openssh: update to openssh-6.7p1

2025-07-24 11:16:51 +00:00 · 2014-10-07 19:51:43 +03:00 · 2014-10-07 19:51:43 +03:00 · 90a729457b
commit 90a729457b
parent dc51895fff
3 changed files with 52 additions and 420 deletions
--- a/packages/network/openssh/package.mk
+++ b/packages/network/openssh/package.mk
@ -17,7 +17,7 @@
 ################################################################################

 PKG_NAME="openssh"
-PKG_VERSION="6.6p1"
+PKG_VERSION="6.7p1"
 PKG_REV="1"
 PKG_ARCH="any"
 PKG_LICENSE="OSS"
--- a/packages/network/openssh/patches/openssh-keydir.patch
+++ b/packages/network/openssh/patches/openssh-keydir.patch
@ -1,49 +1,11 @@
-diff -Naur openssh-6.6p1/configure.ac openssh-6.6p1.patch/configure.ac
--- openssh-6.6p1/configure.ac	2014-02-21 18:09:34.000000000 +0100
-+++ openssh-6.6p1.patch/configure.ac	2014-08-03 14:19:49.867173481 +0200
-@@ -4444,6 +4444,17 @@
- 	]
- )
- 
-+# Set keydir
-+AC_ARG_WITH([keydir],
-+	[  --with-keydir=      Specify different path for storing keys],
-+	[
-+		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
-+		    test "x${withval}" != "xyes"; then
-+			KEYDIR=$withval
-+		fi
-+	]
-+)
-+AC_SUBST([KEYDIR])
- 
- AC_MSG_CHECKING([if we need to convert IPv4 in IPv6-mapped addresses])
- IPV4_IN6_HACK_MSG="no"
-@@ -4814,6 +4825,7 @@
- H=`eval echo ${PRIVSEP_PATH}` ; H=`eval echo ${H}`
- I=`eval echo ${user_path}` ; I=`eval echo ${I}`
- J=`eval echo ${superuser_path}` ; J=`eval echo ${J}`
-+K=`eval echo ${KEYDIR}` ; K=`eval echo ${K}`
- 
- echo ""
- echo "OpenSSH has been configured with the following options:"
-@@ -4837,6 +4849,9 @@
- if test ! -z "$superuser_path" ; then
- echo "          sshd superuser user PATH: $J"
- fi
-+if test ! -z "$KEYDIR" ; then
-+echo "                      sshd keydir : $K"
-+fi
- echo "                    Manpage format: $MANTYPE"
- echo "                       PAM support: $PAM_MSG"
- echo "                   OSF SIA support: $SIA_MSG"
-diff -Naur openssh-6.6p1/Makefile.in openssh-6.6p1.patch/Makefile.in
--- openssh-6.6p1/Makefile.in	2014-02-04 01:12:56.000000000 +0100
-+++ openssh-6.6p1.patch/Makefile.in	2014-08-03 14:12:36.716017883 +0200
-@@ -29,8 +29,10 @@
- PRIVSEP_PATH=@PRIVSEP_PATH@
+diff --git a/Makefile.in b/Makefile.in
+index 06be3d5..5272bda 100644
+--- a/Makefile.in
+++ b/Makefile.in
+@@ -30,8 +30,10 @@ PRIVSEP_PATH=@PRIVSEP_PATH@
 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
 STRIP_OPT=@STRIP_OPT@
+ TEST_SHELL=@TEST_SHELL@
 +KEYDIR=@KEYDIR@
 
 PATHS= -DSSHDIR=\"$(sysconfdir)\" \
@ -51,7 +13,7 @@ diff -Naur openssh-6.6p1/Makefile.in openssh-6.6p1.patch/Makefile.in
 	-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
 	-D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \
 	-D_PATH_SFTP_SERVER=\"$(SFTP_SERVER)\" \
-@@ -111,11 +113,11 @@
+@@ -121,11 +123,11 @@ PATHSUBS	= \
