Diff openssh-7.7_p1-r9 with openssh-7.9_p1-r4

/usr/portage/net-misc/openssh/openssh-7.9_p1-r4.ebuild 2019-10-12 22:39:00.000000000 +0300
1 1
# Copyright 1999-2019 Gentoo Authors
2 2
# Distributed under the terms of the GNU General Public License v2
3 3

  
4
EAPI="6"
4
EAPI=6
5 5

  
6 6
inherit user flag-o-matic multilib autotools pam systemd
7 7

  
8 8
# Make it more portable between straight releases
9 9
# and _p? releases.
10 10
PARCH=${P/_}
11
#HPN_PV="${PV^^}"
12
HPN_PV="7.8_P1"
11 13

  
12
HPN_VER="14v15-gentoo2" HPN_PATCH="${PARCH}-hpnssh${HPN_VER}.patch.xz"
13
SCTP_VER="1.1" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
14
X509_VER="11.3.1" X509_PATCH="${PARCH}-x509-${X509_VER}.patch.xz"
14
HPN_VER="14.16"
15
HPN_PATCHES=(
16
	${PN}-${HPN_PV/./_}-hpn-DynWinNoneSwitch-${HPN_VER}.diff
17
	${PN}-${HPN_PV/./_}-hpn-AES-CTR-${HPN_VER}.diff
18
)
15 19

  
16
PATCH_SET="openssh-7.7p1-patches-1.2"
20
SCTP_VER="1.2" SCTP_PATCH="${PARCH}-sctp-${SCTP_VER}.patch.xz"
21
X509_VER="11.6" X509_PATCH="${PARCH}+x509-${X509_VER}.diff.gz"
22

  
23
PATCH_SET="openssh-7.9p1-patches-1.0"
17 24

  
18 25
DESCRIPTION="Port of OpenBSD's free SSH release"
19 26
HOMEPAGE="https://www.openssh.com/"
20 27
SRC_URI="mirror://openbsd/OpenSSH/portable/${PARCH}.tar.gz
21 28
	https://dev.gentoo.org/~whissi/dist/${PN}/${PATCH_SET}.tar.xz
22 29
	${SCTP_PATCH:+sctp? ( https://dev.gentoo.org/~whissi/dist/openssh/${SCTP_PATCH} )}
23
	${HPN_PATCH:+hpn? ( https://dev.gentoo.org/~whissi/dist/openssh/${HPN_PATCH} )}
24
	${X509_PATCH:+X509? ( https://dev.gentoo.org/~whissi/dist/openssh/${X509_PATCH} )}
30
	${HPN_VER:+hpn? ( $(printf "mirror://sourceforge/hpnssh/HPN-SSH%%20${HPN_VER/./v}%%20${HPN_PV/_P/p}/%s\n" "${HPN_PATCHES[@]}") )}
31
	${X509_PATCH:+X509? ( https://roumenpetrov.info/openssh/x509-${X509_VER}/${X509_PATCH} )}
25 32
	"
26 33

  
27 34
LICENSE="BSD GPL-2"
28 35
SLOT="0"
29 36
KEYWORDS="alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86 ~ppc-aix ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
30 37
# Probably want to drop ssl defaulting to on in a future version.
31
IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux skey +ssl static test X X509"
38
IUSE="abi_mips_n32 audit bindist debug hpn kerberos kernel_linux ldns libedit libressl livecd pam +pie sctp selinux +ssl static test X X509"
32 39
RESTRICT="!test? ( test )"
33 40
REQUIRED_USE="ldns? ( ssl )
34 41
	pie? ( !static )
......
46 53
	libedit? ( dev-libs/libedit:=[static-libs(+)] )
47 54
	sctp? ( net-misc/lksctp-tools[static-libs(+)] )
48 55
	selinux? ( >=sys-libs/libselinux-1.28[static-libs(+)] )
49
	skey? ( >=sys-auth/skey-1.1.5-r1[static-libs(+)] )
50 56
	ssl? (
51 57
		!libressl? (
52
			>=dev-libs/openssl-1.0.1:0=[bindist=]
58
			|| (
59
				(
60
					>=dev-libs/openssl-1.0.1:0[bindist=]
61
					<dev-libs/openssl-1.1.0:0[bindist=]
62
				)
63
				>=dev-libs/openssl-1.1.0g:0[bindist=]
64
			)
53 65
			dev-libs/openssl:0=[static-libs(+)]
54 66
		)
55 67
		libressl? ( dev-libs/libressl:0=[static-libs(+)] )
......
76 88
	# than not be able to log in to their server any more
77 89
	maybe_fail() { [[ -z ${!2} ]] && echo "$1" ; }
78 90
	local fail="
79
		$(use hpn && maybe_fail hpn HPN_PATCH)
91
		$(use hpn && maybe_fail hpn HPN_VER)
80 92
		$(use sctp && maybe_fail sctp SCTP_PATCH)
81 93
		$(use X509 && maybe_fail X509 X509_PATCH)
82 94
	"
......
104 116
	# don't break .ssh/authorized_keys2 for fun
105 117
	sed -i '/^AuthorizedKeysFile/s:^:#:' sshd_config || die
106 118

  
107
	eapply "${FILESDIR}"/${PN}-7.7_p1-GSSAPI-dns.patch #165444 integrated into gsskex
119
	eapply "${FILESDIR}"/${PN}-7.9_p1-openssl-1.0.2-compat.patch
120
	eapply "${FILESDIR}"/${PN}-7.9_p1-include-stdlib.patch
121
	eapply "${FILESDIR}"/${PN}-7.8_p1-GSSAPI-dns.patch #165444 integrated into gsskex
108 122
	eapply "${FILESDIR}"/${PN}-6.7_p1-openssl-ignore-status.patch
109 123
	eapply "${FILESDIR}"/${PN}-7.5_p1-disable-conch-interop-tests.patch
110 124

  
125
	if use X509 ; then
126
		# patch doesn't apply due to X509 modifications
127
		rm \
128
			"${WORKDIR}"/patches/0001-fix-key-type-check.patch \
129
			"${WORKDIR}"/patches/0002-request-rsa-sha2-cert-signatures.patch \
130
			|| die
131
	else
132
		eapply "${FILESDIR}"/${PN}-7.9_p1-CVE-2018-20685.patch # X509 patch set includes this patch
133
	fi
134

  
135
	[[ -d ${WORKDIR}/patches ]] && eapply "${WORKDIR}"/patches
136

  
111 137
	local PATCHSET_VERSION_MACROS=()
112 138

  
113 139
	if use X509 ; then
140
		pushd "${WORKDIR}" || die
141
		eapply "${FILESDIR}/${P}-X509-glue-${X509_VER}.patch"
142
		eapply "${FILESDIR}/${P}-X509-dont-make-piddir-${X509_VER}.patch"
143
		popd || die
144

  
145
		if use hpn ; then
146
			einfo "Will disable MT AES cipher due to incompatbility caused by X509 patch set"
147
			HPN_DISABLE_MTAES=1
148
		fi
149

  
114 150
		eapply "${WORKDIR}"/${X509_PATCH%.*}
151
		eapply "${FILESDIR}"/${P}-X509-${X509_VER}-tests.patch
115 152

  
116 153
		# We need to patch package version or any X.509 sshd will reject our ssh client
117 154
		# with "userauth_pubkey: could not parse key: string is too large [preauth]"
......
126 163
			-e "/^#define SSH_PORTABLE.*/a #define SSH_X509               \"-PKIXSSH-${X509_VER}\"" \
127 164
			"${S}"/version.h || die "Failed to sed-in X.509 patch version"
128 165
		PATCHSET_VERSION_MACROS+=( 'SSH_X509' )
129

  
130
		einfo "Disabling broken X.509 agent test ..."
131
		sed -i \
132
			-e "/^ agent$/d" \
133
			"${S}"/tests/CA/config || die "Failed to disable broken X.509 agent test"
134

  
135
		# The following patches don't apply on top of X509 patch
136
		rm "${WORKDIR}"/patch/2002_all_openssh-7.7p1_upstream_bug2840.patch || die
137
		rm "${WORKDIR}"/patch/2009_all_openssh-7.7p1_make-shell-tests-portable.patch || die
138
		rm "${WORKDIR}"/patch/2016_all_openssh-7.7p1_implement-EMFILE-mitigation-for-ssh-agent.patch || die
139
		rm "${WORKDIR}"/patch/2025_all_openssh-7.7p1_prefer-argv0-to-ssh-when-re-executing-ssh-for-proxyjump.patch || die
140
	else
141
		rm "${WORKDIR}"/patch/2016_all_openssh-7.7p1-X509_implement-EMFILE-mitigation-for-ssh-agent.patch || die
142
		rm "${WORKDIR}"/patch/2025_all_openssh-7.7p1-X509_prefer-argv0-to-ssh-when-re-executing-ssh-for-proxyjump.patch || die
143 166
	fi
144 167

  
145 168
	if use sctp ; then
......
158 181
	fi
159 182

  
160 183
	if use hpn ; then
161
		eapply "${WORKDIR}"/${HPN_PATCH%.*}
184
		local hpn_patchdir="${T}/${P}-hpn${HPN_VER}"
185
		mkdir "${hpn_patchdir}"
186
		cp $(printf -- "${DISTDIR}/%s\n" "${HPN_PATCHES[@]}") "${hpn_patchdir}"
187
		pushd "${hpn_patchdir}"
188
		eapply "${FILESDIR}"/${P}-hpn-glue.patch
189
		use X509 && eapply "${FILESDIR}"/${P}-hpn-X509-glue.patch
190
		use sctp && eapply "${FILESDIR}"/${P}-hpn-sctp-glue.patch
191
		popd
192

  
193
		eapply "${hpn_patchdir}"
194
		eapply "${FILESDIR}/openssh-7.9_p1-hpn-openssl-1.1.patch"
162 195

  
163 196
		einfo "Patching Makefile.in for HPN patch set ..."
164 197
		sed -i \
......
167 200

  
168 201
		einfo "Patching version.h to expose HPN patch set ..."
169 202
		sed -i \
170
			-e "/^#define SSH_PORTABLE/a #define SSH_HPN         \"-hpn${HPN_VER}\"" \
203
			-e "/^#define SSH_PORTABLE/a #define SSH_HPN         \"-hpn${HPN_VER//./v}\"" \
171 204
			"${S}"/version.h || die "Failed to sed-in HPN patch version"
172 205
		PATCHSET_VERSION_MACROS+=( 'SSH_HPN' )
173 206

  
......
190 223
		fi
191 224
	fi
192 225

  
193
	if use X509 || use hpn ; then
194
		einfo "Patching packet.c for X509 and/or HPN patch set ..."
195
		sed -i \
196
			-e "s/const struct sshcipher/struct sshcipher/" \
197
			"${S}"/packet.c || die "Failed to patch ssh_packet_set_connection() (packet.c)"
198
	fi
199

  
200 226
	if use X509 || use sctp || use hpn ; then
201 227
		einfo "Patching sshconnect.c to use SSH_RELEASE in send_client_banner() ..."
202 228
		sed -i \
......
218 244
		-e "/#UseLogin no/d" \
219 245
		"${S}"/sshd_config || die "Failed to remove removed UseLogin option (sshd_config)"
220 246

  
221
	eapply "${WORKDIR}"/patch/*.patch
222

  
223 247
	eapply_user #473004
224 248

  
225 249
	tc-export PKG_CONFIG
......
265 289
		# We apply the sctp patch conditionally, so can't pass --without-sctp
266 290
		# unconditionally else we get unknown flag warnings.
267 291
		$(use sctp && use_with sctp)
268
		$(use_with ldns)
292
		$(use_with ldns ldns "${EPREFIX%/}"/usr)
269 293
		$(use_with libedit)
270 294
		$(use_with pam)
271 295
		$(use_with pie)
272 296
		$(use_with selinux)
273
		$(use_with skey)
274 297
		$(use_with ssl openssl)
275 298
		$(use_with ssl md5-passwords)
276 299
		$(use_with ssl ssl-engine)
277 300
		$(use_with !elibc_Cygwin hardening) #659210
278 301
	)
279 302

  
280
	# stackprotect is broken on musl x86
281
	use elibc_musl && use x86 && myconf+=( --without-stackprotect )
303
	# stackprotect is broken on musl x86 and ppc
304
	use elibc_musl && ( use x86 || use ppc ) && myconf+=( --without-stackprotect )
282 305

  
283 306
	# The seccomp sandbox is broken on x32, so use the older method for now. #553748
284 307
	use amd64 && [[ ${ABI} == "x32" ]] && myconf+=( --with-sandbox=rlimit )
......
367 390
	emake install-nokeys DESTDIR="${D}"
368 391
	fperms 600 /etc/ssh/sshd_config
369 392
	dobin contrib/ssh-copy-id
370
	newinitd "${FILESDIR}"/sshd.initd sshd
393
	newinitd "${FILESDIR}"/sshd-r1.initd sshd
371 394
	newconfd "${FILESDIR}"/sshd-r1.confd sshd
372 395

  
373 396
	newpamd "${FILESDIR}"/sshd.pam_include.2 sshd
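Review bot: The new hpn block (new-side lines 185–191, `mkdir "${hpn_patchdir}"` through `popd`) runs `mkdir`, `cp`, `pushd` and `popd` without `|| die`, while the parallel X509 block added earlier in the same function (new-side lines 140 and 143) does check its `pushd`/`popd`. Ebuild phase functions do not run under `set -e`, so a failed `mkdir` or `pushd` would not stop the build; the three glue `eapply` calls would then be attempted against whatever the current directory is rather than `${hpn_patchdir}`, and a partial `cp` would only surface later as a confusing patch failure. The lines should read `mkdir "${hpn_patchdir}" || die`, `pushd "${hpn_patchdir}" || die` and `popd || die`, with the `cp` line given the same `|| die` treatment. The enclosing src_prepare starts and ends outside this hunk.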