Index: head/security/openssh-portable/Makefile
===================================================================
--- head/security/openssh-portable/Makefile	(revision 473411)
+++ head/security/openssh-portable/Makefile	(revision 473412)
@@ -1,221 +1,221 @@
 # Created by: dwcjr@inethouston.net
 # $FreeBSD$
 
 PORTNAME=	openssh
 DISTVERSION=	7.7p1
-PORTREVISION=	3
+PORTREVISION=	4
 PORTEPOCH=	1
 CATEGORIES=	security ipv6
 MASTER_SITES=	OPENBSD/OpenSSH/portable
 PKGNAMESUFFIX?=	-portable
 
 MAINTAINER=	bdrewery@FreeBSD.org
 COMMENT=	The portable version of OpenBSD's OpenSSH
 
 #LICENSE=      BSD2,BSD3,MIT,public domain,BSD-Style,BEER-WARE,"any purpose with notice intact",ISC-Style
 #LICENSE_FILE= ${WRKSRC}/LICENCE
 
 CONFLICTS?=		openssh-3.* ssh-1.* ssh2-3.* openssh-portable-devel-*
 
 USES=			alias autoreconf ncurses ssl
 GNU_CONFIGURE=		yes
 CONFIGURE_ENV=		ac_cv_func_strnvis=no
 CONFIGURE_ARGS=		--prefix=${PREFIX} --with-md5-passwords \
 			--without-zlib-version-check --with-ssl-engine \
 			--with-mantype=man
 
 ETCOLD=			${PREFIX}/etc
 
 BROKEN_SSL=	openssl-devel
 BROKEN_SSL_REASON_openssl-devel=	error: OpenSSL >= 1.1.0 is not yet supported
 
 OPTIONS_DEFINE=		PAM TCP_WRAPPERS LIBEDIT BSM \
 			HPN X509 KERB_GSSAPI \
 			LDNS NONECIPHER XMSS
 OPTIONS_DEFAULT=	LIBEDIT PAM TCP_WRAPPERS LDNS
 OPTIONS_RADIO=		KERBEROS
 OPTIONS_RADIO_KERBEROS=	MIT HEIMDAL HEIMDAL_BASE
 TCP_WRAPPERS_DESC=	tcp_wrappers support
 BSM_DESC=		OpenBSM Auditing
 KERB_GSSAPI_DESC=	Kerberos/GSSAPI patch (req: GSSAPI)
 HPN_DESC=		HPN-SSH patch
 LDNS_DESC=		SSHFP/LDNS support
 X509_DESC=		x509 certificate patch
 HEIMDAL_DESC=		Heimdal Kerberos (security/heimdal)
 HEIMDAL_BASE_DESC=	Heimdal Kerberos (base)
 MIT_DESC=		MIT Kerberos (security/krb5)
 NONECIPHER_DESC=	NONE Cipher support
 XMSS_DESC=		XMSS key support (experimental)
 
 OPTIONS_SUB=		yes
 
 TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers
 
 LDNS_CONFIGURE_WITH=	ldns=${LOCALBASE}
 LDNS_LIB_DEPENDS=	libldns.so:dns/ldns
 LDNS_EXTRA_PATCHES=	${FILESDIR}/extra-patch-ldns
 LDNS_CFLAGS=		-I${LOCALBASE}/include
 LDNS_CONFIGURE_ON=	--with-ldflags='-L${LOCALBASE}/lib'
 
 # http://www.psc.edu/index.php/hpn-ssh
 HPN_CONFIGURE_WITH=		hpn
 NONECIPHER_CONFIGURE_WITH=	nonecipher
 
 # See http://www.roumenpetrov.info/openssh/
-X509_VERSION=		11.3
+X509_VERSION=		11.3.2
 X509_PATCH_SITES=	http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509
 X509_EXTRA_PATCHES+=	${FILESDIR}/extra-patch-x509-glue
 X509_PATCHFILES=	${PORTNAME}-7.7p1+x509-${X509_VERSION}.diff.gz:-p1:x509
 
 MIT_LIB_DEPENDS=		libkrb5.so.3:security/krb5
 HEIMDAL_LIB_DEPENDS=		libkrb5.so.26:security/heimdal
 
