authordinoex <dinoex@FreeBSD.org>2002-05-31 15:28:46 +0800
committerdinoex <dinoex@FreeBSD.org>2002-05-31 15:28:46 +0800
commitc67582c7b861221c8ac33bc5d9cce7b3bbba18a3 (patch)
treef8cd13f1ea9a0fe5ba3518b66e41e6ec015e8352 /security/openssh
parent2caee95eabd4827c789ad50966ae57785b324da9 (diff)
Update to OpenSSH 3.2.3
- patch openssh-3.1-adv.token.patch is now obsolete. - remerged PAM changes from previous port - declare CMSG_* macros. - fixed bad type in function input_userauth_passwd_changereq Update to OpenSSH-portable-3.2.3p1 - patch openssh-3.1p1-adv.token.patch is now obsolete - keep previously declared CONFIGURE_ARGS - remove openssh-mit-krb5-20020326.diff (should be in the distribution now) - patch patch-readpassphrase.c is now in the distribution - merged previous patches. - extend CONFIGURE_ARGS so it finds OPENSSL again. - new patches for GSSAPI, not fully tested. If you have the patch applied: http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/36080 Builds with openssl-0.9.6d under: 2.2.8-RELEASE 3.2-RELEASE 4.2-RELEASE 4.6-RC
Diffstat (limited to 'security/openssh')
-rw-r--r--security/openssh/Makefile5
-rw-r--r--security/openssh/distinfo5
-rw-r--r--security/openssh/files/patch-auth1.c19
-rw-r--r--security/openssh/files/patch-auth2.c23
-rw-r--r--security/openssh/files/patch-includes.h22
-rw-r--r--security/openssh/files/patch-lib-Makefile21
-rw-r--r--security/openssh/files/patch-session.c66
-rw-r--r--security/openssh/files/patch-sshconnect2.c11
-rw-r--r--security/openssh/files/patch-sshd-Makefile12
-rw-r--r--security/openssh/files/patch-sshd_config8
10 files changed, 104 insertions, 88 deletions
diff --git a/security/openssh/Makefile b/security/openssh/Makefile
index a449e9bb666d..dd0343f0278c 100644
--- a/security/openssh/Makefile
+++ b/security/openssh/Makefile
@@ -6,8 +6,7 @@
#
PORTNAME= openssh
-PORTVERSION= 3.1
-PORTREVISION= 7
+PORTVERSION= 3.2.3
CATEGORIES= security
MASTER_SITES= ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/ \
ftp://ftp.usa.openbsd.org/pub/OpenBSD/OpenSSH/ \
@@ -16,7 +15,7 @@ DISTNAME= openssh-${PORTVERSION}
EXTRACT_SUFX= .tgz
PATCH_SITES= ${MASTER_SITES}
-PATCHFILES= openbsd28_3.1.patch openssh-3.1-adv.token.patch
+PATCHFILES= openbsd28_${PORTVERSION}.patch
MAINTAINER= dinoex@FreeBSD.org
diff --git a/security/openssh/distinfo b/security/openssh/distinfo
index 7b78282ed9bd..b4d0760d40d5 100644
--- a/security/openssh/distinfo
+++ b/security/openssh/distinfo
@@ -1,3 +1,2 @@
-MD5 (openssh-3.1.tgz) = b43deb1a3b2047216a28c00ccc45f548
-MD5 (openbsd28_3.1.patch) = eb904373fad27e1f71ddf5939f4923a6
-MD5 (openssh-3.1-adv.token.patch) = 4e37cb88fab56f7769126edfa66490ff
+MD5 (openssh-3.2.3.tgz) = 778b0ff9dd86a61eb40c89409d359fcc
+MD5 (openbsd28_3.2.3.patch) = 187fc78696a650763607dc44d993e1fd
diff --git a/security/openssh/files/patch-auth1.c b/security/openssh/files/patch-auth1.c
index 7be939c24a5a..c579f6153dfb 100644
--- a/security/openssh/files/patch-auth1.c
+++ b/security/openssh/files/patch-auth1.c
@@ -1,5 +1,5 @@
---- auth1.c.orig Sun Feb 3 18:53:25 2002
-+++ auth1.c Sun Mar 17 20:14:40 2002
+--- auth1.c.orig Wed Apr 10 10:21:47 2002
++++ auth1.c Thu May 23 13:07:12 2002
@@ -75,6 +75,18 @@
u_int ulen;
int type = 0;
@@ -23,10 +23,11 @@
#if defined(KRB4) || defined(KRB5)
(!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
#endif
+- PRIVSEP(auth_password(authctxt, ""))) {
+#ifdef USE_PAM
-+ auth_pam_password(authctxt, "")
++ PRIVSEP(auth_pam_password(authctxt, ""))) {
+#else
- auth_password(authctxt, "")) {
++ PRIVSEP(auth_password(authctxt, ""))) {
+#endif
auth_log(authctxt, 1, "without authentication", "");
return;
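Review bot: Wrapping `auth_pam_password` in `PRIVSEP()` on the USE_PAM branch only works if a monitor-side counterpart exists. Assuming the macro token-pastes an `mm_` prefix onto the call, as upstream's `monitor_wrap.h` does, this needs an `mm_auth_pam_password` wrapper and a matching monitor request handler, and the diffstat shows no patch to `monitor.c` or `monitor_wrap.c`. The same construct appears in the last hunk of patch-auth2.c, `return (authctxt->valid ? PRIVSEP(auth_pam_password(authctxt, "")) : 0);`. Either add the wrapper and handler, or call `auth_pam_password(authctxt, "")` directly on the PAM branch and state in the port that PAM builds run without privilege separation. The enclosing function starts and ends outside the hunk.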
@@ -92,14 +93,14 @@
return;
@@ -354,6 +409,11 @@
- pw = NULL;
- }
- authctxt->pw = pw;
+ authctxt->valid = 1;
+ else
+ debug("do_authentication: illegal user %s", user);
+
+#ifdef USE_PAM
+ if (pw != NULL)
+ start_pam(pw);
+#endif
- setproctitle("%s", pw ? user : "unknown");
-
+ setproctitle("%s%s", authctxt->pw ? user : "unknown",
+ use_privsep ? " [net]" : "");
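Review bot: The retained PAM block still tests and passes the local `pw`, but the rebased context no longer contains `authctxt->pw = pw;` and the new `setproctitle` line reads `authctxt->pw`. If upstream 3.2.3 no longer assigns a local `pw` in this function (not visible in the hunk), `start_pam(pw)` either fails to compile or receives a pointer that was never set for this user. Following the new context would give `if (authctxt->pw != NULL)` and `start_pam(authctxt->pw);`. The function body continues outside the hunk.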
diff --git a/security/openssh/files/patch-auth2.c b/security/openssh/files/patch-auth2.c
index a7134d573432..5359ba294756 100644
--- a/security/openssh/files/patch-auth2.c
+++ b/security/openssh/files/patch-auth2.c
@@ -1,6 +1,6 @@
---- auth2.c.orig Sun Feb 24 20:14:59 2002
-+++ auth2.c Sun Mar 17 20:15:23 2002
-@@ -166,6 +166,15 @@
+--- auth2.c.orig Mon May 13 04:37:39 2002
++++ auth2.c Thu May 23 13:11:43 2002
+@@ -168,6 +168,15 @@
Authmethod *m = NULL;
char *user, *service, *method, *style = NULL;
int authenticated = 0;
@@ -17,7 +17,7 @@
if (authctxt == NULL)
fatal("input_userauth_request: no authctxt");
@@ -187,6 +196,11 @@
- authctxt->pw = pwcopy(pw);
+ if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
authctxt->valid = 1;
debug2("input_userauth_request: setting up authctxt for %s", user);
+
@@ -28,7 +28,7 @@
} else {
log("input_userauth_request: illegal user %s", user);
}
-@@ -200,6 +214,41 @@
+@@ -203,6 +217,41 @@
"(%s,%s) -> (%s,%s)",
authctxt->user, authctxt->service, user, service);
}
@@ -70,7 +70,7 @@
/* reset state */
auth2_challenge_stop(authctxt);
authctxt->postponed = 0;
-@@ -210,6 +259,12 @@
+@@ -213,6 +262,12 @@
debug2("input_userauth_request: try method %s", method);
authenticated = m->userauth(authctxt);
}
@@ -83,16 +83,15 @@
userauth_finish(authctxt, authenticated, method);
xfree(service);
-@@ -299,7 +354,12 @@
+@@ -321,7 +376,11 @@
m->enabled = NULL;
packet_check_eom();
userauth_banner();
-+
+#ifdef USE_PAM
-+ return authctxt->valid ? auth_pam_password(authctxt, "") : 0;
-+#else /* !USE_PAM */
- return authctxt->valid ? auth_password(authctxt, "") : 0;
-+#endif /* USE_PAM */
++ return (authctxt->valid ? PRIVSEP(auth_pam_password(authctxt, "")) : 0);
++#else
+ return (authctxt->valid ? PRIVSEP(auth_password(authctxt, "")) : 0);
++#endif
}
static int
diff --git a/security/openssh/files/patch-includes.h b/security/openssh/files/patch-includes.h
index f110376005d8..dd24de4adc86 100644
--- a/security/openssh/files/patch-includes.h
+++ b/security/openssh/files/patch-includes.h
@@ -1,5 +1,5 @@
--- includes.h.orig Sat Jan 26 17:44:22 2002
-+++ includes.h Fri Mar 8 20:59:17 2002
++++ includes.h Fri May 24 08:21:58 2002
@@ -24,12 +24,12 @@
#include <sys/select.h>
#include <sys/param.h>
@@ -22,7 +22,7 @@
#include <stdio.h>
#include <ctype.h>
#include <errno.h>
-@@ -62,5 +61,46 @@
+@@ -62,5 +61,64 @@
* client program. Socketpairs do not seem to work on all systems.
*/
#define USE_PIPES 1
@@ -66,6 +66,24 @@
+#define INET_ADDRSTRLEN 46
+#endif
+
++#ifndef OSSH_ALIGNBYTES
++#define OSSH_ALIGNBYTES (sizeof(int) - 1)
++#endif
++
++#ifndef __CMSG_ALIGN
++#define __CMSG_ALIGN(p) (((u_int)(p) + OSSH_ALIGNBYTES) &~ OSSH_ALIGNBYTES)
++#endif
++
++/* Length of the contents of a control message of length len */
++#ifndef CMSG_LEN
++#define CMSG_LEN(len) (__CMSG_ALIGN(sizeof(struct cmsghdr)) + (len))
++#endif
++
++/* Length of the space taken up by a padded control message of length len */
++#ifndef CMSG_SPACE
++#define CMSG_SPACE(len) (__CMSG_ALIGN(sizeof(struct cmsghdr)) + __CMSG_ALIGN(len))
++#endif
++
+#endif
#endif /* INCLUDES_H */
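Review bot: The fallback `__CMSG_ALIGN` casts its argument to `u_int` and rounds to `sizeof(int)`, which guesses the control-message alignment instead of taking the kernel's value. On a platform whose real `cmsghdr` padding is wider, `CMSG_SPACE` under-sizes the buffer, presumably the one used by `monitor_fdpass.c`, which the lib Makefile context now lists. Above `OSSH_ALIGNBYTES` I would add `/* Fallback only for systems whose <sys/socket.h> lacks CMSG_LEN/CMSG_SPACE; must match the kernel's cmsghdr padding. */`, and rename the helper to an `OSSH_`-prefixed name, since identifiers beginning with `__` are reserved for the implementation. The comment on `CMSG_LEN` is also inexact: the macro yields the padded header plus the contents, i.e. the value to store in `cmsg_len`. The enclosing `#if` block opens outside the hunk.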
diff --git a/security/openssh/files/patch-lib-Makefile b/security/openssh/files/patch-lib-Makefile
index f3bbcbbe37d3..560d1b24c052 100644
--- a/security/openssh/files/patch-lib-Makefile
+++ b/security/openssh/files/patch-lib-Makefile
@@ -1,19 +1,18 @@
---- lib/Makefile.orig Tue Jun 26 19:52:41 2001
-+++ lib/Makefile Thu Nov 15 06:10:43 2001
-@@ -9,7 +9,11 @@
- rsa.c tildexpand.c ttymodes.c uidswap.c xmalloc.c atomicio.c \
- key.c dispatch.c kex.c mac.c uuencode.c misc.c \
+--- lib/Makefile.orig Thu May 23 13:12:23 2002
++++ lib/Makefile Thu May 23 13:14:17 2002
+@@ -11,6 +11,11 @@
rijndael.c ssh-dss.c ssh-rsa.c dh.c kexdh.c kexgex.c \
-- scard.c
-+ scard.c strlcpy.c strlcat.c
-+
+ scard.c monitor_wrap.c monitor_fdpass.c
+
++SRCS+= strlcpy.c strlcat.c
+.if defined(COMPAT_GETADDRINFO)
+SRCS+= getaddrinfo.c getnameinfo.c name6.c rcmd.c bindresvport.c
+.endif
++
+ SRCS+= readpassphrase.c
- NOPROFILE= yes
- NOPIC= yes
-@@ -18,6 +22,8 @@
+ DEBUGLIBS= no
+@@ -21,6 +26,8 @@
@echo -n
.include <bsd.own.mk>
diff --git a/security/openssh/files/patch-session.c b/security/openssh/files/patch-session.c
index 4189bcc32426..932ab1e51c3d 100644
--- a/security/openssh/files/patch-session.c
+++ b/security/openssh/files/patch-session.c
@@ -1,8 +1,8 @@
---- session.c.orig Mon Mar 25 06:21:20 2002
-+++ session.c Mon Mar 25 06:22:52 2002
-@@ -57,6 +57,13 @@
- #include "canohost.h"
+--- session.c.orig Thu May 23 13:15:39 2002
++++ session.c Thu May 23 13:31:48 2002
+@@ -58,6 +58,13 @@
#include "session.h"
+ #include "monitor_wrap.h"
+#ifdef __FreeBSD__
+#include <libutil.h>
@@ -11,10 +11,10 @@
+#define _PATH_CHPASS "/usr/bin/passwd"
+#endif /* __FreeBSD__ */
+
- /* types */
+ /* func */
- #define TTYSZ 64
-@@ -386,6 +393,10 @@
+ Session *session_new(void);
+@@ -346,6 +353,10 @@
if (s == NULL)
fatal("do_exec_no_pty: no session");
@@ -25,7 +25,7 @@
session_proctitle(s);
/* Fork the child. */
-@@ -394,6 +405,13 @@
+@@ -354,6 +365,13 @@
log_init(__progname, options.log_level, options.log_facility, log_stderr);
/*
@@ -39,7 +39,7 @@
* Create a new session and process group since the 4.4BSD
* setlogin() affects the entire process group.
*/
-@@ -494,11 +512,24 @@
+@@ -454,11 +472,24 @@
ptyfd = s->ptyfd;
ttyfd = s->ttyfd;
@@ -64,15 +64,8 @@
/* Close the master side of the pseudo tty. */
close(ptyfd);
-@@ -583,12 +614,24 @@
- do_login(Session *s, const char *command)
- {
- char *time_string;
-+ char *newcommand;
- char hostname[MAXHOSTNAMELEN];
- socklen_t fromlen;
+@@ -547,6 +578,18 @@
struct sockaddr_storage from;
- time_t last_login_time;
struct passwd * pw = s->pw;
pid_t pid = getpid();
+#ifdef HAVE_LOGIN_CAP
@@ -83,15 +76,16 @@
+#endif /* HAVE_LOGIN_CAP */
+#ifdef __FreeBSD__
+#define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */
++ char *newcommand;
+ struct timeval tv;
+ time_t warntime = DEFAULT_WARN;
+#endif /* __FreeBSD__ */
/*
* Get IP address of client. If the connection is not a socket, let
-@@ -616,10 +659,101 @@
- get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping),
- (struct sockaddr *)&from);
+@@ -569,10 +612,97 @@
+ options.verify_reverse_mapping),
+ (struct sockaddr *)&from);
+#ifdef USE_PAM
+ /*
@@ -102,9 +96,6 @@
+ print_pam_messages();
+ do_pam_chauthtok();
+ }
-+#endif
-+
-+#ifdef USE_PAM
+ if (!check_quietlogin(s, command) && !pam_password_change_required())
+ print_pam_messages();
+#endif /* USE_PAM */
@@ -176,7 +167,7 @@
if (check_quietlogin(s, command))
return;
-- if (options.print_lastlog && last_login_time != 0) {
+- if (options.print_lastlog && s->last_login_time != 0) {
+ /*
+ * If the user has logged in before, display the time of last
+ * login. However, don't display anything extra if a command
@@ -186,14 +177,13 @@
+ * us as well, so check if login(1) is used
+ */
+ if (command == NULL && options.print_lastlog &&
-+ last_login_time != 0 &&
++ s->last_login_time != 0 &&
+ !options.use_login) {
-+
- time_string = ctime(&last_login_time);
+ time_string = ctime(&s->last_login_time);
if (strchr(time_string, '\n'))
*strchr(time_string, '\n') = 0;
-@@ -629,7 +763,30 @@
- printf("Last login: %s from %s\r\n", time_string, hostname);
+@@ -583,7 +713,30 @@
+ s->hostname);
}
- do_motd();
@@ -224,7 +214,7 @@
}
/*
-@@ -645,9 +802,9 @@
+@@ -599,9 +752,9 @@
#ifdef HAVE_LOGIN_CAP
f = fopen(login_getcapstr(lc, "welcome", "/etc/motd",
"/etc/motd"), "r");
@@ -236,7 +226,7 @@
if (f) {
while (fgets(buf, sizeof(buf), f))
fputs(buf, stdout);
-@@ -674,10 +831,10 @@
+@@ -628,10 +781,10 @@
#ifdef HAVE_LOGIN_CAP
if (login_getcapbool(lc, "hushlogin", 0) || stat(buf, &st) >= 0)
return 1;
@@ -249,7 +239,7 @@
return 0;
}
-@@ -775,6 +932,10 @@
+@@ -729,6 +882,10 @@
env[0] = NULL;
if (!options.use_login) {
@@ -260,7 +250,7 @@
/* Set basic environment. */
child_set_env(&env, &envsize, "USER", pw->pw_name);
child_set_env(&env, &envsize, "LOGNAME", pw->pw_name);
-@@ -782,9 +943,15 @@
+@@ -736,9 +893,15 @@
#ifdef HAVE_LOGIN_CAP
(void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH);
child_set_env(&env, &envsize, "PATH", getenv("PATH"));
@@ -278,7 +268,7 @@
snprintf(buf, sizeof buf, "%.200s/%.50s",
_PATH_MAILDIR, pw->pw_name);
-@@ -837,6 +1004,11 @@
+@@ -791,6 +954,11 @@
child_set_env(&env, &envsize, "KRB5CCNAME",
s->authctxt->krb5_ticket_file);
#endif
@@ -290,8 +280,8 @@
if (auth_get_socket_name() != NULL)
child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,
auth_get_socket_name());
-@@ -979,6 +1151,36 @@
- fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
+@@ -947,6 +1115,36 @@
+ exit(1);
}
+#ifdef USE_PAM
@@ -327,7 +317,7 @@
/*
* Performs common processing for the child, such as setting up the
* environment, closing extra file descriptors, setting the user and group
-@@ -1057,7 +1259,7 @@
+@@ -1025,7 +1223,7 @@
* initgroups, because at least on Solaris 2.3 it leaves file
* descriptors open.
*/
@@ -336,7 +326,7 @@
close(i);
/*
-@@ -1087,6 +1289,31 @@
+@@ -1055,6 +1253,31 @@
exit(1);
#endif
}
diff --git a/security/openssh/files/patch-sshconnect2.c b/security/openssh/files/patch-sshconnect2.c
new file mode 100644
index 000000000000..fd2a7088f8b9
--- /dev/null
+++ b/security/openssh/files/patch-sshconnect2.c
@@ -0,0 +1,11 @@
+--- sshconnect2.c.orig Tue Mar 26 16:58:46 2002
++++ sshconnect2.c Fri May 24 08:08:54 2002
+@@ -472,7 +472,7 @@
+ * parse PASSWD_CHANGEREQ, prompt user and send SSH2_MSG_USERAUTH_REQUEST
+ */
+ void
+-input_userauth_passwd_changereq(int type, uint32_t seqnr, void *ctxt)
++input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt)
+ {
+ Authctxt *authctxt = ctxt;
+ char *info, *lang, *password = NULL, *retype = NULL;
diff --git a/security/openssh/files/patch-sshd-Makefile b/security/openssh/files/patch-sshd-Makefile
index 07528232bb5a..f50ffc148958 100644
--- a/security/openssh/files/patch-sshd-Makefile
+++ b/security/openssh/files/patch-sshd-Makefile
@@ -1,5 +1,5 @@
---- sshd/Makefile.orig Fri Mar 8 05:54:03 2002
-+++ sshd/Makefile Fri Mar 8 06:00:30 2002
+--- sshd/Makefile.orig Thu May 23 13:33:56 2002
++++ sshd/Makefile Thu May 23 13:36:15 2002
@@ -5,8 +5,8 @@
PROG= sshd
BINOWN= root
@@ -12,7 +12,7 @@
#CFLAGS+=-DBSD_AUTH
@@ -17,9 +17,10 @@
- auth-skey.c auth-bsdauth.c
+ auth-skey.c auth-bsdauth.c monitor_mm.c monitor.c
.include <bsd.own.mk> # for KERBEROS and AFS
+.include "../Makefile.inc"
@@ -22,10 +22,10 @@
+CFLAGS+=-DKRB5 -I/usr/include/kerberosV
SRCS+= auth-krb5.c
LDADD+= -lkrb5 -lkafs -lasn1 -lcom_err
- DPADD+= ${LIBKRB5} ${LIBKAFS} ${LIBASN1}
+ DPADD+= ${LIBKRB5} ${LIBKAFS} ${LIBASN1} ${LIBCOM_ERR}
@@ -31,15 +32,15 @@
LDADD+= -lkafs
- DPADD+= ${LIBKRBAFS}
+ DPADD+= ${LIBKAFS}
.endif # AFS
-CFLAGS+= -DKRB4 -I${DESTDIR}/usr/include/kerberosIV
+CFLAGS+= -DKRB4 -I/usr/include/kerberosIV
@@ -39,6 +39,6 @@
-LDADD+= -lcrypto -lutil -lz -ldes
+LDADD+= ${CRYPTOLIBS} -lcrypt -lutil -lz
- DPADD+= ${LIBCRYPTO} ${LIBUTIL} ${LIBZ}
+ DPADD+= ${LIBCRYPTO} ${LIBUTIL} ${LIBZ} ${LIBDES}
.if (${TCP_WRAPPERS:L} == "yes")
diff --git a/security/openssh/files/patch-sshd_config b/security/openssh/files/patch-sshd_config
index 13df05806802..01317a3a5eea 100644
--- a/security/openssh/files/patch-sshd_config
+++ b/security/openssh/files/patch-sshd_config
@@ -1,5 +1,5 @@
---- sshd_config.orig Fri Mar 8 06:01:02 2002
-+++ sshd_config Fri Mar 8 06:03:06 2002
+--- sshd_config.orig Thu May 23 13:37:04 2002
++++ sshd_config Thu May 23 13:38:05 2002
@@ -30,8 +30,10 @@
# Authentication:
@@ -13,11 +13,11 @@
#StrictModes yes
#RSAAuthentication yes
-@@ -76,6 +78,7 @@
+@@ -74,6 +76,7 @@
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
+UseLogin yes
+ #UsePrivilegeSeparation no
#MaxStartups 10
- # no default banner path
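Review bot: Keeping `UseLogin yes` as the port default works against the privilege-separation support this update brings in. sshd_config(5) documents for UseLogin that, when it is enabled, privilege separation is disabled after authentication and X11 forwarding is turned off. The rebased context now carries `#UsePrivilegeSeparation no`, so an administrator who switches that option on would still lose the separation for the login session. Consider shipping upstream's `#UseLogin no`, or at least add a comment beside the line such as `# UseLogin yes: privilege separation is disabled after authentication`.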