Index: head/security/openssh-portable/Makefile
===================================================================
--- head/security/openssh-portable/Makefile (revision 468997)
+++ head/security/openssh-portable/Makefile (revision 468998)
@@ -1,217 +1,221 @@ # Created by: dwcjr@inethouston.net # $FreeBSD$ PORTNAME= openssh DISTVERSION= 7.7p1 -PORTREVISION= 1 +PORTREVISION= 2 PORTEPOCH= 1 CATEGORIES= security ipv6 MASTER_SITES= OPENBSD/OpenSSH/portable PKGNAMESUFFIX?= -portable MAINTAINER= bdrewery@FreeBSD.org COMMENT= The portable version of OpenBSD's OpenSSH #LICENSE= BSD2,BSD3,MIT,public domain,BSD-Style,BEER-WARE,"any purpose with notice intact",ISC-Style #LICENSE_FILE= ${WRKSRC}/LICENCE CONFLICTS?= openssh-3.* ssh-1.* ssh2-3.* openssh-portable-devel-* USES= alias autoreconf ncurses ssl GNU_CONFIGURE= yes CONFIGURE_ENV= ac_cv_func_strnvis=no CONFIGURE_ARGS= --prefix=${PREFIX} --with-md5-passwords \ --without-zlib-version-check --with-ssl-engine \ --with-mantype=man ETCOLD= ${PREFIX}/etc BROKEN_SSL= openssl-devel BROKEN_SSL_REASON_openssl-devel= error: OpenSSL >= 1.1.0 is not yet supported OPTIONS_DEFINE= PAM TCP_WRAPPERS LIBEDIT BSM \ HPN X509 KERB_GSSAPI \ - LDNS NONECIPHER + LDNS NONECIPHER XMSS OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS LDNS OPTIONS_RADIO= KERBEROS OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE TCP_WRAPPERS_DESC= tcp_wrappers support BSM_DESC= OpenBSM Auditing KERB_GSSAPI_DESC= Kerberos/GSSAPI patch (req: GSSAPI) HPN_DESC= HPN-SSH patch LDNS_DESC= SSHFP/LDNS support X509_DESC= x509 certificate patch HEIMDAL_DESC= Heimdal Kerberos (security/heimdal) HEIMDAL_BASE_DESC= Heimdal Kerberos (base) MIT_DESC= MIT Kerberos (security/krb5) NONECIPHER_DESC= NONE Cipher support +XMSS_DESC= XMSS key support (experimental) OPTIONS_SUB= yes TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers LDNS_CONFIGURE_WITH= ldns=${LOCALBASE} LDNS_LIB_DEPENDS= libldns.so:dns/ldns LDNS_EXTRA_PATCHES= ${FILESDIR}/extra-patch-ldns LDNS_CFLAGS= -I${LOCALBASE}/include LDNS_CONFIGURE_ON= --with-ldflags='-L${LOCALBASE}/lib' # http://www.psc.edu/index.php/hpn-ssh HPN_CONFIGURE_WITH= hpn NONECIPHER_CONFIGURE_WITH= nonecipher # See http://www.roumenpetrov.info/openssh/ X509_VERSION= 11.3 
X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509 X509_EXTRA_PATCHES+= ${FILESDIR}/extra-patch-x509-glue X509_PATCHFILES= ${PORTNAME}-7.7p1+x509-${X509_VERSION}.diff.gz:-p1:x509 MIT_LIB_DEPENDS= libkrb5.so.3:security/krb5 HEIMDAL_LIB_DEPENDS= libkrb5.so.26:security/heimdal PAM_CONFIGURE_WITH= pam TCP_WRAPPERS_CONFIGURE_WITH= tcp-wrappers LIBEDIT_CONFIGURE_WITH= libedit LIBEDIT_USES= libedit BSM_CONFIGURE_ON= --with-audit=bsm ETCDIR?= ${PREFIX}/etc/ssh .include PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn,gsskex # X509 patch includes TCP Wrapper support already .if ${PORT_OPTIONS:MX509} EXTRA_PATCHES:= ${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA_PATCHES}} .endif # Must add this patch before HPN due to conflicts .if ${PORT_OPTIONS:MKERB_GSSAPI} #BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet. # Patch from: # https://sources.debian.org/data/main/o/openssh/1:7.7p1-2/debian/patches/gssapi.patch # which was originally based on 5.7 patch from # http://www.sxw.org.uk/computing/patches/ # It is mirrored simply to apply gzip -9. . if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} # Needed glue for applying HPN patch without conflict EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue . 
endif PATCHFILES+= openssh-7.7p1-gsskex-all-20141021-debian-rh-20171004.patch.gz:-p1:gsskex .endif # http://www.psc.edu/index.php/hpn-ssh https://github.com/rapier1/hpn-ssh https://github.com/rapier1/openssh-portable .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} BROKEN= HPN: Not yet updated for ${DISTVERSION} and disabled in base PORTDOCS+= HPN-README HPN_VERSION= 14v5 HPN_DISTVERSION= 6.7p1 #PATCH_SITES+= SOURCEFORGE/hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn #PATCHFILES+= ${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn:-p2 .elif !${PORT_OPTIONS:MHPN} && !${PORT_OPTIONS:MNONECIPHER} # Apply compatibility patch EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-compat .endif CONFIGURE_LIBS+= -lutil CONFIGURE_ARGS+= --disable-utmp --disable-wtmp --disable-wtmpx --without-lastlog # Keep this last EXTRA_PATCHES+= ${FILESDIR}/extra-patch-version-addendum .if ${PORT_OPTIONS:MX509} . if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} BROKEN= X509 patch and HPN patch do not apply cleanly together . endif . if ${PORT_OPTIONS:MKERB_GSSAPI} BROKEN= X509 patch incompatible with KERB_GSSAPI patch . endif .endif .if ${PORT_OPTIONS:MHEIMDAL_BASE} && ${PORT_OPTIONS:MKERB_GSSAPI} BROKEN= KERB_GSSAPI Requires either MIT or HEMIDAL, does not build with base Heimdal currently .endif .if ${PORT_OPTIONS:MHEIMDAL_BASE} && !exists(/usr/lib/libkrb5.so) IGNORE= you have selected HEIMDAL_BASE but do not have heimdal installed in base .endif .if ${PORT_OPTIONS:MMIT} || ${PORT_OPTIONS:MHEIMDAL} || ${PORT_OPTIONS:MHEIMDAL_BASE} . if ${PORT_OPTIONS:MHEIMDAL_BASE} CONFIGURE_LIBS+= -lgssapi_krb5 CONFIGURE_ARGS+= --with-kerberos5=/usr . else CONFIGURE_ARGS+= --with-kerberos5=${LOCALBASE} . endif . if ${OPENSSLBASE} == "/usr" CONFIGURE_ARGS+= --without-rpath LDFLAGS= # empty . endif .else . if ${PORT_OPTIONS:MKERB_GSSAPI} IGNORE= KERB_GSSAPI requires one of MIT HEIMDAL or HEIMDAL_BASE . 
endif .endif .if ${OPENSSLBASE} != "/usr" CONFIGURE_ARGS+= --with-ssl-dir=${OPENSSLBASE} .endif EMPTYDIR= /var/empty USE_RC_SUBR= openssh # After all CONFIGURE_ARGS+= --sysconfdir=${ETCDIR} --with-privsep-path=${EMPTYDIR} .if !empty(CONFIGURE_LIBS) CONFIGURE_ARGS+= --with-libs='${CONFIGURE_LIBS}' .endif CONFIGURE_ARGS+= --with-xauth=${LOCALBASE}/bin/xauth RC_SCRIPT_NAME= openssh VERSION_ADDENDUM_DEFAULT?= ${OPSYS}-${PKGNAME} post-patch: @${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure @${REINPLACE_CMD} \ -e 's|install: \(.*\) host-key check-config|install: \1|g' \ ${WRKSRC}/Makefile.in @${REINPLACE_CMD} -e 's|%%PREFIX%%|${LOCALBASE}|' \ -e 's|%%RC_SCRIPT_NAME%%|${RC_SCRIPT_NAME}|' ${WRKSRC}/sshd.8 @${REINPLACE_CMD} \ -e 's|\(VersionAddendum\) none|\1 ${VERSION_ADDENDUM_DEFAULT}|' \ ${WRKSRC}/sshd_config @${REINPLACE_CMD} \ -e 's|%%SSH_VERSION_FREEBSD_PORT%%|${VERSION_ADDENDUM_DEFAULT}|' \ ${WRKSRC}/sshd_config.5 @${ECHO_CMD} '#define SSH_VERSION_FREEBSD_PORT "${VERSION_ADDENDUM_DEFAULT}"' >> \ ${WRKSRC}/version.h + +post-configure-XMSS-on: + @${ECHO_CMD} "#define WITH_XMSS 1" >> ${WRKSRC}/config.h post-install: ${MV} ${STAGEDIR}${ETCDIR}/ssh_config \ ${STAGEDIR}${ETCDIR}//ssh_config.sample ${MV} ${STAGEDIR}${ETCDIR}/sshd_config \ ${STAGEDIR}${ETCDIR}/sshd_config.sample .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} ${MKDIR} ${STAGEDIR}${DOCSDIR} ${INSTALL_DATA} ${WRKSRC}/HPN-README ${STAGEDIR}${DOCSDIR} .endif test: build cd ${WRKSRC} && ${SETENV} -i \ OBJ=${WRKDIR} ${MAKE_ENV} \ TEST_SHELL=${SH} \ SUDO="${SUDO}" \ LOGNAME="${LOGNAME}" \ TEST_SSH_TRACE=yes \ PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \ ${MAKE_CMD} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} tests .include Index: head/security/openssh-portable/files/patch-341727df910e12e26ef161508ed76d91c40a61eb =================================================================== --- head/security/openssh-portable/files/patch-341727df910e12e26ef161508ed76d91c40a61eb (nonexistent) +++ 
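Review bot: The new `post-configure-XMSS-on` target in the Makefile hunk appends `#define WITH_XMSS 1` to config.h without a comment saying why the option is wired in after configure rather than through CONFIGURE_ARGS or CFLAGS. If the reason is that upstream's configure offers no XMSS switch, record it above the target, e.g. `# No configure knob for XMSS; define it in the generated config.h.` XMSS signing keys are stateful, so XMSS_DESC or the package message could also warn that a private key must not be restored from backup or copied between hosts, because reusing signature state breaks the scheme's security.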
head/security/openssh-portable/files/patch-341727df910e12e26ef161508ed76d91c40a61eb (revision 468998) 
@@ -0,0 +1,35 @@
+From 341727df910e12e26ef161508ed76d91c40a61eb Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org"
+Date: Mon, 9 Apr 2018 23:54:49 +0000
+Subject: [PATCH] upstream: don't kill ssh-agent's listening socket entriely if
+ we
+
+fail to accept a connection; bz#2837, patch from Lukas Kuster
+
+OpenBSD-Commit-ID: 52413f5069179bebf30d38f524afe1a2133c738f
+---
+ ssh-agent.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git ssh-agent.c ssh-agent.c
+index 2a4578b03..68de56ce6 100644
+--- ssh-agent.c
++++ ssh-agent.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: ssh-agent.c,v 1.228 2018/02/23 15:58:37 markus Exp $ */
++/* $OpenBSD: ssh-agent.c,v 1.229 2018/04/09 23:54:49 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen
+ * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
+@@ -909,9 +909,8 @@ after_poll(struct pollfd *pfd, size_t npfd)
+ /* Process events */
+ switch (sockets[socknum].type) {
+ case AUTH_SOCKET:
+- if ((pfd[i].revents & (POLLIN|POLLERR)) != 0 &&
+- handle_socket_read(socknum) != 0)
+- close_socket(&sockets[socknum]);
++ if ((pfd[i].revents & (POLLIN|POLLERR)) != 0)
++ handle_socket_read(socknum);
+ break;
+ case AUTH_CONNECTION:
+ if ((pfd[i].revents & (POLLIN|POLLERR)) != 0 &&
Property changes on: head/security/openssh-portable/files/patch-341727df910e12e26ef161508ed76d91c40a61eb
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: head/security/openssh-portable/files/patch-85fe48fd49f2e81fa30902841b362cfbb7f1933b
===================================================================
--- head/security/openssh-portable/files/patch-85fe48fd49f2e81fa30902841b362cfbb7f1933b (nonexistent)
+++ head/security/openssh-portable/files/patch-85fe48fd49f2e81fa30902841b362cfbb7f1933b (revision 468998)
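Review bot: In the ssh-agent.c patch (patch-341727df…), the AUTH_SOCKET case of after_poll() now discards the return value of `handle_socket_read(socknum)` with nothing to say this is deliberate, so a later reader may take it for an oversight and restore the close. A short comment such as `/* a failed accept must not close the listening socket */` together with an explicit `(void)` cast would record the intent. Only part of after_poll() is shown, and whether handle_socket_read() logs the failure itself cannot be confirmed from here.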
@@ -0,0 +1,24 @@
+From 85fe48fd49f2e81fa30902841b362cfbb7f1933b Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org"
+Date: Sat, 14 Apr 2018 21:50:41 +0000
+Subject: [PATCH] upstream: don't free the %C expansion, it's used later for
+
+LocalCommand
+
+OpenBSD-Commit-ID: 857b5cb37b2d856bfdfce61289a415257a487fb1
+---
+ ssh.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git ssh.c ssh.c
+index d3619fe29..9c011dd7e 100644
+--- ssh.c
++++ ssh.c
+@@ -1323,7 +1323,6 @@ main(int ac, char **av)
+ (char *)NULL);
+ free(cp);
+ }
+- free(conn_hash_hex);
+
+ if (config_test) {
+ dump_client_config(&options, host);
Property changes on: head/security/openssh-portable/files/patch-85fe48fd49f2e81fa30902841b362cfbb7f1933b
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: head/security/openssh-portable/files/patch-868afa68469de50d8a43e5daf867d7c624a34d20
===================================================================
--- head/security/openssh-portable/files/patch-868afa68469de50d8a43e5daf867d7c624a34d20 (nonexistent)
+++ head/security/openssh-portable/files/patch-868afa68469de50d8a43e5daf867d7c624a34d20 (revision 468998)
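Review bot: In the ssh.c patch (patch-85fe48fd…), removing `free(conn_hash_hex)` from main() leaves nothing at that spot to explain why the buffer must stay alive, which invites the free being put back and the use-after-free returning. A comment where the line stood would guard against that, e.g. `/* conn_hash_hex (%C) is reused for LocalCommand; do not free here */`. The hunk does not show where, or whether, the buffer is released later; main() continues outside it.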
@@ -0,0 +1,36 @@
+From 868afa68469de50d8a43e5daf867d7c624a34d20 Mon Sep 17 00:00:00 2001
+From: "djm@openbsd.org"
+Date: Mon, 16 Apr 2018 22:50:44 +0000
+Subject: [PATCH] upstream: Disable SSH2_MSG_DEBUG messages for Twisted Conch
+ clients
+
+without version numbers since they choke on them under some circumstances.
+https://twistedmatrix.com/trac/ticket/9422 via Colin Watson
+
+Newer Conch versions have a version number in their ident string and
+handle debug messages okay. https://twistedmatrix.com/trac/ticket/9424
+
+OpenBSD-Commit-ID: 6cf7be262af0419c58ddae11324d9c0dc1577539
+---
+ compat.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git compat.c compat.c
+index 861e9e21f..1c0e08732 100644
+--- compat.c
++++ compat.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: compat.c,v 1.106 2018/02/16 04:43:11 dtucker Exp $ */
++/* $OpenBSD: compat.c,v 1.107 2018/04/16 22:50:44 djm Exp $ */
+ /*
+ * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
+ *
+@@ -128,6 +128,8 @@ compat_datafellows(const char *version)
+ SSH_OLD_DHGEX },
+ { "ConfD-*",
+ SSH_BUG_UTF8TTYMODE },
++ { "Twisted_*", 0 },
++ { "Twisted*", SSH_BUG_DEBUG },
+ { NULL, 0 }
+ };
+
Property changes on: head/security/openssh-portable/files/patch-868afa68469de50d8a43e5daf867d7c624a34d20
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: head/security/openssh-portable/files/patch-b81b2d120e9c8a83489e241620843687758925ad
===================================================================
--- head/security/openssh-portable/files/patch-b81b2d120e9c8a83489e241620843687758925ad (nonexistent)
+++ head/security/openssh-portable/files/patch-b81b2d120e9c8a83489e241620843687758925ad (revision 468998)
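Review bot: In the compat.c patch (patch-868afa68…), the two entries added to the table in compat_datafellows() depend on their order, and nothing in the code says so. `Twisted_*` with flags 0 has to be tried before the broader `Twisted*`, otherwise versioned Conch clients would also be given SSH_BUG_DEBUG. That holds only if the table is scanned first-match-wins, which the loop outside this hunk presumably does. A comment on the first entry, e.g. `/* must precede "Twisted*": versioned Conch handles debug messages */`, would keep a later reorder or insertion from silently breaking it.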
@@ -0,0 +1,32 @@
+From b81b2d120e9c8a83489e241620843687758925ad Mon Sep 17 00:00:00 2001
+From: Damien Miller
+Date: Fri, 13 Apr 2018 13:38:06 +1000
+Subject: [PATCH] Fix tunnel forwarding broken in 7.7p1
+
+bz2855, ok dtucker@
+---
+ openbsd-compat/port-net.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git openbsd-compat/port-net.c openbsd-compat/port-net.c
+index 7050629c3..bb535626f 100644
+--- openbsd-compat/port-net.c
++++ openbsd-compat/port-net.c
+@@ -185,7 +185,7 @@ sys_tun_open(int tun, int mode, char **ifname)
+ else
+ debug("%s: %s mode %d fd %d", __func__, ifr.ifr_name, mode, fd);
+
+- if (ifname != NULL && (*ifname = strdup(ifr.ifr_name)))
++ if (ifname != NULL && (*ifname = strdup(ifr.ifr_name)) == NULL)
+ goto failed;
+
+ return (fd);
+@@ -272,7 +272,7 @@ sys_tun_open(int tun, int mode, char **ifname)
+ goto failed;
+ }
+
+- if (ifname != NULL && (*ifname = strdup(ifr.ifr_name)))
++ if (ifname != NULL && (*ifname = strdup(ifr.ifr_name)) == NULL)
+ goto failed;
+
+ close(sock);
Property changes on: head/security/openssh-portable/files/patch-b81b2d120e9c8a83489e241620843687758925ad
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: head/security/openssh-portable/files/patch-f5baa36ba79a6e8c534fb4e0a00f2614ccc42ea6
===================================================================
--- head/security/openssh-portable/files/patch-f5baa36ba79a6e8c534fb4e0a00f2614ccc42ea6 (nonexistent)
+++ head/security/openssh-portable/files/patch-f5baa36ba79a6e8c534fb4e0a00f2614ccc42ea6 (revision 468998)
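Review bot: In the port-net.c patch (patch-b81b2d12…), both corrected lines in the two sys_tun_open() hunks (at -185 and -272) still assign inside the condition, the form that hid the inverted NULL test in the first place. Doing the copy as its own statement under `if (ifname != NULL)` and testing `*ifname == NULL` on the next line would make the failure check hard to get wrong again. The `failed` label lies outside both hunks, so whether it closes the already-open descriptor on this path cannot be confirmed from here.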
@@ -0,0 +1,24 @@
+From f5baa36ba79a6e8c534fb4e0a00f2614ccc42ea6 Mon Sep 17 00:00:00 2001
+From: Darren Tucker
+Date: Thu, 19 Apr 2018 09:53:14 +1000
+Subject: [PATCH] Omit 3des-cbc if OpenSSL built without DES.
+
+Patch from hongxu.jia at windriver.com, ok djm@
+---
+ cipher.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git cipher.c cipher.c
+index 578763616..a72682a82 100644
+--- cipher.c
++++ cipher.c
+@@ -82,7 +82,9 @@ struct sshcipher {
+
+ static const struct sshcipher ciphers[] = {
+ #ifdef WITH_OPENSSL
++#ifndef OPENSSL_NO_DES
+ { "3des-cbc", 8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc },
++#endif
+ { "aes128-cbc", 16, 16, 0, 0, CFLAG_CBC, EVP_aes_128_cbc },
+ { "aes192-cbc", 16, 24, 0, 0, CFLAG_CBC, EVP_aes_192_cbc },
+ { "aes256-cbc", 16, 32, 0, 0, CFLAG_CBC, EVP_aes_256_cbc },
Property changes on: head/security/openssh-portable/files/patch-f5baa36ba79a6e8c534fb4e0a00f2614ccc42ea6
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property