* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh-contrib/files/
@ 2024-02-17 14:35 David Seifert
0 siblings, 0 replies; 3+ messages in thread
From: David Seifert @ 2024-02-17 14:35 UTC (permalink / raw
To: gentoo-commits
commit: 0104890e0756d76bcc03443bc0f35b9833c735bd
Author: Michael Mair-Keimberger <mmk <AT> levelnine <DOT> at>
AuthorDate: Sat Feb 17 14:35:25 2024 +0000
Commit: David Seifert <soap <AT> gentoo <DOT> org>
CommitDate: Sat Feb 17 14:35:25 2024 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0104890e
net-misc/openssh-contrib: remove unused patches
Signed-off-by: Michael Mair-Keimberger <mmk <AT> levelnine.at>
Signed-off-by: David Seifert <soap <AT> gentoo.org>
.../files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch | 18 -------
.../openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch | 13 -----
...enssh-9.3_p1-openssl-version-compat-check.patch | 58 ----------------------
.../files/openssh-9.3_p2-zlib-1.3.patch | 21 --------
4 files changed, 110 deletions(-)
diff --git a/net-misc/openssh-contrib/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch b/net-misc/openssh-contrib/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch
deleted file mode 100644
index 7199227589c6..000000000000
--- a/net-misc/openssh-contrib/files/openssh-8.5_p1-hpn-15.2-sctp-glue.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-diff -u a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff
---- a/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:06:45.020527770 -0700
-+++ b/openssh-8_5_P1-hpn-DynWinNoneSwitch-15.2.diff 2021-03-16 10:07:01.294423665 -0700
-@@ -1414,14 +1414,3 @@
- # Example of overriding settings on a per-user basis
- #Match User anoncvs
- # X11Forwarding no
--diff --git a/version.h b/version.h
--index 6b4fa372..332fb486 100644
----- a/version.h
--+++ b/version.h
--@@ -3,4 +3,5 @@
-- #define SSH_VERSION "OpenSSH_8.5"
--
-- #define SSH_PORTABLE "p1"
---#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--+#define SSH_HPN "-hpn15v2"
--+#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
diff --git a/net-misc/openssh-contrib/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch b/net-misc/openssh-contrib/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch
deleted file mode 100644
index 9e08b2a553c2..000000000000
--- a/net-misc/openssh-contrib/files/openssh-8.9_p1-gss-use-HOST_NAME_MAX.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/gss-serv.c b/gss-serv.c
-index b5d4bb2d..00e3d118 100644
---- a/gss-serv.c
-+++ b/gss-serv.c
-@@ -105,7 +105,7 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
- gss_create_empty_oid_set(&status, &oidset);
- gss_add_oid_set_member(&status, ctx->oid, &oidset);
-
-- if (gethostname(lname, MAXHOSTNAMELEN)) {
-+ if (gethostname(lname, HOST_NAME_MAX)) {
- gss_release_oid_set(&status, &oidset);
- return (-1);
- }
diff --git a/net-misc/openssh-contrib/files/openssh-9.3_p1-openssl-version-compat-check.patch b/net-misc/openssh-contrib/files/openssh-9.3_p1-openssl-version-compat-check.patch
deleted file mode 100644
index b571ae253fff..000000000000
--- a/net-misc/openssh-contrib/files/openssh-9.3_p1-openssl-version-compat-check.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-https://bugzilla.mindrot.org/show_bug.cgi?id=3548
---- a/openbsd-compat/openssl-compat.c
-+++ b/openbsd-compat/openssl-compat.c
-@@ -48,19 +48,25 @@ ssh_compatible_openssl(long headerver, long libver)
- if (headerver == libver)
- return 1;
-
-- /* for versions < 1.0.0, major,minor,fix,status must match */
-- if (headerver < 0x1000000f) {
-- mask = 0xfffff00fL; /* major,minor,fix,status */
-- return (headerver & mask) == (libver & mask);
-+ /*
-+ * For versions < 3.0.0, major,minor,status must match and library
-+ * fix version must be equal to or newer than the header.
-+ */
-+ if (headerver < 0x3000000f) {
-+ mask = 0xfff0000fL; /* major,minor,status */
-+ hfix = (headerver & 0x000ff000) >> 12;
-+ lfix = (libver & 0x000ff000) >> 12;
-+ if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
-+ return 1;
- }
-
- /*
-- * For versions >= 1.0.0, major,minor,status must match and library
-- * fix version must be equal to or newer than the header.
