From: Bryan Drewery
Date: Fri, 20 Nov 2020 03:41:56 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r555734 - in head/security/openssh-portable: . files

Author: bdrewery
Date: Fri Nov 20 03:41:56 2020
New Revision: 555734
URL: https://svnweb.freebsd.org/changeset/ports/555734

Log:
  - Add pkg-config dependency which avoids some maintainer testing errors
    and also removes a few unneeded library links such as -lcurses.
  - libfido2 package is broken with pkg-config and base ssl. Workaround
    this by not using pkg-config for that library for now.
  - Add USES=localbase to simplify some options
  - Make crypt(3) MD5 password support optional but still on-by-default.
    The default in FreeBSD changed in 10.0 but that does not mean
  - Enable -Werror
  - Remove some old baggage from the port build
    o The zlib version check has not been needed for a while.
    o sshd.8 has not had %%PREFIX%% or %$RC_SCRIPT_NAME%% since 2011 and
      is not worth more patches/complexity.
    o The strnvis(3) problem noted in r311891 was fixed in OpenSSH 7.4.
    o autoreconf is run so it makes no sense to patch configure for -ldes
    o --with-md5-passwords is not needed as our crypt(3) supports it
      natively. This is only relevant without PAM.

Added: head/security/openssh-portable/files/extra-patch-gssapi-sshconnect2.c (contents, props changed) head/security/openssh-portable/files/extra-patch-libfido2-configure.ac (contents, props changed) Modified: head/security/openssh-portable/Makefile head/security/openssh-portable/files/patch-session.c Modified: head/security/openssh-portable/Makefile ============================================================================== --- head/security/openssh-portable/Makefile Fri Nov 20 02:48:57 2020 (r555733) +++ head/security/openssh-portable/Makefile Fri Nov 20 03:41:56 2020 (r555734) @@ -3,7 +3,7 @@ PORTNAME= openssh DISTVERSION= 8.4p1 -PORTREVISION= 1 +PORTREVISION= 2 PORTEPOCH= 1 CATEGORIES= security MASTER_SITES= OPENBSD/OpenSSH/portable @@ -19,12 +19,12 @@ LICENSE_PERMS= dist-mirror dist-sell pkg-mirror pkg-se CONFLICTS?= openssh-3.* ssh-1.* ssh2-3.* openssh-portable-devel-* -USES= alias autoreconf ncurses ssl +USES= alias autoreconf localbase ncurses pkgconfig ssl GNU_CONFIGURE= yes -CONFIGURE_ENV= ac_cv_func_strnvis=no -CONFIGURE_ARGS= --prefix=${PREFIX} --with-md5-passwords \ - --without-zlib-version-check --with-ssl-engine \ - --with-mantype=man +CONFIGURE_ARGS= --prefix=${PREFIX} \ + --with-ssl-engine \ + --with-mantype=man \ + --with-Werror ETCOLD= ${PREFIX}/etc @@ -70,8 +70,6 @@ TCP_WRAPPERS_EXTRA_PATCHES=${FILESDIR}/extra-patch-tcp LDNS_CONFIGURE_WITH= ldns=${LOCALBASE} LDNS_LIB_DEPENDS= libldns.so:dns/ldns LDNS_EXTRA_PATCHES= ${FILESDIR}/extra-patch-ldns -LDNS_CFLAGS= -I${LOCALBASE}/include -LDNS_CONFIGURE_ON= --with-ldflags='-L${LOCALBASE}/lib' HPN_CONFIGURE_WITH= hpn NONECIPHER_CONFIGURE_WITH= nonecipher 
@@ -89,6 +87,8 @@ BSM_CONFIGURE_ON= --with-audit=bsm FIDO_U2F_LIB_DEPENDS= libfido2.so:security/libfido2 FIDO_U2F_CONFIGURE_ON= --with-security-key-builtin FIDO_U2F_CONFIGURE_OFF= --disable-security-key +# Until https://reviews.freebsd.org/D27289 is committed +FIDO_U2F_EXTRA_PATCHES= ${FILESDIR}/extra-patch-libfido2-configure.ac BLACKLISTD_EXTRA_PATCHES= ${FILESDIR}/extra-patch-blacklistd @@ -114,6 +114,7 @@ PATCH_SITES+= https://sources.debian.org/data/main/o/o # Bump this when updating the patch location GSSAPI_UPDATE_DATE= 20200607 PATCHFILES+= openssh-${DISTVERSION}-gsskex-all-20141021-debian-rh-${GSSAPI_UPDATE_DATE}.patch:-p1:gsskex +EXTRA_PATCHES+= ${FILESDIR}/extra-patch-gssapi-sshconnect2.c .endif .if ${PORT_OPTIONS:MBLACKLISTD} @@ -134,8 +135,6 @@ EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn:-p2 EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hpn-compat .endif -CONFIGURE_LIBS+= -lutil - CONFIGURE_ARGS+= --disable-utmp --disable-wtmp --disable-wtmpx --without-lastlog # Keep this last @@ -186,12 +185,9 @@ RC_SCRIPT_NAME= openssh VERSION_ADDENDUM_DEFAULT?= ${OPSYS}-${PKGNAME} post-patch: - @${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure @${REINPLACE_CMD} \ -e 's|install: \(.*\) host-key check-config|install: \1|g' \ ${WRKSRC}/Makefile.in - @${REINPLACE_CMD} -e 's|%%PREFIX%%|${LOCALBASE}|' \ - -e 's|%%RC_SCRIPT_NAME%%|${RC_SCRIPT_NAME}|' ${WRKSRC}/sshd.8 @${REINPLACE_CMD} \ -e 's|\(VersionAddendum\) none|\1 ${VERSION_ADDENDUM_DEFAULT}|' \ ${WRKSRC}/sshd_config Added: head/security/openssh-portable/files/extra-patch-gssapi-sshconnect2.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/openssh-portable/files/extra-patch-gssapi-sshconnect2.c Fri Nov 20 03:41:56 2020 (r555734) 
@@ -0,0 +1,12 @@ +Avoid free(const char*) +--- sshconnect2.c.orig 2020-11-19 14:56:54.387846000 -0800 ++++ sshconnect2.c 2020-11-19 14:57:04.445045000 -0800 +@@ -846,7 +846,7 @@ userauth_gssapi(struct ssh *ssh) + /* Fall back to specified host if we are using proxy command + * and can not use DNS on that socket */ + if (strcmp(gss_host, "UNKNOWN") == 0) { +- gss_host = authctxt->host; ++ gss_host = xstrdup(authctxt->host); + } + } else { + gss_host = xstrdup(authctxt->host); Added: head/security/openssh-portable/files/extra-patch-libfido2-configure.ac ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/openssh-portable/files/extra-patch-libfido2-configure.ac Fri Nov 20 03:41:56 2020 (r555734) @@ -0,0 +1,16 @@ +Workaround libfido2 package having a libfido2.pc that requires libcrypto +even with base OpenSSL which does not provide the proper pc file. + +--- configure.ac.orig 2020-11-19 14:21:03.890890000 -0800 ++++ configure.ac 2020-11-19 14:21:57.061193000 -0800 +@@ -3256,8 +3256,8 @@ if test "x$enable_sk" = "xyes" -a "x$enable_sk_interna + fi + fi + if test "x$use_pkgconfig_for_libfido2" = "xyes"; then +- LIBFIDO2=`$PKGCONFIG --libs libfido2` +- CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libfido2`" ++ LIBFIDO2="-lfido2 -lcrypto" ++ #CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libfido2`" + else + LIBFIDO2="-lfido2 -lcbor" + fi Modified: head/security/openssh-portable/files/patch-session.c ============================================================================== --- head/security/openssh-portable/files/patch-session.c Fri Nov 20 02:48:57 2020 (r555733) +++ head/security/openssh-portable/files/patch-session.c Fri Nov 20 03:41:56 2020 (r555734) 
@@ -13,8 +13,8 @@ to the child process. Reviewed by: ache Sponsored by: DARPA, NAI Labs ---- session.c.orig 2020-02-13 16:40:54.000000000 -0800 -+++ session.c 2020-03-23 16:01:07.583958000 -0700 +--- session.c.orig 2020-09-27 00:25:01.000000000 -0700 ++++ session.c 2020-11-19 14:41:50.745308000 -0800 @@ -946,7 +946,7 @@ read_etc_default_login(char ***env, u_int *envsize, ui } #endif /* HAVE_ETC_DEFAULT_LOGIN */ @@ -58,7 +58,16 @@ Sponsored by: DARPA, NAI Labs if (s->term) child_set_env(&env, &envsize, "TERM", s->term); if (s->display) -@@ -1369,7 +1387,7 @@ do_setusercontext(struct passwd *pw) +@@ -1285,7 +1303,7 @@ do_nologin(struct passwd *pw) + #ifdef HAVE_LOGIN_CAP + if (login_getcapbool(lc, "ignorenologin", 0) || pw->pw_uid == 0) + return; +- nl = login_getcapstr(lc, "nologin", def_nl, def_nl); ++ nl = (char*)login_getcapstr(lc, "nologin", def_nl, def_nl); + #else + if (pw->pw_uid == 0) + return; +@@ -1373,7 +1391,7 @@ do_setusercontext(struct passwd *pw) if (platform_privileged_uidswap()) { #ifdef HAVE_LOGIN_CAP if (setusercontext(lc, pw, pw->pw_uid,
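
Review bot: In the Makefile hunk at @@ -19,12 +19,12, `--with-Werror` is added to CONFIGURE_ARGS unconditionally, so any warning raised by a newer compiler or by one of the optional patch sets (HPN, GSSAPI key exchange, ldns) becomes a build failure for every user of the port, not only for the maintainer. Consider passing it only when DEVELOPER is defined. The same hunk drops `--with-md5-passwords` outright, while the log says MD5 password support was made "optional but still on-by-default"; no option for it is visible in this diff, so either the log entry or the Makefile needs adjusting.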
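
Review bot: `FIDO_U2F_EXTRA_PATCHES` in the Makefile hunk at @@ -89,6 +87,8 applies extra-patch-libfido2-configure.ac whenever FIDO_U2F is enabled, although the patch header describes the breakage as specific to base OpenSSL. Restricting the extra patch to builds where SSL_DEFAULT is base would keep pkg-config detection intact for ports OpenSSL and LibreSSL builds. The comment pointing at D27289 as the removal condition is good and should stay.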
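
Review bot: The removal of `CONFIGURE_LIBS+= -lutil` in the Makefile hunk at @@ -134,8 +135,6 is not covered by any item in the commit log. session.c as patched by this port calls login_getcapstr() and setusercontext() under HAVE_LOGIN_CAP, which are libutil functions on FreeBSD, so please confirm that configure still adds -lutil on its own and state that in the log.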
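
Review bot: In extra-patch-gssapi-sshconnect2.c, the new `gss_host = xstrdup(authctxt->host);` in the "UNKNOWN" fallback branch of userauth_gssapi() overwrites the pointer that was just compared against "UNKNOWN" without releasing it. If that earlier value is heap-allocated, which the patch title and the xstrdup() in the else branch suggest is the ownership model here, add a free(gss_host) before the assignment so the fallback path does not leak.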
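
Review bot: In extra-patch-libfido2-configure.ac, the `use_pkgconfig_for_libfido2` = yes branch no longer calls pkg-config at all, and the old CPPFLAGS line is left behind as a comment instead of being deleted. Hard-coding `LIBFIDO2="-lfido2 -lcrypto"` also drops whatever -I and -L paths libfido2.pc would have supplied, so the build now depends on USES=localbase from the Makefile; a one-line comment in the patch stating that dependency would help whoever removes the workaround later. It is also worth saying why this branch omits -lcbor while the else branch keeps it.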
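
Review bot: The `(char*)` cast on login_getcapstr() in the do_nologin() hunk of patch-session.c discards the const qualifier only to get past -Werror, which hides the mismatch rather than resolving it. If do_nologin() only reads through nl, declaring nl as const char * is the cleaner fix; if it does modify or free the string, the cast is masking a real problem. extra-patch-gssapi-sshconnect2.c in this same commit handles the analogous const issue by fixing ownership instead of casting, and the same approach would be preferable here.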