openssh: update identitypersist patch, add ldns and ssl options.

2015-03-18 12:05:46 +01:00 · 2015-03-18 12:05:46 +01:00 · 3ba4c1abb9
parent 58518a8f31
commit 3ba4c1abb9
3 changed files with 210 additions and 8 deletions
--- a/common/options.description
+++ b/common/options.description
@ -27,6 +27,7 @@ desc_option_imagemagick="Enable support for ImageMagick"
 desc_option_jack="Enable support for the JACK sound server"
 desc_option_jpeg="Enable support for JPEG images"
 desc_option_lame="Enable support for the LAME encoder"
+desc_option_ldns="Enable support for LDNS DNSSEC library"
 desc_option_libao="Enable support for libao sound library"
 desc_option_libedit="Enable support for NetBSD's libedit"
 desc_option_lua="Enable support for Lua"
--- a/srcpkgs/openssh/files/openssh-6.8p1-identitypersist.patch
+++ b/srcpkgs/openssh/files/openssh-6.8p1-identitypersist.patch
@ -0,0 +1,199 @@
+From a2431e7ad6a99821a09e9e3037faf89e15d3b2a3 Mon Sep 17 00:00:00 2001
+From: Christian Neukirchen <chneukirchen@gmail.com>
+Date: Wed, 18 Mar 2015 11:46:16 +0100
+Subject: [PATCH] Add an identity to the agent automatically when loading the
+ identity
+
+Updated patch from https://bugzilla.mindrot.org/show_bug.cgi?id=2191
+Originally by Tomohiro Matsuyama.
+---
+ readconf.c    | 39 +++++++++++++++++++++++++++++++++++++++
+ readconf.h    |  4 ++++
+ sshconnect2.c | 31 ++++++++++++++++++++++++-------
+ 3 files changed, 67 insertions(+), 7 deletions(-)
+
+diff --git readconf.c readconf.c
+index 42a2961..4eb0bae 100644
+--- readconf.c
+++ readconf.c
+@@ -148,6 +148,7 @@ typedef enum {
+ 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
+ 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+ 	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
+	oIdentityPersist, oIdentityPersistConfirm,
+ 	oSendEnv, oControlPath, oControlMaster, oControlPersist,
+ 	oHashKnownHosts,
+ 	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
+@@ -249,6 +250,8 @@ static struct {
+ 	{ "addressfamily", oAddressFamily },
+ 	{ "serveraliveinterval", oServerAliveInterval },
+ 	{ "serveralivecountmax", oServerAliveCountMax },
+	{ "identitypersist", oIdentityPersist },
+	{ "identitypersistconfirm", oIdentityPersistConfirm },
+ 	{ "sendenv", oSendEnv },
+ 	{ "controlpath", oControlPath },
+ 	{ "controlmaster", oControlMaster },
+@@ -1274,6 +1277,33 @@ parse_int:
+ 		intptr = &options->server_alive_count_max;
+ 		goto parse_int;
+ 
+	case oIdentityPersist:
+		/* no/false/yes/true, or a time spec */
+		intptr = &options->identity_persist;
+		arg = strdelim(&s);
+		if (!arg || *arg == '\0')
+			fatal("%.200s line %d: Missing IdentityPersist"
+			    " argument.", filename, linenum);
+		value = 0;
+		value2 = 0;	/* lifetime */
+		if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
+			value = 0;
+		else if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
+			value = 1;
+		else if ((value2 = convtime(arg)) >= 0)
+			value = 1;
+		else
+			fatal("%.200s line %d: Bad IdentityPersist argument.",
+			    filename, linenum);
+		if (*activep && *intptr == -1) {
+			*intptr = value;
+			options->identity_persist_lifetime = value2;
+		}
+		break;
+	case oIdentityPersistConfirm:
+		intptr = &options->identity_persist_confirm;
+		goto parse_flag;
+
+ 	case oSendEnv:
+ 		while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