 	-e 's|/etc/ssh/sshd_config|$(sysconfdir)/sshd_config|g' \
 	-e 's|/usr/libexec|$(libexecdir)|g' \
 	-e 's|/etc/shosts.equiv|$(sysconfdir)/shosts.equiv|g' \
@ -68,9 +30,50 @@ diff -Naur openssh-6.6p1/Makefile.in openssh-6.6p1.patch/Makefile.in
 	-e 's|/var/run/sshd.pid|$(piddir)/sshd.pid|g' \
 	-e 's|/etc/moduli|$(sysconfdir)/moduli|g' \
 	-e 's|/etc/ssh/moduli|$(sysconfdir)/moduli|g' \
-diff -Naur openssh-6.6p1/pathnames.h openssh-6.6p1.patch/pathnames.h
--- openssh-6.6p1/pathnames.h	2013-12-07 01:24:02.000000000 +0100
-+++ openssh-6.6p1.patch/pathnames.h	2014-08-03 13:03:43.612029243 +0200
+diff --git a/configure.ac b/configure.ac
+index 67c4486..b4297bf 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -4429,6 +4429,17 @@ AC_ARG_WITH([superuser-path],
+ 	]
+ )
+ 
+# Set keydir
+AC_ARG_WITH([keydir],
+	[  --with-keydir=      Specify different path for storing keys],
+	[
+		if test -n "$withval"  &&  test "x$withval" != "xno"  &&  \
+                    test "x${withval}" != "xyes"; then
+			KEYDIR=$withval
+		fi
+	]
+)
+AC_SUBST([KEYDIR])
+ 
+ AC_MSG_CHECKING([if we need to convert IPv4 in IPv6-mapped addresses])
+ IPV4_IN6_HACK_MSG="no"
+@@ -4799,6 +4810,7 @@ G=`eval echo ${piddir}` ; G=`eval echo ${G}`
+ H=`eval echo ${PRIVSEP_PATH}` ; H=`eval echo ${H}`
+ I=`eval echo ${user_path}` ; I=`eval echo ${I}`
+ J=`eval echo ${superuser_path}` ; J=`eval echo ${J}`
+K=`eval echo ${KEYDIR}` ; K=`eval echo ${K}`
+ 
+ echo ""
+ echo "OpenSSH has been configured with the following options:"
+@@ -4822,6 +4834,9 @@ fi
+ if test ! -z "$superuser_path" ; then
+ echo "          sshd superuser user PATH: $J"
+ fi
+if test ! -z "$KEYDIR" ; then
+echo "                       sshd keydir: $K"
+fi
+ echo "                    Manpage format: $MANTYPE"
+ echo "                       PAM support: $PAM_MSG"
+ echo "                   OSF SIA support: $SIA_MSG"
+diff --git a/pathnames.h b/pathnames.h
+index ec89fc6..8a33ca2 100644
+--- a/pathnames.h
+++ b/pathnames.h
@@ -18,6 +18,10 @@
 #define SSHDIR				ETCDIR "/ssh"
 #endif
--- a/packages/network/openssh/patches/openssh-libressl-compat_arc4random.patch
+++ b/packages/network/openssh/patches/openssh-libressl-compat_arc4random.patch
@ -1,371 +0,0 @@
-diff -Naur openssh-6.6p1-van/openbsd-compat/arc4random.c openssh-6.6p1/openbsd-compat/arc4random.c
--- openssh-6.6p1-van/openbsd-compat/arc4random.c	2013-10-09 01:44:49.000000000 +0200
-+++ openssh-6.6p1/openbsd-compat/arc4random.c	2014-07-12 02:18:41.091969421 +0200
-@@ -1,6 +1,4 @@
-/* OPENBSD ORIGINAL: lib/libc/crypto/arc4random.c */
-
-/*	$OpenBSD: arc4random.c,v 1.25 2013/10/01 18:34:57 markus Exp $	*/
-+/*	$OpenBSD: arc4random.c,v 1.38 2014/06/26 19:23:15 deraadt Exp $	*/
- 
- /*
-  * Copyright (c) 1996, David Mazieres <dm@uun.org>
-@@ -24,43 +22,46 @@
-  * ChaCha based random number generator for OpenBSD.
