Diffstat (limited to 'security/openssh-portable/files')
5 files changed, 227 insertions, 12 deletions
diff --git a/security/openssh-portable/files/extra-patch-hpn-build-options b/security/openssh-portable/files/extra-patch-hpn-build-options
new file mode 100644
index 000000000000..c4551a51e756
--- /dev/null
+++ b/security/openssh-portable/files/extra-patch-hpn-build-options
@@ -0,0 +1,142 @@
+--- sshconnect2.c.orig 2013-10-11 08:52:17.836129741 -0500
++++ sshconnect2.c 2013-10-11 08:53:05.776132295 -0500
+@@ -451,6 +451,7 @@ ssh_userauth2(const char *local_user, co
+ }
+ }
+ 
++#ifdef AES_THREADED
+ /* if we are using aes-ctr there can be issues in either a fork or sandbox
+ * so the initial aes-ctr is defined to point to the original single process
+ * evp. After authentication we'll be past the fork and the sandboxed privsep
+@@ -466,6 +467,7 @@ ssh_userauth2(const char *local_user, co
+ cipher_reset_multithreaded();
+ packet_request_rekeying();
+ }
++#endif
+ 
+ debug("Authentication succeeded (%s).", authctxt.method->name);
+ }
+--- sshd.c.orig 2013-10-11 08:52:17.848126748 -0500
++++ sshd.c 2013-10-11 08:53:25.929132033 -0500
+@@ -2186,6 +2186,7 @@ main(int ac, char **av)
+ 
+ /* Start session. */
+ 
++#ifdef AES_THREADED
+ /* if we are using aes-ctr there can be issues in either a fork or sandbox
+ * so the initial aes-ctr is defined to point ot the original single process
+ * evp.
After authentication we'll be past the fork and the sandboxed privsep
+@@ -2201,6 +2202,7 @@ main(int ac, char **av)
+ cipher_reset_multithreaded();
+ packet_request_rekeying();
+ }
++#endif
+ 
+ do_authenticated(authctxt);
+ 
+--- readconf.c.orig 2013-10-11 09:24:10.812126846 -0500
++++ readconf.c 2013-10-11 09:19:12.295135966 -0500
+@@ -251,12 +251,16 @@ static struct {
+ { "kexalgorithms", oKexAlgorithms },
+ { "ipqos", oIPQoS },
+ { "requesttty", oRequestTTY },
++#ifdef NONECIPHER
+ { "noneenabled", oNoneEnabled },
+ { "noneswitch", oNoneSwitch },
++#endif
++#ifdef HPN
+ { "tcprcvbufpoll", oTcpRcvBufPoll },
+ { "tcprcvbuf", oTcpRcvBuf },
+ { "hpndisabled", oHPNDisabled },
+ { "hpnbuffersize", oHPNBufferSize },
++#endif
+ { "ignoreunknown", oIgnoreUnknown },
+ 
+ { NULL, oBadOption }
+@@ -1417,12 +1421,20 @@ fill_default_options(Options * options)
+ options->server_alive_interval = 0;
+ if (options->server_alive_count_max == -1)
+ options->server_alive_count_max = 3;
++#ifdef NONECIPHER
+ if (options->none_switch == -1)
++#endif
+ options->none_switch = 0;
++#ifdef NONECIPHER
+ if (options->none_enabled == -1)
++#endif
+ options->none_enabled = 0;
++#ifdef HPN
+ if (options->hpn_disabled == -1)
+ options->hpn_disabled = 0;
++#else
++ options->hpn_disabled = 1;
++#endif
+ if (options->hpn_buffer_size > -1)
+ {
+ /* if a user tries to set the size to 0 set it to 1KB */
+--- servconf.c.orig 2013-10-11 09:24:44.734138483 -0500
++++ servconf.c 2013-10-11 09:25:50.777137928 -0500
+@@ -305,10 +305,16 @@ fill_default_server_options(ServerOption
+ options->permit_tun = SSH_TUNMODE_NO;
+ if (options->zero_knowledge_password_authentication == -1)
+ options->zero_knowledge_password_authentication = 0;
++#ifdef NONECIPHER
+ if (options->none_enabled == -1)
++#endif
+ options->none_enabled = 0;
++#ifdef HPN
+ if (options->hpn_disabled == -1)
+ options->hpn_disabled = 0;
++#else
++ options->hpn_disabled = 1;
++#endif
+ 
+ if (options->hpn_buffer_size == -1) {
+ /* option not
explicitly set. Now we have to figure out */
+--- configure.ac.orig 2013-10-12 17:17:41.525139481 -0500
++++ configure.ac 2013-10-12 17:18:35.610130039 -0500
+@@ -3968,6 +3968,34 @@
+ ]
+ ) # maildir
+ 
++#check whether user wants HPN support
++HPN_MSG="no"
++AC_ARG_WITH(hpn,
++ [ --with-hpn Enable HPN support],
++ [ if test "x$withval" != "xno" ; then
++ AC_DEFINE(HPN,1,[Define if you want HPN support.])
++ HPN_MSG="yes"
++ fi ]
++)
++#check whether user wants NONECIPHER support
++NONECIPHER_MSG="no"
++AC_ARG_WITH(nonecipher,
++ [ --with-nonecipher Enable NONECIPHER support],
++ [ if test "x$withval" != "xno" ; then
++ AC_DEFINE(NONECIPHER,1,[Define if you want NONECIPHER support.])
++ NONECIPHER_MSG="yes"
++ fi ]
++)
++#check whether user wants AES_THREADED support
++AES_THREADED_MSG="no"
++AC_ARG_WITH(aes-threaded,
++ [ --with-aes-threaded Enable AES_THREADED support],
++ [ if test "x$withval" != "xno" ; then
++ AC_DEFINE(AES_THREADED,1,[Define if you want AES_THREADED support.])
++ AES_THREADED_MSG="yes"
++ fi ]
++)
++
+ if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then
+ AC_MSG_WARN([cross compiling: Disabling /dev/ptmx test])
+ disable_ptmx_check=yes
+@@ -4636,6 +4664,9 @@
+ echo " BSD Auth support: $BSD_AUTH_MSG"
+ echo " Random number source: $RAND_MSG"
+ echo " Privsep sandbox style: $SANDBOX_STYLE"
++echo " HPN support: $HPN_MSG"
++echo " NONECIPHER support: $NONECIPHER_MSG"
++echo " AES_THREADED support: $AES_THREADED_MSG"
+ 
+ echo ""
+ 
diff --git a/security/openssh-portable/files/extra-patch-hpn-no-hpn b/security/openssh-portable/files/extra-patch-hpn-no-hpn
new file mode 100644
index 000000000000..dc3b112a2fee
--- /dev/null
+++ b/security/openssh-portable/files/extra-patch-hpn-no-hpn
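Review bot: In the readconf.c and servconf.c parts of this patch, the NONECIPHER guard wraps only the `if (options->none_switch == -1)` and `if (options->none_enabled == -1)` lines, so with NONECIPHER undefined the indented assignment below each becomes an unconditional statement and the construct reads as an `if` whose body dangles. The HPN guard in the same functions is written with an explicit `#ifdef HPN … #else options->hpn_disabled = 1; #endif`, and the NONECIPHER cases would be clearer and consistent written the same way: keep the `if`/assignment pair inside `#ifdef NONECIPHER` and add `#else` / `options->none_enabled = 0;` before the `#endif` (likewise for none_switch). Note also that this patch only removes the keyword-table entries and forces the defaults; whether the none cipher is still negotiable when NONECIPHER is not defined depends on cipher code outside this patch, which is worth confirming so that the configure summary line `NONECIPHER support: no` is not misleading. fill_default_options and fill_default_server_options continue outside the inner hunks.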
@@ -0,0 +1,32 @@
+--- sshd_config.orig 2013-10-12 06:40:05.766128740 -0500
++++ sshd_config 2013-10-12 06:40:06.646129924 -0500
+@@ -125,20 +125,6 @@
+ # override default of no subsystems
+ Subsystem sftp /usr/libexec/sftp-server
+ 
+-# the following are HPN related configuration options
+-# tcp receive buffer polling. disable in non autotuning kernels
+-#TcpRcvBufPoll yes
+-
+-# disable hpn performance boosts
+-#HPNDisabled no
+-
+-# buffer size for hpn to non-hpn connections
+-#HPNBufferSize 2048
+-
+-
+-# allow the use of the none cipher
+-#NoneEnabled no
+-
+ # Example of overriding settings on a per-user basis
+ #Match User anoncvs
+ # X11Forwarding no
+--- version.h.orig 2013-10-12 06:42:19.578133368 -0500
++++ version.h 2013-10-12 06:42:28.581136160 -0500
+@@ -3,5 +3,4 @@
+ #define SSH_VERSION "OpenSSH_6.3"
+ 
+ #define SSH_PORTABLE "p1"
+-#define SSH_HPN "-hpn14v2"
+-#define SSH_RELEASE SSH_VERSION SSH_PORTABLE SSH_HPN
++#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
diff --git a/security/openssh-portable/files/extra-patch-ldns b/security/openssh-portable/files/extra-patch-ldns
new file mode 100644
index 000000000000..162d8686a33c
--- /dev/null
+++ b/security/openssh-portable/files/extra-patch-ldns
@@ -0,0 +1,51 @@
+r255461 | des | 2013-09-10 17:30:22 -0500 (Tue, 10 Sep 2013) | 7 lines
+Changed paths:
+ M /head/crypto/openssh/readconf.c
+ M /head/crypto/openssh/ssh_config
+ M /head/crypto/openssh/ssh_config.5
+
+Change the default value of VerifyHostKeyDNS to "yes" if compiled with
+LDNS. With that setting, OpenSSH will silently accept host keys that
+match verified SSHFP records. If an SSHFP record exists but could not
+be verified, OpenSSH will print a message and prompt the user as usual.
+
+--- readconf.c 2013-10-03 08:15:03.496131082 -0500
++++ readconf.c 2013-10-03 08:15:22.716134315 -0500
+@@ -1414,8 +1414,14 @@ fill_default_options(Options * options)
+ options->rekey_limit = 0;
+ if (options->rekey_interval == -1)
+ options->rekey_interval = 0;
++#if HAVE_LDNS
++ if (options->verify_host_key_dns == -1)
++ /* automatically trust a verified SSHFP record */
++ options->verify_host_key_dns = 1;
++#else
+ if (options->verify_host_key_dns == -1)
+ options->verify_host_key_dns = 0;
++#endif
+ if (options->server_alive_interval == -1)
+ options->server_alive_interval = 0;
+ if (options->server_alive_count_max == -1)
+--- ssh_config 2013-10-03 08:15:03.537131330 -0500
++++ ssh_config 2013-10-03 08:15:22.755131175 -0500
+@@ -44,5 +44,6 @@
+ # TunnelDevice any:any
+ # PermitLocalCommand no
+ # VisualHostKey no
++# VerifyHostKeyDNS yes
+ # ProxyCommand ssh -q -W %h:%p gateway.example.com
+ # RekeyLimit 1G 1h
+--- ssh_config.5 2013-10-03 08:15:03.621130815 -0500
++++ ssh_config.5 2013-10-03 08:15:22.851132133 -0500
+@@ -1246,7 +1246,10 @@ The argument must be
+ or
+ .Dq ask .
+ The default is
+-.Dq no .
++.Dq yes
++if compiled with LDNS and
++.Dq no
++otherwise.
+ Note that this option applies to protocol version 2 only.
+ .Pp
+ See also VERIFYING HOST KEYS in
diff --git a/security/openssh-portable/files/patch-session.c b/security/openssh-portable/files/patch-session.c
index 7a19c85c4787..b91928b93483 100644
--- a/security/openssh-portable/files/patch-session.c
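Review bot: The added comment `/* automatically trust a verified SSHFP record */` in the readconf.c part does not say what "verified" means for the trust decision this default now makes: with VerifyHostKeyDNS defaulting to yes, a matching SSHFP record lets the client accept an unknown host key without prompting, so the comment should name the condition, e.g. `/* accept the host key without prompting only when the SSHFP RRset was DNSSEC-validated (see verify_host_key_dns in dns.c); an unvalidated record still prompts */`. The ssh_config.5 text in this patch says only that the default is yes if compiled with LDNS; a sentence stating that silent acceptance applies only to DNSSEC-validated records belongs there too, since that is where users will look. Separately, `#if HAVE_LDNS` tests the value of a macro that non-ldns builds leave undefined, which `-Wundef` reports; `#ifdef HAVE_LDNS` matches the `#ifdef` style of the sibling HPN patches and avoids the warning. fill_default_options continues outside the inner hunk.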
+++ b/security/openssh-portable/files/patch-session.c
@@ -41,8 +41,8 @@
 + LOGIN_SETENV|LOGIN_SETPATH);
 + copy_environment(environ, &env, &envsize);
 + for (var = environ; *var != NULL; ++var)
-+ xfree(*var);
-+ xfree(environ);
++ free(*var);
++ free(environ);
 + environ = senv;
 #else /* HAVE_LOGIN_CAP */
 # ifndef HAVE_CYGWIN
diff --git a/security/openssh-portable/files/patch-ssh-agent.c b/security/openssh-portable/files/patch-ssh-agent.c
index 38abeaf70fbb..a7f6af9a6f27 100644
--- a/security/openssh-portable/files/patch-ssh-agent.c
+++ b/security/openssh-portable/files/patch-ssh-agent.c
@@ -90,13 +90,3 @@ disconnected.
 default:
 usage();
 }
-@@ -1348,8 +1376,7 @@
- if (ac > 0)
- parent_alive_interval = 10;
- idtab_init();
-- if (!d_flag)
-- signal(SIGINT, SIG_IGN);
-+ signal(SIGINT, d_flag ? cleanup_handler : SIG_IGN);
- signal(SIGPIPE, SIG_IGN);
- signal(SIGHUP, cleanup_handler);
- signal(SIGTERM, cleanup_handler); |