authorBryan Drewery <bdrewery@FreeBSD.org>2016-02-29 18:36:57 +0000
committerBryan Drewery <bdrewery@FreeBSD.org>2016-02-29 18:36:57 +0000
commit32641bdf90fdf5c9677a23e7905da5bc38c74fd8 (patch)
tree6c63a0cddd544c37d8fc0c6813d69ad1f0bb5b48 /security/openssh-portable
parentfe2e23cbdd1c0a3bc3f0503e7625d5994f365a80 (diff)
Diffstat (limited to 'security/openssh-portable')
-rw-r--r--security/openssh-portable/Makefile8
-rw-r--r--security/openssh-portable/distinfo4
-rw-r--r--security/openssh-portable/files/extra-patch-hostkeyalg_plus51
-rw-r--r--security/openssh-portable/files/extra-patch-hpn60
-rw-r--r--security/openssh-portable/files/extra-patch-ldns8
-rw-r--r--security/openssh-portable/files/patch-servconf.c9
-rw-r--r--security/openssh-portable/files/patch-ssh-agent.14
-rw-r--r--security/openssh-portable/pkg-plist3
8 files changed, 37 insertions, 110 deletions
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index 1f90ee9e0ccf..ddee856fab7d 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= openssh
-DISTVERSION= 7.1p2
+DISTVERSION= 7.2p1
PORTREVISION= 0
PORTEPOCH= 1
CATEGORIES= security ipv6
@@ -68,6 +68,7 @@ X509_PATCHFILES= ${PORTNAME}-7.0p1+x509-${X509_VERSION}.diff.gz:-p1:x509
# and https://bugzilla.mindrot.org/show_bug.cgi?id=1604
SCTP_PATCHFILES= ${PORTNAME}-6.8p1-sctp-2573.patch.gz:-p1
SCTP_CONFIGURE_WITH= sctp
+SCTP_BROKEN= SCTP does not apply with 7.2+
MIT_LIB_DEPENDS= libkrb5.so.3:${PORTSDIR}/security/krb5
HEIMDAL_LIB_DEPENDS= libkrb5.so.26:${PORTSDIR}/security/heimdal
@@ -92,6 +93,7 @@ EXTRA_PATCHES:= ${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA_PATCHES}}
# Must add this patch before HPN due to conflicts
.if ${PORT_OPTIONS:MKERB_GSSAPI}
+BROKEN= KERN_GSSAPI does not yet apply with 7.2+
# 7.1 patch taken from
# http://sources.debian.net/data/main/o/openssh/1:7.1p2-2/debian/patches/gssapi.patch
# which was originally based on 5.7 patch from
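Review bot: The new BROKEN message names `KERN_GSSAPI`, but the option tested on the line above is `KERB_GSSAPI`, so a user reading the failure will look for an option that does not exist; it should read `BROKEN= KERB_GSSAPI does not yet apply with 7.2+`. The SCTP case in the earlier hunk expresses the same thing with the `SCTP_BROKEN=` option helper; `KERB_GSSAPI_BROKEN=` would match that style, although the `.if` block would still be needed for the patch variables it sets. The `.if ${PORT_OPTIONS:MKERB_GSSAPI}` block continues past the hunk.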
@@ -117,13 +119,11 @@ CONFIGURE_LIBS+= -lutil
CONFIGURE_ARGS+= --disable-utmp --disable-wtmp --disable-wtmpx --without-lastlog
-EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hostkeyalg_plus:-p1
-
# Keep this last
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-version-addendum
.if ${PORT_OPTIONS:MX509}
-BROKEN= Patch does not apply with 7.1
+BROKEN= X509 does not apply with 7.1+
. if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
BROKEN= X509 patch and HPN patch do not apply cleanly together
. endif
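Review bot: The reworded X509 message still says `7.1+` while the port is now at 7.2p1 and the new SCTP and KERB_GSSAPI messages both say `7.2+`; `BROKEN= X509 does not apply with 7.2+` would read consistently, though `7.1+` is arguably accurate given the X509 diff targets 7.0p1. Dropping `extra-patch-hostkeyalg_plus` here matches the file deletion below; I assume the HostKeyAlgorithms `+` fix it carried is part of 7.2p1 upstream, which nothing on the page states, so a short remark to that effect would help the next updater. The outer `.if ${PORT_OPTIONS:MX509}` block continues past the hunk.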
diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo
index 9e0fe401e6e8..70657107af38 100644
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@@ -1,5 +1,5 @@
-SHA256 (openssh-7.1p2.tar.gz) = dd75f024dcf21e06a0d6421d582690bf987a1f6323e32ad6619392f3bfde6bbd
-SIZE (openssh-7.1p2.tar.gz) = 1475829
+SHA256 (openssh-7.2p1.tar.gz) = 973cc37b2f3597e4cf599b09e604e79c0fe5d9b6f595a24e91ed0662860b4ac3
+SIZE (openssh-7.2p1.tar.gz) = 1499707
SHA256 (openssh-6.8p1-sctp-2573.patch.gz) = 0348713ad4cb4463e90cf5202ed41c8f726d7d604f3f93922a9aa55b86abf04a
SIZE (openssh-6.8p1-sctp-2573.patch.gz) = 8531
SHA256 (openssh-7.0p1+x509-8.5.diff.gz) = 6000557f1ddae06aff8837d440d93342a923fada571fec59fc5dedf388fb5f9e
diff --git a/security/openssh-portable/files/extra-patch-hostkeyalg_plus b/security/openssh-portable/files/extra-patch-hostkeyalg_plus
deleted file mode 100644
index d97b2e17d49f..000000000000
--- a/security/openssh-portable/files/extra-patch-hostkeyalg_plus
+++ /dev/null
@@ -1,51 +0,0 @@
-Author: djm@mindrot.org
-
-Fix HostKeyAlgorithms `+' support.
-
-diff --git a/readconf.c b/readconf.c
-index 374e741..23d74fb 100644
---- a/readconf.c
-+++ b/readconf.c
-@@ -2229,6 +2229,10 @@ dump_client_config(Options *o, const char *host)
- int i;
- char vbuf[5];
-
-+ /* This is normally prepared in ssh_kex2 */
-+ if (kex_assemble_names(KEX_DEFAULT_PK_ALG, &o->hostkeyalgorithms) != 0)
-+ fatal("%s: kex_assemble_names failed", __func__);
-+
- /* Most interesting options first: user, host, port */
- dump_cfg_string(oUser, o->user);
- dump_cfg_string(oHostName, host);
-@@ -2289,7 +2293,7 @@ dump_client_config(Options *o, const char *host)
- dump_cfg_string(oBindAddress, o->bind_address);
- dump_cfg_string(oCiphers, o->ciphers ? o->ciphers : KEX_CLIENT_ENCRYPT);
- dump_cfg_string(oControlPath, o->control_path);
-- dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms ? o->hostkeyalgorithms : KEX_DEFAULT_PK_ALG);
-+ dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms);
- dump_cfg_string(oHostKeyAlias, o->host_key_alias);
- dump_cfg_string(oHostbasedKeyTypes, o->hostbased_key_types);
- dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices);
-diff --git a/servconf.c b/servconf.c
-index 04404a4..08c8139 100644
---- a/servconf.c
-+++ b/servconf.c
-@@ -242,8 +242,6 @@ fill_default_server_options(ServerOptions *options)
- options->hostbased_authentication = 0;
- if (options->hostbased_uses_name_from_packet_only == -1)
- options->hostbased_uses_name_from_packet_only = 0;
-- if (options->hostkeyalgorithms == NULL)
-- options->hostkeyalgorithms = xstrdup(KEX_DEFAULT_PK_ALG);
- if (options->rsa_authentication == -1)
- options->rsa_authentication = 1;
- if (options->pubkey_authentication == -1)
-@@ -329,6 +327,8 @@ fill_default_server_options(ServerOptions *options)
- kex_assemble_names(KEX_SERVER_MAC, &options->macs) != 0 ||
- kex_assemble_names(KEX_SERVER_KEX, &options->kex_algorithms) != 0 ||
- kex_assemble_names(KEX_DEFAULT_PK_ALG,
-+ &options->hostkeyalgorithms) != 0 ||
-+ kex_assemble_names(KEX_DEFAULT_PK_ALG,
- &options->hostbased_key_types) != 0 ||
- kex_assemble_names(KEX_DEFAULT_PK_ALG,
- &options->pubkey_key_types) != 0)
-
diff --git a/security/openssh-portable/files/extra-patch-hpn b/security/openssh-portable/files/extra-patch-hpn
index 9629e9b8c26b..f9ee8cf68a29 100644
--- a/security/openssh-portable/files/extra-patch-hpn
+++ b/security/openssh-portable/files/extra-patch-hpn
@@ -447,29 +447,18 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
echo ""
---- work.clean/openssh-6.8p1/kex.c.orig 2015-08-11 01:57:29.000000000 -0700
-+++ work.clean/openssh-6.8p1/kex.c 2015-08-17 17:02:06.770901000 -0700
-@@ -652,6 +652,13 @@ kex_choose_conf(struct ssh *ssh)
- int nenc, nmac, ncomp;
- u_int mode, ctos, need, dh_need, authlen;
- int r, first_kex_follows;
-+#ifdef NONE_CIPHER_ENABLED
-+ /* XXX: Could this move into the lower block? */
-+ int auth_flag;
-+
-+ auth_flag = ssh_packet_authentication_state(ssh);
-+ debug ("AUTH STATE IS %d", auth_flag);
-+#endif
-
- if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0 ||
- (r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0)
-@@ -709,6 +716,17 @@ kex_choose_conf(struct ssh *ssh)
+--- work.clean/openssh-7.2p1/kex.c.orig 2016-02-25 19:40:04.000000000 -0800
++++ work.clean/openssh-7.2p1/kex.c 2016-02-29 08:02:25.565288000 -0800
+@@ -822,6 +822,20 @@ kex_choose_conf(struct ssh *ssh)
peer[ncomp] = NULL;
goto out;
}
+#ifdef NONE_CIPHER_ENABLED
+ debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name);
+ if (strcmp(newkeys->enc.name, "none") == 0) {
++ int auth_flag;
++
++ auth_flag = ssh_packet_authentication_state(ssh);
+ debug("Requesting NONE. Authflag is %d", auth_flag);
+ if (auth_flag == 1) {
+ debug("None requested post authentication.");
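Review bot: The `if (auth_flag == 1)` test is what restricts the NONE cipher to connections that have already completed user authentication, but the block that this hunk reshapes never states that, and the old `XXX: Could this move into the lower block?` comment it replaces is now gone. A one-line comment above the moved `int auth_flag;` declaration, e.g. `/* NONE may only be selected once user authentication has completed */`, would record the property the check enforces. Moving the declaration and the `ssh_packet_authentication_state(ssh)` call into the `"none"` branch does answer the old question, so the removed comment need not be carried over. The `if (strcmp(newkeys->enc.name, "none") == 0)` block continues past the hunk.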
@@ -478,13 +467,13 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ }
+ }
+#endif
- debug("kex: %s %s %s %s",
+ debug("kex: %s cipher: %s MAC: %s compression: %s",
ctos ? "client->server" : "server->client",
newkeys->enc.name,
---- work.clean/openssh-6.8p1/packet.c 2015-03-17 00:49:20.000000000 -0500
-+++ work/openssh-6.8p1/packet.c 2015-04-03 16:10:57.002066000 -0500
-@@ -2199,6 +2199,24 @@
- }
+--- work.clean/openssh-7.2p1/packet.c.orig 2016-02-25 19:40:04.000000000 -0800
++++ work.clean/openssh-7.2p1/packet.c 2016-02-29 08:05:15.744201000 -0800
+@@ -1037,6 +1037,24 @@ ssh_set_newkeys(struct ssh *ssh, int mod
+ return 0;
}
+#ifdef NONE_CIPHER_ENABLED
@@ -506,10 +495,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+#endif
+
#define MAX_PACKETS (1U<<31)
- int
- ssh_packet_need_rekeying(struct ssh *ssh)
-@@ -2207,6 +2225,12 @@
-
+ static int
+ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len)
+@@ -1055,6 +1073,12 @@ ssh_packet_need_rekeying(struct ssh *ssh
+ /* Peer can't rekey */
if (ssh->compat & SSH_BUG_NOREKEY)
return 0;
+#ifdef NONE_CIPHER_ENABLED
@@ -518,9 +507,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+ return 1;
+ }
+#endif
- return
- (state->p_send.packets > MAX_PACKETS) ||
- (state->p_read.packets > MAX_PACKETS) ||
+
+ /*
+ * Permit one packet in or out per rekey - this allows us to
--- work.clean/openssh-6.8p1/packet.h 2015-03-17 00:49:20.000000000 -0500
+++ work/openssh-6.8p1/packet.h 2015-04-03 16:10:34.728161000 -0500
@@ -188,6 +188,11 @@
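Review bot: The packet.h header lines at the end of this hunk still read `--- work.clean/openssh-6.8p1/packet.h` / `+++ work/openssh-6.8p1/packet.h` (note the mixed `work.clean` and `work` prefixes), while this commit regenerates the kex.c, packet.c and sshconnect2.c headers against 7.2p1. As far as I can tell this is harmless as long as every inner file header strips to the same relative path at the chosen `-p` depth, but regenerating them as `--- work.clean/openssh-7.2p1/packet.h.orig` / `+++ work.clean/openssh-7.2p1/packet.h` with the matching timestamps would keep the HPN patch self-consistent. These two lines are unchanged context, so the fix would be a small follow-up to the same file.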
@@ -1110,8 +1099,8 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
}
if (roaming_atomicio(vwrite, connection_out, client_version_string,
strlen(client_version_string)) != strlen(client_version_string))
---- work.clean/openssh-7.1p2/sshconnect2.c.orig 2016-01-13 17:10:45.000000000 -0800
-+++ work.clean/openssh-7.1p2/sshconnect2.c 2016-01-19 17:49:17.929000000 -0800
+--- work.clean/openssh-7.2p1/sshconnect2.c.orig 2016-02-25 19:40:04.000000000 -0800
++++ work.clean/openssh-7.2p1/sshconnect2.c 2016-02-29 08:06:31.134954000 -0800
@@ -80,6 +80,14 @@
extern char *client_version_string;
extern char *server_version_string;
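Review bot: The trailing context of the inner hunk just above the refreshed sshconnect2.c header, `if (roaming_atomicio(vwrite, connection_out, client_version_string,` in what is presumably sshconnect.c, was not regenerated; I believe upstream removed the roaming code in 7.2, in which case 7.2p1's sshconnect.c no longer contains this call and that inner hunk only applies thanks to patch's fuzz. Worth confirming against 7.2p1's sshconnect.c and refreshing the context so the HPN patch applies exactly, since a fuzz-dependent hunk is the first thing to break on the next update. The inner hunk these lines close starts outside this outer hunk.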
@@ -1127,7 +1116,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
/*
* SSH2 key exchange
-@@ -153,13 +161,16 @@ order_hostkeyalgs(char *host, struct soc
+@@ -153,14 +161,17 @@ order_hostkeyalgs(char *host, struct soc
return ret;
}
@@ -1137,6 +1126,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
{
- char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
+ char *s;
struct kex *kex;
int r;
@@ -1145,7 +1135,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
xxx_host = host;
xxx_hostaddr = hostaddr;
-@@ -232,6 +243,9 @@ ssh_kex2(char *host, struct sockaddr *ho
+@@ -235,6 +246,9 @@ ssh_kex2(char *host, struct sockaddr *ho
packet_send();
packet_write_wait();
#endif
@@ -1155,9 +1145,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
}
/*
-@@ -416,6 +430,29 @@ ssh_userauth2(const char *local_user, co
+@@ -404,6 +418,29 @@ ssh_userauth2(const char *local_user, co
pubkey_cleanup(&authctxt);
- dispatch_range(SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL);
+ ssh_dispatch_range(ssh, SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL);
+#ifdef NONE_CIPHER_ENABLED
+ /*
diff --git a/security/openssh-portable/files/extra-patch-ldns b/security/openssh-portable/files/extra-patch-ldns
index 162d8686a33c..7bd369a84444 100644
--- a/security/openssh-portable/files/extra-patch-ldns
+++ b/security/openssh-portable/files/extra-patch-ldns
@@ -35,9 +35,9 @@ be verified, OpenSSH will print a message and prompt the user as usual.
+# VerifyHostKeyDNS yes
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
---- ssh_config.5 2013-10-03 08:15:03.621130815 -0500
-+++ ssh_config.5 2013-10-03 08:15:22.851132133 -0500
-@@ -1246,7 +1246,10 @@ The argument must be
+--- ssh_config.5.orig 2016-02-25 19:40:04.000000000 -0800
++++ ssh_config.5 2016-02-29 07:57:41.763889000 -0800
+@@ -1715,7 +1715,10 @@
or
.Dq ask .
The default is
@@ -46,6 +46,6 @@ be verified, OpenSSH will print a message and prompt the user as usual.
+if compiled with LDNS and
+.Dq no
+otherwise.
- Note that this option applies to protocol version 2 only.
.Pp
See also VERIFYING HOST KEYS in
+ .Xr ssh 1 .
diff --git a/security/openssh-portable/files/patch-servconf.c b/security/openssh-portable/files/patch-servconf.c
index ef38b9962b5e..57d364a207f9 100644
--- a/security/openssh-portable/files/patch-servconf.c
+++ b/security/openssh-portable/files/patch-servconf.c
@@ -38,12 +38,3 @@
if (options->kbd_interactive_authentication == -1)
options->kbd_interactive_authentication = 0;
if (options->challenge_response_authentication == -1)
-@@ -412,7 +417,7 @@ fill_default_server_options(ServerOption
-
- /* Turn privilege separation on by default */
- if (use_privsep == -1)
-- use_privsep = PRIVSEP_NOSANDBOX;
-+ use_privsep = PRIVSEP_ON;
-
- #define CLEAR_ON_NONE(v) \
- do { \
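Review bot: Dropping the `use_privsep = PRIVSEP_ON` hunk from the local servconf.c patch means sshd now takes upstream's default for UsePrivilegeSeparation, and nothing on the page says why the override is no longer needed. If 7.2p1's fill_default_server_options() still falls back to `PRIVSEP_NOSANDBOX` at this point, the removal silently turns the privilege-separation sandbox off for the port's sshd, which is a security regression rather than a cleanup. Please confirm that upstream now defaults to the sandbox here (or that the hunk merely stopped applying and the override lives elsewhere) and record that in the commit message.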
diff --git a/security/openssh-portable/files/patch-ssh-agent.1 b/security/openssh-portable/files/patch-ssh-agent.1
index d26426eb8f4c..3acde74be9fe 100644
--- a/security/openssh-portable/files/patch-ssh-agent.1
+++ b/security/openssh-portable/files/patch-ssh-agent.1
@@ -10,8 +10,8 @@ disconnected.
.Sh SYNOPSIS
.Nm ssh-agent
.Op Fl c | s
--.Op Fl Dd
-+.Op Fl Ddx
+-.Op Fl \&Dd
++.Op Fl \&Ddx
.Op Fl a Ar bind_address
.Op Fl E Ar fingerprint_hash
.Op Fl t Ar life
diff --git a/security/openssh-portable/pkg-plist b/security/openssh-portable/pkg-plist
index 4acfecc1bacc..c528bdf21a6e 100644
--- a/security/openssh-portable/pkg-plist
+++ b/security/openssh-portable/pkg-plist
@@ -1,5 +1,3 @@
-@comment slogin must be deleted first
-bin/slogin
bin/scp
bin/sftp
bin/ssh
@@ -23,7 +21,6 @@ man/man1/ssh-keygen.1.gz
man/man1/ssh-keyscan.1.gz
man/man1/scp.1.gz
man/man1/ssh.1.gz
-man/man1/slogin.1.gz
man/man5/moduli.5.gz
man/man5/ssh_config.5.gz
man/man5/sshd_config.5.gz