authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 08:23:18 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 08:23:18 +0000
commita598ae3ee009e375186625b34440bb06bc330dda (patch)
tree0a6eae443d047346a6ccf4d3d80fd12579a8694e
parentReleasing progress-linux version 1:9.7p1-3~progress7.99u1. (diff)
Merging debian version 1:9.7p1-4.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
-rw-r--r--debian/.git-dpm4
-rw-r--r--debian/changelog9
-rw-r--r--debian/control1
-rw-r--r--debian/patches/configure-cache-vars.patch137
-rw-r--r--debian/patches/debian-config.patch2
-rw-r--r--debian/patches/maxhostnamelen.patch2
-rw-r--r--debian/patches/regress-conch-dev-zero.patch2
-rw-r--r--debian/patches/restore-authorized_keys2.patch2
-rw-r--r--debian/patches/revert-ipqos-defaults.patch2
-rw-r--r--debian/patches/series1
-rw-r--r--debian/patches/skip-utimensat-test-on-zfs.patch2
-rw-r--r--debian/patches/systemd-readiness.patch272
-rw-r--r--debian/patches/systemd-socket-activation.patch86
-rw-r--r--debian/patches/zero-call-used-regs-m68k.patch2
-rwxr-xr-xdebian/rules7
15 files changed, 439 insertions, 92 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 430b68a..c9f38ee 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
# see git-dpm(1) from git-dpm package
-7dc177f6145fd9f52b0ba7a072c3fd4739720a65
-7dc177f6145fd9f52b0ba7a072c3fd4739720a65
+1506d4bbf5fa2d7a3d2f8ae77914dd46b10c40ea
+1506d4bbf5fa2d7a3d2f8ae77914dd46b10c40ea
cf05e8418c088a6e5712344cecaf6ee2d5eb550f
cf05e8418c088a6e5712344cecaf6ee2d5eb550f
openssh_9.7p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index b790dc3..11dd5cf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+openssh (1:9.7p1-4) unstable; urgency=medium
+
+ * Rework systemd readiness notification and socket activation patches to
+ not link against libsystemd (the former via an upstream patch).
+ * Force -fzero-call-used-regs=used not to be used on ppc64el (it's
+ unsupported, but configure fails to detect this).
+
+ -- Colin Watson <cjwatson@debian.org> Wed, 03 Apr 2024 12:06:08 +0100
+
openssh (1:9.7p1-3~progress7.99u1) graograman-backports; urgency=medium
* Uploading to graograman-backports, remaining changes:
diff --git a/debian/control b/debian/control
index c21abfb..3e1d8eb 100644
--- a/debian/control
+++ b/debian/control
@@ -14,7 +14,6 @@ Build-Depends: debhelper (>= 13.1~),
libpam0g-dev | libpam-dev,
libselinux1-dev [linux-any],
libssl-dev (>= 1.1.1),
- libsystemd-dev [linux-any] | libelogind-dev [linux-any],
libwrap0-dev | libwrap-dev,
pkgconf,
zlib1g-dev,
diff --git a/debian/patches/configure-cache-vars.patch b/debian/patches/configure-cache-vars.patch
new file mode 100644
index 0000000..a79f5f1
--- /dev/null
+++ b/debian/patches/configure-cache-vars.patch
@@ -0,0 +1,137 @@
+From 1506d4bbf5fa2d7a3d2f8ae77914dd46b10c40ea Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@debian.org>
+Date: Wed, 3 Apr 2024 11:52:04 +0100
+Subject: Add Autoconf cache variables for OSSH_CHECK_*FLAG_*
+
+This allows overriding them on configure's command line in case the
+automatic checks go wrong somehow. bz#3673
+
+Forwarded: https://bugzilla.mindrot.org/show_bug.cgi?id=3673#c3
+Last-Update: 2024-04-03
+
+Patch-Name: configure-cache-vars.patch
+---
+ m4/openssh.m4 | 42 ++++++++++++++++++++++++------------------
+ 1 file changed, 24 insertions(+), 18 deletions(-)
+
+diff --git a/m4/openssh.m4 b/m4/openssh.m4
+index 176a8d1c9..f420146f1 100644
+--- a/m4/openssh.m4
++++ b/m4/openssh.m4
+@@ -62,7 +62,8 @@ dnl Check that $CC accepts a flag 'check_flag'. If it is supported append
+ dnl 'define_flag' to $CFLAGS. If 'define_flag' is not specified, then append
+ dnl 'check_flag'.
+ AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{
+- AC_MSG_CHECKING([if $CC supports compile flag $1])
++ ossh_cache_var=AS_TR_SH([ossh_cv_cflag_$1])
++ AC_CACHE_CHECK([if $CC supports compile flag $1], [$ossh_cache_var], [
+ saved_CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS $WERROR $1"
+ _define_flag="$2"
+@@ -71,22 +72,23 @@ AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{
+ [
+ if $ac_cv_path_EGREP -i "unrecognized option|warning.*ignored" conftest.err >/dev/null
+ then
+- AC_MSG_RESULT([no])
++ eval "$ossh_cache_var=no"
+ CFLAGS="$saved_CFLAGS"
+ else
+ dnl If we are compiling natively, try running the program.
+ AC_RUN_IFELSE([OSSH_COMPILER_FLAG_TEST_PROGRAM],
+- [ AC_MSG_RESULT([yes])
++ [ eval "$ossh_cache_var=yes"
+ CFLAGS="$saved_CFLAGS $_define_flag" ],
+- [ AC_MSG_RESULT([no, fails at run time])
++ [ eval "$ossh_cache_var='no, fails at run time'"
+ CFLAGS="$saved_CFLAGS" ],
+- [ AC_MSG_RESULT([yes])
++ [ eval "$ossh_cache_var=yes"
+ CFLAGS="$saved_CFLAGS $_define_flag" ],
+ )
+ fi],
+- [ AC_MSG_RESULT([no])
++ [ eval "$ossh_cache_var=no"
+ CFLAGS="$saved_CFLAGS" ]
+ )
++ ])
+ }])
+
+ dnl OSSH_CHECK_CFLAG_LINK(check_flag[, define_flag])
+@@ -94,7 +96,8 @@ dnl Check that $CC accepts a flag 'check_flag'. If it is supported append
+ dnl 'define_flag' to $CFLAGS. If 'define_flag' is not specified, then append
+ dnl 'check_flag'.
+ AC_DEFUN([OSSH_CHECK_CFLAG_LINK], [{
+- AC_MSG_CHECKING([if $CC supports compile flag $1 and linking succeeds])
++ ossh_cache_var=AS_TR_SH([ossh_cv_cflag_$1])
++ AC_CACHE_CHECK([if $CC supports compile flag $1 and linking succeeds], [$ossh_cache_var], [
+ saved_CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS $WERROR $1"
+ _define_flag="$2"
+@@ -103,22 +106,23 @@ AC_DEFUN([OSSH_CHECK_CFLAG_LINK], [{
+ [
+ if $ac_cv_path_EGREP -i "unrecognized option|warning.*ignored" conftest.err >/dev/null
+ then
+- AC_MSG_RESULT([no])
++ eval "$ossh_cache_var=no"
+ CFLAGS="$saved_CFLAGS"
+ else
+ dnl If we are compiling natively, try running the program.
+ AC_RUN_IFELSE([OSSH_COMPILER_FLAG_TEST_PROGRAM],
+- [ AC_MSG_RESULT([yes])
++ [ eval "$ossh_cache_var=yes"
+ CFLAGS="$saved_CFLAGS $_define_flag" ],
+- [ AC_MSG_RESULT([no, fails at run time])
++ [ eval "$ossh_cache_var='no, fails at run time'"
+ CFLAGS="$saved_CFLAGS" ],
+- [ AC_MSG_RESULT([yes])
++ [ eval "$ossh_cache_var=yes"
+ CFLAGS="$saved_CFLAGS $_define_flag" ],
+ )
+ fi],
+- [ AC_MSG_RESULT([no])
++ [ eval "$ossh_cache_var=no"
+ CFLAGS="$saved_CFLAGS" ]
+ )
++ ])
+ }])
+
+ dnl OSSH_CHECK_LDFLAG_LINK(check_flag[, define_flag])
+@@ -126,7 +130,8 @@ dnl Check that $LD accepts a flag 'check_flag'. If it is supported append
+ dnl 'define_flag' to $LDFLAGS. If 'define_flag' is not specified, then append
+ dnl 'check_flag'.
+ AC_DEFUN([OSSH_CHECK_LDFLAG_LINK], [{
+- AC_MSG_CHECKING([if $LD supports link flag $1])
++ ossh_cache_var=AS_TR_SH([ossh_cv_ldflag_$1])
++ AC_CACHE_CHECK([if $LD supports link flag $1], [$ossh_cache_var], [
+ saved_LDFLAGS="$LDFLAGS"
+ LDFLAGS="$LDFLAGS $WERROR $1"
+ _define_flag="$2"
+@@ -135,22 +140,23 @@ AC_DEFUN([OSSH_CHECK_LDFLAG_LINK], [{
+ [
+ if $ac_cv_path_EGREP -i "unrecognized option|warning.*ignored" conftest.err >/dev/null
+ then
+- AC_MSG_RESULT([no])
++ eval "$ossh_cache_var=no"
+ LDFLAGS="$saved_LDFLAGS"
+ else
+ dnl If we are compiling natively, try running the program.
+ AC_RUN_IFELSE([OSSH_COMPILER_FLAG_TEST_PROGRAM],
+- [ AC_MSG_RESULT([yes])
++ [ eval "$ossh_cache_var=yes"
+ LDFLAGS="$saved_LDFLAGS $_define_flag" ],
+- [ AC_MSG_RESULT([no, fails at run time])
++ [ eval "$ossh_cache_var='no, fails at run time'"
+ LDFLAGS="$saved_LDFLAGS" ],
+- [ AC_MSG_RESULT([yes])
++ [ eval "$ossh_cache_var=yes"
+ LDFLAGS="$saved_LDFLAGS $_define_flag" ]
+ )
+ fi ],
+- [ AC_MSG_RESULT([no])
++ [ eval "$ossh_cache_var=no"
+ LDFLAGS="$saved_LDFLAGS" ]
+ )
++ ])
+ }])
+
+ dnl OSSH_CHECK_HEADER_FOR_FIELD(field, header, symbol)
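Review bot: In all three macros (OSSH_CHECK_CFLAG_COMPILE, OSSH_CHECK_CFLAG_LINK, OSSH_CHECK_LDFLAG_LINK) the `CFLAGS="$saved_CFLAGS $_define_flag"` and `LDFLAGS="$saved_LDFLAGS $_define_flag"` assignments now sit inside the AC_CACHE_CHECK body, which is skipped whenever the cache variable is already set. A preset `no` behaves as intended, but a cached or command-line `yes` (for example from a reused config.cache) reports the flag as supported and never appends it, so a flag such as the -fzero-call-used-regs=used check that debian/rules overrides in this commit could be dropped silently. The body should only set `$ossh_cache_var` and restore the saved flags; set `_define_flag` before the check and apply the result after the closing `])`, e.g. `if eval test \"x\$$ossh_cache_var\" = xyes; then CFLAGS="$CFLAGS $_define_flag"; fi`. OSSH_CHECK_CFLAG_COMPILE and OSSH_CHECK_CFLAG_LINK also share the `ossh_cv_cflag_` prefix, so a result cached by one would answer the other for the same flag; a distinct prefix for the link variant would keep them apart.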
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index f53bac5..ce3c1c0 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
-From 4f52dcf6ce616f6e674d6af0ceebb3e2f6b147a3 Mon Sep 17 00:00:00 2001
+From 04acdcf452c7a88ac8c37ca6870a571125fbc8da Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 9 Feb 2014 16:10:18 +0000
Subject: Various Debian-specific configuration changes
diff --git a/debian/patches/maxhostnamelen.patch b/debian/patches/maxhostnamelen.patch
index 4cfe801..bd5733b 100644
--- a/debian/patches/maxhostnamelen.patch
+++ b/debian/patches/maxhostnamelen.patch
@@ -1,4 +1,4 @@
-From 25f238231292eefa02a723b84de6428baca3b7ab Mon Sep 17 00:00:00 2001
+From 8bc03da34ff88845e6b10631719f872e81eaea74 Mon Sep 17 00:00:00 2001
From: Svante Signell <svante.signell@gmail.com>
Date: Fri, 5 Nov 2021 23:22:53 +0000
Subject: Define MAXHOSTNAMELEN on GNU/Hurd
diff --git a/debian/patches/regress-conch-dev-zero.patch b/debian/patches/regress-conch-dev-zero.patch
index fed6e66..bdf1449 100644
--- a/debian/patches/regress-conch-dev-zero.patch
+++ b/debian/patches/regress-conch-dev-zero.patch
@@ -1,4 +1,4 @@
-From 7dc177f6145fd9f52b0ba7a072c3fd4739720a65 Mon Sep 17 00:00:00 2001
+From 6bd1413e583b16d600b39b15203b5b78a4e77f0a Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 31 Mar 2024 00:24:11 +0000
Subject: regress: Redirect conch stdin from /dev/zero
diff --git a/debian/patches/restore-authorized_keys2.patch b/debian/patches/restore-authorized_keys2.patch
index a614c3c..9e540cf 100644
--- a/debian/patches/restore-authorized_keys2.patch
+++ b/debian/patches/restore-authorized_keys2.patch
@@ -1,4 +1,4 @@
-From 629d831d473ca49b8593e4a711012bb812e544b7 Mon Sep 17 00:00:00 2001
+From 06af6b2c9be423445bab0c964f4e85f439a91278 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 5 Mar 2017 02:02:11 +0000
Subject: Restore reading authorized_keys2 by default
diff --git a/debian/patches/revert-ipqos-defaults.patch b/debian/patches/revert-ipqos-defaults.patch
index 619328b..0b33aee 100644
--- a/debian/patches/revert-ipqos-defaults.patch
+++ b/debian/patches/revert-ipqos-defaults.patch
@@ -1,4 +1,4 @@
-From c6529b6eeabc3312e7b0c00c8451a496eb5d8ae6 Mon Sep 17 00:00:00 2001
+From d9fbfaf30a64cff9b4fdad1ff0974e239f29f7db Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Mon, 8 Apr 2019 10:46:29 +0100
Subject: Revert "upstream: Update default IPQoS in ssh(1), sshd(8) to DSCP
diff --git a/debian/patches/series b/debian/patches/series
index 90ac393..311759a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -27,6 +27,7 @@ systemd-socket-activation.patch
skip-utimensat-test-on-zfs.patch
zero-call-used-regs-m68k.patch
regress-conch-dev-zero.patch
+configure-cache-vars.patch
progress-linux/0001-ssh-keygen-default-rsa-size.patch
progress-linux/0002-ssh-keygen-default-ecdsa-size.patch
progress-linux/0003-ssh_config-update.patch
diff --git a/debian/patches/skip-utimensat-test-on-zfs.patch b/debian/patches/skip-utimensat-test-on-zfs.patch
index 7707531..6a50e08 100644
--- a/debian/patches/skip-utimensat-test-on-zfs.patch
+++ b/debian/patches/skip-utimensat-test-on-zfs.patch
@@ -1,4 +1,4 @@
-From 4c1c5dc36c96a8e6dd34fd43caf83d292a33b797 Mon Sep 17 00:00:00 2001
+From c295622811895faaf4c0be0820cbb919c80b1143 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Mon, 11 Mar 2024 16:24:49 +0000
Subject: Skip utimensat test on ZFS
diff --git a/debian/patches/systemd-readiness.patch b/debian/patches/systemd-readiness.patch
index 8f1e1ae..883e35b 100644
--- a/debian/patches/systemd-readiness.patch
+++ b/debian/patches/systemd-readiness.patch
@@ -1,84 +1,224 @@
-From b939a041afc3938937a3e9d2495202cf1a7b90ab Mon Sep 17 00:00:00 2001
-From: Michael Biebl <biebl@debian.org>
-Date: Mon, 21 Dec 2015 16:08:47 +0000
-Subject: Add systemd readiness notification support
+From 3d48cca71737962972c5bbd0171919ecbc348443 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Wed, 3 Apr 2024 14:40:32 +1100
+Subject: notify systemd on listen and reload
+Standalone implementation that does not depend on libsystemd.
+With assistance from Luca Boccassi, and feedback/testing from Colin
+Watson. bz2641
+
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c
Bug-Debian: https://bugs.debian.org/778913
-Forwarded: no
-Last-Update: 2017-08-22
+Last-Update: 2024-04-03
Patch-Name: systemd-readiness.patch
---
- configure.ac | 24 ++++++++++++++++++++++++
- sshd.c | 9 +++++++++
- 2 files changed, 33 insertions(+)
+ configure.ac | 1 +
+ openbsd-compat/port-linux.c | 97 ++++++++++++++++++++++++++++++++++++-
+ openbsd-compat/port-linux.h | 5 ++
+ platform.c | 11 +++++
+ platform.h | 1 +
+ sshd.c | 2 +
+ 6 files changed, 115 insertions(+), 2 deletions(-)
diff --git a/configure.ac b/configure.ac
-index 2b2c4f086..81f75eb85 100644
+index 2b2c4f086..c7b563ef2 100644
--- a/configure.ac
+++ b/configure.ac
-@@ -4950,6 +4950,29 @@ AC_SUBST([GSSLIBS])
- AC_SUBST([K5LIBS])
- AC_SUBST([CHANNELLIBS])
+@@ -939,6 +939,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
+ AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
+ AC_DEFINE([USE_BTMP])
+ AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
++ AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload])
+ inet6_default_4in6=yes
+ case `uname -r` in
+ 1.*|2.0.*)
+diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
+index 0394f4808..8e2824594 100644
+--- a/openbsd-compat/port-linux.c
++++ b/openbsd-compat/port-linux.c
+@@ -21,16 +21,23 @@
-+# Check whether user wants systemd support
-+SYSTEMD_MSG="no"
-+AC_ARG_WITH(systemd,
-+ [ --with-systemd Enable systemd support],
-+ [ if test "x$withval" != "xno" ; then
-+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
-+ if test "$PKGCONFIG" != "no"; then
-+ AC_MSG_CHECKING([for libsystemd])
-+ if $PKGCONFIG --exists libsystemd; then
-+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
-+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
-+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
-+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
-+ AC_MSG_RESULT([yes])
-+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
-+ SYSTEMD_MSG="yes"
-+ else
-+ AC_MSG_RESULT([no])
-+ fi
-+ fi
-+ fi ]
-+)
-+
- # Looking for programs, paths and files
+ #include "includes.h"
- PRIVSEP_PATH=/var/empty
-@@ -5769,6 +5792,7 @@ echo " libldns support: $LDNS_MSG"
- echo " Solaris process contract support: $SPC_MSG"
- echo " Solaris project support: $SP_MSG"
- echo " Solaris privilege support: $SPP_MSG"
-+echo " systemd support: $SYSTEMD_MSG"
- echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
- echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
- echo " BSD Auth support: $BSD_AUTH_MSG"
-diff --git a/sshd.c b/sshd.c
-index 8fab51ebb..b981e7758 100644
---- a/sshd.c
-+++ b/sshd.c
-@@ -88,6 +88,10 @@
- #include <prot.h>
+-#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST)
++#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) || \
++ defined(SYSTEMD_NOTIFY)
++#include <sys/socket.h>
++#include <sys/un.h>
++
+ #include <errno.h>
++#include <inttypes.h>
+ #include <stdarg.h>
+ #include <string.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <time.h>
+
+ #include "log.h"
+ #include "xmalloc.h"
+ #include "port-linux.h"
++#include "misc.h"
+
+ #ifdef WITH_SELINUX
+ #include <selinux/selinux.h>
+@@ -317,4 +324,90 @@ oom_adjust_restore(void)
+ return;
+ }
+ #endif /* LINUX_OOM_ADJUST */
+-#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */
++
++#ifdef SYSTEMD_NOTIFY
++
++static void ssh_systemd_notify(const char *, ...)
++ __attribute__((__format__ (printf, 1, 2))) __attribute__((__nonnull__ (1)));
++
++static void
++ssh_systemd_notify(const char *fmt, ...)
++{
++ char *s = NULL;
++ const char *path;
++ struct stat sb;
++ struct sockaddr_un addr;
++ int fd = -1;
++ va_list ap;
++
++ if ((path = getenv("NOTIFY_SOCKET")) == NULL || strlen(path) == 0)
++ return;
++
++ va_start(ap, fmt);
++ xvasprintf(&s, fmt, ap);
++ va_end(ap);
++
++ /* Only AF_UNIX is supported, with path or abstract sockets */
++ if (path[0] != '/' && path[0] != '@') {
++ error_f("socket \"%s\" is not compatible with AF_UNIX", path);
++ goto out;
++ }
++
++ if (path[0] == '/' && stat(path, &sb) != 0) {
++ error_f("socket \"%s\" stat: %s", path, strerror(errno));
++ goto out;
++ }
++
++ memset(&addr, 0, sizeof(addr));
++ addr.sun_family = AF_UNIX;
++ if (strlcpy(addr.sun_path, path,
++ sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) {
++ error_f("socket path \"%s\" too long", path);
++ goto out;
++ }
++ /* Support for abstract socket */
++ if (addr.sun_path[0] == '@')
++ addr.sun_path[0] = 0;
++ if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) {
++ error_f("socket \"%s\": %s", path, strerror(errno));
++ goto out;
++ }
++ if (connect(fd, &addr, sizeof(addr)) != 0) {
++ error_f("socket \"%s\" connect: %s", path, strerror(errno));
++ goto out;
++ }
++ if (write(fd, s, strlen(s)) != (ssize_t)strlen(s)) {
++ error_f("socket \"%s\" write: %s", path, strerror(errno));
++ goto out;
++ }
++ debug_f("socket \"%s\" notified %s", path, s);
++ out:
++ if (fd != -1)
++ close(fd);
++ free(s);
++}
++
++void
++ssh_systemd_notify_ready(void)
++{
++ ssh_systemd_notify("READY=1");
++}
++
++void
++ssh_systemd_notify_reload(void)
++{
++ struct timespec now;
++
++ monotime_ts(&now);
++ if (now.tv_sec < 0 || now.tv_nsec < 0) {
++ error_f("monotime returned negative value");
++ ssh_systemd_notify("RELOADING=1");
++ } else {
++ ssh_systemd_notify("RELOADING=1\nMONOTONIC_USEC=%llu",
++ ((uint64_t)now.tv_sec * 1000000ULL) +
++ ((uint64_t)now.tv_nsec / 1000ULL));
++ }
++}
++#endif /* SYSTEMD_NOTIFY */
++
++#endif /* WITH_SELINUX || LINUX_OOM_ADJUST || SYSTEMD_NOTIFY */
+diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
+index c88129428..6c4c37115 100644
+--- a/openbsd-compat/port-linux.h
++++ b/openbsd-compat/port-linux.h
+@@ -30,4 +30,9 @@ void oom_adjust_restore(void);
+ void oom_adjust_setup(void);
#endif
-+#ifdef HAVE_SYSTEMD
-+#include <systemd/sd-daemon.h>
++#ifdef SYSTEMD_NOTIFY
++void ssh_systemd_notify_ready(void);
++void ssh_systemd_notify_reload(void);
+#endif
+
- #include "xmalloc.h"
- #include "ssh.h"
- #include "ssh2.h"
-@@ -2101,6 +2105,11 @@ main(int ac, char **av)
- }
- }
+ #endif /* ! _PORT_LINUX_H */
+diff --git a/platform.c b/platform.c
+index 70c3a9b58..163a54a46 100644
+--- a/platform.c
++++ b/platform.c
+@@ -44,6 +44,14 @@ platform_pre_listen(void)
+ #endif
+ }
-+#ifdef HAVE_SYSTEMD
-+ /* Signal systemd that we are ready to accept connections */
-+ sd_notify(0, "READY=1");
++void
++platform_post_listen(void)
++{
++#ifdef SYSTEMD_NOTIFY
++ ssh_systemd_notify_ready();
+#endif
++}
++
+ void
+ platform_pre_fork(void)
+ {
+@@ -55,6 +63,9 @@ platform_pre_fork(void)
+ void
+ platform_pre_restart(void)
+ {
++#ifdef SYSTEMD_NOTIFY
++ ssh_systemd_notify_reload();
++#endif
+ #ifdef LINUX_OOM_ADJUST
+ oom_adjust_restore();
+ #endif
+diff --git a/platform.h b/platform.h
+index 027fdfb51..1b77c3e3d 100644
+--- a/platform.h
++++ b/platform.h
+@@ -21,6 +21,7 @@
+ void platform_pre_listen(void);
+ void platform_pre_fork(void);
+ void platform_pre_restart(void);
++void platform_post_listen(void);
+ void platform_post_fork_parent(pid_t child_pid);
+ void platform_post_fork_child(void);
+ int platform_privileged_uidswap(void);
+diff --git a/sshd.c b/sshd.c
+index 8fab51ebb..a18b85d1d 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -2085,6 +2085,8 @@ main(int ac, char **av)
+ ssh_signal(SIGTERM, sigterm_handler);
+ ssh_signal(SIGQUIT, sigterm_handler);
+
++ platform_post_listen();
+
- /* Accept a connection and return in a forked child */
- server_accept_loop(&sock_in, &sock_out,
- &newsock, config_s);
+ /*
+ * Write out the pid file after the sigterm handler
+ * is setup and the listen sockets are bound
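Review bot: The `connect(fd, &addr, sizeof(addr))` call in ssh_systemd_notify() passes the full size of `struct sockaddr_un` even for abstract sockets, where every byte covered by the address length is part of the name. The zero padding left by `memset` would then make the name differ from one bound with its exact length, so an `@`-style NOTIFY_SOCKET is likely to fail at connect and readiness would never be reported. Pass the real length and cast the pointer, which also removes the incompatible-pointer-type diagnostic: `connect(fd, (struct sockaddr *)&addr, offsetof(struct sockaddr_un, sun_path) + strlen(path))` (this needs `<stddef.h>`). The `stat()` call uses `struct stat` without `<sys/stat.h>` among the added includes; presumably includes.h supplies it, but that is not visible in this hunk.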
diff --git a/debian/patches/systemd-socket-activation.patch b/debian/patches/systemd-socket-activation.patch
index 9867ccf..d2c5284 100644
--- a/debian/patches/systemd-socket-activation.patch
+++ b/debian/patches/systemd-socket-activation.patch
@@ -1,4 +1,4 @@
-From d4af38f9aa8f2daa0ae01b994666116f1420d305 Mon Sep 17 00:00:00 2001
+From f01545e3f9350c080a525c246b9d46ba71cb0d09 Mon Sep 17 00:00:00 2001
From: Steve Langasek <steve.langasek@ubuntu.com>
Date: Thu, 1 Sep 2022 16:03:37 +0100
Subject: Support systemd socket activation
@@ -9,18 +9,32 @@ the child process handle the accept(). This lets us do delayed start
of the sshd daemon without becoming incompatible with config options
like ClientAliveCountMax.
-Last-Update: 2022-09-01
+Author: Colin Watson <cjwatson@debian.org>
+Last-Update: 2024-04-03
Patch-Name: systemd-socket-activation.patch
---
- sshd.c | 89 +++++++++++++++++++++++++++++++++++++++++++++++++---------
- 1 file changed, 75 insertions(+), 14 deletions(-)
+ configure.ac | 1 +
+ sshd.c | 131 +++++++++++++++++++++++++++++++++++++++++++++------
+ 2 files changed, 118 insertions(+), 14 deletions(-)
+diff --git a/configure.ac b/configure.ac
+index c7b563ef2..cdfb505bf 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -940,6 +940,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
+ AC_DEFINE([USE_BTMP])
+ AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
+ AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload])
++ AC_DEFINE([SYSTEMD_SOCKET_ACTIVATION], [1], [Have sshd accept systemd socket activation])
+ inet6_default_4in6=yes
+ case `uname -r` in
+ 1.*|2.0.*)
diff --git a/sshd.c b/sshd.c
-index b981e7758..565e17b16 100644
+index a18b85d1d..105c688e4 100644
--- a/sshd.c
+++ b/sshd.c
-@@ -140,10 +140,16 @@ int deny_severity;
+@@ -136,10 +136,18 @@ int deny_severity;
#endif /* LIBWRAP */
/* Re-exec fds */
@@ -28,8 +42,10 @@ index b981e7758..565e17b16 100644
-#define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2)
-#define REEXEC_CONFIG_PASS_FD (STDERR_FILENO + 3)
-#define REEXEC_MIN_FREE_FD (STDERR_FILENO + 4)
-+#ifdef HAVE_SYSTEMD
-+#define SYSTEMD_OFFSET sd_listen_fds(0)
++#ifdef SYSTEMD_SOCKET_ACTIVATION
++static int get_systemd_listen_fds(void);
++#define SYSTEMD_OFFSET get_systemd_listen_fds()
++#define SYSTEMD_LISTEN_FDS_START 3
+#else
+#define SYSTEMD_OFFSET 0
+#endif
@@ -41,11 +57,51 @@ index b981e7758..565e17b16 100644
extern char *__progname;
-@@ -1020,6 +1026,48 @@ server_accept_inetd(int *sock_in, int *sock_out)
+@@ -1016,6 +1024,88 @@ server_accept_inetd(int *sock_in, int *sock_out)
debug("inetd sockets after dupping: %d, %d", *sock_in, *sock_out);
}
-+#ifdef HAVE_SYSTEMD
++#ifdef SYSTEMD_SOCKET_ACTIVATION
++/*
++ * Get file descriptors passed by systemd; this implements the protocol
++ * described in the NOTES section of sd_listen_fds(3).
++ *
++ * We deliberately return 0 on error, so that the return value can safely be
++ * added as part of the REEXEC_*_FD macros without extra checks.
++ */
++static int
++get_systemd_listen_fds(void)
++{
++ const char *listen_pid_str, *listen_fds_str;
++ pid_t listen_pid;
++ int listen_fds;
++ const char *errstr = NULL;
++ int fd;
++
++ listen_pid_str = getenv("LISTEN_PID");
++ if (listen_pid_str == NULL)
++ return 0;
++ listen_pid = (pid_t)strtonum(listen_pid_str, 2, INT_MAX, &errstr);
++ if (errstr != NULL || getpid() != listen_pid)
++ return 0;
++
++ listen_fds_str = getenv("LISTEN_FDS");
++ if (listen_fds_str == NULL)
++ return 0;
++ listen_fds = (int)strtonum(listen_fds_str, 1,
++ INT_MAX - SYSTEMD_LISTEN_FDS_START, &errstr);
++ if (errstr != NULL)
++ return 0;
++
++ for (fd = SYSTEMD_LISTEN_FDS_START;
++ fd < SYSTEMD_LISTEN_FDS_START + listen_fds; fd++) {
++ if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1)
++ return 0;
++ }
++
++ return listen_fds;
++}
++
+/*
+ * Configure our socket fds that were passed from systemd
+ */
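Review bot: get_systemd_listen_fds() returns 0 without logging when LISTEN_PID or LISTEN_FDS fails to parse or when `fcntl(fd, F_SETFD, FD_CLOEXEC)` fails, and server_listen() (in the later hunks of this patch) treats 0 as "not socket-activated" and falls through to its `else` branch, apparently the ordinary listen path. A malformed environment therefore changes which sockets sshd listens on with nothing in the log to explain it. Keep the 0 return that the REEXEC_*_FD macros rely on, but separate the parse errors from the expected pid mismatch and report them, e.g. `if (errstr != NULL) { debug_f("LISTEN_FDS \"%s\": %s", listen_fds_str, errstr); return 0; }`. Because `SYSTEMD_OFFSET` expands to a call, the parsing and the fcntl loop run on every use of a REEXEC_*_FD macro; a comment at the `#define` saying so would help the next reader.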
@@ -90,11 +146,11 @@ index b981e7758..565e17b16 100644
/*
* Listen for TCP connections
*/
-@@ -1099,22 +1147,35 @@ static void
+@@ -1095,22 +1185,35 @@ static void
server_listen(void)
{
u_int i;
-+#ifdef HAVE_SYSTEMD
++#ifdef SYSTEMD_SOCKET_ACTIVATION
+ int systemd_socket_count;
+#endif
@@ -108,13 +164,13 @@ index b981e7758..565e17b16 100644
- free(options.listen_addrs[i].rdomain);
- memset(&options.listen_addrs[i], 0,
- sizeof(options.listen_addrs[i]));
-+#ifdef HAVE_SYSTEMD
-+ systemd_socket_count = sd_listen_fds(0);
++#ifdef SYSTEMD_SOCKET_ACTIVATION
++ systemd_socket_count = get_systemd_listen_fds();
+ if (systemd_socket_count > 0)
+ {
+ int i;
+ for (i = 0; i < systemd_socket_count; i++)
-+ setup_systemd_socket(SD_LISTEN_FDS_START + i);
++ setup_systemd_socket(SYSTEMD_LISTEN_FDS_START + i);
+ } else
+#endif
+ {
diff --git a/debian/patches/zero-call-used-regs-m68k.patch b/debian/patches/zero-call-used-regs-m68k.patch
index 1e90eaa..84cd0a8 100644
--- a/debian/patches/zero-call-used-regs-m68k.patch
+++ b/debian/patches/zero-call-used-regs-m68k.patch
@@ -1,4 +1,4 @@
-From 781d9de6499eb979e9f1a66242bcf58250a1f21e Mon Sep 17 00:00:00 2001
+From f81c7307956c509e0638e8272454677d59961950 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Thu, 21 Mar 2024 10:20:21 +0000
Subject: Extend -fzero-call-used-regs check to catch m68k gcc bug
diff --git a/debian/rules b/debian/rules
index 6184bef..6431a78 100755
--- a/debian/rules
+++ b/debian/rules
@@ -68,6 +68,12 @@ endif
# Always use the internal mkdtemp; see https://bugs.debian.org/1001186.
confflags += ac_cv_func_mkdtemp=no
+# ppc64el doesn't support -fzero-call-used-regs=used, but configure fails to
+# detect that.
+ifeq ($(DEB_HOST_ARCH),ppc64el)
+confflags += ossh_cv_cflag__fzero_call_used_regs_used=no
+endif
+
# Everything above here is common to the deb and udeb builds.
confflags_udeb := $(confflags)
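Review bot: The override `ossh_cv_cflag__fzero_call_used_regs_used=no` only works while its spelling matches what `AS_TR_SH([ossh_cv_cflag_$1])` in debian/patches/configure-cache-vars.patch generates. configure accepts an unknown VAR=value argument silently, so a rename of the cache variable would quietly re-enable the flag on ppc64el. Extend the comment to name the source of the variable, for example `# Cache variable defined by configure-cache-vars.patch (OSSH_CHECK_CFLAG_*); keep the name in sync.`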
@@ -80,7 +86,6 @@ confflags += --with-ssl-engine
ifeq ($(DEB_HOST_ARCH_OS),linux)
confflags += --with-selinux
confflags += --with-audit=linux
-confflags += --with-systemd
confflags += --with-security-key-builtin
endif