-+ * For versions >= 3.0.0, major must match and minor,status must be
-+ * equal to or greater than the header.
- */
-- mask = 0xfff00000L; /* major,minor,status */
-- hfix = (headerver & 0x000ff000) >> 12;
-- lfix = (libver & 0x000ff000) >> 12;
-+ mask = 0xf000000fL; /* major, status */
-+ hfix = (headerver & 0x0ffffff0L) >> 12;
-+ lfix = (libver & 0x0ffffff0L) >> 12;
- if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
- return 1;
- return 0;
---- a/openbsd-compat/regress/opensslvertest.c
-+++ b/openbsd-compat/regress/opensslvertest.c
-@@ -31,7 +31,7 @@ struct version_test {
- { 0x0090802fL, 0x0090804fL, 1}, /* newer library fix version: ok */
- { 0x0090802fL, 0x0090801fL, 1}, /* older library fix version: ok */
- { 0x0090802fL, 0x0090702fL, 0}, /* older library minor version: NO */
-- { 0x0090802fL, 0x0090902fL, 0}, /* newer library minor version: NO */
-+ { 0x0090802fL, 0x0090902fL, 1}, /* newer library minor version: ok */
- { 0x0090802fL, 0x0080802fL, 0}, /* older library major version: NO */
- { 0x0090802fL, 0x1000100fL, 0}, /* newer library major version: NO */
-
-@@ -41,7 +41,7 @@ struct version_test {
- { 0x1000101fL, 0x1000100fL, 1}, /* older library patch version: ok */
- { 0x1000101fL, 0x1000201fL, 1}, /* newer library fix version: ok */
- { 0x1000101fL, 0x1000001fL, 0}, /* older library fix version: NO */
-- { 0x1000101fL, 0x1010101fL, 0}, /* newer library minor version: NO */
-+ { 0x1000101fL, 0x1010101fL, 1}, /* newer library minor version: ok */
- { 0x1000101fL, 0x0000101fL, 0}, /* older library major version: NO */
- { 0x1000101fL, 0x2000101fL, 0}, /* newer library major version: NO */
- };
diff --git a/net-misc/openssh-contrib/files/openssh-9.3_p2-zlib-1.3.patch b/net-misc/openssh-contrib/files/openssh-9.3_p2-zlib-1.3.patch
deleted file mode 100644
index f1336bbe0380..000000000000
--- a/net-misc/openssh-contrib/files/openssh-9.3_p2-zlib-1.3.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-https://bugs.gentoo.org/912766
-https://github.com/openssh/openssh-portable/commit/cb4ed12ffc332d1f72d054ed92655b5f1c38f621
-
-From cb4ed12ffc332d1f72d054ed92655b5f1c38f621 Mon Sep 17 00:00:00 2001
-From: Darren Tucker <dtucker@dtucker.net>
-Date: Sat, 19 Aug 2023 07:39:08 +1000
-Subject: [PATCH] Fix zlib version check for 1.3 and future version.
-
-bz#3604.
