authorbdrewery <bdrewery@FreeBSD.org>2014-04-24 09:54:58 +0800
committerbdrewery <bdrewery@FreeBSD.org>2014-04-24 09:54:58 +0800
commit83c12372d165e3fb9e048a766eee00b210e60f19 (patch)
tree2cd33f47bdb61b1c52d37c0af545aac085efac81 /security/openssh-portable
parent1428a9bcad7c112680adefc89b75bf68d3b74b08 (diff)
- Update to "6.6.1" [1]
- Switch to using @sample keyword, fixing orphans. Upstream note on "6.6.1" [1]: OpenSSH 6.5 and 6.6 sometimes encode a value used in the curve25519 key exchange incorrectly, causing connection failures about 0.2% of the time when this method is used against a peer that implements the method properly. Fix the problem and disable the curve25519 KEX when speaking to OpenSSH 6.5 or 6.6. This version will identify itself as 6.6.1 to enable the compatability code. [1] https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032494.html
Diffstat (limited to 'security/openssh-portable')
-rw-r--r--security/openssh-portable/Makefile22
-rw-r--r--security/openssh-portable/distinfo4
-rw-r--r--security/openssh-portable/files/extra-patch-openssh661162
-rw-r--r--security/openssh-portable/pkg-plist8
4 files changed, 178 insertions, 18 deletions
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index aecf455f8880..dc951a456adb 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -3,7 +3,7 @@
PORTNAME= openssh
DISTVERSION= 6.6p1
-PORTREVISION= 1
+PORTREVISION= 2
PORTEPOCH= 1
CATEGORIES= security ipv6
MASTER_SITES= ${MASTER_SITE_OPENBSD}
@@ -32,6 +32,9 @@ ETCOLD= ${PREFIX}/etc
SUDO?= # empty
MAKE_ENV+= SUDO="${SUDO}"
+# https://github.com/openssh/openssh-portable/commit/5618210618256bbf5f4f71b2887ff186fd451736.patch
+EXTRA_PATCHES+= ${FILESDIR}/extra-patch-openssh661
+
OPTIONS_DEFINE= PAM TCP_WRAPPERS LIBEDIT BSM \
HPN LPK X509 KERB_GSSAPI \
OVERWRITE_BASE SCTP AES_THREADED LDNS NONECIPHER
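Review bot: The comment above the new `EXTRA_PATCHES+= ${FILESDIR}/extra-patch-openssh661` line is only a URL, so a reader has to fetch the upstream commit to learn what the patch changes and when it can be dropped. A one-line summary would carry that: `# Upstream 5618210: fix curve25519 KEX encoding, announce 6.6.1 so peers enable compat; drop once DISTVERSION carries it`. The same applies to the `HPN_DISTVERSION= 6.6.1p1` bump in the later hunk, which depends on this patch.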
@@ -102,14 +105,15 @@ TCP_WRAPPERS_CONFIGURE_WITH= tcp-wrappers
LIBEDIT_CONFIGURE_WITH= libedit
BSM_CONFIGURE_ON= --with-audit=bsm
-
.include <bsd.port.pre.mk>
+PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn,gsskex
+
# http://www.psc.edu/index.php/hpn-ssh
.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER}
PORTDOCS+= HPN-README
HPN_VERSION= 14v2
-HPN_DISTVERSION= 6.6p1
+HPN_DISTVERSION= 6.6.1p1
PATCH_SITES+= ${MASTER_SITE_SOURCEFORGE:S/$/:hpn/}
PATCH_SITE_SUBDIR+= hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn
PATCHFILES+= ${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn
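Review bot: `HPN_DISTVERSION` becomes `6.6.1p1` while `DISTVERSION` stays `6.6p1`, and nothing in the hunk explains why the HPN diff is fetched for a version the tarball does not carry; a comment such as `# HPN diff is cut against 6.6.1; extra-patch-openssh661 brings the 6.6p1 tree up to it` would keep a later maintainer from reverting it. If I recall the ports do-patch order correctly, `PATCHFILES` are applied before `EXTRA_PATCHES`, so it is worth confirming that the 6.6.1p1 HPN diff applies to the still-unpatched tree (its version.h hunk is the likely conflict point). The moved `PATCH_SITES+=` line now sits directly after `.include <bsd.port.pre.mk>` with no separating blank line, and the deletion in the following hunk is the other half of that move. The mirror is reached over plain http and serves all four patch groups, so the SHA256 entries in distinfo are the only integrity check on every patch fetched from it.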
@@ -120,8 +124,6 @@ EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-no-hpn
. endif
.endif
-PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn,gsskex
-
.if ${OSVERSION} >= 900000
CONFIGURE_LIBS+= -lutil
.endif
@@ -157,15 +159,15 @@ BROKEN= KERB_GSSAPI Requires either MIT or HEMIDAL, does not build with base He
.endif
.if ${PORT_OPTIONS:MHEIMDAL_BASE} && !exists(/usr/lib/libkrb5.so)
-IGNORE= You have selected HEIMDAL_BASE but do not have heimdal installed in base
+IGNORE= you have selected HEIMDAL_BASE but do not have heimdal installed in base
.endif
.if ${PORT_OPTIONS:MPAM} && !exists(/usr/include/security/pam_modules.h)
-IGNORE= Pam must be installed in base
+IGNORE= PAM must be installed in base
.endif
.if ${PORT_OPTIONS:MTCP_WRAPPERS} && !exists(/usr/include/tcpd.h)
-IGNORE= Required /usr/include/tcpd.h missing
+IGNORE= required /usr/include/tcpd.h missing
.endif
.if defined(OPENSSH_OVERWRITE_BASE)
@@ -257,8 +259,8 @@ pre-install:
.endif
post-install:
- ${INSTALL_DATA} ${WRKSRC}/ssh_config.out ${STAGEDIR}${ETCSSH}/ssh_config-dist
- ${INSTALL_DATA} ${WRKSRC}/sshd_config.out ${STAGEDIR}${ETCSSH}/sshd_config-dist
+ ${MV} ${STAGEDIR}${ETCSSH}/ssh_config ${STAGEDIR}${ETCSSH}/ssh_config.sample
+ ${MV} ${STAGEDIR}${ETCSSH}/sshd_config ${STAGEDIR}${ETCSSH}/sshd_config.sample
.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER}
${MKDIR} ${STAGEDIR}${DOCSDIR}
${INSTALL_DATA} ${WRKSRC}/HPN-README ${STAGEDIR}${DOCSDIR}
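Review bot: The two `${MV}` lines rely on upstream's install step having placed `ssh_config` and `sshd_config` in `${STAGEDIR}${ETCSSH}`, but the recipe does not say so, and the reason for the rename only becomes clear from the `@sample` entries in pkg-plist. Suggest a comment before them: `# Upstream stages live configs; ship them as .sample so @sample only creates the real file when absent`. The `post-install` target continues past the end of this hunk.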
diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo
index bdcac54dc38f..59371f6b15df 100644
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@@ -1,7 +1,7 @@
SHA256 (openssh-6.6p1.tar.gz) = 48c1f0664b4534875038004cc4f3555b8329c2a81c1df48db5c517800de203bb
SIZE (openssh-6.6p1.tar.gz) = 1282502
-SHA256 (openssh-6.6p1-hpnssh14v2.diff.gz) = 2a1b34dc3bf922e12cbca687e57b1fad2a0b087e38022e6782e99b45fcc1a315
-SIZE (openssh-6.6p1-hpnssh14v2.diff.gz) = 24469
+SHA256 (openssh-6.6.1p1-hpnssh14v2.diff.gz) = b7f5bd22f1c0bacd41fc4884aeb19bba460d548af875eeb6c857cb77bab53376
+SIZE (openssh-6.6.1p1-hpnssh14v2.diff.gz) = 24473
SHA256 (openssh-6.6p1+x509-7.9.diff.gz) = 463473f75c1dc250ea4eda21f2c79df6f0b479ea499d044cb51d73073881ca34
SIZE (openssh-6.6p1+x509-7.9.diff.gz) = 224691
SHA256 (openssh-6.6p1-gsskex-all-20140318.patch.gz) = 9436c03ba46cdda8753f8957816a9832fd04e1244992ba8e729968c93682a236
diff --git a/security/openssh-portable/files/extra-patch-openssh661 b/security/openssh-portable/files/extra-patch-openssh661
new file mode 100644
index 000000000000..d11c14f610f3
--- /dev/null
+++ b/security/openssh-portable/files/extra-patch-openssh661
@@ -0,0 +1,162 @@
+From 5618210618256bbf5f4f71b2887ff186fd451736 Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Sun, 20 Apr 2014 13:44:47 +1000
+Subject: [PATCH] - (djm) [bufaux.c compat.c compat.h sshconnect2.c sshd.c
+ version.h] OpenSSH 6.5 and 6.6 sometimes encode a value used in the
+ curve25519 key exchange incorrectly, causing connection failures about
+ 0.2% of the time when this method is used against a peer that implements
+ the method properly.
+
+ Fix the problem and disable the curve25519 KEX when speaking to
+ OpenSSH 6.5 or 6.6. This version will identify itself as 6.6.1
+ to enable the compatability code.
+---
+ ChangeLog | 11 +++++++++++
+ bufaux.c | 5 ++++-
+ compat.c | 17 ++++++++++++++++-
+ compat.h | 2 ++
+ sshconnect2.c | 2 ++
+ sshd.c | 3 +++
+ version.h | 2 +-
+ 7 files changed, 39 insertions(+), 3 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 9c59cc4..60f181a 100644
+--- ChangeLog
++++ ChangeLog
+@@ -1,3 +1,14 @@
++20140420
++ - (djm) [bufaux.c compat.c compat.h sshconnect2.c sshd.c version.h]
++ OpenSSH 6.5 and 6.6 sometimes encode a value used in the curve25519
++ key exchange incorrectly, causing connection failures about 0.2% of
++ the time when this method is used against a peer that implements
++ the method properly.
++
++ Fix the problem and disable the curve25519 KEX when speaking to
++ OpenSSH 6.5 or 6.6. This version will identify itself as 6.6.1
++ to enable the compatability code.
++
+ 20140313
+ - (djm) Release OpenSSH 6.6
+
+diff --git a/bufaux.c b/bufaux.c
+index e24b5fc..f6a6f2a 100644
+--- bufaux.c
++++ bufaux.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */
++/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */
+ /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *buffer, const u_char *s, u_int l)
+
+ if (l > 8 * 1024)
+ fatal("%s: length %u too long", __func__, l);
++ /* Skip leading zero bytes */
++ for (; l > 0 && *s == 0; l--, s++)
++ ;
+ p = buf = xmalloc(l + 1);
+ /*
+ * If most significant bit is set then prepend a zero byte to
+diff --git a/compat.c b/compat.c
+index 9d9fabe..2709dc5 100644
+--- compat.c
++++ compat.c
+@@ -95,6 +95,9 @@ compat_datafellows(const char *version)
+ { "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
+ { "OpenSSH_4*", 0 },
+ { "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
++ { "OpenSSH_6.6.1*", SSH_NEW_OPENSSH},
++ { "OpenSSH_6.5*,"
++ "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
+ { "OpenSSH*", SSH_NEW_OPENSSH },
+ { "*MindTerm*", 0 },
+ { "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
+@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop)
+ return cipher_prop;
+ }
+
+-
+ char *
+ compat_pkalg_proposal(char *pkalg_prop)
+ {
+@@ -265,3 +267,16 @@ compat_pkalg_proposal(char *pkalg_prop)
+ return pkalg_prop;
+ }
+
++char *
++compat_kex_proposal(char *kex_prop)
++{
++ if (!(datafellows & SSH_BUG_CURVE25519PAD))
++ return kex_prop;
++ debug2("%s: original KEX proposal: %s", __func__, kex_prop);
++ kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org");
++ debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
++ if (*kex_prop == '\0')
++ fatal("No supported key exchange algorithms found");
++ return kex_prop;
++}
++
+diff --git a/compat.h b/compat.h
+index b174fa1..a6c3f3d 100644
+--- compat.h
++++ compat.h
+@@ -59,6 +59,7 @@
+ #define SSH_BUG_RFWD_ADDR 0x02000000
+ #define SSH_NEW_OPENSSH 0x04000000
+ #define SSH_BUG_DYNAMIC_RPORT 0x08000000
++#define SSH_BUG_CURVE25519PAD 0x10000000
+
+ void enable_compat13(void);
+ void enable_compat20(void);
+@@ -66,6 +67,7 @@ void compat_datafellows(const char *);
+ int proto_spec(const char *);
+ char *compat_cipher_proposal(char *);
+ char *compat_pkalg_proposal(char *);
++char *compat_kex_proposal(char *);
+
+ extern int compat13;
+ extern int compat20;
+diff --git a/sshconnect2.c b/sshconnect2.c
+index 7f4ff41..ec3ad6a 100644
+--- sshconnect2.c
++++ sshconnect2.c
+@@ -195,6 +195,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+ }
+ if (options.kex_algorithms != NULL)
+ myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
++ myproposal[PROPOSAL_KEX_ALGS]);
+
+ if (options.rekey_limit || options.rekey_interval)
+ packet_set_rekey_limits((u_int32_t)options.rekey_limit,
+diff --git a/sshd.c b/sshd.c
+index 7523de9..e9084b7 100644
+--- sshd.c
++++ sshd.c
+@@ -2462,6 +2462,9 @@ do_ssh2_kex(void)
+ if (options.kex_algorithms != NULL)
+ myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
+
++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
++ myproposal[PROPOSAL_KEX_ALGS]);
++
+ if (options.rekey_limit || options.rekey_interval)
+ packet_set_rekey_limits((u_int32_t)options.rekey_limit,
+ (time_t)options.rekey_interval);
+diff --git a/version.h b/version.h
+index a1579ac..a33e77c 100644
+--- version.h
++++ version.h
+@@ -1,6 +1,6 @@
+ /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
+
+-#define SSH_VERSION "OpenSSH_6.6"
++#define SSH_VERSION "OpenSSH_6.6.1"
+
+ #define SSH_PORTABLE "p1"
+ #define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+--
+1.9.1
+
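Review bot: The ChangeLog hunk in this vendored upstream patch is non-functional and is the part most likely to stop applying on the next DISTVERSION bump, so it could be left out of the local copy without losing anything. The version.h change to `"OpenSSH_6.6.1"` must stay, because the new compat.c table entry `{ "OpenSSH_6.6.1*", SSH_NEW_OPENSSH}` placed ahead of the `"OpenSSH_6.5*,"`/`"OpenSSH_6.6*"` entry is what lets a properly patched peer keep curve25519 enabled while a plain 6.5/6.6 banner still gets `SSH_BUG_CURVE25519PAD` (assuming first match wins in that table). A short header line at the top of the file naming the upstream commit and stating that the patch is otherwise unmodified would make later audits of the port easier.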
diff --git a/security/openssh-portable/pkg-plist b/security/openssh-portable/pkg-plist
index 2a1c35454a06..eef6a9b5b185 100644
--- a/security/openssh-portable/pkg-plist
+++ b/security/openssh-portable/pkg-plist
@@ -9,15 +9,11 @@ bin/ssh-keygen
bin/ssh-keyscan
%%NOTBASE%%@exec if [ -f %D/etc/ssh_config -a ! -f %D/etc/ssh/ssh_config ]; then ln %D/etc/ssh_config %D/etc/ssh/ssh_config ; fi
%%NOTBASE%%@exec if [ -f %D/etc/sshd_config -a ! -f %D/etc/ssh/sshd_config ]; then ln %D/etc/sshd_config %D/etc/ssh/sshd_config ; fi
-%%NOTBASE%%@unexec if cmp -s %D/etc/ssh/ssh_config %D/etc/ssh/ssh_config-dist; then rm -f %D/etc/ssh/ssh_config; fi
-%%NOTBASE%%@unexec if cmp -s %D/etc/ssh/sshd_config %D/etc/ssh/sshd_config-dist; then rm -f %D/etc/ssh/sshd_config; fi
%%OVERWRITE_BASE%%@cwd /
%%NOTBASE%%etc/ssh/moduli
-etc/ssh/ssh_config-dist
-etc/ssh/sshd_config-dist
+@sample etc/ssh/ssh_config.sample
+@sample etc/ssh/sshd_config.sample
%%OVERWRITE_BASE%%@cwd %%BASEPREFIX%%
-%%NOTBASE%%@exec if [ ! -f %D/etc/ssh/ssh_config ]; then cp -p %D/etc/ssh/ssh_config-dist %D/etc/ssh/ssh_config ; fi
-%%NOTBASE%%@exec if [ ! -f %D/etc/ssh/sshd_config ]; then cp -p %D/etc/ssh/sshd_config-dist %D/etc/ssh/sshd_config ; fi
%%NOTBASE%%%%X509%%@dirrmtry etc/ssh/ca
%%NOTBASE%%@dirrmtry etc/ssh
@exec if [ -f %D/etc/ssh_host_ecdsa_key ] && grep -q DSA %D/etc/ssh_host_ecdsa_key; then echo; echo "\!/ Warning \!/"; echo; echo "Your %D/etc/ssh_host_ecdsa_key is not a valid ECDSA key. It is incorrectly"; echo "a DSA key due to a bug fixed in 2012 in the security/openssh-portable port."; echo; echo "Regenerate a proper one with: rm -f %D/etc/ssh_host_ecdsa_key*; service openssh restart"; echo; echo "Clients should not see any key change warning since the ECDSA was not valid and was not actually"; echo "used by the server."; echo; echo "\!/ Warning \!/"; fi
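Review bot: The two new `@sample` entries are not prefixed with `%%NOTBASE%%`, while the removed `@exec ... cp -p` lines that used to create the live configs were; since `%%OVERWRITE_BASE%%@cwd /` precedes them, an OVERWRITE_BASE package would now ask pkg to create `/etc/ssh/ssh_config` and `/etc/ssh/sshd_config` from the samples whenever those base files are missing, and to delete them on deinstall when they still match the sample, as I understand @sample semantics. If that is intended, a comment saying so would help; if not, guard the entries with `%%NOTBASE%%` as the `@exec` lines are. The remaining `%%NOTBASE%%@exec ... ln` lines still run before the `@sample` entries, so a config hard-linked from the legacy `%D/etc/ssh_config` location is not overwritten.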