openssh: 7.7p1 -> 7.9p1 (#48784)

added openssh_gssapi to make it easier to test the patched version the HPN edition isn't available on top of 7.9p1 yet fix-host-key-algorithms-plus.patch didn't apply anymore, assuming it's fixed. release notes: https://www.openssh.com/txt/release-7.9
2018-10-26 01:17:55 +02:00 · 2018-10-26 01:17:55 +02:00 · 2337c7522a
commit 2337c7522a
parent 2cc4200de0
3 changed files with 10 additions and 66 deletions
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@ -13,39 +13,31 @@ let
  gssapiPatch = fetchpatch {
    name = "openssh-gssapi.patch";
    url = "https://salsa.debian.org/ssh-team/openssh/raw/"
-      + "e395eed38096fcda74398424ea94de3ec44effd5"
+      + "d80ebbf028196b2478beebf5a290b97f35e1eed9"
      + "/debian/patches/gssapi.patch";
-    sha256 = "0x7xysgdahb4jaq0f28g2d7yzp0d3mh59i4xnffszvjndhvbk27x";
+    sha256 = "14j9cabb3gkhkjc641zbiv29mbvsmgsvis3fbj8ywsd21zc7m2wv";
  };

 in
 with stdenv.lib;
 stdenv.mkDerivation rec {
  name = "openssh-${version}";
-  version = if hpnSupport then "7.7p1" else "7.7p1";
+  version = if hpnSupport then "7.8p1" else "7.9p1";

  src = if hpnSupport then
      fetchurl {
-        url = "https://github.com/rapier1/openssh-portable/archive/hpn-KitchenSink-7_7_P1.tar.gz";
-        sha256 = "1l4k8mg3gnzxbz53cma8s6ak56waz03ijsr08p8vgpi0c2rc5ri5";
+        url = "https://github.com/rapier1/openssh-portable/archive/hpn-KitchenSink-7_8_P1.tar.gz";
+        sha256 = "05q5hxx7fzcgd8a5i0zk4fwvmnz4xqk04j489irnwm7cka7xdqxw";
      }
    else
      fetchurl {
        url = "mirror://openbsd/OpenSSH/portable/${name}.tar.gz";
-        sha256 = "13vbbrvj3mmfhj83qyrg5c0ipr6bzw5s65dy4k8gr7p9hkkfffyp";
+        sha256 = "1b8sy6v0b8v4ggmknwcqx3y1rjcpsll0f1f8f4vyv11x4ni3njvb";
      };

  patches =
    [
-      # Remove on update!
-      (fetchpatch {
-        name = "fix-tunnel-forwarding.diff";
-        url = "https://github.com/openssh/openssh-portable/commit/cfb1d9bc767.diff";
-        sha256 = "1mszj7f1kj6bazr7asbi1bi4238lfpilpp98f6c1dn3py4fbsdg8";
-      })
-
      ./locale_archive.patch
-      ./fix-host-key-algorithms-plus.patch

      # See discussion in https://github.com/NixOS/nixpkgs/pull/16966
      ./dont_create_privsep_path.patch
--- a/pkgs/tools/networking/openssh/fix-host-key-algorithms-plus.patch
+++ b/pkgs/tools/networking/openssh/fix-host-key-algorithms-plus.patch
@ -1,52 +0,0 @@
-Specifying "HostKeyAlgorithms +ssh-dds" does not work properly because
-setting any value for HostKeyAlgorithms causes the known host keys to
-be ignored for the purpose of determining the priority of algorithms.
-This was fixed upstream for HostKeyAlgorithms in sshd_config, but not
-in ssh_config. The fix is to apply order_hostkeyalgs() if the user
-specifies a HostKeyAlgorithms starting with "+".
-
-diff -ru -x '*~' openssh-7.2p2-orig/sshconnect2.c openssh-7.2p2/sshconnect2.c
--- openssh-7.2p2-orig/sshconnect2.c	2016-03-09 19:04:48.000000000 +0100
-+++ openssh-7.2p2/sshconnect2.c	2016-04-01 15:39:45.140945902 +0200
-@@ -100,7 +100,7 @@
- }
- 
- static char *
-order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
-+order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port, char *algs)
- {
- 	char *oavail, *avail, *first, *last, *alg, *hostname, *ret;
- 	size_t maxlen;
-@@ -116,7 +116,7 @@
- 	for (i = 0; i < options.num_system_hostfiles; i++)
- 		load_hostkeys(hostkeys, hostname, options.system_hostfiles[i]);
- 
-	oavail = avail = xstrdup(KEX_DEFAULT_PK_ALG);
-+	oavail = avail = xstrdup(algs);
- 	maxlen = strlen(avail) + 1;
- 	first = xmalloc(maxlen);
- 	last = xmalloc(maxlen);
-@@ -181,18 +181,21 @@
- 	myproposal[PROPOSAL_MAC_ALGS_CTOS] =
- 	    myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
- 	if (options.hostkeyalgorithms != NULL) {
-+		int append = options.hostkeyalgorithms[0] == '+';
- 		if (kex_assemble_names(KEX_DEFAULT_PK_ALG,
- 		    &options.hostkeyalgorithms) != 0)
- 			fatal("%s: kex_assemble_namelist", __func__);
- 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
-		    compat_pkalg_proposal(options.hostkeyalgorithms);
-+		    compat_pkalg_proposal(append
-+			? order_hostkeyalgs(host, hostaddr, port, options.hostkeyalgorithms)
-+			: options.hostkeyalgorithms);
- 	} else {
- 		/* Enforce default */
- 		options.hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
- 		/* Prefer algorithms that we already have keys for */
- 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
- 		    compat_pkalg_proposal(
-		    order_hostkeyalgs(host, hostaddr, port));
-+		    order_hostkeyalgs(host, hostaddr, port, KEX_DEFAULT_PK_ALG));
- 	}
- 
- 	if (options.rekey_limit || options.rekey_interval)
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -4515,6 +4515,10 @@ with pkgs;

  openssh_hpn = pkgs.appendToName "with-hpn" (openssh.override { hpnSupport = true; });

+  openssh_gssapi = pkgs.appendToName "with-gssapi" (openssh.override {
+    withGssapiPatches = true;
+  });
+
  opensp = callPackage ../tools/text/sgml/opensp { };

  opentracker = callPackage ../applications/networking/p2p/opentracker { };