uboot: (firmwareOdroidC2/C4) don't invoke patch tool, use patches = [] instead

https://github.com/NixOS/nixpkgs/blob/master/pkgs/stdenv/generic/setup.sh#L948 this can do it nicely. Signed-off-by: Anton Arapov <anton@deadbeef.mx>
2021-04-03 12:58:10 +02:00 · 2021-04-03 12:58:10 +02:00 · 56de2bcd43
commit 56de2bcd43
30691 changed files with 3076956 additions and 0 deletions
--- a/pkgs/tools/networking/openssh/common.nix
+++ b/pkgs/tools/networking/openssh/common.nix
@ -0,0 +1,177 @@
+{ pname
+, version
+, extraDesc ? ""
+, src
+, extraPatches ? []
+, extraNativeBuildInputs ? []
+, extraConfigureFlags ? []
+, extraMeta ? {}
+}:
+
+{ lib, stdenv
+# This *is* correct, though unusual. as a way of getting krb5-config from the
+# package without splicing See: https://github.com/NixOS/nixpkgs/pull/107606
+, pkgs
+, fetchurl
+, fetchpatch
+, zlib
+, openssl
+, libedit
+, pkg-config
+, pam
+, libredirect
+, etcDir ? null
+, withKerberos ? !(stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isAarch64)
+, libkrb5
+, libfido2
+, hostname
+, nixosTests
+, withFIDO ? stdenv.hostPlatform.isUnix && !stdenv.hostPlatform.isMusl
+, linkOpenssl ? true
+}:
+
+with lib;
+stdenv.mkDerivation rec {
+  inherit pname version src;
+
+  patches = [
+    ./locale_archive.patch
+
+    (fetchurl {
+      url = "https://git.alpinelinux.org/aports/plain/main/openssh/gss-serv.c.patch?id=a7509603971ce2f3282486a43bb773b1b522af83";
+      sha256 = "sha256-eFFOd4B2nccRZAQWwdBPBoKWjfEdKEVGJvKZAzLu3HU=";
+    })
+
+    # See discussion in https://github.com/NixOS/nixpkgs/pull/16966
+    ./dont_create_privsep_path.patch
+  ] ++ extraPatches;
+
+  postPatch =
+    # On Hydra this makes installation fail (sometimes?),
+    # and nix store doesn't allow such fancy permission bits anyway.
+    ''
+      substituteInPlace Makefile.in --replace '$(INSTALL) -m 4711' '$(INSTALL) -m 0711'
+    '';
+
+  nativeBuildInputs = [ pkg-config ]
+    # This is not the same as the libkrb5 from the inputs! pkgs.libkrb5 is
+    # needed here to access krb5-config in order to cross compile. See:
+    # https://github.com/NixOS/nixpkgs/pull/107606
+    ++ optional withKerberos pkgs.libkrb5
+    ++ extraNativeBuildInputs;
+  buildInputs = [ zlib openssl libedit ]
+    ++ optional withFIDO libfido2
+    ++ optional withKerberos libkrb5
+    ++ optional stdenv.isLinux pam;
+
+  preConfigure = ''
+    # Setting LD causes `configure' and `make' to disagree about which linker
+    # to use: `configure' wants `gcc', but `make' wants `ld'.
+    unset LD
+  '';
+
+  # I set --disable-strip because later we strip anyway. And it fails to strip
+  # properly when cross building.
