diff options
author | Bryan Drewery <bdrewery@FreeBSD.org> | 2020-11-20 03:41:56 +0000 |
---|---|---|
committer | Bryan Drewery <bdrewery@FreeBSD.org> | 2020-11-20 03:41:56 +0000 |
commit | 4bc67aef4720fe98ace40a9f43b0ab0f7a46a518 (patch) | |
tree | 7872877efd366fa28f1ff88aaa49d4bc67dd6d08 /security/openssh-portable | |
parent | 3485074c901eaa20693a7cf3a439b3e2c13411a3 (diff) | |
download | ports-4bc67aef4720fe98ace40a9f43b0ab0f7a46a518.tar.gz ports-4bc67aef4720fe98ace40a9f43b0ab0f7a46a518.zip |
Notes
Diffstat (limited to 'security/openssh-portable')
4 files changed, 49 insertions, 16 deletions
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile index fa5da6504aa7..082ee450370c 100644 --- a/security/openssh-portable/Makefile +++ b/security/openssh-portable/Makefile @@ -3,7 +3,7 @@ PORTNAME= openssh DISTVERSION= 8.4p1 -PORTREVISION= 1 +PORTREVISION= 2 PORTEPOCH= 1 CATEGORIES= security MASTER_SITES= OPENBSD/OpenSSH/portable @@ -19,12 +19,12 @@ LICENSE_PERMS= dist-mirror dist-sell pkg-mirror pkg-sell auto-accept CONFLICTS?= openssh-3.* ssh-1.* ssh2-3.* openssh-portable-devel-* -USES= alias autoreconf ncurses ssl +USES= alias autoreconf localbase ncurses pkgconfig ssl GNU_CONFIGURE= yes -CONFIGURE_ENV= ac_cv_func_strnvis=no -CONFIGURE_ARGS= --prefix=${PREFIX} --with-md5-passwords \ - --without-zlib-version-check --with-ssl-engine \ - --with-mantype=man +CONFIGURE_ARGS= --prefix=${PREFIX} \ + --with-ssl-engine \ + --with-mantype=man \ + --with-Werror ETCOLD= ${PREFIX}/etc @@ -70,8 +70,6 @@ TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcpwrappers LDNS_CONFIGURE_WITH= ldns=${LOCALBASE} LDNS_LIB_DEPENDS= libldns.so:dns/ldns LDNS_EXTRA_PATCHES= ${FILESDIR}/extra-patch-ldns -LDNS_CFLAGS= -I${LOCALBASE}/include -LDNS_CONFIGURE_ON= --with-ldflags='-L${LOCALBASE}/lib' HPN_CONFIGURE_WITH= hpn NONECIPHER_CONFIGURE_WITH= nonecipher @@ -89,6 +87,8 @@ BSM_CONFIGURE_ON= --with-audit=bsm FIDO_U2F_LIB_DEPENDS= libfido2.so:security/libfido2 FIDO_U2F_CONFIGURE_ON= --with-security-key-builtin FIDO_U2F_CONFIGURE_OFF= --disable-security-key +# Until https://reviews.freebsd.org/D27289 is committed +FIDO_U2F_EXTRA_PATCHES= ${FILESDIR}/extra-patch-libfido2-configure.ac BLACKLISTD_EXTRA_PATCHES= ${FILESDIR}/extra-patch-blacklistd @@ -114,6 +114,7 @@ PATCH_SITES+= https://sources.debian.org/data/main/o/openssh/1:${GSSAPI_DEBIAN_S # Bump this when updating the patch location GSSAPI_UPDATE_DATE= 20200607 PATCHFILES+= openssh-${DISTVERSION}-gsskex-all-20141021-debian-rh-${GSSAPI_UPDATE_DATE}.patch:-p1:gsskex +EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-sshconnect2.c .endif .if ${PORT_OPTIONS:MBLACKLISTD} @@ -134,8 +135,6 @@ EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn:-p2 EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-compat .endif -CONFIGURE_LIBS+= -lutil - CONFIGURE_ARGS+= --disable-utmp --disable-wtmp --disable-wtmpx --without-lastlog # Keep this last @@ -186,12 +185,9 @@ RC_SCRIPT_NAME= openssh VERSION_ADDENDUM_DEFAULT?= ${OPSYS}-${PKGNAME} post-patch: - @${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure @${REINPLACE_CMD} \ -e 's|install: \(.