commit: 7a0b15d0ae44c5d039c28da66f7120ff21df5943
Author: layman <layman <AT> localhost>
AuthorDate: Sat May 24 20:37:41 2014 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sun May 25 00:44:25 2014 +0000
URL:
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=7a0b15d0
net-misc/openssh: bump to 6.6.1_p1
Package-Manager: portage-2.2.10
---
.../openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch | 26 ++++
net-misc/openssh/files/openssh-6.6.1_p1.patch | 167 +++++++++++++++++++++
...4_p1-r99.ebuild => openssh-6.6.1_p1-r99.ebuild} | 30 ++--
3 files changed, 214 insertions(+), 9 deletions(-)
diff --git a/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch
b/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch
new file mode 100644
index 0000000..c76015d
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch
@@ -0,0 +1,26 @@
+make the hpn patch apply when the x509 patch has also been applied
+
+--- openssh-6.6.1p1-hpnssh14v4.diff
++++ openssh-6.6.1p1-hpnssh14v4.diff
+@@ -1742,18 +1742,14 @@
+ if (options->ip_qos_interactive == -1)
+ options->ip_qos_interactive = IPTOS_LOWDELAY;
+ if (options->ip_qos_bulk == -1)
+-@@ -345,9 +393,10 @@
++@@ -345,6 +393,7 @@
+ sUsePrivilegeSeparation, sAllowAgentForwarding,
+ sHostCertificate,
+ sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
+-+ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
+++ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, sNoneEnabled,
+ sKexAlgorithms, sIPQoS, sVersionAddendum,
+ sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
+-- sAuthenticationMethods, sHostKeyAgent,
+-+ sAuthenticationMethods, sNoneEnabled, sHostKeyAgent,
+- sDeprecated, sUnsupported
+- } ServerOpCodes;
+-
++ sAuthenticationMethods, sHostKeyAgent,
+ @@ -468,6 +517,10 @@
+ { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
+ { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
diff --git a/net-misc/openssh/files/openssh-6.6.1_p1.patch
b/net-misc/openssh/files/openssh-6.6.1_p1.patch
new file mode 100644
index 0000000..b11f6fb
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.6.1_p1.patch
@@ -0,0 +1,167 @@
+Hi,
+
+So I screwed up when writing the support for the curve25519 KEX method
+that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left
+leading zero bytes where they should have been skipped. The impact of
+this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a
+peer that implements curve25519-sha256 at libssh.org properly about 0.2%
+of the time (one in every 512ish connections).
+
+We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256
+key exchange for previous versions, but I'd recommend distributors
+of OpenSSH apply this patch so the affected code doesn't become
+too entrenched in LTS releases.
+
+The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as
+to distinguish itself from the incorrect versions so the compatibility
+code to disable the affected KEX isn't activated.
+
+I've committed this on the 6.6 branch too.
+
+Apologies for the hassle.
+
+-d
+
+Index: version.h
+===================================================================
+RCS file: /var/cvs/openssh/version.h,v
+retrieving revision 1.82
+diff -u -p -r1.82 version.h
+--- version.h 27 Feb 2014 23:01:54 -0000 1.82
++++ version.h 20 Apr 2014 03:35:15 -0000
+@@ -1,6 +1,6 @@
+ /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
+
+-#define SSH_VERSION "OpenSSH_6.6"
++#define SSH_VERSION "OpenSSH_6.6.1"
+
+ #define SSH_PORTABLE "p1"
+ #define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+Index: compat.c
+===================================================================
+RCS file: /var/cvs/openssh/compat.c,v
+retrieving revision 1.82
+retrieving revision 1.85
+diff -u -p -r1.82 -r1.85
+--- compat.c 31 Dec 2013 01:25:41 -0000 1.82
++++ compat.c 20 Apr 2014 03:33:59 -0000 1.85
+@@ -95,6 +95,9 @@ compat_datafellows(const char *version)
+ { "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
+ { "OpenSSH_4*", 0 },
+ { "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
++ { "OpenSSH_6.6.1*", SSH_NEW_OPENSSH},
++ { "OpenSSH_6.5*,"
++ "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
+ { "OpenSSH*", SSH_NEW_OPENSSH },
+ { "*MindTerm*", 0 },
+ { "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