 PAM_CONFIGURE_WITH=	pam
 TCP_WRAPPERS_CONFIGURE_WITH=	tcp-wrappers
 
 LIBEDIT_CONFIGURE_WITH=	libedit
 LIBEDIT_USES=		libedit
 BSM_CONFIGURE_ON=	--with-audit=bsm
 
 ETCDIR?=		${PREFIX}/etc/ssh
 
 .include <bsd.port.pre.mk>
 
 PATCH_SITES+=		http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn,gsskex
 
 # X509 patch includes TCP Wrapper support already
 .if ${PORT_OPTIONS:MX509}
 EXTRA_PATCHES:=		${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA_PATCHES}}
 .endif
 
 # Must add this patch before HPN due to conflicts
 .if ${PORT_OPTIONS:MKERB_GSSAPI}
 #BROKEN=	KERB_GSSAPI No patch for ${DISTVERSION} yet.
 # Patch from:
 # https://sources.debian.org/data/main/o/openssh/1:7.7p1-2/debian/patches/gssapi.patch
 # which was originally based on 5.7 patch from
 # http://www.sxw.org.uk/computing/patches/
 # It is mirrored simply to apply gzip -9.
 .  if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
 # Needed glue for applying HPN patch without conflict
 EXTRA_PATCHES+=	${FILESDIR}/extra-patch-hpn-gss-glue
 .  endif
 PATCHFILES+=	openssh-7.7p1-gsskex-all-20141021-debian-rh-20171004.patch.gz:-p1:gsskex
 .endif
 
 # http://www.psc.edu/index.php/hpn-ssh https://github.com/rapier1/hpn-ssh https://github.com/rapier1/openssh-portable
 .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
 BROKEN=			HPN: Not yet updated for ${DISTVERSION} and disabled in base
 PORTDOCS+=		HPN-README
 HPN_VERSION=		14v5
 HPN_DISTVERSION=	6.7p1
 #PATCH_SITES+=		SOURCEFORGE/hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn
 #PATCHFILES+=		${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn
 EXTRA_PATCHES+=		${FILESDIR}/extra-patch-hpn:-p2
 .elif !${PORT_OPTIONS:MHPN} && !${PORT_OPTIONS:MNONECIPHER}
 # Apply compatibility patch
 EXTRA_PATCHES+=		${FILESDIR}/extra-patch-hpn-compat
 .endif
 
 CONFIGURE_LIBS+=	-lutil
 
 CONFIGURE_ARGS+=	--disable-utmp --disable-wtmp --disable-wtmpx --without-lastlog
 
 # Keep this last
 EXTRA_PATCHES+=		${FILESDIR}/extra-patch-version-addendum
 
 .if ${PORT_OPTIONS:MX509}
 .  if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
 BROKEN=		X509 patch and HPN patch do not apply cleanly together
 .  endif
 
 .  if ${PORT_OPTIONS:MKERB_GSSAPI}
 BROKEN=		X509 patch incompatible with KERB_GSSAPI patch
 .  endif
 
 .endif
 
 .if ${PORT_OPTIONS:MHEIMDAL_BASE} && ${PORT_OPTIONS:MKERB_GSSAPI}
 BROKEN=		KERB_GSSAPI Requires either MIT or HEMIDAL, does not build with base Heimdal currently
 .endif
 
 .if ${PORT_OPTIONS:MHEIMDAL_BASE} && !exists(/usr/lib/libkrb5.so)
 IGNORE=		you have selected HEIMDAL_BASE but do not have heimdal installed in base
 .endif
 
 .if ${PORT_OPTIONS:MMIT} || ${PORT_OPTIONS:MHEIMDAL} || ${PORT_OPTIONS:MHEIMDAL_BASE}
 .	if ${PORT_OPTIONS:MHEIMDAL_BASE}
 CONFIGURE_LIBS+=	-lgssapi_krb5
 CONFIGURE_ARGS+=	--with-kerberos5=/usr
 .	else
 CONFIGURE_ARGS+=	--with-kerberos5=${LOCALBASE}
 .	endif
 .	if ${OPENSSLBASE} == "/usr"
 CONFIGURE_ARGS+=	--without-rpath
 LDFLAGS=		# empty
 .	endif
 .else
 .	if ${PORT_OPTIONS:MKERB_GSSAPI}
 IGNORE=	KERB_GSSAPI requires one of MIT HEIMDAL or HEIMDAL_BASE
 .	endif
 .endif
 