---- a/configure.ac
-+++ b/configure.ac
-@@ -1464,7 +1464,7 @@ else
- [[
- int a=0, b=0, c=0, d=0, n, v;
- n = sscanf(ZLIB_VERSION, "%d.%d.%d.%d", &a, &b, &c, &d);
-- if (n != 3 && n != 4)
-+ if (n < 1)
- exit(1);
- v = a*1000000 + b*10000 + c*100 + d;
- fprintf(stderr, "found zlib version %s (%d)\n", ZLIB_VERSION, v);
-
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh-contrib/files/
@ 2024-04-18 19:32 Conrad Kostecki
0 siblings, 0 replies; 3+ messages in thread
From: Conrad Kostecki @ 2024-04-18 19:32 UTC (permalink / raw
To: gentoo-commits
commit: e72afe2da1a4936ca807afe37799f8442e569c7c
Author: Michael Mair-Keimberger <mmk <AT> levelnine <DOT> at>
AuthorDate: Thu Apr 18 18:14:24 2024 +0000
Commit: Conrad Kostecki <conikost <AT> gentoo <DOT> org>
CommitDate: Thu Apr 18 19:31:48 2024 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e72afe2d
net-misc/openssh-contrib: remove unused patch
Signed-off-by: Michael Mair-Keimberger <mmk <AT> levelnine.at>
Signed-off-by: Conrad Kostecki <conikost <AT> gentoo.org>
.../openssh-contrib/files/openssh-8.6_p1-hpn-version.patch | 13 -------------
1 file changed, 13 deletions(-)
diff --git a/net-misc/openssh-contrib/files/openssh-8.6_p1-hpn-version.patch b/net-misc/openssh-contrib/files/openssh-8.6_p1-hpn-version.patch
deleted file mode 100644
index 6dc290d6737b..000000000000
--- a/net-misc/openssh-contrib/files/openssh-8.6_p1-hpn-version.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/kex.c b/kex.c
-index 34808b5c..88d7ccac 100644
---- a/kex.c
-+++ b/kex.c
-@@ -1205,7 +1205,7 @@ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
- if (version_addendum != NULL && *version_addendum == '\0')
- version_addendum = NULL;
- if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
-- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
-+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE,
- version_addendum == NULL ? "" : " ",
- version_addendum == NULL ? "" : version_addendum)) != 0) {
- oerrno = errno;
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh-contrib/files/
@ 2024-07-05 17:41 Conrad Kostecki
0 siblings, 0 replies; 3+ messages in thread
From: Conrad Kostecki @ 2024-07-05 17:41 UTC (permalink / raw
To: gentoo-commits
commit: 1269a83244e2c7aa6e32f9a3bc8bdec8fa7f569f
Author: Michael Mair-Keimberger <mmk <AT> levelnine <DOT> at>
AuthorDate: Thu Jul 4 06:59:58 2024 +0000
Commit: Conrad Kostecki <conikost <AT> gentoo <DOT> org>
CommitDate: Fri Jul 5 17:41:16 2024 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1269a832
net-misc/openssh-contrib: remove unused patches
Signed-off-by: Michael Mair-Keimberger <mmk <AT> levelnine.at>
Closes: https://github.com/gentoo/gentoo/pull/37421
Signed-off-by: Conrad Kostecki <conikost <AT> gentoo.org>
.../openssh-6.7_p1-openssl-ignore-status.patch | 17 -
...penssh-7.5_p1-disable-conch-interop-tests.patch | 20 --
.../files/openssh-7.9_p1-include-stdlib.patch | 48 ---
.../files/openssh-8.0_p1-fix-putty-tests.patch | 57 ----
.../files/openssh-8.7_p1-GSSAPI-dns.patch | 357 ---------------------
.../files/openssh-8.9_p1-allow-ppoll_time64.patch | 14 -
...mget-shmat-shmdt-in-preauth-privsep-child.patch | 20 --
7 files changed, 533 deletions(-)
diff --git a/net-misc/openssh-contrib/files/openssh-6.7_p1-openssl-ignore-status.patch b/net-misc/openssh-contrib/files/openssh-6.7_p1-openssl-ignore-status.patch
deleted file mode 100644
index fa33af39b6f8..000000000000
--- a/net-misc/openssh-contrib/files/openssh-6.7_p1-openssl-ignore-status.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-the last nibble of the openssl version represents the status. that is,
-whether it is a beta or release. when it comes to version checks in
-openssh, this component does not matter, so ignore it.
-
-https://bugzilla.mindrot.org/show_bug.cgi?id=2212
-
---- a/openbsd-compat/openssl-compat.c
-+++ b/openbsd-compat/openssl-compat.c
-@@ -58,7 +58,7 @@ ssh_compatible_openssl(long headerver, long libver)
- * For versions >= 1.0.0, major,minor,status must match and library
- * fix version must be equal to or newer than the header.
- */
-- mask = 0xfff0000fL; /* major,minor,status */
-+ mask = 0xfff00000L; /* major,minor,status */
- hfix = (headerver & 0x000ff000) >> 12;
- lfix = (libver & 0x000ff000) >> 12;
- if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
diff --git a/net-misc/openssh-contrib/files/openssh-7.5_p1-disable-conch-interop-tests.patch b/net-misc/openssh-contrib/files/openssh-7.5_p1-disable-conch-interop-tests.patch
deleted file mode 100644
index a5647ce9d8d3..000000000000
--- a/net-misc/openssh-contrib/files/openssh-7.5_p1-disable-conch-interop-tests.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-Disable conch interop tests which are failing when called
-via portage for yet unknown reason and because using conch
-seems to be flaky (test is failing when using Python2 but
-passing when using Python3).
