authorbdrewery <bdrewery@FreeBSD.org>2015-08-18 23:42:52 +0800
committerbdrewery <bdrewery@FreeBSD.org>2015-08-18 23:42:52 +0800
commitfc23e9f49e4c631742fb1e2e04181f5affac109b (patch)
tree94c90925587e271c68ee59895cae385c86b46f31 /security
parent9a4caedce3fbaa75c59dfb90ab11ae466f8df232 (diff)
- Update to OpenSSH 7.0p1
- Update X509 patch to 8.5

Changes: http://www.openssh.com/txt/release-7.0
Diffstat (limited to 'security')
-rw-r--r--security/openssh-portable/Makefile8
-rw-r--r--security/openssh-portable/distinfo12
-rw-r--r--security/openssh-portable/files/extra-patch-hpn66
-rw-r--r--security/openssh-portable/files/patch-auth2-chall.c52
-rw-r--r--security/openssh-portable/files/patch-servconf.c33
5 files changed, 56 insertions, 115 deletions
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile
index 88450728b476..13b814c4d045 100644
--- a/security/openssh-portable/Makefile
+++ b/security/openssh-portable/Makefile
@@ -2,8 +2,8 @@
# $FreeBSD$
PORTNAME= openssh
-DISTVERSION= 6.9p1
-PORTREVISION= 2
+DISTVERSION= 7.0p1
+PORTREVISION= 0
PORTEPOCH= 1
CATEGORIES= security ipv6
MASTER_SITES= OPENBSD/OpenSSH/portable
@@ -60,9 +60,9 @@ HPN_CONFIGURE_WITH= hpn
NONECIPHER_CONFIGURE_WITH= nonecipher
# See http://www.roumenpetrov.info/openssh/
-X509_VERSION= 8.4
+X509_VERSION= 8.5
X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509
-X509_PATCHFILES= ${PORTNAME}-6.9p1+x509-${X509_VERSION}.diff.gz:-p1:x509
+X509_PATCHFILES= ${PORTNAME}-7.0p1+x509-${X509_VERSION}.diff.gz:-p1:x509
# See https://bugzilla.mindrot.org/show_bug.cgi?id=2016
# and https://bugzilla.mindrot.org/show_bug.cgi?id=1604
diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo
index ccb41cef2a6e..09617047608d 100644
--- a/security/openssh-portable/distinfo
+++ b/security/openssh-portable/distinfo
@@ -1,8 +1,8 @@
-SHA256 (openssh-6.9p1.tar.gz) = 6e074df538f357d440be6cf93dc581a21f22d39e236f217fcd8eacbb6c896cfe
-SIZE (openssh-6.9p1.tar.gz) = 1487617
-SHA256 (openssh-6.9p1+x509-8.4.diff.gz) = 0ed8bfff0d2ecd9f3791ae1f168ca3270bb66d7ab7bc0a8ff2d61d2ab829c3fb
-SIZE (openssh-6.9p1+x509-8.4.diff.gz) = 425687
-SHA256 (openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz) = 9a361408269a542d28dae77320f30e94a44098acdbbbc552efb0bdeac6270dc8
-SIZE (openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz) = 25825
+SHA256 (openssh-7.0p1.tar.gz) = fd5932493a19f4c81153d812ee4e042b49bbd3b759ab3d9344abecc2bc1485e5
+SIZE (openssh-7.0p1.tar.gz) = 1493376
SHA256 (openssh-6.8p1-sctp-2573.patch.gz) = 0348713ad4cb4463e90cf5202ed41c8f726d7d604f3f93922a9aa55b86abf04a
SIZE (openssh-6.8p1-sctp-2573.patch.gz) = 8531
+SHA256 (openssh-7.0p1+x509-8.5.diff.gz) = 6000557f1ddae06aff8837d440d93342a923fada571fec59fc5dedf388fb5f9e
+SIZE (openssh-7.0p1+x509-8.5.diff.gz) = 411960
+SHA256 (openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz) = 9a361408269a542d28dae77320f30e94a44098acdbbbc552efb0bdeac6270dc8
+SIZE (openssh-6.7p1-gsskex-all-20141021-284f364.patch.gz) = 25825
diff --git a/security/openssh-portable/files/extra-patch-hpn b/security/openssh-portable/files/extra-patch-hpn
index e4cc3f46d454..2155fd45ab29 100644
--- a/security/openssh-portable/files/extra-patch-hpn
+++ b/security/openssh-portable/files/extra-patch-hpn
@@ -447,9 +447,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
echo ""
---- work.clean/openssh-6.8p1/kex.c 2015-03-17 00:49:20.000000000 -0500
-+++ work/openssh-6.8p1/kex.c 2015-04-03 17:06:44.032682000 -0500
-@@ -587,6 +587,13 @@
+--- work.clean/openssh-6.8p1/kex.c.orig 2015-08-11 01:57:29.000000000 -0700
++++ work.clean/openssh-6.8p1/kex.c 2015-08-17 17:02:06.770901000 -0700
+@@ -652,6 +652,13 @@ kex_choose_conf(struct ssh *ssh)
int nenc, nmac, ncomp;
u_int mode, ctos, need, dh_need, authlen;
int r, first_kex_follows;
@@ -463,10 +463,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0 ||
(r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0)
-@@ -635,6 +642,17 @@
- if ((r = choose_comp(&newkeys->comp, cprop[ncomp],
- sprop[ncomp])) != 0)
+@@ -709,6 +716,17 @@ kex_choose_conf(struct ssh *ssh)
+ peer[ncomp] = NULL;
goto out;
+ }
+#ifdef NONE_CIPHER_ENABLED
+ debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name);
+ if (strcmp(newkeys->enc.name, "none") == 0) {
@@ -548,9 +548,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
/* OLD API */
extern struct ssh *active_state;
#include "opacket.h"
---- work.clean/openssh-6.8p1/readconf.c 2015-04-01 22:07:18.135435000 -0500
-+++ work/openssh-6.8p1/readconf.c 2015-04-03 15:10:44.188916000 -0500
-@@ -154,6 +154,12 @@
+--- work/openssh-6.9p1/readconf.c.orig 2015-07-27 13:32:13.169218000 -0500
++++ work/openssh-6.9p1/readconf.c 2015-07-27 13:33:00.429332000 -0500
+@@ -153,6 +153,12 @@ typedef enum {
oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
oVisualHostKey, oUseRoaming,
oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
@@ -563,10 +563,10 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
-@@ -276,6 +282,16 @@
- { "fingerprinthash", oFingerprintHash },
+@@ -277,6 +283,16 @@ static struct {
{ "updatehostkeys", oUpdateHostkeys },
{ "hostbasedkeytypes", oHostbasedKeyTypes },
+ { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
+#ifdef NONE_CIPHER_ENABLED
+ { "noneenabled", oNoneEnabled },
+ { "noneswitch", oNoneSwitch },
@@ -580,7 +580,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
{ "ignoreunknown", oIgnoreUnknown },
{ NULL, oBadOption }
-@@ -917,6 +933,44 @@
+@@ -906,6 +922,44 @@ parse_time:
intptr = &options->check_host_ip;
goto parse_flag;
@@ -625,7 +625,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
case oVerifyHostKeyDNS:
intptr = &options->verify_host_key_dns;
multistate_ptr = multistate_yesnoask;
-@@ -1678,6 +1732,16 @@
+@@ -1665,6 +1719,16 @@ initialize_options(Options * options)
options->ip_qos_interactive = -1;
options->ip_qos_bulk = -1;
options->request_tty = -1;
@@ -642,7 +642,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
options->proxy_use_fdpass = -1;
options->ignored_unknown = NULL;
options->num_canonical_domains = 0;
-@@ -1838,6 +1902,35 @@
+@@ -1826,6 +1890,35 @@ fill_default_options(Options * options)
options->server_alive_interval = 0;
if (options->server_alive_count_max == -1)
options->server_alive_count_max = 3;
@@ -1199,9 +1199,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
debug("Authentication succeeded (%s).", authctxt.method->name);
}
---- work.clean/openssh-6.8p1/sshd.c.orig 2015-03-17 00:49:20.000000000 -0500
-+++ work/openssh-6.8p1/sshd.c 2015-05-06 13:29:02.129507000 -0500
-@@ -430,8 +430,13 @@ sshd_exchange_identification(int sock_in
+--- work.clean/openssh-6.8p1/sshd.c.orig 2015-08-17 17:01:06.925269000 -0700
++++ work.clean/openssh-6.8p1/sshd.c 2015-08-17 17:05:40.008253000 -0700
+@@ -438,8 +438,13 @@ sshd_exchange_identification(int sock_in
minor = PROTOCOL_MINOR_1;
}
@@ -1216,7 +1216,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
*options.version_addendum == '\0' ? "" : " ",
options.version_addendum, newline);
-@@ -1149,6 +1154,10 @@ server_listen(void)
+@@ -1162,6 +1167,10 @@ server_listen(void)
int ret, listen_sock, on = 1;
struct addrinfo *ai;
char ntop[NI_MAXHOST], strport[NI_MAXSERV];
@@ -1227,7 +1227,7 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
-@@ -1189,6 +1198,13 @@ server_listen(void)
+@@ -1202,6 +1211,13 @@ server_listen(void)
debug("Bind to port %s on %s.", strport, ntop);
@@ -1241,9 +1241,9 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
/* Bind the socket to the desired port. */
if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
error("Bind to port %s on %s failed: %.200s.",
-@@ -2132,6 +2148,11 @@ main(int ac, char **av)
- remote_ip, remote_port,
- get_local_ipaddr(sock_in), get_local_port());
+@@ -2130,6 +2146,11 @@ main(int ac, char **av)
+ cleanup_exit(255);
+ }
+#ifdef HPN_ENABLED
+ /* set the HPN options for the child */
@@ -1251,21 +1251,23 @@ diff -urN -x configure -x config.guess -x config.h.in -x config.sub work.clean/o
+#endif
+
/*
- * We don't want to listen forever unless the other side
- * successfully authenticates itself. So we set up an alarm which is
-@@ -2531,6 +2552,12 @@ do_ssh2_kex(void)
- if (options.ciphers != NULL) {
- myproposal[PROPOSAL_ENC_ALGS_CTOS] =
- myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
+ * We use get_canonical_hostname with usedns = 0 instead of
+ * get_remote_ipaddr here so IP options will be checked.
+@@ -2564,6 +2585,14 @@ do_ssh2_kex(void)
+ struct kex *kex;
+ int r;
+
+#ifdef NONE_CIPHER_ENABLED
-+ } else if (options.none_enabled == 1) {
++ if (options.none_enabled == 1) {
+ debug ("WARNING: None cipher enabled");
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] =
+ myproposal[PROPOSAL_ENC_ALGS_STOC] = KEX_ENCRYPT_INCLUDE_NONE;
++ }
+#endif
- }
- myproposal[PROPOSAL_ENC_ALGS_CTOS] =
- compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
++
+ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
+ options.kex_algorithms);
+ myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(
--- work.clean/openssh-6.8p1/sshd_config 2015-04-01 22:07:18.248858000 -0500
+++ work/openssh-6.8p1/sshd_config 2015-04-01 22:16:49.932279000 -0500
@@ -127,6 +127,20 @@
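Review bot: The rebased do_ssh2_kex hunk places the `#ifdef NONE_CIPHER_ENABLED` block before the `myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(` assignment that immediately follows it, so the `KEX_ENCRYPT_INCLUDE_NONE` value written to both ENC_ALGS slots looks like it is overwritten before the proposal is ever sent. In the old placement the override was the last write and `compat_cipher_proposal()` was fed `myproposal[PROPOSAL_ENC_ALGS_CTOS]` itself (the removed lines show this), whereas the argument of the new call is outside the hunk; if it is `options.ciphers`, which 7.0 always fills with a default, the block is dead code. The effect is that sshd logs "WARNING: None cipher enabled" while the none cipher is never actually offered, which misleads an operator auditing the server's proposal. Moving the `#ifdef NONE_CIPHER_ENABLED` block to after the two `compat_cipher_proposal` assignments would keep the logged state and the sent proposal consistent. The do_ssh2_kex body continues past the end of this outer hunk.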
diff --git a/security/openssh-portable/files/patch-auth2-chall.c b/security/openssh-portable/files/patch-auth2-chall.c
deleted file mode 100644
index 2f4984b50bbd..000000000000
--- a/security/openssh-portable/files/patch-auth2-chall.c
+++ /dev/null
@@ -1,52 +0,0 @@
-From 5b64f85bb811246c59ebab70aed331f26ba37b18 Mon Sep 17 00:00:00 2001
-From: "djm@openbsd.org" <djm@openbsd.org>
-Date: Sat, 18 Jul 2015 07:57:14 +0000
-Subject: upstream commit
-
-only query each keyboard-interactive device once per
- authentication request regardless of how many times it is listed; ok markus@
-
-Upstream-ID: d73fafba6e86030436ff673656ec1f33d9ffeda1
----
- auth2-chall.c | 11 ++++++++---
- 1 file changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/auth2-chall.c b/auth2-chall.c
-index ddabe1a..4aff09d 100644
---- auth2-chall.c
-+++ auth2-chall.c
-@@ -1,4 +1,4 @@
--/* $OpenBSD: auth2-chall.c,v 1.42 2015/01/19 20:07:45 markus Exp $ */
-+/* $OpenBSD: auth2-chall.c,v 1.43 2015/07/18 07:57:14 djm Exp $ */
- /*
- * Copyright (c) 2001 Markus Friedl. All rights reserved.
- * Copyright (c) 2001 Per Allansson. All rights reserved.
-@@ -83,6 +83,7 @@ struct KbdintAuthctxt
- void *ctxt;
- KbdintDevice *device;
- u_int nreq;
-+ u_int devices_done;
- };
-
- #ifdef USE_PAM
-@@ -169,11 +170,15 @@ kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
- if (len == 0)
- break;
- for (i = 0; devices[i]; i++) {
-- if (!auth2_method_allowed(authctxt,
-+ if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
-+ !auth2_method_allowed(authctxt,
- "keyboard-interactive", devices[i]->name))
- continue;
-- if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
-+ if (strncmp(kbdintctxt->devices, devices[i]->name,
-+ len) == 0) {
- kbdintctxt->device = devices[i];
-+ kbdintctxt->devices_done |= 1 << i;
-+ }
- }
- t = kbdintctxt->devices;
- kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
---
-cgit v0.11.2
-
diff --git a/security/openssh-portable/files/patch-servconf.c b/security/openssh-portable/files/patch-servconf.c
index 229ab3c12310..8b4f66596516 100644
--- a/security/openssh-portable/files/patch-servconf.c
+++ b/security/openssh-portable/files/patch-servconf.c
@@ -1,6 +1,6 @@
---- servconf.c.orig 2015-03-22 23:58:50.869706000 -0500
-+++ servconf.c 2015-03-22 23:59:46.645390000 -0500
-@@ -81,6 +81,7 @@
+--- servconf.c.orig 2015-08-17 20:37:29.913831000 -0700
++++ servconf.c 2015-08-17 20:37:29.950132000 -0700
+@@ -57,6 +57,7 @@
#include "auth.h"
#include "myproposal.h"
#include "digest.h"
@@ -8,25 +8,16 @@
static void add_listen_addr(ServerOptions *, char *, int);
static void add_one_listen_addr(ServerOptions *, char *, int);
-@@ -216,7 +217,7 @@ fill_default_server_options(ServerOption
+@@ -193,7 +194,7 @@ fill_default_server_options(ServerOption
/* Portable-specific options */
if (options->use_pam == -1)
- options->use_pam = 0;
+ options->use_pam = 1;
- /* X.509 Standard Options */
- #ifdef OPENSSL_FIPS
-@@ -277,7 +278,7 @@ fill_default_server_options(ServerOption
- if (options->key_regeneration_time == -1)
- options->key_regeneration_time = 3600;
- if (options->permit_root_login == PERMIT_NOT_SET)
-- options->permit_root_login = PERMIT_YES;
-+ options->permit_root_login = PERMIT_NO;
- if (options->ignore_rhosts == -1)
- options->ignore_rhosts = 1;
- if (options->ignore_user_known_hosts == -1)
-@@ -287,7 +288,7 @@ fill_default_server_options(ServerOption
+ /* Standard Options */
+ if (options->protocol == SSH_PROTO_UNKNOWN)
+@@ -242,7 +243,7 @@ fill_default_server_options(ServerOption
if (options->print_lastlog == -1)
options->print_lastlog = 1;
if (options->x11_forwarding == -1)
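Review bot: Removing the port's override `options->permit_root_login = PERMIT_NO;` (the dropped inner hunk around `if (options->permit_root_login == PERMIT_NOT_SET)`) leaves the root-login default to upstream with no replacement, and nothing in the commit message records that change. If this is intentional because 7.0 changed its own default (I believe to prohibit-password, which still permits key-based root login), that is a weaker default than the PERMIT_NO this port shipped before. Either re-add the override against the new line numbers or state the default change in the commit message and pkg-message so administrators who relied on the old port behaviour know to check their sshd_config. A one-line comment at the top of patch-servconf.c saying which upstream default the port now accepts would make the intent visible on the next rebase.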
@@ -35,9 +26,9 @@
if (options->x11_display_offset == -1)
options->x11_display_offset = 10;
if (options->x11_use_localhost == -1)
-@@ -333,7 +334,11 @@ fill_default_server_options(ServerOption
- if (options->gss_cleanup_creds == -1)
- options->gss_cleanup_creds = 1;
+@@ -288,7 +289,11 @@ fill_default_server_options(ServerOption
+ if (options->gss_strict_acceptor == -1)
+ options->gss_strict_acceptor = 0;
if (options->password_authentication == -1)
+#ifdef USE_PAM
+ options->password_authentication = 0;
@@ -47,8 +38,8 @@
if (options->kbd_interactive_authentication == -1)
options->kbd_interactive_authentication = 0;
if (options->challenge_response_authentication == -1)
-@@ -396,7 +401,7 @@ fill_default_server_options(ServerOption
- options->fingerprint_hash = SSH_FP_HASH_DEFAULT;
+@@ -412,7 +417,7 @@ fill_default_server_options(ServerOption
+
/* Turn privilege separation on by default */
if (use_privsep == -1)
- use_privsep = PRIVSEP_NOSANDBOX;