-  */
- 
-#include "includes.h"
-
-+#include <fcntl.h>
-+#include <limits.h>
-+#include <signal.h>
-+#include <stdint.h>
- #include <stdlib.h>
- #include <string.h>
- #include <unistd.h>
- #include <sys/types.h>
-+#include <sys/param.h>
-+#include <sys/time.h>
-+#include <sys/mman.h>
- 
-#ifndef HAVE_ARC4RANDOM
-
-#include <openssl/rand.h>
-#include <openssl/err.h>
-
-#include "log.h"
-+#include "thread_private.h"
- 
- #define KEYSTREAM_ONLY
- #include "chacha_private.h"
- 
-+#define min(a, b) ((a) < (b) ? (a) : (b))
- #ifdef __GNUC__
- #define inline __inline
- #else				/* !__GNUC__ */
- #define inline
- #endif				/* !__GNUC__ */
- 
-/* OpenSSH isn't multithreaded */
-#define _ARC4_LOCK()
-#define _ARC4_UNLOCK()
-
- #define KEYSZ	32
- #define IVSZ	8
- #define BLOCKSZ	64
- #define RSBUFSZ	(16*BLOCKSZ)
-static int rs_initialized;
-static pid_t rs_stir_pid;
-static chacha_ctx rs;		/* chacha context for random keystream */
-static u_char rs_buf[RSBUFSZ];	/* keystream blocks */
-static size_t rs_have;		/* valid bytes at end of rs_buf */
-static size_t rs_count;		/* bytes till reseed */
-+
-+/* Marked MAP_INHERIT_ZERO, so zero'd out in fork children. */
-+static struct {
-+	size_t		rs_have;	/* valid bytes at end of rs_buf */
-+	size_t		rs_count;	/* bytes till reseed */
-+} *rs;
-+
-+/* Preserved in fork children. */
-+static struct {
-+	chacha_ctx	rs_chacha;	/* chacha context for random keystream */
-+	u_char		rs_buf[RSBUFSZ];	/* keystream blocks */
-+} *rsx;
- 
- static inline void _rs_rekey(u_char *dat, size_t datlen);
- 
-@@ -69,8 +70,24 @@
- {
- 	if (n < KEYSZ + IVSZ)
- 		return;
-	chacha_keysetup(&rs, buf, KEYSZ * 8, 0);
-	chacha_ivsetup(&rs, buf + KEYSZ);
-+
-+	if (rs == NULL) {
-+		if ((rs = mmap(NULL, sizeof(*rs), PROT_READ|PROT_WRITE,
-+		    MAP_ANON|MAP_PRIVATE, -1, 0)) == MAP_FAILED)
-+			abort();
-+#ifdef MAP_INHERIT_ZERO
-+		if (minherit(rs, sizeof(*rs), MAP_INHERIT_ZERO) == -1)
-+			abort();
-+#endif
-+	}
-+	if (rsx == NULL) {
-+		if ((rsx = mmap(NULL, sizeof(*rsx), PROT_READ|PROT_WRITE,
-+		    MAP_ANON|MAP_PRIVATE, -1, 0)) == MAP_FAILED)
-+			abort();
-+	}
-+
-+	chacha_keysetup(&rsx->rs_chacha, buf, KEYSZ * 8, 0);
-+	chacha_ivsetup(&rsx->rs_chacha, buf + KEYSZ);
- }
- 
- static void
-@@ -78,120 +95,108 @@
- {
- 	u_char rnd[KEYSZ + IVSZ];
- 
-	if (RAND_bytes(rnd, sizeof(rnd)) <= 0)
-		fatal("Couldn't obtain random bytes (error %ld)",
-		    ERR_get_error());
-+	if (getentropy(rnd, sizeof rnd) == -1)
-+		raise(SIGKILL);
- 
-	if (!rs_initialized) {
-		rs_initialized = 1;
-+	if (!rs)
- 		_rs_init(rnd, sizeof(rnd));
-	} else
-+	else
- 		_rs_rekey(rnd, sizeof(rnd));
-	memset(rnd, 0, sizeof(rnd));
-+	explicit_bzero(rnd, sizeof(rnd));	/* discard source seed */
- 
- 	/* invalidate rs_buf */
-	rs_have = 0;
-	memset(rs_buf, 0, RSBUFSZ);
-+	rs->rs_have = 0;
-+	memset(rsx->rs_buf, 0, sizeof(rsx->rs_buf));
- 
-	rs_count = 1600000;
-+	rs->rs_count = 1600000;
- }
- 
- static inline void
- _rs_stir_if_needed(size_t len)
- {
-+#ifndef MAP_INHERIT_ZERO
-+	static pid_t _rs_pid = 0;
- 	pid_t pid = getpid();
- 
-	if (rs_count <= len || !rs_initialized || rs_stir_pid != pid) {
