Index: head/security/openssh-portable/Makefile
===================================================================
--- head/security/openssh-portable/Makefile (revision 374832)
+++ head/security/openssh-portable/Makefile (revision 374833)
@@ -1,267 +1,263 @@
# Created by: dwcjr@inethouston.net
# $FreeBSD$
PORTNAME= openssh
DISTVERSION= 6.7p1
-PORTREVISION= 0
+PORTREVISION= 1
PORTEPOCH= 1
CATEGORIES= security ipv6
MASTER_SITES= ${MASTER_SITE_OPENBSD}
MASTER_SITE_SUBDIR= OpenSSH/portable
PKGNAMESUFFIX?= -portable
MAINTAINER= bdrewery@FreeBSD.org
COMMENT= The portable version of OpenBSD's OpenSSH
#LICENSE= BSD2,BSD3,MIT,public domain,BSD-Style,BEER-WARE,"any purpose with notice intact",ISC-Style
#LICENSE_FILE= ${WRKSRC}/LICENCE
CONFLICTS?= openssh-3.* ssh-1.* ssh2-3.*
USES= alias
USE_AUTOTOOLS= autoconf autoheader
USE_OPENSSL= yes
GNU_CONFIGURE= yes
CONFIGURE_ENV= ac_cv_func_strnvis=no
CONFIGURE_ARGS= --prefix=${PREFIX} --with-md5-passwords \
--without-zlib-version-check --with-ssl-engine
PRECIOUS= ssh_config sshd_config ssh_host_key ssh_host_key.pub \
ssh_host_rsa_key ssh_host_rsa_key.pub ssh_host_dsa_key \
ssh_host_dsa_key.pub
ETCOLD= ${PREFIX}/etc
SUDO?= # empty
MAKE_ENV+= SUDO="${SUDO}"
OPTIONS_DEFINE= PAM TCP_WRAPPERS LIBEDIT BSM \
HPN X509 KERB_GSSAPI \
OVERWRITE_BASE SCTP AES_THREADED LDNS NONECIPHER
-OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS LDNS
+OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS HPN LDNS NONECIPHER
OPTIONS_RADIO= KERBEROS
OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE
TCP_WRAPPERS_DESC= tcp_wrappers support
BSM_DESC= OpenBSM Auditing
KERB_GSSAPI_DESC= Kerberos/GSSAPI patch (req: GSSAPI)
-HPN_DESC= HPN-SSH patch [BROKEN]
+HPN_DESC= HPN-SSH patch
LDNS_DESC= SSHFP/LDNS support
X509_DESC= x509 certificate patch
SCTP_DESC= SCTP support
OVERWRITE_BASE_DESC= OpenSSH overwrite base
HEIMDAL_DESC= Heimdal Kerberos (security/heimdal)
HEIMDAL_BASE_DESC= Heimdal Kerberos (base)
MIT_DESC= MIT Kerberos (security/krb5)
-AES_THREADED_DESC= Threaded AES-CTR [BROKEN]
-NONECIPHER_DESC= NONE Cipher support [BROKEN]
+AES_THREADED_DESC= Threaded AES-CTR
+NONECIPHER_DESC= NONE Cipher support
OPTIONS_SUB= yes
PLIST_SUB+= MANPREFIX=${MANPREFIX}
TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers
LDNS_CONFIGURE_WITH= ldns
LDNS_LIB_DEPENDS= libldns.so:${PORTSDIR}/dns/ldns
LDNS_EXTRA_PATCHES= ${FILESDIR}/extra-patch-ldns
LDNS_CFLAGS= -I${LOCALBASE}/include
LDNS_CONFIGURE_ON= --with-ldflags='-L${LOCALBASE}/lib'
# http://www.psc.edu/index.php/hpn-ssh
HPN_EXTRA_PATCHES= ${FILESDIR}/extra-patch-hpn-window-size
HPN_CONFIGURE_WITH= hpn
NONECIPHER_CONFIGURE_WITH= nonecipher
AES_THREADED_CONFIGURE_WITH= aes-threaded
# See http://www.roumenpetrov.info/openssh/
X509_VERSION= 8.2
X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509
X509_PATCHFILES= ${PORTNAME}-6.7p1+x509-${X509_VERSION}.diff.gz:-p1:x509
# See https://bugzilla.mindrot.org/show_bug.cgi?id=2016
SCTP_PATCHFILES= ${PORTNAME}-6.7p1-sctp-2496.patch.gz:-p1
SCTP_CONFIGURE_WITH= sctp
# 6.7 patch taken from
# http://sources.debian.net/data/main/o/openssh/1:6.7p1-3/debian/patches/gssapi.patch
# which was originally based on 5.7 patch from
# http://www.sxw.org.uk/computing/patches/
KERB_GSSAPI_PATCHFILES= openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz:-p1:gsskex
MIT_LIB_DEPENDS= libkrb5.so.3:${PORTSDIR}/security/krb5
HEIMDAL_LIB_DEPENDS= libkrb5.so.26:${PORTSDIR}/security/heimdal
PAM_CONFIGURE_WITH= pam
TCP_WRAPPERS_CONFIGURE_WITH= tcp-wrappers
LIBEDIT_CONFIGURE_WITH= libedit
BSM_CONFIGURE_ON= --with-audit=bsm
.include
PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn,gsskex
# X509 patch includes TCP Wrapper support already
.if ${PORT_OPTIONS:MX509}
EXTRA_PATCHES:= ${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA_PATCHES}}
.endif
# http://www.psc.edu/index.php/hpn-ssh
.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER}
PORTDOCS+= HPN-README
-HPN_VERSION= 14v2
-HPN_DISTVERSION= 6.6.1p1
-PATCH_SITES+= ${MASTER_SITE_SOURCEFORGE:S/$/:hpn/}
-PATCH_SITE_SUBDIR+= hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn
+HPN_VERSION= 14v5
+HPN_DISTVERSION= 6.7p1
+#PATCH_SITES+= ${MASTER_SITE_SOURCEFORGE:S/$/:hpn/}
+#PATCH_SITE_SUBDIR+= hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn
PATCHFILES+= ${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-build-options
# Remove HPN if only AES requested
. if !${PORT_OPTIONS:MHPN}
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-no-hpn
. endif
.endif
.if ${OSVERSION} >= 900000
CONFIGURE_LIBS+= -lutil
.endif
# 900007 is when utmp(5) was removed and utmpx(3) added
.if ${OSVERSION} >= 900007
CONFIGURE_ARGS+= --disable-utmp --disable-wtmp --disable-wtmpx --without-lastlog
.else
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-sshd-utmp-size
-.endif
-
-.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER}
-BROKEN= HPN does not apply yet. Use security/openssh-portable66
.endif
.if ${PORT_OPTIONS:MX509}
. if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER}
BROKEN= X509 patch and HPN patch do not apply cleanly together
. endif
. if ${PORT_OPTIONS:MSCTP}
BROKEN= X509 patch and SCTP patch do not apply cleanly together
. endif
. if ${PORT_OPTIONS:MKERB_GSSAPI}
BROKEN= X509 patch incompatible with KERB_GSSAPI patch
. endif
.endif
.if ${PORT_OPTIONS:MHEIMDAL_BASE} && ${PORT_OPTIONS:MKERB_GSSAPI}
BROKEN= KERB_GSSAPI Requires either MIT or HEMIDAL, does not build with base Heimdal currently
.endif
.if ${PORT_OPTIONS:MHEIMDAL_BASE} && !exists(/usr/lib/libkrb5.so)
IGNORE= you have selected HEIMDAL_BASE but do not have heimdal installed in base
.endif
.if ${PORT_OPTIONS:MPAM} && !exists(/usr/include/security/pam_modules.h)
IGNORE= PAM must be installed in base
.endif
.if ${PORT_OPTIONS:MTCP_WRAPPERS} && !exists(/usr/include/tcpd.h)
IGNORE= required /usr/include/tcpd.h missing
.endif
.if defined(OPENSSH_OVERWRITE_BASE)
PORT_OPTIONS+= OVERWRITE_BASE
.endif
.if ${PORT_OPTIONS:MMIT} || ${PORT_OPTIONS:MHEIMDAL} || ${PORT_OPTIONS:MHEIMDAL_BASE}
. if ${PORT_OPTIONS:MHEIMDAL_BASE}
CONFIGURE_LIBS+= -lgssapi_krb5
CONFIGURE_ARGS+= --with-kerberos5=/usr
. else
CONFIGURE_ARGS+= --with-kerberos5=${LOCALBASE}
. endif
. if ${OPENSSLBASE} == "/usr"
CONFIGURE_ARGS+= --without-rpath
LDFLAGS= # empty
. endif
.else
. if ${PORT_OPTIONS:MKERB_GSSAPI}
IGNORE= KERB_GSSAPI requires one of MIT HEIMDAL or HEIMDAL_BASE
. endif
.endif
.if ${OPENSSLBASE} != "/usr"
CONFIGURE_ARGS+= --with-ssl-dir=${OPENSSLBASE}
.endif
EMPTYDIR= /var/empty
.if ${PORT_OPTIONS:MOVERWRITE_BASE}
# XXX: Mark this BROKEN rather than remove the option to force people to notice for POLA.
DEPRECATED= Overwrite-base option/port/pkg will be removed. There is no real need for foot-shooting.
EXPIRATION_DATE= 2015-01-01
WITH_OPENSSL_BASE= yes
CONFIGURE_ARGS+= --localstatedir=/var
PREFIX= /usr
NO_MTREE= yes
ETCSSH= /etc/ssh
USE_RCORDER= openssh
PLIST_SUB+= NOTBASE="@comment "
.else
ETCSSH= ${PREFIX}/etc/ssh
USE_RC_SUBR= openssh
PLIST_SUB+= NOTBASE=""
.endif
PLIST_SUB+= BASEPREFIX="${PREFIX}" # After all
SUB_LIST+= ETCSSH="${ETCSSH}"
CONFIGURE_ARGS+= --sysconfdir=${ETCSSH} --with-privsep-path=${EMPTYDIR}
.if !empty(CONFIGURE_LIBS)
CONFIGURE_ARGS+= --with-libs='${CONFIGURE_LIBS}'
.endif
RC_SCRIPT_NAME= openssh
post-patch:
@${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure
@${REINPLACE_CMD} \
-e 's|install: \(.*\) host-key check-config|install: \1|g' \
-e 's|-lpthread|${PTHREAD_LIBS}|' \
${WRKSRC}/Makefile.in
@${REINPLACE_CMD} -e 's|/usr/X11R6|${LOCALBASE}|' \
${WRKSRC}/pathnames.h ${WRKSRC}/sshd_config.5 \
${WRKSRC}/ssh_config.5
.if !${PORT_OPTIONS:MOVERWRITE_BASE}
@${REINPLACE_CMD} -e 's|%%PREFIX%%|${LOCALBASE}|' \
-e 's|%%RC_SCRIPT_NAME%%|${RC_SCRIPT_NAME}|' ${WRKSRC}/sshd.8
.endif
@${REINPLACE_CMD} -E -e 's|SSH_VERSION|TMP_SSH_VERSION|' \
-e 's|.*SSH_RELEASE.*||' ${WRKSRC}/version.h
@${ECHO_CMD} '#define FREEBSD_PORT_VERSION " FreeBSD-${PKGNAME}"' >> \
${WRKSRC}/version.h
@${ECHO_CMD} '#define SSH_VERSION TMP_SSH_VERSION SSH_PORTABLE FREEBSD_PORT_VERSION' >> \
${WRKSRC}/version.h
@${ECHO_CMD} '#define SSH_RELEASE TMP_SSH_VERSION SSH_PORTABLE FREEBSD_PORT_VERSION' >> \
${WRKSRC}/version.h
.if ${PORT_OPTIONS:MHPN}
@${REINPLACE_CMD} -e 's|TMP_SSH_VERSION SSH_PORTABLE|TMP_SSH_VERSION SSH_PORTABLE SSH_HPN|' \
${WRKSRC}/version.h
.endif
pre-install: # Workaround not running mtree BSD.root.dist on / since PREFIX=/usr
.if ${PORT_OPTIONS:MOVERWRITE_BASE}
${MKDIR} ${STAGEDIR}/etc/rc.d
.endif
post-install:
${MV} ${STAGEDIR}${ETCSSH}/ssh_config ${STAGEDIR}${ETCSSH}/ssh_config.sample
${MV} ${STAGEDIR}${ETCSSH}/sshd_config ${STAGEDIR}${ETCSSH}/sshd_config.sample
.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER}
${MKDIR} ${STAGEDIR}${DOCSDIR}
${INSTALL_DATA} ${WRKSRC}/HPN-README ${STAGEDIR}${DOCSDIR}
.endif
test: build
(cd ${WRKSRC}/regress && ${SETENV} OBJ=${WRKDIR} ${MAKE_ENV} TEST_SHELL=/bin/sh \
PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \
${MAKE} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS})
.include
Index: head/security/openssh-portable/distinfo
===================================================================
--- head/security/openssh-portable/distinfo (revision 374832)
+++ head/security/openssh-portable/distinfo (revision 374833)
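Review bot: The new `OPTIONS_DEFAULT` line near the top of the hunk turns on NONECIPHER, so the NONE-cipher option is now compiled into every default build, yet nothing in the Makefile says that this is only a compile-time capability. The extra-patch shipped alongside defaults `none_enabled` and `none_switch` to 0, so the cipher stays off unless `noneenabled`/`noneswitch` are set in a config file; a comment above the option such as `# NONECIPHER only compiles in the NONE cipher; noneenabled/noneswitch default to off` would make the impact of the default clear to packagers and admins. In the HPN block, the `+#PATCH_SITES+=` and `+#PATCH_SITE_SUBDIR+=` lines are commented-out code with no reason given; either drop them or add a one-line note on why the SourceForge site is bypassed (presumably the 6.7p1 hpnssh14v5 diff is only on the shatow mirror). With those lines disabled the `hpn` group is fetched solely from the plain-http `mirror.shatow.net` entry, so the integrity of that download rests entirely on the SHA256 pinned in the updated distinfo, which is worth stating in the same note.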
@@ -1,12 +1,12 @@
SHA256 (openssh-6.7p1.tar.gz) = b2f8394eae858dabbdef7dac10b99aec00c95462753e80342e530bbb6f725507
SIZE (openssh-6.7p1.tar.gz) = 1351367
-SHA256 (openssh-6.6.1p1-hpnssh14v2.diff.gz) = b7f5bd22f1c0bacd41fc4884aeb19bba460d548af875eeb6c857cb77bab53376
-SIZE (openssh-6.6.1p1-hpnssh14v2.diff.gz) = 24473
+SHA256 (openssh-6.7p1-hpnssh14v5.diff.gz) = 846ad51577de8308d60dbfaa58ba18d112d0732fdf21063ebc78407fc8e4a7b6
+SIZE (openssh-6.7p1-hpnssh14v5.diff.gz) = 24326
SHA256 (openssh-6.7p1+x509-8.2.diff.gz) = 85acfcd560b40d4533b82a4e3f443b7137b377868bab424dacdf00581c83240f
SIZE (openssh-6.7p1+x509-8.2.diff.gz) = 241798
SHA256 (openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz) = 9a361408269a542d28dae77320f30e94a44098acdbbbc552efb0bdeac6270dc8
SIZE (openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz) = 25825
SHA256 (openssh-lpk-6.3p1.patch.gz) = d2a8b7da7acebac2afc4d0a3dffe8fca2e49900cf733af2e7012f2449b3668e1
SIZE (openssh-lpk-6.3p1.patch.gz) = 17815
SHA256 (openssh-6.7p1-sctp-2496.patch.gz) = ec2b6aa8a6d65a2c11d4453a25294ae5082e7ed7c9f418ec081f750bfba022db
SIZE (openssh-6.7p1-sctp-2496.patch.gz) = 8052
Index: head/security/openssh-portable/files/extra-patch-hpn-build-options
===================================================================
--- head/security/openssh-portable/files/extra-patch-hpn-build-options (revision 374832)
+++ head/security/openssh-portable/files/extra-patch-hpn-build-options (revision 374833)
@@ -1,142 +1,142 @@
--- sshconnect2.c.orig 2013-10-11 08:52:17.836129741 -0500
+++ sshconnect2.c 2013-10-11 08:53:05.776132295 -0500
@@ -451,6 +451,7 @@ ssh_userauth2(const char *local_user, co
} } +#ifdef AES_THREADED /* if we are using aes-ctr there can be issues in either a fork or sandbox * so the initial aes-ctr is defined to point to the original single process * evp. After authentication we'll be past the fork and the sandboxed privsep 
@@ -466,6 +467,7 @@ ssh_userauth2(const char *local_user, co cipher_reset_multithreaded(); packet_request_rekeying(); } +#endif debug("Authentication succeeded (%s).", authctxt.method->name); } --- sshd.c.orig 2013-10-11 08:52:17.848126748 -0500 +++ sshd.c 2013-10-11 08:53:25.929132033 -0500 @@ -2186,6 +2186,7 @@ main(int ac, char **av) /* Start session. */ +#ifdef AES_THREADED /* if we are using aes-ctr there can be issues in either a fork or sandbox * so the initial aes-ctr is defined to point ot the original single process * evp. After authentication we'll be past the fork and the sandboxed privsep @@ -2201,6 +2202,7 @@ main(int ac, char **av) cipher_reset_multithreaded(); packet_request_rekeying(); } +#endif do_authenticated(authctxt); --- readconf.c.orig 2013-10-11 09:24:10.812126846 -0500 +++ readconf.c 2013-10-11 09:19:12.295135966 -0500 
@@ -268,12 +268,16 @@ static struct { - { "canonicalizehostname", oCanonicalizeHostname }, - { "canonicalizemaxdots", oCanonicalizeMaxDots }, { "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs }, + { "streamlocalbindmask", oStreamLocalBindMask }, + { "streamlocalbindunlink", oStreamLocalBindUnlink }, +#ifdef NONECIPHER { "noneenabled", oNoneEnabled }, { "noneswitch", oNoneSwitch }, +#endif +#ifdef HPN { "tcprcvbufpoll", oTcpRcvBufPoll }, { "tcprcvbuf", oTcpRcvBuf }, { "hpndisabled", oHPNDisabled }, { "hpnbuffersize", oHPNBufferSize }, +#endif { "ignoreunknown", oIgnoreUnknown }, { NULL, oBadOption } -@@ -1739,12 +1743,20 @@ fill_default_options(Options * options) +@@ -1819,12 +1823,20 @@ fill_default_options(Options * options) options->server_alive_interval = 0; if (options->server_alive_count_max == -1) options->server_alive_count_max = 3; +#ifdef NONECIPHER if (options->none_switch == -1) +#endif options->none_switch = 0; +#ifdef NONECIPHER if (options->none_enabled == -1) +#endif options->none_enabled = 0; +#ifdef HPN if (options->hpn_disabled == -1) options->hpn_disabled = 0; +#else + options->hpn_disabled = 1; +#endif if (options->hpn_buffer_size > -1) { /* if a user tries to set the size to 0 set it to 1KB */ --- servconf.c.orig 2013-10-11 09:24:44.734138483 -0500 +++ servconf.c 2013-10-11 09:25:50.777137928 -0500 @@ -303,10 +303,16 @@ } if (options->permit_tun == -1) options->permit_tun = SSH_TUNMODE_NO; +#ifdef NONECIPHER if (options->none_enabled == -1) +#endif options->none_enabled = 0; +#ifdef HPN if (options->hpn_disabled == -1) options->hpn_disabled = 0; +#else + options->hpn_disabled = 1; +#endif if (options->hpn_buffer_size == -1) { /* option not explicitly set. Now we have to figure out */ --- configure.ac.orig 2013-10-12 17:17:41.525139481 -0500 +++ configure.ac 2013-10-12 17:18:35.610130039 -0500 
@@ -3968,6 +3968,34 @@ ] ) # maildir +#check whether user wants HPN support +HPN_MSG="no" +AC_ARG_WITH(hpn, + [ --with-hpn Enable HPN support], + [ if test "x$withval" != "xno" ; then + AC_DEFINE(HPN,1,[Define if you want HPN support.]) + HPN_MSG="yes" + fi ] +) +#check whether user wants NONECIPHER support +NONECIPHER_MSG="no" +AC_ARG_WITH(nonecipher, + [ --with-nonecipher Enable NONECIPHER support], + [ if test "x$withval" != "xno" ; then + AC_DEFINE(NONECIPHER,1,[Define if you want NONECIPHER support.]) + NONECIPHER_MSG="yes" + fi ] +) +#check whether user wants AES_THREADED support +AES_THREADED_MSG="no" +AC_ARG_WITH(aes-threaded, + [ --with-aes-threaded Enable AES_THREADED support], + [ if test "x$withval" != "xno" ; then + AC_DEFINE(AES_THREADED,1,[Define if you want AES_THREADED support.]) + AES_THREADED_MSG="yes" + fi ] +) + if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test]) disable_ptmx_check=yes @@ -4636,6 +4664,9 @@ echo " BSD Auth support: $BSD_AUTH_MSG" echo " Random number source: $RAND_MSG" echo " Privsep sandbox style: $SANDBOX_STYLE" +echo " HPN support: $HPN_MSG" +echo " NONECIPHER support: $NONECIPHER_MSG" +echo " AES_THREADED support: $AES_THREADED_MSG" echo ""