authorbdrewery <bdrewery@FreeBSD.org>2017-10-13 03:40:58 +0800
committerKoop Mast <kwm@rainbow-runner.nl>2018-02-04 05:43:48 +0800
commit37087f2c522c06dfd23b2e6e44b6b14fe19e8df9 (patch)
treeff92130664406ace92f2abdfbb09e0003ecf92c5 /security
parentce514455aa06949a8dbf4a8eb571129c76a9e471 (diff)
downloadfreebsd-ports-gnome-37087f2c522c06dfd23b2e6e44b6b14fe19e8df9.tar.gz
freebsd-ports-gnome-37087f2c522c06dfd23b2e6e44b6b14fe19e8df9.tar.zst
freebsd-ports-gnome-37087f2c522c06dfd23b2e6e44b6b14fe19e8df9.zip
Update to 7.6p1
- Update x509 patch to 11.0
- HPN/NONECIPHER do not currently apply and are disabled by default, same as the base sshd. When these options are disabled, a compatibility patch is applied to prevent startup failures; the options are kept as deprecated.
- SCTP patch does not apply.

Changes: https://www.openssh.com/txt/release-7.6

Notable changes:
- SSH version 1 support dropped.
- Dropped support for hmac-ripemd160 MAC.
- Dropped support for the ciphers arcfour, blowfish and CAST.
- RSA keys less than 1024 bits are refused.
Diffstat (limited to 'security')
-rw-r--r--security/openssh-portable/Makefile17
-rw-r--r--security/openssh-portable/distinfo12
-rw-r--r--security/openssh-portable/files/extra-patch-hpn-compat46
-rw-r--r--security/openssh-portable/files/extra-patch-x509-glue114
-rw-r--r--security/openssh-portable/files/patch-configure.ac8
-rw-r--r--security/openssh-portable/files/patch-ssh-agent.c22
6 files changed, 184 insertions, 35 deletions
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index fc1b2d5808ad..ad75a1918828 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -2,8 +2,8 @@
# $FreeBSD$
PORTNAME= openssh
-DISTVERSION= 7.5p1
-PORTREVISION= 1
+DISTVERSION= 7.6p1
+PORTREVISION= 0
PORTEPOCH= 1
CATEGORIES= security ipv6
MASTER_SITES= OPENBSD/OpenSSH/portable
@@ -30,7 +30,7 @@ BROKEN_SSL_REASON_openssl-devel= incomplete definition of type struct rsa_st
OPTIONS_DEFINE= PAM TCP_WRAPPERS LIBEDIT BSM \
HPN X509 KERB_GSSAPI \
OVERWRITE_BASE SCTP LDNS NONECIPHER
-OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS HPN LDNS
+OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS LDNS
OPTIONS_RADIO= KERBEROS
OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE
TCP_WRAPPERS_DESC= tcp_wrappers support
@@ -61,14 +61,15 @@ HPN_CONFIGURE_WITH= hpn
NONECIPHER_CONFIGURE_WITH= nonecipher
# See http://www.roumenpetrov.info/openssh/
-X509_VERSION= 10.1
+X509_VERSION= 11.0
X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509
X509_EXTRA_PATCHES+= ${FILESDIR}/extra-patch-x509-glue
-X509_PATCHFILES= ${PORTNAME}-7.5p1+x509-${X509_VERSION}.diff.gz:-p1:x509
+X509_PATCHFILES= ${PORTNAME}-7.6p1+x509-${X509_VERSION}.diff.gz:-p1:x509
# See https://bugzilla.mindrot.org/show_bug.cgi?id=2016
# and https://bugzilla.mindrot.org/show_bug.cgi?id=1604
#SCTP_PATCHFILES= ${PORTNAME}-7.2_p1-sctp.patch.gz:-p1
+SCTP_BROKEN= Does not apply to 7.6+
SCTP_CONFIGURE_WITH= sctp
SCTP_EXTRA_PATCHES+= ${FILESDIR}/extra-patch-sctp:-p1
@@ -95,7 +96,7 @@ EXTRA_PATCHES:= ${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA_PATCHES}}
# Must add this patch before HPN due to conflicts
.if ${PORT_OPTIONS:MKERB_GSSAPI}
-BROKEN= No patch for 7.5 yet.
+BROKEN= No patch for 7.6 yet.
# Patch from:
# http://sources.debian.net/data/main/o/openssh/1:7.4p1-5/debian/patches/gssapi.patch
# which was originally based on 5.7 patch from
@@ -110,12 +111,16 @@ PATCHFILES+= openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz:-p1:g
# http://www.psc.edu/index.php/hpn-ssh https://github.com/rapier1/hpn-ssh https://github.com/rapier1/openssh-portable
.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}
+BROKEN= Not yet updated for 7.6+ and disabled in base
PORTDOCS+= HPN-README
HPN_VERSION= 14v5
HPN_DISTVERSION= 6.7p1
#PATCH_SITES+= SOURCEFORGE/hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn
#PATCHFILES+= ${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn
EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn:-p2
+.elif !${PORT_OPTIONS:MHPN} && !${PORT_OPTIONS:MNONECIPHER}
+# Apply compatibility patch
+EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-compat
.endif
CONFIGURE_LIBS+= -lutil
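Review bot: The new `.elif !${PORT_OPTIONS:MHPN} && !${PORT_OPTIONS:MNONECIPHER}` is the exact negation of the `.if` two branches above, so a plain `.else` says the same thing and cannot drift from it if the option list changes; `.else` followed by the existing `# Apply compatibility patch` line is enough. The new `BROKEN= Not yet updated for 7.6+ and disabled in base` is a plain assignment, so when KERB_GSSAPI and HPN are both selected it silently replaces the `BROKEN= No patch for 7.6 yet.` set earlier in this file; only the last message is shown, which is probably acceptable but deserves a one-line comment. Related: the distinfo hunk drops the SHA256/SIZE entries for the gsskex patch that this hunk's header still lists under `PATCHFILES+=`, which is fine while KERB_GSSAPI is BROKEN but will fail the checksum stage if that branch is ever re-enabled without re-adding them.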
diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo
index 0af7af217ca8..22bf6d8421e7 100644
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@@ -1,9 +1,7 @@
-TIMESTAMP = 1484161900
-SHA256 (openssh-7.5p1.tar.gz) = 9846e3c5fab9f0547400b4d2c017992f914222b3fd1f8eee6c7dc6bc5e59f9f0
-SIZE (openssh-7.5p1.tar.gz) = 1510857
+TIMESTAMP = 1507833573
+SHA256 (openssh-7.6p1.tar.gz) = a323caeeddfe145baaa0db16e98d784b1fbc7dd436a6bf1f479dfd5cd1d21723
+SIZE (openssh-7.6p1.tar.gz) = 1489788
SHA256 (openssh-7.2_p1-sctp.patch.gz) = fb67e3e23f39fabf44ef198e3e19527417c75c9352747547448512032365dbfc
SIZE (openssh-7.2_p1-sctp.patch.gz) = 8501
-SHA256 (openssh-7.5p1+x509-10.1.diff.gz) = e7abe401e7f651779c680491cfefbfcf4f26743202641b2bda934f80bb4464d2
-SIZE (openssh-7.5p1+x509-10.1.diff.gz) = 460721
-SHA256 (openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz) = f77ac434e6914814bc2f16d1581efd74baedaa86f1249a3cee00566d458c5f6b
-SIZE (openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz) = 27091
+SHA256 (openssh-7.6p1+x509-11.0.diff.gz) = bc4175ed8efce14579f10e242b25a23c959b1ff0e63b7c15493503eb654a960e
+SIZE (openssh-7.6p1+x509-11.0.diff.gz) = 440219
diff --git a/security/openssh-portable/files/extra-patch-hpn-compat b/security/openssh-portable/files/extra-patch-hpn-compat
new file mode 100644
index 000000000000..97644213a647
--- /dev/null
+++ b/security/openssh-portable/files/extra-patch-hpn-compat
@@ -0,0 +1,46 @@
+------------------------------------------------------------------------
+r294563 | des | 2016-01-22 05:13:46 -0800 (Fri, 22 Jan 2016) | 3 lines
+Changed paths:
+ M /head/crypto/openssh/servconf.c
+
+Instead of removing the NoneEnabled option, mark it as unsupported.
+(should have done this in r291198, but didn't think of it until now)
+
+------------------------------------------------------------------------
+------------------------------------------------------------------------
+r294564 | des | 2016-01-22 06:22:11 -0800 (Fri, 22 Jan 2016) | 2 lines
+Changed paths:
+ M /head/crypto/openssh/readconf.c
+
+r294563 was incomplete; re-add the client-side options as well.
+
+------------------------------------------------------------------------
+
+--- readconf.c.orig 2017-10-12 12:18:59.927293000 -0700
++++ readconf.c 2017-10-12 12:19:45.048532000 -0700
+@@ -305,6 +305,12 @@ static struct {
+ { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
+ { "ignoreunknown", oIgnoreUnknown },
+ { "proxyjump", oProxyJump },
++ { "hpndisabled", oDeprecated },
++ { "hpnbuffersize", oDeprecated },
++ { "tcprcvbufpoll", oDeprecated },
++ { "tcprcvbuf", oDeprecated },
++ { "noneenabled", oUnsupported },
++ { "noneswitch", oUnsupported },
+
+ { NULL, oBadOption }
+ };
+--- servconf.c.orig 2017-10-02 12:34:26.000000000 -0700
++++ servconf.c 2017-10-12 12:20:19.089884000 -0700
+@@ -566,6 +566,10 @@ static struct {
+ { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL },
+ { "disableforwarding", sDisableForwarding, SSHCFG_ALL },
+ { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL },
++ { "noneenabled", sUnsupported, SSHCFG_ALL },
++ { "hpndisabled", sDeprecated, SSHCFG_ALL },
++ { "hpnbuffersize", sDeprecated, SSHCFG_ALL },
++ { "tcprcvbufpoll", sDeprecated, SSHCFG_ALL },
+ { NULL, sBadOption, 0 }
+ };
+
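Review bot: The header of the new patch file only reproduces two svn log entries and never states why the port carries it, so a reader has to reconstruct the intent from the Makefile branch that applies it. A lead-in such as `Keep ssh/sshd starting with configs written for the HPN build: the HPN tuning knobs become Deprecated and the None cipher switches become Unsupported; the None cipher itself is not reinstated.` placed above the first `---` would make that explicit. The two tables appear to be deliberately asymmetric — `tcprcvbuf` and `noneswitch` are added only to readconf.c — and that is worth saying too, so nobody later "completes" the servconf.c table with client-only keywords. Whether `oDeprecated`/`sDeprecated` and `oUnsupported`/`sUnsupported` merely log and skip the line or abort parsing is decided by switch cases outside this patch; confirm against the 7.6 readconf.c/servconf.c before relying on it for the "prevent startup failures" claim in the commit message.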
diff --git a/security/openssh-portable/files/extra-patch-x509-glue b/security/openssh-portable/files/extra-patch-x509-glue
index fe9cbd9d3ec4..c7057ec24704 100644
--- a/security/openssh-portable/files/extra-patch-x509-glue
+++ b/security/openssh-portable/files/extra-patch-x509-glue
@@ -1,6 +1,6 @@
---- session.c.orig 2017-01-12 11:58:30.754769000 -0800
-+++ session.c 2017-01-12 11:58:35.360654000 -0800
-@@ -1252,36 +1252,6 @@ do_setup_env(Session *s, const char *she
+--- session.c.orig 2017-10-12 11:52:52.953370000 -0700
++++ session.c 2017-10-12 11:53:40.793055000 -0700
+@@ -1045,36 +1045,6 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
if (getenv("TZ"))
child_set_env(&env, &envsize, "TZ", getenv("TZ"));
@@ -37,3 +37,111 @@
/* Set custom environment options from RSA authentication. */
while (custom_environment) {
struct envstring *ce = custom_environment;
+--- sshd_config.5.orig 2017-10-12 11:51:06.638814000 -0700
++++ sshd_config.5 2017-10-12 11:51:33.780459000 -0700
+@@ -1641,52 +1641,7 @@ is set to
+ then the pre-authentication unprivileged process is subject to additional
+ restrictions.
+ The default is
+-.Cm sandbox .
+-.It Cm VACertificateFile
+-File with X.509 certificates in PEM format concatenated together.
+-In use when
+-.Cm VAType
+-is set to
+-.Cm ocspspec .
+-The default value is
+-.Sq
+-..
+-(empty).
+-Certificates from that file explicitly trust
+-.Sq "OCSP Responder"
+-public key.
+-They are used as trusted certificates in addition to certificates from
+-.Cm CACertificateFile
+-and
+-.Cm CACertificatePath
+-to verify responder certificate.
+-.It Cm VAType
+-Specifies whether
+-.Sq "Online Certificate Status Protocol"
+-(OCSP) is used to validate X.509 certificates.
+-Accepted values are case insensitive:
+-.Bl -tag -offset indent -compact
+-.It none
+-do not use OCSP to validate certificates;
+-.It ocspcert
+-validate only certificates that specify
+-.Sq "OCSP Service Locator"
+-URL;
+-.It ocspspec
+-use specified in the configuration
+-.Sq "OCSP Responder"
+-to validate all certificates.
+-.El
+-The default is
+-.Cm none .
+-.It Cm VAOCSPResponderURL
+-.Sq "Access Location"
+-/
+-.Sq "OCSP Service Locator"
+-URL of the OCSP provider. In use when
+-.Cm VAType
+-is set to
+-.Cm ocspspec .
++.Cm no .
+ .It Cm VersionAddendum
+ Optionally specifies additional text to append to the SSH protocol banner
+ sent by the server upon connection.
+@@ -1737,6 +1692,51 @@ the wildcard address.
+ By default,
+ sshd binds the forwarding server to the loopback address and sets the
+ hostname part of the
++.It Cm VACertificateFile
++File with X.509 certificates in PEM format concatenated together.
++In use when
++.Cm VAType
++is set to
++.Cm ocspspec .
++The default value is
++.Sq
++..
++(empty).
++Certificates from that file explicitly trust
++.Sq "OCSP Responder"
++public key.
++They are used as trusted certificates in addition to certificates from
++.Cm CACertificateFile
++and
++.Cm CACertificatePath
++to verify responder certificate.
++.It Cm VAType
++Specifies whether
++.Sq "Online Certificate Status Protocol"
++(OCSP) is used to validate X.509 certificates.
++Accepted values are case insensitive:
++.Bl -tag -offset indent -compact
++.It none
++do not use OCSP to validate certificates;
++.It ocspcert
++validate only certificates that specify
++.Sq "OCSP Service Locator"
++URL;
++.It ocspspec
++use specified in the configuration
++.Sq "OCSP Responder"
++to validate all certificates.
++.El
++The default is
++.Cm none .
++.It Cm VAOCSPResponderURL
++.Sq "Access Location"
++/
++.Sq "OCSP Service Locator"
++URL of the OCSP provider. In use when
++.Cm VAType
++is set to
++.Cm ocspspec .
+ .Ev DISPLAY
+ environment variable to
+ .Cm localhost .
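Review bot: The second sshd_config.5 hunk inserts the `VACertificateFile`/`VAType`/`VAOCSPResponderURL` entries between `hostname part of the` and `.Ev DISPLAY`, i.e. in the middle of the X11UseLocalhost sentence, so the rendered page cuts that sentence off and `DISPLAY environment variable to localhost.` becomes the tail of the VAOCSPResponderURL description. The first hunk removes the same 45 lines from just before `.It Cm VersionAddendum`, which is where they sort alphabetically; if the only change actually needed there is the default line, replacing `.Cm sandbox .` with `.Cm no .` in place and dropping the move is smaller and keeps the tag list intact. That default change itself deserves a second look: the surrounding context (`the pre-authentication unprivileged process is subject to additional restrictions`) reads like the UsePrivilegeSeparation entry rather than one whose default is `no`, so confirm against the x509-patched 7.6 sshd_config.5 that `.Cm no .` is the line upstream has at that position.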
diff --git a/security/openssh-portable/files/patch-configure.ac b/security/openssh-portable/files/patch-configure.ac
index 3f2b13b6cefc..0400779a3591 100644
--- a/security/openssh-portable/files/patch-configure.ac
+++ b/security/openssh-portable/files/patch-configure.ac
@@ -1,13 +1,5 @@
--- configure.ac.orig 2017-04-08 02:15:16 UTC
+++ configure.ac
-@@ -1486,6 +1486,7 @@ AC_ARG_WITH(ldns,
- else
- LIBS="$LIBS `$LDNSCONFIG --libs`"
- CPPFLAGS="$CPPFLAGS `$LDNSCONFIG --cflags`"
-+ ldns=yes
- fi
- elif test "x$withval" != "xno" ; then
- CPPFLAGS="$CPPFLAGS -I${withval}/include"
@@ -1544,7 +1545,7 @@ AC_ARG_WITH([libedit],
LIBEDIT=`$PKGCONFIG --libs libedit`
CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`"
diff --git a/security/openssh-portable/files/patch-ssh-agent.c b/security/openssh-portable/files/patch-ssh-agent.c
index 97bc26aa335b..f9c56a0fb3ad 100644
--- a/security/openssh-portable/files/patch-ssh-agent.c
+++ b/security/openssh-portable/files/patch-ssh-agent.c
@@ -8,9 +8,9 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct 2011) | 5 lines
Add a -x option that causes ssh-agent(1) to exit when all clients have
disconnected.
---- ssh-agent.c.orig 2015-05-29 03:27:21.000000000 -0500
-+++ ssh-agent.c 2015-06-02 09:46:54.719580000 -0500
-@@ -157,15 +157,34 @@ static long lifetime = 0;
+--- ssh-agent.c.orig 2017-10-02 12:34:26.000000000 -0700
++++ ssh-agent.c 2017-10-12 11:31:40.908737000 -0700
+@@ -162,15 +162,34 @@ static long lifetime = 0;
static int fingerprint_hash = SSH_FP_HASH_DEFAULT;
@@ -45,7 +45,7 @@ disconnected.
}
static void
-@@ -963,6 +982,10 @@ new_socket(sock_type type, int fd)
+@@ -745,6 +764,10 @@ new_socket(sock_type type, int fd)
{
u_int i, old_alloc, new_alloc;
@@ -56,7 +56,7 @@ disconnected.
set_nonblock(fd);
if (fd > max_fd)
-@@ -1190,7 +1213,7 @@ static void
+@@ -1007,7 +1030,7 @@ static void
usage(void)
{
fprintf(stderr,
@@ -65,7 +65,7 @@ disconnected.
" [-P pkcs11_whitelist] [-t life] [command [arg ...]]\n"
" ssh-agent [-c | -s] -k\n");
exit(1);
-@@ -1222,6 +1245,7 @@ main(int ac, char **av)
+@@ -1039,6 +1062,7 @@ main(int ac, char **av)
/* drop */
setegid(getgid());
setgid(getgid());
@@ -73,7 +73,7 @@ disconnected.
platform_disable_tracing(0); /* strict=no */
-@@ -1232,7 +1256,7 @@ main(int ac, char **av)
+@@ -1049,7 +1073,7 @@ main(int ac, char **av)
__progname = ssh_get_progname(av[0]);
seed_rng();
@@ -82,13 +82,13 @@ disconnected.
switch (ch) {
case 'E':
fingerprint_hash = ssh_digest_alg_by_name(optarg);
-@@ -1276,6 +1300,9 @@ main(int ac, char **av)
+@@ -1092,6 +1116,9 @@ main(int ac, char **av)
+ fprintf(stderr, "Invalid lifetime\n");
usage();
}
- break;
++ break;
+ case 'x':
+ xcount = 0;
-+ break;
+ break;
default:
usage();
- }