From 6931d8352352ff7ba35beae2b6a05a2b7d72b5e4 Mon Sep 17 00:00:00 2001
From: Alarig Le Lay
Date: Sat, 14 Jan 2023 11:51:48 +0100
Subject: [PATCH] net-misc/openssh: patch for getentropy fallback
---
.../files/openssh-9.1_p1-getentropy.patch | 69 +++++++++++++++++++
net-misc/openssh/openssh-9.1_p1-r1.ebuild | 4 +-
2 files changed, 71 insertions(+), 2 deletions(-)
create mode 100644 net-misc/openssh/files/openssh-9.1_p1-getentropy.patch
diff --git a/net-misc/openssh/files/openssh-9.1_p1-getentropy.patch b/net-misc/openssh/files/openssh-9.1_p1-getentropy.patch
new file mode 100644
index 0000000..e1f5110
--- /dev/null
+++ b/net-misc/openssh/files/openssh-9.1_p1-getentropy.patch
@@ -0,0 +1,69 @@
+diff --git a/openbsd-compat/arc4random.c b/openbsd-compat/arc4random.c
+index 02f15f9c..ffd33734 100644
+--- a/openbsd-compat/arc4random.c
++++ b/openbsd-compat/arc4random.c
+@@ -44,13 +44,15 @@
+ #ifndef HAVE_ARC4RANDOM
+ 
+ /*
+- * If we're not using a native getentropy, use the one from bsd-getentropy.c
+- * under a different name, so that if in future these binaries are run on
+- * a system that has a native getentropy OpenSSL cannot call the wrong one.
++ * Always use the getentropy implementation from bsd-getentropy.c, which
++ * will call a native getentropy if available then fall back as required.
++ * We use a different name so that OpenSSL cannot call the wrong getentropy.
+ */
+-#ifndef HAVE_GETENTROPY
+-# define getentropy(x, y) (_ssh_compat_getentropy((x), (y)))
++int _ssh_compat_getentropy(void *, size_t);
++#ifdef getentropy
++# undef getentropy
+ #endif
++#define getentropy(x, y) (_ssh_compat_getentropy((x), (y)))
+ 
+ #include "log.h"
+ 
+diff --git a/openbsd-compat/bsd-getentropy.c b/openbsd-compat/bsd-getentropy.c
+index bd4b6695..554dfad7 100644
+--- a/openbsd-compat/bsd-getentropy.c
++++ b/openbsd-compat/bsd-getentropy.c
+@@ -18,8 +18,6 @@
+ 
+ #include "includes.h"
+ 
+-#ifndef HAVE_GETENTROPY
+-
+ #ifndef SSH_RANDOM_DEV
+# define SSH_RANDOM_DEV "/dev/urandom"
+ #endif /* SSH_RANDOM_DEV */
+@@ -52,6 +50,10 @@ _ssh_compat_getentropy(void *s, size_t len)
+ ssize_t r;
+ size_t o = 0;
+ 
++#ifdef HAVE_GETENTROPY
++ if (r = getentropy(s, len) == 0)
++ return 0;
++#endif /* HAVE_GETENTROPY */
+ #ifdef HAVE_GETRANDOM
+ if ((r = getrandom(s, len, 0)) > 0 && (size_t)r == len)
+ return 0;
+@@ -79,4 +81,3 @@ _ssh_compat_getentropy(void *s, size_t len)
+ #endif /* WITH_OPENSSL */
+ return 0;
+ }
+-#endif /* WITH_GETENTROPY */
+diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
+index 4af207cd..8f815090 100644
+--- a/openbsd-compat/openbsd-compat.h
++++ b/openbsd-compat/openbsd-compat.h
+@@ -69,10 +69,6 @@ void closefrom(int);
+ int ftruncate(int filedes, off_t length);
+ #endif
+ 
+-#if defined(HAVE_DECL_GETENTROPY) && HAVE_DECL_GETENTROPY == 0
+-int _ssh_compat_getentropy(void *, size_t);
+-#endif
+-
+ #ifndef HAVE_GETLINE
+ #include
+ ssize_t getline(char **, size_t *, FILE *);
diff --git a/net-misc/openssh/openssh-9.1_p1-r1.ebuild b/net-misc/openssh/openssh-9.1_p1-r1.ebuild
index 1f5c19c..f34e43e 100644
--- a/net-misc/openssh/openssh-9.1_p1-r1.ebuild
+++ b/net-misc/openssh/openssh-9.1_p1-r1.ebuild
@@ -51,7 +51,7 @@ LICENSE="BSD GPL-2"
 SLOT="0"
 KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
 # Probably want to drop ssl defaulting to on in a future version.
-IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie +sandbox sctp security-key selinux +ssl static test X X509 xmss"
+IUSE="abi_mips_n32 audit debug hpn kerberos ldns libedit livecd pam +pie sctp security-key selinux +ssl static test X X509 xmss"
 RESTRICT="!test? ( test )"
@@ -124,6 +124,7 @@ PATCHES=(
 "${FILESDIR}/${PN}-8.9_p1-allow-ppoll_time64.patch" #834019
 "${FILESDIR}/${PN}-8.9_p1-gss-use-HOST_NAME_MAX.patch" #834044
 "${FILESDIR}/${PN}-9.1_p1-build-tests.patch"
+ "${FILESDIR}/${P}-getentropy.patch"
 )
 pkg_pretend() {
@@ -342,7 +343,6 @@ src_configure() {
 $(use_with ssl openssl)
 $(use_with ssl ssl-engine)
 $(use_with !elibc_Cygwin hardening) #659210
- $(use_with sandbox sandbox)
 )
 if use elibc_musl; then
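Review bot: The new native-getentropy check added to `_ssh_compat_getentropy` in the bsd-getentropy.c hunk at `@@ -52,6 +50,10 @@` is written `if (r = getentropy(s, len) == 0)`, which parses as `r = (getentropy(s, len) == 0)` because `==` binds tighter than `=`; the early `return 0` is still taken on success, but `r` is left holding the comparison result instead of the return value and -Wall reports it under -Wparentheses. Either drop the assignment, `if (getentropy(s, len) == 0)`, or parenthesize it, `if ((r = getentropy(s, len)) == 0)`, so the intent is unambiguous and the warning goes away. A one-line comment above the `#ifdef`, `/* Prefer the native call; on failure fall through to getrandom() and then SSH_RANDOM_DEV. */`, would also make the deliberate silent fallback explicit, since that is the whole point of the patch and a reader may otherwise expect the native failure to be reported. Note that common getentropy(3) implementations refuse requests larger than 256 bytes, so for such a `len` the fallback path rather than the native call serves the request; that looks acceptable here, but is worth knowing when reasoning about which source actually fed the PRNG. The body of `_ssh_compat_getentropy` starts and ends outside this hunk, so I could not confirm from the visible lines that the later fallback code never reads the stale `r` left by a failed native call (presumably harmless, as the getrandom branch reassigns it).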
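Review bot: Dropping `$(use_with sandbox sandbox)` from src_configure in the last ebuild hunk (together with `+sandbox` in the IUSE hunk) is unrelated to the getentropy fix named in the subject line and quietly changes how the privilege-separation sandbox is selected, which is a hardening setting that deserves either its own commit or at least a sentence in the message. With the option gone configure is left to its own sandbox auto-detection, which as far as I recall is the same thing `--with-sandbox` without a value requested, so the default build most likely still ends up with seccomp_filter on Linux; that should be confirmed on a resulting build (for instance by checking the generated config.h for `SANDBOX_SECCOMP_FILTER`) rather than assumed. Users who set `USE=-sandbox` also lose the explicit `--without-sandbox` path without any notice, which is fine if that is the intent but should be stated. If the removal is deliberate, add a line to the commit message such as `Also drop the sandbox USE flag: configure auto-detects the sandbox type, so --with-sandbox was a no-op and --without-sandbox is not a configuration we want to offer.` adjusted to the actual reasoning.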