commit: 5f063681189a28383878a828fbec840e6f4e54e3 Author: Sam James <sam <AT> gentoo <DOT> org> AuthorDate: Wed Sep 24 15:36:17 2025 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Wed Sep 24 15:38:05 2025 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5f063681
net-misc/openssh: backport new key exchange (and other fixes) to 9.8_p1, 9.9_p2 Upstream asked that a new key exchange algorithm be backported to older releases being shipped by distros [0], so let's do that. While at it, include other changes from the corresponding release branches. As for why we're still packaging older releases anyway: it's because older OpenSSH is useful to connect to old machines, and for security testing. [0] https://marc.info/?l=openssh-unix-dev&m=175495631413568&w=2 Signed-off-by: Sam James <sam <AT> gentoo.org> ...01-Fix-detection-of-setres-id-on-GNU-Hurd.patch | 36 ++ .../0002-Add-9.8-branch-to-ci-status-page.patch | 30 ++ ...003-Cast-to-sockaddr-in-systemd-interface.patch | 29 ++ ...correct-keyword-from-Yatao-Su-via-GHPR509.patch | 29 ++ ...0005-support-sntrup761x25519-sha512-alias.patch | 250 ++++++++++++ .../0006-back-out-unrelated-manpages-changes.patch | 206 ++++++++++ ...ention-sntrup761x25519-sha512-in-manpages.patch | 48 +++ ...-for-le32toh-le64toh-htole64-individually.patch | 87 ++++ ...Update-autoconf-files-for-endian.h-change.patch | 118 ++++++ ...-Rebuild-config-files-if-Makefile-changes.patch | 30 ++ ...e-__builtin_popcount-replacement-function.patch | 92 +++++ ...x-PerSourcePenalty-incorrectly-using-cras.patch | 32 ++ .../0006-regenerate-configure-config.h.in.patch | 80 ++++ ...ime-caches-for-DNS-names-needed-for-tests.patch | 44 ++ ...12-runners-are-deprecated-replace-with-15.patch | 41 ++ ...emove-redundant-field-of-definition-check.patch | 51 +++ ...eck-if-dbclient-supports-SHA1-before-tryi.patch | 64 +++ net-misc/openssh/openssh-9.8_p1-r4.ebuild | 438 ++++++++++++++++++++ net-misc/openssh/openssh-9.9_p2-r4.ebuild | 441 +++++++++++++++++++++ 19 files changed, 2146 insertions(+) diff --git a/net-misc/openssh/files/9.8_p1/0001-Fix-detection-of-setres-id-on-GNU-Hurd.patch b/net-misc/openssh/files/9.8_p1/0001-Fix-detection-of-setres-id-on-GNU-Hurd.patch new file mode 100644 index 000000000000..1001988825ae --- /dev/null +++ b/net-misc/openssh/files/9.8_p1/0001-Fix-detection-of-setres-id-on-GNU-Hurd.patch @@ -0,0 +1,36 @@ +From 20950a7c047ca08f9317d27866c06587ed51a338 Mon Sep 17 00:00:00 2001 +Message-ID: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git....@gentoo.org> +From: Samuel Thibault <[email protected]> +Date: Tue, 26 Mar 2024 22:15:08 +0100 +Subject: [PATCH 1/7] Fix detection of setres*id on GNU/Hurd + +Like Linux, proper _SOURCE macros need to be set to get declarations of +various standard functions, notably setres*id. Now that Debian is using +-Werror=implicit-function-declaration this is really required. While at +it, define other _SOURCE macros like on GNU/Linux, since GNU/Hurd uses +the same glibc. +--- + configure.ac | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/configure.ac b/configure.ac +index 5a865f8e1..2eede34c3 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1348,6 +1348,13 @@ EOD + AC_DEFINE([BROKEN_SETVBUF], [1], + [LynxOS has broken setvbuf() implementation]) + ;; ++*-*-gnu*) ++ dnl GNU Hurd. Needs to be after the linux and the other *-gnu entries. ++ dnl Target SUSv3/POSIX.1-2001 plus BSD specifics. ++ dnl _DEFAULT_SOURCE is the new name for _BSD_SOURCE ++ dnl _GNU_SOURCE is needed for setres*id prototypes. ++ CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE" ++ ;; + esac + + AC_MSG_CHECKING([compiler and flags for sanity]) +-- +2.51.0 + diff --git a/net-misc/openssh/files/9.8_p1/0002-Add-9.8-branch-to-ci-status-page.patch b/net-misc/openssh/files/9.8_p1/0002-Add-9.8-branch-to-ci-status-page.patch new file mode 100644 index 000000000000..cc74ec2d3045 --- /dev/null +++ b/net-misc/openssh/files/9.8_p1/0002-Add-9.8-branch-to-ci-status-page.patch @@ -0,0 +1,30 @@ +From 34f7a962f992a43e33b5b6e2dd71f1582433d551 Mon Sep 17 00:00:00 2001 +Message-ID: <34f7a962f992a43e33b5b6e2dd71f1582433d551.1758727870.git....@gentoo.org> +In-Reply-To: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git....@gentoo.org> +References: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git....@gentoo.org> +From: Darren Tucker <[email protected]> +Date: Thu, 4 Jul 2024 20:12:26 +1000 +Subject: [PATCH 2/7] Add 9.8 branch to ci-status page. + +--- + .github/ci-status.md | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/.github/ci-status.md b/.github/ci-status.md +index fbf7c5fd6..4fa73894c 100644 +--- a/.github/ci-status.md ++++ b/.github/ci-status.md +@@ -6,6 +6,10 @@ master : + [](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:openssh) + [](https://scan.coverity.com/projects/openssh-portable) + ++9.8 : ++[](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_8) ++[](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_8) ++ + 9.7 : + [](https://github.com/openssh/openssh-portable/actions/workflows/c-cpp.yml?query=branch:V_9_7) + [](https://github.com/openssh/openssh-portable-selfhosted/actions/workflows/selfhosted.yml?query=branch:V_9_7) +-- +2.51.0 + diff --git a/net-misc/openssh/files/9.8_p1/0003-Cast-to-sockaddr-in-systemd-interface.patch b/net-misc/openssh/files/9.8_p1/0003-Cast-to-sockaddr-in-systemd-interface.patch new file mode 100644 index 000000000000..aa7d593abf9f --- /dev/null +++ b/net-misc/openssh/files/9.8_p1/0003-Cast-to-sockaddr-in-systemd-interface.patch @@ -0,0 +1,29 @@ +From b35a64dd7d5278af859ff8cca1fbe42d2c308ac0 Mon Sep 17 00:00:00 2001 +Message-ID: <b35a64dd7d5278af859ff8cca1fbe42d2c308ac0.1758727870.git....@gentoo.org> +In-Reply-To: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git....@gentoo.org> +References: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git....@gentoo.org> +From: Darren Tucker <[email protected]> +Date: Sun, 7 Jul 2024 18:46:19 +1000 +Subject: [PATCH 3/7] Cast to sockaddr * in systemd interface. + +Fixes build with musl libx. bz#3707. +--- + openbsd-compat/port-linux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c +index 4c024c6d2..8adfec5a7 100644 +--- a/openbsd-compat/port-linux.c ++++ b/openbsd-compat/port-linux.c +@@ -366,7 +366,7 @@ ssh_systemd_notify(const char *fmt, ...) + error_f("socket \"%s\": %s", path, strerror(errno)); + goto out; + } +- if (connect(fd, &addr, sizeof(addr)) != 0) { ++ if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) != 0) { + error_f("socket \"%s\" connect: %s", path, strerror(errno)); + goto out; + } +-- +2.51.0 + diff --git a/net-misc/openssh/files/9.8_p1/0004-upstream-correct-keyword-from-Yatao-Su-via-GHPR509.patch b/net-misc/openssh/files/9.8_p1/0004-upstream-correct-keyword-from-Yatao-Su-via-GHPR509.patch new file mode 100644 index 000000000000..7d236829a55f --- /dev/null +++ b/net-misc/openssh/files/9.8_p1/0004-upstream-correct-keyword-from-Yatao-Su-via-GHPR509.patch @@ -0,0 +1,29 @@ +From c21fc9d953f6d858ea0a9d7da38359d2eb397ed0 Mon Sep 17 00:00:00 2001 +Message-ID: <c21fc9d953f6d858ea0a9d7da38359d2eb397ed0.1758727870.git....@gentoo.org> +In-Reply-To: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git....@gentoo.org> +References: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git....@gentoo.org> +From: "[email protected]" <[email protected]> +Date: Wed, 10 Jul 2024 21:58:34 +0000 +Subject: [PATCH 4/7] upstream: correct keyword; from Yatao Su via GHPR509 + +OpenBSD-Commit-ID: 81c778c76dea7ef407603caa157eb0c381c52ad2 +--- + sshd_config.5 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sshd_config.5 b/sshd_config.5 +index 1ab0f41d9..ce872de52 100644 +--- a/sshd_config.5 ++++ b/sshd_config.5 +@@ -1586,7 +1586,7 @@ accumulated. + .Pp + Penalties are enabled by default with the default settings listed below + but may disabled using the +-.Cm off ++.Cm no + keyword. + The defaults may be overridden by specifying one or more of the keywords below, + separated by whitespace. +-- +2.51.0 + diff --git a/net-misc/openssh/files/9.8_p1/0005-support-sntrup761x25519-sha512-alias.patch b/net-misc/openssh/files/9.8_p1/0005-support-sntrup761x25519-sha512-alias.patch new file mode 100644 index 000000000000..d61a90605d27 --- /dev/null +++ b/net-misc/openssh/files/9.8_p1/0005-support-sntrup761x25519-sha512-alias.patch @@ -0,0 +1,250 @@ +From 26f73db15e0eee558a11b42a9d794d78c87dd11e Mon Sep 17 00:00:00 2001 +Message-ID: <26f73db15e0eee558a11b42a9d794d78c87dd11e.1758727870.git....@gentoo.org> +In-Reply-To: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git....@gentoo.org> +References: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git....