Diffstat (limited to 'debian/patches/systemd-readiness.patch')
-rw-r--r--debian/patches/systemd-readiness.patch272
1 files changed, 206 insertions, 66 deletions
diff --git a/debian/patches/systemd-readiness.patch b/debian/patches/systemd-readiness.patch
index 8f1e1ae..883e35b 100644
--- a/debian/patches/systemd-readiness.patch
+++ b/debian/patches/systemd-readiness.patch
@@ -1,84 +1,224 @@
-From b939a041afc3938937a3e9d2495202cf1a7b90ab Mon Sep 17 00:00:00 2001
-From: Michael Biebl <biebl@debian.org>
-Date: Mon, 21 Dec 2015 16:08:47 +0000
-Subject: Add systemd readiness notification support
+From 3d48cca71737962972c5bbd0171919ecbc348443 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Wed, 3 Apr 2024 14:40:32 +1100
+Subject: notify systemd on listen and reload
+Standalone implementation that does not depend on libsystemd.
+With assistance from Luca Boccassi, and feedback/testing from Colin
+Watson. bz2641
+
+Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c
Bug-Debian: https://bugs.debian.org/778913
-Forwarded: no
-Last-Update: 2017-08-22
+Last-Update: 2024-04-03
Patch-Name: systemd-readiness.patch
---
- configure.ac | 24 ++++++++++++++++++++++++
- sshd.c | 9 +++++++++
- 2 files changed, 33 insertions(+)
+ configure.ac | 1 +
+ openbsd-compat/port-linux.c | 97 ++++++++++++++++++++++++++++++++++++-
+ openbsd-compat/port-linux.h | 5 ++
+ platform.c | 11 +++++
+ platform.h | 1 +
+ sshd.c | 2 +
+ 6 files changed, 115 insertions(+), 2 deletions(-)
diff --git a/configure.ac b/configure.ac
-index 2b2c4f086..81f75eb85 100644
+index 2b2c4f086..c7b563ef2 100644
--- a/configure.ac
+++ b/configure.ac
-@@ -4950,6 +4950,29 @@ AC_SUBST([GSSLIBS])
- AC_SUBST([K5LIBS])
- AC_SUBST([CHANNELLIBS])
+@@ -939,6 +939,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
+ AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
+ AC_DEFINE([USE_BTMP])
+ AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
++ AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload])
+ inet6_default_4in6=yes
+ case `uname -r` in
+ 1.*|2.0.*)
+diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
+index 0394f4808..8e2824594 100644
+--- a/openbsd-compat/port-linux.c
++++ b/openbsd-compat/port-linux.c
+@@ -21,16 +21,23 @@
-+# Check whether user wants systemd support
-+SYSTEMD_MSG="no"
-+AC_ARG_WITH(systemd,
-+ [ --with-systemd Enable systemd support],
-+ [ if test "x$withval" != "xno" ; then
-+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
-+ if test "$PKGCONFIG" != "no"; then
-+ AC_MSG_CHECKING([for libsystemd])
-+ if $PKGCONFIG --exists libsystemd; then
-+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
-+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
-+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
-+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
-+ AC_MSG_RESULT([yes])
-+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
-+ SYSTEMD_MSG="yes"
-+ else
-+ AC_MSG_RESULT([no])
-+ fi
-+ fi
-+ fi ]
-+)
-+
- # Looking for programs, paths and files
+ #include "includes.h"
- PRIVSEP_PATH=/var/empty
-@@ -5769,6 +5792,7 @@ echo " libldns support: $LDNS_MSG"
- echo " Solaris process contract support: $SPC_MSG"
- echo " Solaris project support: $SP_MSG"
- echo " Solaris privilege support: $SPP_MSG"
-+echo " systemd support: $SYSTEMD_MSG"
- echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
- echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
- echo " BSD Auth support: $BSD_AUTH_MSG"
-diff --git a/sshd.c b/sshd.c
-index 8fab51ebb..b981e7758 100644
---- a/sshd.c
-+++ b/sshd.c
-@@ -88,6 +88,10 @@
- #include <prot.h>
+-#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST)
++#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) || \
++ defined(SYSTEMD_NOTIFY)
++#include <sys/socket.h>
++#include <sys/un.h>
++
+ #include <errno.h>
++#include <inttypes.h>
+ #include <stdarg.h>
+ #include <string.h>
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <time.h>
+
+ #include "log.h"
+ #include "xmalloc.h"
+ #include "port-linux.h"
++#include "misc.h"
+
+ #ifdef WITH_SELINUX
+ #include <selinux/selinux.h>
+@@ -317,4 +324,90 @@ oom_adjust_restore(void)
+ return;
+ }
+ #endif /* LINUX_OOM_ADJUST */
+-#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */
++
++#ifdef SYSTEMD_NOTIFY
++
++static void ssh_systemd_notify(const char *, ...)
++ __attribute__((__format__ (printf, 1, 2))) __attribute__((__nonnull__ (1)));
++
++static void
++ssh_systemd_notify(const char *fmt, ...)
++{
++ char *s = NULL;
++ const char *path;
++ struct stat sb;
++ struct sockaddr_un addr;
++ int fd = -1;
++ va_list ap;
++
++ if ((path = getenv("NOTIFY_SOCKET")) == NULL || strlen(path) == 0)
++ return;
++
++ va_start(ap, fmt);
++ xvasprintf(&s, fmt, ap);
++ va_end(ap);
++
++ /* Only AF_UNIX is supported, with path or abstract sockets */
++ if (path[0] != '/' && path[0] != '@') {
++ error_f("socket \"%s\" is not compatible with AF_UNIX", path);
++ goto out;
++ }
++
++ if (path[0] == '/' && stat(path, &sb) != 0) {
++ error_f("socket \"%s\" stat: %s", path, strerror(errno));
++ goto out;
++ }
++
++ memset(&addr, 0, sizeof(addr));
++ addr.sun_family = AF_UNIX;
++ if (strlcpy(addr.sun_path, path,
++ sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) {
++ error_f("socket path \"%s\" too long", path);
++ goto out;
++ }
++ /* Support for abstract socket */
++ if (addr.sun_path[0] == '@')
++ addr.sun_path[0] = 0;
++ if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) {
++ error_f("socket \"%s\": %s", path, strerror(errno));
++ goto out;
++ }
++ if (connect(fd, &addr, sizeof(addr)) != 0) {
++ error_f("socket \"%s\" connect: %s", path, strerror(errno));
++ goto out;
++ }
++ if (write(fd, s, strlen(s)) != (ssize_t)strlen(s)) {
++ error_f("socket \"%s\" write: %s", path, strerror(errno));
++ goto out;
++ }
++ debug_f("socket \"%s\" notified %s", path, s);
++ out:
++ if (fd != -1)
++ close(fd);
++ free(s);
++}
++
++void
++ssh_systemd_notify_ready(void)
++{
++ ssh_systemd_notify("READY=1");
++}
++
++void
++ssh_systemd_notify_reload(void)
++{
++ struct timespec now;
++
++ monotime_ts(&now);
++ if (now.tv_sec < 0 || now.tv_nsec < 0) {
++ error_f("monotime returned negative value");
++ ssh_systemd_notify("RELOADING=1");
++ } else {
++ ssh_systemd_notify("RELOADING=1\nMONOTONIC_USEC=%llu",
++ ((uint64_t)now.tv_sec * 1000000ULL) +
++ ((uint64_t)now.tv_nsec / 1000ULL));
++ }
++}
++#endif /* SYSTEMD_NOTIFY */
++
++#endif /* WITH_SELINUX || LINUX_OOM_ADJUST || SYSTEMD_NOTIFY */
+diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
+index c88129428..6c4c37115 100644
+--- a/openbsd-compat/port-linux.h
++++ b/openbsd-compat/port-linux.h
+@@ -30,4 +30,9 @@ void oom_adjust_restore(void);
+ void oom_adjust_setup(void);
#endif
-+#ifdef HAVE_SYSTEMD
-+#include <systemd/sd-daemon.h>
++#ifdef SYSTEMD_NOTIFY
++void ssh_systemd_notify_ready(void);
++void ssh_systemd_notify_reload(void);
+#endif
+
- #include "xmalloc.h"
- #include "ssh.h"
- #include "ssh2.h"
-@@ -2101,6 +2105,11 @@ main(int ac, char **av)
- }
- }
+ #endif /* ! _PORT_LINUX_H */
+diff --git a/platform.c b/platform.c
+index 70c3a9b58..163a54a46 100644
+--- a/platform.c
++++ b/platform.c
+@@ -44,6 +44,14 @@ platform_pre_listen(void)
+ #endif
+ }
-+#ifdef HAVE_SYSTEMD
-+ /* Signal systemd that we are ready to accept connections */
-+ sd_notify(0, "READY=1");
++void
++platform_post_listen(void)
++{
++#ifdef SYSTEMD_NOTIFY
++ ssh_systemd_notify_ready();
+#endif
++}
++
+ void
+ platform_pre_fork(void)
+ {
+@@ -55,6 +63,9 @@ platform_pre_fork(void)
+ void
+ platform_pre_restart(void)
+ {
++#ifdef SYSTEMD_NOTIFY
++ ssh_systemd_notify_reload();
++#endif
+ #ifdef LINUX_OOM_ADJUST
+ oom_adjust_restore();
+ #endif
+diff --git a/platform.h b/platform.h
+index 027fdfb51..1b77c3e3d 100644
+--- a/platform.h
++++ b/platform.h
+@@ -21,6 +21,7 @@
+ void platform_pre_listen(void);
+ void platform_pre_fork(void);
+ void platform_pre_restart(void);
++void platform_post_listen(void);
+ void platform_post_fork_parent(pid_t child_pid);
+ void platform_post_fork_child(void);
+ int platform_privileged_uidswap(void);
+diff --git a/sshd.c b/sshd.c
+index 8fab51ebb..a18b85d1d 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -2085,6 +2085,8 @@ main(int ac, char **av)
+ ssh_signal(SIGTERM, sigterm_handler);
+ ssh_signal(SIGQUIT, sigterm_handler);
+
++ platform_post_listen();
+
- /* Accept a connection and return in a forked child */
- server_accept_loop(&sock_in, &sock_out,
- &newsock, config_s);
+ /*
+ * Write out the pid file after the sigterm handler
+ * is setup and the listen sockets are bound
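Review bot: In the added ssh_systemd_notify(), `connect(fd, &addr, sizeof(addr))` passes a `struct sockaddr_un *` where connect() takes a `struct sockaddr *`; compilers warn about this and recent GCC treats it as an error by default, so the call should read `connect(fd, (struct sockaddr *)&addr, sizeof(addr))`. The same call passes `sizeof(addr)` in the abstract-socket (`@`) case as well, so the zero padding of `sun_path` becomes part of the abstract name and will likely not match a notify socket bound with its exact name length; passing `offsetof(struct sockaddr_un, sun_path) + strlen(path)` as the length for that case avoids the mismatch. In ssh_systemd_notify_reload() the `%llu` conversion is handed a `uint64_t` expression, which does not match the format on platforms where `uint64_t` is `unsigned long`; cast the argument to `(unsigned long long)` or use `PRIu64`, given that `<inttypes.h>` is now included. NOTIFY_SOCKET comes from the daemon's environment and is only checked for a leading `/` or `@`, so a short comment above the getenv() call stating that the service manager is trusted to set it would document that assumption.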