Index: head/security/openssh-portable/Makefile =================================================================== --- head/security/openssh-portable/Makefile (revision 484764) +++ head/security/openssh-portable/Makefile (revision 484765) @@ -1,229 +1,226 @@ # Created by: dwcjr@inethouston.net # $FreeBSD$ PORTNAME= openssh -DISTVERSION= 7.7p1 -PORTREVISION= 6 +DISTVERSION= 7.9p1 +PORTREVISION= 0 PORTEPOCH= 1 CATEGORIES= security ipv6 MASTER_SITES= OPENBSD/OpenSSH/portable PKGNAMESUFFIX?= -portable MAINTAINER= bdrewery@FreeBSD.org COMMENT= The portable version of OpenBSD's OpenSSH #LICENSE= BSD2,BSD3,MIT,public domain,BSD-Style,BEER-WARE,"any purpose with notice intact",ISC-Style #LICENSE_FILE= ${WRKSRC}/LICENCE CONFLICTS?= openssh-3.* ssh-1.* ssh2-3.* openssh-portable-devel-* USES= alias autoreconf ncurses ssl GNU_CONFIGURE= yes CONFIGURE_ENV= ac_cv_func_strnvis=no CONFIGURE_ARGS= --prefix=${PREFIX} --with-md5-passwords \ --without-zlib-version-check --with-ssl-engine \ --with-mantype=man ETCOLD= ${PREFIX}/etc -BROKEN_SSL= openssl111 -BROKEN_SSL_REASON_openssl111= error: OpenSSL >= 1.1.0 is not yet supported - FLAVORS= default hpn default_CONFLICTS_INSTALL= openssl-portable-hpn hpn_CONFLICTS_INSTALL= openssh-portable hpn_PKGNAMESUFFIX= -portable-hpn OPTIONS_DEFINE= PAM TCP_WRAPPERS LIBEDIT BSM \ HPN X509 KERB_GSSAPI \ LDNS NONECIPHER XMSS OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS LDNS .if ${FLAVOR:U} == hpn OPTIONS_DEFINE+= DOCS OPTIONS_DEFAULT+= HPN NONECIPHER .endif OPTIONS_RADIO= KERBEROS OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE TCP_WRAPPERS_DESC= tcp_wrappers support BSM_DESC= OpenBSM Auditing KERB_GSSAPI_DESC= Kerberos/GSSAPI patch (req: GSSAPI) HPN_DESC= HPN-SSH patch LDNS_DESC= SSHFP/LDNS support X509_DESC= x509 certificate patch HEIMDAL_DESC= Heimdal Kerberos (security/heimdal) HEIMDAL_BASE_DESC= Heimdal Kerberos (base) MIT_DESC= MIT Kerberos (security/krb5) NONECIPHER_DESC= NONE Cipher support XMSS_DESC= XMSS key support (experimental) OPTIONS_SUB= yes TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers LDNS_CONFIGURE_WITH= ldns=${LOCALBASE} LDNS_LIB_DEPENDS= libldns.so:dns/ldns LDNS_EXTRA_PATCHES= ${FILESDIR}/extra-patch-ldns LDNS_CFLAGS= -I${LOCALBASE}/include LDNS_CONFIGURE_ON= --with-ldflags='-L${LOCALBASE}/lib' HPN_CONFIGURE_WITH= hpn NONECIPHER_CONFIGURE_WITH= nonecipher # See http://www.roumenpetrov.info/openssh/ -X509_VERSION= 11.3.2 +X509_VERSION= 11.5 X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509 X509_EXTRA_PATCHES+= ${FILESDIR}/extra-patch-x509-glue -X509_PATCHFILES= ${PORTNAME}-7.7p1+x509-${X509_VERSION}.diff.gz:-p1:x509 +X509_PATCHFILES= ${PORTNAME}-7.9p1+x509-${X509_VERSION}.diff.gz:-p1:x509 MIT_LIB_DEPENDS= libkrb5.so.3:security/krb5 HEIMDAL_LIB_DEPENDS= libkrb5.so.26:security/heimdal PAM_CONFIGURE_WITH= pam TCP_WRAPPERS_CONFIGURE_WITH= tcp-wrappers LIBEDIT_CONFIGURE_WITH= libedit LIBEDIT_USES= libedit BSM_CONFIGURE_ON= --with-audit=bsm ETCDIR?= ${PREFIX}/etc/ssh .include PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn,gsskex # X509 patch includes TCP Wrapper support already .if ${PORT_OPTIONS:MX509} EXTRA_PATCHES:= ${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA_PATCHES}} .endif # Must add this patch before HPN due to conflicts .if ${PORT_OPTIONS:MKERB_GSSAPI} -#BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet. +BROKEN= KERB_GSSAPI No patch for ${DISTVERSION} yet. # Patch from: # https://sources.debian.org/data/main/o/openssh/1:7.7p1-2/debian/patches/gssapi.patch # which was originally based on 5.7 patch from # http://www.sxw.org.uk/computing/patches/ # It is mirrored simply to apply gzip -9. . if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} # Needed glue for applying HPN patch without conflict EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue . endif PATCHFILES+= openssh-7.7p1-gsskex-all-20141021-debian-rh-20171004.patch.gz:-p1:gsskex .endif # https://www.psc.edu/hpn-ssh https://github.com/rapier1/openssh-portable/tree/hpn-openssl1.1-7_7_P1 .