 .if ${OPENSSLBASE} != "/usr"
 CONFIGURE_ARGS+=	--with-ssl-dir=${OPENSSLBASE}
 .endif
 
 EMPTYDIR=		/var/empty
 
 USE_RC_SUBR=		openssh
 
 # After all
 CONFIGURE_ARGS+=	--sysconfdir=${ETCDIR} --with-privsep-path=${EMPTYDIR}
 .if !empty(CONFIGURE_LIBS)
 CONFIGURE_ARGS+=	--with-libs='${CONFIGURE_LIBS}'
 .endif
 
 CONFIGURE_ARGS+=	--with-xauth=${LOCALBASE}/bin/xauth
 
 RC_SCRIPT_NAME=		openssh
 VERSION_ADDENDUM_DEFAULT?=	${OPSYS}-${PKGNAME}
 
 post-patch:
 	@${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure
 	@${REINPLACE_CMD} \
 	    -e 's|install: \(.*\) host-key check-config|install: \1|g' \
 	    ${WRKSRC}/Makefile.in
 	@${REINPLACE_CMD} -e 's|%%PREFIX%%|${LOCALBASE}|' \
 		-e 's|%%RC_SCRIPT_NAME%%|${RC_SCRIPT_NAME}|' ${WRKSRC}/sshd.8
 	@${REINPLACE_CMD} \
 	    -e 's|\(VersionAddendum\) none|\1 ${VERSION_ADDENDUM_DEFAULT}|' \
 	    ${WRKSRC}/sshd_config
 	@${REINPLACE_CMD} \
 	    -e 's|%%SSH_VERSION_FREEBSD_PORT%%|${VERSION_ADDENDUM_DEFAULT}|' \
 	    ${WRKSRC}/sshd_config.5
 	@${ECHO_CMD} '#define SSH_VERSION_FREEBSD_PORT	"${VERSION_ADDENDUM_DEFAULT}"' >> \
 		${WRKSRC}/version.h
 
 post-configure-XMSS-on:
 	@${ECHO_CMD} "#define WITH_XMSS 1" >> ${WRKSRC}/config.h
 
 post-install:
 	${MV} ${STAGEDIR}${ETCDIR}/ssh_config \
 	    ${STAGEDIR}${ETCDIR}//ssh_config.sample
 	${MV} ${STAGEDIR}${ETCDIR}/sshd_config \
 	    ${STAGEDIR}${ETCDIR}/sshd_config.sample
 .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
 	${MKDIR} ${STAGEDIR}${DOCSDIR}
 	${INSTALL_DATA} ${WRKSRC}/HPN-README ${STAGEDIR}${DOCSDIR}
 .endif
 
 test: build
 	cd ${WRKSRC} && ${SETENV} -i \
 		OBJ=${WRKDIR} ${MAKE_ENV} \
 		TEST_SHELL=${SH} \
 		SUDO="${SUDO}" \
 		LOGNAME="${LOGNAME}" \
 		TEST_SSH_TRACE=yes \
 		PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \
 		${MAKE_CMD} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} tests
 
 .include <bsd.port.post.mk>
Index: head/security/openssh-portable/distinfo
===================================================================
--- head/security/openssh-portable/distinfo	(revision 473411)
+++ head/security/openssh-portable/distinfo	(revision 473412)
@@ -1,7 +1,7 @@
 TIMESTAMP = 1524589531
 SHA256 (openssh-7.7p1.tar.gz) = d73be7e684e99efcd024be15a30bffcbe41b012b2f7b3c9084aed621775e6b8f
 SIZE (openssh-7.7p1.tar.gz) = 1536900
-SHA256 (openssh-7.7p1+x509-11.3.diff.gz) = 57be0d0028863f1f690b8b4ccae7583c0f8dd8ed2c688a912b25832bf7f9b185
-SIZE (openssh-7.7p1+x509-11.3.diff.gz) = 488467
+SHA256 (openssh-7.7p1+x509-11.3.2.diff.gz) = f0549007b2bdb99c41d83e622b6504365a3fa0a5ac22e3d0755c89cb0e29a02f
+SIZE (openssh-7.7p1+x509-11.3.2.diff.gz) = 492142
 SHA256 (openssh-7.7p1-gsskex-all-20141021-debian-rh-20171004.patch.gz) = c58f10ed5d9550e6e4ac09898a1aa131321e69c4d65a742ab95d357b35576ef4
 SIZE (openssh-7.7p1-gsskex-all-20141021-debian-rh-20171004.patch.gz) = 27251
Index: head/security/openssh-portable/files/extra-patch-x509-glue
===================================================================
--- head/security/openssh-portable/files/extra-patch-x509-glue	(revision 473411)
+++ head/security/openssh-portable/files/extra-patch-x509-glue	(revision 473412)
@@ -1,157 +1,191 @@
 --- session.c.orig	2017-10-12 11:52:52.953370000 -0700
 +++ session.c	2017-10-12 11:53:40.793055000 -0700
 @@ -1062,36 +1062,6 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
  	if (getenv("TZ"))
  		child_set_env(&env, &envsize, "TZ", getenv("TZ"));
  
