From owner-svn-ports-all@freebsd.org Mon Feb 29 18:37:00 2016 Message-Id: <201602291836.u1TIawTQ048995@repo.freebsd.org>
From: Bryan Drewery Date: Mon, 29 Feb 2016 18:36:58 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r409823 - in head/security/openssh-portable: . files X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 29 Feb 2016 18:37:00 -0000 Author: bdrewery Date: Mon Feb 29 18:36:57 2016 New Revision: 409823 URL: https://svnweb.freebsd.org/changeset/ports/409823 Log: - Update to 7.2p1 - Mark X509 and KERB_GSSAPI as BROKEN. Changelog: http://www.openssh.com/txt/release-7.2 With help from: brnrd Deleted: head/security/openssh-portable/files/extra-patch-hostkeyalg_plus Modified: head/security/openssh-portable/Makefile head/security/openssh-portable/distinfo head/security/openssh-portable/files/extra-patch-hpn head/security/openssh-portable/files/extra-patch-ldns head/security/openssh-portable/files/patch-servconf.c head/security/openssh-portable/files/patch-ssh-agent.1 head/security/openssh-portable/pkg-plist Modified: head/security/openssh-portable/Makefile ============================================================================== --- head/security/openssh-portable/Makefile Mon Feb 29 18:35:00 2016 (r409822) +++ head/security/openssh-portable/Makefile Mon Feb 29 18:36:57 2016 (r409823) @@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= openssh -DISTVERSION= 7.1p2 +DISTVERSION= 7.2p1 PORTREVISION= 0 PORTEPOCH= 1 CATEGORIES= security ipv6 
@@ -68,6 +68,7 @@ X509_PATCHFILES= ${PORTNAME}-7.0p1+x509- # and https://bugzilla.mindrot.org/show_bug.cgi?id=1604 SCTP_PATCHFILES= ${PORTNAME}-6.8p1-sctp-2573.patch.gz:-p1 SCTP_CONFIGURE_WITH= sctp +SCTP_BROKEN= SCTP does not apply with 7.2+ MIT_LIB_DEPENDS= libkrb5.so.3:${PORTSDIR}/security/krb5 HEIMDAL_LIB_DEPENDS= libkrb5.so.26:${PORTSDIR}/security/heimdal @@ -92,6 +93,7 @@ EXTRA_PATCHES:= ${EXTRA_PATCHES:N${TCP_ # Must add this patch before HPN due to conflicts .if ${PORT_OPTIONS:MKERB_GSSAPI} +BROKEN= KERN_GSSAPI does not yet apply with 7.2+ # 7.1 patch taken from # http://sources.debian.net/data/main/o/openssh/1:7.1p2-2/debian/patches/gssapi.patch # which was originally based on 5.7 patch from @@ -117,13 +119,11 @@ CONFIGURE_LIBS+= -lutil CONFIGURE_ARGS+= --disable-utmp --disable-wtmp --disable-wtmpx --without-lastlog -EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hostkeyalg_plus:-p1 - # Keep this last EXTRA_PATCHES+= ${FILESDIR}/extra-patch-version-addendum .if ${PORT_OPTIONS:MX509} -BROKEN= Patch does not apply with 7.1 +BROKEN= X509 does not apply with 7.1+ . if ${PORT_OPTIONS:MHPN} || ${PORT_OPTIONS:MNONECIPHER} BROKEN= X509 patch and HPN patch do not apply cleanly together . endif Modified: head/security/openssh-portable/distinfo ============================================================================== --- head/security/openssh-portable/distinfo Mon Feb 29 18:35:00 2016 (r409822) +++ head/security/openssh-portable/distinfo Mon Feb 29 18:36:57 2016 (r409823) 
@@ -1,5 +1,5 @@ -SHA256 (openssh-7.1p2.tar.gz) = dd75f024dcf21e06a0d6421d582690bf987a1f6323e32ad6619392f3bfde6bbd -SIZE (openssh-7.1p2.tar.gz) = 1475829 +SHA256 (openssh-7.2p1.tar.gz) = 973cc37b2f3597e4cf599b09e604e79c0fe5d9b6f595a24e91ed0662860b4ac3 +SIZE (openssh-7.2p1.tar.gz) = 1499707 SHA256 (openssh-6.8p1-sctp-2573.patch.gz) = 0348713ad4cb4463e90cf5202ed41c8f726d7d604f3f93922a9aa55b86abf04a SIZE (openssh-6.8p1-sctp-2573.patch.gz) = 8531 SHA256 (openssh-7.0p1+x509-8.5.diff.gz) = 6000557f1ddae06aff8837d440d93342a923fada571fec59fc5dedf388fb5f9e Modified: head/security/openssh-portable/files/extra-patch-hpn ============================================================================== --- head/security/openssh-portable/files/extra-patch-hpn Mon Feb 29 18:35:00 2016 (r409822) +++ head/security/openssh-portable/files/extra-patch-hpn Mon Feb 29 18:36:57 2016 (r409823) 
@@ -447,29 +447,18 @@ diff -urN -x configure -x config.guess - echo "" ---- work.clean/openssh-6.8p1/kex.c.orig 2015-08-11 01:57:29.000000000 -0700 -+++ work.clean/openssh-6.8p1/kex.c 2015-08-17 17:02:06.770901000 -0700 -@@ -652,6 +652,13 @@ kex_choose_conf(struct ssh *ssh) - int nenc, nmac, ncomp; - u_int mode, ctos, need, dh_need, authlen; - int r, first_kex_follows; -+#ifdef NONE_CIPHER_ENABLED -+ /* XXX: Could this move into the lower block? */ -+ int auth_flag; -+ -+ auth_flag = ssh_packet_authentication_state(ssh); -+ debug ("AUTH STATE IS %d", auth_flag); -+#endif - - if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0 || - (r = kex_buf2prop(kex->peer, &first_kex_follows, &peer)) != 0) -@@ -709,6 +716,17 @@ kex_choose_conf(struct ssh *ssh) +--- work.clean/openssh-7.2p1/kex.c.orig 2016-02-25 19:40:04.000000000 -0800 ++++ work.clean/openssh-7.2p1/kex.c 2016-02-29 08:02:25.565288000 -0800 +@@ -822,6 +822,20 @@ kex_choose_conf(struct ssh *ssh) peer[ncomp] = NULL; goto out; } +#ifdef NONE_CIPHER_ENABLED + debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name); + if (strcmp(newkeys->enc.name, "none") == 0) { ++ int auth_flag; ++ ++ auth_flag = ssh_packet_authentication_state(ssh); + debug("Requesting NONE. Authflag is %d", auth_flag); + if (auth_flag == 1) { + debug("None requested post authentication."); @@ -478,13 +467,13 @@ diff -urN -x configure -x config.guess - + } + } +#endif - debug("kex: %s %s %s %s", + debug("kex: %s cipher: %s MAC: %s compression: %s", ctos ? "client->server" : "server->client", newkeys->enc.name, ---- work.clean/openssh-6.8p1/packet.c 2015-03-17 00:49:20.000000000 -0500 -+++ work/openssh-6.8p1/packet.c 2015-04-03 16:10:57.002066000 -0500 -@@ -2199,6 +2199,24 @@ - } +--- work.clean/openssh-7.2p1/packet.c.orig 2016-02-25 19:40:04.000000000 -0800 ++++ work.clean/openssh-7.2p1/packet.c 2016-02-29 08:05:15.744201000 -0800 +@@ -1037,6 +1037,24 @@ ssh_set_newkeys(struct ssh *ssh, int mod + return 0; } +#ifdef NONE_CIPHER_ENABLED 
@@ -506,10 +495,10 @@ diff -urN -x configure -x config.guess - +#endif + #define MAX_PACKETS (1U<<31) - int - ssh_packet_need_rekeying(struct ssh *ssh) -@@ -2207,6 +2225,12 @@ - + static int + ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) +@@ -1055,6 +1073,12 @@ ssh_packet_need_rekeying(struct ssh *ssh + /* Peer can't rekey */ if (ssh->compat & SSH_BUG_NOREKEY) return 0; +#ifdef NONE_CIPHER_ENABLED @@ -518,9 +507,9 @@ diff -urN -x configure -x config.guess - + return 1; + } +#endif - return - (state->p_send.packets > MAX_PACKETS) || - (state->p_read.packets > MAX_PACKETS) || + + /* + * Permit one packet in or out per rekey - this allows us to --- work.clean/openssh-6.8p1/packet.h 2015-03-17 00:49:20.000000000 -0500 +++ work/openssh-6.8p1/packet.h 2015-04-03 16:10:34.728161000 -0500 @@ -188,6 +188,11 @@ @@ -1110,8 +1099,8 @@ diff -urN -x configure -x config.guess - } if (roaming_atomicio(vwrite, connection_out, client_version_string, strlen(client_version_string)) != strlen(client_version_string)) ---- work.clean/openssh-7.1p2/sshconnect2.c.orig 2016-01-13 17:10:45.000000000 -0800 -+++ work.clean/openssh-7.1p2/sshconnect2.c 2016-01-19 17:49:17.929000000 -0800 +--- work.clean/openssh-7.2p1/sshconnect2.c.orig 2016-02-25 19:40:04.000000000 -0800 ++++ work.clean/openssh-7.2p1/sshconnect2.c 2016-02-29 08:06:31.134954000 -0800 @@ -80,6 +80,14 @@ extern char *client_version_string; extern char *server_version_string; @@ -1127,7 +1116,7 @@ diff -urN -x configure -x config.guess - /* * SSH2 key exchange -@@ -153,13 +161,16 @@ order_hostkeyalgs(char *host, struct soc +@@ -153,14 +161,17 @@ order_hostkeyalgs(char *host, struct soc return ret; } @@ -1137,6 +1126,7 @@ diff -urN -x configure -x config.guess - ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port) { - char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT }; + char *s; struct kex *kex; int r; 
@@ -1145,7 +1135,7 @@ diff -urN -x configure -x config.guess - xxx_host = host; xxx_hostaddr = hostaddr; -@@ -232,6 +243,9 @@ ssh_kex2(char *host, struct sockaddr *ho +@@ -235,6 +246,9 @@ ssh_kex2(char *host, struct sockaddr *ho packet_send(); packet_write_wait(); #endif @@ -1155,9 +1145,9 @@ diff -urN -x configure -x config.guess - } /* -@@ -416,6 +430,29 @@ ssh_userauth2(const char *local_user, co +@@ -404,6 +418,29 @@ ssh_userauth2(const char *local_user, co pubkey_cleanup(&authctxt); - dispatch_range(SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL); + ssh_dispatch_range(ssh, SSH2_MSG_USERAUTH_MIN, SSH2_MSG_USERAUTH_MAX, NULL); +#ifdef NONE_CIPHER_ENABLED + /* Modified: head/security/openssh-portable/files/extra-patch-ldns ============================================================================== --- head/security/openssh-portable/files/extra-patch-ldns Mon Feb 29 18:35:00 2016 (r409822) +++ head/security/openssh-portable/files/extra-patch-ldns Mon Feb 29 18:36:57 2016 (r409823) @@ -35,9 +35,9 @@ be verified, OpenSSH will print a messag +# VerifyHostKeyDNS yes # ProxyCommand ssh -q -W %h:%p gateway.example.com # RekeyLimit 1G 1h ---- ssh_config.5 2013-10-03 08:15:03.621130815 -0500 -+++ ssh_config.5 2013-10-03 08:15:22.851132133 -0500 -@@ -1246,7 +1246,10 @@ The argument must be +--- ssh_config.5.orig 2016-02-25 19:40:04.000000000 -0800 ++++ ssh_config.5 2016-02-29 07:57:41.763889000 -0800 +@@ -1715,7 +1715,10 @@ or .Dq ask . The default is 
@@ -46,6 +46,6 @@ be verified, OpenSSH will print a messag +if compiled with LDNS and +.Dq no +otherwise. - Note that this option applies to protocol version 2 only. .Pp See also VERIFYING HOST KEYS in + .Xr ssh 1 . Modified: head/security/openssh-portable/files/patch-servconf.c ============================================================================== --- head/security/openssh-portable/files/patch-servconf.c Mon Feb 29 18:35:00 2016 (r409822) +++ head/security/openssh-portable/files/patch-servconf.c Mon Feb 29 18:36:57 2016 (r409823) @@ -38,12 +38,3 @@ if (options->kbd_interactive_authentication == -1) options->kbd_interactive_authentication = 0; if (options->challenge_response_authentication == -1) -@@ -412,7 +417,7 @@ fill_default_server_options(ServerOption - - /* Turn privilege separation on by default */ - if (use_privsep == -1) -- use_privsep = PRIVSEP_NOSANDBOX; -+ use_privsep = PRIVSEP_ON; - - #define CLEAR_ON_NONE(v) \ - do { \ Modified: head/security/openssh-portable/files/patch-ssh-agent.1 ============================================================================== --- head/security/openssh-portable/files/patch-ssh-agent.1 Mon Feb 29 18:35:00 2016 (r409822) +++ head/security/openssh-portable/files/patch-ssh-agent.1 Mon Feb 29 18:36:57 2016 (r409823) @@ -10,8 +10,8 @@ disconnected. .Sh SYNOPSIS .Nm ssh-agent .Op Fl c | s --.Op Fl Dd -+.Op Fl Ddx +-.Op Fl \&Dd ++.Op Fl \&Ddx .Op Fl a Ar bind_address .Op Fl E Ar fingerprint_hash .Op Fl t Ar life Modified: head/security/openssh-portable/pkg-plist ============================================================================== --- head/security/openssh-portable/pkg-plist Mon Feb 29 18:35:00 2016 (r409822) +++ head/security/openssh-portable/pkg-plist Mon Feb 29 18:36:57 2016 (r409823) @@ -1,5 +1,3 @@ -@comment slogin must be deleted first -bin/slogin bin/scp bin/sftp bin/ssh 
@@ -23,7 +21,6 @@ man/man1/ssh-keygen.1.gz man/man1/ssh-keyscan.1.gz man/man1/scp.1.gz man/man1/ssh.1.gz -man/man1/slogin.1.gz man/man5/moduli.5.gz man/man5/ssh_config.5.gz man/man5/sshd_config.5.gz
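Review bot: the BROKEN message added in the Makefile hunk at @@ -92,6 +93,7 @@ names the option KERN_GSSAPI, but the guard it sits under is `.if ${PORT_OPTIONS:MKERB_GSSAPI}` and the log calls it KERB_GSSAPI; this string is what a user sees from make when the option is enabled, so it should read `BROKEN= KERB_GSSAPI does not yet apply with 7.2+`. It is also inserted above the comment block that records where the 7.1 GSSAPI patch came from; placing it after that comment keeps the comment attached to the patch it documents.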
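Review bot: the new `SCTP_BROKEN= SCTP does not apply with 7.2+` line in the Makefile hunk at @@ -68,6 +69,7 @@ disables a third option, but the log only says "Mark X509 and KERB_GSSAPI as BROKEN"; add SCTP to the log so the history shows where that option was turned off. Since the SCTP patch is still listed in SCTP_PATCHFILES and keeps its distinfo entry, the message should also say whether a refreshed patch is expected (HPN and ldns were regenerated in this same commit) or whether SCTP is likely to stay broken.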
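Review bot: removing `EXTRA_PATCHES+= ${FILESDIR}/extra-patch-hostkeyalg_plus:-p1` (and deleting the file) in the Makefile hunk at @@ -117,13 +119,11 @@ is not explained in the log. If upstream 7.2 made the local patch unnecessary, say so; if the patch simply stopped applying, the behaviour it provided has been dropped silently and that deserves a sentence. In the same hunk the X509 message becomes "X509 does not apply with 7.1+", which is accurate, but X509_PATCHFILES in the context of the @@ -68 hunk still points at openssh-7.0p1+x509-8.5, so the option will stay broken until that patch is refreshed; a one-liner in the log would help the next person who tries.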
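Review bot: the distinfo hunk swaps in the 7.2p1 SHA256 and SIZE, but nothing in the message says how the hash was obtained. For a port whose payload is sshd the checksum should be taken from a tarball that was first verified against the upstream release signature (OpenSSH publishes a detached .asc beside each tarball) rather than from whatever the mirror delivered, because distinfo only pins what was downloaded the first time. A short "verified against upstream signature" in the log makes that auditable.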
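Review bot: in the regenerated kex.c hunk of extra-patch-hpn (@@ -822,6 +822,20 @@) the auth_flag variable and the ssh_packet_authentication_state() call move from the top of kex_choose_conf() into the `if (strcmp(newkeys->enc.name, "none") == 0)` block, so the state is only read when the peer actually proposes the none cipher and the old "AUTH STATE IS %d" debug line disappears. That scoping is right, and it answers the "XXX: Could this move into the lower block?" comment that is being deleted, but this is a rework of the patch rather than a plain rebase and the log does not say so. Because this check is the only thing gating the none cipher on authentication, and only the `auth_flag == 1` branch ("None requested post authentication.") is visible here, please confirm in the message that the rebased patch still refuses or falls back when auth_flag is not 1; the surrounding 7.2 code moved (the hunk went from lines 652/709 to 822), which is exactly when such a branch gets lost.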
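Review bot: the file headers for packet.h inside extra-patch-hpn still read `--- work.clean/openssh-6.8p1/packet.h 2015-03-17` / `+++ work/openssh-6.8p1/packet.h 2015-04-03`, while kex.c, packet.c and sshconnect2.c now carry work.clean/openssh-7.2p1 headers with 2016 timestamps. Mixed base versions inside one patch file make it impossible to tell from the file which hunks were actually re-verified against 7.2p1; regenerate the whole patch from a single 7.2p1 tree (with the `diff -urN -x configure -x config.guess` invocation the header names) so every hunk has the same base and path prefix.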
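Review bot: the trailing context of the hunk immediately before the sshconnect2.c header in extra-patch-hpn still contains `if (roaming_atomicio(vwrite, connection_out, client_version_string,`. The 7.2 release notes list the removal of the roaming code, so if 7.2p1 no longer has that call this hunk is only applying because patch(1) tolerates fuzz in trailing context; please regenerate it against 7.2p1 so the patch applies cleanly and a future context change is not masked the same way.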
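Review bot: dropping the hunk in patch-servconf.c that changed the use_privsep default from PRIVSEP_NOSANDBOX to PRIVSEP_ON is a security-relevant change that the log does not mention. It is correct only if 7.2p1's fill_default_server_options() already defaults use_privsep to PRIVSEP_ON; please confirm that and say so in the message, because otherwise this update silently reverts the port's sshd to unsandboxed privilege separation. A post-build check is `sshd -T | grep -i useprivilegeseparation`, which should report sandbox.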
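Review bot: the pkg-plist hunks remove bin/slogin and man/man1/slogin.1.gz (together with the "@comment slogin must be deleted first" note), so any script that invokes slogin breaks after the upgrade, yet the log only says "Update to 7.2p1". Mention the removal in the log and consider a ports/UPDATING or pkg-message entry; the upstream changelog URL alone does not tell someone doing a pkg upgrade that a binary vanished.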