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} -#BROKEN= HPN: Not yet updated for ${DISTVERSION} and disabled in base +BROKEN= HPN: Not yet updated for ${DISTVERSION} yet. PORTDOCS+= HPN-README HPN_VERSION= 14v15 HPN_DISTVERSION= 7.7p1 #PATCH_SITES+= SOURCEFORGE/hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn #PATCHFILES+= ${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn:-p2 .elif !${PORT_OPTIONS:MHPN} && !${PORT_OPTIONS:MNONECIPHER} # Apply compatibility patch EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-compat .endif CONFIGURE_LIBS+= -lutil CONFIGURE_ARGS+= --disable-utmp --disable-wtmp --disable-wtmpx --without-lastlog # Keep this last EXTRA_PATCHES+= ${FILESDIR}/extra-patch-version-addendum .if ${PORT_OPTIONS:MX509} . if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} BROKEN= X509 patch and HPN patch do not apply cleanly together . endif . if ${PORT_OPTIONS:MKERB_GSSAPI} BROKEN= X509 patch incompatible with KERB_GSSAPI patch . endif .endif .if ${PORT_OPTIONS:MHEIMDAL_BASE} && ${PORT_OPTIONS:MKERB_GSSAPI} BROKEN= KERB_GSSAPI Requires either MIT or HEMIDAL, does not build with base Heimdal currently .endif .if ${PORT_OPTIONS:MHEIMDAL_BASE} && !exists(/usr/lib/libkrb5.so) IGNORE= you have selected HEIMDAL_BASE but do not have heimdal installed in base .endif .if ${PORT_OPTIONS:MMIT} || ${PORT_OPTIONS:MHEIMDAL} || ${PORT_OPTIONS:MHEIMDAL_BASE} . if ${PORT_OPTIONS:MHEIMDAL_BASE} CONFIGURE_LIBS+= -lgssapi_krb5 CONFIGURE_ARGS+= --with-kerberos5=/usr . else CONFIGURE_ARGS+= --with-kerberos5=${LOCALBASE} . endif . if ${OPENSSLBASE} == "/usr" CONFIGURE_ARGS+= --without-rpath LDFLAGS= # empty . endif .else . if ${PORT_OPTIONS:MKERB_GSSAPI} IGNORE= KERB_GSSAPI requires one of MIT HEIMDAL or HEIMDAL_BASE . endif .endif .if ${OPENSSLBASE} != "/usr" CONFIGURE_ARGS+= --with-ssl-dir=${OPENSSLBASE} .endif EMPTYDIR= /var/empty USE_RC_SUBR= openssh # After all CONFIGURE_ARGS+= --sysconfdir=${ETCDIR} --with-privsep-path=${EMPTYDIR} .if !empty(CONFIGURE_LIBS) CONFIGURE_ARGS+= --with-libs='${CONFIGURE_LIBS}' .endif CONFIGURE_ARGS+= --with-xauth=${LOCALBASE}/bin/xauth RC_SCRIPT_NAME= openssh VERSION_ADDENDUM_DEFAULT?= ${OPSYS}-${PKGNAME} post-patch: @${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure @${REINPLACE_CMD} \ -e 's|install: \(.*\) host-key check-config|install: \1|g' \ ${WRKSRC}/Makefile.in @${REINPLACE_CMD} -e 's|%%PREFIX%%|${LOCALBASE}|' \ -e 's|%%RC_SCRIPT_NAME%%|${RC_SCRIPT_NAME}|' ${WRKSRC}/sshd.8 @${REINPLACE_CMD} \ -e 's|\(VersionAddendum\) none|\1 ${VERSION_ADDENDUM_DEFAULT}|' \ ${WRKSRC}/sshd_config @${REINPLACE_CMD} \ -e 's|%%SSH_VERSION_FREEBSD_PORT%%|${VERSION_ADDENDUM_DEFAULT}|' \ ${WRKSRC}/sshd_config.5 @${ECHO_CMD} '#define SSH_VERSION_FREEBSD_PORT "${VERSION_ADDENDUM_DEFAULT}"' >> \ ${WRKSRC}/version.h post-configure-XMSS-on: @${ECHO_CMD} "#define WITH_XMSS 1" >> ${WRKSRC}/config.h post-install: ${MV} ${STAGEDIR}${ETCDIR}/ssh_config \ ${STAGEDIR}${ETCDIR}//ssh_config.sample ${MV} ${STAGEDIR}${ETCDIR}/sshd_config \ ${STAGEDIR}${ETCDIR}/sshd_config.sample .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} ${MKDIR} ${STAGEDIR}${DOCSDIR} ${INSTALL_DATA} ${WRKSRC}/HPN-README ${STAGEDIR}${DOCSDIR} .endif test: build cd ${WRKSRC} && ${SETENV} -i \ OBJ=${WRKDIR} ${MAKE_ENV} \ TEST_SHELL=${SH} \ SUDO="${SUDO}" \ LOGNAME="${LOGNAME}" \ TEST_SSH_TRACE=yes \ PATH=${WRKSRC}:${PREFIX}/bin:${PREFIX}/sbin:${PATH} \ ${MAKE_CMD} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} tests .include Index: head/security/openssh-portable/distinfo =================================================================== --- head/security/openssh-portable/distinfo (revision 484764) +++ head/security/openssh-portable/distinfo (revision 484765) @@ -1,7 +1,7 @@ -TIMESTAMP = 1524589531 -SHA256 (openssh-7.7p1.tar.gz) = d73be7e684e99efcd024be15a30bffcbe41b012b2f7b3c9084aed621775e6b8f -SIZE (openssh-7.7p1.tar.gz) = 1536900 -SHA256 (openssh-7.7p1+x509-11.3.2.diff.gz) = f0549007b2bdb99c41d83e622b6504365a3fa0a5ac22e3d0755c89cb0e29a02f -SIZE (openssh-7.7p1+x509-11.3.2.diff.gz) = 492142 +TIMESTAMP = 1541877994 +SHA256 (openssh-7.9p1.tar.gz) = 6b4b3ba2253d84ed3771c8050728d597c91cfce898713beb7b64a305b6f11aad +SIZE (openssh-7.9p1.tar.gz) = 1565384 +SHA256 (openssh-7.9p1+x509-11.5.diff.gz) = 1d15099ce54614f158f10f55b6b4992d915353f92a05e179a64b0655650c00bb +SIZE (openssh-7.9p1+x509-11.5.diff.gz) = 