+@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop
+ return cipher_prop;
+ }
+
+-
+ char *
+ compat_pkalg_proposal(char *pkalg_prop)
+ {
+@@ -263,5 +265,18 @@ compat_pkalg_proposal(char *pkalg_prop)
+ if (*pkalg_prop == '\0')
+ fatal("No supported PK algorithms found");
+ return pkalg_prop;
++}
++
++char *
++compat_kex_proposal(char *kex_prop)
++{
++ if (!(datafellows & SSH_BUG_CURVE25519PAD))
++ return kex_prop;
++ debug2("%s: original KEX proposal: %s", __func__, kex_prop);
++ kex_prop = filter_proposal(kex_prop, "curve25519-sha256 at libssh.org");
++ debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
++ if (*kex_prop == '\0')
++ fatal("No supported key exchange algorithms found");
++ return kex_prop;
+ }
+
+Index: compat.h
+===================================================================
+RCS file: /var/cvs/openssh/compat.h,v
+retrieving revision 1.42
+retrieving revision 1.43
+diff -u -p -r1.42 -r1.43
+--- compat.h 31 Dec 2013 01:25:41 -0000 1.42
++++ compat.h 20 Apr 2014 03:25:31 -0000 1.43
+@@ -59,6 +59,7 @@
+ #define SSH_BUG_RFWD_ADDR 0x02000000
+ #define SSH_NEW_OPENSSH 0x04000000
+ #define SSH_BUG_DYNAMIC_RPORT 0x08000000
++#define SSH_BUG_CURVE25519PAD 0x10000000
+
+ void enable_compat13(void);
+ void enable_compat20(void);
+@@ -66,6 +67,7 @@ void compat_datafellows(const char *
+ int proto_spec(const char *);
+ char *compat_cipher_proposal(char *);
+ char *compat_pkalg_proposal(char *);
++char *compat_kex_proposal(char *);
+
+ extern int compat13;
+ extern int compat20;
+Index: sshd.c
+===================================================================
+RCS file: /var/cvs/openssh/sshd.c,v
+retrieving revision 1.448
+retrieving revision 1.453
+diff -u -p -r1.448 -r1.453
+--- sshd.c 26 Feb 2014 23:20:08 -0000 1.448
++++ sshd.c 20 Apr 2014 03:28:41 -0000 1.453
+@@ -2462,6 +2438,9 @@ do_ssh2_kex(void)
+ if (options.kex_algorithms != NULL)
+ myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
+
++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
++ myproposal[PROPOSAL_KEX_ALGS]);
++
+ if (options.rekey_limit || options.rekey_interval)
+ packet_set_rekey_limits((u_int32_t)options.rekey_limit,
+ (time_t)options.rekey_interval);
+Index: sshconnect2.c
+===================================================================
+RCS file: /var/cvs/openssh/sshconnect2.c,v
+retrieving revision 1.197
+retrieving revision 1.199
+diff -u -p -r1.197 -r1.199
+--- sshconnect2.c 4 Feb 2014 00:20:16 -0000 1.197
++++ sshconnect2.c 20 Apr 2014 03:25:31 -0000 1.199
+@@ -195,6 +196,8 @@ ssh_kex2(char *host, struct sockaddr *ho
+ }
+ if (options.kex_algorithms != NULL)
+ myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
++ myproposal[PROPOSAL_KEX_ALGS]);
+
+ if (options.rekey_limit || options.rekey_interval)
+ packet_set_rekey_limits((u_int32_t)options.rekey_limit,
+Index: bufaux.c
+===================================================================
+RCS file: /var/cvs/openssh/bufaux.c,v
+retrieving revision 1.62
+retrieving revision 1.63
+diff -u -p -r1.62 -r1.63
+--- bufaux.c 4 Feb 2014 00:20:15 -0000 1.62
++++ bufaux.c 20 Apr 2014 03:24:50 -0000 1.63
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */
++/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo at cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
+@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *b
+
+ if (l > 8 * 1024)
+ fatal("%s: length %u too long", __func__, l);
++ /* Skip leading zero bytes */
++ for (; l > 0 && *s == 0; l--, s++)
++ ;
+ p = buf = xmalloc(l + 1);
+ /*
+ * If most significant bit is set then prepend a zero byte to
diff --git a/net-misc/openssh/openssh-6.4_p1-r99.ebuild
b/net-misc/openssh/openssh-6.6.1_p1-r99.ebuild
similarity index 89%
rename from net-misc/openssh/openssh-6.4_p1-r99.ebuild
rename to net-misc/openssh/openssh-6.6.1_p1-r99.ebuild
index 6d71913..6dd6a08 100644
--- a/net-misc/openssh/openssh-6.4_p1-r99.ebuild
+++ b/net-misc/openssh/openssh-6.6.1_p1-r99.ebuild
@@ -1,29 +1,31 @@
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-6.4_p1-r1.ebuild,v
1.6 2014/01/02 12:06:49 polynomial-c Exp $
+# $Header:
/var/cvsroot/gentoo-x86/net-misc/openssh/openssh-6.6.1_p1-r99.ebuild,v 1.2
2014/03/20 20:58:31 vapier Exp $
EAPI="4"