@gentoo.org> +From: Damien Miller <[email protected]> +Date: Mon, 11 Aug 2025 16:40:24 +1000 +Subject: [PATCH 5/7] support sntrup761x25519-sha512 alias + +OpenSSH 9.8 supports the [email protected] +key agreement algorithm. As part of standardisation, this algorithm +has been assigned the name sntrup761x25519-sha512. + +This commit enables the existing algorithm under this new name. +--- + configure | 3 +++ + kex-names.c | 2 ++ + kex.h | 1 + + moduli.0 | 2 +- + myproposal.h | 1 + + scp.0 | 2 +- + sftp-server.0 | 2 +- + sftp.0 | 2 +- + ssh-add.0 | 2 +- + ssh-agent.0 | 2 +- + ssh-keygen.0 | 2 +- + ssh-keyscan.0 | 2 +- + ssh-keysign.0 | 2 +- + ssh-pkcs11-helper.0 | 2 +- + ssh-sk-helper.0 | 2 +- + ssh.0 | 2 +- + ssh_config.0 | 2 +- + sshd.0 | 2 +- + sshd_config.0 | 6 +++--- + 19 files changed, 24 insertions(+), 17 deletions(-) + +diff --git a/configure b/configure +index 07d19fd30..32e38c4cb 100755 +--- a/configure ++++ b/configure +@@ -13317,6 +13317,9 @@ EOD + printf "%s\n" "#define BROKEN_SETVBUF 1" >>confdefs.h + + ;; ++*-*-gnu*) ++ CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE" ++ ;; + esac + + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking compiler and flags for sanity" >&5 +diff --git a/kex-names.c b/kex-names.c +index 339eb1c23..1869b8ee1 100644 +--- a/kex-names.c ++++ b/kex-names.c +@@ -77,6 +77,8 @@ static const struct kexalg kexalgs[] = { + { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, + { KEX_CURVE25519_SHA256_OLD, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, + #ifdef USE_SNTRUP761X25519 ++ { KEX_SNTRUP761X25519_SHA512_IANA, KEX_KEM_SNTRUP761X25519_SHA512, 0, ++ SSH_DIGEST_SHA512 }, + { KEX_SNTRUP761X25519_SHA512, KEX_KEM_SNTRUP761X25519_SHA512, 0, + SSH_DIGEST_SHA512 }, + #endif +diff --git a/kex.h b/kex.h +index 34665eb20..ed22b929f 100644 +--- a/kex.h ++++ b/kex.h +@@ -63,6 +63,7 @@ + #define KEX_CURVE25519_SHA256 "curve25519-sha256" + #define KEX_CURVE25519_SHA256_OLD "[email protected]" + #define KEX_SNTRUP761X25519_SHA512 "[email protected]" ++#define KEX_SNTRUP761X25519_SHA512_IANA "sntrup761x25519-sha512" + + #define COMP_NONE 0 + /* pre-auth compression (COMP_ZLIB) is only supported in the client */ +diff --git a/moduli.0 b/moduli.0 +index 057a018ef..90700a16f 100644 +--- a/moduli.0 ++++ b/moduli.0 +@@ -71,4 +71,4 @@ STANDARDS + M. Friedl, N. Provos, and W. Simpson, Diffie-Hellman Group Exchange for + the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, March 2006. + +-OpenBSD 7.5 April 16, 2022 OpenBSD 7.5 ++OpenBSD 7.7 April 16, 2022 OpenBSD 7.7 +diff --git a/myproposal.h b/myproposal.h +index ee6e9f741..0528cd783 100644 +--- a/myproposal.h ++++ b/myproposal.h +@@ -25,6 +25,7 @@ + */ + + #define KEX_SERVER_KEX \ ++ "sntrup761x25519-sha512," \ + "[email protected]," \ + "curve25519-sha256," \ + "[email protected]," \ +diff --git a/scp.0 b/scp.0 +index e098ddf55..85d5f83d5 100644 +--- a/scp.0 ++++ b/scp.0 +@@ -229,4 +229,4 @@ CAVEATS + requires careful quoting of any characters that have special meaning to + the remote shell, such as quote characters. + +-OpenBSD 7.5 December 16, 2022 OpenBSD 7.5 ++OpenBSD 7.7 December 16, 2022 OpenBSD 7.7 +diff --git a/sftp-server.0 b/sftp-server.0 +index 23fdda399..273b69908 100644 +--- a/sftp-server.0 ++++ b/sftp-server.0 +@@ -95,4 +95,4 @@ HISTORY + AUTHORS + Markus Friedl <[email protected]> + +-OpenBSD 7.5 July 27, 2021 OpenBSD 7.5 ++OpenBSD 7.7 July 27, 2021 OpenBSD 7.7 +diff --git a/sftp.0 b/sftp.0 +index c6a9e60c4..0476733c1 100644 +--- a/sftp.0 ++++ b/sftp.0 +@@ -435,4 +435,4 @@ SEE ALSO + T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh- + filexfer-00.txt, January 2001, work in progress material. + +-OpenBSD 7.5 December 16, 2022 OpenBSD 7.5 ++OpenBSD 7.7 December 16, 2022 OpenBSD 7.7 +diff --git a/ssh-add.0 b/ssh-add.0 +index 30eed6672..20f1a88e2 100644 +--- a/ssh-add.0 ++++ b/ssh-add.0 +@@ -206,4 +206,4 @@ AUTHORS + created OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. + +-OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 ++OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 +diff --git a/ssh-agent.0 b/ssh-agent.0 +index 2e4ef7b6e..238fa54e2 100644 +--- a/ssh-agent.0 ++++ b/ssh-agent.0 +@@ -137,4 +137,4 @@ AUTHORS + created OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. + +-OpenBSD 7.5 August 10, 2023 OpenBSD 7.5 ++OpenBSD 7.7 August 10, 2023 OpenBSD 7.7 +diff --git a/ssh-keygen.0 b/ssh-keygen.0 +index a731a7fa8..13b032f46 100644 +--- a/ssh-keygen.0 ++++ b/ssh-keygen.0 +@@ -904,4 +904,4 @@ AUTHORS + created OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. + +-OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 ++OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 +diff --git a/ssh-keyscan.0 b/ssh-keyscan.0 +index 110399094..cf0962c82 100644 +--- a/ssh-keyscan.0 ++++ b/ssh-keyscan.0 +@@ -120,4 +120,4 @@ AUTHORS + Davison <[email protected]> added support for protocol version + 2. + +-OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 ++OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 +diff --git a/ssh-keysign.0 b/ssh-keysign.0 +index 577955d1b..ff3305809 100644 +--- a/ssh-keysign.0 ++++ b/ssh-keysign.0 +@@ -47,4 +47,4 @@ HISTORY + AUTHORS + Markus Friedl <[email protected]> + +-OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 ++OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 +diff --git a/ssh-pkcs11-helper.0 b/ssh-pkcs11-helper.0 +index 564587259..4b1cb8d7d 100644 +--- a/ssh-pkcs11-helper.0 ++++ b/ssh-pkcs11-helper.0 +@@ -32,4 +32,4 @@ HISTORY + AUTHORS + Markus Friedl <[email protected]> + +-OpenBSD 7.5 April 29, 2022 OpenBSD 7.5 ++OpenBSD 7.7 April 29, 2022 OpenBSD 7.7 +diff --git a/ssh-sk-helper.0 b/ssh-sk-helper.0 +index ea2117abd..4abc5e8a0 100644 +--- a/ssh-sk-helper.0 ++++ b/ssh-sk-helper.0 +@@ -31,4 +31,4 @@ HISTORY + AUTHORS + Damien Miller <[email protected]> + +-OpenBSD 7.5 April 29, 2022 OpenBSD 7.5 ++OpenBSD 7.7 April 29, 2022 OpenBSD 7.7 +diff --git a/ssh.0 b/ssh.0 +index 78863b1b0..9c34e3e6e 100644 +--- a/ssh.0 ++++ b/ssh.0 +@@ -1016,4 +1016,4 @@ AUTHORS + created OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. + +-OpenBSD 7.5 June 27, 2024 OpenBSD 7.5 ++OpenBSD 7.7 June 27, 2024 OpenBSD 7.7 +diff --git a/ssh_config.0 b/ssh_config.0 +index ef6c0936a..f9a82781b 100644 +--- a/ssh_config.0 ++++ b/ssh_config.0 +@@ -1428,4 +1428,4 @@ AUTHORS + created OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. + +-OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 ++OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 +diff --git a/sshd.0 b/sshd.0 +index c7de2d311..eac127dcf 100644 +--- a/sshd.0 ++++ b/sshd.0 +@@ -682,4 +682,4 @@ AUTHORS + versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support + for privilege separation. + +-OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 ++OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 +diff --git a/sshd_config.0 b/sshd_config.0 +index 6883dda4b..ca030fcca 100644 +--- a/sshd_config.0 ++++ b/sshd_config.0 +@@ -950,8 +950,8 @@ DESCRIPTION + accumulated. + + Penalties are enabled by default with the default settings listed +- below but may disabled using the off keyword. The defaults may +- be overridden by specifying one or more of the keywords below, ++ below but may disabled using the no keyword. The defaults may be ++ overridden by specifying one or more of the keywords below, + separated by whitespace. All keywords accept arguments, e.g. + "crash:2m". + +@@ -1390,4 +1390,4 @@ AUTHORS + versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support + for privilege separation. + +-OpenBSD 7.5 June 24, 2024 OpenBSD 7.5 ++OpenBSD 7.7 June 24, 2024 OpenBSD 7.7 +-- +2.51.0 + diff --git a/net-misc/openssh/files/9.8_p1/0006-back-out-unrelated-manpages-changes.patch b/net-misc/openssh/files/9.8_p1/0006-back-out-unrelated-manpages-changes.patch new file mode 100644 index 000000000000..f5ca5ebacf01 --- /dev/null +++ b/net-misc/openssh/files/9.8_p1/0006-back-out-unrelated-manpages-changes.patch @@ -0,0 +1,206 @@ +From d1460a177431d034248b62b36240f634482e48de Mon Sep 17 00:00:00 2001 +Message-ID: <d1460a177431d034248b62b36240f634482e48de.1758727870.git....@gentoo.org> +In-Reply-To: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git....@gentoo.org> +References: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git....@gentoo.org> +From: Damien Miller <[email protected]> +Date: Wed, 13 Aug 2025 09:19:53 +1000 +Subject: [PATCH 6/7] back out unrelated manpages changes + +spotted by Colin Wilson +--- + configure | 3 --- + moduli.0 | 2 +- + scp.0 | 2 +- + sftp-server.0 | 2 +- + sftp.0 | 2 +- + ssh-add.0 | 2 +- + ssh-agent.0 | 2 +- + ssh-keygen.0 | 2 +- + ssh-keyscan.0 | 2 +- + ssh-keysign.0 | 2 +- + ssh-pkcs11-helper.0 | 2 +- + ssh-sk-helper.0 | 2 +- + ssh.0 | 2 +- + ssh_config.0 | 2 +- + sshd.0 | 2 +- + sshd_config.0 | 6 +++--- + 16 files changed, 17 insertions(+), 20 deletions(-) + +diff --git a/configure b/configure +index 32e38c4cb..07d19fd30 100755 +--- a/configure ++++ b/configure +@@ -13317,9 +13317,6 @@ EOD + printf "%s\n" "#define BROKEN_SETVBUF 1" >>confdefs.h + + ;; +-*-*-gnu*) +- CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE" +- ;; + esac + + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking compiler and flags for sanity" >&5 +diff --git a/moduli.0 b/moduli.0 +index 90700a16f..057a018ef 100644 +--- a/moduli.0 ++++ b/moduli.0 +@@ -71,4 +71,4 @@ STANDARDS + M. Friedl, N. Provos, and W. Simpson, Diffie-Hellman Group Exchange for + the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, March 2006. + +-OpenBSD 7.7 April 16, 2022 OpenBSD 7.7 ++OpenBSD 7.5 April 16, 2022 OpenBSD 7.5 +diff --git a/scp.0 b/scp.0 +index 85d5f83d5..e098ddf55 100644 +--- a/scp.0 ++++ b/scp.0 +@@ -229,4 +229,4 @@ CAVEATS + requires careful quoting of any characters that have special meaning to + the remote shell, such as quote characters. + +-OpenBSD 7.7 December 16, 2022 OpenBSD 7.7 ++OpenBSD 7.5 December 16, 2022 OpenBSD 7.5 +diff --git a/sftp-server.0 b/sftp-server.0 +index 273b69908..23fdda399 100644 +--- a/sftp-server.0 ++++ b/sftp-server.0 +@@ -95,4 +95,4 @@ HISTORY + AUTHORS + Markus Friedl <[email protected]> + +-OpenBSD 7.7 July 27, 2021 OpenBSD 7.7 ++OpenBSD 7.5 July 27, 2021 OpenBSD 7.5 +diff --git a/sftp.0 b/sftp.0 +index 0476733c1..c6a9e60c4 100644 +--- a/sftp.0 ++++ b/sftp.0 +@@ -435,4 +435,4 @@ SEE ALSO + T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh- + filexfer-00.txt, January 2001, work in progress material. + +-OpenBSD 7.7 December 16, 2022 OpenBSD 7.7 ++OpenBSD 7.5 December 16, 2022 OpenBSD 7.5 +diff --git a/ssh-add.0 b/ssh-add.0 +index 20f1a88e2..30eed6672 100644 +--- a/ssh-add.0 ++++ b/ssh-add.0 +@@ -206,4 +206,4 @@ AUTHORS + created OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. + +-OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 ++OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 +diff --git a/ssh-agent.0 b/ssh-agent.0 +index 238fa54e2..2e4ef7b6e 100644 +--- a/ssh-agent.0 ++++ b/ssh-agent.0 +@@ -137,4 +137,4 @@ AUTHORS + created OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. + +-OpenBSD 7.7 August 10, 2023 OpenBSD 7.7 ++OpenBSD 7.5 August 10, 2023 OpenBSD 7.5 +diff --git a/ssh-keygen.0 b/ssh-keygen.0 +index 13b032f46..a731a7fa8 100644 +--- a/ssh-keygen.0 ++++ b/ssh-keygen.0 +@@ -904,4 +904,4 @@ AUTHORS + created OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. + +-OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 ++OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 +diff --git a/ssh-keyscan.0 b/ssh-keyscan.0 +index cf0962c82..110399094 100644 +--- a/ssh-keyscan.0 ++++ b/ssh-keyscan.0 +@@ -120,4 +120,4 @@ AUTHORS + Davison <[email protected]> added support for protocol version + 2. + +-OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 ++OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 +diff --git a/ssh-keysign.0 b/ssh-keysign.0 +index ff3305809..577955d1b 100644 +--- a/ssh-keysign.0 ++++ b/ssh-keysign.0 +@@ -47,4 +47,4 @@ HISTORY + AUTHORS + Markus Friedl <[email protected]> + +-OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 ++OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 +diff --git a/ssh-pkcs11-helper.0 b/ssh-pkcs11-helper.0 +index 4b1cb8d7d..564587259 100644 +--- a/ssh-pkcs11-helper.0 ++++ b/ssh-pkcs11-helper.0 +@@ -32,4 +32,4 @@ HISTORY + AUTHORS + Markus Friedl <[email protected]> + +-OpenBSD 7.7 April 29, 2022 OpenBSD 7.7 ++OpenBSD 7.5 April 29, 2022 OpenBSD 7.5 +diff --git a/ssh-sk-helper.0 b/ssh-sk-helper.0 +index 4abc5e8a0..ea2117abd 100644 +--- a/ssh-sk-helper.0 ++++ b/ssh-sk-helper.0 +@@ -31,4 +31,4 @@ HISTORY + AUTHORS + Damien Miller <[email protected]> + +-OpenBSD 7.7 April 29, 2022 OpenBSD 7.7 ++OpenBSD 7.5 April 29, 2022 OpenBSD 7.5 +diff --git a/ssh.0 b/ssh.0 +index 9c34e3e6e..78863b1b0 100644 +--- a/ssh.0 ++++ b/ssh.0 +@@ -1016,4 +1016,4 @@ AUTHORS + created OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. + +-OpenBSD 7.7 June 27, 2024 OpenBSD 7.7 ++OpenBSD 7.5 June 27, 2024 OpenBSD 7.5 +diff --git a/ssh_config.0 b/ssh_config.0 +index f9a82781b..ef6c0936a 100644 +--- a/ssh_config.0 ++++ b/ssh_config.0 +@@ -1428,4 +1428,4 @@ AUTHORS + created OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. + +-OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 ++OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 +diff --git a/sshd.0 b/sshd.0 +index eac127dcf..c7de2d311 100644 +--- a/sshd.0 ++++ b/sshd.0 +@@ -682,4 +682,4 @@ AUTHORS + versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support + for privilege separation. + +-OpenBSD 7.7 June 17, 2024 OpenBSD 7.7 ++OpenBSD 7.5 June 17, 2024 OpenBSD 7.5 +diff --git a/sshd_config.0 b/sshd_config.0 +index ca030fcca..6883dda4b 100644 +--- a/sshd_config.0 ++++ b/sshd_config.0 +@@ -950,8 +950,8 @@ DESCRIPTION + accumulated. + + Penalties are enabled by default with the default settings listed +- below but may disabled using the no keyword. The defaults may be +- overridden by specifying one or more of the keywords below, ++ below but may disabled using the off keyword. The defaults may ++ be overridden by specifying one or more of the keywords below, + separated by whitespace. All keywords accept arguments, e.g. + "crash:2m". + +@@ -1390,4 +1390,4 @@ AUTHORS + versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support + for privilege separation. + +-OpenBSD 7.7 June 24, 2024 OpenBSD 7.7 ++OpenBSD 7.5 June 24, 2024 OpenBSD 7.5 +-- +2.51.0 + diff --git a/net-misc/openssh/files/9.8_p1/0007-mention-sntrup761x25519-sha512-in-manpages.patch b/net-misc/openssh/files/9.8_p1/0007-mention-sntrup761x25519-sha512-in-manpages.patch new file mode 100644 index 000000000000..d9a7a0143d91 --- /dev/null +++ b/net-misc/openssh/files/9.8_p1/0007-mention-sntrup761x25519-sha512-in-manpages.patch @@ -0,0 +1,48 @@ +From a38b48e77ccfe9528dd4a8516c114950fa7a111d Mon Sep 17 00:00:00 2001 +Message-ID: <a38b48e77ccfe9528dd4a8516c114950fa7a111d.1758727870.git....@gentoo.org> +In-Reply-To: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git....@gentoo.org> +References: <20950a7c047ca08f9317d27866c06587ed51a338.1758727870.git....@gentoo.org> +From: Damien Miller <[email protected]> +Date: Wed, 13 Aug 2025 09:16:34 +1000 +Subject: [PATCH 7/7] mention sntrup761x25519-sha512 in manpages + +Spotted by Colin Watson +--- + ssh_config.5 | 1 + + sshd_config.5 | 3 +++ + 2 files changed, 4 insertions(+) + +diff --git a/ssh_config.5 b/ssh_config.5 +index 2e1902283..9473f4692 100644 +--- a/ssh_config.5 ++++ b/ssh_config.5 +@@ -1281,6 +1281,7 @@ default set. + .Pp + The default is: + .Bd -literal -offset indent ++sntrup761x25519-sha512, + [email protected], + curve25519-sha256,[email protected], + ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, +diff --git a/sshd_config.5 b/sshd_config.5 +index ce872de52..3c727f4d3 100644 +--- a/sshd_config.5 ++++ b/sshd_config.5 +@@ -1050,11 +1050,14 @@ ecdh-sha2-nistp384 + .It + ecdh-sha2-nistp521 + .It ++sntrup761x25519-sha512 ++.It + [email protected] + .El + .Pp + The default is: + .Bd -literal -offset indent ++sntrup761x25519-sha512, + [email protected], + curve25519-sha256,[email protected], + ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, +-- +2.51.0 + diff --git a/net-misc/openssh/files/9.9_p2/0001-Check-for-le32toh-le64toh-htole64-individually.patch b/net-misc/openssh/files/9.9_p2/0001-Check-for-le32toh-le64toh-htole64-individually.patch new file mode 100644 index 000000000000..ae9ca600d6f7 --- /dev/null +++ b/net-misc/openssh/files/9.9_p2/0001-Check-for-le32toh-le64toh-htole64-individually.patch @@ -0,0 +1,87 @@ +From 4b8d141ec165aa29a48316768089cb03aed3aada Mon Sep 17 00:00:00 2001 +Message-ID: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git....@gentoo.org> +From: Darren Tucker <[email protected]> +Date: Wed, 26 Feb 2025 18:16:03 +1100 +Subject: [PATCH 01/10] Check for le32toh, le64toh, htole64 individually. + +It appears that at least some versions of endian.h in glibc do not have +the latter two, so check for and replace each one individually. +bz#3794, ok djm@ +--- + configure.ac | 12 ++++++++++++ + defines.h | 28 +++++++++++++++++++++------- + 2 files changed, 33 insertions(+), 7 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 9053a9a2b..57a8d1007 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -536,6 +536,18 @@ AC_CHECK_HEADERS([ \ + wchar.h \ + ]) + ++AC_CHECK_DECLS([le32toh, le64toh, htole64], [], [], [ ++#ifdef HAVE_SYS_TYPES_H ++# include <sys/types.h> ++#endif ++#ifdef HAVE_STDINT_H ++# include <stdint.h> ++#endif ++#ifdef HAVE_ENDIAN_H ++# include <endian.h> ++#endif ++]) ++ + # On some platforms (eg SunOS4) sys/audit.h requires sys/[time|types|label.h] + # to be included first. + AC_CHECK_HEADERS([sys/audit.h], [], [], [ +diff --git a/defines.h b/defines.h +index c1c21aba6..090f49f55 100644 +--- a/defines.h ++++ b/defines.h +@@ -646,7 +646,9 @@ struct winsize { + # endif /* WORDS_BIGENDIAN */ + #endif /* BYTE_ORDER */ + +-#ifndef HAVE_ENDIAN_H ++#if (defined(HAVE_DECL_LE32TOH) && HAVE_DECL_LE32TOH == 0) || \ ++ (defined(HAVE_DECL_LE64TOH) && HAVE_DECL_LE64TOH == 0) || \ ++ (defined(HAVE_DECL_HTOLE64) && HAVE_DECL_HTOLE64 == 0) + # define openssh_swap32(v) \ + (uint32_t)(((uint32_t)(v) & 0xff) << 24 | \ + ((uint32_t)(v) & 0xff00) << 8 | \ +@@ -662,13 +664,25 @@ struct winsize { + ((uint64_t)(v) & 0xff000000000000ULL) >> 40 | \ + ((uint64_t)(v) & 0xff00000000000000ULL) >> 56) + # ifdef WORDS_BIGENDIAN +-# define le32toh(v) (openssh_swap32(v)) +-# define le64toh(v) (openssh_swap64(v)) +-# define htole64(v) (openssh_swap64(v)) ++# if defined(HAVE_DECL_LE32TOH) && HAVE_DECL_LE32TOH == 0 ++# define le32toh(v) (openssh_swap32(v)) ++# endif ++# if defined(HAVE_DECL_LE64TOH) && HAVE_DECL_LE64TOH == 0 ++# define le64toh(v) (openssh_swap64(v)) ++# endif ++# if defined(HAVE_DECL_HTOLE64) && HAVE_DECL_HTOLE64 == 0 ++# define htole64(v) (openssh_swap64(v)) ++# endif + # else +-# define le32toh(v) ((uint32_t)v) +-# define le64toh(v) ((uint64_t)v) +-# define htole64(v) ((uint64_t)v) ++# if defined(HAVE_DECL_LE32TOH) && HAVE_DECL_LE32TOH == 0 ++# define le32toh(v) ((uint32_t)v) ++# endif ++# if defined(HAVE_DECL_LE64TOH) && HAVE_DECL_LE64TOH == 0 ++# define le64toh(v) ((uint64_t)v) ++# endif ++# if defined(HAVE_DECL_HTOLE64) && HAVE_DECL_HTOLE64 == 0 ++# define htole64(v) ((uint64_t)v) ++# endif + # endif + #endif + +-- +2.51.0 + diff --git a/net-misc/openssh/files/9.9_p2/0002-Update-autoconf-files-for-endian.h-change.patch b/net-misc/openssh/files/9.9_p2/0002-Update-autoconf-files-for-endian.h-change.patch new file mode 100644 index 000000000000..778ffba81cf9 --- /dev/null +++ b/net-misc/openssh/files/9.9_p2/0002-Update-autoconf-files-for-endian.h-change.patch @@ -0,0 +1,118 @@ +From de4bcb51c893d81a741d4fac37c10107738a952f Mon Sep 17 00:00:00 2001 +Message-ID: <de4bcb51c893d81a741d4fac37c10107738a952f.1758727915.git....@gentoo.org> +In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git....@gentoo.org> +References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git....