 -#ifdef __ANDROID__
 -{
 -#define COPY_ANDROID_ENV(name)	{			\
 -	char *s = getenv(name);				\
 -	if (s)	child_set_env(&env, &envsize, name, s); }
 -
 -	/* from /init.rc */
 -	COPY_ANDROID_ENV("ANDROID_BOOTLOGO");
 -	COPY_ANDROID_ENV("ANDROID_ROOT");
 -	COPY_ANDROID_ENV("ANDROID_ASSETS");
 -	COPY_ANDROID_ENV("ANDROID_DATA");
 -	COPY_ANDROID_ENV("ASEC_MOUNTPOINT");
 -	COPY_ANDROID_ENV("LOOP_MOUNTPOINT");
 -	COPY_ANDROID_ENV("BOOTCLASSPATH");
 -
 -	/* FIXME: keep android property workspace open
 -	 * (see openbsd-compat/bsd-closefrom.c)
 -	 */
 -	COPY_ANDROID_ENV("ANDROID_PROPERTY_WORKSPACE");
 -
 -	COPY_ANDROID_ENV("EXTERNAL_STORAGE");		/* ??? */
 -	COPY_ANDROID_ENV("SECONDARY_STORAGE");		/* ??? */
 -	COPY_ANDROID_ENV("SD_EXT_DIRECTORY");		/* ??? */
 -
 -	/* may contain path to custom libraries */
 -	COPY_ANDROID_ENV("LD_LIBRARY_PATH");
 -#undef COPY_ANDROID_ENV
 -}
 -#endif
 -
  	/* Set custom environment options from pubkey authentication. */
  	if (options.permit_user_env) {
  		for (n = 0 ; n < auth_opts->nenv; n++) {
 --- sshd_config.5.orig	2017-10-12 11:51:06.638814000 -0700
 +++ sshd_config.5	2017-10-12 11:51:33.780459000 -0700
 @@ -1682,7 +1682,57 @@ is set to
  then the pre-authentication unprivileged process is subject to additional
  restrictions.
  The default is
 -.Cm sandbox .
 +.Cm no .
 +.It Cm VersionAddendum
 +Optionally specifies additional text to append to the SSH protocol banner
 +sent by the server upon connection.
 +The default is
 +.Cm none .
 +.It Cm X11DisplayOffset
 +Specifies the first display number available for
 +.Xr sshd 8 Ns 's
 +X11 forwarding.
 +This prevents sshd from interfering with real X11 servers.
 +The default is 10.
 +.It Cm X11Forwarding
 +Specifies whether X11 forwarding is permitted.
 +The argument must be
 +.Cm yes
 +or
 +.Cm no .
 +The default is
 +.Cm no .
 +.Pp
 +When X11 forwarding is enabled, there may be additional exposure to
 +the server and to client displays if the
 +.Xr sshd 8
 +proxy display is configured to listen on the wildcard address (see
 +.Cm X11UseLocalhost ) ,
 +though this is not the default.
 +Additionally, the authentication spoofing and authentication data
 +verification and substitution occur on the client side.
 +The security risk of using X11 forwarding is that the client's X11
 +display server may be exposed to attack when the SSH client requests
 +forwarding (see the warnings for
 +.Cm ForwardX11
 +in
 +.Xr ssh_config 5 ) .
 +A system administrator may have a stance in which they want to
 +protect clients that may expose themselves to attack by unwittingly
 +requesting X11 forwarding, which can warrant a
 +.Cm no
 +setting.
 +.Pp
 +Note that disabling X11 forwarding does not prevent users from
 +forwarding X11 traffic, as users can always install their own forwarders.
 +.It Cm X11UseLocalhost
 +Specifies whether
 +.Xr sshd 8
 +should bind the X11 forwarding server to the loopback address or to
 +the wildcard address.
 +By default,
 +sshd binds the forwarding server to the loopback address and sets the