inherit eutils user flag-o-matic multilib autotools pam systemd versionator
# Make it more portable between straight releases
# and _p? releases.
-PARCH=${P/_}
+PARCH=${P/.1_}
-HPN_PATCH="${PN}-6.3p1-hpnssh14v2.diff.gz"
-LDAP_PATCH="${PN}-lpk-6.3p1-0.3.14.patch.gz"
-X509_VER="7.7" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
+#HPN_PATCH="${PN}-6.6p1-hpnssh14v4.diff.gz"
+HPN_PATCH="${PN}-6.6.1p1-hpnssh14v4.diff.xz"
+LDAP_PATCH="${PN}-lpk-6.5p1-0.3.14.patch.gz"
+X509_VER="7.9" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
DESCRIPTION="Port of OpenBSD's free SSH release"
HOMEPAGE="http://www.openssh.org/";
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
- ${HPN_PATCH:+hpn? ( mirror://gentoo/${HPN_PATCH} )}
+ ${HPN_PATCH:+hpn? ( http://dev.gentoo.org/~polynomial-c/${HPN_PATCH} )}
${LDAP_PATCH:+ldap? ( mirror://gentoo/${LDAP_PATCH} )}
${X509_PATCH:+X509? (
http://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
"
+ #${HPN_PATCH:+hpn? ( mirror://sourceforge/hpnssh/${HPN_PATCH} )}
LICENSE="BSD GPL-2"
SLOT="0"
-KEYWORDS="amd64 arm ~mips x86"
+KEYWORDS="~amd64 ~arm ~mips ~x86"
IUSE="bindist ${HPN_PATCH:++}hpn kerberos ldap ldns libedit pam selinux skey
static tcpd X X509"
LIB_DEPEND="selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
@@ -98,10 +100,13 @@ src_prepare() {
# don't break .ssh/authorized_keys2 for fun
sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
+ epatch "${FILESDIR}"/${P}.patch #508604
+
epatch "${FILESDIR}"/${PN}-5.9_p1-sshd-gssapi-multihomed.patch #378361
if use X509 ; then
pushd .. >/dev/null
- epatch "${FILESDIR}"/${PN}-6.4_p1-x509-glue.patch
+ epatch "${FILESDIR}"/${PN}-6.6_p1-x509-glue.patch
+ use hpn && epatch
"${FILESDIR}"/${PN}-6.6.1_p1-x509-hpn14v4-glue-p2.patch
popd >/dev/null
epatch "${WORKDIR}"/${X509_PATCH%.*}
epatch "${FILESDIR}"/${PN}-6.3_p1-x509-hpn14v2-glue.patch
@@ -116,8 +121,10 @@ src_prepare() {
use ldap && ewarn "Sorry, X509 and LDAP conflict internally,
disabling LDAP"
fi
epatch "${FILESDIR}"/${PN}-4.7_p1-GSSAPI-dns.patch #165444 integrated
into gsskex
+ epatch "${FILESDIR}"/${PN}-6.6_p1-openssl-ignore-status.patch
if [[ -n ${HPN_PATCH} ]] && use hpn; then
epatch "${WORKDIR}"/${HPN_PATCH%.*}
+ epatch "${FILESDIR}"/${PN}-6.5_p1-hpn-cipher-align.patch #498632
save_version HPN
fi
@@ -129,7 +136,12 @@ src_prepare() {
# Disable fortify flags ... our gcc does this for us
-e 's:-D_FORTIFY_SOURCE=2::'
)
- sed -i "${sed_args[@]}" configure{,.ac} || die
+ # The -ftrapv flag ICEs on hppa #505182
+ use hppa && sed_args+=(
+ -e '/CFLAGS/s:-ftrapv:-fdisable-this-test:'
+ -e '/OSSH_CHECK_CFLAG_LINK.*-ftrapv/d'
+ )
+ sed -i "${sed_args[@]}" configure{.ac,} || die
epatch "${FILESDIR}"/${PN}-6.4p1-avoid-exit.patch
epatch "${FILESDIR}"/${PN}-6.4p1-missing-sys_param_h.patch
