Date:      Fri, 12 Jul 2019 03:48:48 +0000 (UTC)
From:      Bryan Drewery <bdrewery@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r506433 - in head/security/openssh-portable: . files
Message-ID:  <201907120348.x6C3mmnL071202@repo.freebsd.org>

Author: bdrewery
Date: Fri Jul 12 03:48:47 2019
New Revision: 506433
URL: https://svnweb.freebsd.org/changeset/ports/506433

Log:
  Update to 8.0p1
  
  Changes: https://www.openssh.com/txt/release-8.0
  
  With help from:	Lee Prokowich
  Sponsored by:	DellEMC

Deleted:
  head/security/openssh-portable/files/extra-patch-c0a35265907533be10ca151ac797f34ae0d68969
Modified:
  head/security/openssh-portable/Makefile
  head/security/openssh-portable/distinfo
  head/security/openssh-portable/files/extra-patch-hpn
  head/security/openssh-portable/files/extra-patch-tcpwrappers
  head/security/openssh-portable/files/patch-auth2.c
  head/security/openssh-portable/files/patch-session.c

Modified: head/security/openssh-portable/Makefile
==============================================================================
--- head/security/openssh-portable/Makefile	Fri Jul 12 02:25:07 2019	(r506432)
+++ head/security/openssh-portable/Makefile	Fri Jul 12 03:48:47 2019	(r506433)
@@ -2,8 +2,8 @@
 # $FreeBSD$
 
 PORTNAME=	openssh
-DISTVERSION=	7.9p1
-PORTREVISION=	1
+DISTVERSION=	8.0p1
+PORTREVISION=	0
 PORTEPOCH=	1
 CATEGORIES=	security ipv6
 MASTER_SITES=	OPENBSD/OpenSSH/portable
@@ -39,6 +39,8 @@ x509_CONFLICTS_INSTALL=		openssh-portable openssh-port
 				openssh-portable-gssapi
 x509_PKGNAMESUFFIX=		-portable-x509
 
+GSSAPI_BROKEN=		GSSAPI not yet updated for ${DISTVERSION}
+X509_BROKEN=		X509 not yet updated for ${DISTVERSION} - Does anyone use this? Contact maintainer bdrewery@FreeBSD.org
 OPTIONS_DEFINE=		DOCS PAM TCP_WRAPPERS LIBEDIT BSM \
 			HPN X509 KERB_GSSAPI \
 			LDNS NONECIPHER XMSS
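Review bot: The new `GSSAPI_BROKEN` variable does not match any option name visible in the OPTIONS_DEFINE list directly below it, where the Kerberos option is spelled `KERB_GSSAPI`; the ports options framework only honours `<OPTION>_BROKEN` for an option of exactly that name, so unless a `GSSAPI` option or alias is defined in a part of the Makefile outside this hunk, the marker is never applied and a build with KERB_GSSAPI enabled would proceed to apply the gsskex patch that distinfo still lists for 7.9p1. If that is the case the line should read `KERB_GSSAPI_BROKEN=		GSSAPI not yet updated for ${DISTVERSION}`. The `X509_BROKEN` line is consistent with its `X509` option and needs no change.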
@@ -101,13 +103,9 @@ ETCDIR?=		${PREFIX}/etc/ssh
 
 PATCH_SITES+=		http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn,gsskex
 
-# Upstream OpenSSL fix but does not apply for x509 patch.
-EXTRA_PATCHES+=		${FILESDIR}/extra-patch-c0a35265907533be10ca151ac797f34ae0d68969
-
 # X509 patch includes TCP Wrapper support already
 .if ${PORT_OPTIONS:MX509}
 EXTRA_PATCHES:=		${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA_PATCHES}}
-EXTRA_PATCHES:=		${EXTRA_PATCHES:N${FILESDIR}/extra-patch-c0a35265907533be10ca151ac797f34ae0d68969}
 .endif
 
 # Must add this patch before HPN due to conflicts

Modified: head/security/openssh-portable/distinfo
==============================================================================
--- head/security/openssh-portable/distinfo	Fri Jul 12 02:25:07 2019	(r506432)
+++ head/security/openssh-portable/distinfo	Fri Jul 12 03:48:47 2019	(r506433)
@@ -1,6 +1,6 @@
-TIMESTAMP = 1541877994
-SHA256 (openssh-7.9p1.tar.gz) = 6b4b3ba2253d84ed3771c8050728d597c91cfce898713beb7b64a305b6f11aad
-SIZE (openssh-7.9p1.tar.gz) = 1565384
+TIMESTAMP = 1562109185
+SHA256 (openssh-8.0p1.tar.gz) = bd943879e69498e8031eb6b7f44d08cdc37d59a7ab689aa0b437320c3481fd68
+SIZE (openssh-8.0p1.tar.gz) = 1597697
 SHA256 (openssh-7.9p1+x509-11.5.diff.gz) = 1d15099ce54614f158f10f55b6b4992d915353f92a05e179a64b0655650c00bb
 SIZE (openssh-7.9p1+x509-11.5.diff.gz) = 594995
 SHA256 (openssh-7.9p1-gsskex-all-20141021-debian-rh-20181020.patch.gz) = a9fe46bc97ebb6f32dad44c6e62e712b224392463b2084300835736fe848eabc

Modified: head/security/openssh-portable/files/extra-patch-hpn
==============================================================================
--- head/security/openssh-portable/files/extra-patch-hpn	Fri Jul 12 02:25:07 2019	(r506432)
+++ head/security/openssh-portable/files/extra-patch-hpn	Fri Jul 12 03:48:47 2019	(r506433)
@@ -133,7 +133,7 @@ diff -urN -x configure -x config.guess -x config.h.in 
 +         Library of Medicine, and the National Science Foundation. 
 --- work/openssh-7.7p1/channels.c.orig	2018-04-01 22:38:28.000000000 -0700
 +++ work/openssh-7.7p1/channels.c	2018-06-27 16:37:07.663857000 -0700
-@@ -215,6 +215,12 @@ static int rdynamic_connect_finish(struct ssh *, Chann
+@@ -220,6 +220,12 @@ static int rdynamic_connect_finish(struct ssh *, Chann
  /* Setup helper */
  static void channel_handler_init(struct ssh_channels *sc);
  
@@ -146,7 +146,7 @@ diff -urN -x configure -x config.guess -x config.h.in 
  /* -- channel core */
  
  void
-@@ -391,6 +397,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in
+@@ -392,6 +398,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in
  	c->local_window = window;
  	c->local_window_max = window;
  	c->local_maxpacket = maxpack;
@@ -156,30 +156,30 @@ diff -urN -x configure -x config.guess -x config.h.in 
  	c->remote_name = xstrdup(remote_name);
  	c->ctl_chan = -1;
  	c->delayed = 1;		/* prevent call to channel_post handler */
-@@ -977,6 +986,30 @@ channel_pre_connecting(struct ssh *ssh, Channel *c,
+@@ -1059,6 +1068,30 @@ channel_pre_connecting(struct ssh *ssh, Channel *c,
  	FD_SET(c->sock, writeset);
  }
  
 +#ifdef HPN_ENABLED
 +static int
-+channel_tcpwinsz(void)
++channel_tcpwinsz(struct ssh *ssh)
 +{
 +	u_int32_t tcpwinsz = 0;
 +	socklen_t optsz = sizeof(tcpwinsz);
 +	int ret = -1;
 +
 +	/* if we aren't on a socket return 128KB */
-+	if (!packet_connection_is_on_socket())
++	if (!ssh_packet_connection_is_on_socket(ssh))
 +		return 128 * 1024;
 +
-+	ret = getsockopt(packet_get_connection_in(),
++	ret = getsockopt(ssh_packet_get_connection_in(ssh),
 +			 SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz);
 +	/* return no more than SSHBUF_SIZE_MAX (currently 256MB) */
 +	if ((ret == 0) && tcpwinsz > SSHBUF_SIZE_MAX)
 +		tcpwinsz = SSHBUF_SIZE_MAX;
 +
 +	debug2("tcpwinsz: tcp connection %d, Receive window: %d",
-+	       packet_get_connection_in(), tcpwinsz);
++	       ssh_packet_get_connection_in(ssh), tcpwinsz);
 +	return tcpwinsz;
 +}
 +#endif
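Review bot: channel_tcpwinsz() returns 0 when getsockopt() fails, because `tcpwinsz` starts at 0 and the `ret == 0` test only gates the SSHBUF_SIZE_MAX clamp, whereas the not-on-a-socket branch just above returns 128 KB, so the two fallback paths disagree. The commit only threads `ssh` through the packet calls here, so this is pre-existing HPN code, but since the lines are being touched it would be cheap to add `if (ret != 0) return 128 * 1024;` after the getsockopt() call. In the same function the debug2() format uses `%d` for a `u_int32_t` (should be `%u`), and the function is declared `static int` while returning an unsigned value; the clamp keeps the value in range, but `static u_int32_t` would make that explicit. The only visible caller, channel_check_window() later in this file, compares the result against `c->local_window_max`, so a 0 return merely disables window growth rather than misbehaving outright.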
@@ -187,13 +187,13 @@ diff -urN -x configure -x config.guess -x config.h.in 
  static void
  channel_pre_open(struct ssh *ssh, Channel *c,
      fd_set *readset, fd_set *writeset)
-@@ -2074,21 +2107,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
+@@ -2158,21 +2191,32 @@ channel_check_window(struct ssh *ssh, Channel *c)
  	    c->local_maxpacket*3) ||
  	    c->local_window < c->local_window_max/2) &&
  	    c->local_consumed > 0) {
 +		u_int addition = 0;
 +#ifdef HPN_ENABLED
-+		u_int32_t tcpwinsz = channel_tcpwinsz();
++		u_int32_t tcpwinsz = channel_tcpwinsz(ssh);
 +		/* adjust max window size if we are in a dynamic environment */
 +		if (c->dynamic_window && (tcpwinsz > c->local_window_max)) {
 +			/* grow the window somewhat aggressively to maintain pressure */
@@ -223,7 +223,7 @@ diff -urN -x configure -x config.guess -x config.h.in 
  		c->local_consumed = 0;
  	}
  	return 1;
-@@ -3258,6 +3302,17 @@ channel_fwd_bind_addr(const char *listen_addr, int *wi
+@@ -3354,6 +3398,17 @@ channel_fwd_bind_addr(struct ssh *ssh, const char *lis
  	return addr;
  }
  
@@ -241,7 +241,7 @@ diff -urN -x configure -x config.guess -x config.h.in 
  static int
  channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type,
      struct Forward *fwd, int *allocated_listen_port,
-@@ -3398,6 +3453,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int 
+@@ -3494,6 +3549,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int 
  		}
  
  		/* Allocate a channel number for the socket. */
@@ -259,7 +259,7 @@ diff -urN -x configure -x config.guess -x config.h.in 
  		c = channel_new(ssh, "port listener", type, sock, sock, -1,
  		    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
  		    0, "port listener", 1);
-@@ -4457,6 +4523,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ
+@@ -4631,6 +4697,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ
  	*chanids = xcalloc(num_socks + 1, sizeof(**chanids));
  	for (n = 0; n < num_socks; n++) {
  		sock = socks[n];
@@ -426,7 +426,7 @@ diff -urN -x configure -x config.guess -x config.h.in 
  
 --- work.clean/openssh-7.2p1/kex.c.orig	2016-02-25 19:40:04.000000000 -0800
 +++ work.clean/openssh-7.2p1/kex.c	2016-02-29 08:02:25.565288000 -0800
-@@ -822,6 +822,20 @@ kex_choose_conf(struct ssh *ssh)
+@@ -907,6 +907,20 @@ kex_choose_conf(struct ssh *ssh)
  			peer[ncomp] = NULL;
  			goto out;
  		}
@@ -447,6 +447,30 @@ diff -urN -x configure -x config.guess -x config.h.in 
  		debug("kex: %s cipher: %s MAC: %s compression: %s",
  		    ctos ? "client->server" : "server->client",
  		    newkeys->enc.name,
+@@ -1108,7 +1122,7 @@ send_error(struct ssh *ssh, char *msg)
+  */
+ int
+ kex_exchange_identification(struct ssh *ssh, int timeout_ms,
+-    const char *version_addendum)
++    const char *version_addendum, int hpn_disabled)
+ {
+ 	int remote_major, remote_minor, mismatch;
+ 	size_t len, i, n;
+@@ -1125,8 +1139,13 @@ kex_exchange_identification(struct ssh *ssh, int timeo
+ 	sshbuf_reset(our_version);
+ 	if (version_addendum != NULL && *version_addendum == '\0')
+ 		version_addendum = NULL;
+-	if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n",
++	if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s%s\r\n",
+ 	   PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
++#ifdef HPN_ENABLED
++	    hpn_disabled ? "" : SSH_HPN,
++#else
++	    "",
++#endif
+ 	    version_addendum == NULL ? "" : " ",
+ 	    version_addendum == NULL ? "" : version_addendum)) != 0) {
+ 		error("%s: sshbuf_putf: %s", __func__, ssh_err(r));
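Review bot: The new `hpn_disabled` parameter on kex_exchange_identification() is undocumented at both the definition here and the prototype added to kex.h at the end of this file, and its meaning is only recoverable by reading the `#ifdef HPN_ENABLED` arm of the sshbuf_putf() call. A one-line comment above the kex.h prototype, `/* hpn_disabled: nonzero suppresses the SSH_HPN banner suffix; ignored unless HPN_ENABLED */`, would let the sshd.c and sshconnect.c call sites (both pass `options.hpn_disabled`) be read without the kex.c body. When HPN_ENABLED is not defined the parameter is simply unused, which is harmless but worth stating in that comment. The function body continues outside the hunk.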
 --- work/openssh-7.7p1/packet.c.orig	2018-04-01 22:38:28.000000000 -0700
 +++ work/openssh-7.7p1/packet.c	2018-06-27 16:42:42.739507000 -0700
 @@ -926,6 +926,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
@@ -491,8 +515,8 @@ diff -urN -x configure -x config.guess -x config.h.in 
  	 * Permit one packet in or out per rekey - this allows us to
 --- work.clean/openssh-6.8p1/packet.h	2015-03-17 00:49:20.000000000 -0500
 +++ work/openssh-6.8p1/packet.h	2015-04-03 16:10:34.728161000 -0500
-@@ -188,6 +188,11 @@
- int	sshpkt_get_end(struct ssh *ssh);
+@@ -206,6 +206,11 @@ int	sshpkt_get_end(struct ssh *ssh);
+ void	sshpkt_fmt_connection_id(struct ssh *ssh, char *s, size_t l);
  const u_char	*sshpkt_ptr(struct ssh *, size_t *lenp);
  
 +#ifdef NONE_CIPHER_ENABLED
@@ -500,9 +524,9 @@ diff -urN -x configure -x config.guess -x config.h.in 
 +int   ssh_packet_authentication_state(struct ssh *ssh);
 +#endif
 +
- /* OLD API */
- extern struct ssh *active_state;
- #include "opacket.h"
+ #if !defined(WITH_OPENSSL)
+ # undef BIGNUM
+ # undef EC_KEY
 --- work/openssh-7.7p1/readconf.c.orig	2018-04-01 22:38:28.000000000 -0700
 +++ work/openssh-7.7p1/readconf.c	2018-06-27 16:58:41.109275000 -0700
 @@ -66,6 +66,9 @@
@@ -663,7 +687,7 @@ diff -urN -x configure -x config.guess -x config.h.in 
  	int	no_host_authentication_for_localhost;
 --- work.clean/openssh-6.8p1/scp.c	2015-03-17 00:49:20.000000000 -0500
 +++ work/openssh-6.8p1/scp.c	2015-04-02 16:51:25.108407000 -0500
-@@ -764,7 +764,7 @@ source(int argc, char **argv)
+@@ -1066,7 +1066,7 @@ source(int argc, char **argv)
  	off_t i, statbytes;
  	size_t amt, nr;
  	int fd = -1, haderr, indx;
@@ -672,15 +696,15 @@ diff -urN -x configure -x config.guess -x config.h.in 
  	int len;
  
  	for (indx = 0; indx < argc; ++indx) {
-@@ -932,7 +932,7 @@ sink(int argc, char **argv)
+@@ -1239,7 +1239,7 @@ sink(int argc, char **argv, const char *src)
  	off_t size, statbytes;
  	unsigned long long ull;
  	int setimes, targisdir, wrerrno = 0;
 -	char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
 +	char ch, *cp, *np, *targ, *why, *vect[1], buf[16384], visbuf[16384];
+ 	char **patterns = NULL;
+ 	size_t n, npatterns = 0;
  	struct timeval tv[2];
- 
- #define	atime	tv[0]
 --- work/openssh-7.7p1/servconf.c.orig	2018-04-01 22:38:28.000000000 -0700
 +++ work/openssh-7.7p1/servconf.c	2018-06-27 17:01:05.276677000 -0700
 @@ -63,6 +63,9 @@
@@ -1066,7 +1090,7 @@ diff -urN -x configure -x config.guess -x config.h.in 
  #define SSHBUF_MAX_ECPOINT	((528 * 2 / 8) + 1) /* Max EC point *bytes* */
 --- work/openssh/sshconnect.c.orig	2018-10-16 17:01:20.000000000 -0700
 +++ work/openssh/sshconnect.c	2018-11-12 09:04:24.340706000 -0800
-@@ -327,7 +327,32 @@ check_ifaddrs(const char *ifname, int af, const struct
+@@ -355,7 +355,32 @@ check_ifaddrs(const char *ifname, int af, const struct
  }
  #endif
  
@@ -1099,7 +1123,7 @@ diff -urN -x configure -x config.guess -x config.h.in 
   * Creates a socket for use as the ssh connection.
   */
  static int
-@@ -349,6 +374,11 @@ ssh_create_socket(struct addrinfo *ai)
+@@ -377,6 +402,11 @@ ssh_create_socket(struct addrinfo *ai)
  	}
  	fcntl(sock, F_SETFD, FD_CLOEXEC);
  
@@ -1111,23 +1135,16 @@ diff -urN -x configure -x config.guess -x config.h.in 
  	/* Bind the socket to an alternative local IP address */
  	if (options.bind_address == NULL && options.bind_interface == NULL)
  		return sock;
-@@ -608,8 +638,14 @@ static void
- send_client_banner(int connection_out, int minor1)
- {
- 	/* Send our own protocol version identification. */
--	xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
--	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
-+	xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s\r\n",
-+	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
-+#ifdef HPN_ENABLED
-+	    options.hpn_disabled ? "" : SSH_HPN
-+#else
-+	    ""
-+#endif
-+	);
- 	if (atomicio(vwrite, connection_out, client_version_string,
- 	    strlen(client_version_string)) != strlen(client_version_string))
- 		fatal("write: %.100s", strerror(errno));
+@@ -1280,7 +1310,8 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const
+ 	lowercase(host);
+ 
+ 	/* Exchange protocol version identification strings with the server. */
+-	if (kex_exchange_identification(ssh, timeout_ms, NULL) != 0)
++	if (kex_exchange_identification(ssh, timeout_ms, NULL,
++	    options.hpn_disabled) != 0)
+ 		cleanup_exit(255); /* error already logged */
+ 
+ 	/* Put the connection into non-blocking mode. */
 --- work/openssh/sshconnect2.c.orig	2018-10-16 17:01:20.000000000 -0700
 +++ work/openssh/sshconnect2.c	2018-11-12 09:06:06.338515000 -0800
 @@ -81,7 +81,13 @@
@@ -1144,20 +1161,19 @@ diff -urN -x configure -x config.guess -x config.h.in 
  /*
   * SSH2 key exchange
   */
-@@ -154,10 +160,11 @@ order_hostkeyalgs(char *host, struct sockaddr *hostadd
+@@ -154,16 +160,18 @@ order_hostkeyalgs(char *host, struct sockaddr *hostadd
  	return ret;
  }
  
 +static char *myproposal[PROPOSAL_MAX];
 +static const char *myproposal_default[PROPOSAL_MAX] = { KEX_CLIENT };
  void
- ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
  {
 -	char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
  	char *s, *all_key;
- 	struct kex *kex;
  	int r;
-@@ -165,6 +172,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_shor
+ 
  	xxx_host = host;
  	xxx_hostaddr = hostaddr;
  
@@ -1165,7 +1181,7 @@ diff -urN -x configure -x config.guess -x config.h.in 
  	if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL)
  		fatal("%s: kex_names_cat", __func__);
  	myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s);
-@@ -412,6 +420,30 @@ ssh_userauth2(const char *local_user, const char *serv
+@@ -422,6 +430,30 @@ ssh_userauth2(struct ssh *ssh, const char *local_user,
  
  	if (!authctxt.success)
  		fatal("Authentication failed.");
@@ -1182,7 +1198,7 @@ diff -urN -x configure -x config.guess -x config.h.in 
 +			memcpy(&myproposal, &myproposal_default, sizeof(myproposal));
 +			myproposal[PROPOSAL_ENC_ALGS_STOC] = "none";
 +			myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none";
-+			kex_prop2buf(active_state->kex->my, myproposal);
++			kex_prop2buf(ssh->kex->my, myproposal);
 +			packet_request_rekeying();
 +			fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n");
 +		} else {
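Review bot: `packet_request_rekeying()` on the line after the updated kex_prop2buf() call still uses the old global-state packet API, while the same hunk moves `active_state->kex->my` to `ssh->kex->my`. The packet.h hunk earlier in this file shows the `/* OLD API */ ... #include "opacket.h"` context replaced by `#if !defined(WITH_OPENSSL)`, which suggests that wrapper layer no longer exists in 8.0p1; if so, a build with the NONECIPHER option enabled will fail on this call even though the option is still offered in the Makefile. The modern equivalent is presumably `kex_start_rekex(ssh)`, whose return value should be checked, but confirm against the 8.0p1 kex.h before changing it. The enclosing `if`/`else` and the ssh_userauth2() body start before this hunk.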
@@ -1198,22 +1214,7 @@ diff -urN -x configure -x config.guess -x config.h.in 
  
 --- work/openssh-7.7p1/sshd.c.orig	2018-04-01 22:38:28.000000000 -0700
 +++ work/openssh-7.7p1/sshd.c	2018-06-27 17:13:03.176633000 -0700
-@@ -372,8 +372,13 @@ sshd_exchange_identification(struct ssh *ssh, int sock
- 	char buf[256];			/* Must not be larger than remote_version. */
- 	char remote_version[256];	/* Must be at least as big as buf. */
- 
--	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n",
-+	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s\r\n",
- 	    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION,
-+#ifdef HPN_ENABLED
-+	    options.hpn_disabled ? "" : SSH_HPN,
-+#else
-+	    "",
-+#endif
- 	    *options.version_addendum == '\0' ? "" : " ",
- 	    options.version_addendum);
- 
-@@ -1025,6 +1030,10 @@ listen_on_addrs(struct listenaddr *la)
+@@ -957,6 +957,10 @@ listen_on_addrs(struct listenaddr *la)
  	int ret, listen_sock;
  	struct addrinfo *ai;
  	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
@@ -1224,7 +1225,7 @@ diff -urN -x configure -x config.guess -x config.h.in 
  
  	for (ai = la->addrs; ai; ai = ai->ai_next) {
  		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
-@@ -1070,6 +1079,13 @@ listen_on_addrs(struct listenaddr *la)
+@@ -1002,6 +1006,13 @@ listen_on_addrs(struct listenaddr *la)
  
  		debug("Bind to port %s on %s.", strport, ntop);
  
@@ -1238,7 +1239,7 @@ diff -urN -x configure -x config.guess -x config.h.in 
  		/* Bind the socket to the desired port. */
  		if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
  			error("Bind to port %s on %s failed: %.200s.",
-@@ -1634,6 +1650,15 @@ main(int ac, char **av)
+@@ -1645,6 +1656,15 @@ main(int ac, char **av)
  	/* Fill in default values for those options not explicitly set. */
  	fill_default_server_options(&options);
  
@@ -1254,7 +1255,7 @@ diff -urN -x configure -x config.guess -x config.h.in 
  	/* challenge-response is implemented via keyboard interactive */
  	if (options.challenge_response_authentication)
  		options.kbd_interactive_authentication = 1;
-@@ -2047,6 +2072,11 @@ main(int ac, char **av)
+@@ -2090,6 +2110,11 @@ main(int ac, char **av)
  	    rdomain == NULL ? "" : "\"");
  	free(laddr);
  
@@ -1266,7 +1267,17 @@ diff -urN -x configure -x config.guess -x config.h.in 
  	/*
  	 * We don't want to listen forever unless the other side
  	 * successfully authenticates itself.  So we set up an alarm which is
-@@ -2212,6 +2242,11 @@ do_ssh2_kex(void)
+@@ -2102,7 +2127,8 @@ main(int ac, char **av)
+ 	if (!debug_flag)
+ 		alarm(options.login_grace_time);
+ 
+-	if (kex_exchange_identification(ssh, -1, options.version_addendum) != 0)
++	if (kex_exchange_identification(ssh, -1, options.version_addendum,
++	    options.hpn_disabled) != 0)
+ 		cleanup_exit(255); /* error already logged */
+ 
+ 	ssh_packet_set_nonblocking(ssh);
+@@ -2264,6 +2290,11 @@ do_ssh2_kex(struct ssh *ssh)
  	char *myproposal[PROPOSAL_MAX] = { KEX_SERVER };
  	struct kex *kex;
  	int r;
@@ -1308,3 +1319,14 @@ diff -urN -x configure -x config.guess -x config.h.in 
  #define SSH_PORTABLE	"p1"
  #define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
 +#define SSH_HPN         "-hpn14v15"
+--- work/openssh/kex.h.orig	2019-07-10 17:35:36.523216000 -0700
++++ work/openssh/kex.h	2019-07-10 17:35:41.997522000 -0700
+@@ -178,7 +178,7 @@ char	*kex_alg_list(char);
+ char	*kex_names_cat(const char *, const char *);
+ int	 kex_assemble_names(char **, const char *, const char *);
+ 
+-int	 kex_exchange_identification(struct ssh *, int, const char *);
++int	 kex_exchange_identification(struct ssh *, int, const char *, int);
+ 
+ struct kex *kex_new(void);
+ int	 kex_ready(struct ssh *, char *[PROPOSAL_MAX]);

Modified: head/security/openssh-portable/files/extra-patch-tcpwrappers
==============================================================================
--- head/security/openssh-portable/files/extra-patch-tcpwrappers	Fri Jul 12 02:25:07 2019	(r506432)
+++ head/security/openssh-portable/files/extra-patch-tcpwrappers	Fri Jul 12 03:48:47 2019	(r506433)
@@ -66,7 +66,7 @@ index 0ade557..045f149 100644
 +	allow_severity = options.log_facility|LOG_INFO;
 +	deny_severity = options.log_facility|LOG_WARNING;
 +	/* Check whether logins are denied from this host. */
-+	if (packet_connection_is_on_socket()) {
++	if (ssh_packet_connection_is_on_socket(ssh)) {
 +		struct request_info req;
 +
 +		request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
@@ -85,9 +85,9 @@ index 0ade557..045f149 100644
  	laddr = get_local_ipaddr(sock_in);
 diff --git configure.ac configure.ac
 index f48ba4a..66fbe82 100644
---- configure.ac.orig	2018-10-16 17:01:20.000000000 -0700
-+++ configure.ac	2018-11-10 11:29:32.626326000 -0800
-@@ -1493,6 +1493,62 @@ else
+--- configure.ac.orig	2019-04-17 15:52:57.000000000 -0700
++++ configure.ac	2019-07-02 20:58:48.627832000 -0700
+@@ -1494,6 +1494,62 @@ else
  	AC_MSG_RESULT([no])
  fi
  
@@ -150,7 +150,7 @@ index f48ba4a..66fbe82 100644
  # Check whether user wants to use ldns
  LDNS_MSG="no"
  AC_ARG_WITH(ldns,
-@@ -5305,6 +5361,7 @@ echo "                       PAM support: $PAM_MSG"
+@@ -5245,6 +5301,7 @@ echo "                       PAM support: $PAM_MSG"
  echo "                   OSF SIA support: $SIA_MSG"
  echo "                 KerberosV support: $KRB5_MSG"
  echo "                   SELinux support: $SELINUX_MSG"

Modified: head/security/openssh-portable/files/patch-auth2.c
==============================================================================
--- head/security/openssh-portable/files/patch-auth2.c	Fri Jul 12 02:25:07 2019	(r506432)
+++ head/security/openssh-portable/files/patch-auth2.c	Fri Jul 12 03:48:47 2019	(r506433)
@@ -43,12 +43,12 @@ Apply class-imposed login restrictions.
 +		if (!auth_hostok(lc, from_host, from_ip)) {
 +			logit("Denied connection for %.200s from %.200s [%.200s].",
 +			    authctxt->pw->pw_name, from_host, from_ip);
-+			packet_disconnect("Sorry, you are not allowed to connect.");
++			ssh_packet_disconnect(ssh, "Sorry, you are not allowed to connect.");
 +		}
 +		if (!auth_timeok(lc, time(NULL))) {
 +			logit("LOGIN %.200s REFUSED (TIME) FROM %.200s",
 +			    authctxt->pw->pw_name, from_host);
-+			packet_disconnect("Logins not available right now.");
++			ssh_packet_disconnect(ssh, "Logins not available right now.");
 +		}
 +		login_close(lc);
 +		lc = NULL;

Modified: head/security/openssh-portable/files/patch-session.c
==============================================================================
--- head/security/openssh-portable/files/patch-session.c	Fri Jul 12 02:25:07 2019	(r506432)
+++ head/security/openssh-portable/files/patch-session.c	Fri Jul 12 03:48:47 2019	(r506433)
@@ -10,9 +10,9 @@ Reviewed by:    ache
 Sponsored by:   DARPA, NAI Labs
 
 
---- session.c.orig	2018-10-16 17:01:20.000000000 -0700
-+++ session.c	2018-11-10 11:45:14.645263000 -0800
-@@ -1020,6 +1020,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
+--- session.c.orig	2019-04-17 15:52:57.000000000 -0700
++++ session.c	2019-07-02 16:15:23.270321000 -0700
+@@ -990,6 +990,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
  	struct passwd *pw = s->pw;
  #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
  	char *path = NULL;
@@ -22,7 +22,7 @@ Sponsored by:   DARPA, NAI Labs
  #endif
  
  	/* Initialize the environment. */
-@@ -1041,6 +1044,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
+@@ -1011,6 +1014,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
  	}
  #endif
  
@@ -32,7 +32,7 @@ Sponsored by:   DARPA, NAI Labs
  #ifdef GSSAPI
  	/* Allow any GSSAPI methods that we've used to alter
  	 * the childs environment as they see fit
-@@ -1058,11 +1064,21 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
+@@ -1028,11 +1034,21 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
  	child_set_env(&env, &envsize, "LOGIN", pw->pw_name);
  #endif
  	child_set_env(&env, &envsize, "HOME", pw->pw_dir);
@@ -58,19 +58,25 @@ Sponsored by:   DARPA, NAI Labs
  #else /* HAVE_LOGIN_CAP */
  # ifndef HAVE_CYGWIN
  	/*
-@@ -1082,11 +1098,6 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
+@@ -1052,17 +1068,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char *
  # endif /* HAVE_CYGWIN */
  #endif /* HAVE_LOGIN_CAP */
  
--	snprintf(buf, sizeof buf, "%.200s/%.50s", _PATH_MAILDIR, pw->pw_name);
--	child_set_env(&env, &envsize, "MAIL", buf);
+-	if (!options.use_pam) {
+-		snprintf(buf, sizeof buf, "%.200s/%.50s",
+-		    _PATH_MAILDIR, pw->pw_name);
+-		child_set_env(&env, &envsize, "MAIL", buf);
+-	}
 -
  	/* Normal systems set SHELL by default. */
  	child_set_env(&env, &envsize, "SHELL", shell);
  
 -	if (getenv("TZ"))
 -		child_set_env(&env, &envsize, "TZ", getenv("TZ"));
-@@ -1389,7 +1400,7 @@ do_setusercontext(struct passwd *pw)
+ 	if (s->term)
+ 		child_set_env(&env, &envsize, "TERM", s->term);
+ 	if (s->display)
+@@ -1365,7 +1373,7 @@ do_setusercontext(struct passwd *pw)
  	if (platform_privileged_uidswap()) {
  #ifdef HAVE_LOGIN_CAP
  		if (setusercontext(lc, pw, pw->pw_uid,