-
-Bug: https://bugs.gentoo.org/605446
-
---- a/regress/conch-ciphers.sh
-+++ b/regress/conch-ciphers.sh
-@@ -3,6 +3,10 @@
-
- tid="conch ciphers"
-
-+# https://bugs.gentoo.org/605446
-+echo "conch interop tests skipped due to Gentoo bug #605446"
-+exit 0
-+
- if test "x$REGRESS_INTEROP_CONCH" != "xyes" ; then
- echo "conch interop tests not enabled"
- exit 0
diff --git a/net-misc/openssh-contrib/files/openssh-7.9_p1-include-stdlib.patch b/net-misc/openssh-contrib/files/openssh-7.9_p1-include-stdlib.patch
deleted file mode 100644
index c5697c2b8bd1..000000000000
--- a/net-misc/openssh-contrib/files/openssh-7.9_p1-include-stdlib.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-diff --git a/auth-options.c b/auth-options.c
-index b05d6d6f..d1f42f04 100644
---- a/auth-options.c
-+++ b/auth-options.c
-@@ -26,6 +26,7 @@
- #include <stdarg.h>
- #include <ctype.h>
- #include <limits.h>
-+#include <stdlib.h>
-
- #include "openbsd-compat/sys-queue.h"
-
-diff --git a/hmac.c b/hmac.c
-index 1c879640..a29f32c5 100644
---- a/hmac.c
-+++ b/hmac.c
-@@ -19,6 +19,7 @@
-
- #include <sys/types.h>
- #include <string.h>
-+#include <stdlib.h>
-
- #include "sshbuf.h"
- #include "digest.h"
-diff --git a/krl.c b/krl.c
-index 8e2d5d5d..c32e147a 100644
---- a/krl.c
-+++ b/krl.c
-@@ -28,6 +28,7 @@
- #include <string.h>
- #include <time.h>
- #include <unistd.h>
-+#include <stdlib.h>
-
- #include "sshbuf.h"
- #include "ssherr.h"
-diff --git a/mac.c b/mac.c
-index 51dc11d7..3d11eba6 100644
---- a/mac.c
-+++ b/mac.c
-@@ -29,6 +29,7 @@
-
- #include <string.h>
- #include <stdio.h>
-+#include <stdlib.h>
-
- #include "digest.h"
- #include "hmac.h"
diff --git a/net-misc/openssh-contrib/files/openssh-8.0_p1-fix-putty-tests.patch b/net-misc/openssh-contrib/files/openssh-8.0_p1-fix-putty-tests.patch
deleted file mode 100644
index 4310aa123fc8..000000000000
--- a/net-misc/openssh-contrib/files/openssh-8.0_p1-fix-putty-tests.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-Make sure that host keys are already accepted before
-running tests.