-		rs_stir_pid = pid;
-+	/* If a system lacks MAP_INHERIT_ZERO, resort to getpid() */
-+	if (_rs_pid == 0 || _rs_pid != pid) {
-+		_rs_pid = pid;
-+		if (rs)
-+			rs->rs_count = 0;
-+	}
-+#endif
-+	if (!rs || rs->rs_count <= len)
- 		_rs_stir();
-	} else
-		rs_count -= len;
-+	if (rs->rs_count <= len)
-+		rs->rs_count = 0;
-+	else
-+		rs->rs_count -= len;
- }
- 
- static inline void
- _rs_rekey(u_char *dat, size_t datlen)
- {
- #ifndef KEYSTREAM_ONLY
-	memset(rs_buf, 0,RSBUFSZ);
-+	memset(rsx->rs_buf, 0, sizeof(rsx->rs_buf));
- #endif
- 	/* fill rs_buf with the keystream */
-	chacha_encrypt_bytes(&rs, rs_buf, rs_buf, RSBUFSZ);
-+	chacha_encrypt_bytes(&rsx->rs_chacha, rsx->rs_buf,
-+	    rsx->rs_buf, sizeof(rsx->rs_buf));
- 	/* mix in optional user provided data */
- 	if (dat) {
- 		size_t i, m;
- 
-		m = MIN(datlen, KEYSZ + IVSZ);
-+		m = min(datlen, KEYSZ + IVSZ);
- 		for (i = 0; i < m; i++)
-			rs_buf[i] ^= dat[i];
-+			rsx->rs_buf[i] ^= dat[i];
- 	}
- 	/* immediately reinit for backtracking resistance */
-	_rs_init(rs_buf, KEYSZ + IVSZ);
-	memset(rs_buf, 0, KEYSZ + IVSZ);
-	rs_have = RSBUFSZ - KEYSZ - IVSZ;
-+	_rs_init(rsx->rs_buf, KEYSZ + IVSZ);
-+	memset(rsx->rs_buf, 0, KEYSZ + IVSZ);
-+	rs->rs_have = sizeof(rsx->rs_buf) - KEYSZ - IVSZ;
- }
- 
- static inline void
- _rs_random_buf(void *_buf, size_t n)
- {
- 	u_char *buf = (u_char *)_buf;
-+	u_char *keystream;
- 	size_t m;
- 
- 	_rs_stir_if_needed(n);
- 	while (n > 0) {
-		if (rs_have > 0) {
-			m = MIN(n, rs_have);
-			memcpy(buf, rs_buf + RSBUFSZ - rs_have, m);
-			memset(rs_buf + RSBUFSZ - rs_have, 0, m);
-+		if (rs->rs_have > 0) {
-+			m = min(n, rs->rs_have);
-+			keystream = rsx->rs_buf + sizeof(rsx->rs_buf)
-+			    - rs->rs_have;
-+			memcpy(buf, keystream, m);
-+			memset(keystream, 0, m);
- 			buf += m;
- 			n -= m;
-			rs_have -= m;
-+			rs->rs_have -= m;
- 		}
-		if (rs_have == 0)
-+		if (rs->rs_have == 0)
- 			_rs_rekey(NULL, 0);
- 	}
- }
- 
- static inline void
-_rs_random_u32(u_int32_t *val)
-+_rs_random_u32(uint32_t *val)
- {
-+	u_char *keystream;
- 	_rs_stir_if_needed(sizeof(*val));
-	if (rs_have < sizeof(*val))
-+	if (rs->rs_have < sizeof(*val))
- 		_rs_rekey(NULL, 0);
-	memcpy(val, rs_buf + RSBUFSZ - rs_have, sizeof(*val));
-	memset(rs_buf + RSBUFSZ - rs_have, 0, sizeof(*val));
-	rs_have -= sizeof(*val);
-	return;
-}
-
-void
-arc4random_stir(void)
-{
-	_ARC4_LOCK();
-	_rs_stir();
-	_ARC4_UNLOCK();
-}
-
-void
-arc4random_addrandom(u_char *dat, int datlen)
-{
-	int m;
-
-	_ARC4_LOCK();
-	if (!rs_initialized)
-		_rs_stir();
-	while (datlen > 0) {
-		m = MIN(datlen, KEYSZ + IVSZ);
-		_rs_rekey(dat, m);
-		dat += m;
-		datlen -= m;
-	}
-	_ARC4_UNLOCK();
-+	keystream = rsx->rs_buf + sizeof(rsx->rs_buf) - rs->rs_have;
-+	memcpy(val, keystream, sizeof(*val));
-+	memset(keystream, 0, sizeof(*val));
-+	rs->rs_have -= sizeof(*val);
- }
- 
-u_int32_t
-+uint32_t
- arc4random(void)
- {
-	u_int32_t val;
-+	uint32_t val;
- 
- 	_ARC4_LOCK();
- 	_rs_random_u32(&val);
-@@ -199,11 +204,6 @@
- 	return val;
- }
- 
-/*
- * If we are providing arc4random, then we can provide a more efficient 
- * arc4random_buf().