+ 			if (strchr(arg, '=') != NULL)
+@@ -1649,6 +1679,9 @@ initialize_options(Options * options)
+ 	options->verify_host_key_dns = -1;
+ 	options->server_alive_interval = -1;
+ 	options->server_alive_count_max = -1;
+	options->identity_persist = -1;
+	options->identity_persist_lifetime = -1;
+	options->identity_persist_confirm = -1;
+ 	options->num_send_env = 0;
+ 	options->control_path = NULL;
+ 	options->control_master = -1;
+@@ -1819,6 +1852,12 @@ fill_default_options(Options * options)
+ 		options->server_alive_interval = 0;
+ 	if (options->server_alive_count_max == -1)
+ 		options->server_alive_count_max = 3;
+	if (options->identity_persist == -1)
+		options->identity_persist = 0;
+	if (options->identity_persist_lifetime == -1)
+		options->identity_persist_lifetime = 0;
+	if (options->identity_persist_confirm == -1)
+		options->identity_persist_confirm = 0;
+ 	if (options->control_master == -1)
+ 		options->control_master = 0;
+ 	if (options->control_persist == -1) {
+diff --git readconf.h readconf.h
+index 576b9e3..bc0b2ce 100644
+--- readconf.h
+++ readconf.h
+@@ -112,6 +112,10 @@ typedef struct {
+ 	int	server_alive_interval;
+ 	int	server_alive_count_max;
+ 
+	int	identity_persist;
+	int	identity_persist_lifetime;
+	int	identity_persist_confirm;
+
+ 	int     num_send_env;
+ 	char   *send_env[MAX_SEND_ENV];
+ 
+diff --git sshconnect2.c sshconnect2.c
+index ba56f64..5058e7c 100644
+--- sshconnect2.c
+++ sshconnect2.c
+@@ -320,7 +320,7 @@ void	userauth(Authctxt *, char *);
+ static int sign_and_send_pubkey(Authctxt *, Identity *);
+ static void pubkey_prepare(Authctxt *);
+ static void pubkey_cleanup(Authctxt *);
+-static Key *load_identity_file(char *, int);
+static Key *load_identity_file(Authctxt *, char *, int);
+ 
+ static Authmethod *authmethod_get(char *authlist);
+ static Authmethod *authmethod_lookup(const char *name);
+@@ -978,7 +978,7 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt)
+ }
+ 
+ static int
+-identity_sign(struct identity *id, u_char **sigp, size_t *lenp,
+identity_sign(Authctxt *authctxt, struct identity *id, u_char **sigp, size_t *lenp,
+     const u_char *data, size_t datalen, u_int compat)
+ {
+ 	Key *prv;
+@@ -997,7 +997,7 @@ identity_sign(struct identity *id, u_char **sigp, size_t *lenp,
+ 		return (sshkey_sign(id->key, sigp, lenp, data, datalen,
+ 		    compat));
+ 	/* load the private key from the file */
+-	if ((prv = load_identity_file(id->filename, id->userprovided)) == NULL)
+	if ((prv = load_identity_file(authctxt, id->filename, id->userprovided)) == NULL)
+ 		return (-1); /* XXX return decent error code */
+ 	ret = sshkey_sign(prv, sigp, lenp, data, datalen, compat);
+ 	sshkey_free(prv);
+@@ -1052,7 +1052,7 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
+ 	buffer_put_string(&b, blob, bloblen);
+ 
+ 	/* generate signature */
+-	ret = identity_sign(id, &signature, &slen,
+	ret = identity_sign(authctxt, id, &signature, &slen,
+ 	    buffer_ptr(&b), buffer_len(&b), datafellows);
+ 	if (ret != 0) {
+ 		free(blob);
+@@ -1125,11 +1125,13 @@ send_pubkey_test(Authctxt *authctxt, Identity *id)
+ }
+ 
+ static Key *
+-load_identity_file(char *filename, int userprovided)
+load_identity_file(Authctxt *authctxt, char *filename, int userprovided)
+ {
+ 	Key *private;
