[gentoo-commits] proj/hardened-dev:musl commit in: net-misc/openssh/
commit: 45ef61e72bd8a80130cb333a78137942b0ed5d93 Author: Felix Janda felix.janda AT posteo DOT de AuthorDate: Sat May 9 15:01:18 2015 + Commit: Anthony G. Basile blueness AT gentoo DOT org CommitDate: Sun May 10 12:52:47 2015 + URL:https://gitweb.gentoo.org/proj/hardened-dev.git/commit/?id=45ef61e7 net-misc/openssh: disable stack-protector for x86 and ppc net-misc/openssh/openssh-6.7_p1-r99.ebuild | 4 1 file changed, 4 insertions(+) diff --git a/net-misc/openssh/openssh-6.7_p1-r99.ebuild b/net-misc/openssh/openssh-6.7_p1-r99.ebuild index 7edc50d..f6ad39c 100644 --- a/net-misc/openssh/openssh-6.7_p1-r99.ebuild +++ b/net-misc/openssh/openssh-6.7_p1-r99.ebuild @@ -189,6 +189,10 @@ src_configure() { append-ldflags -lutil fi + # __stack_chk_fail_local + use x86 myconf+=( --without-stackprotect) + use ppc myconf+=( --without-stackprotect) + econf \ --with-ldflags=${LDFLAGS} \ --disable-strip \
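Review bot: The two added `use x86`/`use ppc` lines turn off `-fstack-protector` for all of openssh, including sshd, on those arches, and the one-token comment `# __stack_chk_fail_local` neither explains why nor records that this is a hardening regression. Presumably the symbol is missing at link time under musl (the commit 07c80e5a further down this page cites http://gcc.gnu.org/ml/gcc/2012-01/msg00012.html for the same change); state that so the workaround can be removed once the toolchain provides it, e.g. `# gcc emits __stack_chk_fail_local for PIC code on x86/ppc and musl does not provide it; SSP is disabled for this package until that is fixed (see the gcc thread in commit 07c80e5a)`. It is also worth checking whether supplying the symbol (a libssp_nonshared-style object, or an equivalent in the libc) would let SSP stay enabled rather than dropping it package-wide. `src_configure` continues outside the hunk.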
[gentoo-commits] proj/hardened-dev:musl commit in: net-misc/openssh/files/, net-misc/openssh/
commit: 10c887587f0221a5ecd59b10fdc37f717629da74 Author: Anthony G. Basile blueness AT gentoo DOT org AuthorDate: Wed Dec 31 18:23:51 2014 + Commit: Anthony G. Basile blueness AT gentoo DOT org CommitDate: Wed Dec 31 18:23:51 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=10c88758 net-misc/openssh: makre 6.7_p1 stable on all arches Package-Manager: portage-2.2.14 Manifest-Sign-Key: 0xF52D4BBA --- .../openssh-5.9_p1-sshd-gssapi-multihomed.patch| 184 .../openssh/files/openssh-6.4p1-avoid-exit.patch | 499 - .../files/openssh-6.5_p1-hpn-cipher-align.patch| 114 - .../openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch| 26 -- net-misc/openssh/files/openssh-6.6.1_p1.patch | 167 --- .../openssh-6.6_p1-openssl-ignore-status.patch | 17 - .../openssh/files/openssh-6.6_p1-x509-glue.patch | 16 - .../openssh-6.6_p1-x509-hpn14v4-glue-p2.patch | 26 -- net-misc/openssh/metadata.xml | 1 + net-misc/openssh/openssh-6.6.1_p1-r99.ebuild | 323 - net-misc/openssh/openssh-6.6_p1-r99.ebuild | 320 - net-misc/openssh/openssh-6.7_p1-r99.ebuild | 2 +- 12 files changed, 2 insertions(+), 1693 deletions(-) diff --git a/net-misc/openssh/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch b/net-misc/openssh/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch deleted file mode 100644 index 6377d03..000 --- a/net-misc/openssh/files/openssh-5.9_p1-sshd-gssapi-multihomed.patch +++ /dev/null 
@@ -1,184 +0,0 @@ -Index: gss-serv.c -=== -RCS file: /cvs/src/usr.bin/ssh/gss-serv.c,v -retrieving revision 1.22 -diff -u -p -r1.22 gss-serv.c gss-serv.c 8 May 2008 12:02:23 - 1.22 -+++ gss-serv.c 11 Jan 2010 05:38:29 - -@@ -41,9 +41,12 @@ - #include channels.h - #include session.h - #include misc.h -+#include servconf.h - - #include ssh-gss.h - -+extern ServerOptions options; -+ - static ssh_gssapi_client gssapi_client = - { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, - GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}}; -@@ -77,25 +80,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) - char lname[MAXHOSTNAMELEN]; - gss_OID_set oidset; - -- gss_create_empty_oid_set(status, oidset); -- gss_add_oid_set_member(status, ctx-oid, oidset); -- -- if (gethostname(lname, MAXHOSTNAMELEN)) { -- gss_release_oid_set(status, oidset); -- return (-1); -- } -+ if (options.gss_strict_acceptor) { -+ gss_create_empty_oid_set(status, oidset); -+ gss_add_oid_set_member(status, ctx-oid, oidset); -+ -+ if (gethostname(lname, MAXHOSTNAMELEN)) { -+ gss_release_oid_set(status, oidset); -+ return (-1); -+ } -+ -+ if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { -+ gss_release_oid_set(status, oidset); -+ return (ctx-major); -+ } -+ -+ if ((ctx-major = gss_acquire_cred(ctx-minor, -+ ctx-name, 0, oidset, GSS_C_ACCEPT, ctx-creds, -+ NULL, NULL))) -+ ssh_gssapi_error(ctx); - -- if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) { - gss_release_oid_set(status, oidset); - return (ctx-major); -+ } else { -+ ctx-name = GSS_C_NO_NAME; -+ ctx-creds = GSS_C_NO_CREDENTIAL; - } -- -- if ((ctx-major = gss_acquire_cred(ctx-minor, -- ctx-name, 0, oidset, GSS_C_ACCEPT, ctx-creds, NULL, NULL))) -- ssh_gssapi_error(ctx); -- -- gss_release_oid_set(status, oidset); -- return (ctx-major); -+ return GSS_S_COMPLETE; - } - - /* Privileged */ -Index: servconf.c -=== -RCS file: /cvs/src/usr.bin/ssh/servconf.c,v -retrieving revision 1.201 -diff -u -p -r1.201 servconf.c servconf.c 10 Jan 2010 03:51:17 - 1.201 -+++ servconf.c 11 Jan 
2010 05:34:56 - -@@ -86,6 +86,7 @@ initialize_server_options(ServerOptions - options-kerberos_get_afs_token = -1; - options-gss_authentication=-1; - options-gss_cleanup_creds = -1; -+ options-gss_strict_acceptor = -1; - options-password_authentication = -1; - options-kbd_interactive_authentication = -1; - options-challenge_response_authentication = -1; -@@ -200,6 +201,8 @@ fill_default_server_options(ServerOption - options-gss_authentication = 0; - if (options-gss_cleanup_creds == -1) - options-gss_cleanup_creds = 1; -+ if (options-gss_strict_acceptor == -1) -+ options-gss_strict_acceptor = 0; - if (options-password_authentication == -1) - options-password_authentication = 1; - if
[gentoo-commits] proj/hardened-dev:musl commit in: net-misc/openssh/, net-misc/openssh/files/
commit: c84c8147dc01677b7fffde06a97af0753e88a207 Author: Felix Janda felix.janda AT posteo DOT de AuthorDate: Wed Dec 10 22:37:47 2014 + Commit: Anthony G. Basile blueness AT gentoo DOT org CommitDate: Thu Dec 11 14:28:48 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=c84c8147 net-misc/openssh: bump to 6.7_p1 Signed-off-by: Anthony G. Basile blueness AT gentoo.org --- .../openssh-6.7_p1-openssl-ignore-status.patch | 17 + .../files/openssh-6.7_p1-sctp-x509-glue.patch | 42 ++ .../openssh-6.7_p1-sshd-gssapi-multihomed.patch| 162 .../openssh/files/openssh-6.7_p1-x509-glue.patch | 46 +++ .../openssh/files/openssh-6.7p1-avoid-exit.patch | 441 + net-misc/openssh/openssh-6.7_p1-r99.ebuild | 326 +++ 6 files changed, 1034 insertions(+) diff --git a/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch b/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch new file mode 100644 index 000..fa33af3 --- /dev/null +++ b/net-misc/openssh/files/openssh-6.7_p1-openssl-ignore-status.patch @@ -0,0 +1,17 @@ +the last nibble of the openssl version represents the status. that is, +whether it is a beta or release. when it comes to version checks in +openssh, this component does not matter, so ignore it. + +https://bugzilla.mindrot.org/show_bug.cgi?id=2212 + +--- a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c +@@ -58,7 +58,7 @@ ssh_compatible_openssl(long headerver, long libver) +* For versions = 1.0.0, major,minor,status must match and library +* fix version must be equal to or newer than the header. +*/ +- mask = 0xffffL; /* major,minor,status */ ++ mask = 0xfff0L; /* major,minor,status */ + hfix = (headerver 0x000ff000) 12; + lfix = (libver 0x000ff000) 12; + if ( (headerver mask) == (libver mask) lfix = hfix) diff --git a/net-misc/openssh/files/openssh-6.7_p1-sctp-x509-glue.patch b/net-misc/openssh/files/openssh-6.7_p1-sctp-x509-glue.patch new file mode 100644 index 000..bd0b7ce --- /dev/null 
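Review bot: The changed line `mask = 0xfff0L; /* major,minor,status */` keeps the old comment while the new mask deliberately drops the status nibble, so the comment now contradicts the code; it should read `mask = 0xfff0L; /* major,minor */`, and the block comment just above it that says major, minor and status must match needs the same correction. The effect of the change is that a release header can now be paired with a beta library of the same version (and vice versa), which is the intent per the linked mindrot bug, but the patch description should say the check is weakened rather than that the nibble "does not matter". `ssh_compatible_openssl` continues outside the quoted hunk.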
+++ b/net-misc/openssh/files/openssh-6.7_p1-sctp-x509-glue.patch @@ -0,0 +1,42 @@ +--- openssh-6.7_p1-sctp.patch.orig 2014-11-24 10:34:31.817538707 -0800 openssh-6.7_p1-sctp.patch 2014-11-24 10:38:52.744990154 -0800 +@@ -195,14 +195,6 @@ + .Op Fl c Ar cipher + .Op Fl F Ar ssh_config + .Op Fl i Ar identity_file +-@@ -178,6 +178,7 @@ For full details of the options listed b +- .It ServerAliveCountMax +- .It StrictHostKeyChecking +- .It TCPKeepAlive +-+.It Transport +- .It UsePrivilegedPort +- .It User +- .It UserKnownHostsFile + @@ -218,6 +219,8 @@ and + to print debugging messages about their progress. + This is helpful in +@@ -482,14 +474,6 @@ + .Op Fl b Ar bind_address + .Op Fl c Ar cipher_spec + .Op Fl D Oo Ar bind_address : Oc Ns Ar port +-@@ -473,6 +473,7 @@ For full details of the options listed b +- .It StreamLocalBindUnlink +- .It StrictHostKeyChecking +- .It TCPKeepAlive +-+.It Transport +- .It Tunnel +- .It TunnelDevice +- .It UsePrivilegedPort + @@ -665,6 +666,8 @@ Trusted X11 forwardings are not subjecte + controls. + .It Fl y +@@ -527,7 +511,7 @@ +- again: ++ + - while ((opt = getopt(ac, av, 1246ab:c:e:fgi:kl:m:no:p:qstvx + + while ((opt = getopt(ac, av, 1246ab:c:e:fgi:kl:m:no:p:qstvx SCTP_OPT +- ACD:E:F:I:KL:MNO:PQ:R:S:TVw:W:XYy)) != -1) { ++ ACD:E:F: ENGCONFIG I:KL:MNO:PQ:R:S:TVw:W:XYy)) != -1) { + switch (opt) { + case '1': + @@ -732,6 +738,11 @@ main(int ac, char **av) diff --git a/net-misc/openssh/files/openssh-6.7_p1-sshd-gssapi-multihomed.patch b/net-misc/openssh/files/openssh-6.7_p1-sshd-gssapi-multihomed.patch new file mode 100644 index 000..96818e4 --- /dev/null +++ b/net-misc/openssh/files/openssh-6.7_p1-sshd-gssapi-multihomed.patch 
@@ -0,0 +1,162 @@ +https://bugs.gentoo.org/378361 +https://bugzilla.mindrot.org/show_bug.cgi?id=928 + +--- a/gss-serv.c b/gss-serv.c +@@ -41,9 +41,12 @@ + #include channels.h + #include session.h + #include misc.h ++#include servconf.h + + #include ssh-gss.h + ++extern ServerOptions options; ++ + static ssh_gssapi_client gssapi_client = + { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER, + GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}}; +@@ -77,25 +80,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) + char lname[NI_MAXHOST]; + gss_OID_set oidset; + +- gss_create_empty_oid_set(status, oidset); +- gss_add_oid_set_member(status, ctx-oid, oidset); +- +- if (gethostname(lname, sizeof(lname))) { +- gss_release_oid_set(status, oidset); +- return (-1); +- } ++ if (options.gss_strict_acceptor) { ++ gss_create_empty_oid_set(status, oidset); ++ gss_add_oid_set_member(status, ctx-oid, oidset); ++ ++ if (gethostname(lname, MAXHOSTNAMELEN)) { ++
[gentoo-commits] proj/hardened-dev:musl commit in: net-misc/openssh/
commit: 7d717d6413251a58a4ad004a1058da2ae22dd119 Author: Felix Janda felix.janda AT posteo DOT de AuthorDate: Mon Nov 10 19:05:11 2014 + Commit: Anthony G. Basile blueness AT gentoo DOT org CommitDate: Tue Nov 18 21:59:09 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=7d717d64 net-misc/openssh: disable stack-protector for powerpc Signed-off-by: Anthony G. Basile blueness AT gentoo.org --- net-misc/openssh/openssh-6.6_p1-r99.ebuild | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net-misc/openssh/openssh-6.6_p1-r99.ebuild b/net-misc/openssh/openssh-6.6_p1-r99.ebuild index 61acd18..3d51e6e 100644 --- a/net-misc/openssh/openssh-6.6_p1-r99.ebuild +++ b/net-misc/openssh/openssh-6.6_p1-r99.ebuild @@ -180,7 +180,9 @@ src_configure() { append-ldflags -lutil fi + # __stack_chk_fail_local use x86 myconf=${myconf} --without-stackprotect + use ppc myconf=${myconf} --without-stackprotect econf \ --with-ldflags=${LDFLAGS} \
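Review bot: The added `use ppc` line keys on the 32-bit `ppc` USE flag only; if 64-bit PowerPC builds in this overlay hit the same missing `__stack_chk_fail_local` link error, a `ppc64` check would be needed as well — verify against the musl targets the overlay actually supports. The comment `# __stack_chk_fail_local` that this hunk adds only names the symbol; a reader needs to know that it is a missing-symbol workaround that costs stack-protector coverage for sshd, so say so in a sentence. Stylistically, the string-append form of `myconf` used here relies on later word-splitting; the 6.7 ebuild on this page switched to the array form `myconf+=( --without-stackprotect )`, which is the safer idiom. `src_configure` continues outside the hunk.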
[gentoo-commits] proj/hardened-dev:musl commit in: net-misc/openssh/files/, net-misc/openssh/
commit: 7a0b15d0ae44c5d039c28da66f7120ff21df5943 Author: layman layman AT localhost AuthorDate: Sat May 24 20:37:41 2014 + Commit: Anthony G. Basile blueness AT gentoo DOT org CommitDate: Sun May 25 00:44:25 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=7a0b15d0 net-misc/openssh: bump to 6.6.1_p1 Package-Manager: portage-2.2.10 --- .../openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch| 26 net-misc/openssh/files/openssh-6.6.1_p1.patch | 167 + ...4_p1-r99.ebuild = openssh-6.6.1_p1-r99.ebuild} | 30 ++-- 3 files changed, 214 insertions(+), 9 deletions(-) diff --git a/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch b/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch new file mode 100644 index 000..c76015d --- /dev/null +++ b/net-misc/openssh/files/openssh-6.6.1_p1-x509-hpn14v4-glue-p2.patch @@ -0,0 +1,26 @@ +make the hpn patch apply when the x509 patch has also been applied + +--- openssh-6.6.1p1-hpnssh14v4.diff openssh-6.6.1p1-hpnssh14v4.diff +@@ -1742,18 +1742,14 @@ + if (options-ip_qos_interactive == -1) + options-ip_qos_interactive = IPTOS_LOWDELAY; + if (options-ip_qos_bulk == -1) +-@@ -345,9 +393,10 @@ ++@@ -345,6 +393,7 @@ + sUsePrivilegeSeparation, sAllowAgentForwarding, + sHostCertificate, + sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, +-+ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, +++ sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize, sNoneEnabled, + sKexAlgorithms, sIPQoS, sVersionAddendum, + sAuthorizedKeysCommand, sAuthorizedKeysCommandUser, +-- sAuthenticationMethods, sHostKeyAgent, +-+ sAuthenticationMethods, sNoneEnabled, sHostKeyAgent, +- sDeprecated, sUnsupported +- } ServerOpCodes; +- ++ sAuthenticationMethods, sHostKeyAgent, + @@ -468,6 +517,10 @@ + { revokedkeys, sRevokedKeys, SSHCFG_ALL }, + { trustedusercakeys, sTrustedUserCAKeys, SSHCFG_ALL }, 
diff --git a/net-misc/openssh/files/openssh-6.6.1_p1.patch b/net-misc/openssh/files/openssh-6.6.1_p1.patch new file mode 100644 index 000..b11f6fb --- /dev/null +++ b/net-misc/openssh/files/openssh-6.6.1_p1.patch 
@@ -0,0 +1,167 @@ +Hi, + +So I screwed up when writing the support for the curve25519 KEX method +that doesn't depend on OpenSSL's BIGNUM type - a bug in my code left +leading zero bytes where they should have been skipped. The impact of +this is that OpenSSH 6.5 and 6.6 will fail during key exchange with a +peer that implements curve25519-sha256 at libssh.org properly about 0.2% +of the time (one in every 512ish connections). + +We've fixed this for OpenSSH 6.7 by avoiding the curve25519-sha256 +key exchange for previous versions, but I'd recommend distributors +of OpenSSH apply this patch so the affected code doesn't become +too entrenched in LTS releases. + +The patch fixes the bug and makes OpenSSH identify itself as 6.6.1 so as +to distinguish itself from the incorrect versions so the compatibility +code to disable the affected KEX isn't activated. + +I've committed this on the 6.6 branch too. + +Apologies for the hassle. + +-d + +Index: version.h +=== +RCS file: /var/cvs/openssh/version.h,v +retrieving revision 1.82 +diff -u -p -r1.82 version.h +--- version.h 27 Feb 2014 23:01:54 - 1.82 version.h 20 Apr 2014 03:35:15 - +@@ -1,6 +1,6 @@ + /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */ + +-#define SSH_VERSION OpenSSH_6.6 ++#define SSH_VERSION OpenSSH_6.6.1 + + #define SSH_PORTABLE p1 + #define SSH_RELEASE SSH_VERSION SSH_PORTABLE +Index: compat.c +=== +RCS file: /var/cvs/openssh/compat.c,v +retrieving revision 1.82 +retrieving revision 1.85 +diff -u -p -r1.82 -r1.85 +--- compat.c 31 Dec 2013 01:25:41 - 1.82 compat.c 20 Apr 2014 03:33:59 - 1.85 +@@ -95,6 +95,9 @@ compat_datafellows(const char *version) + { Sun_SSH_1.0*, SSH_BUG_NOREKEY|SSH_BUG_EXTEOF}, + { OpenSSH_4*, 0 }, + { OpenSSH_5*, SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT}, ++ { OpenSSH_6.6.1*, SSH_NEW_OPENSSH}, ++ { OpenSSH_6.5*, ++OpenSSH_6.6*, SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD}, + { OpenSSH*, SSH_NEW_OPENSSH }, + { *MindTerm*, 0 }, + { 2.1.0*, SSH_BUG_SIGBLOB|SSH_BUG_HMAC| +@@ -251,7 
+254,6 @@ compat_cipher_proposal(char *cipher_prop + return cipher_prop; + } + +- + char * + compat_pkalg_proposal(char *pkalg_prop) + { +@@ -263,5 +265,18 @@ compat_pkalg_proposal(char *pkalg_prop) + if (*pkalg_prop == '\0') + fatal(No supported PK algorithms found); + return pkalg_prop; ++} ++ ++char *
[gentoo-commits] proj/hardened-dev:musl commit in: net-misc/openssh/
commit: 2cafb689e1bf4a7ad609a3f4d662f6250b8c5579 Author: Anthony G. Basile blueness AT gentoo DOT org AuthorDate: Sat Mar 22 12:29:17 2014 + Commit: Anthony G. Basile blueness AT gentoo DOT org CommitDate: Sat Mar 22 12:29:17 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=2cafb689 net-misc/openssh: fix white space Package-Manager: portage-2.2.7 Manifest-Sign-Key: 0xF52D4BBA --- net-misc/openssh/openssh-6.6_p1-r99.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net-misc/openssh/openssh-6.6_p1-r99.ebuild b/net-misc/openssh/openssh-6.6_p1-r99.ebuild index 3232115..b082439 100644 --- a/net-misc/openssh/openssh-6.6_p1-r99.ebuild +++ b/net-misc/openssh/openssh-6.6_p1-r99.ebuild @@ -138,7 +138,7 @@ src_prepare() { epatch ${FILESDIR}/${PN}-6.4p1-avoid-exit.patch epatch ${FILESDIR}/${PN}-6.4p1-missing-sys_param_h.patch - epatch ${FILESDIR}/${PN}-6.4p1-fix-typo-construct_utmpx.patch + epatch ${FILESDIR}/${PN}-6.4p1-fix-typo-construct_utmpx.patch epatch_user #473004
[gentoo-commits] proj/hardened-dev:musl commit in: net-misc/openssh/
commit: 07c80e5acf14628024ef5f609f1be73993a7ea04 Author: Anthony G. Basile blueness AT gentoo DOT org AuthorDate: Sat Mar 22 13:45:03 2014 + Commit: Anthony G. Basile blueness AT gentoo DOT org CommitDate: Sat Mar 22 13:45:03 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=07c80e5a net-misc/openssh: see http://gcc.gnu.org/ml/gcc/2012-01/msg00012.html Package-Manager: portage-2.2.7 Manifest-Sign-Key: 0xF52D4BBA --- net-misc/openssh/openssh-6.6_p1-r99.ebuild | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net-misc/openssh/openssh-6.6_p1-r99.ebuild b/net-misc/openssh/openssh-6.6_p1-r99.ebuild index b082439..379d385 100644 --- a/net-misc/openssh/openssh-6.6_p1-r99.ebuild +++ b/net-misc/openssh/openssh-6.6_p1-r99.ebuild @@ -180,6 +180,8 @@ src_configure() { append-ldflags -lutil fi + use x86 myconf=${myconf} --without-stackprotect + econf \ --with-ldflags=${LDFLAGS} \ --disable-strip \
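Review bot: The added `use x86` line disables the stack protector for the whole package with no comment at all; the only rationale is the URL in the commit title, which nobody reading the ebuild will see. Add a why-comment above it, e.g. `# gcc emits __stack_chk_fail_local for PIC code on x86; the libc here does not provide it, so SSP is off for now (see http://gcc.gnu.org/ml/gcc/2012-01/msg00012.html)`, and note that it is a hardening regression meant to be temporary. That the missing symbol is a musl issue is my inference from the overlay name — confirm it before writing it down. `src_configure` continues outside the hunk.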
[gentoo-commits] proj/hardened-dev:musl commit in: net-misc/openssh/files/, net-misc/openssh/
commit: c28b27ab2f2d2ed00e42b95086675c06603f1bf7 Author: layman layman AT localhost AuthorDate: Fri Mar 21 16:41:30 2014 + Commit: Anthony G. Basile blueness AT gentoo DOT org CommitDate: Fri Mar 21 16:44:33 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=c28b27ab net-misc/openssh: bump to 6.6_p1 --- .../files/openssh-6.5_p1-hpn-cipher-align.patch| 114 .../openssh-6.6_p1-openssl-ignore-status.patch | 17 ++ .../openssh/files/openssh-6.6_p1-x509-glue.patch | 16 ++ .../openssh-6.6_p1-x509-hpn14v4-glue-p2.patch | 26 ++ net-misc/openssh/openssh-6.6_p1-r99.ebuild | 316 + 5 files changed, 489 insertions(+) diff --git a/net-misc/openssh/files/openssh-6.5_p1-hpn-cipher-align.patch b/net-misc/openssh/files/openssh-6.5_p1-hpn-cipher-align.patch new file mode 100644 index 000..cfb060f --- /dev/null +++ b/net-misc/openssh/files/openssh-6.5_p1-hpn-cipher-align.patch 
@@ -0,0 +1,114 @@ +https://bugs.gentoo.org/498632 + +make sure we do not use unaligned loads/stores as some arches really hate that. + +--- a/cipher-ctr-mt.c b/cipher-ctr-mt.c +@@ -58,8 +58,16 @@ + /* Collect thread stats and print at cancellation when in debug mode */ + /* #define CIPHER_THREAD_STATS */ + +-/* Use single-byte XOR instead of 8-byte XOR */ +-/* #define CIPHER_BYTE_XOR */ ++/* Can the system do unaligned loads natively? */ ++#if defined(__aarch64__) || \ ++defined(__i386__)|| \ ++defined(__powerpc__) || \ ++defined(__x86_64__) ++# define CIPHER_UNALIGNED_OK ++#endif ++#if defined(__SIZEOF_INT128__) ++# define CIPHER_INT128_OK ++#endif + /* END TUNABLES */ + + +@@ -285,8 +293,20 @@ thread_loop(void *x) + + static int + ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, +-u_int len) ++size_t len) + { ++ typedef union { ++#ifdef CIPHER_INT128_OK ++ __uint128_t *u128; ++#endif ++ uint64_t *u64; ++ uint32_t *u32; ++ uint8_t *u8; ++ const uint8_t *cu8; ++ uintptr_t u; ++ } ptrs_t; ++ ptrs_t destp, srcp, bufp; ++ uintptr_t align; + struct ssh_aes_ctr_ctx *c; + struct kq *q, *oldq; + int ridx; +@@ -301,35 +321,41 @@ ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, + ridx = c-ridx; + + /* src already padded to block multiple */ ++ srcp.cu8 = src; ++ destp.u8 = dest; + while (len 0) { + buf = q-keys[ridx]; ++ bufp.u8 = buf; + +-#ifdef CIPHER_BYTE_XOR +- dest[0] = src[0] ^ buf[0]; +- dest[1] = src[1] ^ buf[1]; +- dest[2] = src[2] ^ buf[2]; +- dest[3] = src[3] ^ buf[3]; +- dest[4] = src[4] ^ buf[4]; +- dest[5] = src[5] ^ buf[5]; +- dest[6] = src[6] ^ buf[6]; +- dest[7] = src[7] ^ buf[7]; +- dest[8] = src[8] ^ buf[8]; +- dest[9] = src[9] ^ buf[9]; +- dest[10] = src[10] ^ buf[10]; +- dest[11] = src[11] ^ buf[11]; +- dest[12] = src[12] ^ buf[12]; +- dest[13] = src[13] ^ buf[13]; +- dest[14] = src[14] ^ buf[14]; +- dest[15] = src[15] ^ buf[15]; +-#else +- *(uint64_t *)dest = *(uint64_t *)src ^ *(uint64_t *)buf; +- *(uint64_t *)(dest + 
8) = *(uint64_t *)(src + 8) ^ +- *(uint64_t *)(buf + 8); +-#endif ++ /* figure out the alignment on the fly */ ++#ifdef CIPHER_UNALIGNED_OK ++ align = 0; ++#else ++ align = destp.u | srcp.u | bufp.u; ++#endif ++ ++#ifdef CIPHER_INT128_OK ++ if ((align 0xf) == 0) { ++ destp.u128[0] = srcp.u128[0] ^ bufp.u128[0]; ++ } else ++#endif ++ if ((align 0x7) == 0) { ++ destp.u64[0] = srcp.u64[0] ^ bufp.u64[0]; ++ destp.u64[1] = srcp.u64[1] ^ bufp.u64[1]; ++ } else if ((align 0x3) == 0) { ++ destp.u32[0] = srcp.u32[0] ^ bufp.u32[0]; ++ destp.u32[1] = srcp.u32[1] ^ bufp.u32[1]; ++ destp.u32[2] = srcp.u32[2] ^ bufp.u32[2]; ++ destp.u32[3] = srcp.u32[3] ^ bufp.u32[3]; ++ } else { ++ size_t i; ++ for (i = 0; i AES_BLOCK_SIZE; ++i) ++ dest[i] = src[i] ^ buf[i]; ++ } + +- dest += 16; +- src += 16; +- len -= 16; ++ destp.u += AES_BLOCK_SIZE; ++ srcp.u += AES_BLOCK_SIZE; ++ len -= AES_BLOCK_SIZE; + ssh_ctr_inc(ctx-iv, AES_BLOCK_SIZE); + + /* Increment read index, switch queues on rollover */ diff --git
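Review bot: The byte-wise fallback `dest[i] = src[i] ^ buf[i];` still indexes the original `dest` and `src` parameters, but the rewritten loop advances only `destp.u` and `srcp.u` (the old `dest += 16; src += 16;` lines are removed), so on a target without `CIPHER_UNALIGNED_OK` whose buffers are not 4-byte aligned, every block after the first is XORed from block 0 and written back to block 0, leaving the rest of `dest` untouched — and, if any caller crypts in place, leaving it as plaintext. `buf` is reloaded each iteration so only those two pointers are stale; the line should read `destp.u8[i] = srcp.cu8[i] ^ bufp.u8[i];`, and note this path can only ever run on the non-`CIPHER_UNALIGNED_OK` arches the patch was written for, since `align` is forced to 0 elsewhere. Separately, storing through `destp.u64`, `destp.u32` and `destp.u128` into `u_char` storage is a strict-aliasing violation that usually behaves at -O2 but deserves `__attribute__((__may_alias__))` typedefs for those members or `-fno-strict-aliasing` for this file. `ssh_aes_ctr` continues outside the hunk.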