@gentoo.org> +From: Darren Tucker <[email protected]> +Date: Wed, 26 Feb 2025 18:25:33 +1100 +Subject: [PATCH 02/10] Update autoconf files for endian.h change. + +--- + config.h.in | 12 +++++++++++ + configure | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 72 insertions(+) + +diff --git a/config.h.in b/config.h.in +index 14bee6087..c841417f4 100644 +--- a/config.h.in ++++ b/config.h.in +@@ -363,10 +363,22 @@ + don't. */ + #undef HAVE_DECL_HOWMANY + ++/* Define to 1 if you have the declaration of `htole64', and to 0 if you ++ don't. */ ++#undef HAVE_DECL_HTOLE64 ++ + /* Define to 1 if you have the declaration of `h_errno', and to 0 if you + don't. */ + #undef HAVE_DECL_H_ERRNO + ++/* Define to 1 if you have the declaration of `le32toh', and to 0 if you ++ don't. */ ++#undef HAVE_DECL_LE32TOH ++ ++/* Define to 1 if you have the declaration of `le64toh', and to 0 if you ++ don't. */ ++#undef HAVE_DECL_LE64TOH ++ + /* Define to 1 if you have the declaration of `loginfailed', and to 0 if you + don't. */ + #undef HAVE_DECL_LOGINFAILED +diff --git a/configure b/configure +index b4d33b7cd..ec1de26c2 100755 +--- a/configure ++++ b/configure +@@ -11325,6 +11325,65 @@ then : + fi + + ++ac_fn_check_decl "$LINENO" "le32toh" "ac_cv_have_decl_le32toh" " ++#ifdef HAVE_SYS_TYPES_H ++# include <sys/types.h> ++#endif ++#ifdef HAVE_STDINT_H ++# include <stdint.h> ++#endif ++#ifdef HAVE_ENDIAN_H ++# include <endian.h> ++#endif ++ ++" "$ac_c_undeclared_builtin_options" "CFLAGS" ++if test "x$ac_cv_have_decl_le32toh" = xyes ++then : ++ ac_have_decl=1 ++else $as_nop ++ ac_have_decl=0 ++fi ++printf "%s\n" "#define HAVE_DECL_LE32TOH $ac_have_decl" >>confdefs.h ++ac_fn_check_decl "$LINENO" "le64toh" "ac_cv_have_decl_le64toh" " ++#ifdef HAVE_SYS_TYPES_H ++# include <sys/types.h> ++#endif ++#ifdef HAVE_STDINT_H ++# include <stdint.h> ++#endif ++#ifdef HAVE_ENDIAN_H ++# include <endian.h> ++#endif ++ ++" "$ac_c_undeclared_builtin_options" "CFLAGS" ++if test "x$ac_cv_have_decl_le64toh" = xyes ++then : ++ ac_have_decl=1 ++else $as_nop ++ ac_have_decl=0 ++fi ++printf "%s\n" "#define HAVE_DECL_LE64TOH $ac_have_decl" >>confdefs.h ++ac_fn_check_decl "$LINENO" "htole64" "ac_cv_have_decl_htole64" " ++#ifdef HAVE_SYS_TYPES_H ++# include <sys/types.h> ++#endif ++#ifdef HAVE_STDINT_H ++# include <stdint.h> ++#endif ++#ifdef HAVE_ENDIAN_H ++# include <endian.h> ++#endif ++ ++" "$ac_c_undeclared_builtin_options" "CFLAGS" ++if test "x$ac_cv_have_decl_htole64" = xyes ++then : ++ ac_have_decl=1 ++else $as_nop ++ ac_have_decl=0 ++fi ++printf "%s\n" "#define HAVE_DECL_HTOLE64 $ac_have_decl" >>confdefs.h ++ ++ + # On some platforms (eg SunOS4) sys/audit.h requires sys/[time|types|label.h] + # to be included first. + ac_fn_c_check_header_compile "$LINENO" "sys/audit.h" "ac_cv_header_sys_audit_h" " +@@ -27710,3 +27769,4 @@ if test "$AUDIT_MODULE" = "bsm" ; then + echo "WARNING: BSM audit support is currently considered EXPERIMENTAL." + echo "See the Solaris section in README.platform for details." + fi ++ +-- +2.51.0 + diff --git a/net-misc/openssh/files/9.9_p2/0003-Rebuild-config-files-if-Makefile-changes.patch b/net-misc/openssh/files/9.9_p2/0003-Rebuild-config-files-if-Makefile-changes.patch new file mode 100644 index 000000000000..ad90441cef5a --- /dev/null +++ b/net-misc/openssh/files/9.9_p2/0003-Rebuild-config-files-if-Makefile-changes.patch @@ -0,0 +1,30 @@ +From ef95df4089f0dba640671ca6acfb876a78794b83 Mon Sep 17 00:00:00 2001 +Message-ID: <ef95df4089f0dba640671ca6acfb876a78794b83.1758727915.git....@gentoo.org> +In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git....@gentoo.org> +References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git....@gentoo.org> +From: Darren Tucker <[email protected]> +Date: Sat, 1 Mar 2025 10:28:59 +1100 +Subject: [PATCH 03/10] Rebuild config files if Makefile changes. + +This ensures paths are updated if they are changed by re-running configure. +Patch from rapier at psc.edu. +--- + Makefile.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Makefile.in b/Makefile.in +index 4243006b0..fc7a1a354 100644 +--- a/Makefile.in ++++ b/Makefile.in +@@ -267,7 +267,7 @@ $(MANPAGES): $(MANPAGES_IN) + $(FIXPATHSCMD) $${manpage} | $(FIXALGORITHMSCMD) > $@; \ + fi + +-$(CONFIGFILES): $(CONFIGFILES_IN) ++$(CONFIGFILES): $(CONFIGFILES_IN) Makefile + conffile=`echo $@ | sed 's/.out$$//'`; \ + $(FIXPATHSCMD) $(srcdir)/$${conffile} > $@ + +-- +2.51.0 + diff --git a/net-misc/openssh/files/9.9_p2/0004-include-__builtin_popcount-replacement-function.patch b/net-misc/openssh/files/9.9_p2/0004-include-__builtin_popcount-replacement-function.patch new file mode 100644 index 000000000000..6d0c87adb83b --- /dev/null +++ b/net-misc/openssh/files/9.9_p2/0004-include-__builtin_popcount-replacement-function.patch @@ -0,0 +1,92 @@ +From 3b4adf2018ae8fdd48623b6b5ede182319a76b8f Mon Sep 17 00:00:00 2001 +Message-ID: <3b4adf2018ae8fdd48623b6b5ede182319a76b8f.1758727915.git....@gentoo.org> +In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git....@gentoo.org> +References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git....@gentoo.org> +From: Damien Miller <[email protected]> +Date: Sun, 2 Mar 2025 22:06:53 +1100 +Subject: [PATCH 04/10] include __builtin_popcount replacement function + +Some systems/compilers lack __builtin_popcount(), so replace it as +necessary. Reported by Dennis Clarke; ok dtucker@ +--- + configure.ac | 13 +++++++++++++ + libcrux_mlkem768_sha3.h | 8 ++++++-- + mlkem768.sh | 10 +++++++++- + 3 files changed, 28 insertions(+), 3 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 57a8d1007..dbe189066 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -2041,6 +2041,19 @@ AC_CHECK_FUNCS([ \ + warn \ + ]) + ++AC_MSG_CHECKING([whether compiler supports __builtin_popcount]) ++AC_LINK_IFELSE([AC_LANG_PROGRAM([[ ++ #include <stdlib.h> ++ ]], ++ [[ int x = 123, y; ++ y = __builtin_popcount(123); ++ exit(y == 6 ? 0 : -1); ]])], ++ [ AC_MSG_RESULT([yes]) ], [ ++ AC_MSG_RESULT([no]) ++ AC_DEFINE([MISSING_BUILTIN_POPCOUNT], [1], [Define if your compiler lacks __builtin_popcount]) ++ ] ++) ++ + AC_CHECK_DECLS([bzero, memmem]) + + dnl Wide character support. +diff --git a/libcrux_mlkem768_sha3.h b/libcrux_mlkem768_sha3.h +index b8ac1436f..885e82baf 100644 +--- a/libcrux_mlkem768_sha3.h ++++ b/libcrux_mlkem768_sha3.h +@@ -177,10 +177,14 @@ static inline uint32_t core_num__u32_8__from_le_bytes(uint8_t buf[4]) { + } + + static inline uint32_t core_num__u8_6__count_ones(uint8_t x0) { +-#ifdef _MSC_VER ++#if defined(_MSC_VER) + return __popcnt(x0); +-#else ++#elif !defined(MISSING_BUILTIN_POPCOUNT) + return __builtin_popcount(x0); ++#else ++ const uint8_t v[16] = { 0, 1, 1, 2, 1, 2, 2, 3, 1, 2, 2, 3, 2, 3, 3, 4 }; ++ return v[x0 & 0xf] + v[(x0 >> 4) & 0xf]; ++ + #endif + } + +diff --git a/mlkem768.sh b/mlkem768.sh +index 3d12b2ed8..cbc3d14da 100644 +--- a/mlkem768.sh ++++ b/mlkem768.sh +@@ -49,6 +49,11 @@ echo '#define KRML_HOST_EPRINTF(...)' + echo '#define KRML_HOST_EXIT(x) fatal_f("internal error")' + echo + ++__builtin_popcount_replacement=' ++ const uint8_t v[16] = { 0, 1, 1, 2, 1, 2, 2, 3, 1, 2, 2, 3, 2, 3, 3, 4 }; ++ return v[x0 & 0xf] + v[(x0 >> 4) & 0xf]; ++' ++ + for i in $FILES; do + echo "/* from $i */" + # Changes to all files: +@@ -62,7 +67,10 @@ for i in $FILES; do + # Replace endian functions with versions that work. + perl -0777 -pe 's/(static inline void core_num__u64_9__to_le_bytes.*\n)([^}]*\n)/\1 v = htole64(v);\n\2/' | + perl -0777 -pe 's/(static inline uint64_t core_num__u64_9__from_le_bytes.*?)return v;/\1return le64toh(v);/s' | +- perl -0777 -pe 's/(static inline uint32_t core_num__u32_8__from_le_bytes.*?)return v;/\1return le32toh(v);/s' ++ perl -0777 -pe 's/(static inline uint32_t core_num__u32_8__from_le_bytes.*?)return v;/\1return le32toh(v);/s' | ++ # Compat for popcount. ++ perl -0777 -pe 's/\#ifdef (_MSC_VER)(.*?return __popcnt\(x0\);)/\#if defined(\1)\2/s' | ++ perl -0777 -pe "s/\\#else(\\n\\s+return __builtin_popcount\\(x0\\);)/\\#elif !defined(MISSING_BUILTIN_POPCOUNT)\\1\\n#else$__builtin_popcount_replacement/s" + ;; + # Default: pass through. + *) +-- +2.51.0 + diff --git a/net-misc/openssh/files/9.9_p2/0005-upstream-fix-PerSourcePenalty-incorrectly-using-cras.patch b/net-misc/openssh/files/9.9_p2/0005-upstream-fix-PerSourcePenalty-incorrectly-using-cras.patch new file mode 100644 index 000000000000..a2c7e98087d9 --- /dev/null +++ b/net-misc/openssh/files/9.9_p2/0005-upstream-fix-PerSourcePenalty-incorrectly-using-cras.patch @@ -0,0 +1,32 @@ +From d58ae05bb7838e1fdae967752f06b0b2471a63f5 Mon Sep 17 00:00:00 2001 +Message-ID: <d58ae05bb7838e1fdae967752f06b0b2471a63f5.1758727915.git....@gentoo.org> +In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git....@gentoo.org> +References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git....@gentoo.org> +From: "[email protected]" <[email protected]> +Date: Sun, 2 Mar 2025 22:44:00 +0000 +Subject: [PATCH 05/10] upstream: fix PerSourcePenalty incorrectly using + "crash" penalty when + +LoginGraceTime was exceeded. Reported by irwin AT princeton.edu via bz3797 + +OpenBSD-Commit-ID: 1ba3e490a5a9451359618c550d995380af454d25 +--- + srclimit.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/srclimit.c b/srclimit.c +index 33116fa52..c63a462e2 100644 +--- a/srclimit.c ++++ b/srclimit.c +@@ -386,7 +386,7 @@ srclimit_penalise(struct xaddr *addr, int penalty_type) + reason = "penalty: connection prohibited by RefuseConnection"; + break; + case SRCLIMIT_PENALTY_GRACE_EXCEEDED: +- penalty_secs = penalty_cfg.penalty_crash; ++ penalty_secs = penalty_cfg.penalty_grace; + reason = "penalty: exceeded LoginGraceTime"; + break; + default: +-- +2.51.0 + diff --git a/net-misc/openssh/files/9.9_p2/0006-regenerate-configure-config.h.in.patch b/net-misc/openssh/files/9.9_p2/0006-regenerate-configure-config.h.in.patch new file mode 100644 index 000000000000..8ba648a42135 --- /dev/null +++ b/net-misc/openssh/files/9.9_p2/0006-regenerate-configure-config.h.in.patch @@ -0,0 +1,80 @@ +From 7d5b6c7ec3c597a6d57f64d0db925142bccd38a3 Mon Sep 17 00:00:00 2001 +Message-ID: <7d5b6c7ec3c597a6d57f64d0db925142bccd38a3.1758727915.git....@gentoo.org> +In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git....@gentoo.org> +References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git....@gentoo.org> +From: Damien Miller <[email protected]> +Date: Mon, 3 Mar 2025 14:21:12 +1100 +Subject: [PATCH 06/10] regenerate configure, config.h.in + +--- + config.h.in | 3 +++ + configure | 35 ++++++++++++++++++++++++++++++++++- + 2 files changed, 37 insertions(+), 1 deletion(-) + +diff --git a/config.h.in b/config.h.in +index c841417f4..57f63355b 100644 +--- a/config.h.in ++++ b/config.h.in +@@ -1748,6 +1748,9 @@ + /* Set this to your mail directory if you do not have _PATH_MAILDIR */ + #undef MAIL_DIRECTORY + ++/* Define if your compiler lacks __builtin_popcount */ ++#undef MISSING_BUILTIN_POPCOUNT ++ + /* Need setpgrp to for controlling tty */ + #undef NEED_SETPGRP + +diff --git a/configure b/configure +index ec1de26c2..a18079da2 100755 +--- a/configure ++++ b/configure +@@ -16785,6 +16785,40 @@ then : + fi + + ++{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether compiler supports __builtin_popcount" >&5 ++printf %s "checking whether compiler supports __builtin_popcount... " >&6; } ++cat confdefs.h - <<_ACEOF >conftest.$ac_ext ++/* end confdefs.h. */ ++ ++ #include <stdlib.h> ++ ++int ++main (void) ++{ ++ int x = 123, y; ++ y = __builtin_popcount(123); ++ exit(y == 6 ? 