |
197 |
++diff --git a/auth2.c b/auth2.c |
198 |
++--- a/auth2.c 2021-03-15 19:30:45.404060786 -0700 |
199 |
+++++ b/auth2.c 2021-03-15 19:37:22.078476597 -0700 |
200 |
++@@ -229,16 +229,17 @@ |
201 |
++ double delay; |
202 |
++ |
203 |
++ digest_alg = ssh_digest_maxbytes(); |
204 |
++- len = ssh_digest_bytes(digest_alg); |
205 |
++- hash = xmalloc(len); |
206 |
+++ if (len = ssh_digest_bytes(digest_alg) > 0) { |
207 |
+++ hash = xmalloc(len); |
208 |
++ |
209 |
++- (void)snprintf(b, sizeof b, "%llu%s", |
210 |
++- (unsigned long long)options.timing_secret, user); |
211 |
++- if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0) |
212 |
++- fatal_f("ssh_digest_memory"); |
213 |
++- /* 0-4.2 ms of delay */ |
214 |
++- delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000; |
215 |
++- freezero(hash, len); |
216 |
+++ (void)snprintf(b, sizeof b, "%llu%s", |
217 |
+++ (unsigned long long)options.timing_secret, user); |
218 |
+++ if (ssh_digest_memory(digest_alg, b, strlen(b), hash, len) != 0) |
219 |
+++ fatal_f("ssh_digest_memory"); |
220 |
+++ /* 0-4.2 ms of delay */ |
221 |
+++ delay = (double)PEEK_U32(hash) / 1000 / 1000 / 1000 / 1000; |
222 |
+++ freezero(hash, len); |
223 |
+++ } |
224 |
++ debug3_f("user specific delay %0.3lfms", delay/1000); |
225 |
++ return MIN_FAIL_DELAY_SECONDS + delay; |
226 |
++ } |
227 |
+ diff --git a/channels.c b/channels.c |
228 |
+ index b60d56c4..0e363c15 100644 |
229 |
+ --- a/channels.c |
230 |
+@@ -209,14 +239,14 @@ |
231 |
+ static void |
232 |
+ channel_pre_open(struct ssh *ssh, Channel *c, |
233 |
+ fd_set *readset, fd_set *writeset) |
234 |
+-@@ -2120,22 +2147,32 @@ channel_check_window(struct ssh *ssh, Channel *c) |
235 |
++@@ -2164,21 +2191,31 @@ channel_check_window(struct ssh *ssh, Channel *c) |
236 |
+ |
237 |
+ if (c->type == SSH_CHANNEL_OPEN && |
238 |
+ !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) && |
239 |
+ - ((c->local_window_max - c->local_window > |
240 |
+ - c->local_maxpacket*3) || |
241 |
+-+ ((ssh_packet_is_interactive(ssh) && |
242 |
+-+ c->local_window_max - c->local_window > c->local_maxpacket*3) || |
243 |
+++ ((ssh_packet_is_interactive(ssh) && |
244 |
+++ c->local_window_max - c->local_window > c->local_maxpacket*3) || |
245 |
+ c->local_window < c->local_window_max/2) && |
246 |
+ c->local_consumed > 0) { |
247 |
+ + u_int addition = 0; |
248 |
+@@ -235,9 +265,8 @@ |
249 |
+ (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || |
250 |
+ - (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 || |
251 |
+ + (r = sshpkt_put_u32(ssh, c->local_consumed + addition)) != 0 || |
252 |
+- (r = sshpkt_send(ssh)) != 0) { |
253 |
+- fatal_fr(r, "channel %i", c->self); |
254 |
+- } |
255 |
++ (r = sshpkt_send(ssh)) != 0) |
256 |
++ fatal_fr(r, "channel %d", c->self); |
257 |
+ - debug2("channel %d: window %d sent adjust %d", c->self, |
258 |
+ - c->local_window, c->local_consumed); |
259 |
+ - c->local_window += c->local_consumed; |
260 |
+@@ -337,70 +366,92 @@ |
261 |
+ index 70f492f8..5503af1d 100644 |
262 |
+ --- a/clientloop.c |
263 |
+ +++ b/clientloop.c |
264 |
+-@@ -1578,9 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan) |
265 |
++@@ -1578,10 +1578,11 @@ client_request_x11(struct ssh *ssh, const char *request_type, int rchan) |
266 |
+ sock = x11_connect_display(ssh); |
267 |
+ if (sock < 0) |
268 |
+ return NULL; |
269 |
+ - c = channel_new(ssh, "x11", |
270 |
+ - SSH_CHANNEL_X11_OPEN, sock, sock, -1, |
271 |
+-- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); |
272 |
+-+ c = channel_new(ssh, "x11", |
273 |
+-+ SSH_CHANNEL_X11_OPEN, sock, sock, -1, |
274 |
+-+ /* again is this really necessary for X11? */ |
275 |
+-+ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size, |
276 |
+-+ CHAN_X11_PACKET_DEFAULT, 0, "x11", 1); |
277 |
++- CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", |
278 |
++- CHANNEL_NONBLOCK_SET); |
279 |
+++ c = channel_new(ssh, "x11", |
280 |
+++ SSH_CHANNEL_X11_OPEN, sock, sock, -1, |
281 |
+++ /* again is this really necessary for X11? */ |
282 |
+++ options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size, |
283 |
+++ CHAN_X11_PACKET_DEFAULT, 0, "x11", CHANNEL_NONBLOCK_SET); |
284 |
+ c->force_drain = 1; |
285 |
+ return c; |
286 |
+ } |
287 |
+-@@ -1608,9 +1610,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan) |
288 |
++@@ -1608,9 +1609,10 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan) |
289 |
+ return NULL; |
290 |
+ } |
291 |
+ c = channel_new(ssh, "authentication agent connection", |
292 |
+ - SSH_CHANNEL_OPEN, sock, sock, -1, |
293 |
+ - CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, |
294 |
+-- "authentication agent connection", 1); |
295 |
+-+ SSH_CHANNEL_OPEN, sock, sock, -1, |
296 |
+-+ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size, |
297 |
+-+ CHAN_TCP_PACKET_DEFAULT, 0, |
298 |
+-+ "authentication agent connection", 1); |
299 |
++- "authentication agent connection", CHANNEL_NONBLOCK_SET); |
300 |
+++ SSH_CHANNEL_OPEN, sock, sock, -1, |
301 |
+++ options.hpn_disabled ? CHAN_X11_WINDOW_DEFAULT : options.hpn_buffer_size, |
302 |
+++ CHAN_TCP_PACKET_DEFAULT, 0, |
303 |
+++ "authentication agent connection", CHANNEL_NONBLOCK_SET); |
304 |
+ c->force_drain = 1; |
305 |
+ return c; |
306 |
+ } |
307 |
+-@@ -1635,10 +1638,13 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode, |
308 |
++@@ -1635,9 +1637,9 @@ client_request_tun_fwd(struct ssh *ssh, int tun_mode, |
309 |
+ } |
310 |
+ debug("Tunnel forwarding using interface %s", ifname); |
311 |
+ |
312 |
+ - c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1, |
313 |
+-- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); |
314 |
+-+ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1, |
315 |
++- CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", |
316 |
++- CHANNEL_NONBLOCK_SET); |
317 |
+++ c = channel_new(ssh, "tun", SSH_CHANNEL_OPENING, fd, fd, -1, |
318 |
+ + options.hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : options.hpn_buffer_size, |
319 |
+-+ CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); |
320 |
+++ CHAN_TCP_PACKET_DEFAULT, 0, "tun", CHANNEL_NONBLOCK_SET); |
321 |
+ c->datagram = 1; |
322 |
+ |
323 |
+-+ |
324 |
+-+ |
325 |
+ #if defined(SSH_TUN_FILTER) |
326 |
+- if (options.tun_open == SSH_TUNMODE_POINTOPOINT) |
327 |
+- channel_register_filter(ssh, c->self, sys_tun_infilter, |
328 |
+ diff --git a/compat.c b/compat.c |
329 |
+ index 69befa96..90b5f338 100644 |
330 |
+ --- a/compat.c |
331 |
+ +++ b/compat.c |
332 |
+-@@ -149,6 +149,14 @@ compat_banner(struct ssh *ssh, const char *version) |
333 |
+- debug_f("match: %s pat %s compat 0x%08x", |
334 |
++@@ -43,7 +43,7 @@ compat_datafellows(const char *version) |
335 |
++ static u_int |
336 |
++ compat_datafellows(const char *version) |
337 |
++ { |
338 |
++- int i; |
339 |
+++ int i, bugs = 0; |
340 |
++ static struct { |
341 |
++ char *pat; |
342 |
++ int bugs; |
343 |
++@@ -147,11 +147,26 @@ |
344 |
++ if (match_pattern_list(version, check[i].pat, 0) == 1) { |
345 |
++ debug("match: %s pat %s compat 0x%08x", |
346 |
+ version, check[i].pat, check[i].bugs); |
347 |
+- ssh->compat = check[i].bugs; |
348 |
+ + /* Check to see if the remote side is OpenSSH and not HPN */ |
349 |
+-+ /* TODO: need to use new method to test for this */ |
350 |
+ + if (strstr(version, "OpenSSH") != NULL) { |
351 |
+ + if (strstr(version, "hpn") == NULL) { |
352 |
+-+ ssh->compat |= SSH_BUG_LARGEWINDOW; |
353 |
+++ bugs |= SSH_BUG_LARGEWINDOW; |
354 |
+ + debug("Remote is NON-HPN aware"); |
355 |
+ + } |
356 |
+ + } |
357 |
+- return; |
358 |
++- return check[i].bugs; |
359 |
+++ bugs |= check[i].bugs; |
360 |
+ } |
361 |
+ } |
362 |
++- debug("no match: %s", version); |
363 |
++- return 0; |
364 |
+++ /* Check to see if the remote side is OpenSSH and not HPN */ |
365 |
+++ if (strstr(version, "OpenSSH") != NULL) { |
366 |
+++ if (strstr(version, "hpn") == NULL) { |
367 |
+++ bugs |= SSH_BUG_LARGEWINDOW; |
368 |
+++ debug("Remote is NON-HPN aware"); |
369 |
+++ } |
370 |
+++ } |
371 |
+++ if (bugs == 0) |
372 |
+++ debug("no match: %s", version); |
373 |
+++ return bugs; |
374 |
++ } |
375 |
++ |
376 |
++ char * |
377 |
+ diff --git a/compat.h b/compat.h |
378 |
+ index c197fafc..ea2e17a7 100644 |
379 |
+ --- a/compat.h |
380 |
+@@ -459,7 +510,7 @@ |
381 |
+ @@ -890,6 +890,10 @@ kex_choose_conf(struct ssh *ssh) |
382 |
+ int nenc, nmac, ncomp; |
383 |
+ u_int mode, ctos, need, dh_need, authlen; |
384 |
+- int r, first_kex_follows; |
385 |
++ int r, first_kex_follows = 0; |
386 |
+ + int auth_flag = 0; |
387 |
+ + |
388 |
+ + auth_flag = packet_authentication_state(ssh); |
389 |
+@@ -553,7 +604,7 @@ |
390 |
+ #define MAX_PACKETS (1U<<31) |
391 |
+ static int |
392 |
+ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) |
393 |
+-@@ -1317,7 +1351,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) |
394 |
++@@ -1317,7 +1336,7 @@ ssh_packet_read_seqnr(struct ssh *ssh, u_char *typep, u_int32_t *seqnr_p) |
395 |
+ struct session_state *state = ssh->state; |
396 |
+ int len, r, ms_remain; |
397 |
+ fd_set *setp; |
398 |
+@@ -1035,19 +1086,6 @@ |
399 |
+ |
400 |
+ /* Minimum amount of data to read at a time */ |
401 |
+ #define MIN_READ_SIZE 512 |
402 |
+-diff --git a/ssh-keygen.c b/ssh-keygen.c |
403 |
+-index cfb5f115..36a6e519 100644 |
404 |
+---- a/ssh-keygen.c |
405 |
+-+++ b/ssh-keygen.c |
406 |
+-@@ -2971,7 +2971,7 @@ do_download_sk(const char *skprovider, const char *device) |
407 |
+- freezero(pin, strlen(pin)); |
408 |
+- error_r(r, "Unable to load resident keys"); |
409 |
+- return -1; |
410 |
+-- } |
411 |
+-+ } |
412 |
+- if (nkeys == 0) |
413 |
+- logit("No keys to download"); |
414 |
+- if (pin != NULL) |
415 |
+ diff --git a/ssh.c b/ssh.c |
416 |
+ index 53330da5..27b9770e 100644 |
417 |
+ --- a/ssh.c |
418 |
+@@ -1093,7 +1131,7 @@ |
419 |
+ + else |
420 |
+ + options.hpn_buffer_size = 2 * 1024 * 1024; |
421 |
+ + |
422 |
+-+ if (ssh->compat & SSH_BUG_LARGEWINDOW) { |
423 |
+++ if (ssh_compat_fellows(ssh, SSH_BUG_LARGEWINDOW)) { |
424 |
+ + debug("HPN to Non-HPN Connection"); |
425 |
+ + } else { |
426 |
+ + int sock, socksize; |
427 |
+@@ -1157,14 +1195,14 @@ |
428 |
+ } |
429 |
+ @@ -2089,6 +2167,11 @@ ssh_session2_open(struct ssh *ssh) |
430 |
+ window, packetmax, CHAN_EXTENDED_WRITE, |
431 |
+- "client-session", /*nonblock*/0); |
432 |
++ "client-session", CHANNEL_NONBLOCK_STDIO); |
433 |
+ |
434 |
+ + if ((options.tcp_rcv_buf_poll > 0) && !options.hpn_disabled) { |
435 |
+ + c->dynamic_window = 1; |
436 |
+ + debug("Enabled Dynamic Window Scaling"); |
437 |
+ + } |
438 |
+ + |
439 |
+- debug3_f("channel_new: %d", c->self); |
440 |
++ debug2_f("channel %d", c->self); |
441 |
+ |
442 |
+ channel_send_open(ssh, c->self); |
443 |
+ @@ -2105,6 +2188,13 @@ ssh_session2(struct ssh *ssh, const struct ssh_conn_info *cinfo) |
444 |
+@@ -1335,7 +1373,29 @@ |
445 |
+ /* Bind the socket to the desired port. */ |
446 |
+ if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) == -1) { |
447 |
+ error("Bind to port %s on %s failed: %.200s.", |
448 |
+-@@ -1727,6 +1734,19 @@ main(int ac, char **av) |
449 |
++@@ -1625,13 +1632,14 @@ |
450 |
++ if (ssh_digest_update(ctx, sshbuf_ptr(server_cfg), |
451 |
++ sshbuf_len(server_cfg)) != 0) |
452 |
++ fatal_f("ssh_digest_update"); |
453 |
++- len = ssh_digest_bytes(digest_alg); |
454 |
++- hash = xmalloc(len); |
455 |
++- if (ssh_digest_final(ctx, hash, len) != 0) |
456 |
++- fatal_f("ssh_digest_final"); |
457 |
++- options.timing_secret = PEEK_U64(hash); |
458 |
++- freezero(hash, len); |
459 |
++- ssh_digest_free(ctx); |
460 |
+++ if ((len = ssh_digest_bytes(digest_alg)) > 0) { |
461 |
+++ hash = xmalloc(len); |
462 |
+++ if (ssh_digest_final(ctx, hash, len) != 0) |
463 |
+++ fatal_f("ssh_digest_final"); |
464 |
+++ options.timing_secret = PEEK_U64(hash); |
465 |
+++ freezero(hash, len); |
466 |
+++ ssh_digest_free(ctx); |
467 |
+++ } |
468 |
++ ctx = NULL; |
469 |
++ return; |
470 |
++ } |
471 |
++@@ -1727,6 +1735,19 @@ main(int ac, char **av) |
472 |
+ fatal("AuthorizedPrincipalsCommand set without " |
473 |
+ "AuthorizedPrincipalsCommandUser"); |
474 |
+ |
475 |
+@@ -1355,7 +1415,7 @@ |
476 |
+ /* |
477 |
+ * Check whether there is any path through configured auth methods. |
478 |
+ * Unfortunately it is not possible to verify this generally before |
479 |
+-@@ -2166,6 +2186,9 @@ main(int ac, char **av) |
480 |
++@@ -2166,6 +2187,9 @@ main(int ac, char **av) |
481 |
+ rdomain == NULL ? "" : "\""); |
482 |
+ free(laddr); |
483 |
+ |
484 |
+@@ -1365,7 +1425,7 @@ |
485 |
+ /* |
486 |
+ * We don't want to listen forever unless the other side |
487 |
+ * successfully authenticates itself. So we set up an alarm which is |
488 |
+-@@ -2343,6 +2366,12 @@ do_ssh2_kex(struct ssh *ssh) |
489 |
++@@ -2343,6 +2367,12 @@ do_ssh2_kex(struct ssh *ssh) |
490 |
+ struct kex *kex; |
491 |
+ int r; |
492 |
+ |
493 |
+@@ -1405,14 +1465,3 @@ |
494 |
+ # Example of overriding settings on a per-user basis |
495 |
+ #Match User anoncvs |
496 |
+ # X11Forwarding no |
497 |
+-diff --git a/version.h b/version.h |
498 |
+-index 6b4fa372..332fb486 100644 |
499 |
+---- a/version.h |
500 |
+-+++ b/version.h |
501 |
+-@@ -3,4 +3,5 @@ |
502 |
+- #define SSH_VERSION "OpenSSH_8.5" |
503 |
+- |
504 |
+- #define SSH_PORTABLE "p1" |
505 |
+--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE |
506 |
+-+#define SSH_HPN "-hpn15v2" |
507 |
+-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN |
508 |
+diff -ur '--exclude=.*.un~' a/openssh-8_5_P1-hpn-PeakTput-15.2.diff b/openssh-8_5_P1-hpn-PeakTput-15.2.diff |
509 |
+--- a/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-08-31 11:12:16.778011216 -0700 |
510 |
++++ b/openssh-8_5_P1-hpn-PeakTput-15.2.diff 2021-08-31 11:13:11.573211934 -0700 |
511 |
+@@ -12,9 +12,9 @@ |
512 |
+ static long stalled; /* how long we have been stalled */ |
513 |
+ static int bytes_per_second; /* current speed in bytes per second */ |
514 |
+ @@ -127,6 +129,7 @@ refresh_progress_meter(int force_update) |
515 |
++ off_t bytes_left; |
516 |
+ int cur_speed; |
517 |
+- int hours, minutes, seconds; |
518 |
+- int file_len; |
519 |
++ int len; |
520 |
+ + off_t delta_pos; |
521 |
+ |
522 |
+ if ((!force_update && !alarm_fired && !win_resized) || !can_output()) |
523 |
+@@ -30,15 +30,17 @@ |
524 |
+ if (bytes_left > 0) |
525 |
+ elapsed = now - last_update; |
526 |
+ else { |
527 |
+-@@ -166,7 +173,7 @@ refresh_progress_meter(int force_update) |
528 |
+- |
529 |
++@@ -166,8 +173,8 @@ refresh_progress_meter(int force_update) |
530 |
++ buf[1] = '\0'; |
531 |
++ |
532 |
+ /* filename */ |
533 |
+- buf[0] = '\0'; |
534 |
+-- file_len = win_size - 36; |
535 |
+-+ file_len = win_size - 45; |
536 |
+- if (file_len > 0) { |
537 |
+- buf[0] = '\r'; |
538 |
+- snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s", |
539 |
++- if (win_size > 36) { |
540 |
+++ if (win_size > 45) { |
541 |
++- int file_len = win_size - 36; |
542 |
+++ int file_len = win_size - 45; |
543 |
++ snmprintf(buf+1, sizeof(buf)-1, &file_len, "%-*s ", |
544 |
++ file_len, file); |
545 |
++ } |
546 |
+ @@ -191,6 +198,15 @@ refresh_progress_meter(int force_update) |
547 |
+ (off_t)bytes_per_second); |
548 |
+ strlcat(buf, "/s ", win_size); |
549 |
+@@ -63,15 +65,3 @@ |
550 |
+ } |
551 |
+ |
552 |
+ /*ARGSUSED*/ |
553 |
+-diff --git a/ssh-keygen.c b/ssh-keygen.c |
554 |
+-index cfb5f115..986ff59b 100644 |
555 |
+---- a/ssh-keygen.c |
556 |
+-+++ b/ssh-keygen.c |
557 |
+-@@ -2959,7 +2959,6 @@ do_download_sk(const char *skprovider, const char *device) |
558 |
+- |
559 |
+- if (skprovider == NULL) |
560 |
+- fatal("Cannot download keys without provider"); |
561 |
+-- |
562 |
+- pin = read_passphrase("Enter PIN for authenticator: ", RP_ALLOW_STDIN); |
563 |
+- if (!quiet) { |
564 |
+- printf("You may need to touch your authenticator " |
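Review bot: In the auth2.c hunk that this glue adds to openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff, `if (len = ssh_digest_bytes(digest_alg) > 0) {` is missing the inner parentheses, so `len` receives the result of the comparison (0 or 1) instead of the digest length. `xmalloc(len)` and `ssh_digest_memory(digest_alg, b, strlen(b), hash, len)` then work with a one-byte buffer while `PEEK_U32(hash)` reads four bytes, which would presumably break the per-user failure delay this code computes; the sshd.c hunk later in the same glue file already uses the correct form. The line should read `if ((len = ssh_digest_bytes(digest_alg)) > 0) {`. Because `double delay;` is declared without a value and is still used by `debug3_f` and the `return` when the branch is skipped, it should also become `double delay = 0;`. The start of the enclosing function is outside the quoted context.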
565 |
|
566 |
diff --git a/net-misc/openssh/openssh-8.7_p1.ebuild b/net-misc/openssh/openssh-8.7_p1-r1.ebuild |
567 |
similarity index 99% |
568 |
rename from net-misc/openssh/openssh-8.7_p1.ebuild |
569 |
rename to net-misc/openssh/openssh-8.7_p1-r1.ebuild |
570 |
index 2b26a0f2548..f5ffce0f449 100644 |
571 |
--- a/net-misc/openssh/openssh-8.7_p1.ebuild |
572 |
+++ b/net-misc/openssh/openssh-8.7_p1-r1.ebuild |
573 |
@@ -21,7 +21,7 @@ HPN_PATCHES=( |
574 |
) |
575 |
|
576 |
SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz" |
577 |
-#X509_VER="13.1" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" |
578 |
+X509_VER="13.2" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz" |
579 |
|
580 |
DESCRIPTION="Port of OpenBSD's free SSH release" |
581 |
HOMEPAGE="https://www.openssh.com/" |
582 |
@@ -186,7 +186,7 @@ src_prepare() { |
583 |
cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}" || die |
584 |
pushd "${hpn_patchdir}" &>/dev/null || die |
585 |
eapply "${FILESDIR}"/${P}-hpn-${HPN_VER}-glue.patch |
586 |
- use X509 && eapply "${FILESDIR}"/${PN}-8.6_p1-hpn-${HPN_VER}-X509-glue.patch |
587 |
+ use X509 && eapply "${FILESDIR}"/${PN}-8.7_p1-hpn-${HPN_VER}-X509-glue.patch |
588 |
use sctp && eapply "${FILESDIR}"/${PN}-8.5_p1-hpn-${HPN_VER}-sctp-glue.patch |
589 |
popd &>/dev/null || die |