594995 SHA256 (openssh-7.7p1-gsskex-all-20141021-debian-rh-20171004.patch.gz) = c58f10ed5d9550e6e4ac09898a1aa131321e69c4d65a742ab95d357b35576ef4 SIZE (openssh-7.7p1-gsskex-all-20141021-debian-rh-20171004.patch.gz) = 27251 Index: head/security/openssh-portable/files/patch-misc.c =================================================================== --- head/security/openssh-portable/files/patch-misc.c (revision 484764) +++ head/security/openssh-portable/files/patch-misc.c (nonexistent) @@ -1,43 +0,0 @@ ------------------------------------------------------------------------- -r181918 | des | 2008-08-20 05:40:07 -0500 (Wed, 20 Aug 2008) | 6 lines -Changed paths: - M /head/crypto/openssh/readconf.c - -Use net.inet.ip.portrange.reservedhigh instead of IPPORT_RESERVED. -Submitted upstream, no reaction. - -Submitted by: delphij@ -[rewritten for 7.4 by bdrewery@] - ---- misc.c.orig 2017-01-12 11:54:41.058558000 -0800 -+++ misc.c 2017-01-12 11:55:16.531356000 -0800 -@@ -56,6 +56,8 @@ - #include - #endif - -+#include -+ - #include "xmalloc.h" - #include "misc.h" - #include "log.h" -@@ -1253,7 +1255,19 @@ forward_equals(const struct Forward *a, - int - bind_permitted(int port, uid_t uid) - { -- if (port < IPPORT_RESERVED && uid != 0) -+ int ipport_reserved; -+#ifdef __FreeBSD__ -+ size_t len_ipport_reserved = sizeof(ipport_reserved); -+ -+ if (sysctlbyname("net.inet.ip.portrange.reservedhigh", -+ &ipport_reserved, &len_ipport_reserved, NULL, 0) != 0) -+ ipport_reserved = IPPORT_RESERVED; -+ else -+ ipport_reserved++; -+#else -+ ipport_reserved = IPPORT_RESERVED; -+#endif -+ if (port < ipport_reserved && uid != 0) - return 0; - return 1; - } Property changes on: head/security/openssh-portable/files/patch-misc.c ___________________________________________________________________ Deleted: fbsd:nokeywords ## -1 +0,0 ## -1 \ No newline at end of property Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: svn:mime-type ## -1 +0,0 ## -text/plain \ No newline at end of property Index: head/security/openssh-portable/files/patch-85fe48fd49f2e81fa30902841b362cfbb7f1933b =================================================================== --- head/security/openssh-portable/files/patch-85fe48fd49f2e81fa30902841b362cfbb7f1933b (revision 484764) +++ head/security/openssh-portable/files/patch-85fe48fd49f2e81fa30902841b362cfbb7f1933b (nonexistent) @@ -1,24 +0,0 @@ -From 85fe48fd49f2e81fa30902841b362cfbb7f1933b Mon Sep 17 00:00:00 2001 -From: "djm@openbsd.org" -Date: Sat, 14 Apr 2018 21:50:41 +0000 -Subject: [PATCH] upstream: don't free the %C expansion, it's used later for - -LocalCommand - -OpenBSD-Commit-ID: 857b5cb37b2d856bfdfce61289a415257a487fb1 ---- - ssh.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git ssh.c ssh.c -index d3619fe29..9c011dd7e 100644 ---- ssh.c -+++ ssh.c -@@ -1323,7 +1323,6 @@ main(int ac, char **av) - (char *)NULL); - free(cp); - } -- free(conn_hash_hex); - - if (config_test) { - dump_client_config(&options, host); Property changes on: head/security/openssh-portable/files/patch-85fe48fd49f2e81fa30902841b362cfbb7f1933b ___________________________________________________________________ Deleted: fbsd:nokeywords ## -1 +0,0 ## -yes \ No newline at end of property Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: svn:mime-type ## -1 +0,0 ## -text/plain \ No newline at end of property Index: head/security/openssh-portable/files/patch-868afa68469de50d8a43e5daf867d7c624a34d20 =================================================================== --- head/security/openssh-portable/files/patch-868afa68469de50d8a43e5daf867d7c624a34d20 (revision 484764) +++ head/security/openssh-portable/files/patch-868afa68469de50d8a43e5daf867d7c624a34d20 (nonexistent) @@ -1,36 +0,0 @@ -From 868afa68469de50d8a43e5daf867d7c624a34d20 Mon Sep 17 00:00:00 2001 -From: "djm@openbsd.org" -Date: Mon, 16 Apr 2018 22:50:44 +0000 -Subject: [PATCH] upstream: Disable SSH2_MSG_DEBUG messages for Twisted Conch - clients - -without version numbers since they choke on them under some circumstances. -https://twistedmatrix.com/trac/ticket/9422 via Colin Watson - -Newer Conch versions have a version number in their ident string and -handle debug messages okay. https://twistedmatrix.com/trac/ticket/9424 - -OpenBSD-Commit-ID: 6cf7be262af0419c58ddae11324d9c0dc1577539 ---- - compat.