+ 	char prompt[300], *passphrase;
+	char *comment = NULL;
+ 	int r, perm_ok = 0, quit = 0, i;
+	int agent_fd = -1;
+ 	struct stat st;
+ 
+ 	if (stat(filename, &st) < 0) {
+@@ -1151,8 +1153,23 @@ load_identity_file(char *filename, int userprovided)
+ 			}
+ 		}
+ 		switch ((r = sshkey_load_private_type(KEY_UNSPEC, filename,
+-		    passphrase, &private, NULL, &perm_ok))) {
+		    passphrase, &private, &comment, &perm_ok))) {
+ 		case 0:
+			ssh_get_authentication_socket(&agent_fd);
+			if (authctxt && agent_fd &&
+			    private && options.identity_persist) {
+				if (comment == NULL)
+					comment = xstrdup(filename);
+				if (ssh_add_identity_constrained(agent_fd,
+				    private, comment,
+				    options.identity_persist_lifetime,
+				    options.identity_persist_confirm) == 0) {
+					fprintf(stderr,
+					    "Identity added: %s (%s) %d\n",
+					    filename, comment, agent_fd);
+				}
+				free(comment);
+			}
+ 			break;
+ 		case SSH_ERR_KEY_WRONG_PASSPHRASE:
+ 			if (options.batch_mode) {
+@@ -1344,7 +1361,7 @@ userauth_pubkey(Authctxt *authctxt)
+ 			}
+ 		} else {
+ 			debug("Trying private key: %s", id->filename);
+-			id->key = load_identity_file(id->filename,
+			id->key = load_identity_file(authctxt, id->filename,
+ 			    id->userprovided);
+ 			if (id->key != NULL) {
+ 				id->isprivate = 1;
+-- 
+2.3.3
+
--- a/srcpkgs/openssh/template
+++ b/srcpkgs/openssh/template
@ -1,16 +1,18 @@
 # Template file for 'openssh'
 pkgname=openssh
 version=6.8p1
-revision=1
+revision=2
 build_style=gnu-configure
-configure_args="--without-tcp-wrappers --datadir=/usr/share/openssh
+configure_args="--datadir=/usr/share/openssh
 --sysconfdir=/etc/ssh --without-selinux --with-privsep-user=nobody
 --with-mantype=doc --without-rpath --with-xauth=/usr/bin/xauth
- --with-ssl-engine --disable-strip --with-privsep-path=/var/chroot/ssh
+ --disable-strip --with-privsep-path=/var/chroot/ssh
 --with-pid-dir=/run --with-pam --with-pie --without-kerberos5
- --with-ldns --without-ssh1 --with-libedit LD=$CC"
+ $(vopt_with ldns) $(vopt_if ssl --with-ssl-engine --without-openssl)
+ --without-ssh1 --with-libedit LD=$CC"
 hostmakedepends="automake libtool perl"
-makedepends="zlib-devel libressl-devel>=2.1.4 pam-devel libldns-devel libedit-devel"
+makedepends="zlib-devel pam-devel libedit-devel
+ $(vopt_if ssl 'libressl-devel>=2.1.4') $(vopt_if ldns libldns-devel)"
 short_desc="The OpenSSH implementation of SSH protocol"
 replaces="openssh-server>=0"
 conf_files="/etc/ssh/moduli /etc/ssh/ssh_config /etc/ssh/sshd_config /etc/pam.d/sshd"
@ -22,13 +24,13 @@ distfiles="ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$version.
 checksum=3ff64ce73ee124480b5bf767b9830d7d3c03bbcb6abe716b78f0192c37ce160e

 # Package build options
-build_options="systemd openssh_identitypersist"
+build_options="systemd openssh_identitypersist ldns ssl"
+build_options_default="ldns ssl"
 desc_option_openssh_identitypersist="add key to ssh-agent(1) upon connecting"

 pre_configure() {
 	if [ "$build_option_openssh_identitypersist" ]; then
-		$XBPS_FETCH_CMD "https://bugzilla.mindrot.org/attachment.cgi?id=2396>identpersist.patch"
-		patch -sNp1 -i identpersist.patch
+		patch -sNp0 -i ${FILESDIR}/openssh-6.8p1-identitypersist.patch
 		msg_normal "$pkgver: applied identitypersist patch.\n"
 	fi
 	autoreconf -fi