- */
-# ifndef HAVE_ARC4RANDOM_BUF
- void
- arc4random_buf(void *buf, size_t n)
- {
-@@ -211,29 +211,7 @@
- 	_rs_random_buf(buf, n);
- 	_ARC4_UNLOCK();
- }
-# endif /* !HAVE_ARC4RANDOM_BUF */
-#endif /* !HAVE_ARC4RANDOM */
- 
-/* arc4random_buf() that uses platform arc4random() */
-#if !defined(HAVE_ARC4RANDOM_BUF) && defined(HAVE_ARC4RANDOM)
-void
-arc4random_buf(void *_buf, size_t n)
-{
-	size_t i;
-	u_int32_t r = 0;
-	char *buf = (char *)_buf;
-
-	for (i = 0; i < n; i++) {
-		if (i % 4 == 0)
-			r = arc4random();
-		buf[i] = r & 0xff;
-		r >>= 8;
-	}
-	i = r = 0;
-}
-#endif /* !defined(HAVE_ARC4RANDOM_BUF) && defined(HAVE_ARC4RANDOM) */
-
-#ifndef HAVE_ARC4RANDOM_UNIFORM
- /*
-  * Calculate a uniformly distributed random number less than upper_bound
-  * avoiding "modulo bias".
-@@ -244,10 +222,10 @@
-  * [2**32 % upper_bound, 2**32) which maps back to [0, upper_bound)
-  * after reduction modulo upper_bound.
-  */
-u_int32_t
-arc4random_uniform(u_int32_t upper_bound)
-+uint32_t
-+arc4random_uniform(uint32_t upper_bound)
- {
-	u_int32_t r, min;
-+	uint32_t r, min;
- 
- 	if (upper_bound < 2)
- 		return 0;
-@@ -269,26 +247,11 @@
- 
- 	return r % upper_bound;
- }
-#endif /* !HAVE_ARC4RANDOM_UNIFORM */
-
-#if 0
-/*-------- Test code for i386 --------*/
-#include <stdio.h>
-#include <machine/pctr.h>
-int
-main(int argc, char **argv)
-+void
-+arc4random_stir(void)
- {
-	const int iter = 1000000;
-	int     i;
-	pctrval v;
-
-	v = rdtsc();
-	for (i = 0; i < iter; i++)
-		arc4random();
-	v = rdtsc() - v;
-	v /= iter;
-
-	printf("%qd cycles\n", v);
-	exit(0);
-+        _ARC4_LOCK();
-+        _rs_stir();
-+        _ARC4_UNLOCK();
- }
-#endif
-+
-diff -Naur openssh-6.6p1-van/openbsd-compat/thread_private.h openssh-6.6p1/openbsd-compat/thread_private.h
--- openssh-6.6p1-van/openbsd-compat/thread_private.h	1970-01-01 01:00:00.000000000 +0100
-+++ openssh-6.6p1/openbsd-compat/thread_private.h	2014-07-12 02:12:30.085607639 +0200
-@@ -0,0 +1,6 @@
-+#include <pthread.h>
-+
-+static pthread_mutex_t arc4random_mtx = PTHREAD_MUTEX_INITIALIZER;
-+
-+#define _ARC4_LOCK()   pthread_mutex_lock(&arc4random_mtx)
-+#define _ARC4_UNLOCK() pthread_mutex_unlock(&arc4random_mtx)