diff --git a/openssh/build.sh b/openssh/build.sh index 5b8ff21..34a49fd 100755 --- a/openssh/build.sh +++ b/openssh/build.sh @@ -7,10 +7,16 @@ # Check the following 4 variables before running the script topdir=openssh version=8.9p1 -pkgver=1 +pkgver=2 source[0]=https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/$topdir-$version.tar.gz # If there are no patches, simply comment this -#patch[0]= +patch[0]=0001-upstream-free-3-wants-stdlib.h.patch +patch[1]=0002-Improve-detection-of-fzero-call-used-regs-all-suppor.patch +patch[2]=0003-Allow-ppoll_time64-in-seccomp-sandbox.patch +patch[3]=0004-upstream-pack-pollfd-array-before-server_accept_loop.patch +patch[4]=0005-Default-to-not-using-sandbox-when-cross-compiling.patch +patch[5]=0006-Resync-fmt_scaled.-with-OpenBSD.patch +patch[6]=0007-Fix-authopt-test-on-platforms-without-IPv6-support.patch # Source function library . ${BUILDPKG_SCRIPTS}/buildpkg.functions @@ -27,6 +33,8 @@ reg prep prep() { generic_prep + setdir source + autoreconf } reg build diff --git a/openssh/meta/ChangeLog b/openssh/meta/ChangeLog index 6ea37a6..221e270 100644 --- a/openssh/meta/ChangeLog +++ b/openssh/meta/ChangeLog @@ -1,5 +1,8 @@ CHANGELOG --------- +* Fri Mar 11 2022 Tom G. Christensen - 8.9p1-2 +- Update to V_8_9_P1-6-g58802008 + * Thu Feb 24 2022 Tom G. Christensen - 8.9p1-1 - Update to 8.9p1 diff --git a/openssh/src/0001-upstream-free-3-wants-stdlib.h.patch b/openssh/src/0001-upstream-free-3-wants-stdlib.h.patch new file mode 100644 index 0000000..d793899 --- /dev/null +++ b/openssh/src/0001-upstream-free-3-wants-stdlib.h.patch @@ -0,0 +1,40 @@ +From 2ebf478107ecb3c554fceb26d01bca59c6d0ed1e Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Wed, 23 Feb 2022 21:21:49 +0000 +Subject: [PATCH 1/7] upstream: free(3) wants stdlib.h + +OpenBSD-Commit-ID: 227a8c70a95b4428c49e46863c9ef4bd318a3b8a +--- + auth-rhosts.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/auth-rhosts.c b/auth-rhosts.c +index cac5cd84..4fc9252a 100644 +--- a/auth-rhosts.c ++++ b/auth-rhosts.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: auth-rhosts.c,v 1.55 2022/02/23 11:15:57 djm Exp $ */ ++/* $OpenBSD: auth-rhosts.c,v 1.56 2022/02/23 21:21:49 djm Exp $ */ + /* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland +@@ -19,6 +19,7 @@ + #include + #include + ++#include + #ifdef HAVE_NETGROUP_H + # include + #endif +@@ -26,7 +27,7 @@ + #include + #include + #include +-#include ++#include + #include + + #include "packet.h" +-- +2.16.6 + diff --git a/openssh/src/0002-Improve-detection-of-fzero-call-used-regs-all-suppor.patch b/openssh/src/0002-Improve-detection-of-fzero-call-used-regs-all-suppor.patch new file mode 100644 index 0000000..8c41ba5 --- /dev/null +++ b/openssh/src/0002-Improve-detection-of-fzero-call-used-regs-all-suppor.patch @@ -0,0 +1,35 @@ +From 6c4a67ece33d9551429490898bb3c793a689e913 Mon Sep 17 00:00:00 2001 +From: Colin Watson +Date: Thu, 24 Feb 2022 16:04:18 +0000 +Subject: [PATCH 2/7] Improve detection of -fzero-call-used-regs=all support + +GCC doesn't tell us whether this option is supported unless it runs into +the situation where it would need to emit corresponding code. +--- + m4/openssh.m4 | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/m4/openssh.m4 b/m4/openssh.m4 +index 4f9c3792..8c33c701 100644 +--- a/m4/openssh.m4 ++++ b/m4/openssh.m4 +@@ -14,6 +14,8 @@ AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{ + AC_COMPILE_IFELSE([AC_LANG_SOURCE([[ + #include + #include ++/* Trivial