Diffstat (limited to 'net-misc/openssh/files')
10 files changed, 20 insertions, 718 deletions
diff --git a/net-misc/openssh/files/openssh-6.8_p1-sctp-x509-glue.patch b/net-misc/openssh/files/openssh-6.8_p1-sctp-x509-glue.patch deleted file mode 100644 index 7b12e9a6..00000000 --- a/net-misc/openssh/files/openssh-6.8_p1-sctp-x509-glue.patch +++ /dev/null @@ -1,90 +0,0 @@ ---- openssh-6.8_p1-sctp.patch.orig 2015-03-18 17:52:40.563506822 -0700 -+++ openssh-6.8_p1-sctp.patch 2015-03-18 18:14:30.919753194 -0700 -@@ -184,34 +184,6 @@ - int port; /* Port to connect. */ - int address_family; - int connection_attempts; /* Max attempts (seconds) before ----- a/scp.1 --+++ b/scp.1 --@@ -19,7 +19,7 @@ -- .Sh SYNOPSIS -- .Nm scp -- .Bk -words ---.Op Fl 12346BCpqrv --+.Op Fl 12346BCpqrvz -- .Op Fl c Ar cipher -- .Op Fl F Ar ssh_config -- .Op Fl i Ar identity_file --@@ -178,6 +178,7 @@ For full details of the options listed b -- .It ServerAliveCountMax -- .It StrictHostKeyChecking -- .It TCPKeepAlive --+.It Transport -- .It UpdateHostKeys -- .It UsePrivilegedPort -- .It User --@@ -218,6 +219,8 @@ and -- to print debugging messages about their progress. -- This is helpful in -- debugging connection, authentication, and configuration problems. --+.It Fl z --+Use the SCTP protocol for connection instead of TCP which is the default. -- .El -- .Sh EXIT STATUS -- .Ex -std scp - --- a/scp.c - +++ b/scp.c - 
@@ -395,7 +395,11 @@ main(int argc, char **argv) -@@ -471,34 +443,6 @@ - int protocol; /* Supported protocol versions. */ - struct ForwardOptions fwd_opts; /* forwarding options */ - SyslogFacility log_facility; /* Facility for system logging. */ ----- a/ssh.1 --+++ b/ssh.1 --@@ -43,7 +43,7 @@ -- .Sh SYNOPSIS -- .Nm ssh -- .Bk -words ---.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy --+.Op Fl 1246AaCfGgKkMNnqsTtVvXxYyz -- .Op Fl b Ar bind_address -- .Op Fl c Ar cipher_spec -- .Op Fl D Oo Ar bind_address : Oc Ns Ar port --@@ -473,6 +473,7 @@ For full details of the options listed b -- .It StreamLocalBindUnlink -- .It StrictHostKeyChecking -- .It TCPKeepAlive --+.It Transport -- .It Tunnel -- .It TunnelDevice -- .It UsePrivilegedPort --@@ -665,6 +666,8 @@ Trusted X11 forwardings are not subjecte -- controls. -- .It Fl y -- Send log information using the --+.It Fl z --+Use the SCTP protocol for connection instead of TCP which is the default. -- .Xr syslog 3 -- system module. -- By default this information is sent to stderr. - --- a/ssh.c - +++ b/ssh.c - @@ -194,12 +194,17 @@ extern int muxserver_sock; -@@ -520,13 +464,11 @@ - " [-D [bind_address:]port] [-E log_file] [-e escape_char]\n" - " [-F configfile] [-I pkcs11] [-i identity_file]\n" - " [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]\n" --@@ -506,7 +512,7 @@ main(int ac, char **av) -- argv0 = av[0]; -+@@ -506,4 +512,4 @@ main(int ac, char **av) - -- again: --- while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" --+ while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT -- "ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { -+- while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" -++ while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" SCTP_OPT -+ "ACD:E:F:" ENGCONFIG "I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { - switch (opt) { - case '1': - @@ -732,6 +738,11 @@ main(int ac, char **av) 
diff --git a/net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch b/net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch
deleted file mode 100644
index a355e2c9..00000000
--- a/net-misc/openssh/files/openssh-6.8_p1-ssl-engine-configure.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-https://github.com/openssh/openssh-portable/pull/29
-
-From 003ed46d1bd94bac29c53b26ae70f6321ea11c80 Mon Sep 17 00:00:00 2001
-From: Mike Frysinger <vapier@gentoo.org>
-Date: Wed, 18 Mar 2015 12:37:24 -0400
-Subject: [PATCH] do not abort when --without-ssl-engine --without-openssl is
- set
-
----
- configure.ac | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index b4d6598..7806d20 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -2276,10 +2276,10 @@ openssl_engine=no
- AC_ARG_WITH([ssl-engine],
- [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ],
- [
-- if test "x$openssl" = "xno" ; then
-- AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
-- fi
- if test "x$withval" != "xno" ; then
-+ if test "x$openssl" = "xno" ; then
-+ AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
-+ fi
- openssl_engine=yes
- fi
- ]
---
-2.3.2
-
diff --git a/net-misc/openssh/files/openssh-6.9_p1-libseccomp.patch b/net-misc/openssh/files/openssh-6.9_p1-libseccomp.patch
deleted file mode 100644
index 2993c0e3..00000000
--- a/net-misc/openssh/files/openssh-6.9_p1-libseccomp.patch
+++ /dev/null
@@ -1,244 +0,0 @@ -diff --git a/Makefile.in b/Makefile.in -index 06be3d5..b1f0931 100644 ---- a/Makefile.in -+++ b/Makefile.in -@@ -106,7 +106,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ - sftp-server.o sftp-common.o \ - roaming_common.o roaming_serv.o \ - sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ -- sandbox-seccomp-filter.o sandbox-capsicum.o -+ sandbox-seccomp-filter.o sandbox-libseccomp-filter.o sandbox-capsicum.o - - MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out - MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 -diff --git a/configure.ac b/configure.ac -index 67c4486..ddaf7c0 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -2867,11 +2867,22 @@ else - fi - AC_SUBST([SSH_PRIVSEP_USER]) - -+AC_CHECK_DECL([SCMP_ARCH_NATIVE], [have_libseccomp_filter=1], , [ -+ #include <sys/types.h> -+ #include <seccomp.h> -+]) -+if test "x$have_libseccomp_filter" = "x1" ; then -+ AC_CHECK_LIB([seccomp], [seccomp_init], -+ [LIBS="$LIBS -lseccomp"], -+ [have_libseccomp_filter=0]) -+fi -+ - if test "x$have_linux_no_new_privs" = "x1" ; then - AC_CHECK_DECL([SECCOMP_MODE_FILTER], [have_seccomp_filter=1], , [ - #include <sys/types.h> - #include <linux/seccomp.h> - ]) -+ - fi - if test "x$have_seccomp_filter" = "x1" ; then - AC_MSG_CHECKING([kernel for seccomp_filter support]) -@@ -2898,7 +2909,7 @@ fi - # Decide which sandbox style to use - sandbox_arg="" - AC_ARG_WITH([sandbox], -- [ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum)], -+ [ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, libseccomp_filter, 
capsicum)], - [ - if test "x$withval" = "xyes" ; then - sandbox_arg="" -@@ -3008,6 +3019,13 @@ elif test "x$sandbox_arg" = "xdarwin" || \ - AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function]) - SANDBOX_STYLE="darwin" - AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)]) -+elif test "x$sandbox_arg" = "xlibseccomp_filter" || \ -+ ( test -z "$sandbox_arg" && \ -+ test "x$have_libseccomp_filter" = "x1" ) ; then -+ test "x$have_libseccomp_filter" != "x1" && \ -+ AC_MSG_ERROR([libseccomp_filter sandbox not supported on $host]) -+ SANDBOX_STYLE="libseccomp_filter" -+ AC_DEFINE([SANDBOX_LIBSECCOMP_FILTER], [1], [Sandbox using libseccomp filter]) - elif test "x$sandbox_arg" = "xseccomp_filter" || \ - ( test -z "$sandbox_arg" && \ - test "x$have_seccomp_filter" = "x1" && \ -diff --git a/sandbox-libseccomp-filter.c b/sandbox-libseccomp-filter.c -new file mode 100644 -index 0000000..d03856b ---- /dev/null -+++ b/sandbox-libseccomp-filter.c -@@ -0,0 +1,175 @@ -+/* -+ * Copyright (c) 2012 Will Drewry <wad@dataspill.org> -+ * -+ * Permission to use, copy, modify, and distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
-+ */ -+ -+#include "includes.h" -+ -+#ifdef SANDBOX_LIBSECCOMP_FILTER -+ -+#include <sys/types.h> -+#include <sys/resource.h> -+#include <seccomp.h> -+ -+#include <errno.h> -+#include <signal.h> -+#include <stdarg.h> -+#include <stddef.h> /* for offsetof */ -+#include <stdio.h> -+#include <stdlib.h> -+#include <string.h> -+#include <unistd.h> -+ -+#include "log.h" -+#include "ssh-sandbox.h" -+#include "xmalloc.h" -+ -+struct ssh_sandbox { -+ pid_t child_pid; -+}; -+ -+struct ssh_sandbox * -+ssh_sandbox_init(struct monitor *monitor) -+{ -+ struct ssh_sandbox *box; -+ -+ /* -+ * Strictly, we don't need to maintain any state here but we need -+ * to return non-NULL to satisfy the API. -+ */ -+ debug3("%s: preparing libseccomp filter sandbox", __func__); -+ box = xcalloc(1, sizeof(*box)); -+ box->child_pid = 0; -+ -+ return box; -+} -+ -+static int -+seccomp_add_secondary_archs(scmp_filter_ctx *c) -+{ -+#if defined(__i386__) || defined(__x86_64__) -+ int r; -+ r = seccomp_arch_add(c, SCMP_ARCH_X86); -+ if (r < 0 && r != -EEXIST) -+ return r; -+ r = seccomp_arch_add(c, SCMP_ARCH_X86_64); -+ if (r < 0 && r != -EEXIST) -+ return r; -+ r = seccomp_arch_add(c, SCMP_ARCH_X32); -+ if (r < 0 && r != -EEXIST) -+ return r; -+#endif -+ return 0; -+} -+ -+struct scmp_action_def { -+ uint32_t action; -+ int syscall; -+}; -+ -+static const struct scmp_action_def preauth_insns[] = { -+ {SCMP_ACT_ERRNO(EACCES), SCMP_SYS(open)}, -+ {SCMP_ACT_ERRNO(EACCES), SCMP_SYS(stat)}, -+ {SCMP_ACT_ALLOW, SCMP_SYS(getpid)}, -+ {SCMP_ACT_ALLOW, SCMP_SYS(getpid)}, -+ {SCMP_ACT_ALLOW, SCMP_SYS(gettimeofday)}, -+ {SCMP_ACT_ALLOW, SCMP_SYS(clock_gettime)}, -+#ifdef __NR_time /* not defined on EABI ARM */ -+ {SCMP_ACT_ALLOW, SCMP_SYS(time)}, -+#endif -+ {SCMP_ACT_ALLOW, SCMP_SYS(read)}, -+ {SCMP_ACT_ALLOW, SCMP_SYS(write)}, -+ {SCMP_ACT_ALLOW, SCMP_SYS(close)}, -+#ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */ -+ {SCMP_ACT_ALLOW, SCMP_SYS(shutdown)}, -+#endif -+ 
{SCMP_ACT_ALLOW, SCMP_SYS(brk)}, -+ {SCMP_ACT_ALLOW, SCMP_SYS(poll)}, -+#ifdef __NR__newselect -+ {SCMP_ACT_ALLOW, SCMP_SYS(_newselect)}, -+#endif -+ {SCMP_ACT_ALLOW, SCMP_SYS(select)}, -+ {SCMP_ACT_ALLOW, SCMP_SYS(madvise)}, -+#ifdef __NR_mmap2 /* EABI ARM only has mmap2() */ -+ {SCMP_ACT_ALLOW, SCMP_SYS(mmap2)}, -+#endif -+#ifdef __NR_mmap -+ {SCMP_ACT_ALLOW, SCMP_SYS(mmap)}, -+#endif -+#ifdef __dietlibc__ -+ {SCMP_ACT_ALLOW, SCMP_SYS(mremap)}, -+ {SCMP_ACT_ALLOW, SCMP_SYS(exit)}, -+#endif -+ {SCMP_ACT_ALLOW, SCMP_SYS(munmap)}, -+ {SCMP_ACT_ALLOW, SCMP_SYS(exit_group)}, -+#ifdef __NR_rt_sigprocmask -+ {SCMP_ACT_ALLOW, SCMP_SYS(rt_sigprocmask)}, -+#else -+ {SCMP_ACT_ALLOW, SCMP_SYS(sigprocmask)}, -+#endif -+ {0, 0} -+}; -+ -+ -+void -+ssh_sandbox_child(struct ssh_sandbox *box) -+{ -+ scmp_filter_ctx *seccomp; -+ struct rlimit rl_zero; -+ const struct scmp_action_def *insn; -+ int r; -+ -+ /* Set rlimits for completeness if possible. */ -+ rl_zero.rlim_cur = rl_zero.rlim_max = 0; -+ if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1) -+ fatal("%s: setrlimit(RLIMIT_FSIZE, { 0, 0 }): %s", -+ __func__, strerror(errno)); -+ if (setrlimit(RLIMIT_NOFILE, &rl_zero) == -1) -+ fatal("%s: setrlimit(RLIMIT_NOFILE, { 0, 0 }): %s", -+ __func__, strerror(errno)); -+ if (setrlimit(RLIMIT_NPROC, &rl_zero) == -1) -+ fatal("%s: setrlimit(RLIMIT_NPROC, { 0, 0 }): %s", -+ __func__, strerror(errno)); -+ -+ seccomp = seccomp_init(SCMP_ACT_KILL); -+ if (!seccomp) -+ fatal("%s:libseccomp activation failed", __func__); -+ if (seccomp_add_secondary_archs(seccomp)) -+ fatal("%s:libseccomp secondary arch setup failed", __func__); -+ -+ for (insn = preauth_insns; insn->action; insn++) { -+ if (seccomp_rule_add(seccomp, insn->action, insn->syscall, 0) < 0) -+ fatal("%s:libseccomp rule failed", __func__); -+ } -+ -+ if ((r = seccomp_load(seccomp)) < 0) -+ fatal("%s:libseccomp unable to load filter %d", __func__, r); -+ -+ seccomp_release(seccomp); -+} -+ -+void -+ssh_sandbox_parent_finish(struct 
ssh_sandbox *box) -+{ -+ free(box); -+ debug3("%s: finished", __func__); -+} -+ -+void -+ssh_sandbox_parent_preauth(struct ssh_sandbox *box, pid_t child_pid) -+{ -+ box->child_pid = child_pid; -+} -+ -+#endif /* SANDBOX_LIBSECCOMP_FILTER */ diff --git a/net-misc/openssh/files/openssh-6.9_p1-x509-warnings.patch b/net-misc/openssh/files/openssh-6.9_p1-x509-warnings.patch deleted file mode 100644 index 9ce2967a..00000000 --- a/net-misc/openssh/files/openssh-6.9_p1-x509-warnings.patch +++ /dev/null @@ -1,24 +0,0 @@ -diff -ur openssh-6.9p1.orig/sshconnect2.c openssh-6.9p1/sshconnect2.c ---- openssh-6.9p1.orig/sshconnect2.c 2015-07-01 14:56:26.766316866 -0700 -+++ openssh-6.9p1/sshconnect2.c 2015-07-01 14:59:22.828692366 -0700 -@@ -1404,7 +1404,7 @@ - static int - get_allowed_keytype(Key *k) { - char *pattern; -- char *alg; -+ const char *alg; - - if (k->type == KEY_RSA1 || k->type == KEY_UNSPEC) - return KEY_UNSPEC; -diff -ur openssh-6.9p1.orig/x509_nm_cmp.c openssh-6.9p1/x509_nm_cmp.c ---- openssh-6.9p1.orig/x509_nm_cmp.c 2015-07-01 14:56:26.129311890 -0700 -+++ openssh-6.9p1/x509_nm_cmp.c 2015-07-01 14:59:14.086624068 -0700 -@@ -133,7 +133,7 @@ - tag = M_ASN1_STRING_type(in); - if (tag != V_ASN1_UTF8STRING) { - /*OpenSSL method surprisingly require non-const(!?) ASN1_STRING!*/ -- return(ASN1_STRING_to_UTF8(out, in)); -+ return(ASN1_STRING_to_UTF8(out, (ASN1_STRING *) in)); - } - - l = M_ASN1_STRING_length(in); diff --git a/net-misc/openssh/files/openssh-7.0_p1-sctp-x509-glue.patch b/net-misc/openssh/files/openssh-7.0_p1-sctp-x509-glue.patch deleted file mode 100644 index d793f908..00000000 --- a/net-misc/openssh/files/openssh-7.0_p1-sctp-x509-glue.patch +++ /dev/null 
@@ -1,74 +0,0 @@ ---- openssh-6.8_p1-sctp.patch.1 2015-08-12 16:01:13.854769013 -0700 -+++ openssh-6.8_p1-sctp.patch 2015-08-12 16:00:38.208488789 -0700 -@@ -195,14 +195,6 @@ - .Op Fl c Ar cipher - .Op Fl F Ar ssh_config - .Op Fl i Ar identity_file --@@ -178,6 +178,7 @@ For full details of the options listed b -- .It ServerAliveCountMax -- .It StrictHostKeyChecking -- .It TCPKeepAlive --+.It Transport -- .It UpdateHostKeys -- .It UsePrivilegedPort -- .It User - @@ -218,6 +219,8 @@ and - to print debugging messages about their progress. - This is helpful in -@@ -477,19 +469,11 @@ - .Sh SYNOPSIS - .Nm ssh - .Bk -words ---.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy --+.Op Fl 1246AaCfGgKkMNnqsTtVvXxYyz -+-.Op Fl 1246AaCdfgKkMNnqsTtVvXxYy -++.Op Fl 1246AaCdfgKkMNnqsTtVvXxYyz - .Op Fl b Ar bind_address - .Op Fl c Ar cipher_spec - .Op Fl D Oo Ar bind_address : Oc Ns Ar port --@@ -473,6 +473,7 @@ For full details of the options listed b -- .It StreamLocalBindUnlink -- .It StrictHostKeyChecking -- .It TCPKeepAlive --+.It Transport -- .It Tunnel -- .It TunnelDevice -- .It UsePrivilegedPort - @@ -665,6 +666,8 @@ Trusted X11 forwardings are not subjecte - controls. - .It Fl y -@@ -501,7 +485,7 @@ - By default this information is sent to stderr. - --- a/ssh.c - 
+++ b/ssh.c --@@ -194,12 +194,17 @@ extern int muxserver_sock; -+@@ -194,11 +194,16 @@ extern int muxserver_sock; - extern u_int muxclient_command; - - /* Prints a help message to the user. This function never returns. */ -@@ -515,18 +499,17 @@ - usage(void) - { - fprintf(stderr, ---"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n" --+"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n" -+-"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n" -++"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n" - " [-D [bind_address:]port] [-E log_file] [-e escape_char]\n" - " [-F configfile] [-I pkcs11] [-i identity_file]\n" -- " [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]\n" - @@ -506,7 +512,7 @@ main(int ac, char **av) -- argv0 = av[0]; -+ # define ENGCONFIG "" -+ #endif - -- again: --- while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" --+ while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT -- "ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { -+- while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" -++ while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" SCTP_OPT -+ "ACD:E:F:" ENGCONFIG "I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { - switch (opt) { - case '1': - @@ -732,6 +738,11 @@ main(int ac, char **av) diff --git a/net-misc/openssh/files/openssh-7.1_p2-x509-hpn14v10-glue.patch b/net-misc/openssh/files/openssh-7.1_p2-x509-hpn14v10-glue.patch deleted file mode 100644 index 51245697..00000000 --- a/net-misc/openssh/files/openssh-7.1_p2-x509-hpn14v10-glue.patch +++ /dev/null 
@@ -1,51 +0,0 @@
---- openssh-7.1p2/Makefile.in
-+++ openssh-7.1p2/Makefile.in
-@@ -45,7 +45,7 @@
- CC=@CC@
- LD=@LD@
- CFLAGS=@CFLAGS@
--CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ @LDAP_CPPFLAGS@ $(PATHS) @DEFS@
-+CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
- LIBS=@LIBS@
- K5LIBS=@K5LIBS@
- GSSLIBS=@GSSLIBS@
-@@ -53,6 +53,7 @@
- SSHDLIBS=@SSHDLIBS@
- LIBEDIT=@LIBEDIT@
- LIBLDAP=@LDAP_LDFLAGS@ @LDAP_LIBS@
-+CPPFLAGS+=@LDAP_CPPFLAGS@
- AR=@AR@
- AWK=@AWK@
- RANLIB=@RANLIB@
---- openssh-7.1p2/sshconnect.c
-+++ openssh-7.1p2/sshconnect.c
-@@ -465,7 +465,7 @@
- {
- /* Send our own protocol version identification. */
- if (compat20) {
-- xasprintf(&client_version_string, "SSH-%d.%d-%.100s PKIX\r\n",
-+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
- } else {
- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
---- openssh-7.1p2/sshd.c
-+++ openssh-7.1p2/sshd.c
-@@ -472,8 +472,8 @@
- comment = "";
- }
-
-- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s%s",
-- major, minor, SSH_VERSION, comment,
-+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
-+ major, minor, SSH_VERSION,
- *options.version_addendum == '\0' ? "" : " ",
- options.version_addendum, newline);
-
---- openssh-7.1p2/version.h
-+++ openssh-7.1p2/version.h
-@@ -3,4 +3,5 @@
- #define SSH_VERSION "OpenSSH_7.1"
-
- #define SSH_PORTABLE "p2"
-+#define SSH_X509 " PKIX"
- #define SSH_RELEASE SSH_VERSION SSH_PORTABLE
diff --git a/net-misc/openssh/files/openssh-7.2_p1-GSSAPI-dns.patch b/net-misc/openssh/files/openssh-7.2_p1-GSSAPI-dns.patch
deleted file mode 100644
index 29e94e43..00000000
--- a/net-misc/openssh/files/openssh-7.2_p1-GSSAPI-dns.patch
+++ /dev/null
@@ -1,106 +0,0 @@ -http://bugs.gentoo.org/165444 -https://bugzilla.mindrot.org/show_bug.cgi?id=1008 - ---- openssh-7.2p1/readconf.c -+++ openssh-7.2p1/readconf.c -@@ -148,6 +148,7 @@ - oClearAllForwardings, oNoHostAuthenticationForLocalhost, - oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, - oAddressFamily, oGssAuthentication, oGssDelegateCreds, -+ oGssTrustDns, - oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, - oSendEnv, oControlPath, oControlMaster, oControlPersist, - oHashKnownHosts, -@@ -194,9 +195,11 @@ - #if defined(GSSAPI) - { "gssapiauthentication", oGssAuthentication }, - { "gssapidelegatecredentials", oGssDelegateCreds }, -+ { "gssapitrustdns", oGssTrustDns }, - #else - { "gssapiauthentication", oUnsupported }, - { "gssapidelegatecredentials", oUnsupported }, -+ { "gssapitrustdns", oUnsupported }, - #endif - { "fallbacktorsh", oDeprecated }, - { "usersh", oDeprecated }, -@@ -930,6 +933,10 @@ - intptr = &options->gss_deleg_creds; - goto parse_flag; - -+ case oGssTrustDns: -+ intptr = &options->gss_trust_dns; -+ goto parse_flag; -+ - case oBatchMode: - intptr = &options->batch_mode; - goto parse_flag; -@@ -1649,6 +1656,7 @@ - options->challenge_response_authentication = -1; - options->gss_authentication = -1; - options->gss_deleg_creds = -1; -+ options->gss_trust_dns = -1; - options->password_authentication = -1; - options->kbd_interactive_authentication = -1; - options->kbd_interactive_devices = NULL; -@@ -1779,6 +1787,8 @@ - options->gss_authentication = 0; - if (options->gss_deleg_creds == -1) - options->gss_deleg_creds = 0; -+ if (options->gss_trust_dns == -1) -+ options->gss_trust_dns = 0; - if (options->password_authentication == -1) - options->password_authentication = 1; - if (options->kbd_interactive_authentication == -1) ---- openssh-7.2p1/readconf.h -+++ openssh-7.2p1/readconf.h -@@ -46,6 +46,7 @@ - /* Try S/Key or TIS, authentication. 
*/ - int gss_authentication; /* Try GSS authentication */ - int gss_deleg_creds; /* Delegate GSS credentials */ -+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */ - int password_authentication; /* Try password - * authentication. */ - int kbd_interactive_authentication; /* Try keyboard-interactive auth. */ ---- openssh-7.2p1/ssh_config.5 -+++ openssh-7.2p1/ssh_config.5 -@@ -830,6 +830,16 @@ - Forward (delegate) credentials to the server. - The default is - .Dq no . -+Note that this option applies to protocol version 2 connections using GSSAPI. -+.It Cm GSSAPITrustDns -+Set to -+.Dq yes to indicate that the DNS is trusted to securely canonicalize -+the name of the host being connected to. If -+.Dq no, the hostname entered on the -+command line will be passed untouched to the GSSAPI library. -+The default is -+.Dq no . -+This option only applies to protocol version 2 connections using GSSAPI. - .It Cm HashKnownHosts - Indicates that - .Xr ssh 1 ---- openssh-7.2p1/sshconnect2.c -+++ openssh-7.2p1/sshconnect2.c -@@ -656,6 +656,12 @@ - static u_int mech = 0; - OM_uint32 min; - int ok = 0; -+ const char *gss_host; -+ -+ if (options.gss_trust_dns) -+ gss_host = get_canonical_hostname(1); -+ else -+ gss_host = authctxt->host; - - /* Try one GSSAPI method at a time, rather than sending them all at - * once. */ -@@ -668,7 +674,7 @@ - /* My DER encoding requires length<128 */ - if (gss_supported->elements[mech].length < 128 && - ssh_gssapi_check_mechanism(&gssctxt, -- &gss_supported->elements[mech], authctxt->host)) { -+ &gss_supported->elements[mech], gss_host)) { - ok = 1; /* Mechanism works */ - } else { - mech++; diff --git a/net-misc/openssh/files/openssh-7.2_p1-sctp-x509-glue.patch b/net-misc/openssh/files/openssh-7.2_p1-sctp-x509-glue.patch deleted file mode 100644 index 2884ee92..00000000 --- a/net-misc/openssh/files/openssh-7.2_p1-sctp-x509-glue.patch +++ /dev/null 
@@ -1,74 +0,0 @@ ---- openssh-7.2_p1-sctp.patch -+++ openssh-7.2_p1-sctp.patch -@@ -195,14 +195,6 @@ - .Op Fl c Ar cipher - .Op Fl F Ar ssh_config - .Op Fl i Ar identity_file --@@ -181,6 +181,7 @@ For full details of the options listed below, and their possible values, see -- .It ServerAliveCountMax -- .It StrictHostKeyChecking -- .It TCPKeepAlive --+.It Transport -- .It UpdateHostKeys -- .It UsePrivilegedPort -- .It User - @@ -222,6 +223,8 @@ and - to print debugging messages about their progress. - This is helpful in -@@ -477,19 +469,11 @@ - .Sh SYNOPSIS - .Nm ssh - .Bk -words ---.Op Fl 1246AaCfGgKkMNnqsTtVvXxYy --+.Op Fl 1246AaCfGgKkMNnqsTtVvXxYyz -+-.Op Fl 1246AaCdfgKkMNnqsTtVvXxYy -++.Op Fl 1246AaCdfgKkMNnqsTtVvXxYyz - .Op Fl b Ar bind_address - .Op Fl c Ar cipher_spec - .Op Fl D Oo Ar bind_address : Oc Ns Ar port --@@ -536,6 +536,7 @@ For full details of the options listed below, and their possible values, see -- .It StreamLocalBindUnlink -- .It StrictHostKeyChecking -- .It TCPKeepAlive --+.It Transport -- .It Tunnel -- .It TunnelDevice -- .It UpdateHostKeys - @@ -770,6 +771,8 @@ controls. - .Pp - .It Fl y -@@ -501,7 +485,7 @@ - index f9ff91f..d0d92ce 100644 - --- a/ssh.c - 
+++ b/ssh.c --@@ -195,12 +195,17 @@ extern int muxserver_sock; -+@@ -195,11 +195,16 @@ extern int muxserver_sock; - extern u_int muxclient_command; - - /* Prints a help message to the user. This function never returns. */ -@@ -515,18 +499,17 @@ - usage(void) - { - fprintf(stderr, ---"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n" --+"usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n" -+-"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]\n" -++"usage: ssh [-1246AaCdfgKkMNnqsTtVvXxYy" SCTP_OPT "] [-b bind_address] [-c cipher_spec]\n" - " [-D [bind_address:]port] [-E log_file] [-e escape_char]\n" - " [-F configfile] [-I pkcs11] [-i identity_file] [-L address]\n" -- " [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n" - @@ -605,7 +610,7 @@ main(int ac, char **av) -- argv0 = av[0]; -+ # define ENGCONFIG "" -+ #endif - -- again: --- while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" --+ while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" SCTP_OPT -- "ACD:E:F:GI:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { -+- while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" -++ while ((opt = getopt(ac, av, "1246ab:c:de:fgi:kl:m:no:p:qstvx" SCTP_OPT -+ "ACD:E:F:" ENGCONFIG "I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { - switch (opt) { - case '1': - @@ -845,6 +850,11 @@ main(int ac, char **av) diff --git a/net-misc/openssh/files/openssh-7.2_p1-x509-warnings.patch b/net-misc/openssh/files/openssh-7.2_p1-x509-warnings.patch deleted file mode 100644 index 9e51f6cd..00000000 --- a/net-misc/openssh/files/openssh-7.2_p1-x509-warnings.patch +++ /dev/null 
@@ -1,22 +0,0 @@
---- sshconnect2.c.dist 2016-07-16 12:24:22.784369522 +0100
-+++ sshconnect2.c 2016-07-16 12:29:42.459637342 +0100
-@@ -1456,7 +1456,7 @@ pubkey_cleanup(Authctxt *authctxt)
- static int
- get_allowed_keytype(Key *k) {
- char *pattern;
-- char *alg;
-+ const char *alg;
-
- if (k->type == KEY_RSA1 || k->type == KEY_UNSPEC)
- return KEY_UNSPEC;
---- x509_nm_cmp.c.dist 2016-07-16 12:27:40.188114003 +0100
-+++ x509_nm_cmp.c 2016-07-16 12:27:43.298067968 +0100
-@@ -166,7 +166,7 @@ ssh_ASN1_STRING_to_UTF8(unsigned char **
-
- tag = ASN1_STRING_type(in);
- if (tag != V_ASN1_UTF8STRING) {
-- return(ASN1_STRING_to_UTF8(out, in));
-+ return(ASN1_STRING_to_UTF8(out, (ASN1_STRING *) in));
- }
-
- l = ASN1_STRING_length(in);
diff --git a/net-misc/openssh/files/openssh-7.5_p1-disable-conch-interop-tests.patch b/net-misc/openssh/files/openssh-7.5_p1-disable-conch-interop-tests.patch
new file mode 100644
index 00000000..a5647ce9
--- /dev/null
+++ b/net-misc/openssh/files/openssh-7.5_p1-disable-conch-interop-tests.patch
@@ -0,0 +1,20 @@
+Disable conch interop tests which are failing when called
+via portage for yet unknown reason and because using conch
+seems to be flaky (test is failing when using Python2 but
+passing when using Python3).
+
+Bug: https://bugs.gentoo.org/605446
+
+--- a/regress/conch-ciphers.sh
++++ b/regress/conch-ciphers.sh
+@@ -3,6 +3,10 @@
+
+ tid="conch ciphers"
+
++# https://bugs.gentoo.org/605446
++echo "conch interop tests skipped due to Gentoo bug #605446"
++exit 0
++
+ if test "x$REGRESS_INTEROP_CONCH" != "xyes" ; then
+ echo "conch interop tests not enabled"
+ exit 0 |
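Review bot: The added `exit 0` in regress/conch-ciphers.sh sits ahead of the existing `REGRESS_INTEROP_CONCH` check, so the cipher interop test is skipped even for someone who explicitly opted in, and the zero exit status presumably lets the regress harness count the run as a pass. Everything after the new lines becomes unreachable, which quietly removes this piece of cipher interop coverage for as long as the patch is carried. Consider placing the three added lines after the opt-in check, so default runs still print "conch interop tests not enabled" and only opted-in runs see the skip message. The comment could also state a removal condition, e.g. `# remove once https://bugs.gentoo.org/605446 is resolved`. The patch header speaks of "conch interop tests" in general while only conch-ciphers.sh is touched here; the rest of that script lies outside the hunk.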