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git compat.c compat.c -index 861e9e21f..1c0e08732 100644 ---- compat.c -+++ compat.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: compat.c,v 1.106 2018/02/16 04:43:11 dtucker Exp $ */ -+/* $OpenBSD: compat.c,v 1.107 2018/04/16 22:50:44 djm Exp $ */ - /* - * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. - * -@@ -128,6 +128,8 @@ compat_datafellows(const char *version) - SSH_OLD_DHGEX }, - { "ConfD-*", - SSH_BUG_UTF8TTYMODE }, -+ { "Twisted_*", 0 }, -+ { "Twisted*", SSH_BUG_DEBUG }, - { NULL, 0 } - }; - Property changes on: head/security/openssh-portable/files/patch-868afa68469de50d8a43e5daf867d7c624a34d20 ___________________________________________________________________ Deleted: fbsd:nokeywords ## -1 +0,0 ## -yes \ No newline at end of property Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: svn:mime-type ## -1 +0,0 ## -text/plain \ No newline at end of property Index: head/security/openssh-portable/files/patch-341727df910e12e26ef161508ed76d91c40a61eb =================================================================== --- head/security/openssh-portable/files/patch-341727df910e12e26ef161508ed76d91c40a61eb (revision 484764) +++ head/security/openssh-portable/files/patch-341727df910e12e26ef161508ed76d91c40a61eb (nonexistent) @@ -1,35 +0,0 @@ -From 341727df910e12e26ef161508ed76d91c40a61eb Mon Sep 17 00:00:00 2001 -From: "djm@openbsd.org" -Date: Mon, 9 Apr 2018 23:54:49 +0000 -Subject: [PATCH] upstream: don't kill ssh-agent's listening socket entriely if - we - -fail to accept a connection; bz#2837, patch from Lukas Kuster - -OpenBSD-Commit-ID: 52413f5069179bebf30d38f524afe1a2133c738f ---- - ssh-agent.c | 7 +++---- - 1 file changed, 3 insertions(+), 4 deletions(-) - -diff --git ssh-agent.c ssh-agent.c -index 2a4578b03..68de56ce6 100644 ---- ssh-agent.c -+++ ssh-agent.c -@@ -1,4 +1,4 @@ --/* $OpenBSD: ssh-agent.c,v 1.228 2018/02/23 15:58:37 markus Exp $ */ -+/* $OpenBSD: ssh-agent.c,v 1.229 2018/04/09 23:54:49 djm Exp $ */ - /* - * Author: Tatu Ylonen - * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland -@@ -909,9 +909,8 @@ after_poll(struct pollfd *pfd, size_t npfd) - /* Process events */ - switch (sockets[socknum].type) { - case AUTH_SOCKET: -- if ((pfd[i].revents & (POLLIN|POLLERR)) != 0 && -- handle_socket_read(socknum) != 0) -- close_socket(&sockets[socknum]); -+ if ((pfd[i].revents & (POLLIN|POLLERR)) != 0) -+ handle_socket_read(socknum); - break; - case AUTH_CONNECTION: - if ((pfd[i].revents & (POLLIN|POLLERR)) != 0 && Property changes on: head/security/openssh-portable/files/patch-341727df910e12e26ef161508ed76d91c40a61eb ___________________________________________________________________ Deleted: fbsd:nokeywords ## -1 +0,0 ## -yes \ No newline at end of property Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: svn:mime-type ## -1 +0,0 ## -text/plain \ No newline at end of property Index: head/security/openssh-portable/files/patch-b81b2d120e9c8a83489e241620843687758925ad =================================================================== --- head/security/openssh-portable/files/patch-b81b2d120e9c8a83489e241620843687758925ad (revision 484764) +++ head/security/openssh-portable/files/patch-b81b2d120e9c8a83489e241620843687758925ad (nonexistent) @@ -1,32 +0,0 @@ -From b81b2d120e9c8a83489e241620843687758925ad Mon Sep 17 00:00:00 2001 -From: Damien Miller -Date: Fri, 13 Apr 2018 13:38:06 +1000 -Subject: [PATCH] Fix tunnel forwarding broken in 7.7p1 - -bz2855, ok dtucker@ ---- - openbsd-compat/port-net.