function to help test for -fzero-call-used-regs */ ++void f(int n) {} + int main(int argc, char **argv) { + (void)argv; + /* Some math to catch -ftrapv problems in the toolchain */ +@@ -21,6 +23,7 @@ int main(int argc, char **argv) { + float l = i * 2.1; + double m = l / 0.5; + long long int n = argc * 12345LL, o = 12345LL * (long long int)argc; ++ f(0); + printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o); + /* + * Test fallthrough behaviour. clang 10's -Wimplicit-fallthrough does +-- +2.16.6 + diff --git a/openssh/src/0003-Allow-ppoll_time64-in-seccomp-sandbox.patch b/openssh/src/0003-Allow-ppoll_time64-in-seccomp-sandbox.patch new file mode 100644 index 0000000..5fbcb22 --- /dev/null +++ b/openssh/src/0003-Allow-ppoll_time64-in-seccomp-sandbox.patch @@ -0,0 +1,29 @@ +From 995cf19fbef0b10dbcf1dd8d6382cec9194e08c5 Mon Sep 17 00:00:00 2001 +From: Darren Tucker +Date: Sat, 26 Feb 2022 14:06:14 +1100 +Subject: [PATCH 3/7] Allow ppoll_time64 in seccomp sandbox. + +Should fix sandbox violations on (some? at least i386 and armhf) 32bit +Linux platforms. Patch from chutzpahu at gentoo.org and cjwatson at +debian.org via bz#3396. +--- + sandbox-seccomp-filter.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c +index 2e065ba3..4ce80cb2 100644 +--- a/sandbox-seccomp-filter.c ++++ b/sandbox-seccomp-filter.c +@@ -276,6 +276,9 @@ static const struct sock_filter preauth_insns[] = { + #ifdef __NR_ppoll + SC_ALLOW(__NR_ppoll), + #endif ++#ifdef __NR_ppoll_time64 ++ SC_ALLOW(__NR_ppoll_time64), ++#endif + #ifdef __NR_poll + SC_ALLOW(__NR_poll), + #endif +-- +2.16.6 + diff --git a/openssh/src/0004-upstream-pack-pollfd-array-before-server_accept_loop.patch b/openssh/src/0004-upstream-pack-pollfd-array-before-server_accept_loop.patch new file mode 100644 index 0000000..f3d204b --- /dev/null +++ b/openssh/src/0004-upstream-pack-pollfd-array-before-server_accept_loop.patch @@ -0,0 +1,98 @@ +From 238ac091dd57316bc9690d9cc42229fe21ce0def Mon Sep 17 00:00:00 2001 +From: "djm@openbsd.org" +Date: Tue, 1 Mar 2022 01:59:19 +0000 +Subject: [PATCH 4/7] upstream: pack pollfd array before server_accept_loop() + ppoll() + +call, and terminate sshd if ppoll() returns errno==EINVAL + +avoids spin in ppoll when MaxStartups > RLIMIT_NOFILE, reported by +Daniel Micay + +feedback/ok deraadt + +OpenBSD-Commit-ID: dbab1c24993ac977ec24d83283b8b7528f7c2c15 +--- + sshd.c | 29 +++++++++++++++++++---------- + 1 file changed, 19 insertions(+), 10 deletions(-) + +diff --git a/sshd.c b/sshd.c +index ef18ba46..30aeb806 100644 +--- a/sshd.c ++++ b/sshd.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: sshd.c,v 1.583 2022/02/01 07:57:32 dtucker Exp $ */ ++/* $OpenBSD: sshd.c,v 1.584 2022/03/01 01:59:19 djm Exp $ */ + /* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland +@@ -1129,9 +1129,9 @@ static void + server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) + { + struct pollfd *pfd = NULL; +- int i, j, ret; ++ int i, j, ret, npfd; + int ostartups = -1, startups = 0, listening = 0, lameduck = 0; +- int startup_p[2] = { -1 , -1 }; ++ int startup_p[2] = { -1 , -1 }, *startup_pollfd; + char c = 0; + struct sockaddr_storage from; + socklen_t fromlen; +@@ -1142,6 +1142,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) + /* pipes connected to unauthenticated child sshd processes */ + startup_pipes = xcalloc(options.max_startups, sizeof(int)); + startup_flags = xcalloc(options.max_startups, sizeof(int)); ++ startup_pollfd = xcalloc(options.max_startups, sizeof(int)); + for (i = 0; i < options.max_startups; i++) + startup_pipes[i] = -1; + +@@ -1157,6 +1158,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) + sigaddset(&nsigset, SIGTERM); + sigaddset(&nsigset, SIGQUIT); + ++ /* sized for worst-case */ + pfd = xcalloc(num_listen_socks + options.max_startups, + sizeof(struct pollfd)); + +@@ -1196,24 +1198,31 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) + pfd[i].fd = listen_socks[i]; + pfd[i].events = POLLIN; + } ++ npfd = num_listen_socks; + for (i = 0; i < options.max_startups; i++) { +- pfd[num_listen_socks+i].fd = startup_pipes[i]; +- if (startup_pipes[i] != -1) +- pfd[num_listen_socks+i].events = POLLIN; ++ startup_pollfd[i] = -1; ++ if (startup_pipes[i] != -1) { ++ pfd[npfd].fd = startup_pipes[i]; ++ pfd[npfd].events = POLLIN; ++ startup_pollfd[i] = npfd++; ++ } + } + + /* Wait until a connection arrives or a child exits. */ +- ret = ppoll(pfd, num_listen_socks + options.max_startups, +- NULL, &osigset); +- if (ret == -1 && errno != EINTR) ++ ret = ppoll(pfd, npfd, NULL, &osigset); ++ if (ret == -1 && errno != EINTR) { + error("ppoll: %.100s", strerror(errno)); ++ if (errno == EINVAL) ++ cleanup_exit(1); /* can't recover */ ++ } + sigprocmask(SIG_SETMASK, &osigset, NULL); + if (ret == -1) + continue; + + for (i = 0; i < options.max_startups; i++) { + if (startup_pipes[i] == -1 || +- !(pfd[num_listen_socks+i].revents & (POLLIN|POLLHUP))) ++ startup_pollfd[i] == -1 || ++ !(pfd[startup_pollfd[i]].revents & (POLLIN|POLLHUP))) + continue; + switch (read(startup_pipes[i], &c, sizeof(c))) { + case -1: +-- +2.16.6 + diff --git a/openssh/src/0005-Default-to-not-using-sandbox-when-cross-compiling.patch b/openssh/src/0005-Default-to-not-using-sandbox-when-cross-compiling.patch new file mode 100644 index 0000000..bc84d72 --- /dev/null +++ b/openssh/src/0005-Default-to-not-using-sandbox-when-cross-compiling.patch @@ -0,0 +1,30 @@ +From 244f64071150d8e78b114a32c0e5ca1a0d21d54c Mon Sep 17 00:00:00 2001 +From: Darren Tucker +Date: Tue, 8 Mar 2022 20:04:06 +1100 +Subject: [PATCH 5/7] Default to not using sandbox when cross compiling. + +On most systems poll(2) does not work when the number of FDs is reduced +with setrlimit, so assume it doesn't when cross compiling and we can't +run the test. bz#3398. +--- + configure.ac | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 17fb1e60..a165d087 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -3574,8 +3574,8 @@ AC_RUN_IFELSE( + select_works_with_rlimit=yes], + [AC_MSG_RESULT([no]) + select_works_with_rlimit=no], +- [AC_MSG_WARN([cross compiling: assuming yes]) +- select_works_with_rlimit=yes] ++ [AC_MSG_WARN([cross compiling: assuming no]) ++ select_works_with_rlimit=no] + ) + + AC_CHECK_MEMBERS([struct pollfd.fd], [], [], [[ +-- +2.16.6 + diff --git a/openssh/src/0006-Resync-fmt_scaled.-with-OpenBSD.patch b/openssh/src/0006-Resync-fmt_scaled.-with-OpenBSD.patch new file mode 100644 index 0000000..3e9da7f --- /dev/null +++ b/openssh/src/0006-Resync-fmt_scaled.-with-OpenBSD.patch @@ -0,0 +1,91 @@ +From 5880200867e440f8ab5fd893c93db86555990443 Mon Sep 17 00:00:00 2001 +From: Darren Tucker +Date: Fri, 11 Mar 2022 18:43:58 +1100 +Subject: [PATCH 6/7] Resync fmt_scaled. with OpenBSD. + +Fixes underflow reported in bz#3401. +--- + openbsd-compat/fmt_scaled.c | 32 +++++++++++++++++++------------- + 1 file changed, 19 insertions(+), 13 deletions(-) + +diff --git a/openbsd-compat/fmt_scaled.c b/openbsd-compat/fmt_scaled.c +index 2f76ef93..87d40d2d 100644 +--- a/openbsd-compat/fmt_scaled.c ++++ b/openbsd-compat/fmt_scaled.