+  configureFlags = [
+    "--sbindir=\${out}/bin"
+    "--localstatedir=/var"
+    "--with-pid-dir=/run"
+    "--with-mantype=man"
+    "--with-libedit=yes"
+    "--disable-strip"
+    (if stdenv.isLinux then "--with-pam" else "--without-pam")
+  ] ++ optional (etcDir != null) "--sysconfdir=${etcDir}"
+    ++ optional withFIDO "--with-security-key-builtin=yes"
+    ++ optional withKerberos (assert libkrb5 != null; "--with-kerberos5=${libkrb5}")
+    ++ optional stdenv.isDarwin "--disable-libutil"
+    ++ optional (!linkOpenssl) "--without-openssl"
+    ++ extraConfigureFlags;
+
+  ${if stdenv.hostPlatform.isStatic then "NIX_LDFLAGS" else null}= [ "-laudit" ] ++ lib.optionals withKerberos [ "-lkeyutils" ];
+
+  buildFlags = [ "SSH_KEYSIGN=ssh-keysign" ];
+
+  enableParallelBuilding = true;
+
+  hardeningEnable = [ "pie" ];
+
+  doCheck = true;
+  enableParallelChecking = false;
+  checkInputs = optional (!stdenv.isDarwin) hostname;
+  preCheck = lib.optionalString (stdenv.hostPlatform == stdenv.buildPlatform) ''
+    # construct a dummy HOME
+    export HOME=$(realpath ../dummy-home)
+    mkdir -p ~/.ssh
+
+    # construct a dummy /etc/passwd file for the sshd under test
+    # to use to look up the connecting user
+    DUMMY_PASSWD=$(realpath ../dummy-passwd)
+    cat > $DUMMY_PASSWD <<EOF
+    $(whoami)::$(id -u):$(id -g)::$HOME:$SHELL
+    EOF
+
+    # we need to NIX_REDIRECTS /etc/passwd both for processes
+    # invoked directly and those invoked by the "remote" session
+    cat > ~/.ssh/environment.base <<EOF
+    NIX_REDIRECTS=/etc/passwd=$DUMMY_PASSWD
+    LD_PRELOAD=${libredirect}/lib/libredirect.so
+    EOF
+
+    # use an ssh environment file to ensure environment is set
+    # up appropriately for build environment even when no shell
+    # is invoked by the ssh session. otherwise the PATH will
+    # only contain default unix paths like /bin which we don't
+    # have in our build environment
+    cat - regress/test-exec.sh > regress/test-exec.sh.new <<EOF
+    cp $HOME/.ssh/environment.base $HOME/.ssh/environment
+    echo "PATH=\$PATH" >> $HOME/.ssh/environment
+    EOF
+    mv regress/test-exec.sh.new regress/test-exec.sh
+
+    # explicitly enable the PermitUserEnvironment feature
+    substituteInPlace regress/test-exec.sh \
+      --replace \
+        'cat << EOF > $OBJ/sshd_config' \
+        $'cat << EOF > $OBJ/sshd_config\n\tPermitUserEnvironment yes'
+
+    # some tests want to use files under /bin as example files
+    for f in regress/sftp-cmds.sh regress/forwarding.sh; do
+      substituteInPlace $f --replace '/bin' "$(dirname $(type -p ls))"
+    done
+
+    # set up NIX_REDIRECTS for direct invocations
+    set -a; source ~/.ssh/environment.base; set +a
+  '';
+  # integration tests hard to get working on darwin with its shaky
+  # sandbox
+  # t-exec tests fail on musl
+  checkTarget = optional (!stdenv.isDarwin && !stdenv.hostPlatform.isMusl) "t-exec"
+    # other tests are less demanding of the environment
+    ++ [ "unit" "file-tests" "interop-tests" ];
+
+  postInstall = ''
+    # Install ssh-copy-id, it's very useful.
+    cp contrib/ssh-copy-id $out/bin/
+    chmod +x $out/bin/ssh-copy-id
+    cp contrib/ssh-copy-id.1 $out/share/man/man1/
+  '';
+
+  installTargets = [ "install-nokeys" ];
+  installFlags = [
+    "sysconfdir=\${out}/etc/ssh"
+  ];
+
+  passthru.tests = {
+    borgbackup-integration = nixosTests.borgbackup;
+  };
+
+  meta = {
+    description = "An implementation of the SSH protocol${extraDesc}";
+    homepage = "https://www.openssh.com/";
+    changelog = "https://www.openssh.com/releasenotes.html";
+    license = licenses.bsd2;
+    platforms = platforms.unix ++ platforms.windows;