*\) host-key check-config|install: \1|g' \ ${WRKSRC}/Makefile.in - @${REINPLACE_CMD} -e 's|%%PREFIX%%|${LOCALBASE}|' \ - -e 's|%%RC_SCRIPT_NAME%%|${RC_SCRIPT_NAME}|' ${WRKSRC}/sshd.8 @${REINPLACE_CMD} \ -e 's|\(VersionAddendum\) none|\1 ${VERSION_ADDENDUM_DEFAULT}|' \ ${WRKSRC}/sshd_config diff --git a/security/openssh-portable/files/extra-patch-gssapi-sshconnect2.c b/security/openssh-portable/files/extra-patch-gssapi-sshconnect2.c new file mode 100644 index 000000000000..7cb08ee12a5e --- /dev/null +++ b/security/openssh-portable/files/extra-patch-gssapi-sshconnect2.c @@ -0,0 +1,12 @@ +Avoid free(const char*) +--- sshconnect2.c.orig 2020-11-19 14:56:54.387846000 -0800 ++++ sshconnect2.c 2020-11-19 14:57:04.445045000 -0800 +@@ -846,7 +846,7 @@ userauth_gssapi(struct ssh *ssh) + /* Fall back to specified host if we are using proxy command + * and can not use DNS on that socket */ + if (strcmp(gss_host, "UNKNOWN") == 0) { +- gss_host = authctxt->host; ++ gss_host = xstrdup(authctxt->host); + } + } else { + gss_host = xstrdup(authctxt->host); diff --git a/security/openssh-portable/files/extra-patch-libfido2-configure.ac b/security/openssh-portable/files/extra-patch-libfido2-configure.ac new file mode 100644 index 000000000000..6cd9a550119b --- /dev/null +++ b/security/openssh-portable/files/extra-patch-libfido2-configure.ac @@ -0,0 +1,16 @@ +Workaround libfido2 package having a libfido2.pc that requires libcrypto +even with base OpenSSL which does not provide the proper pc file. + +--- configure.ac.orig 2020-11-19 14:21:03.890890000 -0800 ++++ configure.ac 2020-11-19 14:21:57.061193000 -0800 +@@ -3256,8 +3256,8 @@ if test "x$enable_sk" = "xyes" -a "x$enable_sk_interna + fi + fi + if test "x$use_pkgconfig_for_libfido2" = "xyes"; then +- LIBFIDO2=`$PKGCONFIG --libs libfido2` +- CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libfido2`" ++ LIBFIDO2="-lfido2 -lcrypto" ++ #CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libfido2`" + else + LIBFIDO2="-lfido2 -lcbor" + fi diff --git a/security/openssh-portable/files/patch-session.c b/security/openssh-portable/files/patch-session.c index 92a7756bffd7..84c78b3f9526 100644 --- a/security/openssh-portable/files/patch-session.c +++ b/security/openssh-portable/files/patch-session.c @@ -13,8 +13,8 @@ to the child process. Reviewed by: ache Sponsored by: DARPA, NAI Labs ---- session.c.orig 2020-02-13 16:40:54.000000000 -0800 -+++ session.c 2020-03-23 16:01:07.583958000 -0700 +--- session.c.orig 2020-09-27 00:25:01.000000000 -0700 ++++ session.c 2020-11-19 14:41:50.745308000 -0800 @@ -946,7 +946,7 @@ read_etc_default_login(char ***env, u_int *envsize, ui } #endif /* HAVE_ETC_DEFAULT_LOGIN */ @@ -58,7 +58,16 @@ Sponsored by: DARPA, NAI Labs if (s->term) child_set_env(&env, &envsize, "TERM", s->term); if (s->display) -@@ -1369,7 +1387,7 @@ do_setusercontext(struct passwd *pw) +@@ -1285,7 +1303,7 @@ do_nologin(struct passwd *pw) + #ifdef HAVE_LOGIN_CAP + if (login_getcapbool(lc, "ignorenologin", 0) || pw->pw_uid == 0) + return; +- nl = login_getcapstr(lc, "nologin", def_nl, def_nl); ++ nl = (char*)login_getcapstr(lc, "nologin", def_nl, def_nl); + #else + if (pw->pw_uid == 0) + return; +@@ -1373,7 +1391,7 @@ do_setusercontext(struct passwd *pw) if (platform_privileged_uidswap()) { #ifdef HAVE_LOGIN_CAP if (setusercontext(lc, pw, pw->pw_uid, |