From owner-svn-ports-head@freebsd.org Thu Oct 12 19:40:59 2017
Message-Id: <201710121940.v9CJewkg058757@repo.freebsd.org>
From: Bryan Drewery <bdrewery@FreeBSD.org>
Date: Thu, 12 Oct 2017 19:40:58 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r451927 - in head: . security/openssh-portable security/openssh-portable/files

Author: bdrewery
Date: Thu Oct 12 19:40:58 2017
New Revision: 451927
URL: https://svnweb.freebsd.org/changeset/ports/451927

Log:
  Update to 7.6p1

  - Update x509 patch to 11.0
  - HPN/NONECIPHER do not apply currently and are disabled by default,
    same as the base sshd.  A compatibility patch is applied if these
    options are disabled to prevent startup failures; the options are
    kept as deprecated.
  - SCTP patch does not apply.

  Changes: https://www.openssh.com/txt/release-7.6

  Notable changes:
  - SSH version 1 support dropped.
  - Dropped support for hmac-ripemd160 MAC.
  - Dropped support for the ciphers arcfour, blowfish and CAST.
  - RSA keys less than 1024 bits are refused.
Added: head/security/openssh-portable/files/extra-patch-hpn-compat (contents, props changed) Modified: head/UPDATING head/security/openssh-portable/Makefile head/security/openssh-portable/distinfo head/security/openssh-portable/files/extra-patch-x509-glue head/security/openssh-portable/files/patch-configure.ac head/security/openssh-portable/files/patch-ssh-agent.c Modified: head/UPDATING ============================================================================== --- head/UPDATING Thu Oct 12 19:30:51 2017 (r451926) +++ head/UPDATING Thu Oct 12 19:40:58 2017 (r451927) @@ -5,7 +5,22 @@ they are unavoidable. You should get into the habit of checking this file for changes each time you update your ports collection, before attempting any port upgrades. -20171006: +20171012: + AFFECTS: users of security/openssh-portable + AUTHOR: bdrewery@FreeBSD.org + + OpenSSH has been upgraded to 7.6p1 which has removed several deprecated + features: + + - SSH version 1 support dropped. + - Dropped support for hmac-ripemd160 MAC. + - Dropped support for the ciphers arcfour, blowfish and CAST. + - RSA keys less than 1024 bits are refused. + + The HPN option is currently disabled by default, and does not build, + in the package. This follows what happened in base as well. + + 20171006: AFFECTS: users of graphics/netpbm AUTHOR: tobik@FreeBSD.org Modified: head/security/openssh-portable/Makefile ============================================================================== --- head/security/openssh-portable/Makefile Thu Oct 12 19:30:51 2017 (r451926) +++ head/security/openssh-portable/Makefile Thu Oct 12 19:40:58 2017 (r451927) @@ -2,8 +2,8 @@ # $FreeBSD$ PORTNAME= openssh -DISTVERSION= 7.5p1 -PORTREVISION= 1 +DISTVERSION= 7.6p1 +PORTREVISION= 0 PORTEPOCH= 1 CATEGORIES= security ipv6 MASTER_SITES= OPENBSD/OpenSSH/portable 
@@ -30,7 +30,7 @@ BROKEN_SSL_REASON_openssl-devel= incomplete definition OPTIONS_DEFINE= PAM TCP_WRAPPERS LIBEDIT BSM \ HPN X509 KERB_GSSAPI \ OVERWRITE_BASE SCTP LDNS NONECIPHER -OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS HPN LDNS +OPTIONS_DEFAULT= LIBEDIT PAM TCP_WRAPPERS LDNS OPTIONS_RADIO= KERBEROS OPTIONS_RADIO_KERBEROS= MIT HEIMDAL HEIMDAL_BASE TCP_WRAPPERS_DESC= tcp_wrappers support @@ -61,14 +61,15 @@ HPN_CONFIGURE_WITH= hpn NONECIPHER_CONFIGURE_WITH= nonecipher # See http://www.roumenpetrov.info/openssh/ -X509_VERSION= 10.1 +X509_VERSION= 11.0 X509_PATCH_SITES= http://www.roumenpetrov.info/openssh/x509-${X509_VERSION}/:x509 X509_EXTRA_PATCHES+= ${FILESDIR}/extra-patch-x509-glue -X509_PATCHFILES= ${PORTNAME}-7.5p1+x509-${X509_VERSION}.diff.gz:-p1:x509 +X509_PATCHFILES= ${PORTNAME}-7.6p1+x509-${X509_VERSION}.diff.gz:-p1:x509 # See https://bugzilla.mindrot.org/show_bug.cgi?id=2016 # and https://bugzilla.mindrot.org/show_bug.cgi?id=1604 #SCTP_PATCHFILES= ${PORTNAME}-7.2_p1-sctp.patch.gz:-p1 +SCTP_BROKEN= Does not apply to 7.6+ SCTP_CONFIGURE_WITH= sctp SCTP_EXTRA_PATCHES+= ${FILESDIR}/extra-patch-sctp:-p1 @@ -95,7 +96,7 @@ EXTRA_PATCHES:= ${EXTRA_PATCHES:N${TCP_WRAPPERS_EXTRA # Must add this patch before HPN due to conflicts .if ${PORT_OPTIONS:MKERB_GSSAPI} -BROKEN= No patch for 7.5 yet. +BROKEN= No patch for 7.6 yet. # Patch from: # http://sources.debian.net/data/main/o/openssh/1:7.4p1-5/debian/patches/gssapi.patch # which was originally based on 5.7 patch from 
@@ -110,12 +111,16 @@ PATCHFILES+= openssh-7.4p1-gsskex-all-20141021-debian- # http://www.psc.edu/index.php/hpn-ssh https://github.com/rapier1/hpn-ssh https://github.com/rapier1/openssh-portable .if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} +BROKEN= Not yet updated for 7.6+ and disabled in base PORTDOCS+= HPN-README HPN_VERSION= 14v5 HPN_DISTVERSION= 6.7p1 #PATCH_SITES+= SOURCEFORGE/hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn #PATCHFILES+= ${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn:-p2 +.elif !${PORT_OPTIONS:MHPN} && !${PORT_OPTIONS:MNONECIPHER} +# Apply compatibility patch +EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-compat .endif CONFIGURE_LIBS+= -lutil Modified: head/security/openssh-portable/distinfo ============================================================================== --- head/security/openssh-portable/distinfo Thu Oct 12 19:30:51 2017 (r451926) +++ head/security/openssh-portable/distinfo Thu Oct 12 19:40:58 2017 (r451927) 
@@ -1,9 +1,7 @@ -TIMESTAMP = 1484161900 -SHA256 (openssh-7.5p1.tar.gz) = 9846e3c5fab9f0547400b4d2c017992f914222b3fd1f8eee6c7dc6bc5e59f9f0 -SIZE (openssh-7.5p1.tar.gz) = 1510857 +TIMESTAMP = 1507833573 +SHA256 (openssh-7.6p1.tar.gz) = a323caeeddfe145baaa0db16e98d784b1fbc7dd436a6bf1f479dfd5cd1d21723 +SIZE (openssh-7.6p1.tar.gz) = 1489788 SHA256 (openssh-7.2_p1-sctp.patch.gz) = fb67e3e23f39fabf44ef198e3e19527417c75c9352747547448512032365dbfc SIZE (openssh-7.2_p1-sctp.patch.gz) = 8501 -SHA256 (openssh-7.5p1+x509-10.1.diff.gz) = e7abe401e7f651779c680491cfefbfcf4f26743202641b2bda934f80bb4464d2 -SIZE (openssh-7.5p1+x509-10.1.diff.gz) = 460721 -SHA256 (openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz) = f77ac434e6914814bc2f16d1581efd74baedaa86f1249a3cee00566d458c5f6b -SIZE (openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz) = 27091 +SHA256 (openssh-7.6p1+x509-11.0.diff.gz) = bc4175ed8efce14579f10e242b25a23c959b1ff0e63b7c15493503eb654a960e +SIZE (openssh-7.6p1+x509-11.0.diff.gz) = 440219 Added: head/security/openssh-portable/files/extra-patch-hpn-compat ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/openssh-portable/files/extra-patch-hpn-compat Thu Oct 12 19:40:58 2017 (r451927) 
@@ -0,0 +1,46 @@ +------------------------------------------------------------------------ +r294563 | des | 2016-01-22 05:13:46 -0800 (Fri, 22 Jan 2016) | 3 lines +Changed paths: + M /head/crypto/openssh/servconf.c + +Instead of removing the NoneEnabled option, mark it as unsupported. +(should have done this in r291198, but didn't think of it until now) + +------------------------------------------------------------------------ +------------------------------------------------------------------------ +r294564 | des | 2016-01-22 06:22:11 -0800 (Fri, 22 Jan 2016) | 2 lines +Changed paths: + M /head/crypto/openssh/readconf.c + +r294563 was incomplete; re-add the client-side options as well. + +------------------------------------------------------------------------ + +--- readconf.c.orig 2017-10-12 12:18:59.927293000 -0700 ++++ readconf.c 2017-10-12 12:19:45.048532000 -0700 +@@ -305,6 +305,12 @@ static struct { + { "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes }, + { "ignoreunknown", oIgnoreUnknown }, + { "proxyjump", oProxyJump }, ++ { "hpndisabled", oDeprecated }, ++ { "hpnbuffersize", oDeprecated }, ++ { "tcprcvbufpoll", oDeprecated }, ++ { "tcprcvbuf", oDeprecated }, ++ { "noneenabled", oUnsupported }, ++ { "noneswitch", oUnsupported }, + + { NULL, oBadOption } + }; +--- servconf.c.orig 2017-10-02 12:34:26.000000000 -0700 ++++ servconf.c 2017-10-12 12:20:19.089884000 -0700 +@@ -566,6 +566,10 @@ static struct { + { "fingerprinthash", sFingerprintHash, SSHCFG_GLOBAL }, + { "disableforwarding", sDisableForwarding, SSHCFG_ALL }, + { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL }, ++ { "noneenabled", sUnsupported, SSHCFG_ALL }, ++ { "hpndisabled", sDeprecated, SSHCFG_ALL }, ++ { "hpnbuffersize", sDeprecated, SSHCFG_ALL }, ++ { "tcprcvbufpoll", sDeprecated, SSHCFG_ALL }, + { NULL, sBadOption, 0 } + }; + Modified: head/security/openssh-portable/files/extra-patch-x509-glue ============================================================================== --- 
head/security/openssh-portable/files/extra-patch-x509-glue Thu Oct 12 19:30:51 2017 (r451926) +++ head/security/openssh-portable/files/extra-patch-x509-glue Thu Oct 12 19:40:58 2017 (r451927) @@ -1,6 +1,6 @@ ---- session.c.orig 2017-01-12 11:58:30.754769000 -0800 -+++ session.c 2017-01-12 11:58:35.360654000 -0800 -@@ -1252,36 +1252,6 @@ do_setup_env(Session *s, const char *she +--- session.c.orig 2017-10-12 11:52:52.953370000 -0700 ++++ session.c 2017-10-12 11:53:40.793055000 -0700 +@@ -1045,36 +1045,6 @@ do_setup_env(struct ssh *ssh, Session *s, const char * if (getenv("TZ")) child_set_env(&env, &envsize, "TZ", getenv("TZ")); 
@@ -37,3 +37,111 @@ /* Set custom environment options from RSA authentication. */ while (custom_environment) { struct envstring *ce = custom_environment; +--- sshd_config.5.orig 2017-10-12 11:51:06.638814000 -0700 ++++ sshd_config.5 2017-10-12 11:51:33.780459000 -0700 +@@ -1641,52 +1641,7 @@ is set to + then the pre-authentication unprivileged process is subject to additional + restrictions. + The default is +-.Cm sandbox . +-.It Cm VACertificateFile +-File with X.509 certificates in PEM format concatenated together. +-In use when +-.Cm VAType +-is set to +-.Cm ocspspec . +-The default value is +-.Sq +-.. +-(empty). +-Certificates from that file explicitly trust +-.Sq "OCSP Responder" +-public key. +-They are used as trusted certificates in addition to certificates from +-.Cm CACertificateFile +-and +-.Cm CACertificatePath +-to verify responder certificate. +-.It Cm VAType +-Specifies whether +-.Sq "Online Certificate Status Protocol" +-(OCSP) is used to validate X.509 certificates. +-Accepted values are case insensitive: +-.Bl -tag -offset indent -compact +-.It none +-do not use OCSP to validate certificates; +-.It ocspcert +-validate only certificates that specify +-.Sq "OCSP Service Locator" +-URL; +-.It ocspspec +-use specified in the configuration +-.Sq "OCSP Responder" +-to validate all certificates. +-.El +-The default is +-.Cm none . +-.It Cm VAOCSPResponderURL +-.Sq "Access Location" +-/ +-.Sq "OCSP Service Locator" +-URL of the OCSP provider. In use when +-.Cm VAType +-is set to +-.Cm ocspspec . ++.Cm no . + .It Cm VersionAddendum + Optionally specifies additional text to append to the SSH protocol banner + sent by the server upon connection. +@@ -1737,6 +1692,51 @@ the wildcard address. + By default, + sshd binds the forwarding server to the loopback address and sets the + hostname part of the ++.It Cm VACertificateFile ++File with X.509 certificates in PEM format concatenated together. ++In use when ++.Cm VAType ++is set to ++.Cm ocspspec . 
++The default value is ++.Sq ++.. ++(empty). ++Certificates from that file explicitly trust ++.Sq "OCSP Responder" ++public key. ++They are used as trusted certificates in addition to certificates from ++.Cm CACertificateFile ++and ++.Cm CACertificatePath ++to verify responder certificate. ++.It Cm VAType ++Specifies whether ++.Sq "Online Certificate Status Protocol" ++(OCSP) is used to validate X.509 certificates. ++Accepted values are case insensitive: ++.Bl -tag -offset indent -compact ++.It none ++do not use OCSP to validate certificates; ++.It ocspcert ++validate only certificates that specify ++.Sq "OCSP Service Locator" ++URL; ++.It ocspspec ++use specified in the configuration ++.Sq "OCSP Responder" ++to validate all certificates. ++.El ++The default is ++.Cm none . ++.It Cm VAOCSPResponderURL ++.Sq "Access Location" ++/ ++.Sq "OCSP Service Locator" ++URL of the OCSP provider. In use when ++.Cm VAType ++is set to ++.Cm ocspspec . + .Ev DISPLAY + environment variable to + .Cm localhost . Modified: head/security/openssh-portable/files/patch-configure.ac ============================================================================== --- head/security/openssh-portable/files/patch-configure.ac Thu Oct 12 19:30:51 2017 (r451926) +++ head/security/openssh-portable/files/patch-configure.ac Thu Oct 12 19:40:58 2017 (r451927) @@ -1,13 +1,5 @@ --- configure.ac.orig 2017-04-08 02:15:16 UTC +++ configure.ac -@@ -1486,6 +1486,7 @@ AC_ARG_WITH(ldns, - else - LIBS="$LIBS `$LDNSCONFIG --libs`" - CPPFLAGS="$CPPFLAGS `$LDNSCONFIG --cflags`" -+ ldns=yes - fi - elif test "x$withval" != "xno" ; then - CPPFLAGS="$CPPFLAGS -I${withval}/include" 
@@ -1544,7 +1545,7 @@ AC_ARG_WITH([libedit], LIBEDIT=`$PKGCONFIG --libs libedit` CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`" Modified: head/security/openssh-portable/files/patch-ssh-agent.c ============================================================================== --- head/security/openssh-portable/files/patch-ssh-agent.c Thu Oct 12 19:30:51 2017 (r451926) +++ head/security/openssh-portable/files/patch-ssh-agent.c Thu Oct 12 19:40:58 2017 (r451927) @@ -8,9 +8,9 @@ r226103 | des | 2011-10-07 08:10:16 -0500 (Fri, 07 Oct Add a -x option that causes ssh-agent(1) to exit when all clients have disconnected. ---- ssh-agent.c.orig 2015-05-29 03:27:21.000000000 -0500 -+++ ssh-agent.c 2015-06-02 09:46:54.719580000 -0500 -@@ -157,15 +157,34 @@ static long lifetime = 0; +--- ssh-agent.c.orig 2017-10-02 12:34:26.000000000 -0700 ++++ ssh-agent.c 2017-10-12 11:31:40.908737000 -0700 +@@ -162,15 +162,34 @@ static long lifetime = 0; static int fingerprint_hash = SSH_FP_HASH_DEFAULT; @@ -45,7 +45,7 @@ disconnected. } static void -@@ -963,6 +982,10 @@ new_socket(sock_type type, int fd) +@@ -745,6 +764,10 @@ new_socket(sock_type type, int fd) { u_int i, old_alloc, new_alloc; @@ -56,7 +56,7 @@ disconnected. set_nonblock(fd); if (fd > max_fd) -@@ -1190,7 +1213,7 @@ static void +@@ -1007,7 +1030,7 @@ static void usage(void) { fprintf(stderr, @@ -65,7 +65,7 @@ disconnected. " [-P pkcs11_whitelist] [-t life] [command [arg ...]]\n" " ssh-agent [-c | -s] -k\n"); exit(1); -@@ -1222,6 +1245,7 @@ main(int ac, char **av) +@@ -1039,6 +1062,7 @@ main(int ac, char **av) /* drop */ setegid(getgid()); setgid(getgid()); @@ -73,7 +73,7 @@ disconnected. platform_disable_tracing(0); /* strict=no */ -@@ -1232,7 +1256,7 @@ main(int ac, char **av) +@@ -1049,7 +1073,7 @@ main(int ac, char **av) __progname = ssh_get_progname(av[0]); seed_rng(); 
@@ -82,13 +82,13 @@ disconnected. switch (ch) { case 'E': fingerprint_hash = ssh_digest_alg_by_name(optarg); -@@ -1276,6 +1300,9 @@ main(int ac, char **av) +@@ -1092,6 +1116,9 @@ main(int ac, char **av) + fprintf(stderr, "Invalid lifetime\n"); usage(); } - break; ++ break; + case 'x': + xcount = 0; -+ break; + break; default: usage(); - }
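Review bot: the UPDATING hunk tells users that HPN "does not build" but says nothing about the NONECIPHER option, which the Makefile marks BROKEN in the same `.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER}` block, nor about what happens to existing `HPNDisabled`, `HPNBufferSize`, `TcpRcvBufPoll`, `TcpRcvBuf`, `NoneEnabled` and `NoneSwitch` lines: extra-patch-hpn-compat maps the first four to oDeprecated/sDeprecated and the last two to oUnsupported/sUnsupported, so an old config keeps starting but a host that relied on `NoneEnabled yes` now runs with a real cipher. That deserves a sentence in the entry, as does a hint to audit `Ciphers`/`MACs` lines for the arcfour, blowfish, CAST and hmac-ripemd160 names the log says were dropped, and to replace RSA keys under 1024 bits, which the log says are refused. Also "disabled by default, and does not build, in the package" reads awkwardly; "is disabled by default and currently does not build" is what is meant.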
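Review bot: in the Makefile HPN hunk, `.elif !${PORT_OPTIONS:MHPN} && !${PORT_OPTIONS:MNONECIPHER}` is exactly the negation of the `.if` two lines above it, so a plain `.else` expresses the same thing and cannot drift out of sync if a third option is ever added to the condition. Separately, `BROKEN= Not yet updated for 7.6+ and disabled in base` uses plain `=` just like the KERB_GSSAPI block's `BROKEN= No patch for 7.6 yet.`, so with both options enabled only the later HPN message is shown; if that is acceptable a short comment would save the next reader from wondering, otherwise consider a combined message.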
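Review bot: the distinfo hunk removes the checksum for `openssh-7.4p1-gsskex-all-20141021-debian-rh-20161228.patch.gz` while the Makefile context still carries `PATCHFILES+= openssh-7.4p1-gsskex-all-20141021-debian-` inside the KERB_GSSAPI block. That is harmless while the option is BROKEN, but whoever revives it will get a checksum mismatch and has to remember to run `make makesum` with KERB_GSSAPI enabled; a comment next to the BROKEN line would help. Conversely the `openssh-7.2_p1-sctp.patch.gz` SHA256/SIZE entries are kept even though `SCTP_PATCHFILES` is commented out and SCTP is now `SCTP_BROKEN`; treat both stale sets the same way, either keep both or drop both.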
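Review bot: the second sshd_config.5 hunk in extra-patch-x509-glue (`@@ -1737,6 +1692,51 @@`) inserts the VACertificateFile/VAType/VAOCSPResponderURL block between `hostname part of the` and `.Ev DISPLAY`, which is the middle of the X11UseLocalhost sentence ("sets the hostname part of the DISPLAY environment variable to localhost"), so the rendered page will read the X11 sentence with three X.509 options spliced into it. The insertion point needs to move down past `.Cm localhost .` to the start of the next `.It Cm` entry. In the first hunk, `The default is` now ends in `.Cm no .` where the removed text had `.Cm sandbox .`; if changing the documented UsePrivilegeSeparation default is intended it is unrelated to relocating the VA* options and should be called out in the log, otherwise it looks like an accidental edit.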
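Review bot: the patch-configure.ac hunk drops the `+ ldns=yes` addition in the `AC_ARG_WITH(ldns, ...)` block without the log saying why; if 7.6 fixed this upstream, a one-line note in the commit message (or in the patch header) avoids the next updater re-adding it, and if it was dropped because the hunk no longer applied, the LDNS option, which stays in `OPTIONS_DEFAULT`, needs a build check.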
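Review bot: the last patch-ssh-agent.c hunk is behaviour-neutral (the same `break; case 'x': xcount = 0; break;` sequence results) but the refreshed form adds `++ break;` before `case 'x':` and turns the `break;` after `xcount = 0;` into context, so the FreeBSD patch now looks as though it adds a break to the preceding `'t'` case. Keeping the previous arrangement (`break;` as context, then `+ case 'x':`, `+ xcount = 0;`, `+ break;`) is easier to review against the r226103 log quoted at the top of the file.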
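As an added example, not part of this commit, the port or OpenSSH itself: a POSIX sh script that audits an sshd_config or ssh_config for the settings this update affects. The dropped algorithms, the SSHv1 removal and the 1024-bit RSA floor are taken from the commit log above; the deprecated and unsupported keyword names are the ones extra-patch-hpn-compat adds to readconf.c and servconf.c. The sample configuration is constructed for the demo, and the key-size helper assumes `ssh-keygen` is installed and one key per file; it is skipped when the tool is absent.

```shell
#!/bin/sh
# Added example (not from the port or OpenSSH): report settings in an
# ssh_config/sshd_config that break or silently change meaning on the 7.6p1
# port. One "file:line: finding" per hit; returns 1 if anything was found.
#  - Protocol lines still requesting SSHv1 (support dropped)
#  - Ciphers naming arcfour*, blowfish-cbc or cast128-cbc (dropped)
#  - MACs naming hmac-ripemd160 variants (dropped)
#  - HPN directives the port maps to Deprecated (accepted, ignored)
#  - NoneEnabled/NoneSwitch mapped to Unsupported (accepted, ignored)

audit_ssh_config() {
    awk '
    BEGIN {
        # Keyword tables from extra-patch-hpn-compat, lower-cased because
        # the OpenSSH keyword lookup is case-insensitive.
        dep["hpndisabled"] = 1; dep["hpnbuffersize"] = 1
        dep["tcprcvbufpoll"] = 1; dep["tcprcvbuf"] = 1
        uns["noneenabled"] = 1; uns["noneswitch"] = 1
        n = 0
    }
    function report(msg) { printf "%s:%d: %s\n", FILENAME, FNR, msg; n++ }
    {
        sub(/#.*/, "")                          # drop comments
        if ($0 ~ /^[ \t]*$/) next               # and blank lines
        kw = tolower($1)
        eq = index(kw, "=")                     # allow the Keyword=value form
        if (eq > 0) kw = substr(kw, 1, eq - 1)
        val = tolower($0)
        sub(/^[ \t]*[^ \t=]+[ \t=]*/, "", val)  # strip keyword and separator
        sub(/[ \t]+$/, "", val)
        if (kw in dep) {
            report(kw " is deprecated: accepted but ignored, HPN is not built")
        } else if (kw in uns) {
            report(kw " is unsupported: accepted but ignored, NONE cipher is not built")
        } else if (kw == "protocol") {
            m = split(val, t, ",")
            for (i = 1; i <= m; i++)
                if (t[i] == "1") report("Protocol requests SSHv1, which 7.6 dropped")
        } else if (kw == "ciphers") {
            m = split(val, t, ",")
            for (i = 1; i <= m; i++)
                if (t[i] ~ /arcfour|blowfish|cast128/) report("Ciphers names dropped cipher " t[i])
        } else if (kw == "macs") {
            m = split(val, t, ",")
            for (i = 1; i <= m; i++)
                if (t[i] ~ /ripemd160/) report("MACs names dropped MAC " t[i])
        }
    }
    END { exit (n > 0) }
    ' "$1"
}

# RSA keys below 1024 bits are refused by 7.6. ssh-keygen -lf prints
# "<bits> <fingerprint> <comment> (<type>)" for a one-key file; the check is
# skipped when ssh-keygen is not installed (assumption: one key per file).
check_rsa_key_bits() {
    command -v ssh-keygen >/dev/null 2>&1 || return 0
    rc=0
    for k in "$@"; do
        info=$(ssh-keygen -lf "$k" 2>/dev/null) || continue
        case $info in
            *"(RSA)") bits=${info%% *}
                      if [ "$bits" -lt 1024 ]; then
                          echo "$k: $bits-bit RSA key, refused by OpenSSH 7.6"; rc=1
                      fi ;;
        esac
    done
    return $rc
}

# Constructed sample in the pre-7.6 style; not taken from any real host.
write_sample_config() {
    cat > "$1" <<'EOF'
# sshd_config carried over from an HPN-patched 7.5 install
Protocol 2,1
Ciphers aes256-ctr,arcfour256,blowfish-cbc
MACs hmac-sha2-256,hmac-ripemd160
HPNDisabled no
TcpRcvBufPoll yes
NoneEnabled yes
PermitRootLogin no
EOF
}

# Demo: the sample yields seven findings and a non-zero status.
tmp=$(mktemp)
write_sample_config "$tmp"
audit_ssh_config "$tmp" || echo "fix the lines above before upgrading"
rm -f "$tmp"
```

To audit a live system, source the file and call `audit_ssh_config /etc/ssh/sshd_config` (and the same for ssh_config), then `check_rsa_key_bits /etc/ssh/ssh_host_rsa_key.pub ~/.ssh/*.pub`; a zero exit from both means nothing the commit log lists is referenced.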