author | Patrick McLean <patrick.mclean@sony.com> | 2019-04-18 20:55:01 -0700 |
committer | Patrick McLean <chutzpah@gentoo.org> | 2019-04-18 20:55:55 -0700 |
commit | 4c0b9982d08f85a5701b2d0552fe0e38d2a90094 (patch) | |
tree | 8802bcc4371848363cfc27d3db9e01b6e090f483 /net-misc/openssh/files | |
parent | app-editors/wily: amd64 stable wrt bug #679242 (diff) | |
net-misc/openssh: Version bump to 8.0_p1
- Bump the X509 patchset as well to 12.0
- No longer apply the AES-CTR-MT with USE=X509 since it hasn't worked
in quite some time
- Forward port the HPN patchset
- Set the maximum number of threads in AES-CTR-MT to 16, since it
hangs at 20 threads
Copyright: Sony Interactive Entertainment Inc.
Package-Manager: Portage-2.3.63, Repoman-2.3.12
Signed-off-by: Patrick McLean <chutzpah@gentoo.org>
Diffstat (limited to 'net-misc/openssh/files')
8 files changed, 770 insertions, 0 deletions
diff --git a/net-misc/openssh/files/openssh-8.0_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-8.0_p1-GSSAPI-dns.patch
new file mode 100644
index 000000000000..a3bd128aa46f
--- /dev/null
+++ b/net-misc/openssh/files/openssh-8.0_p1-GSSAPI-dns.patch
@@ -0,0 +1,359 @@ +diff --git a/auth.c b/auth.c +index 8696f258..f4cd70a3 100644 +--- a/auth.c ++++ b/auth.c +@@ -723,120 +723,6 @@ fakepw(void) + return (&fake); + } + +-/* +- * Returns the remote DNS hostname as a string. The returned string must not +- * be freed. NB. this will usually trigger a DNS query the first time it is +- * called. +- * This function does additional checks on the hostname to mitigate some +- * attacks on legacy rhosts-style authentication. +- * XXX is RhostsRSAAuthentication vulnerable to these? +- * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) +- */ +- +-static char * +-remote_hostname(struct ssh *ssh) +-{ +- struct sockaddr_storage from; +- socklen_t fromlen; +- struct addrinfo hints, *ai, *aitop; +- char name[NI_MAXHOST], ntop2[NI_MAXHOST]; +- const char *ntop = ssh_remote_ipaddr(ssh); +- +- /* Get IP address of client. */ +- fromlen = sizeof(from); +- memset(&from, 0, sizeof(from)); +- if (getpeername(ssh_packet_get_connection_in(ssh), +- (struct sockaddr *)&from, &fromlen) < 0) { +- debug("getpeername failed: %.100s", strerror(errno)); +- return strdup(ntop); +- } +- +- ipv64_normalise_mapped(&from, &fromlen); +- if (from.ss_family == AF_INET6) +- fromlen = sizeof(struct sockaddr_in6); +- +- debug3("Trying to reverse map address %.100s.", ntop); +- /* Map the IP address to a host name. */ +- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), +- NULL, 0, NI_NAMEREQD) != 0) { +- /* Host name not found. Use ip address. */ +- return strdup(ntop); +- } +- +- /* +- * if reverse lookup result looks like a numeric hostname, +- * someone is trying to trick us by PTR record like following: +- * 1.1.1.10.in-addr.arpa. 
IN PTR 2.3.4.5 +- */ +- memset(&hints, 0, sizeof(hints)); +- hints.ai_socktype = SOCK_DGRAM; /*dummy*/ +- hints.ai_flags = AI_NUMERICHOST; +- if (getaddrinfo(name, NULL, &hints, &ai) == 0) { +- logit("Nasty PTR record \"%s\" is set up for %s, ignoring", +- name, ntop); +- freeaddrinfo(ai); +- return strdup(ntop); +- } +- +- /* Names are stored in lowercase. */ +- lowercase(name); +- +- /* +- * Map it back to an IP address and check that the given +- * address actually is an address of this host. This is +- * necessary because anyone with access to a name server can +- * define arbitrary names for an IP address. Mapping from +- * name to IP address can be trusted better (but can still be +- * fooled if the intruder has access to the name server of +- * the domain). +- */ +- memset(&hints, 0, sizeof(hints)); +- hints.ai_family = from.ss_family; +- hints.ai_socktype = SOCK_STREAM; +- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { +- logit("reverse mapping checking getaddrinfo for %.700s " +- "[%s] failed.", name, ntop); +- return strdup(ntop); +- } +- /* Look for the address from the list of addresses. */ +- for (ai = aitop; ai; ai = ai->ai_next) { +- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, +- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && +- (strcmp(ntop, ntop2) == 0)) +- break; +- } +- freeaddrinfo(aitop); +- /* If we reached the end of the list, the address was not there. */ +- if (ai == NULL) { +- /* Address not found for the host name. */ +- logit("Address %.100s maps to %.600s, but this does not " +- "map back to the address.", ntop, name); +- return strdup(ntop); +- } +- return strdup(name); +-} +- +-/* +- * Return the canonical name of the host in the other side of the current +- * connection. The host name is cached, so it is efficient to call this +- * several times. 
+- */ +- +-const char * +-auth_get_canonical_hostname(struct ssh *ssh, int use_dns) +-{ +- static char *dnsname; +- +- if (!use_dns) +- return ssh_remote_ipaddr(ssh); +- else if (dnsname != NULL) +- return dnsname; +- else { +- dnsname = remote_hostname(ssh); +- return dnsname; +- } +-} +- + /* + * Runs command in a subprocess with a minimal environment. + * Returns pid on success, 0 on failure. +diff --git a/canohost.c b/canohost.c +index f71a0856..3e162d8c 100644 +--- a/canohost.c ++++ b/canohost.c +@@ -202,3 +202,117 @@ get_local_port(int sock) + { + return get_sock_port(sock, 1); + } ++ ++/* ++ * Returns the remote DNS hostname as a string. The returned string must not ++ * be freed. NB. this will usually trigger a DNS query the first time it is ++ * called. ++ * This function does additional checks on the hostname to mitigate some ++ * attacks on legacy rhosts-style authentication. ++ * XXX is RhostsRSAAuthentication vulnerable to these? ++ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?) ++ */ ++ ++static char * ++remote_hostname(struct ssh *ssh) ++{ ++ struct sockaddr_storage from; ++ socklen_t fromlen; ++ struct addrinfo hints, *ai, *aitop; ++ char name[NI_MAXHOST], ntop2[NI_MAXHOST]; ++ const char *ntop = ssh_remote_ipaddr(ssh); ++ ++ /* Get IP address of client. */ ++ fromlen = sizeof(from); ++ memset(&from, 0, sizeof(from)); ++ if (getpeername(ssh_packet_get_connection_in(ssh), ++ (struct sockaddr *)&from, &fromlen) < 0) { ++ debug("getpeername failed: %.100s", strerror(errno)); ++ return strdup(ntop); ++ } ++ ++ ipv64_normalise_mapped(&from, &fromlen); ++ if (from.ss_family == AF_INET6) ++ fromlen = sizeof(struct sockaddr_in6); ++ ++ debug3("Trying to reverse map address %.100s.", ntop); ++ /* Map the IP address to a host name. */ ++ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), ++ NULL, 0, NI_NAMEREQD) != 0) { ++ /* Host name not found. Use ip address. 
*/ ++ return strdup(ntop); ++ } ++ ++ /* ++ * if reverse lookup result looks like a numeric hostname, ++ * someone is trying to trick us by PTR record like following: ++ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 ++ */ ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_socktype = SOCK_DGRAM; /*dummy*/ ++ hints.ai_flags = AI_NUMERICHOST; ++ if (getaddrinfo(name, NULL, &hints, &ai) == 0) { ++ logit("Nasty PTR record \"%s\" is set up for %s, ignoring", ++ name, ntop); ++ freeaddrinfo(ai); ++ return strdup(ntop); ++ } ++ ++ /* Names are stored in lowercase. */ ++ lowercase(name); ++ ++ /* ++ * Map it back to an IP address and check that the given ++ * address actually is an address of this host. This is ++ * necessary because anyone with access to a name server can ++ * define arbitrary names for an IP address. Mapping from ++ * name to IP address can be trusted better (but can still be ++ * fooled if the intruder has access to the name server of ++ * the domain). ++ */ ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = from.ss_family; ++ hints.ai_socktype = SOCK_STREAM; ++ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { ++ logit("reverse mapping checking getaddrinfo for %.700s " ++ "[%s] failed.", name, ntop); ++ return strdup(ntop); ++ } ++ /* Look for the address from the list of addresses. */ ++ for (ai = aitop; ai; ai = ai->ai_next) { ++ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, ++ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && ++ (strcmp(ntop, ntop2) == 0)) ++ break; ++ } ++ freeaddrinfo(aitop); ++ /* If we reached the end of the list, the address was not there. */ ++ if (ai == NULL) { ++ /* Address not found for the host name. */ ++ logit("Address %.100s maps to %.600s, but this does not " ++ "map back to the address.", ntop, name); ++ return strdup(ntop); ++ } ++ return strdup(name); ++} ++ ++/* ++ * Return the canonical name of the host in the other side of the current ++ * connection. 
The host name is cached, so it is efficient to call this ++ * several times. ++ */ ++ ++const char * ++auth_get_canonical_hostname(struct ssh *ssh, int use_dns) ++{ ++ static char *dnsname; ++ ++ if (!use_dns) ++ return ssh_remote_ipaddr(ssh); ++ else if (dnsname != NULL) ++ return dnsname; ++ else { ++ dnsname = remote_hostname(ssh); ++ return dnsname; ++ } ++} +diff --git a/readconf.c b/readconf.c +index 71a5c795..2a8c6990 100644 +--- a/readconf.c ++++ b/readconf.c +@@ -163,6 +163,7 @@ typedef enum { + oClearAllForwardings, oNoHostAuthenticationForLocalhost, + oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, + oAddressFamily, oGssAuthentication, oGssDelegateCreds, ++ oGssTrustDns, + oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, + oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist, + oHashKnownHosts, +@@ -204,9 +205,11 @@ static struct { + #if defined(GSSAPI) + { "gssapiauthentication", oGssAuthentication }, + { "gssapidelegatecredentials", oGssDelegateCreds }, ++ { "gssapitrustdns", oGssTrustDns }, + # else + { "gssapiauthentication", oUnsupported }, + { "gssapidelegatecredentials", oUnsupported }, ++ { "gssapitrustdns", oUnsupported }, + #endif + #ifdef ENABLE_PKCS11 + { "pkcs11provider", oPKCS11Provider }, +@@ -993,6 +996,10 @@ parse_time: + intptr = &options->gss_deleg_creds; + goto parse_flag; + ++ case oGssTrustDns: ++ intptr = &options->gss_trust_dns; ++ goto parse_flag; ++ + case oBatchMode: + intptr = &options->batch_mode; + goto parse_flag; +@@ -1875,6 +1882,7 @@ initialize_options(Options * options) + options->challenge_response_authentication = -1; + options->gss_authentication = -1; + options->gss_deleg_creds = -1; ++ options->gss_trust_dns = -1; + options->password_authentication = -1; + options->kbd_interactive_authentication = -1; + options->kbd_interactive_devices = NULL; +@@ -2023,6 +2031,8 @@ fill_default_options(Options * options) + options->gss_authentication = 0; + if (options->gss_deleg_creds 
== -1) + options->gss_deleg_creds = 0; ++ if (options->gss_trust_dns == -1) ++ options->gss_trust_dns = 0; + if (options->password_authentication == -1) + options->password_authentication = 1; + if (options->kbd_interactive_authentication == -1) +diff --git a/readconf.h b/readconf.h +index 69c24700..2758b633 100644 +--- a/readconf.h ++++ b/readconf.h +@@ -45,6 +45,7 @@ typedef struct { + /* Try S/Key or TIS, authentication. */ + int gss_authentication; /* Try GSS authentication */ + int gss_deleg_creds; /* Delegate GSS credentials */ ++ int gss_trust_dns; /* Trust DNS for GSS canonicalization */ + int password_authentication; /* Try password + * authentication. */ + int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ +diff --git a/ssh_config.5 b/ssh_config.5 +index b7566782..64897e4e 100644 +--- a/ssh_config.5 ++++ b/ssh_config.5 +@@ -758,6 +758,16 @@ The default is + Forward (delegate) credentials to the server. + The default is + .Cm no . ++Note that this option applies to protocol version 2 connections using GSSAPI. ++.It Cm GSSAPITrustDns ++Set to ++.Dq yes to indicate that the DNS is trusted to securely canonicalize ++the name of the host being connected to. If ++.Dq no, the hostname entered on the ++command line will be passed untouched to the GSSAPI library. ++The default is ++.Dq no . ++This option only applies to protocol version 2 connections using GSSAPI. 
+ .It Cm HashKnownHosts + Indicates that + .Xr ssh 1 +diff --git a/sshconnect2.c b/sshconnect2.c +index dffee90b..a25a32b9 100644 +--- a/sshconnect2.c ++++ b/sshconnect2.c +@@ -698,6 +698,13 @@ userauth_gssapi(struct ssh *ssh) + OM_uint32 min; + int r, ok = 0; + gss_OID mech = NULL; ++ const char *gss_host; ++ ++ if (options.gss_trust_dns) { ++ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns); ++ gss_host = auth_get_canonical_hostname(active_state, 1); ++ } else ++ gss_host = authctxt->host; + + /* Try one GSSAPI method at a time, rather than sending them all at + * once. */ +@@ -712,7 +719,7 @@ userauth_gssapi(struct ssh *ssh) + elements[authctxt->mech_tried]; + /* My DER encoding requires length<128 */ + if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt, +- mech, authctxt->host)) { ++ mech, gss_host)) { + ok = 1; /* Mechanism works */ + } else { + authctxt->mech_tried++; diff --git a/net-misc/openssh/files/openssh-8.0_p1-X509-12.0-tests.patch b/net-misc/openssh/files/openssh-8.0_p1-X509-12.0-tests.patch new file mode 100644 index 000000000000..9766b1594ea0 --- /dev/null +++ b/net-misc/openssh/files/openssh-8.0_p1-X509-12.0-tests.patch @@ -0,0 +1,12 @@ +diff -ur openssh-7.9p1.orig/openbsd-compat/regress/Makefile.in openssh-7.9p1/openbsd-compat/regress/Makefile.in +--- openssh-7.9p1.orig/openbsd-compat/regress/Makefile.in 2018-10-16 17:01:20.000000000 -0700 ++++ openssh-7.9p1/openbsd-compat/regress/Makefile.in 2018-12-19 11:03:14.421028691 -0800 +@@ -7,7 +7,7 @@ + CC=@CC@ + LD=@LD@ + CFLAGS=@CFLAGS@ +-CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@ ++CPPFLAGS=-I. -I.. -I$(srcdir) -I../.. @CPPFLAGS@ @DEFS@ + EXEEXT=@EXEEXT@ + LIBCOMPAT=../libopenbsd-compat.a + LIBS=@LIBS@ diff --git a/net-misc/openssh/files/openssh-8.0_p1-X509-dont-make-piddir-12.0.patch b/net-misc/openssh/files/openssh-8.0_p1-X509-dont-make-piddir-12.0.patch new file mode 100644 index 000000000000..aac98fef35df --- /dev/null 
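Review bot: In the ssh_config.5 hunk, `.Dq yes to indicate that the DNS is trusted to securely canonicalize` puts everything after the macro inside the quotes, because mdoc enclosure macros take all their arguments, and `.Dq no, the hostname entered on the` has the same problem. Keep only the literal on the macro line: `.Dq yes` followed by `to indicate that the DNS is trusted to securely canonicalize`, and `.Dq no ,` followed by `the hostname entered on the`. In the sshconnect2.c hunk, `auth_get_canonical_hostname(active_state, 1)` reaches for the global although `userauth_gssapi` already receives `ssh`, and the hpn-glue patch in this same commit replaces `active_state` with `ssh` elsewhere; passing `ssh` here would be consistent, and the block-local `extern` prototype would be better placed in a header. The forward-confirmed reverse lookup in `remote_hostname` only detects a forged PTR record; whether the resolver path itself can be trusted is the operator's decision, which the default of `no` reflects. `userauth_gssapi` continues outside the inner hunk.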
+++ b/net-misc/openssh/files/openssh-8.0_p1-X509-dont-make-piddir-12.0.patch @@ -0,0 +1,16 @@ +--- a/openssh-8.0p1+x509-12.0.diff 2019-04-18 14:53:26.850768799 -0700 ++++ b/openssh-8.0p1+x509-12.0.diff 2019-04-18 14:56:48.870364519 -0700 +@@ -33578,12 +33578,11 @@ + + install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config + install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf +-@@ -334,6 +352,8 @@ ++@@ -334,6 +352,7 @@ + $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5 + $(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8 + $(MKDIR_P) $(DESTDIR)$(libexecdir) + + $(MKDIR_P) $(DESTDIR)$(sshcadir) +-+ $(MKDIR_P) $(DESTDIR)$(piddir) + $(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH) + $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT) diff --git a/net-misc/openssh/files/openssh-8.0_p1-X509-glue-12.0.patch b/net-misc/openssh/files/openssh-8.0_p1-X509-glue-12.0.patch new file mode 100644 index 000000000000..1667e13850cf --- /dev/null +++ b/net-misc/openssh/files/openssh-8.0_p1-X509-glue-12.0.patch 
@@ -0,0 +1,19 @@ +--- a/openssh-8.0p1+x509-12.0.diff 2019-04-18 14:53:02.804935946 -0700 ++++ b/openssh-8.0p1+x509-12.0.diff 2019-04-18 14:53:26.850768799 -0700 +@@ -75925,16 +75925,6 @@ + + return mbtowc(NULL, s, n); + +} + +#endif +-diff -ruN openssh-8.0p1/version.h openssh-8.0p1+x509-12.0/version.h +---- openssh-8.0p1/version.h 2019-04-18 01:52:57.000000000 +0300 +-+++ openssh-8.0p1+x509-12.0/version.h 2019-04-18 19:07:00.000000000 +0300 +-@@ -2,5 +2,4 @@ +- +- #define SSH_VERSION "OpenSSH_8.0" +- +--#define SSH_PORTABLE "p1" +--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE +-+#define SSH_RELEASE PACKAGE_STRING ", " SSH_VERSION "p1" + diff -ruN openssh-8.0p1/version.m4 openssh-8.0p1+x509-12.0/version.m4 + --- openssh-8.0p1/version.m4 1970-01-01 02:00:00.000000000 +0200 + +++ openssh-8.0p1+x509-12.0/version.m4 2019-04-18 19:07:00.000000000 +0300 diff --git a/net-misc/openssh/files/openssh-8.0_p1-hpn-X509-glue.patch b/net-misc/openssh/files/openssh-8.0_p1-hpn-X509-glue.patch new file mode 100644 index 000000000000..2a9d3bd2f331 --- /dev/null +++ b/net-misc/openssh/files/openssh-8.0_p1-hpn-X509-glue.patch @@ -0,0 +1,114 @@ +--- a/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 2019-04-18 17:07:59.413376785 -0700 ++++ b/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 2019-04-18 20:05:12.622588051 -0700 +@@ -382,7 +382,7 @@ + 
@@ -822,6 +822,10 @@ kex_choose_conf(struct ssh *ssh) + int nenc, nmac, ncomp; + u_int mode, ctos, need, dh_need, authlen; +- int r, first_kex_follows; ++ int r, first_kex_follows = 0; + + int auth_flag; + + + + auth_flag = packet_authentication_state(ssh); +@@ -441,6 +441,39 @@ + int ssh_packet_get_state(struct ssh *, struct sshbuf *); + int ssh_packet_set_state(struct ssh *, struct sshbuf *); + ++diff --git a/packet.c b/packet.c ++index dcf35e6..9433f08 100644 ++--- a/packet.c +++++ b/packet.c ++@@ -920,6 +920,14 @@ ssh_set_newkeys(struct ssh *ssh, int mode) ++ return 0; ++ } ++ +++/* this supports the forced rekeying required for the NONE cipher */ +++int rekey_requested = 0; +++void +++packet_request_rekeying(void) +++{ +++ rekey_requested = 1; +++} +++ ++ #define MAX_PACKETS (1U<<31) ++ static int ++ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) ++@@ -946,6 +954,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) ++ if (state->p_send.packets == 0 && state->p_read.packets == 0) ++ return 0; ++ +++ /* used to force rekeying when called for by the none +++ * cipher switch and aes-mt-ctr methods -cjr */ +++ if (rekey_requested == 1) { +++ rekey_requested = 0; +++ return 1; +++ } +++ ++ /* Time-based rekeying */ ++ if (state->rekey_interval != 0 && ++ (int64_t)state->rekey_time + state->rekey_interval <= monotime()) + diff --git a/readconf.c b/readconf.c + index db5f2d5..33f18c9 100644 + 
--- a/readconf.c +@@ -453,10 +486,9 @@ + + /* Format of the configuration file: + +-@@ -166,6 +167,8 @@ typedef enum { ++@@ -166,5 +167,7 @@ typedef enum { + oTunnel, oTunnelDevice, + oLocalCommand, oPermitLocalCommand, oRemoteCommand, +- oDisableMTAES, + + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize, + + oNoneEnabled, oNoneSwitch, + oVisualHostKey, +@@ -592,10 +624,9 @@ + int ip_qos_interactive; /* IP ToS/DSCP/class for interactive */ + int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */ + SyslogFacility log_facility; /* Facility for system logging. */ +-@@ -111,7 +115,10 @@ typedef struct { ++@@ -111,6 +115,9 @@ typedef struct { + int enable_ssh_keysign; + int64_t rekey_limit; +- int disable_multithreaded; /*disable multithreaded aes-ctr*/ + + int none_switch; /* Use none cipher */ + + int none_enabled; /* Allow none to be used */ + int rekey_interval; +@@ -650,10 +681,8 @@ + + /* Portable-specific options */ + if (options->use_pam == -1) +-@@ -391,6 +400,43 @@ fill_default_server_options(ServerOptions *options) ++@@ -391,4 +400,41 @@ fill_default_server_options(ServerOptions *options) + options->permit_tun = SSH_TUNMODE_NO; +- if (options->disable_multithreaded == -1) +- options->disable_multithreaded = 0; + + if (options->none_enabled == -1) + + options->none_enabled = 0; + + if (options->hpn_disabled == -1) +@@ -1095,9 +1124,9 @@ + + fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n"); + + } + + } ++ debug("Authentication succeeded (%s).", authctxt.method->name); ++ } + +- #ifdef WITH_OPENSSL +- if (options.disable_multithreaded == 0) { + diff --git a/sshd.c b/sshd.c + index a738c3a..b32dbe0 100644 + 
--- a/sshd.c +@@ -1181,14 +1210,3 @@ + # Example of overriding settings on a per-user basis + #Match User anoncvs + # X11Forwarding no +-diff --git a/version.h b/version.h +-index f1bbf00..21a70c2 100644 +---- a/version.h +-+++ b/version.h +-@@ -3,4 +3,5 @@ +- #define SSH_VERSION "OpenSSH_7.8" +- +- #define SSH_PORTABLE "p1" +--#define SSH_RELEASE SSH_VERSION SSH_PORTABLE +-+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN +-+ diff --git a/net-misc/openssh/files/openssh-8.0_p1-hpn-glue.patch b/net-misc/openssh/files/openssh-8.0_p1-hpn-glue.patch new file mode 100644 index 000000000000..adbfa87af68b --- /dev/null +++ b/net-misc/openssh/files/openssh-8.0_p1-hpn-glue.patch 
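Review bot: `int rekey_requested = 0;` added to packet.c is a non-static, file-scope flag that `ssh_packet_need_rekeying(struct ssh *ssh, ...)` consumes, so a requested rekey is process-wide rather than tied to the connection whose `state` the function otherwise reads. Keeping it in the per-connection state, `state->rekey_requested`, with `packet_request_rekeying(struct ssh *ssh)` setting it, would match how the surrounding code is written. If it must stay a global, at least `static int rekey_requested = 0;` with a comment such as `/* set by packet_request_rekeying(); consumed once by ssh_packet_need_rekeying() */` limits its linkage and documents the handshake. `ssh_packet_need_rekeying` continues outside the inner hunk.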
@@ -0,0 +1,194 @@ +diff -ur --exclude '.*.un*' a/openssh-7_8_P1-hpn-AES-CTR-14.16.diff b/openssh-7_8_P1-hpn-AES-CTR-14.16.diff +--- a/openssh-7_8_P1-hpn-AES-CTR-14.16.diff 2019-04-18 15:07:06.748067368 -0700 ++++ b/openssh-7_8_P1-hpn-AES-CTR-14.16.diff 2019-04-18 19:42:26.689298696 -0700 +@@ -998,7 +998,7 @@ + + * so we repoint the define to the multithreaded evp. To start the threads we + + * then force a rekey + + */ +-+ const void *cc = ssh_packet_get_send_context(active_state); +++ const void *cc = ssh_packet_get_send_context(ssh); + + + + /* only do this for the ctr cipher. otherwise gcm mode breaks. Don't know why though */ + + if (strstr(cipher_ctx_name(cc), "ctr")) { +@@ -1028,7 +1028,7 @@ + + * so we repoint the define to the multithreaded evp. To start the threads we + + * then force a rekey + + */ +-+ const void *cc = ssh_packet_get_send_context(active_state); +++ const void *cc = ssh_packet_get_send_context(ssh); + + + + /* only rekey if necessary. If we don't do this gcm mode cipher breaks */ + + if (strstr(cipher_ctx_name(cc), "ctr")) { +diff -ur --exclude '.*.un*' a/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff b/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff +--- a/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 2019-04-18 15:07:11.289035776 -0700 ++++ b/openssh-7_8_P1-hpn-DynWinNoneSwitch-14.16.diff 2019-04-18 17:07:59.413376785 -0700 +@@ -162,24 +162,24 @@ + } + + +static int +-+channel_tcpwinsz(void) +++channel_tcpwinsz(struct ssh *ssh) + +{ + + u_int32_t tcpwinsz = 0; + + socklen_t optsz = sizeof(tcpwinsz); + + int ret = -1; + + + + /* if we aren't on a socket return 128KB */ +-+ if (!packet_connection_is_on_socket()) +++ if (!ssh_packet_connection_is_on_socket(ssh)) + + return 128 * 1024; + + +-+ ret = getsockopt(packet_get_connection_in(), +++ ret = getsockopt(ssh_packet_get_connection_in(ssh), + + SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz); + + /* return no more than SSHBUF_SIZE_MAX (currently 256MB) */ + + if ((ret == 0) && tcpwinsz > 
SSHBUF_SIZE_MAX) + + tcpwinsz = SSHBUF_SIZE_MAX; + + + + debug2("tcpwinsz: tcp connection %d, Receive window: %d", +-+ packet_get_connection_in(), tcpwinsz); +++ ssh_packet_get_connection_in(ssh), tcpwinsz); + + return tcpwinsz; + +} + + +@@ -191,7 +191,7 @@ + c->local_window < c->local_window_max/2) && + c->local_consumed > 0) { + + u_int addition = 0; +-+ u_int32_t tcpwinsz = channel_tcpwinsz(); +++ u_int32_t tcpwinsz = channel_tcpwinsz(ssh); + + /* adjust max window size if we are in a dynamic environment */ + + if (c->dynamic_window && (tcpwinsz > c->local_window_max)) { + + /* grow the window somewhat aggressively to maintain pressure */ +@@ -409,18 +409,10 @@ + index dcf35e6..da4ced0 100644 + --- a/packet.c + +++ b/packet.c +-@@ -920,6 +920,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode) ++@@ -920,6 +920,16 @@ ssh_set_newkeys(struct ssh *ssh, int mode) + return 0; + } + +-+/* this supports the forced rekeying required for the NONE cipher */ +-+int rekey_requested = 0; +-+void +-+packet_request_rekeying(void) +-+{ +-+ rekey_requested = 1; +-+} +-+ + +/* used to determine if pre or post auth when rekeying for aes-ctr + + * and none cipher switch */ + +int +@@ -434,20 +426,6 @@ + #define MAX_PACKETS (1U<<31) + static int + ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) +-@@ -946,6 +964,13 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) +- if (state->p_send.packets == 0 && state->p_read.packets == 0) +- return 0; +- +-+ /* used to force rekeying when called for by the none +-+ * cipher switch methods -cjr */ +-+ if (rekey_requested == 1) { +-+ rekey_requested = 0; +-+ return 1; +-+ } +-+ +- /* Time-based rekeying */ +- if (state->rekey_interval != 0 && +- (int64_t)state->rekey_time + state->rekey_interval <= monotime()) + diff --git a/packet.h b/packet.h + index 170203c..f4d9df2 100644 + --- a/packet.h +@@ -476,9 +454,9 @@ + /* Format of the configuration file: + + 
@@ -166,6 +167,8 @@ typedef enum { +- oHashKnownHosts, + oTunnel, oTunnelDevice, + oLocalCommand, oPermitLocalCommand, oRemoteCommand, ++ oDisableMTAES, + + oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize, + + oNoneEnabled, oNoneSwitch, + oVisualHostKey, +@@ -615,9 +593,9 @@ + int ip_qos_bulk; /* IP ToS/DSCP/class for bulk traffic */ + SyslogFacility log_facility; /* Facility for system logging. */ + @@ -111,7 +115,10 @@ typedef struct { +- + int enable_ssh_keysign; + int64_t rekey_limit; ++ int disable_multithreaded; /*disable multithreaded aes-ctr*/ + + int none_switch; /* Use none cipher */ + + int none_enabled; /* Allow none to be used */ + int rekey_interval; +@@ -673,9 +651,9 @@ + /* Portable-specific options */ + if (options->use_pam == -1) + 
@@ -391,6 +400,43 @@ fill_default_server_options(ServerOptions *options) +- } +- if (options->permit_tun == -1) + options->permit_tun = SSH_TUNMODE_NO; ++ if (options->disable_multithreaded == -1) ++ options->disable_multithreaded = 0; + + if (options->none_enabled == -1) + + options->none_enabled = 0; + + if (options->hpn_disabled == -1) +@@ -1092,7 +1070,7 @@ + xxx_host = host; + xxx_hostaddr = hostaddr; + +-@@ -412,6 +423,28 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host, ++@@ -412,6 +423,27 @@ ssh_userauth2(const char *local_user, const char *server_user, char *host, + + if (!authctxt.success) + fatal("Authentication failed."); +@@ -1108,7 +1086,7 @@ + + memcpy(&myproposal, &myproposal_default, sizeof(myproposal)); + + myproposal[PROPOSAL_ENC_ALGS_STOC] = "none"; + + myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none"; +-+ kex_prop2buf(active_state->kex->my, myproposal); +++ kex_prop2buf(ssh->kex->my, myproposal); + + packet_request_rekeying(); + + fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n"); + + } else { +@@ -1117,23 +1095,13 @@ + + fprintf(stderr, "NONE cipher switch disabled when a TTY is allocated\n"); + + } + + } +-+ +- debug("Authentication succeeded (%s).", authctxt.method->name); +- } + ++ #ifdef WITH_OPENSSL ++ if (options.disable_multithreaded == 0) { + diff --git a/sshd.c b/sshd.c + index a738c3a..b32dbe0 100644 + --- a/sshd.c + +++ b/sshd.c +-@@ -373,7 +373,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out) +- char remote_version[256]; /* Must be at least as big as buf. */ +- +- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n", +-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, +-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, +- *options.version_addendum == '\0' ? "" : " ", +- options.version_addendum); +- + @@ -1037,6 +1037,8 @@ listen_on_addrs(struct listenaddr *la) + int ret, listen_sock; + struct addrinfo *ai; +@@ -1217,11 +1185,10 @@ + index f1bbf00..21a70c2 100644 + 
--- a/version.h + +++ b/version.h +-@@ -3,4 +3,6 @@ ++@@ -3,4 +3,5 @@ + #define SSH_VERSION "OpenSSH_7.8" + + #define SSH_PORTABLE "p1" + -#define SSH_RELEASE SSH_VERSION SSH_PORTABLE +-+#define SSH_HPN "-hpn14v16" + +#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN + + diff --git a/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch b/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch new file mode 100644 index 000000000000..37905ce6afca --- /dev/null +++ b/net-misc/openssh/files/openssh-8.0_p1-hpn-version.patch @@ -0,0 +1,13 @@ +diff --git a/kex.c b/kex.c +index 34808b5c..88d7ccac 100644 +--- a/kex.c ++++ b/kex.c +@@ -1126,7 +1126,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms, + if (version_addendum != NULL && *version_addendum == '\0') + version_addendum = NULL; + if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n", +- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, ++ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE, + version_addendum == NULL ? "" : " ", + version_addendum == NULL ? "" : version_addendum)) != 0) { + error("%s: sshbuf_putf: %s", __func__, ssh_err(r)); diff --git a/net-misc/openssh/files/openssh-8.0_p1-tests.patch b/net-misc/openssh/files/openssh-8.0_p1-tests.patch new file mode 100644 index 000000000000..6b2ae489d0e8 --- /dev/null +++ b/net-misc/openssh/files/openssh-8.0_p1-tests.patch 
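Review bot: After this hunk the DynWinNoneSwitch diff still adds `#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN` to version.h but no longer defines `SSH_HPN` (the `+#define SSH_HPN "-hpn14v16"` line is dropped), and it still calls `packet_request_rekeying()` in ssh_userauth2 while the definition in packet.c is removed. Presumably the ebuild supplies SSH_HPN and the AES-CTR diff supplies the function (the hpn-X509-glue patch in this commit re-adds it for the X509 case), but neither dependency is visible from the patch itself. A header comment in the glue patch, e.g. `# SSH_HPN is defined by the ebuild; packet_request_rekeying() comes from the AES-CTR diff, or from hpn-X509-glue when X509 is used`, would spare the next version bump a link-time surprise. In the unchanged `debug2("tcpwinsz: tcp connection %d, Receive window: %d", ...)` line, `tcpwinsz` is `u_int32_t`, so `%u` is the matching conversion. `channel_tcpwinsz` and `ssh_userauth2` extend beyond the inner hunks.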
@@ -0,0 +1,43 @@ +diff --git a/openbsd-compat/regress/utimensattest.c b/openbsd-compat/regress/utimensattest.c +index a7bc7634..46f79db2 100644 +--- a/openbsd-compat/regress/utimensattest.c ++++ b/openbsd-compat/regress/utimensattest.c +@@ -23,6 +23,7 @@ + #include <stdlib.h> + #include <string.h> + #include <unistd.h> ++#include <time.h> + + #define TMPFILE "utimensat.tmp" + #define TMPFILE2 "utimensat.tmp2" +@@ -88,8 +89,30 @@ main(void) + if (symlink(TMPFILE2, TMPFILE) == -1) + fail("symlink", 0, 0); + ++#ifdef __linux__ ++ /* ++ * The semantics of the original test are wrong on Linux ++ * From the man page for utimensat(): ++ * AT_SYMLINK_NOFOLLOW ++ * If pathname specifies a symbolic link, then update the ++ * timestamps of the link, rather than the file to which it refers. ++ * ++ * So the call will succeed, and update the times on the symlink. ++ */ ++ if (utimensat(AT_FDCWD, TMPFILE, ts, AT_SYMLINK_NOFOLLOW) != -1) { ++ if (fstatat(AT_FDCWD, TMPFILE, &sb, 0) == -1) ++ fail("could not follow and stat symlink", 0, 0); ++ ++ if (sb.st_atim.tv_sec == ts[0].tv_sec ++ && sb.st_atim.tv_nsec == ts[0].tv_nsec ++ && sb.st_mtim.tv_nsec == ts[1].tv_sec ++ && sb.st_mtim.tv_nsec == ts[1].tv_nsec) ++ fail("utimensat followed symlink", 0, 0); ++ } ++#else /* __linux__ */ + if (utimensat(AT_FDCWD, TMPFILE, ts, AT_SYMLINK_NOFOLLOW) != -1) + fail("utimensat followed symlink", 0, 0); ++#endif /* __linux__ */ + + if (!(unlink(TMPFILE) == 0 && unlink(TMPFILE2) == 0)) + fail("unlink", 0, 0); |
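Review bot: In the new Linux-only branch of utimensattest.c, the third comparison `sb.st_mtim.tv_nsec == ts[1].tv_sec` compares nanoseconds with seconds, so the "utimensat followed symlink" failure can only fire when those two unrelated fields happen to coincide; it should read `sb.st_mtim.tv_sec == ts[1].tv_sec`. With the typo the check is effectively disabled on Linux instead of verifying that the symlink target's timestamps were left alone. `main` continues outside the hunk.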