+    maintainers = (extraMeta.maintainers or []) ++ (with maintainers; [ eelco aneeshusa ]);
+    mainProgram = "ssh";
+  } // extraMeta;
+}
--- a/pkgs/tools/networking/openssh/copyid.nix
+++ b/pkgs/tools/networking/openssh/copyid.nix
@ -0,0 +1,11 @@
+{ runCommand, openssh }:
+
+runCommand "ssh-copy-id-${openssh.version}" {
+  meta = openssh.meta // {
+    description = "A tool to copy SSH public keys to a remote machine";
+    priority = (openssh.meta.priority or 0) - 1;
+  };
+} ''
+  install -Dm 755 {${openssh},$out}/bin/ssh-copy-id
+  install -Dm 644 {${openssh},$out}/share/man/man1/ssh-copy-id.1.gz
+''
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@ -0,0 +1,78 @@
+{ callPackage, lib, fetchurl, fetchpatch, fetchFromGitHub, autoreconfHook }:
+let
+  common = opts: callPackage (import ./common.nix opts) { };
+in
+{
+
+  openssh = common rec {
+    pname = "openssh";
+    version = "9.0p1";
+
+    src = fetchurl {
+      url = "mirror://openbsd/OpenSSH/portable/openssh-${version}.tar.gz";
+      sha256 = "12m2f9czvgmi7akp7xah6y7mrrpi280a3ksk47iwr7hy2q1475q3";
+    };
+
+    extraPatches = [ ./ssh-keysign-8.5.patch ];
+    extraMeta.maintainers = with lib.maintainers; [ das_j ];
+  };
+
+  openssh_hpn = common rec {
+    pname = "openssh-with-hpn";
+    version = "9.0p1";
+    extraDesc = " with high performance networking patches";
+
+    src = fetchurl {
+      url = "mirror://openbsd/OpenSSH/portable/openssh-${version}.tar.gz";
+      sha256 = "12m2f9czvgmi7akp7xah6y7mrrpi280a3ksk47iwr7hy2q1475q3";
+    };
+
+    extraPatches = [
+      ./ssh-keysign-8.5.patch
+
+      # HPN Patch from FreeBSD ports
+      (fetchpatch {
+        name = "ssh-hpn.patch";
+        url = "https://raw.githubusercontent.com/freebsd/freebsd-ports/ae66cffc19f357cbd51d5841c9b110a9ffd63e32/security/openssh-portable/files/extra-patch-hpn";
+        stripLen = 1;
+        sha256 = "sha256-p3CmMqTgrqFZUo4ZuqaPLczAhjmPufkCvptVW5dI+MI=";
+      })
+    ];
+
+    extraNativeBuildInputs = [ autoreconfHook ];
+
+    extraConfigureFlags = [ "--with-hpn" ];
+    extraMeta.maintainers = with lib.maintainers; [ abbe ];
+  };
+
+  openssh_gssapi = common rec {
+    pname = "openssh-with-gssapi";
+    version = "8.4p1";
+    extraDesc = " with GSSAPI support";
+
+    src = fetchurl {
+      url = "mirror://openbsd/OpenSSH/portable/openssh-${version}.tar.gz";
+      sha256 = "091b3pxdlj47scxx6kkf4agkx8c8sdacdxx8m1dw1cby80pd40as";
+    };
+
+    extraPatches = [
+      ./ssh-keysign-8.4.patch
+
+      # See https://github.com/openssh/openssh-portable/pull/206
+      ./ssh-copy-id-fix-eof.patch
+
+      (fetchpatch {
+        name = "openssh-gssapi.patch";
+        url = "https://salsa.debian.org/ssh-team/openssh/raw/debian/1%25${version}-2/debian/patches/gssapi.patch";
+        sha256 = "1z1ckzimlkm1dmr9f5fqjnjg28gsqcwx6xka0klak857548d2lp2";
+      })
+    ];
+
+    extraNativeBuildInputs = [ autoreconfHook ];
+
+    extraMeta.knownVulnerabilities = [
+      "CVE-2021-28041"
+      "CVE-2021-41617"
+    ];
+  };
+}
--- a/pkgs/tools/networking/openssh/dont_create_privsep_path.patch
+++ b/pkgs/tools/networking/openssh/dont_create_privsep_path.patch
@ -0,0 +1,12 @@
+diff --git i/Makefile.in w/Makefile.in
+index 04e1c8e5..9bd5d01b 100644
+--- i/Makefile.in
+++ w/Makefile.in
+@@ -329,7 +329,6 @@ install-files:
+ 	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)5
+ 	$(MKDIR_P) $(DESTDIR)$(mandir)/$(mansubdir)8
+ 	$(MKDIR_P) $(DESTDIR)$(libexecdir)
+-	$(MKDIR_P) -m 0755 $(DESTDIR)$(PRIVSEP_PATH)
+ 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
+ 	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
+ 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-add$(EXEEXT) $(DESTDIR)$(bindir)/ssh-add$(EXEEXT)