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git openbsd-compat/port-net.c openbsd-compat/port-net.c -index 7050629c3..bb535626f 100644 ---- openbsd-compat/port-net.c -+++ openbsd-compat/port-net.c -@@ -185,7 +185,7 @@ sys_tun_open(int tun, int mode, char **ifname) - else - debug("%s: %s mode %d fd %d", __func__, ifr.ifr_name, mode, fd); - -- if (ifname != NULL && (*ifname = strdup(ifr.ifr_name))) -+ if (ifname != NULL && (*ifname = strdup(ifr.ifr_name)) == NULL) - goto failed; - - return (fd); -@@ -272,7 +272,7 @@ sys_tun_open(int tun, int mode, char **ifname) - goto failed; - } - -- if (ifname != NULL && (*ifname = strdup(ifr.ifr_name))) -+ if (ifname != NULL && (*ifname = strdup(ifr.ifr_name)) == NULL) - goto failed; - - close(sock); Property changes on: head/security/openssh-portable/files/patch-b81b2d120e9c8a83489e241620843687758925ad ___________________________________________________________________ Deleted: fbsd:nokeywords ## -1 +0,0 ## -yes \ No newline at end of property Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: svn:mime-type ## -1 +0,0 ## -text/plain \ No newline at end of property Index: head/security/openssh-portable/files/patch-f5baa36ba79a6e8c534fb4e0a00f2614ccc42ea6 =================================================================== --- head/security/openssh-portable/files/patch-f5baa36ba79a6e8c534fb4e0a00f2614ccc42ea6 (revision 484764) +++ head/security/openssh-portable/files/patch-f5baa36ba79a6e8c534fb4e0a00f2614ccc42ea6 (nonexistent) @@ -1,24 +0,0 @@ -From f5baa36ba79a6e8c534fb4e0a00f2614ccc42ea6 Mon Sep 17 00:00:00 2001 -From: Darren Tucker -Date: Thu, 19 Apr 2018 09:53:14 +1000 -Subject: [PATCH] Omit 3des-cbc if OpenSSL built without DES. - -Patch from hongxu.jia at windriver.com, ok djm@ ---- - cipher.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git cipher.c cipher.c -index 578763616..a72682a82 100644 ---- cipher.c -+++ cipher.c -@@ -82,7 +82,9 @@ struct sshcipher { - - static const struct sshcipher ciphers[] = { - #ifdef WITH_OPENSSL -+#ifndef OPENSSL_NO_DES - { "3des-cbc", 8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc }, -+#endif - { "aes128-cbc", 16, 16, 0, 0, CFLAG_CBC, EVP_aes_128_cbc }, - { "aes192-cbc", 16, 24, 0, 0, CFLAG_CBC, EVP_aes_192_cbc }, - { "aes256-cbc", 16, 32, 0, 0, CFLAG_CBC, EVP_aes_256_cbc }, Property changes on: head/security/openssh-portable/files/patch-f5baa36ba79a6e8c534fb4e0a00f2614ccc42ea6 ___________________________________________________________________ Deleted: fbsd:nokeywords ## -1 +0,0 ## -yes \ No newline at end of property Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: svn:mime-type ## -1 +0,0 ## -text/plain \ No newline at end of property Index: head/security/openssh-portable/files/extra-patch-hpn-compat =================================================================== --- head/security/openssh-portable/files/extra-patch-hpn-compat (revision 484764) +++ head/security/openssh-portable/files/extra-patch-hpn-compat (revision 484765) @@ -1,46 +1,46 @@ ------------------------------------------------------------------------ r294563 | des | 2016-01-22 05:13:46 -0800 (Fri, 22 Jan 2016) | 3 lines Changed paths: M /head/crypto/openssh/servconf.c Instead of removing the NoneEnabled option, mark it as unsupported. (should have done this in r291198, but didn't think of it until now) ------------------------------------------------------------------------ ------------------------------------------------------------------------ r294564 | des | 2016-01-22 06:22:11 -0800 (Fri, 22 Jan 2016) | 2 lines Changed paths: M /head/crypto/openssh/readconf.c r294563 was incomplete; re-add the client-side options as well. ------------------------------------------------------------------------ --- readconf.c.orig 2017-10-12 12:18:59.927293000 -0700 +++ readconf.c 2017-10-12 12:19:45.048532000 -0700 @@ -305,6 +305,12 @@ static struct { { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes }, { "ignoreunknown", oIgnoreUnknown }, { "proxyjump", oProxyJump }, + { "hpndisabled", oDeprecated }, + { "hpnbuffersize", oDeprecated }, + { "tcprcvbufpoll", oDeprecated }, + { "tcprcvbuf", oDeprecated }, + { "noneenabled", oUnsupported }, + { "noneswitch", oUnsupported }, { NULL, oBadOption } }; ---- servconf.c.orig 2017-10-02 12:34:26.000000000 -0700 -+++ servconf.c 2017-10-12 12:20:19.089884000 -0700 -@@ -618,6 +618,10 @@ static struct { - { "disableforwarding", sDisableForwarding, SSHCFG_ALL }, +--- servconf.c.orig 2018-10-16 17:01:20.000000000 -0700 ++++ servconf.c 2018-11-10 11:32:09.835817000 -0800 +@@ -645,6 +645,10 @@ static struct { { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL }, { "rdomain", sRDomain, SSHCFG_ALL }, + { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL }, + { "noneenabled", sUnsupported, SSHCFG_ALL }, + { "hpndisabled", sDeprecated, SSHCFG_ALL }, + { "hpnbuffersize", sDeprecated, SSHCFG_ALL }, + { "tcprcvbufpoll", sDeprecated, SSHCFG_ALL }, { NULL, sBadOption, 0 } }; Index: head/security/openssh-portable/files/extra-patch-tcpwrappers =================================================================== --- head/security/openssh-portable/files/extra-patch-tcpwrappers (revision 484764) +++ head/security/openssh-portable/files/extra-patch-tcpwrappers (revision 484765) @@ -1,160 +1,160 @@ Revert TCPWRAPPER removal -bdrewery commit f2719b7c2b8a3b14d778d8a6d8dc729b5174b054 Author: Damien Miller Date: Sun Apr 20 13:22:18 2014 +1000 - tedu@cvs.openbsd.org 2014/03/26 19:58:37 [sshd.8 sshd.c] remove libwrap support. ok deraadt djm mfriedl diff --git sshd.8 sshd.8 index 289e13d..e6a900b 100644 --- sshd.8 +++ sshd.8 @@ -851,6 +851,12 @@ the user's home directory becomes accessible. This file should be writable only by the user, and need not be readable by anyone else. .Pp +.It Pa /etc/hosts.allow +.It Pa /etc/hosts.deny +Access controls that should be enforced by tcp-wrappers are defined here. +Further details are described in +.Xr hosts_access 5 . +.Pp .It Pa /etc/hosts.equiv This file is for host-based authentication (see .Xr ssh 1 ) . @@ -954,6 +960,7 @@ The content of this file is not sensitive; it can be world-readable. .Xr ssh-keygen 1 , .Xr ssh-keyscan 1 , .Xr chroot 2 , +.Xr hosts_access 5 , .Xr login.conf 5 , .Xr moduli 5 , .Xr sshd_config 5 , diff --git sshd.c sshd.c index 0ade557..045f149 100644 --- sshd.c.orig 2018-04-04 15:34:54.865684000 -0700 +++ sshd.c 2018-04-04 15:40:20.964130000 -0700 @@ -1,4 +1,4 @@ -/* $OpenBSD: sshd.c,v 1.506 2018/03/03 03:15:51 djm Exp $ */ +/* $OpenBSD: sshd.c,v 1.422 2014/03/27 23:01:27 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -131,6 +131,13 @@ #include "version.h" #include "ssherr.h" +#ifdef LIBWRAP +#include +#include +int allow_severity; +int deny_severity; +#endif /* LIBWRAP */ + /* Re-exec fds */ #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) @@ -2072,6 +2079,25 @@ main(int ac, char **av) #endif rdomain = ssh_packet_rdomain_in(ssh); + +#ifdef LIBWRAP + allow_severity = options.log_facility|LOG_INFO; + deny_severity = options.log_facility|LOG_WARNING; + /* Check whether logins are denied from this host. */ + if (packet_connection_is_on_socket()) { + struct request_info req; + + request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0); + fromhost(&req); + + if (!hosts_access(&req)) { + debug("Connection refused by tcp wrapper"); + refuse(&req); + /* NOTREACHED */ + fatal("libwrap refuse returns"); + } + } +#endif /* LIBWRAP */ /* Log the connection. */ laddr = get_local_ipaddr(sock_in); diff --git configure.ac configure.ac index f48ba4a..66fbe82 100644 ---- configure.ac -+++ configure.ac -@@ -1380,6 +1380,62 @@ AC_ARG_WITH([skey], - ] - ) +--- configure.ac.orig 2018-10-16 17:01:20.000000000 -0700 ++++ configure.ac 2018-11-10 11:29:32.626326000 -0800 +@@ -1493,6 +1493,62 @@ else + AC_MSG_RESULT([no]) + fi +# Check whether user wants TCP wrappers support +TCPW_MSG="no" +AC_ARG_WITH([tcp-wrappers], + [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)], + [ + if test "x$withval" != "xno" ; then + saved_LIBS="$LIBS" + saved_LDFLAGS="$LDFLAGS" + saved_CPPFLAGS="$CPPFLAGS" + if test -n "${withval}" && \ + test "x${withval}" != "xyes"; then + if test -d "${withval}/lib"; then + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" + else + LDFLAGS="-L${withval}/lib ${LDFLAGS}" + fi + else + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}" + else + LDFLAGS="-L${withval} ${LDFLAGS}" + fi + fi + if test -d "${withval}/include"; then + CPPFLAGS="-I${withval}/include ${CPPFLAGS}" + else + CPPFLAGS="-I${withval} ${CPPFLAGS}" + fi + fi + LIBS="-lwrap $LIBS" + AC_MSG_CHECKING([for libwrap]) + AC_LINK_IFELSE([AC_LANG_PROGRAM([[ +#include +#include +#include +#include +int deny_severity = 0, allow_severity = 0; + ]], [[ + hosts_access(0); + ]])], [ + AC_MSG_RESULT([yes]) + AC_DEFINE([LIBWRAP], [1], + [Define if you want + TCP Wrappers support]) + SSHDLIBS="$SSHDLIBS -lwrap" + TCPW_MSG="yes" + ], [ + AC_MSG_ERROR([*** libwrap missing]) + + ]) + LIBS="$saved_LIBS" + fi + ] +) + # Check whether user wants to use ldns LDNS_MSG="no" AC_ARG_WITH(ldns, -@@ -4803,6 +4859,7 @@ echo " KerberosV support: $KRB5_MSG" +@@ -5305,6 +5361,7 @@ echo " PAM support: $PAM_MSG" + echo " OSF SIA support: $SIA_MSG" + echo " KerberosV support: $KRB5_MSG" echo " SELinux support: $SELINUX_MSG" - echo " Smartcard support: $SCARD_MSG" - echo " S/KEY support: $SKEY_MSG" +echo " TCP Wrappers support: $TCPW_MSG" echo " MD5 password support: $MD5_MSG" echo " libedit support: $LIBEDIT_MSG" - echo " Solaris process contract support: $SPC_MSG" + echo " libldns support: $LDNS_MSG" Index: head/security/openssh-portable/files/patch-auth2.c =================================================================== --- head/security/openssh-portable/files/patch-auth2.c (revision 484764) +++ head/security/openssh-portable/files/patch-auth2.c (revision 484765) @@ -1,59 +1,60 @@ --- UTC r99053 | des | 2002-06-29 05:57:13 -0500 (Sat, 29 Jun 2002) | 4 lines Changed paths: M /head/crypto/openssh/auth2.c Apply class-imposed login restrictions. ---- auth2.c.orig 2017-03-19 19:39:27.000000000 -0700 -+++ auth2.c 2017-03-20 11:52:27.960733000 -0700 -@@ -47,6 +47,7 @@ - #include "key.h" +--- auth2.c.orig 2018-10-16 17:01:20.000000000 -0700 ++++ auth2.c 2018-11-10 11:35:07.816193000 -0800 +@@ -48,6 +48,7 @@ + #include "sshkey.h" #include "hostfile.h" #include "auth.h" +#include "canohost.h" #include "dispatch.h" #include "pathnames.h" - #include "buffer.h" -@@ -217,6 +218,13 @@ input_userauth_request(int type, u_int32 - Authmethod *m = NULL; + #include "sshbuf.h" +@@ -258,7 +259,14 @@ input_userauth_request(int type, u_int32_t seq, struct char *user, *service, *method, *style = NULL; int authenticated = 0; + double tstart = monotime_double(); +#ifdef HAVE_LOGIN_CAP + login_cap_t *lc; + const char *from_host, *from_ip; -+ + + from_host = auth_get_canonical_hostname(ssh, options.use_dns); + from_ip = ssh_remote_ipaddr(ssh); +#endif - ++ if (authctxt == NULL) fatal("input_userauth_request: no authctxt"); -@@ -266,6 +274,27 @@ input_userauth_request(int type, u_int32 + +@@ -307,6 +315,27 @@ input_userauth_request(int type, u_int32_t seq, struct "(%s,%s) -> (%s,%s)", authctxt->user, authctxt->service, user, service); } + +#ifdef HAVE_LOGIN_CAP + if (authctxt->pw != NULL) { + lc = login_getpwclass(authctxt->pw); + if (lc == NULL) + lc = login_getclassbyname(NULL, authctxt->pw); + if (!auth_hostok(lc, from_host, from_ip)) { + logit("Denied connection for %.200s from %.200s [%.200s].", + authctxt->pw->pw_name, from_host, from_ip); + packet_disconnect("Sorry, you are not allowed to connect."); + } + if (!auth_timeok(lc, time(NULL))) { + logit("LOGIN %.200s REFUSED (TIME) FROM %.200s", + authctxt->pw->pw_name, from_host); + packet_disconnect("Logins not available right now."); + } + login_close(lc); + lc = NULL; + } +#endif /* HAVE_LOGIN_CAP */ + /* reset state */ - auth2_challenge_stop(authctxt); + auth2_challenge_stop(ssh); Index: head/security/openssh-portable/files/patch-serverloop.c =================================================================== --- head/security/openssh-portable/files/patch-serverloop.c (nonexistent) +++ head/security/openssh-portable/files/patch-serverloop.c (revision 484765) @@ -0,0 +1,43 @@ +------------------------------------------------------------------------ +r181918 | des | 2008-08-20 05:40:07 -0500 (Wed, 20 Aug 2008) | 6 lines +Changed paths: + M /head/crypto/openssh/readconf.c + +Use net.inet.ip.portrange.reservedhigh instead of IPPORT_RESERVED. +Submitted upstream, no reaction. + +Submitted by: delphij@ +[rewritten for 7.4 by bdrewery@] + +--- serverloop.c.orig 2018-11-10 11:38:16.728617000 -0800 ++++ serverloop.c 2018-11-10 11:38:19.497300000 -0800 +@@ -55,6 +55,8 @@ + #include + #include + ++#include ++ + #include "openbsd-compat/sys-queue.h" + #include "xmalloc.h" + #include "packet.h" +@@ -109,7 +111,19 @@ bind_permitted(int port, uid_t uid) + { + if (use_privsep) + return 1; /* allow system to decide */ +- if (port < IPPORT_RESERVED && uid != 0) ++ int ipport_reserved; ++#ifdef __FreeBSD__ ++ size_t len_ipport_reserved = sizeof(ipport_reserved); ++ ++ if (sysctlbyname("net.inet.ip.portrange.reservedhigh", ++ &ipport_reserved, &len_ipport_reserved, NULL, 0) != 0) ++ ipport_reserved = IPPORT_RESERVED; ++ else ++ ipport_reserved++; ++#else ++ ipport_reserved = IPPORT_RESERVED; ++#endif ++ if (port < ipport_reserved && uid != 0) + return 0; + return 1; + } Property changes on: head/security/openssh-portable/files/patch-serverloop.c ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +1 \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: head/security/openssh-portable/files/patch-session.c =================================================================== --- head/security/openssh-portable/files/patch-session.c (revision 484764) +++ head/security/openssh-portable/files/patch-session.c (revision 484765) @@ -1,85 +1,84 @@ ------------------------------------------------------------------------ r99055 | des | 2002-06-29 04:21:58 -0700 (Sat, 29 Jun 2002) | 6 lines Changed paths: M /head/crypto/openssh/session.c Make sure the environment variables set by setusercontext() are passed on to the child process. Reviewed by: ache Sponsored by: DARPA, NAI Labs ---- session.c.orig 2018-04-01 22:38:28.000000000 -0700 -+++ session.c 2018-04-03 13:56:49.599400000 -0700 -@@ -982,6 +982,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * +--- session.c.orig 2018-10-16 17:01:20.000000000 -0700 ++++ session.c 2018-11-10 11:45:14.645263000 -0800 +@@ -1020,6 +1020,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * struct passwd *pw = s->pw; #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) char *path = NULL; +#else + extern char **environ; + char **senv, **var; #endif /* Initialize the environment. */ -@@ -1003,6 +1006,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * +@@ -1041,6 +1044,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * } #endif + if (getenv("TZ")) + child_set_env(&env, &envsize, "TZ", getenv("TZ")); + #ifdef GSSAPI /* Allow any GSSAPI methods that we've used to alter * the childs environment as they see fit -@@ -1020,11 +1026,21 @@ do_setup_env(struct ssh *ssh, Session *s, const char * +@@ -1058,11 +1064,21 @@ do_setup_env(struct ssh *ssh, Session *s, const char * child_set_env(&env, &envsize, "LOGIN", pw->pw_name); #endif child_set_env(&env, &envsize, "HOME", pw->pw_dir); + snprintf(buf, sizeof buf, "%.200s/%.50s", _PATH_MAILDIR, pw->pw_name); + child_set_env(&env, &envsize, "MAIL", buf); #ifdef HAVE_LOGIN_CAP - if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0) - child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); - else - child_set_env(&env, &envsize, "PATH", getenv("PATH")); + child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); + child_set_env(&env, &envsize, "TERM", "su"); + senv = environ; + environ = xmalloc(sizeof(char *)); + *environ = NULL; + (void) setusercontext(lc, pw, pw->pw_uid, + LOGIN_SETENV|LOGIN_SETPATH); + copy_environment(environ, &env, &envsize); + for (var = environ; *var != NULL; ++var) + free(*var); + free(environ); + environ = senv; #else /* HAVE_LOGIN_CAP */ # ifndef HAVE_CYGWIN /* -@@ -1044,15 +1060,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * +@@ -1082,14 +1098,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * # endif /* HAVE_CYGWIN */ #endif /* HAVE_LOGIN_CAP */ - snprintf(buf, sizeof buf, "%.200s/%.50s", _PATH_MAILDIR, pw->pw_name); - child_set_env(&env, &envsize, "MAIL", buf); - /* Normal systems set SHELL by default. */ child_set_env(&env, &envsize, "SHELL", shell); - if (getenv("TZ")) - child_set_env(&env, &envsize, "TZ", getenv("TZ")); -- - /* Set custom environment options from pubkey authentication. */ - if (options.permit_user_env) { - for (n = 0 ; n < auth_opts->nenv; n++) { -@@ -1331,7 +1341,7 @@ do_setusercontext(struct passwd *pw) + if (s->term) + child_set_env(&env, &envsize, "TERM", s->term); + if (s->display) +@@ -1389,7 +1400,7 @@ do_setusercontext(struct passwd *pw) if (platform_privileged_uidswap()) { #ifdef HAVE_LOGIN_CAP if (setusercontext(lc, pw, pw->pw_uid, - (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETUSER))) < 0) { + (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH|LOGIN_SETUSER))) < 0) { perror("unable to set user context"); exit(1); }