From owner-svn-ports-all@freebsd.org Mon Nov 12 21:55:37 2018 Return-Path: Delivered-To: svn-ports-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 8ACF7112462C; Mon, 12 Nov 2018 21:55:37 +0000 (UTC) (envelope-from bdrewery@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id D4EDD862C4; Mon, 12 Nov 2018 21:55:36 +0000 (UTC) (envelope-from bdrewery@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id B5D20269FD; Mon, 12 Nov 2018 21:55:36 +0000 (UTC) (envelope-from bdrewery@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id wACLtaA3094479; Mon, 12 Nov 2018 21:55:36 GMT (envelope-from bdrewery@FreeBSD.org) Received: (from bdrewery@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id wACLtZd7094475; Mon, 12 Nov 2018 21:55:35 GMT (envelope-from bdrewery@FreeBSD.org) Message-Id: <201811122155.wACLtZd7094475@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: bdrewery set sender to bdrewery@FreeBSD.org using -f From: Bryan Drewery Date: Mon, 12 Nov 2018 21:55:35 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r484842 - in head/security/openssh-portable: . files X-SVN-Group: ports-head X-SVN-Commit-Author: bdrewery X-SVN-Commit-Paths: in head/security/openssh-portable: . files X-SVN-Commit-Revision: 484842 X-SVN-Commit-Repository: ports MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: D4EDD862C4 X-Spamd-Result: default: False [-106.88 / 200.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; ALLOW_DOMAIN_WHITELIST(-100.00)[FreeBSD.org]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; TO_MATCH_ENVRCPT_ALL(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[]; HAS_XAW(0.00)[]; R_SPF_SOFTFAIL(0.00)[~all]; DMARC_NA(0.00)[FreeBSD.org]; RCVD_COUNT_THREE(0.00)[4]; MX_GOOD(-0.01)[cached: mx1.FreeBSD.org]; NEURAL_HAM_SHORT(-1.00)[-1.000,0]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; RCVD_TLS_LAST(0.00)[]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; IP_SCORE(-3.77)[ip: (-9.91), ipnet: 2610:1c1:1::/48(-4.93), asn: 11403(-3.91), country: US(-0.09)] X-Rspamd-Server: mx1.freebsd.org X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Nov 2018 21:55:37 -0000 Author: bdrewery Date: Mon Nov 12 21:55:35 2018 New Revision: 484842 URL: https://svnweb.freebsd.org/changeset/ports/484842 Log: - Fix X509 build after r484765 openssl fix - Fix patch URL for KERB_GSSAPI - Add FLAVORs for x509 and gssapi since they are distinct types of OpenSSH rather than feature flags. Approved by: portmgr (implicit) Added: head/security/openssh-portable/files/extra-patch-c0a35265907533be10ca151ac797f34ae0d68969 - copied unchanged from r484841, head/security/openssh-portable/files/patch-c0a35265907533be10ca151ac797f34ae0d68969 Deleted: head/security/openssh-portable/files/patch-c0a35265907533be10ca151ac797f34ae0d68969 Modified: head/security/openssh-portable/Makefile head/security/openssh-portable/files/extra-patch-x509-glue head/security/openssh-portable/files/patch-session.c Modified: head/security/openssh-portable/Makefile ============================================================================== --- head/security/openssh-portable/Makefile Mon Nov 12 21:48:58 2018 (r484841) +++ head/security/openssh-portable/Makefile Mon Nov 12 21:55:35 2018 (r484842) @@ -26,10 +26,18 @@ CONFIGURE_ARGS= --prefix=${PREFIX} --with-md5-passwor ETCOLD= ${PREFIX}/etc -FLAVORS= default hpn -default_CONFLICTS_INSTALL= openssl-portable-hpn -hpn_CONFLICTS_INSTALL= openssh-portable +FLAVORS= default hpn gssapi x509 +default_CONFLICTS_INSTALL= openssh-portable-hpn openssh-portable-gssapi \ + openssh-portable-x509 +hpn_CONFLICTS_INSTALL= openssh-portable openssh-portable-gssapi \ + openssh-portable-x509 hpn_PKGNAMESUFFIX= -portable-hpn +gssapi_CONFLICTS_INSTALL= openssh-portable openssh-portable-hpn \ + openssh-portable-x509 +gssapi_PKGNAMESUFFIX= -portable-gssapi +x509_CONFLICTS_INSTALL= openssh-portable openssh-portable-hpn \ + openssh-portable-gssapi +x509_PKGNAMESUFFIX= -portable-x509 OPTIONS_DEFINE= DOCS PAM TCP_WRAPPERS LIBEDIT BSM \ HPN X509 KERB_GSSAPI \ @@ -38,6 +46,12 @@ OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS LDNS .if ${FLAVOR:U} == hpn OPTIONS_DEFAULT+= HPN NONECIPHER .endif +.if ${FLAVOR:U} == gssapi +OPTIONS_DEFAULT+= KERB_GSSAPI MIT +.endif +.if ${FLAVOR:U} == x509 +OPTIONS_DEFAULT+= X509 +.endif OPTIONS_RADIO= KERBEROS OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE TCP_WRAPPERS_DESC= tcp_wrappers support @@ -87,9 +101,13 @@ ETCDIR?= ${PREFIX}/etc/ssh PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn,gsskex +# Upstream OpenSSL fix but does not apply for x509 patch. +EXTRA_PATCHES+= ${FILESDIR}/extra-patch-c0a35265907533be10ca151ac797f34ae0d68969 + # X509 patch includes TCP Wrapper support already .if ${PORT_OPTIONS:MX509} EXTRA_PATCHES:= ${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA_PATCHES}} +EXTRA_PATCHES:= ${EXTRA_PATCHES:N${FILESDIR}/extra-patch-c0a35265907533be10ca151ac797f34ae0d68969} .endif # Must add this patch before HPN due to conflicts @@ -104,7 +122,7 @@ EXTRA_PATCHES:= ${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA # Needed glue for applying HPN patch without conflict EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-gss-glue . endif -PATCHFILES+= openssh-7.7p1-gsskex-all-20141021-debian-rh-20171004.patch.gz:-p1:gsskex +PATCHFILES+= openssh-7.9p1-gsskex-all-20141021-debian-rh-20181020.patch.gz:-p1:gsskex .endif # https://www.psc.edu/hpn-ssh https://github.com/rapier1/openssh-portable/tree/hpn-openssl1.1-7_7_P1 Copied: head/security/openssh-portable/files/extra-patch-c0a35265907533be10ca151ac797f34ae0d68969 (from r484841, head/security/openssh-portable/files/patch-c0a35265907533be10ca151ac797f34ae0d68969) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/openssh-portable/files/extra-patch-c0a35265907533be10ca151ac797f34ae0d68969 Mon Nov 12 21:55:35 2018 (r484842, copy of r484841, head/security/openssh-portable/files/patch-c0a35265907533be10ca151ac797f34ae0d68969) @@ -0,0 +1,19 @@ +commit c0a35265907533be10ca151ac797f34ae0d68969 +Author: Damien Miller +Date: Mon Oct 22 11:22:50 2018 +1100 + + fix compile for openssl 1.0.x w/ --with-ssl-engine + + bz#2921, patch from cotequeiroz + +--- openbsd-compat/openssl-compat.c.orig 2018-11-12 12:52:26 UTC ++++ openbsd-compat/openssl-compat.c +@@ -76,7 +76,7 @@ ssh_OpenSSL_add_all_algorithms(void) + ENGINE_load_builtin_engines(); + ENGINE_register_all_complete(); + +-#if OPENSSL_VERSION_NUMBER < 0x10001000L ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + OPENSSL_config(NULL); + #else + OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS | Modified: head/security/openssh-portable/files/extra-patch-x509-glue ============================================================================== --- head/security/openssh-portable/files/extra-patch-x509-glue Mon Nov 12 21:48:58 2018 (r484841) +++ head/security/openssh-portable/files/extra-patch-x509-glue Mon Nov 12 21:55:35 2018 (r484842) @@ -1,42 +1,3 @@ ---- session.c.orig 2017-10-12 11:52:52.953370000 -0700 -+++ session.c 2017-10-12 11:53:40.793055000 -0700 -@@ -1062,36 +1062,6 @@ do_setup_env(struct ssh *ssh, Session *s, const char * - if (getenv("TZ")) - child_set_env(&env, &envsize, "TZ", getenv("TZ")); - --#ifdef __ANDROID__ --{ --#define COPY_ANDROID_ENV(name) { \ -- char *s = getenv(name); \ -- if (s) child_set_env(&env, &envsize, name, s); } -- -- /* from /init.rc */ -- COPY_ANDROID_ENV("ANDROID_BOOTLOGO"); -- COPY_ANDROID_ENV("ANDROID_ROOT"); -- COPY_ANDROID_ENV("ANDROID_ASSETS"); -- COPY_ANDROID_ENV("ANDROID_DATA"); -- COPY_ANDROID_ENV("ASEC_MOUNTPOINT"); -- COPY_ANDROID_ENV("LOOP_MOUNTPOINT"); -- COPY_ANDROID_ENV("BOOTCLASSPATH"); -- -- /* FIXME: keep android property workspace open -- * (see openbsd-compat/bsd-closefrom.c) -- */ -- COPY_ANDROID_ENV("ANDROID_PROPERTY_WORKSPACE"); -- -- COPY_ANDROID_ENV("EXTERNAL_STORAGE"); /* ??? */ -- COPY_ANDROID_ENV("SECONDARY_STORAGE"); /* ??? */ -- COPY_ANDROID_ENV("SD_EXT_DIRECTORY"); /* ??? */ -- -- /* may contain path to custom libraries */ -- COPY_ANDROID_ENV("LD_LIBRARY_PATH"); --#undef COPY_ANDROID_ENV --} --#endif -- - /* Set custom environment options from pubkey authentication. */ - if (options.permit_user_env) { - for (n = 0 ; n < auth_opts->nenv; n++) { --- sshd_config.5.orig 2017-10-12 11:51:06.638814000 -0700 +++ sshd_config.5 2017-10-12 11:51:33.780459000 -0700 @@ -1682,7 +1682,57 @@ is set to Modified: head/security/openssh-portable/files/patch-session.c ============================================================================== --- head/security/openssh-portable/files/patch-session.c Mon Nov 12 21:48:58 2018 (r484841) +++ head/security/openssh-portable/files/patch-session.c Mon Nov 12 21:55:35 2018 (r484842) @@ -50,7 +50,7 @@ Sponsored by: DARPA, NAI Labs + *environ = NULL; + (void) setusercontext(lc, pw, pw->pw_uid, + LOGIN_SETENV|LOGIN_SETPATH); -+ copy_environment(environ, &env, &envsize); ++ copy_environment_blacklist(environ, &env, &envsize, NULL); + for (var = environ; *var != NULL; ++var) + free(*var); + free(environ); @@ -58,7 +58,7 @@ Sponsored by: DARPA, NAI Labs #else /* HAVE_LOGIN_CAP */ # ifndef HAVE_CYGWIN /* -@@ -1082,14 +1098,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * +@@ -1082,11 +1098,6 @@ do_setup_env(struct ssh *ssh, Session *s, const char * # endif /* HAVE_CYGWIN */ #endif /* HAVE_LOGIN_CAP */ @@ -70,9 +70,6 @@ Sponsored by: DARPA, NAI Labs - if (getenv("TZ")) - child_set_env(&env, &envsize, "TZ", getenv("TZ")); - if (s->term) - child_set_env(&env, &envsize, "TERM", s->term); - if (s->display) @@ -1389,7 +1400,7 @@ do_setusercontext(struct passwd *pw) if (platform_privileged_uidswap()) { #ifdef HAVE_LOGIN_CAP