--- a/pkgs/tools/networking/openssh/locale_archive.patch
+++ b/pkgs/tools/networking/openssh/locale_archive.patch
@ -0,0 +1,15 @@
+diff --git i/session.c w/session.c
+index 58826db1..658dd911 100644
+--- i/session.c
+++ w/session.c
+@@ -1053,6 +1053,10 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
+ 	if (getenv("TZ"))
+ 		child_set_env(&env, &envsize, "TZ", getenv("TZ"));
+ 
+	/* NixOS path to the glibc locale archive, to be set in the systemd job */
+	if (getenv("LOCALE_ARCHIVE"))
+		child_set_env(&env, &envsize, "LOCALE_ARCHIVE", getenv("LOCALE_ARCHIVE"));
+
+ 	/* Set custom environment options from pubkey authentication. */
+ 	if (options.permit_user_env) {
+ 		for (n = 0 ; n < auth_opts->nenv; n++) {
--- a/pkgs/tools/networking/openssh/ssh-copy-id-fix-eof.patch
+++ b/pkgs/tools/networking/openssh/ssh-copy-id-fix-eof.patch
@ -0,0 +1,21 @@
+diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
+index 392f64f..a769077 100644
+--- a/contrib/ssh-copy-id
+++ b/contrib/ssh-copy-id
+@@ -247,7 +247,7 @@ installkeys_sh() {
+   #    the -z `tail ...` checks for a trailing newline. The echo adds one if was missing
+   #    the cat adds the keys we're getting via STDIN
+   #    and if available restorecon is used to restore the SELinux context
+-  INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF)
+  INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
+ 	cd;
+ 	umask 077;
+ 	mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
+@@ -258,6 +258,7 @@ installkeys_sh() {
+ 	  restorecon -F .ssh ${AUTH_KEY_FILE};
+ 	fi
+ EOF
+  )
+ 
+   # to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
+   printf "exec sh -c '%s'" "${INSTALLKEYS_SH}"
--- a/pkgs/tools/networking/openssh/ssh-keysign-8.4.patch
+++ b/pkgs/tools/networking/openssh/ssh-keysign-8.4.patch
@ -0,0 +1,29 @@
+diff --git a/pathnames.h b/pathnames.h
+index cb44caa4..354fdf05 100644
+--- a/pathnames.h
+++ b/pathnames.h
+@@ -124,7 +124,7 @@
+ 
+ /* Location of ssh-keysign for hostbased authentication */
+ #ifndef _PATH_SSH_KEY_SIGN
+-#define _PATH_SSH_KEY_SIGN		"/usr/libexec/ssh-keysign"
+#define _PATH_SSH_KEY_SIGN		"ssh-keysign"
+ #endif
+ 
+ /* Location of ssh-pkcs11-helper to support keys in tokens */
+diff --git a/sshconnect2.c b/sshconnect2.c
+index dffee90b..e9a86e59 100644
+--- a/sshconnect2.c
+++ b/sshconnect2.c
+@@ -1879,7 +1879,7 @@ ssh_keysign(struct ssh *ssh, struct sshkey *key, u_char **sigp, size_t *lenp,
+ 		closefrom(sock + 1);
+ 		debug3("%s: [child] pid=%ld, exec %s",
+ 		    __func__, (long)getpid(), _PATH_SSH_KEY_SIGN);
+-		execl(_PATH_SSH_KEY_SIGN, _PATH_SSH_KEY_SIGN, (char *)NULL);
+		execlp(_PATH_SSH_KEY_SIGN, _PATH_SSH_KEY_SIGN, (char *)NULL);
+ 		fatal("%s: exec(%s): %s", __func__, _PATH_SSH_KEY_SIGN,
+ 		    strerror(errno));
+ 	}
+-- 
+2.22.0
+
--- a/pkgs/tools/networking/openssh/ssh-keysign-8.5.patch
+++ b/pkgs/tools/networking/openssh/ssh-keysign-8.5.patch
@ -0,0 +1,24 @@
+diff --git a/pathnames.h b/pathnames.h
+index cb44caa4..354fdf05 100644
+--- a/pathnames.h
+++ b/pathnames.h
+@@ -124,7 +124,7 @@
+ 
+ /* Location of ssh-keysign for hostbased authentication */
+ #ifndef _PATH_SSH_KEY_SIGN
+-#define _PATH_SSH_KEY_SIGN		"/usr/libexec/ssh-keysign"
+#define _PATH_SSH_KEY_SIGN		"ssh-keysign"
+ #endif
+ 
+ /* Location of ssh-pkcs11-helper to support keys in tokens */
+--- a/sshconnect2.c
+++ b/sshconnect2.c
+@@ -2021,7 +2021,7 @@
+ 
+ 		debug3_f("[child] pid=%ld, exec %s",
+ 		    (long)getpid(), _PATH_SSH_KEY_SIGN);
+-		execl(_PATH_SSH_KEY_SIGN, _PATH_SSH_KEY_SIGN, (char *)NULL);
+		execlp(_PATH_SSH_KEY_SIGN, _PATH_SSH_KEY_SIGN, (char *)NULL);
+ 		fatal_f("exec(%s): %s", _PATH_SSH_KEY_SIGN,
+ 		    strerror(errno));
+ 	}