-
-https://bugs.gentoo.org/493866
-
---- a/regress/putty-ciphers.sh
-+++ b/regress/putty-ciphers.sh
-@@ -10,11 +10,17 @@ fi
-
- for c in aes 3des aes128-ctr aes192-ctr aes256-ctr ; do
- verbose "$tid: cipher $c"
-+ rm -f ${COPY}
- cp ${OBJ}/.putty/sessions/localhost_proxy \
- ${OBJ}/.putty/sessions/cipher_$c
- echo "Cipher=$c" >> ${OBJ}/.putty/sessions/cipher_$c
-
-- rm -f ${COPY}
-+ env HOME=$PWD echo "y" | ${PLINK} -load cipher_$c \
-+ -i ${OBJ}/putty.rsa2 "exit"
-+ if [ $? -ne 0 ]; then
-+ fail "failed to pre-cache host key"
-+ fi
-+
- env HOME=$PWD ${PLINK} -load cipher_$c -batch -i ${OBJ}/putty.rsa2 \
- cat ${DATA} > ${COPY}
- if [ $? -ne 0 ]; then
---- a/regress/putty-kex.sh
-+++ b/regress/putty-kex.sh
-@@ -14,6 +14,12 @@ for k in dh-gex-sha1 dh-group1-sha1 dh-group14-sha1 ; do
- ${OBJ}/.putty/sessions/kex_$k
- echo "KEX=$k" >> ${OBJ}/.putty/sessions/kex_$k
-
-+ env HOME=$PWD echo "y" | ${PLINK} -load kex_$k \
-+ -i ${OBJ}/putty.rsa2 "exit"
-+ if [ $? -ne 0 ]; then
-+ fail "failed to pre-cache host key"
-+ fi
-+
- env HOME=$PWD ${PLINK} -load kex_$k -batch -i ${OBJ}/putty.rsa2 true
- if [ $? -ne 0 ]; then
- fail "KEX $k failed"
---- a/regress/putty-transfer.sh
-+++ b/regress/putty-transfer.sh
-@@ -14,6 +14,13 @@ for c in 0 1 ; do
- cp ${OBJ}/.putty/sessions/localhost_proxy \
- ${OBJ}/.putty/sessions/compression_$c
- echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k
-+
-+ env HOME=$PWD echo "y" | ${PLINK} -load compression_$c \
-+ -i ${OBJ}/putty.rsa2 "exit"
-+ if [ $? -ne 0 ]; then
-+ fail "failed to pre-cache host key"
-+ fi
-+
- env HOME=$PWD ${PLINK} -load compression_$c -batch \
- -i ${OBJ}/putty.rsa2 cat ${DATA} > ${COPY}
- if [ $? -ne 0 ]; then
diff --git a/net-misc/openssh-contrib/files/openssh-8.7_p1-GSSAPI-dns.patch b/net-misc/openssh-contrib/files/openssh-8.7_p1-GSSAPI-dns.patch
deleted file mode 100644
index ffc40b70ae3d..000000000000
--- a/net-misc/openssh-contrib/files/openssh-8.7_p1-GSSAPI-dns.patch
+++ /dev/null
@@ -1,357 +0,0 @@
-diff --git a/auth.c b/auth.c
-index 00b168b4..8ee93581 100644
---- a/auth.c
-+++ b/auth.c
-@@ -729,118 +729,6 @@ fakepw(void)
- return (&fake);
- }
-
--/*
-- * Returns the remote DNS hostname as a string. The returned string must not
-- * be freed. NB. this will usually trigger a DNS query the first time it is
-- * called.
-- * This function does additional checks on the hostname to mitigate some
-- * attacks on based on conflation of hostnames and IP addresses.
-- */
--
--static char *
--remote_hostname(struct ssh *ssh)
--{
-- struct sockaddr_storage from;
-- socklen_t fromlen;
-- struct addrinfo hints, *ai, *aitop;
-- char name[NI_MAXHOST], ntop2[NI_MAXHOST];
-- const char *ntop = ssh_remote_ipaddr(ssh);
--
-- /* Get IP address of client. */
-- fromlen = sizeof(from);
-- memset(&from, 0, sizeof(from));
-- if (getpeername(ssh_packet_get_connection_in(ssh),
-- (struct sockaddr *)&from, &fromlen) == -1) {
-- debug("getpeername failed: %.100s", strerror(errno));
-- return xstrdup(ntop);
-- }
--
-- ipv64_normalise_mapped(&from, &fromlen);
-- if (from.ss_family == AF_INET6)
-- fromlen = sizeof(struct sockaddr_in6);
--
-- debug3("Trying to reverse map address %.100s.", ntop);
-- /* Map the IP address to a host name. */
-- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
-- NULL, 0, NI_NAMEREQD) != 0) {
-- /* Host name not found. Use ip address. */
-- return xstrdup(ntop);
-- }
--
-- /*
-- * if reverse lookup result looks like a numeric hostname,
-- * someone is trying to trick us by PTR record like following:
-- * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
-- */
-- memset(&hints, 0, sizeof(hints));
-- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
-- hints.ai_flags = AI_NUMERICHOST;
-- if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
-- logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
-- name, ntop);
-- freeaddrinfo(ai);
-- return xstrdup(ntop);
-- }
--
-- /* Names are stored in lowercase. */
-- lowercase(name);
--
-- /*
-- * Map it back to an IP address and check that the given
-- * address actually is an address of this host. This is
-- * necessary because anyone with access to a name server can
-- * define arbitrary names for an IP address. Mapping from
-- * name to IP address can be trusted better (but can still be
-- * fooled if the intruder has access to the name server of
-- * the domain).