 +hostname part of the
  .It Cm VACertificateFile
  File with X.509 certificates in PEM format concatenated together.
  In use when
 @@ -1735,56 +1785,6 @@ URL of the OCSP provider. In use when
  .Cm VAType
  is set to
  .Cm ocspspec .
 -.It Cm VersionAddendum
 -Optionally specifies additional text to append to the SSH protocol banner
 -sent by the server upon connection.
 -The default is
 -.Cm none .
 -.It Cm X11DisplayOffset
 -Specifies the first display number available for
 -.Xr sshd 8 Ns 's
 -X11 forwarding.
 -This prevents sshd from interfering with real X11 servers.
 -The default is 10.
 -.It Cm X11Forwarding
 -Specifies whether X11 forwarding is permitted.
 -The argument must be
 -.Cm yes
 -or
 -.Cm no .
 -The default is
 -.Cm no .
 -.Pp
 -When X11 forwarding is enabled, there may be additional exposure to
 -the server and to client displays if the
 -.Xr sshd 8
 -proxy display is configured to listen on the wildcard address (see
 -.Cm X11UseLocalhost ) ,
 -though this is not the default.
 -Additionally, the authentication spoofing and authentication data
 -verification and substitution occur on the client side.
 -The security risk of using X11 forwarding is that the client's X11
 -display server may be exposed to attack when the SSH client requests
 -forwarding (see the warnings for
 -.Cm ForwardX11
 -in
 -.Xr ssh_config 5 ) .
 -A system administrator may have a stance in which they want to
 -protect clients that may expose themselves to attack by unwittingly
 -requesting X11 forwarding, which can warrant a
 -.Cm no
 -setting.
 -.Pp
 -Note that disabling X11 forwarding does not prevent users from
 -forwarding X11 traffic, as users can always install their own forwarders.
 -.It Cm X11UseLocalhost
 -Specifies whether
 -.Xr sshd 8
 -should bind the X11 forwarding server to the loopback address or to
 -the wildcard address.
 -By default,
 -sshd binds the forwarding server to the loopback address and sets the
 -hostname part of the
  .Ev DISPLAY
  environment variable to
  .Cm localhost .
+--- openbsd-compat/port-net.c	2018-06-26 15:18:43.551904000 -0700
++++ openbsd-compat/port-net.c.orig	2018-04-01 22:38:28.000000000 -0700
+@@ -186,8 +185,8 @@ sys_tun_open(int tun, int mode, char **ifname)
+ 	else
+ 		debug("%s: %s mode %d fd %d", __func__, ifr.ifr_name, mode, fd);
+ 
+-	if (ifname != NULL)
+-		*ifname = xstrdup(ifr.ifr_name);
++	if (ifname != NULL && (*ifname = strdup(ifr.ifr_name)))
++		goto failed;
+ 
+ 	return (fd);
+ 
+@@ -273,8 +272,8 @@ sys_tun_open(int tun, int mode, char **ifname)
+ 			goto failed;
+ 	}
+ 
+-	if (ifname != NULL)
+-		*ifname = xstrdup(ifr.ifr_name);
++	if (ifname != NULL && (*ifname = strdup(ifr.ifr_name)))
++		goto failed;
+ 
+ 	close(sock);
+ 	return (fd);
+--- ssh.c.orig	2018-04-01 22:38:28.000000000 -0700
++++ ssh.c	2018-06-26 15:22:02.947595000 -0700
+@@ -1411,6 +1323,7 @@ main(int ac, char **av)
+ 		    (char *)NULL);
+ 		free(cp);
+ 	}
++	free(conn_hash_hex);
+ 
+ 	if (config_test) {
+ 		dump_client_config(&options, host);