0 : -1); ++ ; ++ return 0; ++} ++_ACEOF ++if ac_fn_c_try_link "$LINENO" ++then : ++ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 ++printf "%s\n" "yes" >&6; } ++else $as_nop ++ ++ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 ++printf "%s\n" "no" >&6; } ++ ++printf "%s\n" "#define MISSING_BUILTIN_POPCOUNT 1" >>confdefs.h ++ ++ ++ ++fi ++rm -f core conftest.err conftest.$ac_objext conftest.beam \ ++ conftest$ac_exeext conftest.$ac_ext ++ + ac_fn_check_decl "$LINENO" "bzero" "ac_cv_have_decl_bzero" "$ac_includes_default" "$ac_c_undeclared_builtin_options" "CFLAGS" + if test "x$ac_cv_have_decl_bzero" = xyes + then : +@@ -27769,4 +27803,3 @@ if test "$AUDIT_MODULE" = "bsm" ; then + echo "WARNING: BSM audit support is currently considered EXPERIMENTAL." + echo "See the Solaris section in README.platform for details." + fi +- +-- +2.51.0 + diff --git a/net-misc/openssh/files/9.9_p2/0007-upstream-Prime-caches-for-DNS-names-needed-for-tests.patch b/net-misc/openssh/files/9.9_p2/0007-upstream-Prime-caches-for-DNS-names-needed-for-tests.patch new file mode 100644 index 000000000000..45ae5eb7844d --- /dev/null +++ b/net-misc/openssh/files/9.9_p2/0007-upstream-Prime-caches-for-DNS-names-needed-for-tests.patch @@ -0,0 +1,44 @@ +From be8026caf9da985638c762c353c397c0922be233 Mon Sep 17 00:00:00 2001 +Message-ID: <be8026caf9da985638c762c353c397c0922be233.1758727915.git....@gentoo.org> +In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git....@gentoo.org> +References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git....@gentoo.org> +From: "[email protected]" <[email protected]> +Date: Tue, 11 Mar 2025 11:46:44 +0000 +Subject: [PATCH 07/10] upstream: Prime caches for DNS names needed for tests. + +When running the SSHFP tests, particularly on an ephemeral VM, the first +query or two can fail for some reason, presumably because something isn't +fully initialized or something. To work around this, issue queries for the +names we'll need before we need them. + +OpenBSD-Regress-ID: 900841133540e7dead253407db5a874a6ed09eca +--- + regress/sshfp-connect.sh | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/regress/sshfp-connect.sh b/regress/sshfp-connect.sh +index f78646922..3c73a35d0 100644 +--- a/regress/sshfp-connect.sh ++++ b/regress/sshfp-connect.sh +@@ -1,4 +1,4 @@ +-# $OpenBSD: sshfp-connect.sh,v 1.4 2021/09/01 00:50:27 dtucker Exp $ ++# $OpenBSD: sshfp-connect.sh,v 1.5 2025/03/11 11:46:44 dtucker Exp $ + # Placed in the Public Domain. + + # This test requires external setup and thus is skipped unless +@@ -29,6 +29,12 @@ if ! $SSH -Q key-plain | grep ssh-rsa >/dev/null; then + elif [ -z "${TEST_SSH_SSHFP_DOMAIN}" ]; then + skip "TEST_SSH_SSHFP_DOMAIN not set." + else ++ # Prime any DNS caches and resolvers. ++ for i in sshtest sshtest-sha1 sshtest-sha256; do ++ host -t sshfp ${i}.${TEST_SSH_SSHFP_DOMAIN} >/dev/null 2>&1 ++ host -t sshfp ${i}-bad.${TEST_SSH_SSHFP_DOMAIN} >/dev/null 2>&1 ++ done ++ + # Set RSA host key to match fingerprints above. + mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig + $SUDO cp $SRC/rsa_openssh.prv $OBJ/host.ssh-rsa +-- +2.51.0 + diff --git a/net-misc/openssh/files/9.9_p2/0008-MacOS-12-runners-are-deprecated-replace-with-15.patch b/net-misc/openssh/files/9.9_p2/0008-MacOS-12-runners-are-deprecated-replace-with-15.patch new file mode 100644 index 000000000000..f66f88bba73a --- /dev/null +++ b/net-misc/openssh/files/9.9_p2/0008-MacOS-12-runners-are-deprecated-replace-with-15.patch @@ -0,0 +1,41 @@ +From aab12549a939d07f638df486f910544c6b11b972 Mon Sep 17 00:00:00 2001 +Message-ID: <aab12549a939d07f638df486f910544c6b11b972.1758727915.git....@gentoo.org> +In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git....@gentoo.org> +References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git....@gentoo.org> +From: Darren Tucker <[email protected]> +Date: Thu, 17 Oct 2024 19:18:23 +1100 +Subject: [PATCH 08/10] MacOS 12 runners are deprecated, replace with 15. + +--- + .github/workflows/c-cpp.yml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/.github/workflows/c-cpp.yml b/.github/workflows/c-cpp.yml +index c179f73d1..c49aa5ee8 100644 +--- a/.github/workflows/c-cpp.yml ++++ b/.github/workflows/c-cpp.yml +@@ -17,9 +17,9 @@ jobs: + target: + - ubuntu-20.04 + - ubuntu-22.04 +- - macos-12 + - macos-13 + - macos-14 ++ - macos-15 + - windows-2019 + - windows-2022 + config: [default] +@@ -100,9 +100,9 @@ jobs: + - { target: ubuntu-22.04, config: selinux } + - { target: ubuntu-22.04, config: kitchensink } + - { target: ubuntu-22.04, config: without-openssl } +- - { target: macos-12, config: pam } + - { target: macos-13, config: pam } + - { target: macos-14, config: pam } ++ - { target: macos-15, config: pam } + runs-on: ${{ matrix.target }} + steps: + - name: set cygwin git params +-- +2.51.0 + diff --git a/net-misc/openssh/files/9.9_p2/0009-upstream-Remove-redundant-field-of-definition-check.patch b/net-misc/openssh/files/9.9_p2/0009-upstream-Remove-redundant-field-of-definition-check.patch new file mode 100644 index 000000000000..0daf93d329a7 --- /dev/null +++ b/net-misc/openssh/files/9.9_p2/0009-upstream-Remove-redundant-field-of-definition-check.patch @@ -0,0 +1,51 @@ +From 8e4bd6ebdbde0ff22e0c1c1f1a134ef255af7595 Mon Sep 17 00:00:00 2001 +Message-ID: <8e4bd6ebdbde0ff22e0c1c1f1a134ef255af7595.1758727915.git....@gentoo.org> +In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git....@gentoo.org> +References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git....@gentoo.org> +From: "[email protected]" <[email protected]> +Date: Tue, 3 Dec 2024 15:53:51 +0000 +Subject: [PATCH 09/10] upstream: Remove redundant field of definition check + +This will allow us to get rid of EC_GROUP_method_of() in the near future. + +ok djm + +OpenBSD-Commit-ID: b4a3d2e00990cf5c2ec6881c21ddca67327c2df8 +--- + sshkey.c | 13 ------------- + 1 file changed, 13 deletions(-) + +diff --git a/sshkey.c b/sshkey.c +index 1db83788d..44be674d1 100644 +--- a/sshkey.c ++++ b/sshkey.c +@@ -2708,14 +2708,6 @@ sshkey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public) + * EC_POINT_oct2point then the caller will need to explicitly check. + */ + +- /* +- * We shouldn't ever hit this case because bignum_get_ecpoint() +- * refuses to load GF2m points. +- */ +- if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != +- NID_X9_62_prime_field) +- goto out; +- + /* Q != infinity */ + if (EC_POINT_is_at_infinity(group, public)) + goto out; +@@ -2815,11 +2807,6 @@ sshkey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point) + fprintf(stderr, "%s: BN_new failed\n", __func__); + goto out; + } +- if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != +- NID_X9_62_prime_field) { +- fprintf(stderr, "%s: group is not a prime field\n", __func__); +- goto out; +- } + if (EC_POINT_get_affine_coordinates_GFp(group, point, + x, y, NULL) != 1) { + fprintf(stderr, "%s: EC_POINT_get_affine_coordinates_GFp\n", +-- +2.51.0 + diff --git a/net-misc/openssh/files/9.9_p2/0010-upstream-Check-if-dbclient-supports-SHA1-before-tryi.patch b/net-misc/openssh/files/9.9_p2/0010-upstream-Check-if-dbclient-supports-SHA1-before-tryi.patch new file mode 100644 index 000000000000..11cd63dfe7c0 --- /dev/null +++ b/net-misc/openssh/files/9.9_p2/0010-upstream-Check-if-dbclient-supports-SHA1-before-tryi.patch @@ -0,0 +1,64 @@ +From 3eeda15eb9d3b9f2fd762ba3493ba88abe6bbcd9 Mon Sep 17 00:00:00 2001 +Message-ID: <3eeda15eb9d3b9f2fd762ba3493ba88abe6bbcd9.1758727915.git....@gentoo.org> +In-Reply-To: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git....@gentoo.org> +References: <4b8d141ec165aa29a48316768089cb03aed3aada.1758727915.git....@gentoo.org> +From: "[email protected]" <[email protected]> +Date: Tue, 11 Mar 2025 07:42:08 +0000 +Subject: [PATCH 10/10] upstream: Check if dbclient supports SHA1 before trying + SHA1-based + +KEX. + +Dropbear 2025.87 removed SHA1 support by default, which means +diffie-hellman-group14-sha1 is not available. Unfortunately there isn't a +flag to query supported KEX, so instead check MACs and if it doesn't have +SHA1 methods, assuming SHA1 based KEXes are likewise not available. Spotted +by anton@. + +OpenBSD-Regress-ID: acfa8e26c001cb18b9fb81a27271c3b51288d304 +--- + regress/dropbear-kex.sh | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/regress/dropbear-kex.sh b/regress/dropbear-kex.sh +index d9f1b32c0..72717fbb7 100644 +--- a/regress/dropbear-kex.sh ++++ b/regress/dropbear-kex.sh +@@ -1,4 +1,4 @@ +-# $OpenBSD: dropbear-kex.sh,v 1.3 2024/06/19 10:10:46 dtucker Exp $ ++# $OpenBSD: dropbear-kex.sh,v 1.4 2025/03/11 07:42:08 dtucker Exp $ + # Placed in the Public Domain. + + tid="dropbear kex" +@@ -10,8 +10,14 @@ fi + cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak + + kex="curve25519-sha256 [email protected]" +-if $SSH -Q kex | grep 'diffie-hellman-group14-sha1'; then +- kex="$kex diffie-hellman-group14-sha256 diffie-hellman-group14-sha1" ++if $SSH -Q kex | grep 'diffie-hellman-group14-sha256' >/dev/null; then ++ kex="$kex diffie-hellman-group14-sha256" ++fi ++# There's no flag to query KEX, so if MACs does not contain SHA1, assume ++# there's also SHA1-based KEX methods either. ++if $SSH -Q kex | grep 'diffie-hellman-group14-sha1' >/dev/null && \ ++ $DBCLIENT -m help hst 2>&1 | grep -- '-sha1' >/dev/null ; then ++ kex="$kex diffie-hellman-group14-sha1" + fi + + for k in $kex; do +@@ -19,8 +25,9 @@ for k in $kex; do + rm -f ${COPY} + # dbclient doesn't have switch for kex, so force in server + (cat $OBJ/sshd_proxy.bak; echo "KexAlgorithms $k") >$OBJ/sshd_proxy +- env HOME=$OBJ dbclient -y -i $OBJ/.dropbear/id_ed25519 2>$OBJ/dbclient.log \ +- -J "$OBJ/ssh_proxy.sh" somehost cat ${DATA} > ${COPY} ++ env HOME=$OBJ \ ++ ${DBCLIENT} -y -i $OBJ/.dropbear/id_ed25519 2>$OBJ/dbclient.log \ ++ -J "$OBJ/ssh_proxy.sh" somehost cat ${DATA} > ${COPY} + if [ $? -ne 0 ]; then + fail "ssh cat $DATA failed" + fi +-- +2.51.0 + diff --git a/net-misc/openssh/openssh-9.8_p1-r4.ebuild b/net-misc/openssh/openssh-9.8_p1-r4.ebuild new file mode 100644 index 000000000000..9a5c53176df5 --- /dev/null +++ b/net-misc/openssh/openssh-9.8_p1-r4.ebuild @@ -0,0 +1,438 @@ +# Copyright 1999-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssh.org.asc +inherit user-info flag-o-matic autotools optfeature pam systemd toolchain-funcs verify-sig + +# Make it more portable between straight releases +# and _p? releases. +PARCH=${P/_} + +DESCRIPTION="Port of OpenBSD's free SSH release" +HOMEPAGE="https://www.openssh.com/"; +SRC_URI=" + mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz + verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc ) +" +S="${WORKDIR}/${PARCH}" + +LICENSE="BSD GPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" +# Probably want to drop ssl defaulting to on in a future version. +IUSE="abi_mips_n32 audit debug kerberos ldns legacy-ciphers libedit livecd pam +pie security-key selinux +ssl static test xmss" + +RESTRICT="!test? ( test )" + +REQUIRED_USE=" + ldns? ( ssl ) + pie? ( !static ) + static? ( !kerberos !pam ) + xmss? ( ssl ) + test? ( ssl ) +" + +# tests currently fail with XMSS +REQUIRED_USE+="test? ( !xmss )" + +LIB_DEPEND=" + audit? ( sys-process/audit[static-libs(+)] ) + ldns? ( + net-libs/ldns[static-libs(+)] + net-libs/ldns[ecdsa(+),ssl(+)] + ) + libedit? ( dev-libs/libedit:=[static-libs(+)] ) + security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] ) + selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) + ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] ) + virtual/libcrypt:=[static-libs(+)] + >=sys-libs/zlib-1.2.3:=[static-libs(+)] +" +RDEPEND=" + acct-group/sshd + acct-user/sshd + !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) + pam? ( sys-libs/pam ) + kerberos? ( virtual/krb5 ) +" +DEPEND=" + ${RDEPEND} + virtual/os-headers + kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) ) + static? ( ${LIB_DEPEND} ) +" +RDEPEND=" + ${RDEPEND} + !net-misc/openssh-contrib + pam? ( >=sys-auth/pambase-20081028 ) + !prefix? ( sys-apps/shadow ) +" +BDEPEND=" + dev-build/autoconf + virtual/pkgconfig + verify-sig? ( sec-keys/openpgp-keys-openssh ) +" + +PATCHES=( + "${FILESDIR}/${PN}-9.4_p1-Allow-MAP_NORESERVE-in-sandbox-seccomp-filter-maps.patch" + "${FILESDIR}/${PN}-9.6_p1-fix-xmss-c99.patch" + "${FILESDIR}/${PN}-9.7_p1-config-tweaks.patch" + "${FILESDIR}/${PN}-9.8_p1-inetd.patch" + # Backports from upstream release branch + "${FILESDIR}/${PV}" +) + +pkg_pretend() { + local i enabled_eol_flags disabled_eol_flags + for i in hpn sctp X509; do + if has_version "net-misc/openssh[${i}]"; then + enabled_eol_flags+="${i}," + disabled_eol_flags+="-${i}," + fi + done + + if [[ -n ${enabled_eol_flags} && ${OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING} != yes ]]; then + # Skip for binary packages entirely because of environment saving, bug #907892 + [[ ${MERGE_TYPE} == binary ]] && return + + ewarn "net-misc/openssh does not support USE='${enabled_eol_flags%,}' anymore." + ewarn "The Base system team *STRONGLY* recommends you not rely on this functionality," + ewarn "since these USE flags required third-party patches that often trigger bugs" + ewarn "and are of questionable provenance." + ewarn + ewarn "If you must continue relying on this functionality, switch to" + ewarn "net-misc/openssh-contrib. You will have to remove net-misc/openssh from your" + ewarn "world file first: 'emerge --deselect net-misc/openssh'" + ewarn + ewarn "In order to prevent loss of SSH remote login access, we will abort the build." + ewarn "Whether you proceed with disabling the USE flags or switch to the -contrib" + ewarn "variant, when re-emerging you will have to set" + ewarn + ewarn " OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes" + + die "Building net-misc/openssh[${disabled_eol_flags%,}] without OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes" + fi + + # Make sure people who are using tcp wrappers are notified of its removal. #531156 + if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then + ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" + ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please." + fi +} + +src_prepare() { + # don't break .ssh/authorized_keys2 for fun + sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die + + [[ -d ${WORKDIR}/patches ]] && PATCHES+=( "${WORKDIR}"/patches ) + + default + + # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox + sed -e '/\t\tpercent \\/ d' \ + -i regress/Makefile || die + + tc-export PKG_CONFIG + local sed_args=( + -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" + # Disable fortify flags ... our gcc does this for us + -e 's:-D_FORTIFY_SOURCE=2::' + ) + + # _XOPEN_SOURCE causes header conflicts on Solaris + [[ ${CHOST} == *-solaris* ]] && sed_args+=( + -e 's/-D_XOPEN_SOURCE//' + ) + sed -i "${sed_args[@]}" configure{.ac,} || die + + eautoreconf +} + +src_configure() { + addwrite /dev/ptmx + + use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG + use static && append-ldflags -static + use xmss && append-cflags -DWITH_XMSS + + if [[ ${CHOST} == *-solaris* ]] ; then + # Solaris' glob.h doesn't have things like GLOB_TILDE, configure + # doesn't check for this, so force the replacement to be put in + # place + append-cppflags -DBROKEN_GLOB + fi + + # use replacement, RPF_ECHO_ON doesn't exist here + [[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no + + local myconf=( + --with-ldflags="${LDFLAGS}" + --disable-strip + --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run + --sysconfdir="${EPREFIX}"/etc/ssh + --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc + --datadir="${EPREFIX}"/usr/share/openssh + --with-privsep-path="${EPREFIX}"/var/empty + --with-privsep-user=sshd + # optional at runtime; guarantee a known path + --with-xauth="${EPREFIX}"/usr/bin/xauth + + # --with-hardening adds the following in addition to flags we + # already set in our toolchain: + # * -ftrapv (which is broken with GCC anyway), + # * -ftrivial-auto-var-init=zero (which is nice, but not the end of + # the world to not have) + # * -fzero-call-used-regs=used (history of miscompilations with + # Clang (bug #872548), ICEs on m68k (bug #920350, gcc PR113086, + # gcc PR104820, gcc PR104817, gcc PR110934)). + # + # Furthermore, OSSH_CHECK_CFLAG_COMPILE does not use AC_CACHE_CHECK, + # so we cannot just disable -fzero-call-used-regs=used. + # + # Therefore, just pass --without-hardening, given it doesn't negate + # our already hardened toolchain defaults, and avoids adding flags + # which are known-broken in both Clang and GCC and haven't been + # proven reliable. + --without-hardening + + $(use_with audit audit linux) + $(use_with kerberos kerberos5 "${EPREFIX}"/usr) + $(use_with ldns) + $(use_enable legacy-ciphers dsa-keys) + $(use_with libedit) + $(use_with pam) + $(use_with pie) + $(use_with selinux) + $(use_with security-key security-key-builtin) + $(use_with ssl openssl) + $(use_with ssl ssl-engine) + ) + + if use elibc_musl; then + # musl defines bogus values for UTMP_FILE and WTMP_FILE (bug #753230) + myconf+=( --disable-utmp --disable-wtmp ) + fi + + # Workaround for Clang 15 miscompilation with -fzero-call-used-regs=all + # bug #869839 (https://github.com/llvm/llvm-project/issues/57692) + tc-is-clang && myconf+=( --without-hardening ) + + econf "${myconf[@]}" +} + +create_config_dropins() { + local locale_vars=( + # These are language variables that POSIX defines. + # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02 + LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME + + # These are the GNU extensions. + # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html + LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE + ) + + mkdir -p "${WORKDIR}"/etc/ssh/ssh{,d}_config.d || die + + cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die + # Send locale environment variables (bug #367017) + SendEnv ${locale_vars[*]} + + # Send COLORTERM to match TERM (bug #658540) + SendEnv COLORTERM + EOF + + cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo-security.conf || die + RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts" + EOF + + cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_revoked_hosts || die + # https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/ + ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== + EOF + + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die + # Allow client to pass locale environment variables (bug #367017) + AcceptEnv ${locale_vars[*]} + + # Allow client to pass COLORTERM to match TERM (bug #658540) + AcceptEnv COLORTERM + EOF + + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-subsystem.conf || die + # override default of no subsystems + Subsystem sftp ${EPREFIX}/usr/$(get_libdir)/misc/sftp-server + EOF + + if use pam ; then + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-pam.conf || die + UsePAM yes + # This interferes with PAM. + PasswordAuthentication no + # PAM can do its own handling of MOTD. + PrintMotd no + PrintLastLog no + EOF + fi + + if use livecd ; then + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-livecd.conf || die + # Allow root login with password on livecds. + PermitRootLogin Yes + EOF + fi +} + +src_compile() { + default + create_config_dropins +} + +src_test() { + local tests=( compat-tests ) + local shell=$(egetshell "${UID}") + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then + ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" + ewarn "user, so we will run a subset only." + tests+=( interop-tests ) + else + tests+=( tests ) + fi + + local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1 + mkdir -p "${HOME}"/.ssh || die + emake -j1 "${tests[@]}" </dev/null +} + +src_install() { + emake install-nokeys DESTDIR="${D}" + fperms 600 /etc/ssh/sshd_config + dobin contrib/ssh-copy-id + newinitd "${FILESDIR}"/sshd-r1.initd sshd + newconfd "${FILESDIR}"/sshd-r1.confd sshd + + if use pam; then + newpamd "${FILESDIR}"/sshd.pam_include.2 sshd + fi + + doman contrib/ssh-copy-id.1 + dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config + + rmdir "${ED}"/var/empty || die + + systemd_dounit "${FILESDIR}"/sshd.socket + systemd_newunit "${FILESDIR}"/sshd.service.2 sshd.service + systemd_newunit "${FILESDIR}"/sshd_at.service.1 '[email protected]' + + # Install dropins with explicit mode, bug 906638, 915840 + diropts -m0755 + insopts -m0644 + insinto /etc/ssh + doins -r "${WORKDIR}"/etc/ssh/ssh_config.d + doins "${WORKDIR}"/etc/ssh/ssh_revoked_hosts + diropts -m0700 + insopts -m0600 + doins -r "${WORKDIR}"/etc/ssh/sshd_config.d +} + +pkg_preinst() { + if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then + show_ssl_warning=1 + fi +} + +pkg_postinst() { + # bug #139235 + optfeature "x11 forwarding" x11-apps/xauth + + local old_ver + for old_ver in ${REPLACING_VERSIONS}; do + if ver_test "${old_ver}" -lt "5.8_p1"; then + elog "Starting with openssh-5.8p1, the server will default to a newer key" + elog "algorithm (ECDSA). You are encouraged to manually update your stored" + elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." + fi + if ver_test "${old_ver}" -lt "7.0_p1"; then + elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." + elog "Make sure to update any configs that you might have. Note that xinetd might" + elog "be an alternative for you as it supports USE=tcpd." + fi + if ver_test "${old_ver}" -lt "7.1_p1"; then #557388 #555518 + elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" + elog "weak sizes. If you rely on these key types, you can re-enable the key types by" + elog "adding to your sshd_config or ~/.ssh/config files:" + elog " PubkeyAcceptedKeyTypes=+ssh-dss" + elog "You should however generate new keys using rsa or ed25519." + + elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" + elog "to 'prohibit-password'. That means password auth for root users no longer works" + elog "out of the box. If you need this, please update your sshd_config explicitly." + fi + if ver_test "${old_ver}" -lt "7.6_p1"; then + elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely." + elog "Furthermore, rsa keys with less than 1024 bits will be refused." + fi + if ver_test "${old_ver}" -lt "7.7_p1"; then + elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality." + elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option" + elog "if you need to authenticate against LDAP." + elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details." + fi + if ver_test "${old_ver}" -lt "8.2_p1"; then + ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you" + ewarn "will not be able to establish new sessions. Restarting sshd over a ssh" + ewarn "connection is generally safe." + fi + if ver_test "${old_ver}" -lt "9.2_p1-r1" && systemd_is_booted; then + ewarn "From openssh-9.2_p1-r1 the supplied systemd unit file defaults to" + ewarn "'Restart=on-failure', which causes the service to automatically restart if it" + ewarn "terminates with an unclean exit code or signal. This feature is useful for most users," + ewarn "but it can increase the vulnerability of the system in the event of a future exploit." + ewarn "If you have a web-facing setup or are concerned about security, it is recommended to" + ewarn "set 'Restart=no' in your sshd unit file." + fi + done + + if [[ -n ${show_ssl_warning} ]]; then + elog "Be aware that by disabling openssl support in openssh, the server and clients" + elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" + elog "and update all clients/servers that utilize them." + fi + + openssh_maybe_restart +} + +openssh_maybe_restart() { + local ver + declare -a versions + read -ra versions <<<"${REPLACING_VERSIONS}" + for ver in "${versions[@]}"; do + # Exclude 9.8_p1 because it didn't have the safety check + [[ ${ver} == 9.8_p1 ]] && break + + if [[ ${ver%_*} == "${PV%_*}" ]]; then + # No major version change has occurred + return + fi + done + + if [[ ${ROOT} ]]; then + return + elif [[ -d /run/systemd/system ]] && sshd -t >/dev/null 2>&1; then + ewarn "The ebuild will now attempt to restart OpenSSH to avoid" + ewarn "bricking the running instance. See bug #709748." + ebegin "Attempting to restart openssh via 'systemctl try-restart sshd'" + systemctl try-restart sshd + eend $? + elif [[ -d /run/openrc ]]; then + # We don't check for sshd -t here because the OpenRC init script + # has a stop_pre() which does checkconfig, i.e. we defer to it + # to give nicer output for a failed sanity check. + ewarn "The ebuild will now attempt to restart OpenSSH to avoid" + ewarn "bricking the running instance. See bug #709748." + ebegin "Attempting to restart openssh via 'rc-service -q --ifstarted --nodeps sshd restart'" + rc-service -q --ifstarted --nodeps sshd restart + eend $? + fi +} diff --git a/net-misc/openssh/openssh-9.9_p2-r4.ebuild b/net-misc/openssh/openssh-9.9_p2-r4.ebuild new file mode 100644 index 000000000000..d5dac20fd937 --- /dev/null +++ b/net-misc/openssh/openssh-9.9_p2-r4.ebuild @@ -0,0 +1,441 @@ +# Copyright 1999-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +# Remember to check the upstream release/stable branches for patches +# to backport! See https://marc.info/?l=openssh-unix-dev&m=172723798122122&w=2. + +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssh.org.asc +inherit user-info flag-o-matic autotools optfeature pam systemd toolchain-funcs verify-sig eapi9-ver + +# Make it more portable between straight releases +# and _p? releases. +PARCH=${P/_} + +DESCRIPTION="Port of OpenBSD's free SSH release" +HOMEPAGE="https://www.openssh.com/"; +SRC_URI=" + mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz + verify-sig? ( mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz.asc ) +" +S="${WORKDIR}/${PARCH}" + +LICENSE="BSD GPL-2" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" +# Probably want to drop ssl defaulting to on in a future version. +IUSE="abi_mips_n32 audit debug kerberos ldns legacy-ciphers libedit livecd pam +pie security-key selinux +ssl static test xmss" + +RESTRICT="!test? ( test )" + +REQUIRED_USE=" + ldns? ( ssl ) + pie? ( !static ) + static? ( !kerberos !pam ) + xmss? ( ssl ) + test? ( ssl ) +" + +# tests currently fail with XMSS +REQUIRED_USE+="test? ( !xmss )" + +LIB_DEPEND=" + audit? ( sys-process/audit[static-libs(+)] ) + ldns? ( + net-libs/ldns[static-libs(+)] + net-libs/ldns[ecdsa(+),ssl(+)] + ) + libedit? ( dev-libs/libedit:=[static-libs(+)] ) + security-key? ( >=dev-libs/libfido2-1.5.0:=[static-libs(+)] ) + selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] ) + ssl? ( >=dev-libs/openssl-1.1.1l-r1:0=[static-libs(+)] ) + virtual/libcrypt:=[static-libs(+)] + >=sys-libs/zlib-1.2.3:=[static-libs(+)] +" +RDEPEND=" + acct-group/sshd + acct-user/sshd + !static? ( ${LIB_DEPEND//\[static-libs(+)]} ) + pam? ( sys-libs/pam ) + kerberos? ( virtual/krb5 ) +" +DEPEND=" + ${RDEPEND} + virtual/os-headers + kernel_linux? ( !prefix-guest? ( >=sys-kernel/linux-headers-5.1 ) ) + static? ( ${LIB_DEPEND} ) +" +RDEPEND=" + ${RDEPEND} + !net-misc/openssh-contrib + pam? ( >=sys-auth/pambase-20081028 ) + !prefix? ( sys-apps/shadow ) +" +BDEPEND=" + dev-build/autoconf + virtual/pkgconfig + verify-sig? ( sec-keys/openpgp-keys-openssh ) +" + +PATCHES=( + "${FILESDIR}/${PN}-9.4_p1-Allow-MAP_NORESERVE-in-sandbox-seccomp-filter-maps.patch" + "${FILESDIR}/${PN}-9.6_p1-fix-xmss-c99.patch" + "${FILESDIR}/${PN}-9.7_p1-config-tweaks.patch" + # Backports from upstream release branch + "${FILESDIR}/${PV}" + # Our own backports + "${FILESDIR}/${PN}-9.9_p1-x-forwarding-slow.patch" +) + +pkg_pretend() { + local i enabled_eol_flags disabled_eol_flags + for i in hpn sctp X509; do + if has_version "net-misc/openssh[${i}]"; then + enabled_eol_flags+="${i}," + disabled_eol_flags+="-${i}," + fi + done + + if [[ -n ${enabled_eol_flags} && ${OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING} != yes ]]; then + # Skip for binary packages entirely because of environment saving, bug #907892 + [[ ${MERGE_TYPE} == binary ]] && return + + ewarn "net-misc/openssh does not support USE='${enabled_eol_flags%,}' anymore." + ewarn "The Base system team *STRONGLY* recommends you not rely on this functionality," + ewarn "since these USE flags required third-party patches that often trigger bugs" + ewarn "and are of questionable provenance." + ewarn + ewarn "If you must continue relying on this functionality, switch to" + ewarn "net-misc/openssh-contrib. You will have to remove net-misc/openssh from your" + ewarn "world file first: 'emerge --deselect net-misc/openssh'" + ewarn + ewarn "In order to prevent loss of SSH remote login access, we will abort the build." + ewarn "Whether you proceed with disabling the USE flags or switch to the -contrib" + ewarn "variant, when re-emerging you will have to set" + ewarn + ewarn " OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes" + + die "Building net-misc/openssh[${disabled_eol_flags%,}] without OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes" + fi + + # Make sure people who are using tcp wrappers are notified of its removal. #531156 + if grep -qs '^ *sshd *:' "${EROOT}"/etc/hosts.{allow,deny} ; then + ewarn "Sorry, but openssh no longer supports tcp-wrappers, and it seems like" + ewarn "you're trying to use it. Update your ${EROOT}/etc/hosts.{allow,deny} please." + fi +} + +src_prepare() { + # don't break .ssh/authorized_keys2 for fun + sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die + + [[ -d ${WORKDIR}/patches ]] && PATCHES+=( "${WORKDIR}"/patches ) + + default + + # These tests are currently incompatible with PORTAGE_TMPDIR/sandbox + sed -e '/\t\tpercent \\/ d' \ + -i regress/Makefile || die + + tc-export PKG_CONFIG + local sed_args=( + -e "s:-lcrypto:$(${PKG_CONFIG} --libs openssl):" + # Disable fortify flags ... our gcc does this for us + -e 's:-D_FORTIFY_SOURCE=2::' + ) + + # _XOPEN_SOURCE causes header conflicts on Solaris + [[ ${CHOST} == *-solaris* ]] && sed_args+=( + -e 's/-D_XOPEN_SOURCE//' + ) + sed -i "${sed_args[@]}" configure{.ac,} || die + + eautoreconf +} + +src_configure() { + addwrite /dev/ptmx + + use debug && append-cppflags -DSANDBOX_SECCOMP_FILTER_DEBUG + use static && append-ldflags -static + use xmss && append-cflags -DWITH_XMSS + + if [[ ${CHOST} == *-solaris* ]] ; then + # Solaris' glob.h doesn't have things like GLOB_TILDE, configure + # doesn't check for this, so force the replacement to be put in + # place + append-cppflags -DBROKEN_GLOB + fi + + # use replacement, RPF_ECHO_ON doesn't exist here + [[ ${CHOST} == *-darwin* ]] && export ac_cv_func_readpassphrase=no + + local myconf=( + --with-ldflags="${LDFLAGS}" + --disable-strip + --with-pid-dir="${EPREFIX}"$(usex kernel_linux '' '/var')/run + --sysconfdir="${EPREFIX}"/etc/ssh + --libexecdir="${EPREFIX}"/usr/$(get_libdir)/misc + --datadir="${EPREFIX}"/usr/share/openssh + --with-privsep-path="${EPREFIX}"/var/empty + --with-privsep-user=sshd + # optional at runtime; guarantee a known path + --with-xauth="${EPREFIX}"/usr/bin/xauth + + # --with-hardening adds the following in addition to flags we + # already set in our toolchain: + # * -ftrapv (which is broken with GCC anyway), + # * -ftrivial-auto-var-init=zero (which is nice, but not the end of + # the world to not have) + # * -fzero-call-used-regs=used (history of miscompilations with + # Clang (bug #872548), ICEs on m68k (bug #920350, gcc PR113086, + # gcc PR104820, gcc PR104817, gcc PR110934)). + # + # Furthermore, OSSH_CHECK_CFLAG_COMPILE does not use AC_CACHE_CHECK, + # so we cannot just disable -fzero-call-used-regs=used. + # + # Therefore, just pass --without-hardening, given it doesn't negate + # our already hardened toolchain defaults, and avoids adding flags + # which are known-broken in both Clang and GCC and haven't been + # proven reliable. + --without-hardening + + $(use_with audit audit linux) + $(use_with kerberos kerberos5 "${EPREFIX}"/usr) + $(use_with ldns) + $(use_enable legacy-ciphers dsa-keys) + $(use_with libedit) + $(use_with pam) + $(use_with pie) + $(use_with selinux) + $(use_with security-key security-key-builtin) + $(use_with ssl openssl) + $(use_with ssl ssl-engine) + ) + + if use elibc_musl; then + # musl defines bogus values for UTMP_FILE and WTMP_FILE (bug #753230) + myconf+=( --disable-utmp --disable-wtmp ) + fi + + # Workaround for Clang 15 miscompilation with -fzero-call-used-regs=all + # bug #869839 (https://github.com/llvm/llvm-project/issues/57692) + tc-is-clang && myconf+=( --without-hardening ) + + econf "${myconf[@]}" +} + +create_config_dropins() { + local locale_vars=( + # These are language variables that POSIX defines. + # http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_02 + LANG LC_ALL LC_COLLATE LC_CTYPE LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME + + # These are the GNU extensions. + # https://www.gnu.org/software/autoconf/manual/html_node/Special-Shell-Variables.html + LANGUAGE LC_ADDRESS LC_IDENTIFICATION LC_MEASUREMENT LC_NAME LC_PAPER LC_TELEPHONE + ) + + mkdir -p "${WORKDIR}"/etc/ssh/ssh{,d}_config.d || die + + cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo.conf || die + # Send locale environment variables (bug #367017) + SendEnv ${locale_vars[*]} + + # Send COLORTERM to match TERM (bug #658540) + SendEnv COLORTERM + EOF + + cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_config.d/9999999gentoo-security.conf || die + RevokedHostKeys "${EPREFIX}/etc/ssh/ssh_revoked_hosts" + EOF + + cat <<-EOF > "${WORKDIR}"/etc/ssh/ssh_revoked_hosts || die + # https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/ + ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== + EOF + + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo.conf || die + # Allow client to pass locale environment variables (bug #367017) + AcceptEnv ${locale_vars[*]} + + # Allow client to pass COLORTERM to match TERM (bug #658540) + AcceptEnv COLORTERM + EOF + + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-subsystem.conf || die + # override default of no subsystems + Subsystem sftp ${EPREFIX}/usr/$(get_libdir)/misc/sftp-server + EOF + + if use pam ; then + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-pam.conf || die + UsePAM yes + # This interferes with PAM. + PasswordAuthentication no + # PAM can do its own handling of MOTD. + PrintMotd no + PrintLastLog no + EOF + fi + + if use livecd ; then + cat <<-EOF > "${WORKDIR}"/etc/ssh/sshd_config.d/9999999gentoo-livecd.conf || die + # Allow root login with password on livecds. + PermitRootLogin Yes + EOF + fi +} + +src_compile() { + default + create_config_dropins +} + +src_test() { + local tests=( compat-tests ) + local shell=$(egetshell "${UID}") + if [[ ${shell} == */nologin ]] || [[ ${shell} == */false ]] ; then + ewarn "Running the full OpenSSH testsuite requires a usable shell for the 'portage'" + ewarn "user, so we will run a subset only." + tests+=( interop-tests ) + else + tests+=( tests ) + fi + + local -x SUDO= SSH_SK_PROVIDER= TEST_SSH_UNSAFE_PERMISSIONS=1 + mkdir -p "${HOME}"/.ssh || die + emake -j1 "${tests[@]}" </dev/null +} + +src_install() { + emake install-nokeys DESTDIR="${D}" + fperms 600 /etc/ssh/sshd_config + dobin contrib/ssh-copy-id + newinitd "${FILESDIR}"/sshd-r1.initd sshd + newconfd "${FILESDIR}"/sshd-r1.confd sshd + exeinto /etc/user/init.d + newexe "${FILESDIR}"/ssh-agent.initd ssh-agent + + if use pam; then + newpamd "${FILESDIR}"/sshd.pam_include.2 sshd + fi + + doman contrib/ssh-copy-id.1 + dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config + + rmdir "${ED}"/var/empty || die + + systemd_dounit "${FILESDIR}"/sshd.socket + systemd_newunit "${FILESDIR}"/sshd.service.2 sshd.service + systemd_newunit "${FILESDIR}"/sshd_at.service.1 '[email protected]' + + # Install dropins with explicit mode, bug 906638, 915840 + diropts -m0755 + insopts -m0644 + insinto /etc/ssh + doins -r "${WORKDIR}"/etc/ssh/ssh_config.d + doins "${WORKDIR}"/etc/ssh/ssh_revoked_hosts + diropts -m0700 + insopts -m0600 + doins -r "${WORKDIR}"/etc/ssh/sshd_config.d +} + +pkg_preinst() { + if ! use ssl && has_version "${CATEGORY}/${PN}[ssl]"; then + show_ssl_warning=1 + fi +} + +pkg_postinst() { + # bug #139235 + optfeature "x11 forwarding" x11-apps/xauth + + if ver_replacing -lt "5.8_p1"; then + elog "Starting with openssh-5.8p1, the server will default to a newer key" + elog "algorithm (ECDSA). You are encouraged to manually update your stored" + elog "keys list as servers update theirs. See ssh-keyscan(1) for more info." + fi + if ver_replacing -lt "7.0_p1"; then + elog "Starting with openssh-6.7, support for USE=tcpd has been dropped by upstream." + elog "Make sure to update any configs that you might have. Note that xinetd might" + elog "be an alternative for you as it supports USE=tcpd." + fi + if ver_replacing -lt "7.1_p1"; then #557388 #555518 + elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their" + elog "weak sizes. If you rely on these key types, you can re-enable the key types by" + elog "adding to your sshd_config or ~/.ssh/config files:" + elog " PubkeyAcceptedKeyTypes=+ssh-dss" + elog "You should however generate new keys using rsa or ed25519." + + elog "Starting with openssh-7.0, the default for PermitRootLogin changed from 'yes'" + elog "to 'prohibit-password'. That means password auth for root users no longer works" + elog "out of the box. If you need this, please update your sshd_config explicitly." + fi + if ver_replacing -lt "7.6_p1"; then + elog "Starting with openssh-7.6p1, openssh upstream has removed ssh1 support entirely." + elog "Furthermore, rsa keys with less than 1024 bits will be refused." + fi + if ver_replacing -lt "7.7_p1"; then + elog "Starting with openssh-7.7p1, we no longer patch openssh to provide LDAP functionality." + elog "Install sys-auth/ssh-ldap-pubkey and use OpenSSH's \"AuthorizedKeysCommand\" option" + elog "if you need to authenticate against LDAP." + elog "See https://wiki.gentoo.org/wiki/SSH/LDAP_migration for more details." + fi + if ver_replacing -lt "8.2_p1"; then + ewarn "After upgrading to openssh-8.2p1 please restart sshd, otherwise you" + ewarn "will not be able to establish new sessions. Restarting sshd over a ssh" + ewarn "connection is generally safe." + fi + if ver_replacing -lt "9.2_p1-r1" && systemd_is_booted; then + ewarn "From openssh-9.2_p1-r1 the supplied systemd unit file defaults to" + ewarn "'Restart=on-failure', which causes the service to automatically restart if it" + ewarn "terminates with an unclean exit code or signal. This feature is useful for most users," + ewarn "but it can increase the vulnerability of the system in the event of a future exploit." + ewarn "If you have a web-facing setup or are concerned about security, it is recommended to" + ewarn "set 'Restart=no' in your sshd unit file." + fi + + if [[ -n ${show_ssl_warning} ]]; then + elog "Be aware that by disabling openssl support in openssh, the server and clients" + elog "no longer support dss/rsa/ecdsa keys. You will need to generate ed25519 keys" + elog "and update all clients/servers that utilize them." + fi + + openssh_maybe_restart +} + +openssh_maybe_restart() { + local ver + declare -a versions + read -ra versions <<<"${REPLACING_VERSIONS}" + for ver in "${versions[@]}"; do + # Exclude 9.8_p1 because it didn't have the safety check + [[ ${ver} == 9.8_p1 ]] && break + + if [[ ${ver%_*} == "${PV%_*}" ]]; then + # No major version change has occurred + return + fi + done + + if [[ ${ROOT} ]]; then + return + elif [[ -d /run/systemd/system ]] && sshd -t >/dev/null 2>&1; then + ewarn "The ebuild will now attempt to restart OpenSSH to avoid" + ewarn "bricking the running instance. See bug #709748." + ebegin "Attempting to restart openssh via 'systemctl try-restart sshd'" + systemctl try-restart sshd + eend $? + elif [[ -d /run/openrc ]]; then + # We don't check for sshd -t here because the OpenRC init script + # has a stop_pre() which does checkconfig, i.e. we defer to it + # to give nicer output for a failed sanity check. + ewarn "The ebuild will now attempt to restart OpenSSH to avoid" + ewarn "bricking the running instance. See bug #709748." + ebegin "Attempting to restart openssh via 'rc-service -q --ifstarted --nodeps sshd restart'" + rc-service -q --ifstarted --nodeps sshd restart + eend $? + fi +}