-- */
-- memset(&hints, 0, sizeof(hints));
-- hints.ai_family = from.ss_family;
-- hints.ai_socktype = SOCK_STREAM;
-- if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-- logit("reverse mapping checking getaddrinfo for %.700s "
-- "[%s] failed.", name, ntop);
-- return xstrdup(ntop);
-- }
-- /* Look for the address from the list of addresses. */
-- for (ai = aitop; ai; ai = ai->ai_next) {
-- if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
-- sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
-- (strcmp(ntop, ntop2) == 0))
-- break;
-- }
-- freeaddrinfo(aitop);
-- /* If we reached the end of the list, the address was not there. */
-- if (ai == NULL) {
-- /* Address not found for the host name. */
-- logit("Address %.100s maps to %.600s, but this does not "
-- "map back to the address.", ntop, name);
-- return xstrdup(ntop);
-- }
-- return xstrdup(name);
--}
--
--/*
-- * Return the canonical name of the host in the other side of the current
-- * connection. The host name is cached, so it is efficient to call this
-- * several times.
-- */
--
--const char *
--auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
--{
-- static char *dnsname;
--
-- if (!use_dns)
-- return ssh_remote_ipaddr(ssh);
-- else if (dnsname != NULL)
-- return dnsname;
-- else {
-- dnsname = remote_hostname(ssh);
-- return dnsname;
-- }
--}
--
- /* These functions link key/cert options to the auth framework */
-
- /* Log sshauthopt options locally and (optionally) for remote transmission */
-diff --git a/canohost.c b/canohost.c
-index a810da0e..18e9d8d4 100644
---- a/canohost.c
-+++ b/canohost.c
-@@ -202,3 +202,117 @@ get_local_port(int sock)
- {
- return get_sock_port(sock, 1);
- }
-+
-+/*
-+ * Returns the remote DNS hostname as a string. The returned string must not
-+ * be freed. NB. this will usually trigger a DNS query the first time it is
-+ * called.
-+ * This function does additional checks on the hostname to mitigate some
-+ * attacks on legacy rhosts-style authentication.
-+ * XXX is RhostsRSAAuthentication vulnerable to these?
-+ * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
-+ */
-+
-+static char *
-+remote_hostname(struct ssh *ssh)
-+{
-+ struct sockaddr_storage from;
-+ socklen_t fromlen;
-+ struct addrinfo hints, *ai, *aitop;
-+ char name[NI_MAXHOST], ntop2[NI_MAXHOST];
-+ const char *ntop = ssh_remote_ipaddr(ssh);
-+
-+ /* Get IP address of client. */
-+ fromlen = sizeof(from);
-+ memset(&from, 0, sizeof(from));
-+ if (getpeername(ssh_packet_get_connection_in(ssh),
-+ (struct sockaddr *)&from, &fromlen) == -1) {
-+ debug("getpeername failed: %.100s", strerror(errno));
-+ return xstrdup(ntop);
-+ }
-+
-+ ipv64_normalise_mapped(&from, &fromlen);
-+ if (from.ss_family == AF_INET6)
-+ fromlen = sizeof(struct sockaddr_in6);
-+
-+ debug3("Trying to reverse map address %.100s.", ntop);
-+ /* Map the IP address to a host name. */
-+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
-+ NULL, 0, NI_NAMEREQD) != 0) {
-+ /* Host name not found. Use ip address. */
-+ return xstrdup(ntop);
-+ }
-+
-+ /*
-+ * if reverse lookup result looks like a numeric hostname,
-+ * someone is trying to trick us by PTR record like following:
-+ * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
-+ */
-+ memset(&hints, 0, sizeof(hints));
-+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
-+ hints.ai_flags = AI_NUMERICHOST;
-+ if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
-+ logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
-+ name, ntop);
-+ freeaddrinfo(ai);
-+ return xstrdup(ntop);
-+ }
-+
-+ /* Names are stored in lowercase. */
-+ lowercase(name);
-+
-+ /*
-+ * Map it back to an IP address and check that the given
-+ * address actually is an address of this host. This is
-+ * necessary because anyone with access to a name server can
-+ * define arbitrary names for an IP address. Mapping from
-+ * name to IP address can be trusted better (but can still be
-+ * fooled if the intruder has access to the name server of
-+ * the domain).
