Date: Thu, 24 Apr 2014 01:54:58 +0000 (UTC) From: Bryan Drewery <bdrewery@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r351982 - in head/security/openssh-portable: . files Message-ID: <201404240154.s3O1sw0D059912@svn.freebsd.org>
Author: bdrewery Date: Thu Apr 24 01:54:58 2014 New Revision: 351982 URL: http://svnweb.freebsd.org/changeset/ports/351982 QAT: https://qat.redports.org/buildarchive/r351982/ Log: - Update to "6.6.1" [1] - Switch to using @sample keyword, fixing orphans. Upstream note on "6.6.1" [1]: OpenSSH 6.5 and 6.6 sometimes encode a value used in the curve25519 key exchange incorrectly, causing connection failures about 0.2% of the time when this method is used against a peer that implements the method properly. Fix the problem and disable the curve25519 KEX when speaking to OpenSSH 6.5 or 6.6. This version will identify itself as 6.6.1 to enable the compatability code. [1] https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032494.html Added: head/security/openssh-portable/files/extra-patch-openssh661 (contents, props changed) Modified: head/security/openssh-portable/Makefile head/security/openssh-portable/distinfo head/security/openssh-portable/pkg-plist
Modified: head/security/openssh-portable/Makefile
==============================================================================
--- head/security/openssh-portable/Makefile Thu Apr 24 01:04:52 2014 (r351981)
+++ head/security/openssh-portable/Makefile Thu Apr 24 01:54:58 2014 (r351982)
@@ -3,7 +3,7 @@ PORTNAME= openssh
DISTVERSION= 6.6p1
-PORTREVISION= 1
+PORTREVISION= 2
PORTEPOCH= 1
CATEGORIES= security ipv6
MASTER_SITES= ${MASTER_SITE_OPENBSD}
@@ -32,6 +32,9 @@ ETCOLD= ${PREFIX}/etc
SUDO?= # empty
MAKE_ENV+= SUDO="${SUDO}"
+# https://github.com/openssh/openssh-portable/commit/5618210618256bbf5f4f71b2887ff186fd451736.patch
+EXTRA_PATCHES+= ${FILESDIR}/extra-patch-openssh661
+
OPTIONS_DEFINE= PAM TCP_WRAPPERS LIBEDIT BSM \
HPN LPK X509 KERB_GSSAPI \
OVERWRITE_BASE SCTP AES_THREADED LDNS NONECIPHER 
@@ -102,14 +105,15 @@ TCP_WRAPPERS_CONFIGURE_WITH= tcp-wrapper
LIBEDIT_CONFIGURE_WITH= libedit
BSM_CONFIGURE_ON= --with-audit=bsm
-
.include <bsd.port.pre.mk>
+PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn,gsskex
+
# http://www.psc.edu/index.php/hpn-ssh
.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER}
PORTDOCS+= HPN-README
HPN_VERSION= 14v2
-HPN_DISTVERSION= 6.6p1
+HPN_DISTVERSION= 6.6.1p1
PATCH_SITES+= ${MASTER_SITE_SOURCEFORGE:S/$/:hpn/}
PATCH_SITE_SUBDIR+= hpnssh/HPN-SSH%20${HPN_VERSION}%20${HPN_DISTVERSION}/:hpn
PATCHFILES+= ${PORTNAME}-${HPN_DISTVERSION}-hpnssh${HPN_VERSION}.diff.gz:-p1:hpn
@@ -120,8 +124,6 @@ EXTRA_PATCHES+= ${FILESDIR}/extra-patch
. endif
.endif
-PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn,gsskex
-
.if ${OSVERSION} >= 900000
CONFIGURE_LIBS+= -lutil
.endif
@@ -157,15 +159,15 @@ BROKEN= KERB_GSSAPI Requires either MIT
.endif
.if ${PORT_OPTIONS:MHEIMDAL_BASE} && !exists(/usr/lib/libkrb5.so)
-IGNORE= You have selected HEIMDAL_BASE but do not have heimdal installed in base
+IGNORE= you have selected HEIMDAL_BASE but do not have heimdal installed in base
.endif
.if ${PORT_OPTIONS:MPAM} && !exists(/usr/include/security/pam_modules.h)
-IGNORE= Pam must be installed in base
+IGNORE= PAM must be installed in base
.endif
.if ${PORT_OPTIONS:MTCP_WRAPPERS} && !exists(/usr/include/tcpd.h)
-IGNORE= Required /usr/include/tcpd.h missing
+IGNORE= required /usr/include/tcpd.h missing
.endif
.if defined(OPENSSH_OVERWRITE_BASE) 
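Review bot: The `PATCH_SITES+= http://mirror.shatow.net/freebsd/${PORTNAME}/:DEFAULT,x509,hpn,gsskex` line is moved from after `.include <bsd.port.pre.mk>` to before it without a comment saying why, while the HPN `PATCH_SITES+=` a few lines further down still sits after the include, so the next reader has nothing stopping them from moving it back. Presumably the DEFAULT/x509/gsskex groups have to be registered before the framework's pre.mk pass, but that is an inference from the hunk; a one-line comment such as `# Must precede bsd.port.pre.mk so the DEFAULT,x509,hpn,gsskex groups are registered` (adjusted to the real reason) would pin it. Since this mirror is plain http, the SHA256 entries in distinfo are the only integrity control on the patch files fetched from it, which is worth stating next to the line so every PATCHFILES entry served from it stays listed there.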
@@ -257,8 +259,8 @@ pre-install:
.endif
post-install:
- ${INSTALL_DATA} ${WRKSRC}/ssh_config.out ${STAGEDIR}${ETCSSH}/ssh_config-dist
- ${INSTALL_DATA} ${WRKSRC}/sshd_config.out ${STAGEDIR}${ETCSSH}/sshd_config-dist
+ ${MV} ${STAGEDIR}${ETCSSH}/ssh_config ${STAGEDIR}${ETCSSH}/ssh_config.sample
+ ${MV} ${STAGEDIR}${ETCSSH}/sshd_config ${STAGEDIR}${ETCSSH}/sshd_config.sample
.if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MAES_THREADED} || ${PORT_OPTIONS:MNONECIPHER}
${MKDIR} ${STAGEDIR}${DOCSDIR}
${INSTALL_DATA} ${WRKSRC}/HPN-README ${STAGEDIR}${DOCSDIR}
Modified: head/security/openssh-portable/distinfo
==============================================================================
--- head/security/openssh-portable/distinfo Thu Apr 24 01:04:52 2014 (r351981)
+++ head/security/openssh-portable/distinfo Thu Apr 24 01:54:58 2014 (r351982)
@@ -1,7 +1,7 @@
SHA256 (openssh-6.6p1.tar.gz) = 48c1f0664b4534875038004cc4f3555b8329c2a81c1df48db5c517800de203bb
SIZE (openssh-6.6p1.tar.gz) = 1282502
-SHA256 (openssh-6.6p1-hpnssh14v2.diff.gz) = 2a1b34dc3bf922e12cbca687e57b1fad2a0b087e38022e6782e99b45fcc1a315
-SIZE (openssh-6.6p1-hpnssh14v2.diff.gz) = 24469
+SHA256 (openssh-6.6.1p1-hpnssh14v2.diff.gz) = b7f5bd22f1c0bacd41fc4884aeb19bba460d548af875eeb6c857cb77bab53376
+SIZE (openssh-6.6.1p1-hpnssh14v2.diff.gz) = 24473
SHA256 (openssh-6.6p1+x509-7.9.diff.gz) = 463473f75c1dc250ea4eda21f2c79df6f0b479ea499d044cb51d73073881ca34
SIZE (openssh-6.6p1+x509-7.9.diff.gz) = 224691
SHA256 (openssh-6.6p1-gsskex-all-20140318.patch.gz) = 9436c03ba46cdda8753f8957816a9832fd04e1244992ba8e729968c93682a236
Added: head/security/openssh-portable/files/extra-patch-openssh661
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/openssh-portable/files/extra-patch-openssh661 Thu Apr 24 01:54:58 2014 (r351982) 
@@ -0,0 +1,162 @@ +From 5618210618256bbf5f4f71b2887ff186fd451736 Mon Sep 17 00:00:00 2001 +From: Damien Miller <djm@mindrot.org> +Date: Sun, 20 Apr 2014 13:44:47 +1000 +Subject: [PATCH] - (djm) [bufaux.c compat.c compat.h sshconnect2.c sshd.c + version.h] OpenSSH 6.5 and 6.6 sometimes encode a value used in the + curve25519 key exchange incorrectly, causing connection failures about + 0.2% of the time when this method is used against a peer that implements + the method properly. + + Fix the problem and disable the curve25519 KEX when speaking to + OpenSSH 6.5 or 6.6. This version will identify itself as 6.6.1 + to enable the compatability code. +--- + ChangeLog | 11 +++++++++++ + bufaux.c | 5 ++++- + compat.c | 17 ++++++++++++++++- + compat.h | 2 ++ + sshconnect2.c | 2 ++ + sshd.c | 3 +++ + version.h | 2 +- + 7 files changed, 39 insertions(+), 3 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index 9c59cc4..60f181a 100644 +--- ChangeLog ++++ ChangeLog +@@ -1,3 +1,14 @@ ++20140420 ++ - (djm) [bufaux.c compat.c compat.h sshconnect2.c sshd.c version.h] ++ OpenSSH 6.5 and 6.6 sometimes encode a value used in the curve25519 ++ key exchange incorrectly, causing connection failures about 0.2% of ++ the time when this method is used against a peer that implements ++ the method properly. ++ ++ Fix the problem and disable the curve25519 KEX when speaking to ++ OpenSSH 6.5 or 6.6. This version will identify itself as 6.6.1 ++ to enable the compatability code. 
++ + 20140313 + - (djm) Release OpenSSH 6.6 + +diff --git a/bufaux.c b/bufaux.c +index e24b5fc..f6a6f2a 100644 +--- bufaux.c ++++ bufaux.c +@@ -1,4 +1,4 @@ +-/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */ ++/* $OpenBSD: bufaux.c,v 1.57 2014/04/16 23:22:45 djm Exp $ */ + /* + * Author: Tatu Ylonen <ylo@cs.hut.fi> + * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland +@@ -372,6 +372,9 @@ buffer_put_bignum2_from_string(Buffer *buffer, const u_char *s, u_int l) + + if (l > 8 * 1024) + fatal("%s: length %u too long", __func__, l); ++ /* Skip leading zero bytes */ ++ for (; l > 0 && *s == 0; l--, s++) ++ ; + p = buf = xmalloc(l + 1); + /* + * If most significant bit is set then prepend a zero byte to +diff --git a/compat.c b/compat.c +index 9d9fabe..2709dc5 100644 +--- compat.c ++++ compat.c +@@ -95,6 +95,9 @@ compat_datafellows(const char *version) + { "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF}, + { "OpenSSH_4*", 0 }, + { "OpenSSH_5*", SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT}, ++ { "OpenSSH_6.6.1*", SSH_NEW_OPENSSH}, ++ { "OpenSSH_6.5*," ++ "OpenSSH_6.6*", SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD}, + { "OpenSSH*", SSH_NEW_OPENSSH }, + { "*MindTerm*", 0 }, + { "2.1.0*", SSH_BUG_SIGBLOB|SSH_BUG_HMAC| +@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop) + return cipher_prop; + } + +- + char * + compat_pkalg_proposal(char *pkalg_prop) + { +@@ -265,3 +267,16 @@ compat_pkalg_proposal(char *pkalg_prop) + return pkalg_prop; + } + ++char * ++compat_kex_proposal(char *kex_prop) ++{ ++ if (!(datafellows & SSH_BUG_CURVE25519PAD)) ++ return kex_prop; ++ debug2("%s: original KEX proposal: %s", __func__, kex_prop); ++ kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org"); ++ debug2("%s: compat KEX proposal: %s", __func__, kex_prop); ++ if (*kex_prop == '\0') ++ fatal("No supported key exchange algorithms found"); ++ return kex_prop; ++} ++ +diff --git a/compat.h b/compat.h +index b174fa1..a6c3f3d 100644 +--- compat.h ++++ compat.h 
+@@ -59,6 +59,7 @@ + #define SSH_BUG_RFWD_ADDR 0x02000000 + #define SSH_NEW_OPENSSH 0x04000000 + #define SSH_BUG_DYNAMIC_RPORT 0x08000000 ++#define SSH_BUG_CURVE25519PAD 0x10000000 + + void enable_compat13(void); + void enable_compat20(void); +@@ -66,6 +67,7 @@ void compat_datafellows(const char *); + int proto_spec(const char *); + char *compat_cipher_proposal(char *); + char *compat_pkalg_proposal(char *); ++char *compat_kex_proposal(char *); + + extern int compat13; + extern int compat20; +diff --git a/sshconnect2.c b/sshconnect2.c +index 7f4ff41..ec3ad6a 100644 +--- sshconnect2.c ++++ sshconnect2.c +@@ -195,6 +195,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) + } + if (options.kex_algorithms != NULL) + myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; ++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( ++ myproposal[PROPOSAL_KEX_ALGS]); + + if (options.rekey_limit || options.rekey_interval) + packet_set_rekey_limits((u_int32_t)options.rekey_limit, +diff --git a/sshd.c b/sshd.c +index 7523de9..e9084b7 100644 +--- sshd.c ++++ sshd.c +@@ -2462,6 +2462,9 @@ do_ssh2_kex(void) + if (options.kex_algorithms != NULL) + myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms; + ++ myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal( ++ myproposal[PROPOSAL_KEX_ALGS]); ++ + if (options.rekey_limit || options.rekey_interval) + packet_set_rekey_limits((u_int32_t)options.rekey_limit, + (time_t)options.rekey_interval); +diff --git a/version.h b/version.h +index a1579ac..a33e77c 100644 +--- version.h ++++ version.h +@@ -1,6 +1,6 @@ + /* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */ + +-#define SSH_VERSION "OpenSSH_6.6" ++#define SSH_VERSION "OpenSSH_6.6.1" + + #define SSH_PORTABLE "p1" + #define SSH_RELEASE SSH_VERSION SSH_PORTABLE +-- +1.9.1 + Modified: head/security/openssh-portable/pkg-plist ============================================================================== --- head/security/openssh-portable/pkg-plist Thu Apr 24 
01:04:52 2014 (r351981)
+++ head/security/openssh-portable/pkg-plist Thu Apr 24 01:54:58 2014 (r351982)
@@ -9,15 +9,11 @@ bin/ssh-keygen
bin/ssh-keyscan
%%NOTBASE%%@exec if [ -f %D/etc/ssh_config -a ! -f %D/etc/ssh/ssh_config ]; then ln %D/etc/ssh_config %D/etc/ssh/ssh_config ; fi
%%NOTBASE%%@exec if [ -f %D/etc/sshd_config -a ! -f %D/etc/ssh/sshd_config ]; then ln %D/etc/sshd_config %D/etc/ssh/sshd_config ; fi
-%%NOTBASE%%@unexec if cmp -s %D/etc/ssh/ssh_config %D/etc/ssh/ssh_config-dist; then rm -f %D/etc/ssh/ssh_config; fi
-%%NOTBASE%%@unexec if cmp -s %D/etc/ssh/sshd_config %D/etc/ssh/sshd_config-dist; then rm -f %D/etc/ssh/sshd_config; fi
%%OVERWRITE_BASE%%@cwd /
%%NOTBASE%%etc/ssh/moduli
-etc/ssh/ssh_config-dist
-etc/ssh/sshd_config-dist
+@sample etc/ssh/ssh_config.sample
+@sample etc/ssh/sshd_config.sample
%%OVERWRITE_BASE%%@cwd %%BASEPREFIX%%
-%%NOTBASE%%@exec if [ ! -f %D/etc/ssh/ssh_config ]; then cp -p %D/etc/ssh/ssh_config-dist %D/etc/ssh/ssh_config ; fi
-%%NOTBASE%%@exec if [ ! -f %D/etc/ssh/sshd_config ]; then cp -p %D/etc/ssh/sshd_config-dist %D/etc/ssh/sshd_config ; fi
%%NOTBASE%%%%X509%%@dirrmtry etc/ssh/ca
%%NOTBASE%%@dirrmtry etc/ssh
@exec if [ -f %D/etc/ssh_host_ecdsa_key ] && grep -q DSA %D/etc/ssh_host_ecdsa_key; then echo; echo "\!/ Warning \!/"; echo; echo "Your %D/etc/ssh_host_ecdsa_key is not a valid ECDSA key. It is incorrectly"; echo "a DSA key due to a bug fixed in 2012 in the security/openssh-portable port."; echo; echo "Regenerate a proper one with: rm -f %D/etc/ssh_host_ecdsa_key*; service openssh restart"; echo; echo "Clients should not see any key change warning since the ECDSA was not valid and was not actually"; echo "used by the server."; echo; echo "\!/ Warning \!/"; fi
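Review bot: The two new `@sample` entries take the place of the unguarded `etc/ssh/*_config-dist` lines and therefore, like them, are active in the OVERWRITE_BASE build, where the preceding `%%OVERWRITE_BASE%%@cwd /` puts them under /etc/ssh; the `@exec cp` and `@unexec cmp ... rm -f` lines they supersede were `%%NOTBASE%%`-guarded, so that install/deinstall logic never touched the base system's configs. If `@sample` behaves as I understand it (copy to the target when it is missing, remove the target on deinstall when it still matches the sample), deinstalling an OVERWRITE_BASE package could now delete /etc/ssh/sshd_config. Guarding the entries as `%%NOTBASE%%@sample etc/ssh/ssh_config.sample` and `%%NOTBASE%%@sample etc/ssh/sshd_config.sample`, and listing plain `%%OVERWRITE_BASE%%etc/ssh/ssh_config.sample` / `%%OVERWRITE_BASE%%etc/ssh/sshd_config.sample` entries so the staged files are still accounted for, would preserve the previous behaviour.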