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: fmt_scaled.c,v 1.17 2018/05/14 04:39:04 djm Exp $ */ ++/* $OpenBSD: fmt_scaled.c,v 1.21 2022/03/11 07:29:53 dtucker Exp $ */ + + /* + * Copyright (c) 2001, 2002, 2003 Ian F. Darwin. All rights reserved. +@@ -54,9 +54,9 @@ typedef enum { + } unit_type; + + /* These three arrays MUST be in sync! XXX make a struct */ +-static unit_type units[] = { NONE, KILO, MEGA, GIGA, TERA, PETA, EXA }; +-static char scale_chars[] = "BKMGTPE"; +-static long long scale_factors[] = { ++static const unit_type units[] = { NONE, KILO, MEGA, GIGA, TERA, PETA, EXA }; ++static const char scale_chars[] = "BKMGTPE"; ++static const long long scale_factors[] = { + 1LL, + 1024LL, + 1024LL*1024, +@@ -153,10 +153,8 @@ scan_scaled(char *scaled, long long *result) + } + } + +- if (sign) { ++ if (sign) + whole *= sign; +- fpart *= sign; +- } + + /* If no scale factor given, we're done. fraction is discarded. */ + if (!*p) { +@@ -191,7 +189,8 @@ scan_scaled(char *scaled, long long *result) + /* truncate fpart so it doesn't overflow. + * then scale fractional part. + */ +- while (fpart >= LLONG_MAX / scale_fact) { ++ while (fpart >= LLONG_MAX / scale_fact || ++ fpart <= LLONG_MIN / scale_fact) { + fpart /= 10; + fract_digits--; + } +@@ -200,7 +199,10 @@ scan_scaled(char *scaled, long long *result) + for (i = 0; i < fract_digits -1; i++) + fpart /= 10; + } +- whole += fpart; ++ if (sign == -1) ++ whole -= fpart; ++ else ++ whole += fpart; + *result = whole; + return 0; + } +@@ -222,12 +224,16 @@ fmt_scaled(long long number, char *result) + unsigned int i; + unit_type unit = NONE; + ++ /* Not every negative long long has a positive representation. */ ++ if (number == LLONG_MIN) { ++ errno = ERANGE; ++ return -1; ++ } ++ + abval = llabs(number); + +- /* Not every negative long long has a positive representation. +- * Also check for numbers that are just too darned big to format +- */ +- if (abval < 0 || abval / 1024 >= scale_factors[SCALE_LENGTH-1]) { ++ /* Also check for numbers that are just too darned big to format. */ ++ if (abval / 1024 >= scale_factors[SCALE_LENGTH-1]) { + errno = ERANGE; + return -1; + } +-- +2.16.6 + diff --git a/openssh/src/0007-Fix-authopt-test-on-platforms-without-IPv6-support.patch b/openssh/src/0007-Fix-authopt-test-on-platforms-without-IPv6-support.patch new file mode 100644 index 0000000..3d8a2ce --- /dev/null +++ b/openssh/src/0007-Fix-authopt-test-on-platforms-without-IPv6-support.patch @@ -0,0 +1,91 @@ +From 3908845fd109cc532e793473aa60a20bfa2e450f Mon Sep 17 00:00:00 2001 +From: "Tom G. Christensen" +Date: Fri, 11 Mar 2022 17:00:40 +0100 +Subject: [PATCH 7/7] Fix authopt test on platforms without IPv6 support + +--- + regress/unittests/authopt/testdata/mktestdata.sh | 1 + + .../authopt/testdata/sourceaddr_ipv4only.cert | 1 + + regress/unittests/authopt/tests.c | 22 ++++++++++++++++------ + 3 files changed, 18 insertions(+), 6 deletions(-) + create mode 100644 regress/unittests/authopt/testdata/sourceaddr_ipv4only.cert + +diff --git a/regress/unittests/authopt/testdata/mktestdata.sh b/regress/unittests/authopt/testdata/mktestdata.sh +index 06a24e39..0510163c 100644 +--- a/regress/unittests/authopt/testdata/mktestdata.sh ++++ b/regress/unittests/authopt/testdata/mktestdata.sh +@@ -36,6 +36,7 @@ sign only_x11fwd.cert -Oclear -Opermit-X11-forwarding + + sign force_command.cert -Oforce-command="foo" + sign