-+ */
-+ memset(&hints, 0, sizeof(hints));
-+ hints.ai_family = from.ss_family;
-+ hints.ai_socktype = SOCK_STREAM;
-+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-+ logit("reverse mapping checking getaddrinfo for %.700s "
-+ "[%s] failed.", name, ntop);
-+ return xstrdup(ntop);
-+ }
-+ /* Look for the address from the list of addresses. */
-+ for (ai = aitop; ai; ai = ai->ai_next) {
-+ if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
-+ sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
-+ (strcmp(ntop, ntop2) == 0))
-+ break;
-+ }
-+ freeaddrinfo(aitop);
-+ /* If we reached the end of the list, the address was not there. */
-+ if (ai == NULL) {
-+ /* Address not found for the host name. */
-+ logit("Address %.100s maps to %.600s, but this does not "
-+ "map back to the address.", ntop, name);
-+ return xstrdup(ntop);
-+ }
-+ return xstrdup(name);
-+}
-+
-+/*
-+ * Return the canonical name of the host in the other side of the current
-+ * connection. The host name is cached, so it is efficient to call this
-+ * several times.
-+ */
-+
-+const char *
-+auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
-+{
-+ static char *dnsname;
-+
-+ if (!use_dns)
-+ return ssh_remote_ipaddr(ssh);
-+ else if (dnsname != NULL)
-+ return dnsname;
-+ else {
-+ dnsname = remote_hostname(ssh);
-+ return dnsname;
-+ }
-+}
-diff --git a/readconf.c b/readconf.c
-index 03369a08..b45898ce 100644
---- a/readconf.c
-+++ b/readconf.c
-@@ -161,6 +161,7 @@ typedef enum {
- oClearAllForwardings, oNoHostAuthenticationForLocalhost,
- oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
- oAddressFamily, oGssAuthentication, oGssDelegateCreds,
-+ oGssTrustDns,
- oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
- oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist,
- oHashKnownHosts,
-@@ -207,9 +208,11 @@ static struct {
- #if defined(GSSAPI)
- { "gssapiauthentication", oGssAuthentication },
- { "gssapidelegatecredentials", oGssDelegateCreds },
-+ { "gssapitrustdns", oGssTrustDns },
- # else
- { "gssapiauthentication", oUnsupported },
- { "gssapidelegatecredentials", oUnsupported },
-+ { "gssapitrustdns", oUnsupported },
- #endif
- #ifdef ENABLE_PKCS11
- { "pkcs11provider", oPKCS11Provider },
-@@ -1117,6 +1120,10 @@ parse_time:
- intptr = &options->gss_deleg_creds;
- goto parse_flag;
-
-+ case oGssTrustDns:
-+ intptr = &options->gss_trust_dns;
-+ goto parse_flag;
-+
- case oBatchMode:
- intptr = &options->batch_mode;
- goto parse_flag;
-@@ -2307,6 +2314,7 @@ initialize_options(Options * options)
- options->pubkey_authentication = -1;
- options->gss_authentication = -1;
- options->gss_deleg_creds = -1;
-+ options->gss_trust_dns = -1;
- options->password_authentication = -1;
- options->kbd_interactive_authentication = -1;
- options->kbd_interactive_devices = NULL;
-@@ -2465,6 +2473,8 @@ fill_default_options(Options * options)
- options->gss_authentication = 0;
- if (options->gss_deleg_creds == -1)
- options->gss_deleg_creds = 0;
-+ if (options->gss_trust_dns == -1)
-+ options->gss_trust_dns = 0;
- if (options->password_authentication == -1)
- options->password_authentication = 1;
- if (options->kbd_interactive_authentication == -1)
-diff --git a/readconf.h b/readconf.h
-index f7d53b06..c3a91898 100644
---- a/readconf.h
-+++ b/readconf.h
-@@ -40,6 +40,7 @@ typedef struct {
- int hostbased_authentication; /* ssh2's rhosts_rsa */
- int gss_authentication; /* Try GSS authentication */
- int gss_deleg_creds; /* Delegate GSS credentials */
-+ int gss_trust_dns; /* Trust DNS for GSS canonicalization */
- int password_authentication; /* Try password
- * authentication. */
- int kbd_interactive_authentication; /* Try keyboard-interactive auth. */
-diff --git a/ssh_config.5 b/ssh_config.5
-index cd0eea86..27101943 100644
---- a/ssh_config.5
-+++ b/ssh_config.5
-@@ -832,6 +832,16 @@ The default is
- Forward (delegate) credentials to the server.
