From owner-svn-ports-head@freebsd.org Fri Jul 12 03:48:50 2019
Return-Path:
Delivered-To: svn-ports-head@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id DF67D15E54EE;
 Fri, 12 Jul 2019 03:48:49 +0000 (UTC)
 (envelope-from bdrewery@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 8C756817C3;
 Fri, 12 Jul 2019 03:48:49 +0000 (UTC)
 (envelope-from bdrewery@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4CD368BA6;
 Fri, 12 Jul 2019 03:48:49 +0000 (UTC)
 (envelope-from bdrewery@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x6C3mnTw071207;
 Fri, 12 Jul 2019 03:48:49 GMT
 (envelope-from bdrewery@FreeBSD.org)
Received: (from bdrewery@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id x6C3mmnL071202;
 Fri, 12 Jul 2019 03:48:48 GMT
 (envelope-from bdrewery@FreeBSD.org)
Message-Id: <201907120348.x6C3mmnL071202@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: bdrewery set sender to bdrewery@FreeBSD.org using -f
From: Bryan Drewery
Date: Fri, 12 Jul 2019 03:48:48 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r506433 - in head/security/openssh-portable: . files
X-SVN-Group: ports-head
X-SVN-Commit-Author: bdrewery
X-SVN-Commit-Paths: in head/security/openssh-portable: . files
X-SVN-Commit-Revision: 506433
X-SVN-Commit-Repository: ports
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Rspamd-Queue-Id: 8C756817C3
X-Spamd-Bar: --
Authentication-Results: mx1.freebsd.org
X-Spamd-Result: default: False [-2.97 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; NEURAL_HAM_SHORT(-0.97)[-0.966,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_LONG(-1.00)[-1.000,0]
X-BeenThere: svn-ports-head@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SVN commit messages for the ports tree for head
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 12 Jul 2019 03:48:50 -0000

Author: bdrewery
Date: Fri Jul 12 03:48:47 2019
New Revision: 506433

URL: https://svnweb.freebsd.org/changeset/ports/506433

Log:
  Update to 8.0p1

  Changes: https://www.openssh.com/txt/release-8.0

  With help from:	Lee Prokowich
  Sponsored by:	DellEMC

Deleted:
  head/security/openssh-portable/files/extra-patch-c0a35265907533be10ca151ac797f34ae0d68969
Modified:
  head/security/openssh-portable/Makefile
  head/security/openssh-portable/distinfo
  head/security/openssh-portable/files/extra-patch-hpn
  head/security/openssh-portable/files/extra-patch-tcpwrappers
  head/security/openssh-portable/files/patch-auth2.c
  head/security/openssh-portable/files/patch-session.c

Modified: head/security/openssh-portable/Makefile
==============================================================================
--- head/security/openssh-portable/Makefile	Fri Jul 12 02:25:07 2019	(r506432)
+++ head/security/openssh-portable/Makefile	Fri
Jul 12 03:48:47 2019 (r506433) @@ -2,8 +2,8 @@ # $FreeBSD$ PORTNAME= openssh -DISTVERSION= 7.9p1 -PORTREVISION= 1 +DISTVERSION= 8.0p1 +PORTREVISION= 0 PORTEPOCH= 1 CATEGORIES= security ipv6 MASTER_SITES= OPENBSD/OpenSSH/portable @@ -39,6 +39,8 @@ x509_CONFLICTS_INSTALL= openssh-portable openssh-port openssh-portable-gssapi x509_PKGNAMESUFFIX= -portable-x509 +GSSAPI_BROKEN= GSSAPI not yet updated for ${DISTVERSION} +X509_BROKEN= X509 not yet updated for ${DISTVERSION} - Does anyone use this? Contact maintainer bdrewery@FreeBSD.org OPTIONS_DEFINE= DOCS PAM TCP_WRAPPERS LIBEDIT BSM \ HPN X509 KERB_GSSAPI \ LDNS NONECIPHER XMSS @@ -101,13 +103,9 @@ ETCDIR?= ${PREFIX}/etc/ssh PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn,gsskex -# Upstream OpenSSL fix but does not apply for x509 patch. -EXTRA_PATCHES+= ${FILESDIR}/extra-patch-c0a35265907533be10ca151ac797f34ae0d68969 - # X509 patch includes TCP Wrapper support already .if ${PORT_OPTIONS:MX509} EXTRA_PATCHES:= ${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA_PATCHES}} -EXTRA_PATCHES:= ${EXTRA_PATCHES:N${FILESDIR}/extra-patch-c0a35265907533be10ca151ac797f34ae0d68969} .endif # Must add this patch before HPN due to conflicts Modified: head/security/openssh-portable/distinfo ============================================================================== --- head/security/openssh-portable/distinfo Fri Jul 12 02:25:07 2019 (r506432) +++ head/security/openssh-portable/distinfo Fri Jul 12 03:48:47 2019 (r506433) 
@@ -1,6 +1,6 @@ -TIMESTAMP = 1541877994 -SHA256 (openssh-7.9p1.tar.gz) = 6b4b3ba2253d84ed3771c8050728d597c91cfce898713beb7b64a305b6f11aad -SIZE (openssh-7.9p1.tar.gz) = 1565384 +TIMESTAMP = 1562109185 +SHA256 (openssh-8.0p1.tar.gz) = bd943879e69498e8031eb6b7f44d08cdc37d59a7ab689aa0b437320c3481fd68 +SIZE (openssh-8.0p1.tar.gz) = 1597697 SHA256 (openssh-7.9p1+x509-11.5.diff.gz) = 1d15099ce54614f158f10f55b6b4992d915353f92a05e179a64b0655650c00bb SIZE (openssh-7.9p1+x509-11.5.diff.gz) = 594995 SHA256 (openssh-7.9p1-gsskex-all-20141021-debian-rh-20181020.patch.gz) = a9fe46bc97ebb6f32dad44c6e62e712b224392463b2084300835736fe848eabc Modified: head/security/openssh-portable/files/extra-patch-hpn ============================================================================== --- head/security/openssh-portable/files/extra-patch-hpn Fri Jul 12 02:25:07 2019 (r506432) +++ head/security/openssh-portable/files/extra-patch-hpn Fri Jul 12 03:48:47 2019 (r506433) @@ -133,7 +133,7 @@ diff -urN -x configure -x config.guess -x config.h.in + Library of Medicine, and the National Science Foundation. --- work/openssh-7.7p1/channels.c.orig 2018-04-01 22:38:28.000000000 -0700 +++ work/openssh-7.7p1/channels.c 2018-06-27 16:37:07.663857000 -0700 -@@ -215,6 +215,12 @@ static int rdynamic_connect_finish(struct ssh *, Chann +@@ -220,6 +220,12 @@ static int rdynamic_connect_finish(struct ssh *, Chann /* Setup helper */ static void channel_handler_init(struct ssh_channels *sc); @@ -146,7 +146,7 @@ diff -urN -x configure -x config.guess -x config.h.in /* -- channel core */ void -@@ -391,6 +397,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in +@@ -392,6 +398,9 @@ channel_new(struct ssh *ssh, char *ctype, int type, in c->local_window = window; c->local_window_max = window; c->local_maxpacket = maxpack; 
@@ -156,30 +156,30 @@ diff -urN -x configure -x config.guess -x config.h.in c->remote_name = xstrdup(remote_name); c->ctl_chan = -1; c->delayed = 1; /* prevent call to channel_post handler */ -@@ -977,6 +986,30 @@ channel_pre_connecting(struct ssh *ssh, Channel *c, +@@ -1059,6 +1068,30 @@ channel_pre_connecting(struct ssh *ssh, Channel *c, FD_SET(c->sock, writeset); } +#ifdef HPN_ENABLED +static int -+channel_tcpwinsz(void) ++channel_tcpwinsz(struct ssh *ssh) +{ + u_int32_t tcpwinsz = 0; + socklen_t optsz = sizeof(tcpwinsz); + int ret = -1; + + /* if we aren't on a socket return 128KB */ -+ if (!packet_connection_is_on_socket()) ++ if (!ssh_packet_connection_is_on_socket(ssh)) + return 128 * 1024; + -+ ret = getsockopt(packet_get_connection_in(), ++ ret = getsockopt(ssh_packet_get_connection_in(ssh), + SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz); + /* return no more than SSHBUF_SIZE_MAX (currently 256MB) */ + if ((ret == 0) && tcpwinsz > SSHBUF_SIZE_MAX) + tcpwinsz = SSHBUF_SIZE_MAX; + + debug2("tcpwinsz: tcp connection %d, Receive window: %d", -+ packet_get_connection_in(), tcpwinsz); ++ ssh_packet_get_connection_in(ssh), tcpwinsz); + return tcpwinsz; +} +#endif @@ -187,13 +187,13 @@ diff -urN -x configure -x config.guess -x config.h.in static void channel_pre_open(struct ssh *ssh, Channel *c, fd_set *readset, fd_set *writeset) -@@ -2074,21 +2107,32 @@ channel_check_window(struct ssh *ssh, Channel *c) +@@ -2158,21 +2191,32 @@ channel_check_window(struct ssh *ssh, Channel *c) c->local_maxpacket*3) || c->local_window < c->local_window_max/2) && c->local_consumed > 0) { + u_int addition = 0; +#ifdef HPN_ENABLED -+ u_int32_t tcpwinsz = channel_tcpwinsz(); ++ u_int32_t tcpwinsz = channel_tcpwinsz(ssh); + /* adjust max window size if we are in a dynamic environment */ + if (c->dynamic_window && (tcpwinsz > c->local_window_max)) { + /* grow the window somewhat aggressively to maintain pressure */ 
@@ -223,7 +223,7 @@ diff -urN -x configure -x config.guess -x config.h.in c->local_consumed = 0; } return 1; -@@ -3258,6 +3302,17 @@ channel_fwd_bind_addr(const char *listen_addr, int *wi +@@ -3354,6 +3398,17 @@ channel_fwd_bind_addr(struct ssh *ssh, const char *lis return addr; } @@ -241,7 +241,7 @@ diff -urN -x configure -x config.guess -x config.h.in static int channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type, struct Forward *fwd, int *allocated_listen_port, -@@ -3398,6 +3453,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int +@@ -3494,6 +3549,17 @@ channel_setup_fwd_listener_tcpip(struct ssh *ssh, int } /* Allocate a channel number for the socket. */ @@ -259,7 +259,7 @@ diff -urN -x configure -x config.guess -x config.h.in c = channel_new(ssh, "port listener", type, sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "port listener", 1); -@@ -4457,6 +4523,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ +@@ -4631,6 +4697,14 @@ x11_create_display_inet(struct ssh *ssh, int x11_displ *chanids = xcalloc(num_socks + 1, sizeof(**chanids)); for (n = 0; n < num_socks; n++) { sock = socks[n]; @@ -426,7 +426,7 @@ diff -urN -x configure -x config.guess -x config.h.in --- work.clean/openssh-7.2p1/kex.c.orig 2016-02-25 19:40:04.000000000 -0800 +++ work.clean/openssh-7.2p1/kex.c 2016-02-29 08:02:25.565288000 -0800 -@@ -822,6 +822,20 @@ kex_choose_conf(struct ssh *ssh) +@@ -907,6 +907,20 @@ kex_choose_conf(struct ssh *ssh) peer[ncomp] = NULL; goto out; } 
@@ -447,6 +447,30 @@ diff -urN -x configure -x config.guess -x config.h.in debug("kex: %s cipher: %s MAC: %s compression: %s", ctos ? "client->server" : "server->client", newkeys->enc.name, +@@ -1108,7 +1122,7 @@ send_error(struct ssh *ssh, char *msg) + */ + int + kex_exchange_identification(struct ssh *ssh, int timeout_ms, +- const char *version_addendum) ++ const char *version_addendum, int hpn_disabled) + { + int remote_major, remote_minor, mismatch; + size_t len, i, n; +@@ -1125,8 +1139,13 @@ kex_exchange_identification(struct ssh *ssh, int timeo + sshbuf_reset(our_version); + if (version_addendum != NULL && *version_addendum == '\0') + version_addendum = NULL; +- if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s\r\n", ++ if ((r = sshbuf_putf(our_version, "SSH-%d.%d-%.100s%s%s%s\r\n", + PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, ++#ifdef HPN_ENABLED ++ hpn_disabled ? "" : SSH_HPN, ++#else ++ "", ++#endif + version_addendum == NULL ? "" : " ", + version_addendum == NULL ? "" : version_addendum)) != 0) { + error("%s: sshbuf_putf: %s", __func__, ssh_err(r)); --- work/openssh-7.7p1/packet.c.orig 2018-04-01 22:38:28.000000000 -0700 +++ work/openssh-7.7p1/packet.c 2018-06-27 16:42:42.739507000 -0700 @@ -926,6 +926,24 @@ ssh_set_newkeys(struct ssh *ssh, int mode) @@ -491,8 +515,8 @@ diff -urN -x configure -x config.guess -x config.h.in * Permit one packet in or out per rekey - this allows us to --- work.clean/openssh-6.8p1/packet.h 2015-03-17 00:49:20.000000000 -0500 +++ work/openssh-6.8p1/packet.h 2015-04-03 16:10:34.728161000 -0500 -@@ -188,6 +188,11 @@ - int sshpkt_get_end(struct ssh *ssh); +@@ -206,6 +206,11 @@ int sshpkt_get_end(struct ssh *ssh); + void sshpkt_fmt_connection_id(struct ssh *ssh, char *s, size_t l); const u_char *sshpkt_ptr(struct ssh *, size_t *lenp); +#ifdef NONE_CIPHER_ENABLED 
@@ -500,9 +524,9 @@ diff -urN -x configure -x config.guess -x config.h.in +int ssh_packet_authentication_state(struct ssh *ssh); +#endif + - /* OLD API */ - extern struct ssh *active_state; - #include "opacket.h" + #if !defined(WITH_OPENSSL) + # undef BIGNUM + # undef EC_KEY --- work/openssh-7.7p1/readconf.c.orig 2018-04-01 22:38:28.000000000 -0700 +++ work/openssh-7.7p1/readconf.c 2018-06-27 16:58:41.109275000 -0700 @@ -66,6 +66,9 @@ @@ -663,7 +687,7 @@ diff -urN -x configure -x config.guess -x config.h.in int no_host_authentication_for_localhost; --- work.clean/openssh-6.8p1/scp.c 2015-03-17 00:49:20.000000000 -0500 +++ work/openssh-6.8p1/scp.c 2015-04-02 16:51:25.108407000 -0500 -@@ -764,7 +764,7 @@ source(int argc, char **argv) +@@ -1066,7 +1066,7 @@ source(int argc, char **argv) off_t i, statbytes; size_t amt, nr; int fd = -1, haderr, indx; @@ -672,15 +696,15 @@ diff -urN -x configure -x config.guess -x config.h.in int len; for (indx = 0; indx < argc; ++indx) { -@@ -932,7 +932,7 @@ sink(int argc, char **argv) +@@ -1239,7 +1239,7 @@ sink(int argc, char **argv, const char *src) off_t size, statbytes; unsigned long long ull; int setimes, targisdir, wrerrno = 0; - char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048]; + char ch, *cp, *np, *targ, *why, *vect[1], buf[16384], visbuf[16384]; + char **patterns = NULL; + size_t n, npatterns = 0; struct timeval tv[2]; - - #define atime tv[0] --- work/openssh-7.7p1/servconf.c.orig 2018-04-01 22:38:28.000000000 -0700 +++ work/openssh-7.7p1/servconf.c 2018-06-27 17:01:05.276677000 -0700 @@ -63,6 +63,9 @@ 
@@ -1066,7 +1090,7 @@ diff -urN -x configure -x config.guess -x config.h.in #define SSHBUF_MAX_ECPOINT ((528 * 2 / 8) + 1) /* Max EC point *bytes* */ --- work/openssh/sshconnect.c.orig 2018-10-16 17:01:20.000000000 -0700 +++ work/openssh/sshconnect.c 2018-11-12 09:04:24.340706000 -0800 -@@ -327,7 +327,32 @@ check_ifaddrs(const char *ifname, int af, const struct +@@ -355,7 +355,32 @@ check_ifaddrs(const char *ifname, int af, const struct } #endif @@ -1099,7 +1123,7 @@ diff -urN -x configure -x config.guess -x config.h.in * Creates a socket for use as the ssh connection. */ static int -@@ -349,6 +374,11 @@ ssh_create_socket(struct addrinfo *ai) +@@ -377,6 +402,11 @@ ssh_create_socket(struct addrinfo *ai) } fcntl(sock, F_SETFD, FD_CLOEXEC); 
@@ -1111,23 +1135,16 @@ diff -urN -x configure -x config.guess -x config.h.in /* Bind the socket to an alternative local IP address */ if (options.bind_address == NULL && options.bind_interface == NULL) return sock; -@@ -608,8 +638,14 @@ static void - send_client_banner(int connection_out, int minor1) - { - /* Send our own protocol version identification. */ -- xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n", -- PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION); -+ xasprintf(&client_version_string, "SSH-%d.%d-%.100s%s\r\n", -+ PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, -+#ifdef HPN_ENABLED -+ options.hpn_disabled ? "" : SSH_HPN -+#else -+ "" -+#endif -+ ); - if (atomicio(vwrite, connection_out, client_version_string, - strlen(client_version_string)) != strlen(client_version_string)) - fatal("write: %.100s", strerror(errno)); +@@ -1280,7 +1310,8 @@ ssh_login(struct ssh *ssh, Sensitive *sensitive, const + lowercase(host); + + /* Exchange protocol version identification strings with the server. */ +- if (kex_exchange_identification(ssh, timeout_ms, NULL) != 0) ++ if (kex_exchange_identification(ssh, timeout_ms, NULL, ++ options.hpn_disabled) != 0) + cleanup_exit(255); /* error already logged */ + + /* Put the connection into non-blocking mode. */ --- work/openssh/sshconnect2.c.orig 2018-10-16 17:01:20.000000000 -0700 +++ work/openssh/sshconnect2.c 2018-11-12 09:06:06.338515000 -0800 @@ -81,7 +81,13 @@ 
@@ -1144,20 +1161,19 @@ diff -urN -x configure -x config.guess -x config.h.in /* * SSH2 key exchange */ -@@ -154,10 +160,11 @@ order_hostkeyalgs(char *host, struct sockaddr *hostadd +@@ -154,16 +160,18 @@ order_hostkeyalgs(char *host, struct sockaddr *hostadd return ret; } +static char *myproposal[PROPOSAL_MAX]; +static const char *myproposal_default[PROPOSAL_MAX] = { KEX_CLIENT }; void - ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) + ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port) { - char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT }; char *s, *all_key; - struct kex *kex; int r; -@@ -165,6 +172,7 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_shor + xxx_host = host; xxx_hostaddr = hostaddr; @@ -1165,7 +1181,7 @@ diff -urN -x configure -x config.guess -x config.h.in if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL) fatal("%s: kex_names_cat", __func__); myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(s); -@@ -412,6 +420,30 @@ ssh_userauth2(const char *local_user, const char *serv +@@ -422,6 +430,30 @@ ssh_userauth2(struct ssh *ssh, const char *local_user, if (!authctxt.success) fatal("Authentication failed."); @@ -1182,7 +1198,7 @@ diff -urN -x configure -x config.guess -x config.h.in + memcpy(&myproposal, &myproposal_default, sizeof(myproposal)); + myproposal[PROPOSAL_ENC_ALGS_STOC] = "none"; + myproposal[PROPOSAL_ENC_ALGS_CTOS] = "none"; -+ kex_prop2buf(active_state->kex->my, myproposal); ++ kex_prop2buf(ssh->kex->my, myproposal); + packet_request_rekeying(); + fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n"); + } else { 
@@ -1198,22 +1214,7 @@ diff -urN -x configure -x config.guess -x config.h.in --- work/openssh-7.7p1/sshd.c.orig 2018-04-01 22:38:28.000000000 -0700 +++ work/openssh-7.7p1/sshd.c 2018-06-27 17:13:03.176633000 -0700 -@@ -372,8 +372,13 @@ sshd_exchange_identification(struct ssh *ssh, int sock - char buf[256]; /* Must not be larger than remote_version. */ - char remote_version[256]; /* Must be at least as big as buf. */ - -- xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s\r\n", -+ xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s\r\n", - PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION, -+#ifdef HPN_ENABLED -+ options.hpn_disabled ? "" : SSH_HPN, -+#else -+ "", -+#endif - *options.version_addendum == '\0' ? "" : " ", - options.version_addendum); - -@@ -1025,6 +1030,10 @@ listen_on_addrs(struct listenaddr *la) +@@ -957,6 +957,10 @@ listen_on_addrs(struct listenaddr *la) int ret, listen_sock; struct addrinfo *ai; char ntop[NI_MAXHOST], strport[NI_MAXSERV]; @@ -1224,7 +1225,7 @@ diff -urN -x configure -x config.guess -x config.h.in for (ai = la->addrs; ai; ai = ai->ai_next) { if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) -@@ -1070,6 +1079,13 @@ listen_on_addrs(struct listenaddr *la) +@@ -1002,6 +1006,13 @@ listen_on_addrs(struct listenaddr *la) debug("Bind to port %s on %s.", strport, ntop); @@ -1238,7 +1239,7 @@ diff -urN -x configure -x config.guess -x config.h.in /* Bind the socket to the desired port. */ if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) { error("Bind to port %s on %s failed: %.200s.", -@@ -1634,6 +1650,15 @@ main(int ac, char **av) +@@ -1645,6 +1656,15 @@ main(int ac, char **av) /* Fill in default values for those options not explicitly set. */ fill_default_server_options(&options); 
@@ -1254,7 +1255,7 @@ diff -urN -x configure -x config.guess -x config.h.in /* challenge-response is implemented via keyboard interactive */ if (options.challenge_response_authentication) options.kbd_interactive_authentication = 1; -@@ -2047,6 +2072,11 @@ main(int ac, char **av) +@@ -2090,6 +2110,11 @@ main(int ac, char **av) rdomain == NULL ? "" : "\""); free(laddr); @@ -1266,7 +1267,17 @@ diff -urN -x configure -x config.guess -x config.h.in /* * We don't want to listen forever unless the other side * successfully authenticates itself. So we set up an alarm which is -@@ -2212,6 +2242,11 @@ do_ssh2_kex(void) +@@ -2102,7 +2127,8 @@ main(int ac, char **av) + if (!debug_flag) + alarm(options.login_grace_time); + +- if (kex_exchange_identification(ssh, -1, options.version_addendum) != 0) ++ if (kex_exchange_identification(ssh, -1, options.version_addendum, ++ options.hpn_disabled) != 0) + cleanup_exit(255); /* error already logged */ + + ssh_packet_set_nonblocking(ssh); +@@ -2264,6 +2290,11 @@ do_ssh2_kex(struct ssh *ssh) char *myproposal[PROPOSAL_MAX] = { KEX_SERVER }; struct kex *kex; int r; 
@@ -1308,3 +1319,14 @@ diff -urN -x configure -x config.guess -x config.h.in #define SSH_PORTABLE "p1" #define SSH_RELEASE SSH_VERSION SSH_PORTABLE +#define SSH_HPN "-hpn14v15" +--- work/openssh/kex.h.orig 2019-07-10 17:35:36.523216000 -0700 ++++ work/openssh/kex.h 2019-07-10 17:35:41.997522000 -0700 +@@ -178,7 +178,7 @@ char *kex_alg_list(char); + char *kex_names_cat(const char *, const char *); + int kex_assemble_names(char **, const char *, const char *); + +-int kex_exchange_identification(struct ssh *, int, const char *); ++int kex_exchange_identification(struct ssh *, int, const char *, int); + + struct kex *kex_new(void); + int kex_ready(struct ssh *, char *[PROPOSAL_MAX]); Modified: head/security/openssh-portable/files/extra-patch-tcpwrappers ============================================================================== --- head/security/openssh-portable/files/extra-patch-tcpwrappers Fri Jul 12 02:25:07 2019 (r506432) +++ head/security/openssh-portable/files/extra-patch-tcpwrappers Fri Jul 12 03:48:47 2019 (r506433) @@ -66,7 +66,7 @@ index 0ade557..045f149 100644 + allow_severity = options.log_facility|LOG_INFO; + deny_severity = options.log_facility|LOG_WARNING; + /* Check whether logins are denied from this host. */ -+ if (packet_connection_is_on_socket()) { ++ if (ssh_packet_connection_is_on_socket(ssh)) { + struct request_info req; + + request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0); @@ -85,9 +85,9 @@ index 0ade557..045f149 100644 laddr = get_local_ipaddr(sock_in); diff --git configure.ac configure.ac index f48ba4a..66fbe82 100644 ---- configure.ac.orig 2018-10-16 17:01:20.000000000 -0700 -+++ configure.ac 2018-11-10 11:29:32.626326000 -0800 -@@ -1493,6 +1493,62 @@ else +--- configure.ac.orig 2019-04-17 15:52:57.000000000 -0700 ++++ configure.ac 2019-07-02 20:58:48.627832000 -0700 +@@ -1494,6 +1494,62 @@ else AC_MSG_RESULT([no]) fi 
@@ -150,7 +150,7 @@ index f48ba4a..66fbe82 100644 # Check whether user wants to use ldns LDNS_MSG="no" AC_ARG_WITH(ldns, -@@ -5305,6 +5361,7 @@ echo " PAM support: $PAM_MSG" +@@ -5245,6 +5301,7 @@ echo " PAM support: $PAM_MSG" echo " OSF SIA support: $SIA_MSG" echo " KerberosV support: $KRB5_MSG" echo " SELinux support: $SELINUX_MSG" Modified: head/security/openssh-portable/files/patch-auth2.c ============================================================================== --- head/security/openssh-portable/files/patch-auth2.c Fri Jul 12 02:25:07 2019 (r506432) +++ head/security/openssh-portable/files/patch-auth2.c Fri Jul 12 03:48:47 2019 (r506433) @@ -43,12 +43,12 @@ Apply class-imposed login restrictions. + if (!auth_hostok(lc, from_host, from_ip)) { + logit("Denied connection for %.200s from %.200s [%.200s].", + authctxt->pw->pw_name, from_host, from_ip); -+ packet_disconnect("Sorry, you are not allowed to connect."); ++ ssh_packet_disconnect(ssh, "Sorry, you are not allowed to connect."); + } + if (!auth_timeok(lc, time(NULL))) { + logit("LOGIN %.200s REFUSED (TIME) FROM %.200s", + authctxt->pw->pw_name, from_host); -+ packet_disconnect("Logins not available right now."); ++ ssh_packet_disconnect(ssh, "Logins not available right now."); + } + login_close(lc); + lc = NULL; Modified: head/security/openssh-portable/files/patch-session.c ============================================================================== --- head/security/openssh-portable/files/patch-session.c Fri Jul 12 02:25:07 2019 (r506432) +++ head/security/openssh-portable/files/patch-session.c Fri Jul 12 03:48:47 2019 (r506433) 
@@ -10,9 +10,9 @@ Reviewed by: ache Sponsored by: DARPA, NAI Labs ---- session.c.orig 2018-10-16 17:01:20.000000000 -0700 -+++ session.c 2018-11-10 11:45:14.645263000 -0800 -@@ -1020,6 +1020,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * +--- session.c.orig 2019-04-17 15:52:57.000000000 -0700 ++++ session.c 2019-07-02 16:15:23.270321000 -0700 +@@ -990,6 +990,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * struct passwd *pw = s->pw; #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) char *path = NULL; @@ -22,7 +22,7 @@ Sponsored by: DARPA, NAI Labs #endif /* Initialize the environment. */ -@@ -1041,6 +1044,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * +@@ -1011,6 +1014,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * } #endif @@ -32,7 +32,7 @@ Sponsored by: DARPA, NAI Labs #ifdef GSSAPI /* Allow any GSSAPI methods that we've used to alter * the childs environment as they see fit -@@ -1058,11 +1064,21 @@ do_setup_env(struct ssh *ssh, Session *s, const char * +@@ -1028,11 +1034,21 @@ do_setup_env(struct ssh *ssh, Session *s, const char * child_set_env(&env, &envsize, "LOGIN", pw->pw_name); #endif child_set_env(&env, &envsize, "HOME", pw->pw_dir); 
@@ -58,19 +58,25 @@ Sponsored by: DARPA, NAI Labs #else /* HAVE_LOGIN_CAP */ # ifndef HAVE_CYGWIN /* -@@ -1082,11 +1098,6 @@ do_setup_env(struct ssh *ssh, Session *s, const char * +@@ -1052,17 +1068,9 @@ do_setup_env(struct ssh *ssh, Session *s, const char * # endif /* HAVE_CYGWIN */ #endif /* HAVE_LOGIN_CAP */ -- snprintf(buf, sizeof buf, "%.200s/%.50s", _PATH_MAILDIR, pw->pw_name); -- child_set_env(&env, &envsize, "MAIL", buf); +- if (!options.use_pam) { +- snprintf(buf, sizeof buf, "%.200s/%.50s", +- _PATH_MAILDIR, pw->pw_name); +- child_set_env(&env, &envsize, "MAIL", buf); +- } - /* Normal systems set SHELL by default. */ child_set_env(&env, &envsize, "SHELL", shell); - if (getenv("TZ")) - child_set_env(&env, &envsize, "TZ", getenv("TZ")); -@@ -1389,7 +1400,7 @@ do_setusercontext(struct passwd *pw) + if (s->term) + child_set_env(&env, &envsize, "TERM", s->term); + if (s->display) +@@ -1365,7 +1373,7 @@ do_setusercontext(struct passwd *pw) if (platform_privileged_uidswap()) { #ifdef HAVE_LOGIN_CAP if (setusercontext(lc, pw, pw->pw_uid,
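Review bot: With `GSSAPI_BROKEN` and `X509_BROKEN` both set to "not yet updated for ${DISTVERSION}", the `x509` and `gsskex` groups in `PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn,gsskex` still point at patch files fetched over plain HTTP, and the distinfo checksum is the only integrity control on that path; when the two options are re-enabled, the new patch files should land in the same commit as their refreshed SHA256/SIZE lines rather than in a follow-up, so there is never a window where a stale hash is what `make checksum` trusts. Dropping both `extra-patch-c0a35265907533be10ca151ac797f34ae0d68969` references (the `EXTRA_PATCHES+=` line and the `:N` filter inside the `.if ${PORT_OPTIONS:MX509}` block) matches the file deletion, presumably because the upstream commit it carried is in 8.0p1; one sentence in the log saying so would make that explicit.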
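Review bot: The `openssh-7.9p1+x509-11.5.diff.gz` and `openssh-7.9p1-gsskex-all-20141021-debian-rh-20181020.patch.gz` entries in distinfo keep their 7.9p1 names and hashes while `TIMESTAMP`, `SHA256` and `SIZE` move to `openssh-8.0p1.tar.gz`, so they no longer correspond to `DISTVERSION= 8.0p1`; harmless while the options are BROKEN, but a short comment marking them stale (or removing them until the patches are rebased) would save the next maintainer a fetch-and-checksum round. It would also help to record how the new tarball SHA256 was validated, since OpenSSH publishes a detached signature for each release tarball and this line is what every build of the port will trust from here on.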
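Review bot: In the `channel_tcpwinsz(struct ssh *ssh)` hunk, when `getsockopt(..., SO_RCVBUF, ...)` fails (`ret != 0`) the function falls through and returns `tcpwinsz`, which is still 0, whereas the non-socket case returns the 128 KB fallback; returning the same fallback on error (or at least logging the errno) would keep the two degraded paths consistent. In `debug2("tcpwinsz: tcp connection %d, Receive window: %d", ...)` the second argument is a `u_int32_t`, so `%u` is the matching specifier. The `ssh_packet_connection_is_on_socket(ssh)` and `ssh_packet_get_connection_in(ssh)` conversions, and the matching `channel_tcpwinsz(ssh)` call in `channel_check_window`, look right.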
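Review bot: The new `kex_exchange_identification(..., int hpn_disabled)` format string appends `SSH_HPN` with an unbounded `%s` right after the `%.100s` used for `SSH_VERSION`; that is fine while `SSH_HPN` is the constant `"-hpn14v15"` defined next to `SSH_RELEASE`, but a comment noting that the identification string must stay within RFC 4253's 255-byte limit would explain why the version part is truncated and the suffix is not. The kex.h prototype and both callers (`ssh_login` in sshconnect.c and `main` in sshd.c) are updated, and the old per-side banner hunks in `send_client_banner` and `sshd_exchange_identification` are removed, so the signature change is complete. Keep in mind that the banner still advertises the HPN patch level to every unauthenticated peer unless `hpn_disabled` is set, which is pre-existing behaviour but relevant to the option's default.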
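Review bot: In the none-cipher rekey block of `ssh_userauth2`, `kex_prop2buf(active_state->kex->my, myproposal)` becomes `kex_prop2buf(ssh->kex->my, myproposal)`, but the `packet_request_rekeying()` call on the next line is left in the old global-state form even though the rest of this commit moves every other call onto the `ssh_packet_*(ssh)` API (`ssh_packet_connection_is_on_socket(ssh)` in the HPN and tcpwrappers patches, `ssh_packet_disconnect(ssh, ...)` in patch-auth2.c) and the packet.h hunk shows the `extern struct ssh *active_state; #include "opacket.h"` lines no longer appear at that position in 8.0p1. Please confirm a build with the NONECIPHER option enabled: this code is only compiled under `NONE_CIPHER_ENABLED`, so the default build would not catch an undeclared function here.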
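Review bot: In the extra-patch-tcpwrappers configure.ac hunk the `--- configure.ac.orig` / `+++ configure.ac` timestamps are refreshed for 8.0p1 but the `diff --git configure.ac configure.ac` / `index f48ba4a..66fbe82 100644` header above them still names the old blobs; patch(1) ignores it, but dropping the stale git header (or regenerating the file with one tool) avoids a misleading record of what was diffed. The `ssh_packet_connection_is_on_socket(ssh)` change in the sshd.c part matches the same conversion in the HPN patch.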
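Review bot: The `do_setup_env` hunk now removes upstream's whole `if (!options.use_pam) { ... child_set_env(&env, &envsize, "MAIL", buf); }` block rather than the bare MAIL lines the previous version of the patch removed, so after this change sshd never sets MAIL itself in any configuration and relies on the login-class environment path in the `HAVE_LOGIN_CAP` blocks this patch adds; a sentence in the patch header stating that the upstream `use_pam` gating is intentionally dropped would keep the next rebase from reintroducing a duplicate MAIL entry.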