sourceaddr.cert -Osource-address="127.0.0.1/32,::1/128" ++sign sourceaddr_ipv4only.cert -Osource-address="127.0.0.1/32" + + # ssh-keygen won't permit generation of certs with invalid source-address + # values, so we do it as a custom extension. +diff --git a/regress/unittests/authopt/testdata/sourceaddr_ipv4only.cert b/regress/unittests/authopt/testdata/sourceaddr_ipv4only.cert +new file mode 100644 +index 00000000..ca756ca5 +--- /dev/null ++++ b/regress/unittests/authopt/testdata/sourceaddr_ipv4only.cert +@@ -0,0 +1 @@ ++ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIOjl/9se9GhdE8SARP9lHV9IVWeokGjUS1JVk+95JyztAAAAILsTBtFFO81VAwEYCCi+LGl5aa5b7UIrFIKD637xgvN9AAAAAAAAAAEAAAABAAAABHVzZXIAAAAIAAAABHVzZXIAAAAANowB8AAAAAA4a+PwAAAAJgAAAA5zb3VyY2UtYWRkcmVzcwAAABAAAAAMMTI3LjAuMC4xLzMyAAAAggAAABVwZXJtaXQtWDExLWZvcndhcmRpbmcAAAAAAAAAF3Blcm1pdC1hZ2VudC1mb3J3YXJkaW5nAAAAAAAAABZwZXJtaXQtcG9ydC1mb3J3YXJkaW5nAAAAAAAAAApwZXJtaXQtcHR5AAAAAAAAAA5wZXJtaXQtdXNlci1yYwAAAAAAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACCzFxz+o7QkolOrc+Crw/t3wYPP82mX3vEYDRP+21UyCQAAAFMAAAALc3NoLWVkMjU1MTkAAABAlroivhFKt2b6GIX3IFjBOOD5kn6URV7HNbk4JRwZheujUIe0T7x/v3mN53dug0hbtl0M4jAxYhG+7Kq8RnMsDA== user key +diff --git a/regress/unittests/authopt/tests.c b/regress/unittests/authopt/tests.c +index d9e19030..25ba5f2d 100644 +--- a/regress/unittests/authopt/tests.c ++++ b/regress/unittests/authopt/tests.c +@@ -24,6 +24,16 @@ + #include "misc.h" + #include "log.h" + ++#ifndef HAVE_STRUCT_IN6_ADDR ++# define SOURCEADDR_CERT_FILE "sourceaddr_ipv4only.cert" ++# define SOURCEADDR_CERT_NAME "sourceaddr_ipv4only" ++# define HOST_CERT_LOCALHOST "127.0.0.1/32" ++#else ++# define SOURCEADDR_CERT_FILE "sourceaddr.cert" ++# define SOURCEADDR_CERT_NAME "sourceaddr" ++# define HOST_CERT_LOCALHOST "127.0.0.1/32,::1/128" ++#endif ++ + static struct sshkey * + load_key(const char *name) + { +@@ -349,9 +359,9 @@ test_cert_parse(void) + TEST_DONE(); + + TEST_START("sshauthopt_from_cert source-address"); +- cert = load_key("sourceaddr.cert"); ++ cert = load_key(SOURCEADDR_CERT_FILE); + expected = default_authkey_opts(); +- expected->required_from_host_cert = strdup("127.0.0.1/32,::1/128"); ++ expected->required_from_host_cert = strdup(HOST_CERT_LOCALHOST); + ASSERT_PTR_NE(expected->required_from_host_cert, NULL); + opts = sshauthopt_from_cert(cert); + CHECK_SUCCESS_AND_CLEANUP(); +@@ -481,9 +491,9 @@ test_merge(void) + FLAG_TEST("x11fwd", "x11-forwarding", permit_x11_forwarding_flag); + #undef FLAG_TEST + +- PREPARE("source-address both", "sourceaddr", "from=\"127.0.0.1\""); ++ PREPARE("source-address both", SOURCEADDR_CERT_NAME, "from=\"127.0.0.1\""); + expected = default_authkey_opts(); +- expected->required_from_host_cert = strdup("127.0.0.1/32,::1/128"); ++ expected->required_from_host_cert = strdup(HOST_CERT_LOCALHOST); + ASSERT_PTR_NE(expected->required_from_host_cert, NULL); + expected->required_from_host_keys = strdup("127.0.0.1"); + ASSERT_PTR_NE(expected->required_from_host_keys, NULL); +@@ -502,9 +512,9 @@ test_merge(void) + CHECK_SUCCESS_AND_CLEANUP(); + TEST_DONE(); + +- PREPARE("source-address cert", "sourceaddr", ""); ++ PREPARE("source-address cert", SOURCEADDR_CERT_NAME, ""); + expected = default_authkey_opts(); +- expected->required_from_host_cert = strdup("127.0.0.1/32,::1/128"); ++ expected->required_from_host_cert = strdup(HOST_CERT_LOCALHOST); + ASSERT_PTR_NE(expected->required_from_host_cert, NULL); + CHECK_SUCCESS_AND_CLEANUP(); + TEST_DONE(); +-- +2.16.6 +