- The default is
- .Cm no .
-+Note that this option applies to protocol version 2 connections using GSSAPI.
-+.It Cm GSSAPITrustDns
-+Set to
-+.Dq yes to indicate that the DNS is trusted to securely canonicalize
-+the name of the host being connected to. If
-+.Dq no, the hostname entered on the
-+command line will be passed untouched to the GSSAPI library.
-+The default is
-+.Dq no .
-+This option only applies to protocol version 2 connections using GSSAPI.
- .It Cm HashKnownHosts
- Indicates that
- .Xr ssh 1
-diff --git a/sshconnect2.c b/sshconnect2.c
-index fea50fab..aeff639b 100644
---- a/sshconnect2.c
-+++ b/sshconnect2.c
-@@ -776,6 +776,13 @@ userauth_gssapi(struct ssh *ssh)
- OM_uint32 min;
- int r, ok = 0;
- gss_OID mech = NULL;
-+ const char *gss_host;
-+
-+ if (options.gss_trust_dns) {
-+ extern const char *auth_get_canonical_hostname(struct ssh *ssh, int use_dns);
-+ gss_host = auth_get_canonical_hostname(ssh, 1);
-+ } else
-+ gss_host = authctxt->host;
-
- /* Try one GSSAPI method at a time, rather than sending them all at
- * once. */
-@@ -790,7 +797,7 @@ userauth_gssapi(struct ssh *ssh)
- elements[authctxt->mech_tried];
- /* My DER encoding requires length<128 */
- if (mech->length < 128 && ssh_gssapi_check_mechanism(&gssctxt,
-- mech, authctxt->host)) {
-+ mech, gss_host)) {
- ok = 1; /* Mechanism works */
- } else {
- authctxt->mech_tried++;
diff --git a/net-misc/openssh-contrib/files/openssh-8.9_p1-allow-ppoll_time64.patch b/net-misc/openssh-contrib/files/openssh-8.9_p1-allow-ppoll_time64.patch
deleted file mode 100644
index 8c46625aa29c..000000000000
--- a/net-misc/openssh-contrib/files/openssh-8.9_p1-allow-ppoll_time64.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index 2e065ba3..4ce80cb2 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -276,6 +276,9 @@ static const struct sock_filter preauth_insns[] = {
- #ifdef __NR_ppoll
- SC_ALLOW(__NR_ppoll),
- #endif
-+#ifdef __NR_ppoll_time64
-+ SC_ALLOW(__NR_ppoll_time64),
-+#endif
- #ifdef __NR_poll
- SC_ALLOW(__NR_poll),
- #endif
diff --git a/net-misc/openssh-contrib/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch b/net-misc/openssh-contrib/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
deleted file mode 100644
index 4d098b2231c7..000000000000
--- a/net-misc/openssh-contrib/files/openssh-9.3_p1-deny-shmget-shmat-shmdt-in-preauth-privsep-child.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
-index 23b40b643..d93a357c6 100644
---- a/sandbox-seccomp-filter.c
-+++ b/sandbox-seccomp-filter.c
-@@ -257,6 +257,15 @@ static const struct sock_filter preauth_insns[] = {
- #ifdef __NR_statx
- SC_DENY(__NR_statx, EACCES),
- #endif
-+#ifdef __NR_shmget
-+ SC_DENY(__NR_shmget, EACCES),
-+#endif
-+#ifdef __NR_shmat
-+ SC_DENY(__NR_shmat, EACCES),
-+#endif
-+#ifdef __NR_shmdt
-+ SC_DENY(__NR_shmdt, EACCES),
-+#endif
-
- /* Syscalls to permit */
- #ifdef __NR_brk
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2024-07-05 17:42 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-04-18 19:32 [gentoo-commits] repo/gentoo:master commit in: net-misc/openssh-contrib/files/ Conrad Kostecki
-- strict thread matches above, loose matches on Subject: below --
2024-07-05 17:41 Conrad Kostecki
2024-02-17 14:35 David Seifert
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox