[gentoo-commits] proj/hardened-dev:musl commit in: net-misc/openssh/

2015-05-10 Thread Anthony G. Basile
commit: 45ef61e72bd8a80130cb333a78137942b0ed5d93
Author: Felix Janda felix.janda AT posteo DOT de
AuthorDate: Sat May  9 15:01:18 2015 +
Commit: Anthony G. Basile blueness AT gentoo DOT org
CommitDate: Sun May 10 12:52:47 2015 +
URL:https://gitweb.gentoo.org/proj/hardened-dev.git/commit/?id=45ef61e7

net-misc/openssh: disable stack-protector for x86 and ppc

 net-misc/openssh/openssh-6.7_p1-r99.ebuild | 4 
 1 file changed, 4 insertions(+)

diff --git a/net-misc/openssh/openssh-6.7_p1-r99.ebuild 
b/net-misc/openssh/openssh-6.7_p1-r99.ebuild
index 7edc50d..f6ad39c 100644
--- a/net-misc/openssh/openssh-6.7_p1-r99.ebuild
+++ b/net-misc/openssh/openssh-6.7_p1-r99.ebuild
@@ -189,6 +189,10 @@ src_configure() {
append-ldflags -lutil
fi
 
+   # __stack_chk_fail_local
+   use x86  myconf+=( --without-stackprotect)
+   use ppc  myconf+=( --without-stackprotect)
+
econf \
--with-ldflags=${LDFLAGS} \
--disable-strip \
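Review bot: The comment `# __stack_chk_fail_local` on the added lines names a symbol without saying why the flag is passed or what it costs: `--without-stackprotect` drops `-fstack-protector` from the sshd build on x86 and ppc, so those binaries lose stack-smashing protection, which deserves a sentence in the ebuild and in the commit message. A comment such as `# musl provides no __stack_chk_fail_local, which gcc emits on x86/ppc under -fstack-protector, so the link fails; see http://gcc.gnu.org/ml/gcc/2012-01/msg00012.html` would carry the rationale (the musl cause is my reading of the branch name and the symbol, so confirm it before quoting it). The same bare comment is added at `@@ -180,7 +180,9 @@ src_configure()` in openssh-6.6_p1-r99.ebuild further down this page, and the x86 line at `@@ -180,6 +180,8 @@` in that ebuild has no comment at all; one wording should go into all three places.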



[gentoo-commits] proj/hardened-dev:musl commit in: net-misc/openssh/files/, net-misc/openssh/

2014-12-31 Thread Anthony G. Basile
commit: 10c887587f0221a5ecd59b10fdc37f717629da74
Author: Anthony G. Basile blueness AT gentoo DOT org
AuthorDate: Wed Dec 31 18:23:51 2014 +
Commit: Anthony G. Basile blueness AT gentoo DOT org
CommitDate: Wed Dec 31 18:23:51 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=10c88758

net-misc/openssh: make 6.7_p1 stable on all arches

Package-Manager: portage-2.2.14
Manifest-Sign-Key: 0xF52D4BBA

---
 .../openssh-5.9_p1-sshd-gssapi-multihomed.patch| 184 
 .../openssh/files/openssh-6.4p1-avoid-exit.patch   | 499 -
 .../files/openssh-6.5_p1-hpn-cipher-align.patch| 114 -
 .../openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch|  26 --
 net-misc/openssh/files/openssh-6.6.1_p1.patch  | 167 ---
 .../openssh-6.6_p1-openssl-ignore-status.patch |  17 -
 .../openssh/files/openssh-6.6_p1-x509-glue.patch   |  16 -
 .../openssh-6.6_p1-x509-hpn14v4-glue-p2.patch  |  26 --
 net-misc/openssh/metadata.xml  |   1 +
 net-misc/openssh/openssh-6.6.1_p1-r99.ebuild   | 323 -
 net-misc/openssh/openssh-6.6_p1-r99.ebuild | 320 -
 net-misc/openssh/openssh-6.7_p1-r99.ebuild |   2 +-
 12 files changed, 2 insertions(+), 1693 deletions(-)

diff --git a/net-misc/openssh/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch 
b/net-misc/openssh/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch
deleted file mode 100644
index 6377d03..000
--- a/net-misc/openssh/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch
+++ /dev/null
@@ -1,184 +0,0 @@
-Index: gss-serv.c
-===
-RCS file: /cvs/src/usr.bin/ssh/gss-serv.c,v
-retrieving revision 1.22
-diff -u -p -r1.22 gss-serv.c
 gss-serv.c 8 May 2008 12:02:23 -   1.22
-+++ gss-serv.c 11 Jan 2010 05:38:29 -
-@@ -41,9 +41,12 @@
- #include channels.h
- #include session.h
- #include misc.h
-+#include servconf.h
- 
- #include ssh-gss.h
- 
-+extern ServerOptions options;
-+
- static ssh_gssapi_client gssapi_client =
- { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
- GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
-@@ -77,25 +80,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
-   char lname[MAXHOSTNAMELEN];
-   gss_OID_set oidset;
- 
--  gss_create_empty_oid_set(status, oidset);
--  gss_add_oid_set_member(status, ctx-oid, oidset);
--
--  if (gethostname(lname, MAXHOSTNAMELEN)) {
--  gss_release_oid_set(status, oidset);
--  return (-1);
--  }
-+  if (options.gss_strict_acceptor) {
-+  gss_create_empty_oid_set(status, oidset);
-+  gss_add_oid_set_member(status, ctx-oid, oidset);
-+
-+  if (gethostname(lname, MAXHOSTNAMELEN)) {
-+  gss_release_oid_set(status, oidset);
-+  return (-1);
-+  }
-+
-+  if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
-+  gss_release_oid_set(status, oidset);
-+  return (ctx-major);
-+  }
-+
-+  if ((ctx-major = gss_acquire_cred(ctx-minor,
-+  ctx-name, 0, oidset, GSS_C_ACCEPT, ctx-creds,
-+  NULL, NULL)))
-+  ssh_gssapi_error(ctx);
- 
--  if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
-   gss_release_oid_set(status, oidset);
-   return (ctx-major);
-+  } else {
-+  ctx-name = GSS_C_NO_NAME;
-+  ctx-creds = GSS_C_NO_CREDENTIAL;
-   }
--
--  if ((ctx-major = gss_acquire_cred(ctx-minor,
--  ctx-name, 0, oidset, GSS_C_ACCEPT, ctx-creds, NULL, NULL)))
--  ssh_gssapi_error(ctx);
--
--  gss_release_oid_set(status, oidset);
--  return (ctx-major);
-+  return GSS_S_COMPLETE;
- }
- 
- /* Privileged */
-Index: servconf.c
-===
-RCS file: /cvs/src/usr.bin/ssh/servconf.c,v
-retrieving revision 1.201
-diff -u -p -r1.201 servconf.c
 servconf.c 10 Jan 2010 03:51:17 -  1.201
-+++ servconf.c 11 Jan 2010 05:34:56 -
-@@ -86,6 +86,7 @@ initialize_server_options(ServerOptions 
-   options-kerberos_get_afs_token = -1;
-   options-gss_authentication=-1;
-   options-gss_cleanup_creds = -1;
-+  options-gss_strict_acceptor = -1;
-   options-password_authentication = -1;
-   options-kbd_interactive_authentication = -1;
-   options-challenge_response_authentication = -1;
-@@ -200,6 +201,8 @@ fill_default_server_options(ServerOption
-   options-gss_authentication = 0;
-   if (options-gss_cleanup_creds == -1)
-   options-gss_cleanup_creds = 1;
-+  if (options-gss_strict_acceptor == -1)
-+  options-gss_strict_acceptor = 0;
-   if (options-password_authentication == -1)
-   options-password_authentication = 1;
-   if 

[gentoo-commits] proj/hardened-dev:musl commit in: net-misc/openssh/, net-misc/openssh/files/

2014-12-11 Thread Anthony G. Basile
commit: c84c8147dc01677b7fffde06a97af0753e88a207
Author: Felix Janda felix.janda AT posteo DOT de
AuthorDate: Wed Dec 10 22:37:47 2014 +
Commit: Anthony G. Basile blueness AT gentoo DOT org
CommitDate: Thu Dec 11 14:28:48 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=c84c8147

net-misc/openssh: bump to 6.7_p1

Signed-off-by: Anthony G. Basile blueness AT gentoo.org

---
 .../openssh-6.7_p1-openssl-ignore-status.patch |  17 +
 .../files/openssh-6.7_p1-sctp-x509-glue.patch  |  42 ++
 .../openssh-6.7_p1-sshd-gssapi-multihomed.patch| 162 
 .../openssh/files/openssh-6.7_p1-x509-glue.patch   |  46 +++
 .../openssh/files/openssh-6.7p1-avoid-exit.patch   | 441 +
 net-misc/openssh/openssh-6.7_p1-r99.ebuild | 326 +++
 6 files changed, 1034 insertions(+)

diff --git a/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch 
b/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch
new file mode 100644
index 000..fa33af3
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch
@@ -0,0 +1,17 @@
+the last nibble of the openssl version represents the status.  that is,
+whether it is a beta or release.  when it comes to version checks in
+openssh, this component does not matter, so ignore it.
+
+https://bugzilla.mindrot.org/show_bug.cgi?id=2212
+
+--- a/openbsd-compat/openssl-compat.c
 b/openbsd-compat/openssl-compat.c
+@@ -58,7 +58,7 @@ ssh_compatible_openssl(long headerver, long libver)
+* For versions = 1.0.0, major,minor,status must match and library
+* fix version must be equal to or newer than the header.
+*/
+-  mask = 0xffffL; /* major,minor,status */
++  mask = 0xfff0L; /* major,minor,status */
+   hfix = (headerver  0x000ff000)  12;
+   lfix = (libver  0x000ff000)  12;
+   if ( (headerver  mask) == (libver  mask)  lfix = hfix)
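Review bot: The new line `mask = 0xfff0L; /* major,minor,status */` keeps the old trailing comment although the whole point of the patch, per its own header, is that the status nibble no longer takes part in the comparison, so the comment now says the opposite of what the mask does; change it to `/* major,minor (status nibble ignored) */`. Note also that both mask literals as rendered in this archive are far shorter than a 32-bit OpenSSL version word and look like they lost zeros in transit, so check the stored patch against the original `mask` line before relying on this listing.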

diff --git a/net-misc/openssh/files/openssh-6.7_p1-sctp-x509-glue.patch 
b/net-misc/openssh/files/openssh-6.7_p1-sctp-x509-glue.patch
new file mode 100644
index 000..bd0b7ce
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.7_p1-sctp-x509-glue.patch
@@ -0,0 +1,42 @@
+--- openssh-6.7_p1-sctp.patch.orig 2014-11-24 10:34:31.817538707 -0800
 openssh-6.7_p1-sctp.patch  2014-11-24 10:38:52.744990154 -0800
+@@ -195,14 +195,6 @@
+  .Op Fl c Ar cipher
+  .Op Fl F Ar ssh_config
+  .Op Fl i Ar identity_file
+-@@ -178,6 +178,7 @@ For full details of the options listed b
+- .It ServerAliveCountMax
+- .It StrictHostKeyChecking
+- .It TCPKeepAlive
+-+.It Transport
+- .It UsePrivilegedPort
+- .It User
+- .It UserKnownHostsFile
+ @@ -218,6 +219,8 @@ and
+  to print debugging messages about their progress.
+  This is helpful in
+@@ -482,14 +474,6 @@
+  .Op Fl b Ar bind_address
+  .Op Fl c Ar cipher_spec
+  .Op Fl D Oo Ar bind_address : Oc Ns Ar port
+-@@ -473,6 +473,7 @@ For full details of the options listed b
+- .It StreamLocalBindUnlink
+- .It StrictHostKeyChecking
+- .It TCPKeepAlive
+-+.It Transport
+- .It Tunnel
+- .It TunnelDevice
+- .It UsePrivilegedPort
+ @@ -665,6 +666,8 @@ Trusted X11 forwardings are not subjecte
+  controls.
+  .It Fl y
+@@ -527,7 +511,7 @@
+-  again:
++
+ - while ((opt = getopt(ac, av, 1246ab:c:e:fgi:kl:m:no:p:qstvx
+ + while ((opt = getopt(ac, av, 1246ab:c:e:fgi:kl:m:no:p:qstvx SCTP_OPT
+-  ACD:E:F:I:KL:MNO:PQ:R:S:TVw:W:XYy)) != -1) {
++  ACD:E:F: ENGCONFIG I:KL:MNO:PQ:R:S:TVw:W:XYy)) != -1) {
+   switch (opt) {
+   case '1':
+ @@ -732,6 +738,11 @@ main(int ac, char **av)
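Review bot: This glue patch carries no description line before its first `---` header, while the other patch files added in this commit open with a purpose line or bug URLs; a first line such as `make the sctp patch apply on top of the x509 patch` (the role the context shows, since every hunk only shifts offsets inside openssh-6.7_p1-sctp.patch) would let the next version bump tell which pair of patches it reconciles. The one substantive edit, splicing `ENGCONFIG` into the getopt option string at `ACD:E:F: ENGCONFIG I:KL:MNO:PQ:R:S:TVw:W:XYy`, is where a later x509 or sctp revision will break this glue again, so the header line should also name the x509 patch revision it was generated against.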

diff --git a/net-misc/openssh/files/openssh-6.7_p1-sshd-gssapi-multihomed.patch 
b/net-misc/openssh/files/openssh-6.7_p1-sshd-gssapi-multihomed.patch
new file mode 100644
index 000..96818e4
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.7_p1-sshd-gssapi-multihomed.patch
@@ -0,0 +1,162 @@
+https://bugs.gentoo.org/378361
+https://bugzilla.mindrot.org/show_bug.cgi?id=928
+
+--- a/gss-serv.c
 b/gss-serv.c
+@@ -41,9 +41,12 @@
+ #include channels.h
+ #include session.h
+ #include misc.h
++#include servconf.h
+ 
+ #include ssh-gss.h
+ 
++extern ServerOptions options;
++
+ static ssh_gssapi_client gssapi_client =
+ { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
+ GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
+@@ -77,25 +80,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
+   char lname[NI_MAXHOST];
+   gss_OID_set oidset;
+ 
+-  gss_create_empty_oid_set(status, oidset);
+-  gss_add_oid_set_member(status, ctx-oid, oidset);
+-
+-  if (gethostname(lname, sizeof(lname))) {
+-  gss_release_oid_set(status, oidset);
+-  return (-1);
+-  }
++  if (options.gss_strict_acceptor) {
++  gss_create_empty_oid_set(status, oidset);
++  gss_add_oid_set_member(status, ctx-oid, oidset);
++
++  if (gethostname(lname, MAXHOSTNAMELEN)) {
++

[gentoo-commits] proj/hardened-dev:musl commit in: net-misc/openssh/

2014-11-18 Thread Anthony G. Basile
commit: 7d717d6413251a58a4ad004a1058da2ae22dd119
Author: Felix Janda felix.janda AT posteo DOT de
AuthorDate: Mon Nov 10 19:05:11 2014 +
Commit: Anthony G. Basile blueness AT gentoo DOT org
CommitDate: Tue Nov 18 21:59:09 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=7d717d64

net-misc/openssh: disable stack-protector for powerpc

Signed-off-by: Anthony G. Basile blueness AT gentoo.org

---
 net-misc/openssh/openssh-6.6_p1-r99.ebuild | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net-misc/openssh/openssh-6.6_p1-r99.ebuild 
b/net-misc/openssh/openssh-6.6_p1-r99.ebuild
index 61acd18..3d51e6e 100644
--- a/net-misc/openssh/openssh-6.6_p1-r99.ebuild
+++ b/net-misc/openssh/openssh-6.6_p1-r99.ebuild
@@ -180,7 +180,9 @@ src_configure() {
append-ldflags -lutil
fi
 
+   # __stack_chk_fail_local
use x86  myconf=${myconf} --without-stackprotect
+   use ppc  myconf=${myconf} --without-stackprotect
 
econf \
--with-ldflags=${LDFLAGS} \



[gentoo-commits] proj/hardened-dev:musl commit in: net-misc/openssh/files/, net-misc/openssh/

2014-05-24 Thread Anthony G. Basile
commit: 7a0b15d0ae44c5d039c28da66f7120ff21df5943
Author: layman layman AT localhost
AuthorDate: Sat May 24 20:37:41 2014 +
Commit: Anthony G. Basile blueness AT gentoo DOT org
CommitDate: Sun May 25 00:44:25 2014 +
URL:
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=7a0b15d0

net-misc/openssh: bump to 6.6.1_p1

Package-Manager: portage-2.2.10

---
 .../openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch|  26 
 net-misc/openssh/files/openssh-6.6.1_p1.patch  | 167 +
 ...4_p1-r99.ebuild = openssh-6.6.1_p1-r99.ebuild} |  30 ++--
 3 files changed, 214 insertions(+), 9 deletions(-)

diff --git a/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch 
b/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch
new file mode 100644
index 000..c76015d
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch
@@ -0,0 +1,26 @@
+make the hpn patch apply when the x509 patch has also been applied
+
+--- openssh-6.6.1p1-hpnssh14v4.diff
 openssh-6.6.1p1-hpnssh14v4.diff
+@@ -1742,18 +1742,14 @@
+   if (options-ip_qos_interactive == -1)
+   options-ip_qos_interactive = IPTOS_LOWDELAY;
+   if (options-ip_qos_bulk == -1)
+-@@ -345,9 +393,10 @@
++@@ -345,6 +393,7 @@
+   sUsePrivilegeSeparation, sAllowAgentForwarding,
+   sHostCertificate,
+   sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
+-+ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
+++ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, sNoneEnabled,
+   sKexAlgorithms, sIPQoS, sVersionAddendum,
+   sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
+-- sAuthenticationMethods, sHostKeyAgent,
+-+ sAuthenticationMethods, sNoneEnabled, sHostKeyAgent,
+-  sDeprecated, sUnsupported
+- } ServerOpCodes;
+- 
++  sAuthenticationMethods, sHostKeyAgent,
+ @@ -468,6 +517,10 @@
+   { revokedkeys, sRevokedKeys, SSHCFG_ALL },
+   { trustedusercakeys, sTrustedUserCAKeys, SSHCFG_ALL },

diff --git a/net-misc/openssh/files/openssh-6.6.1_p1.patch 
b/net-misc/openssh/files/openssh-6.6.1_p1.patch
new file mode 100644
index 000..b11f6fb
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.6.1_p1.patch
@@ -0,0 +1,167 @@
+Hi,
+
+So I screwed up when writing the support for the curve25519 KEX method
+that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left
+leading zero bytes where they should have been skipped. The impact of
+this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a
+peer that implements curve25519-sha256 at libssh.org properly about 0.2%
+of the time (one in every 512ish connections).
+
+We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256
+key exchange for previous versions, but I'd recommend distributors
+of OpenSSH apply this patch so the affected code doesn't become
+too entrenched in LTS releases.
+
+The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as
+to distinguish itself from the incorrect versions so the compatibility
+code to disable the affected KEX isn't activated.
+
+I've committed this on the 6.6 branch too.
+
+Apologies for the hassle.
+
+-d
+
+Index: version.h
+===
+RCS file: /var/cvs/openssh/version.h,v
+retrieving revision 1.82
+diff -u -p -r1.82 version.h
+--- version.h  27 Feb 2014 23:01:54 -  1.82
 version.h  20 Apr 2014 03:35:15 -
+@@ -1,6 +1,6 @@
+ /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
+ 
+-#define SSH_VERSION   OpenSSH_6.6
++#define SSH_VERSION   OpenSSH_6.6.1
+ 
+ #define SSH_PORTABLE  p1
+ #define SSH_RELEASE   SSH_VERSION SSH_PORTABLE
+Index: compat.c
+===
+RCS file: /var/cvs/openssh/compat.c,v
+retrieving revision 1.82
+retrieving revision 1.85
+diff -u -p -r1.82 -r1.85
+--- compat.c   31 Dec 2013 01:25:41 -  1.82
 compat.c   20 Apr 2014 03:33:59 -  1.85
+@@ -95,6 +95,9 @@ compat_datafellows(const char *version)
+   { Sun_SSH_1.0*,   SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
+   { OpenSSH_4*, 0 },
+   { OpenSSH_5*, SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
++  { OpenSSH_6.6.1*, SSH_NEW_OPENSSH},
++  { OpenSSH_6.5*,
++OpenSSH_6.6*,   SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
+   { OpenSSH*,   SSH_NEW_OPENSSH },
+   { *MindTerm*, 0 },
+   { 2.1.0*, SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
+@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop
+   return cipher_prop;
+ }
+ 
+-
+ char *
+ compat_pkalg_proposal(char *pkalg_prop)
+ {
+@@ -263,5 +265,18 @@ compat_pkalg_proposal(char *pkalg_prop)
+   if (*pkalg_prop == '\0')
+   fatal(No supported PK algorithms found);
+   return pkalg_prop;
++}
++
++char *

[gentoo-commits] proj/hardened-dev:musl commit in: net-misc/openssh/

2014-03-22 Thread Anthony G. Basile
commit: 2cafb689e1bf4a7ad609a3f4d662f6250b8c5579
Author: Anthony G. Basile blueness AT gentoo DOT org
AuthorDate: Sat Mar 22 12:29:17 2014 +
Commit: Anthony G. Basile blueness AT gentoo DOT org
CommitDate: Sat Mar 22 12:29:17 2014 +
URL:
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=2cafb689

net-misc/openssh: fix white space

Package-Manager: portage-2.2.7
Manifest-Sign-Key: 0xF52D4BBA

---
 net-misc/openssh/openssh-6.6_p1-r99.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net-misc/openssh/openssh-6.6_p1-r99.ebuild 
b/net-misc/openssh/openssh-6.6_p1-r99.ebuild
index 3232115..b082439 100644
--- a/net-misc/openssh/openssh-6.6_p1-r99.ebuild
+++ b/net-misc/openssh/openssh-6.6_p1-r99.ebuild
@@ -138,7 +138,7 @@ src_prepare() {
 
epatch ${FILESDIR}/${PN}-6.4p1-avoid-exit.patch
epatch ${FILESDIR}/${PN}-6.4p1-missing-sys_param_h.patch
-   epatch ${FILESDIR}/${PN}-6.4p1-fix-typo-construct_utmpx.patch 
   
+   epatch ${FILESDIR}/${PN}-6.4p1-fix-typo-construct_utmpx.patch
 
epatch_user #473004
 



[gentoo-commits] proj/hardened-dev:musl commit in: net-misc/openssh/

2014-03-22 Thread Anthony G. Basile
commit: 07c80e5acf14628024ef5f609f1be73993a7ea04
Author: Anthony G. Basile blueness AT gentoo DOT org
AuthorDate: Sat Mar 22 13:45:03 2014 +
Commit: Anthony G. Basile blueness AT gentoo DOT org
CommitDate: Sat Mar 22 13:45:03 2014 +
URL:
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=07c80e5a

net-misc/openssh: see http://gcc.gnu.org/ml/gcc/2012-01/msg00012.html

Package-Manager: portage-2.2.7
Manifest-Sign-Key: 0xF52D4BBA

---
 net-misc/openssh/openssh-6.6_p1-r99.ebuild | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net-misc/openssh/openssh-6.6_p1-r99.ebuild 
b/net-misc/openssh/openssh-6.6_p1-r99.ebuild
index b082439..379d385 100644
--- a/net-misc/openssh/openssh-6.6_p1-r99.ebuild
+++ b/net-misc/openssh/openssh-6.6_p1-r99.ebuild
@@ -180,6 +180,8 @@ src_configure() {
append-ldflags -lutil
fi
 
+   use x86  myconf=${myconf} --without-stackprotect
+
econf \
--with-ldflags=${LDFLAGS} \
--disable-strip \



[gentoo-commits] proj/hardened-dev:musl commit in: net-misc/openssh/files/, net-misc/openssh/

2014-03-21 Thread Anthony G. Basile
commit: c28b27ab2f2d2ed00e42b95086675c06603f1bf7
Author: layman layman AT localhost
AuthorDate: Fri Mar 21 16:41:30 2014 +
Commit: Anthony G. Basile blueness AT gentoo DOT org
CommitDate: Fri Mar 21 16:44:33 2014 +
URL:
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=c28b27ab

net-misc/openssh: bump to 6.6_p1

---
 .../files/openssh-6.5_p1-hpn-cipher-align.patch| 114 
 .../openssh-6.6_p1-openssl-ignore-status.patch |  17 ++
 .../openssh/files/openssh-6.6_p1-x509-glue.patch   |  16 ++
 .../openssh-6.6_p1-x509-hpn14v4-glue-p2.patch  |  26 ++
 net-misc/openssh/openssh-6.6_p1-r99.ebuild | 316 +
 5 files changed, 489 insertions(+)

diff --git a/net-misc/openssh/files/openssh-6.5_p1-hpn-cipher-align.patch 
b/net-misc/openssh/files/openssh-6.5_p1-hpn-cipher-align.patch
new file mode 100644
index 000..cfb060f
--- /dev/null
+++ b/net-misc/openssh/files/openssh-6.5_p1-hpn-cipher-align.patch
@@ -0,0 +1,114 @@
+https://bugs.gentoo.org/498632
+
+make sure we do not use unaligned loads/stores as some arches really hate that.
+
+--- a/cipher-ctr-mt.c
 b/cipher-ctr-mt.c
+@@ -58,8 +58,16 @@
+ /* Collect thread stats and print at cancellation when in debug mode */
+ /* #define CIPHER_THREAD_STATS */
+ 
+-/* Use single-byte XOR instead of 8-byte XOR */
+-/* #define CIPHER_BYTE_XOR */
++/* Can the system do unaligned loads natively? */
++#if defined(__aarch64__) || \
++defined(__i386__)|| \
++defined(__powerpc__) || \
++defined(__x86_64__)
++# define CIPHER_UNALIGNED_OK
++#endif
++#if defined(__SIZEOF_INT128__)
++# define CIPHER_INT128_OK
++#endif
+ /* END TUNABLES */
+ 
+ 
+@@ -285,8 +293,20 @@ thread_loop(void *x)
+ 
+ static int
+ ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
+-u_int len)
++size_t len)
+ {
++  typedef union {
++#ifdef CIPHER_INT128_OK
++  __uint128_t *u128;
++#endif
++  uint64_t *u64;
++  uint32_t *u32;
++  uint8_t *u8;
++  const uint8_t *cu8;
++  uintptr_t u;
++  } ptrs_t;
++  ptrs_t destp, srcp, bufp;
++  uintptr_t align;
+   struct ssh_aes_ctr_ctx *c;
+   struct kq *q, *oldq;
+   int ridx;
+@@ -301,35 +321,41 @@ ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const 
u_char *src,
+   ridx = c-ridx;
+ 
+   /* src already padded to block multiple */
++  srcp.cu8 = src;
++  destp.u8 = dest;
+   while (len  0) {
+   buf = q-keys[ridx];
++  bufp.u8 = buf;
+ 
+-#ifdef CIPHER_BYTE_XOR
+-  dest[0] = src[0] ^ buf[0];
+-  dest[1] = src[1] ^ buf[1];
+-  dest[2] = src[2] ^ buf[2];
+-  dest[3] = src[3] ^ buf[3];
+-  dest[4] = src[4] ^ buf[4];
+-  dest[5] = src[5] ^ buf[5];
+-  dest[6] = src[6] ^ buf[6];
+-  dest[7] = src[7] ^ buf[7];
+-  dest[8] = src[8] ^ buf[8];
+-  dest[9] = src[9] ^ buf[9];
+-  dest[10] = src[10] ^ buf[10];
+-  dest[11] = src[11] ^ buf[11];
+-  dest[12] = src[12] ^ buf[12];
+-  dest[13] = src[13] ^ buf[13];
+-  dest[14] = src[14] ^ buf[14];
+-  dest[15] = src[15] ^ buf[15];
+-#else
+-  *(uint64_t *)dest = *(uint64_t *)src ^ *(uint64_t *)buf;
+-  *(uint64_t *)(dest + 8) = *(uint64_t *)(src + 8) ^
+-  *(uint64_t *)(buf + 8);
+-#endif
++  /* figure out the alignment on the fly */
++#ifdef CIPHER_UNALIGNED_OK
++  align = 0;
++#else
++  align = destp.u | srcp.u | bufp.u;
++#endif
++
++#ifdef CIPHER_INT128_OK
++  if ((align  0xf) == 0) {
++  destp.u128[0] = srcp.u128[0] ^ bufp.u128[0];
++  } else
++#endif
++  if ((align  0x7) == 0) {
++  destp.u64[0] = srcp.u64[0] ^ bufp.u64[0];
++  destp.u64[1] = srcp.u64[1] ^ bufp.u64[1];
++  } else if ((align  0x3) == 0) {
++  destp.u32[0] = srcp.u32[0] ^ bufp.u32[0];
++  destp.u32[1] = srcp.u32[1] ^ bufp.u32[1];
++  destp.u32[2] = srcp.u32[2] ^ bufp.u32[2];
++  destp.u32[3] = srcp.u32[3] ^ bufp.u32[3];
++  } else {
++  size_t i;
++  for (i = 0; i  AES_BLOCK_SIZE; ++i)
++  dest[i] = src[i] ^ buf[i];
++  }
+ 
+-  dest += 16;
+-  src += 16;
+-  len -= 16;
++  destp.u += AES_BLOCK_SIZE;
++  srcp.u += AES_BLOCK_SIZE;
++  len -= AES_BLOCK_SIZE;
+   ssh_ctr_inc(ctx-iv, AES_BLOCK_SIZE);
+ 
+   /* Increment read index, switch queues on rollover */
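Review bot: The byte-wise fallback `dest[i] = src[i] ^ buf[i];` still indexes the original `dest` and `src` pointers, but this hunk removes the `dest += 16; src += 16;` advances and only steps `destp.u` and `srcp.u`, so on any arch without CIPHER_UNALIGNED_OK a misaligned buffer makes every iteration rewrite the first 16 bytes of `dest` from the first 16 bytes of `src` and leaves the rest of `dest` unwritten — corrupt cipher output on exactly the arches this patch targets; the line should be `destp.u8[i] = srcp.cu8[i] ^ bufp.u8[i];`. Separately, the u128/u64/u32 branches read and write `u_char` data through wider lvalues, which C11 6.5p7 does not permit, and on the CIPHER_UNALIGNED_OK arches `align` is forced to 0 so the `__uint128_t` path runs on addresses the compiler may assume 16-byte aligned; a `memcpy` into a local word, xor, `memcpy` out (or building this file with `-fno-strict-aliasing`) removes both assumptions and typically compiles to the same loads on those targets. ssh_aes_ctr's body continues past the end of this hunk.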

diff --git